Search Client access
Free tool · Compliance

Which regulation applies to me? Find out in 2 minutes.

A 10-question wizard that cross-checks your company's sector, size and activity against ENS, NIS2, DORA, the AI Act and GDPR — and tells you, area by area, whether it applies, what it requires and where to start.

Free, no sign-up Instant result Your answers never leave your browser
Question 1 1 / 10

What sector does your company operate in?

Determines whether you fall under the NIS2 Directive (Annex I and Annex II).

How many employees does your company have?

Size is key to knowing whether NIS2 or GDPR demand more or less from you.

What is your company's annual turnover or balance sheet?

We use the less favourable of the two figures (employees or turnover) so as not to under-estimate your obligation.

Does your company provide services, under contract, to any public administration?

Contracts, tenders or public procurement with town councils, regional governments, ministries or public bodies.

Is your organisation a public-sector body?

Town council, provincial council, autonomous body, public university, an entity dependent on a public administration…

Is your company a financial entity or does it provide ICT services to financial entities?

Determines whether DORA, the EU digital operational resilience regulation, applies to you.

Do you develop or place AI systems on the market?

Under the AI Act, this makes you a "provider" of AI, with reinforced obligations.

Do you use third-party AI systems in your activity under your own authority?

Chatbots, hiring tools, scoring, content generation… This makes you a "deployer" of AI.

In which area is that AI system used?

Some uses are classified as "high-risk" under Annex III of the AI Act.

Do you process special category data or carry out systematic large-scale monitoring of people?

Health, biometrics, ideology, sexual orientation… or geolocation, video surveillance, profiling and scoring at scale.

Indicative result

Here's what we found for your company

Legal notice: this result is indicative and generated automatically from your answers. It does not replace the advice of a legal or compliance professional on your company's specific case. If in doubt about any obligation with legal or financial implications, consult the official source or book a session with us.
How it works

Five steps, no data sent anywhere.

01

Answer 10 questions

About your sector, size, turnover, relationship with public administrations, the financial sector and your use of AI.

02

Everything happens in your browser

The logic is local JavaScript: no answer is sent to a server or stored anywhere.

03

We cross-check your answers

Against the applicability criteria of each regulation: sector and size for NIS2, contractual relationship for ENS, financial activity for DORA, role for the AI Act.

04

You get 5 verdicts

ENS, NIS2, DORA, AI Act and GDPR: applies, doesn't apply, or probably — with the key obligations for each.

05

Go deeper if needed

Each card links to the full guide for that regulation. And if you'd rather talk it through with someone, there's a free session at the end.

Why this tool exists

Five regulations, one starting point.

Between 2022 and 2026, the compliance landscape for Spanish and European companies became dense all at once. Spain's National Security Framework (ENS) has required security measures from public administrations and their technology providers since 2010. The NIS2 Directive widens the perimeter of mandatory cybersecurity to entire sectors of the economy, with or without a public contract involved. The DORA Regulation does the same for the financial sector and its technology suppliers. The European AI Act is starting to impose concrete obligations on anyone who develops or uses AI systems. And GDPR, the most established of them all, still applies to virtually any company that processes personal data — which is all of them.

The problem isn't a lack of information: there are thorough guides on each regulation separately. The problem is that nobody tells you, by cross-referencing your sector, your size and your specific activity, which of the five actually apply to you and which don't. An 80-employee manufacturing SME may fall under Annex II of NIS2 without knowing it. A 6-person consultancy selling a recruitment chatbot may be a "high-risk AI provider" under the AI Act without ever having considered that label. A firm that never touches a public administration may wrongly assume ENS never affects it — until it enters a tender.

What each block of the test evaluates

ENS — Regulated by Royal Decree 311/2022, it applies to the public sector and to private companies that, under a contractual relationship, provide technology services to a public administration. If you don't work with public bodies, it doesn't apply to you today.

NIS2 — The EU cybersecurity directive classifies sectors into two criticality annexes and sets the applicability threshold at medium-sized enterprise level (from 50 employees or €10 million in turnover/balance sheet). In Spain, the law transposing it — the Law on Cybersecurity Coordination and Governance — is still going through parliament, but the underlying obligations are already being enforced in practice.

DORA — Directly applicable (no transposition needed) since 17 January 2025, it covers more than twenty types of financial entities, plus the third-party ICT service providers that give them critical support.

AI Act — Regulation (EU) 2024/1689 distinguishes between "providers" (whoever develops or places AI systems on the market) and "deployers" (whoever uses them under their own authority), and classifies risk by use: Annex III systems (HR, credit, health, biometrics, justice…) are considered high-risk. General application of the regulation arrives on 2 August 2026; the specific obligations for Annex III high-risk systems were postponed to 2 December 2027 following the Digital Omnibus approved in June 2026.

GDPR — Applies to any company that processes personal data, regardless of size. What varies is the intensity of the obligations: whether a Data Protection Officer is mandatory, whether the Record of Processing Activities has any exemption (companies with fewer than 250 employees with occasional processing and no sensitive data), and whether a Data Protection Impact Assessment (DPIA) is needed before processing certain data.

If the test shows that one of the five regulations applies to you and you're not sure where to start, our AI audit and governance service and our AI Act compliance consulting service walk through how each is actually handled in practice, with real timelines and deliverables.

Frequently asked questions

Before you start the test.

Which regulations does this tool evaluate?+

Spain's ENS (National Security Framework, Royal Decree 311/2022), the NIS2 cybersecurity Directive, the DORA Regulation on digital operational resilience for the financial sector, the EU AI Act, and GDPR data protection rules.

Is the test result legal advice?+

No. It is an automated indication based on the answers you give, meant to show you where to start. It does not replace the analysis of a legal or compliance advisor on your specific case.

Are my answers or data stored?+

No. The test runs entirely in your browser with JavaScript: no answer is sent to any server and nothing is stored, unless you choose to book a session at the end.

My company is small — could it be exempt from everything?+

GDPR applies to you regardless of size. ENS, NIS2 and DORA depend on your sector and whether you work with public administrations or financial entities — a micro-business may be exempt from NIS2 but rarely from GDPR. The AI Act depends on whether you develop or use AI systems, not on size.

Why does NIS2 show as "pending" for Spain?+

Spain was due to transpose the NIS2 Directive by 17 October 2024. As of July 2026 the Law on Cybersecurity Coordination and Governance that transposes it is still going through parliament, although the underlying obligations are already being enforced in practice by regulators and European clients.

Want to talk through the result?

Want us to review it together?

Book a free 30-minute session. We'll go through your result, clarify which regulation matters most in your case, and what concrete steps to take first.

Book a free session →