GDPRISO.com — EU Compliance Self-Assessment Tool

The only free tool that assesses your compliance across all 6 major EU regulatory frameworks simultaneously

Covers: GDPR · ISO 27001:2022 · NIS2 · DORA · EU AI Act · CRA

What is this tool?

GDPRISO.com is a free, browser-based compliance self-assessment that helps CISOs, CCOs, privacy professionals, and security teams evaluate their organisation's posture across all six major EU regulatory frameworks in a single session. There is no registration required, no data is transmitted to any server, and all your answers are stored only in your own browser's local storage.

The tool generates instant percentage scores for each framework, highlights your biggest gaps, and produces a prioritised action plan you can export as a PDF or CSV — giving you everything you need to brief stakeholders or kick off a remediation programme.

The 6 Frameworks

Framework	Who it applies to	Key focus	Status
GDPR	All organisations processing EU residents' personal data	Data privacy & data subject rights	In force
ISO 27001:2022	Any organisation seeking ISMS certification	Information security management	Transition complete Oct 2025
NIS2	Essential & important entities across 18 sectors	Cyber risk management & incident reporting	In force Oct 2024
DORA	Financial sector entities (banks, insurers, investment firms, etc.)	ICT resilience & third-party risk	In force Jan 2025
EU AI Act	Organisations developing or deploying AI systems	AI risk classification & governance	Phased: 2025–2027
CRA	Manufacturers of products with digital elements	Product security by design	Reporting obligations Sep 2026

How scoring works

Each question is answered on a 3-point scale:

Fully Implemented — 3 points. The control or requirement is completely satisfied with documented evidence.
Partially Implemented — 1 point. Some elements are in place but the requirement is not fully met.
Not Implemented — 0 points. No meaningful implementation has occurred.
Not Applicable — excluded from scoring for your organisation.

Questions marked with an asterisk (*) are critical controls and carry 2× weighting — missing these has a greater impact on your score. Your per-framework percentage is calculated as: (achieved points ÷ maximum possible points) × 100, ignoring N/A answers.

Scores map to the following risk levels:

Low risk — 75% and above
Moderate risk — 50%–74%
High risk — 25%–49%
Critical risk — below 25%

Assessment instructions

Click the Assessment tab to open the questionnaire.
Work through all 10 sections in order. Each section covers a distinct compliance domain.
Answer each question honestly based on your organisation's current state — not planned controls.
Hover over the i icon next to any question for guidance on what evidence or controls are expected.
Use the Notes field beneath each question to record context, owners, or caveats.
Your progress auto-saves to browser local storage every time you change an answer. You can also click Save Progress manually.
When you have completed all sections, click Calculate Results at the bottom of the final section.

What you get

Results & Recommendations tab:

Per-framework percentage scores with colour-coded risk ratings
Radar chart showing your compliance profile across all frameworks at a glance
Key findings summary and top-priority gap list
Section-by-section score breakdown so you can see which domains need the most attention
Framework-specific recommendations tailored to your answers

Action Plan tab:

Prioritised remediation steps ordered by risk level (Critical → High → Medium → Low)
Each item tagged with the relevant framework(s) and estimated effort
Export the full plan as a PDF or CSV for stakeholder reporting or project tracking

Assessment Progress 0%

Auto-saving enabled

Section 1: Organizational Context and Governance

ISO 27001

1.1 Has your organization established and documented the context of internal and external factors that affect its information security and data protection objectives? i Consider regulatory, technological, competitive, market, cultural, social, and economic factors that may impact your information security and data protection posture.

Applicable to: Both GDPR (Art. 24) and ISO 27001 (Clause 4.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.2* Has your organization identified and documented all interested parties and their requirements relevant to information security and data protection? i Interested parties may include customers, suppliers, regulators, shareholders, employees, and other stakeholders with requirements or expectations related to security and privacy.

Applicable to: Both GDPR (Art. 24, 28) and ISO 27001 (Clause 4.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.4* Has your organization established and documented the scope of your Information Security Management System (ISMS)? i This should define the boundaries of your ISMS including locations, functions, assets, technology, and interfaces with external entities.

Applicable to: ISO 27001 (Clause 4.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.5* Does your organization have documented evidence of executive leadership commitment for both data protection and information security? i This should include formal policy approval, resource allocation, defined roles and responsibilities, and active oversight by top management.

