EU sovereignty Compliance dossier · v1.0 · 2026

Four regulations, one operational posture.

For each regulation: what it demands, from when, who it impacts, and which combination of P3 products lets you meet it without rewriting your supplier portfolio.

[ Book Munin ] · Regulation → product mapping

P3 compliance · 4 regulations
  NIS2 · Cyber · critical SMEs · 2024 → 2026
  AI Act · Risk classification · Aug 2026
  DORA · ICT resilience · finance · Jan 2025
  GDPR · Privacy · data residency · since 2018
01 The four regulations
Source · EU / Italy Official Journal

The pillars of compliance for those who operate in Europe.

None is optional. Three are already in force. The fourth is the heaviest and comes due in 2026.

NIS2 · Network & Information Security 2
Cyber · obligation for critical SMEs

Risk management, incident reporting within 24h+72h, supply-chain security, board accountability. Penalties up to 2% of global turnover or €10M.

Deadline: Italian transposition by 17 Oct 2024 · enforcement 2026

AI Act · EU Artificial Intelligence Act
AI · risk classification

Classification of AI systems by risk (prohibited → minimal). Technical documentation, governance, human oversight, public registry. Fines up to €35M or 7%.

Deadline: applicable from Aug 2026 for high-risk

DORA · Digital Operational Resilience Act
Finance · ICT risk

ICT resilience for the financial sector. Third-party risk, advanced testing (TLPT), incident reporting, oversight of critical providers. Direct on banks, asset managers, IT service providers.

Deadline: applicable 17 Jan 2025

GDPR · General Data Protection Regulation
Privacy · data residency

Non-EU transfers, legal bases, DPIA, 72h breach notification. Combined with the Cloud Act, it makes EU hosting a technical choice, not a political one.

Deadline: in force since 2018 · ongoing enforcement

02 Requirement → product mapping
15 core controls

For every regulatory requirement, which P3 product covers it.

This is how an audit really works: the auditor asks you for "control X", you show "product Y configured this way". A table used literally in our proposals.

Columns: Regulation · req. / What it demands / How P3 covers it / Products

NIS2 · art. 21
  Demands: Technical cyber risk management measures, in a proportionate way.
  P3 coverage: 48h SOC, 24/7 MDR, continuous asset inventory, vulnerability mgmt.
  Products: [ Fenrir SOC ] [ Fenrir MDR ] [ Munin ]

NIS2 · art. 23
  Demands: Incident reporting: 24h alert + 72h interim report + 1m final.
  P3 coverage: IR playbook, log retention on EU soil, integration with the national CSIRT.
  Products: [ Fenrir MDR ] [ HUGIN ]

NIS2 · supply chain
  Demands: ICT supplier security, third-party assessment.
  P3 coverage: On-prem supplier audit, continuous external attack surface, TLS certificate monitoring.
  Products: [ HUGIN ] [ Munin ]

AI Act · governance
  Demands: AI system classification, technical documentation, human oversight.
  P3 coverage: Risk classification workshop, technical file, audit trail on the AI pipeline.
  Products: [ AI Consulting ] [ P3 Dev Bridge ]

AI Act · provider
  Demands: Obligations on providers and deployers of high-risk models.
  P3 coverage: EU-hosted choice architecture, AI supplier due diligence, EU-only contracts.
  Products: [ AI Consulting ]

DORA · ICT risk
  Demands: ICT risk management framework, documented RTO/RPO.
  P3 coverage: Annual risk assessment, EU-hosted backups, tested DR plan, 5-year log retention.
  Products: [ Cybersecurity ] [ Fenrir MDR ]

DORA · third party
  Demands: Register of critical ICT suppliers, oversight, exit strategy.
  P3 coverage: Automatic vendor inventory, attack surface monitoring, contract review.
  Products: [ HUGIN ] [ AI Consulting ]

GDPR · art. 28
  Demands: Data processor, DPA, sub-processor list.
  P3 coverage: Standard DPA, EU-only sub-processor list, on-demand client audit.
  Products: The whole portfolio · EU-hosted, by architecture

GDPR · art. 32
  Demands: Appropriate technical and organisational measures. E2EE where feasible.
  P3 coverage: E2EE chat for public bodies, rugged MDM with encryption, immutable EU log retention.
  Products: [ MIRA ] [ Anvil MDM ]

GDPR · transfer
  Demands: Non-EU transfers, SCCs, third-country assessment.
  P3 coverage: Zero transfers: all data stays in the EU, no US sub-processor, no Cloud Act.
  Products: Architecture · EU-only, by architecture
03 Cloud Act
What no US provider will tell you

The problem you can't contract away.

Even with the best contract, the best DPA, the best SCC, a US provider remains subject to US law. Full stop.

18 U.S.C. §2713 · the honest summary

When a US authority asks Microsoft, Google or AWS for data, the provider must hand it over, even if the data is in Europe, even without telling the European client.

This is not a political stance: it's the text of the Clarifying Lawful Overseas Use of Data Act, signed in 2018. No private clause can override it. No DPA, no SCC, no ISO certification. When the subpoena arrives, the US provider chooses between obeying US or EU law. It always chooses US law: that's the one that sends it to prison.

US provider, EU region → Exposed to the Cloud Act
The data is physically in Europe, but the provider is subject to 18 U.S.C. §2713. A US subpoena obtains it anyway, silently.

P3 · EU-only, by architecture → Outside the US perimeter
EU datacentres, EU ownership (an Estonian company), no BAA with US providers. A US subpoena has no jurisdiction.

This is why every byte of every P3 client lives in Europe. It's not marketing, it's architecture. If that ever changed, even for a single client migrated to a US-region service, we'd be forced to rewrite the manifesto. For now, we keep it by design.

Got a compliance audit to face in the next 90 days?

Munin is the entry door. Seven days on-prem, an archivable report, a clear deliverable.

[ Book Munin ]