ComplianceOS, by Practicl AI, is built for regulated firms under continuous compliance-evidence obligations — DORA, NIS2 and beyond. It analyses your contracts, policies and entire data rooms against the regulations that matter and turns the result into audit-grade evidence you can put in front of a supervisor.
Built for the regulations you have to evidence
Every finding is cited back to the exact source.
Different mandates, the same problem — too much to read, too much riding on a missed line. Meet three of the people ComplianceOS was built for.
Head of Third-Party ICT Risk
Lúmen Banque — a fictional EU bank
Paris · 1,400 ICT vendors
“The regulator wants every critical vendor contract to prove it has audit rights, exit plans and incident SLAs. I have 1,400 of them.”
Under DORA, Élise must maintain a Register of Information covering every ICT third-party arrangement — and prove that contracts for critical or important functions actually contain the mandatory provisions in Article 30: audit and access rights, sub-outsourcing limits, exit strategies, incident-reporting SLAs, data location, and termination rights.
Today that means her team opens each MSA, DPA and SLA by hand, hunts for the clause, copies it into a spreadsheet, and hopes nothing was missed. Across 1,400 vendors and chains of subcontractors, a single overlooked exit clause can become a finding in the next supervisory inspection.
A DORA playbook for every contract
Upload the vendor pack once. An Article 30 playbook checks each contract for the mandatory provisions and reports them present, partial or missing — clause by clause.
Gaps with the evidence attached
Every finding links to the exact quote, page and section. “No audit rights in §11” is backed by the source text, so she can challenge a vendor or brief the board without re-reading the contract.
Feeds the Register of Information
Findings export as a structured grid that maps onto the Register and concentration-risk view — turning weeks of manual extraction into a reviewable afternoon.
Élise enters supervisory dialogue with a citation-backed gap report, not a half-finished spreadsheet.
Practice Lead, Managed Compliance
Northbridge Managed Security — a fictional MSSP
Stockholm · 40+ mid-market clients
“NIS2 made 50 of my clients legally responsible for cybersecurity overnight. They’re all calling me — and I’m not reading 50 policy sets by hand.”
NIS2 reclassified swathes of Sofia’s clients — manufacturers, hospitals, logistics firms, digital providers — as Essential or Important Entities, with board-level accountability and fines that bite. Overnight, cybersecurity compliance became a legal obligation for companies that have never had a compliance function. They don’t call a Big Four firm. They call the people who already run their infrastructure: Sofia.
The demand is the easy part. Delivering it isn’t: every client needs its security policies tested against NIS2 Article 21, evidenced, and kept current as the rules and the business change. By hand, that means hiring compliance analysts she can’t find fast enough — and margin evaporates the moment the service is built on billable hours.
One NIS2 playbook, every client
A single Article 21 playbook runs across each client’s policy set and reports the requirements present, partial or missing. Onboard the tenth client as fast as the first — the methodology is the playbook, not a person.
A workspace and a report per client — under your brand
Each client lives in its own workspace with citation-backed findings she exports as a branded report. The evidence is audit-grade and traced to the source, so it survives a national authority’s scrutiny, not just the client’s.
Recurring, not one-off
Re-run the playbook each quarter and surface only what changed. Continuous compliance becomes a retainer — Compliance-as-a-Service — instead of a project that ends.
Sofia turns NIS2 from her clients’ headache into her firm’s fastest-growing recurring revenue line — without hiring a single compliance analyst.
Partner, Financial Regulation
Whitmore Vance LLP — a fictional law firm
Frankfurt · advising an EU crypto-asset firm
“My client is a European crypto-asset service provider — a CASP. The rules don’t sit still, and “compliant in March” means nothing to a supervisor in September.”
Mathias advises a crypto-asset service provider authorised under MiCA and squarely in scope for DORA, NIS2 and the AML package. None of these are point-in-time regimes — they demand continuous monitoring. When an RTS lands, a MiCA Level-2 measure is finalised, or an incident-reporting threshold shifts, his client’s policies and vendor contracts have to be re-tested against the new text.
Re-reviewing a full document set every time the law moves doesn’t scale on a partner’s billing rate. So the honest answer clients usually get is “we’ll look at it at renewal” — which is exactly the gap that becomes a regulatory problem.
Playbooks that track the legislation
His regulatory playbooks are wired to the underlying legal sources. When monitored legislation changes, the playbook flags it and can auto-update — so continuous monitoring becomes a setting, not a heroic effort.
Re-run the whole book in minutes
When the rules move, he re-runs the playbook across the client’s entire policy and contract set at once and sees only what changed — every finding cited back to the document and the regulation.
Advice he can defend
Each conclusion carries the verbatim source and a confidence score, so his memo to the client is evidence-backed — not a black-box opinion a regulator can pick apart.
Mathias offers continuous assurance instead of an annual scramble — and his client stays ahead of the next RTS, not behind it.
Principal, Venture Capital
Greycastle Ventures — a fictional VC
London · Series B diligence
“Diligence is hours of reading 300 documents hoping to notice that the ARR in the deck doesn’t match the model. It’s tedious — until it costs you.”
Marcus lives in data rooms: SAFEs and the cap table, customer contracts, the financial model, IP assignments, board minutes. The value isn’t in any one document — it’s in the contradictions between them. An exclusivity clause that conflicts with another customer. A liability cap that undercuts the warranties. A revenue figure in the deck the model quietly disagrees with. Founder IP that was never actually assigned to the company.
Finding those needs a tired human to hold 300 documents in their head at 11pm. Miss one and it surfaces after the wire has cleared.
Reads the whole room at once
Connect the data room and ask questions across every document together. ComplianceOS surfaces the contradictions between files — not just a summary of each one.
Inconsistencies, side by side
When the deck says one ARR and the model says another, he gets both quotes next to each other with their sources — so a five-second check replaces an hour of cross-referencing.
A red-flag report he can forward
Cross-document findings export into a structured grid that drops straight into the IC memo — every flag traceable to the exact page it came from.
Marcus spends the evening deciding on the deal, not playing spot-the-difference across a data room.
We don't train on your documents. We don't share them. We don't keep them longer than necessary.
Designed to meet EU and UK data protection requirements.
Building towards ISO 27001 certification.
All data encrypted at rest and in transit.
Your choice of sovereign EU infrastructure or AWS. Your data stays in the EU.
Documents are never used to train models.
Loading plans...
We partner with law firms, compliance consultancies and audit firms. Our playbook engine encodes your own review methodology, so your IP stays yours — you deliver audit-grade compliance and evidence to your clients under your own brand, on recurring terms. We supply the engine; you keep the expertise.
Whether it's a DORA clause, a shifting MiCA obligation, or a contradiction buried in a data room — ComplianceOS reads the documents, checks them against the questions that matter, and shows its work. Every answer carries the exact quote, page, and a confidence score you can verify in seconds.
100%
Findings backed by a verbatim citation
12×
Faster than manual document review
EU
Sovereign hosting · no training on your data