Applicable to: Both GDPR (Art. 24) and ISO 27001 (Clause 5.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.7 Has your organization assigned information security responsibilities to specific roles with clear authority and accountability? i This includes roles like Chief Information Security Officer (CISO), security managers, and others with specific security responsibilities across the organization.

Applicable to: ISO 27001 (Clause 5.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

1.8* Does your organization have documented information security and data protection policies approved by management? i Policies should be comprehensive, formally approved, communicated to all relevant parties, and regularly reviewed and updated.

Applicable to: Both GDPR (Art. 24) and ISO 27001 (Clause 5.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 2: Risk Assessment and Management

ISO 27001

2.2* Does your organization have a documented information security risk assessment methodology? i The methodology should define criteria for risk acceptance, assessment methods, and how to evaluate likelihood and impact.

Applicable to: ISO 27001 (Clause 6.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.3* Has your organization conducted a comprehensive risk assessment covering both security and privacy risks? i This should identify, analyze and evaluate risks to information confidentiality, integrity, availability as well as privacy-specific risks related to personal data.

Applicable to: Both GDPR (Art. 24, 32) and ISO 27001 (Clause 6.1.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.4 Do you have a risk treatment plan with defined controls for identified risks? i The plan should outline how each identified risk will be treated (mitigated, transferred, avoided, or accepted) with specific control measures.

Applicable to: Both GDPR (Art. 24, 32) and ISO 27001 (Clause 6.1.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.5 Is your risk assessment process repeated at planned intervals or when significant changes occur? i Regular risk assessments should be scheduled (typically annually) and also triggered by significant changes to systems, processes, or the threat landscape.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Clause 6.1, 8.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

2.6 Has your organization created a Statement of Applicability (SoA) documenting relevant ISO 27001 controls? i The SoA should list all controls from Annex A, indicating whether each is applicable or not, with justification for exclusions.

Applicable to: ISO 27001 (Clause 6.1.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 3: Data Protection Principles and Requirements

Section 4: Data Subject Rights and Transparency

Section 5: Information Security Controls

ISO 27001

5.1* Has your organization implemented appropriate technical and organizational security measures? i These should include measures such as encryption, pseudonymization, access controls, backup procedures, and regular testing of security measures, based on risk.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Clauses 6.1.3, 8.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.2* Do you have an information classification scheme implemented? i Information should be classified based on legal requirements, value, criticality, and sensitivity to unauthorized disclosure or modification, with corresponding handling procedures.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.3* Have you implemented access control policies and procedures? i This should include formal user registration/deregistration, privilege management, regular review of access rights, and password management.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.4 Do you have cryptographic controls in place to protect sensitive information? i This includes encryption for data at rest and in transit, with proper key management procedures and policies on the use of cryptographic controls.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.5 Do you have physical and environmental security controls? i This includes secure areas, equipment security, and protection against environmental threats to prevent unauthorized physical access, damage, and interference.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.6 Do you have secure development practices for systems that process sensitive data? i This includes security in development processes, secure coding guidelines, testing, and separation of development, testing, and operational environments.

Applicable to: Both GDPR (Art. 25, 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.7* Do you have logging and monitoring capabilities for security-relevant events? i This includes event logging, protection of log information, administrator/operator logs, clock synchronization, and monitoring of system use.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

5.8 Do you have backup and recovery procedures for critical information? i This includes regular backups, testing of restoration procedures, and secure storage of backup media in accordance with a backup policy.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 6: Incident and Breach Management

ISO 27001

6.1* Do you have a documented data breach/incident response plan? i The plan should define roles and responsibilities, steps for identification, containment, eradication, recovery, and lessons learned for security incidents.

Applicable to: Both GDPR (Art. 33-34) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

6.4 Do you maintain documentation of all data breaches/security incidents? i Documentation should include the facts, effects, and remedial actions taken for all breaches, regardless of whether they require notification.

Applicable to: Both GDPR (Art. 33(5)) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

6.5 Do you conduct regular testing of your incident response procedures? i This should include periodic tabletop exercises, simulations, or other forms of testing to ensure the effectiveness of incident response procedures.

Applicable to: Both GDPR (Art. 32) and ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

6.6 Do you conduct post-incident reviews to identify improvements? i After incidents are resolved, you should have a formal process to review what happened, identify lessons learned, and implement improvements to prevent similar incidents.

