A 10-question wizard that cross-checks your company's sector, size and activity against ENS, NIS2, DORA, the AI Act and GDPR — and tells you, area by area, whether it applies, what it requires and where to start.
Determines whether you fall under the NIS2 Directive (Annex I and Annex II).
Size is key to knowing whether NIS2 or GDPR demand more or less from you.
We use the less favourable of the two figures (employees or turnover) so as not to under-estimate your obligation.
Contracts, tenders or public procurement with town councils, regional governments, ministries or public bodies.
Town council, provincial council, autonomous body, public university, an entity dependent on a public administration…
Determines whether DORA, the EU digital operational resilience regulation, applies to you.
Under the AI Act, this makes you a "provider" of AI, with reinforced obligations.
Chatbots, hiring tools, scoring, content generation… This makes you a "deployer" of AI.
Some uses are classified as "high-risk" under Annex III of the AI Act.
Health, biometrics, ideology, sexual orientation… or geolocation, video surveillance, profiling and scoring at scale.
About your sector, size, turnover, relationship with public administrations, the financial sector and your use of AI.
The logic is local JavaScript: no answer is sent to a server or stored anywhere.
Against the applicability criteria of each regulation: sector and size for NIS2, contractual relationship for ENS, financial activity for DORA, role for the AI Act.
ENS, NIS2, DORA, AI Act and GDPR: applies, doesn't apply, or probably — with the key obligations for each.
Each card links to the full guide for that regulation. And if you'd rather talk it through with someone, there's a free session at the end.
Between 2022 and 2026, the compliance landscape for Spanish and European companies became dense all at once. Spain's National Security Framework (ENS) has required security measures from public administrations and their technology providers since 2010. The NIS2 Directive widens the perimeter of mandatory cybersecurity to entire sectors of the economy, with or without a public contract involved. The DORA Regulation does the same for the financial sector and its technology suppliers. The European AI Act is starting to impose concrete obligations on anyone who develops or uses AI systems. And GDPR, the most established of them all, still applies to virtually any company that processes personal data — which is all of them.
The problem isn't a lack of information: there are thorough guides on each regulation separately. The problem is that nobody tells you, by cross-referencing your sector, your size and your specific activity, which of the five actually apply to you and which don't. An 80-employee manufacturing SME may fall under Annex II of NIS2 without knowing it. A 6-person consultancy selling a recruitment chatbot may be a "high-risk AI provider" under the AI Act without ever having considered that label. A firm that never touches a public administration may wrongly assume ENS never affects it — until it enters a tender.
ENS — Regulated by Royal Decree 311/2022, it applies to the public sector and to private companies that, under a contractual relationship, provide technology services to a public administration. If you don't work with public bodies, it doesn't apply to you today.
NIS2 — The EU cybersecurity directive classifies sectors into two criticality annexes and sets the applicability threshold at medium-sized enterprise level (from 50 employees or €10 million in turnover/balance sheet). In Spain, the law transposing it — the Law on Cybersecurity Coordination and Governance — is still going through parliament, but the underlying obligations are already being enforced in practice.
DORA — Directly applicable (no transposition needed) since 17 January 2025, it covers more than twenty types of financial entities, plus the third-party ICT service providers that give them critical support.
AI Act — Regulation (EU) 2024/1689 distinguishes between "providers" (whoever develops or places AI systems on the market) and "deployers" (whoever uses them under their own authority), and classifies risk by use: Annex III systems (HR, credit, health, biometrics, justice…) are considered high-risk. General application of the regulation arrives on 2 August 2026; the specific obligations for Annex III high-risk systems were postponed to 2 December 2027 following the Digital Omnibus approved in June 2026.
GDPR — Applies to any company that processes personal data, regardless of size. What varies is the intensity of the obligations: whether a Data Protection Officer is mandatory, whether the Record of Processing Activities has any exemption (companies with fewer than 250 employees with occasional processing and no sensitive data), and whether a Data Protection Impact Assessment (DPIA) is needed before processing certain data.
If the test shows that one of the five regulations applies to you and you're not sure where to start, our AI audit and governance service and our AI Act compliance consulting service walk through how each is actually handled in practice, with real timelines and deliverables.
Spain's ENS (National Security Framework, Royal Decree 311/2022), the NIS2 cybersecurity Directive, the DORA Regulation on digital operational resilience for the financial sector, the EU AI Act, and GDPR data protection rules.
No. It is an automated indication based on the answers you give, meant to show you where to start. It does not replace the analysis of a legal or compliance advisor on your specific case.
No. The test runs entirely in your browser with JavaScript: no answer is sent to any server and nothing is stored, unless you choose to book a session at the end.
GDPR applies to you regardless of size. ENS, NIS2 and DORA depend on your sector and whether you work with public administrations or financial entities — a micro-business may be exempt from NIS2 but rarely from GDPR. The AI Act depends on whether you develop or use AI systems, not on size.
Spain was due to transpose the NIS2 Directive by 17 October 2024. As of July 2026 the Law on Cybersecurity Coordination and Governance that transposes it is still going through parliament, although the underlying obligations are already being enforced in practice by regulators and European clients.
Book a free 30-minute session. We'll go through your result, clarify which regulation matters most in your case, and what concrete steps to take first.
Book a free session →