Applicable to: ISO 27001 (Annex A)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 7: Supply Chain & Third-Party Management

ISO 27001 NIS2 DORA CRA

7.1* Have you established Data Processing Agreements (DPAs) with all processors handling personal data on your behalf? iGDPR Art. 28 requires written contracts with processors specifying the subject-matter, duration, nature and purpose of processing, type of personal data, and obligations and rights of the controller.

Applicable to: GDPR (Art. 28, 29)

Fully Implemented Partially Implemented Not Implemented Not Applicable

7.2* Do you conduct security assessments of suppliers and third-party service providers before onboarding and periodically thereafter? iISO 27001:2022 A.5.19 requires information security policies for supplier relationships. NIS2 Art. 21(d) requires supply chain security including security aspects of relationships with direct suppliers.

Applicable to: GDPR (Art. 28), ISO 27001:2022 (A.5.19), NIS2 (Art. 21d), DORA (Art. 28)

Fully Implemented Partially Implemented Not Implemented Not Applicable

7.3 Do you have a process for ongoing monitoring of supplier security and contractual compliance? iISO 27001:2022 A.5.22 requires monitoring and review of supplier services. This includes reviewing service delivery reports, conducting audits, and managing changes to supplier services.

Applicable to: ISO 27001:2022 (A.5.22), GDPR (Art. 28)

Fully Implemented Partially Implemented Not Implemented Not Applicable

7.5* Do you manage ICT supply chain security risks including software provenance and component integrity? iISO 27001:2022 A.5.21 (new in 2022) requires managing ICT supply chain security. This includes assessing security practices of ICT suppliers, reviewing software bill of materials (SBOM), and verifying integrity of acquired components.

Applicable to: ISO 27001:2022 (A.5.21), NIS2 (Art. 21d), CRA (Art. 13)

Fully Implemented Partially Implemented Not Implemented Not Applicable

7.6* (DORA) Do you maintain a complete register of all ICT third-party service providers with contractual requirements aligned to DORA Art. 28–30? iDORA Art. 28 requires financial entities to maintain a register of all ICT third-party service providers. Contracts must include service level descriptions, security requirements, audit rights, incident notification obligations, and exit strategies.

Applicable to: DORA (Art. 28–30) — Financial entities only

Fully Implemented Partially Implemented Not Implemented Not Applicable

7.7 (DORA) Do you have documented exit strategies and transition plans for critical ICT third-party providers? iDORA Art. 28(8) requires financial entities to develop exit strategies for ICT third-party arrangements, including transition periods, alternative providers, and risks of re-internalisation of ICT services.

Applicable to: DORA (Art. 28) — Financial entities only

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 8: Business Continuity & Resilience

ISO 27001 NIS2 DORA

8.1* Is there a documented and tested business continuity plan that covers information security and ICT systems? i ISO 27001:2022 A.5.29 requires planning for information security during disruption. NIS2 Art. 21(c) mandates business continuity management including backup management and disaster recovery. DORA Art. 11 requires a comprehensive ICT business continuity policy.

Applicable to: ISO 27001:2022 (A.5.29), NIS2 (Art. 21c), DORA (Art. 11)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.2* Are backup and recovery procedures tested regularly with defined and validated RTO/RPO targets? iISO 27001:2022 A.8.13 requires information backup procedures. Testing backups verifies recoverability. RTO (Recovery Time Objective) and RPO (Recovery Point Objective) must be defined, agreed with business, and validated through testing.

Applicable to: ISO 27001:2022 (A.8.13), NIS2 (Art. 21c), DORA (Art. 12)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.3 Is BCM/DR tested at least annually with documented results and improvement actions? iAnnual BCP/DR testing (tabletop exercises, simulation, or full failover tests) demonstrates actual recoverability. Test results should be documented, gaps identified, and improvements tracked.

Applicable to: ISO 27001:2022 (A.5.29), NIS2 (Art. 21c)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.4* Is ICT readiness for business continuity formally planned including redundancy of critical systems? iISO 27001:2022 A.5.30 (new in 2022) requires ICT readiness for business continuity to ensure availability of information systems. This includes redundancy design, failover capacity, and geographic distribution of critical infrastructure.

Applicable to: ISO 27001:2022 (A.5.30 — new 2022), NIS2 (Art. 21c), DORA (Art. 11)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.5 Is there a documented crisis management and communication plan for major security incidents? iNIS2 Art. 21(c) requires crisis management as part of BCM. This includes internal escalation procedures, external communication plans (regulators, customers, media), spokespersons, and pre-approved messaging templates.

Applicable to: NIS2 (Art. 21c), DORA (Art. 14), ISO 27001:2022 (A.5.26)

Fully Implemented Partially Implemented Not Implemented Not Applicable

8.6 (DORA) Has your organisation completed Threat-Led Penetration Testing (TLPT) if classified as a significant financial entity? iDORA Art. 26 requires significant financial entities to conduct TLPT at least every 3 years. TLPT is intelligence-led adversarial testing performed by qualified red teams targeting production systems. Mark N/A if not a significant financial entity under DORA.

Applicable to: DORA (Art. 26) — Significant financial entities only

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 9: Monitoring, Audit & Improvement

ISO 27001 NIS2

9.1* Are performance monitoring and measurement processes in place to evaluate the effectiveness of security controls?iISO 27001:2022 Clause 9.1 requires monitoring, measurement, analysis and evaluation. NIS2 Art. 21(f) requires policies to assess effectiveness of cybersecurity risk-management measures.

Applicable to: ISO 27001:2022 (Clause 9.1), NIS2 (Art. 21f)

Fully Implemented Partially Implemented Not Implemented Not Applicable

9.2 Is there a formal internal audit programme covering information security and data protection?iISO 27001:2022 Clause 9.2 requires planned internal audits at defined intervals to assess ISMS conformance. Auditors must be objective and impartial. Results reported to management.

Applicable to: ISO 27001:2022 (Clause 9.2)

Fully Implemented Partially Implemented Not Implemented Not Applicable

9.3 Does top management conduct periodic ISMS reviews covering risk posture, audit results, and improvement opportunities?iISO 27001:2022 Clause 9.3 requires management review at planned intervals. Inputs include audit results, risk status, non-conformities, corrective actions, monitoring results, and stakeholder feedback.

Applicable to: ISO 27001:2022 (Clause 9.3)

Fully Implemented Partially Implemented Not Implemented Not Applicable

9.4 Are non-conformities and corrective actions tracked to closure with root cause analysis?iISO 27001:2022 Clause 10.1 requires reacting to non-conformities and taking corrective action. Root cause analysis prevents recurrence. Track via a register with owner, due date, and status.

Applicable to: ISO 27001:2022 (Clause 10.1)

Fully Implemented Partially Implemented Not Implemented Not Applicable

9.5* Is cybersecurity awareness training delivered to all staff including management, covering current threats and regulatory obligations?iNIS2 Art. 21(g) mandates cyber hygiene and cybersecurity training. NIS2 Art. 20 requires management bodies to undergo cybersecurity training. Cover phishing, data handling, incident reporting, and obligations under GDPR/NIS2/AI Act.

Applicable to: NIS2 (Art. 21g, Art. 20), ISO 27001:2022 (A.6.3), GDPR (Art. 24)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Section 10: AI Governance & Product Security

EU AI Act CRA

10.1* Has your organisation inventoried all AI systems and classified them by risk level under the EU AI Act?iEU AI Act Art. 6 and Annex III define high-risk AI systems (HR/recruitment, credit scoring, biometrics, critical infrastructure, education, law enforcement). All AI systems should be catalogued and classified. High-risk obligations apply from August 2026.

Applicable to: EU AI Act (Art. 6, Annex III)

Fully Implemented Partially Implemented Not Implemented Not Applicable

10.2* Has your organisation confirmed no use of AI practices prohibited under EU AI Act Art. 5?iProhibited since February 2025: social scoring, subliminal manipulation, exploitation of vulnerabilities, real-time biometric surveillance in public spaces, AI to infer emotions in workplaces/education, predictive policing based solely on profiling.

Applicable to: EU AI Act (Art. 5) — active since February 2025

Fully Implemented Partially Implemented Not Implemented Not Applicable

10.3* For high-risk AI systems, are human oversight, technical documentation, and conformity assessments in place?iEU AI Act Art. 14 requires human oversight for high-risk AI. Art. 11 requires technical documentation. Art. 43 requires conformity assessment (self-assessment or third-party). Obligations from August 2026.

Applicable to: EU AI Act (Art. 11, 14, 43) — obligations from August 2026

Fully Implemented Partially Implemented Not Implemented Not Applicable

10.4 Is an AI literacy programme in place for all staff who interact with or deploy AI systems?iEU AI Act Art. 4 (active August 2025) requires deployers to ensure staff have sufficient AI literacy — understanding of AI capabilities, limitations, and risks.

Applicable to: EU AI Act (Art. 4) — active since August 2025

Fully Implemented Partially Implemented Not Implemented Not Applicable

10.5* Are automated decision-making safeguards aligned with both GDPR Art. 22 and EU AI Act requirements?iGDPR Art. 22 gives individuals rights not to be subject to solely automated decisions with significant effects. The EU AI Act adds requirements for high-risk AI in decision-making. Ensure human review capability, meaningful explanations, and right to contest.

Applicable to: GDPR (Art. 22), EU AI Act (Art. 14)

Fully Implemented Partially Implemented Not Implemented Not Applicable

10.6* (CRA) If your organisation manufactures or imports products with digital elements, are security-by-design requirements being met?iCRA Annex I Part I: no known exploitable vulnerabilities at release, secure default configuration, minimal attack surface, authentication controls, data encryption, software integrity verification. CE marking required. Full obligations December 2027. Mark N/A if not applicable.

Applicable to: CRA (Art. 13, Annex I) — Full application December 2027

Fully Implemented Partially Implemented Not Implemented Not Applicable

10.7* (CRA) Is there a vulnerability disclosure policy and SBOM process for software or connected products?iCRA Annex I Part II: vulnerability disclosure policy, Software Bill of Materials (SBOM), security updates for supported lifetime (minimum 5 years). Actively exploited vulnerabilities reported to ENISA within 24 hours — obligation active September 2026.

Applicable to: CRA (Annex I Part II, Art. 14) — Reporting from September 2026

Fully Implemented Partially Implemented Not Implemented Not Applicable

10.8 Are AI training datasets subject to data governance controls covering accuracy, representativeness, and bias testing?iEU AI Act Art. 10 requires high-risk AI training data to be relevant, representative, free of errors, and complete. Bias testing is required where demographic characteristics are used. Intersects with GDPR data minimisation for training data containing personal data.

Applicable to: EU AI Act (Art. 10), GDPR (Art. 5)

Fully Implemented Partially Implemented Not Implemented Not Applicable

Assessment Results

ISO 27001 Compliance Score

Risk Level: Calculating...

Overall Maturity Score

Risk Level: Calculating...

NIS2 Compliance Score

Risk Level: Calculating...

DORA Compliance Score (Financial Entities)

Risk Level: Calculating...

EU AI Act Compliance Score

Risk Level: Calculating...

CRA Compliance Score (Product Manufacturers)

Risk Level: Calculating...

GDPRISO.com — EU Compliance Self-Assessment Tool

What is this tool?

The 6 Frameworks

How scoring works

Assessment instructions

What you get

Section 1: Organizational Context and Governance

Section 2: Risk Assessment and Management

Section 3: Data Protection Principles and Requirements

Section 4: Data Subject Rights and Transparency

Section 5: Information Security Controls

Section 6: Incident and Breach Management

Section 7: Supply Chain & Third-Party Management

Section 8: Business Continuity & Resilience

Section 9: Monitoring, Audit & Improvement

Section 10: AI Governance & Product Security

Assessment Results

Framework Compliance by Section

Key Findings

Section Scores

Recommended Focus Areas

Framework Prioritization Guidance

Recommended Action Plan

What is this tool?

The 6 Frameworks

How scoring works

Assessment instructions

What you get

Section 1: Organizational Context and Governance

Section 2: Risk Assessment and Management

Section 3: Data Protection Principles and Requirements

Section 4: Data Subject Rights and Transparency

Section 5: Information Security Controls

Section 6: Incident and Breach Management

Section 7: Supply Chain & Third-Party Management

Section 8: Business Continuity & Resilience

Section 9: Monitoring, Audit & Improvement

Section 10: AI Governance & Product Security

Assessment Results

Framework Compliance by Section

Key Findings

Section Scores

Recommended Focus Areas

Framework Prioritization Guidance

Recommended Action Plan

Help & Guidance