03 · Service

Compliance
Engineering

GDPR, EU AI Act, NIS2, MDR, ISO-62304 · engineering-led compliance your developers can actually implement - practicality first.

Book a consultation

EU AI Act enforcement begins August 2026. If you deploy AI systems in the EU, you need to know your risk classification and documentation requirements now - not six months from now.

What you get

GDPR Audit & Gap Analysis

Full assessment of your data processing activities, consent mechanisms, data flows, and third-party processors. You get a prioritized remediation plan your engineers can execute - not an 80-page legal document.

EU AI Act Readiness

Risk classification of your AI systems, documentation requirements mapping, conformity assessment preparation. Critical for anyone deploying AI in the EU before Aug 2026 enforcement.

NIS2 Compliance

Security controls, incident response procedures, supply chain risk assessment. Engineering-led implementation that satisfies requirements without crippling your velocity.

Privacy-by-Design Architecture

Data minimization, purpose limitation, and access controls built into your system architecture. Not bolted on after launch - baked in from the start.

Fractional DPO

Data Protection Officer services without the full-time hire. DPIA oversight, regulatory liaison, breach response planning, staff training. Available on retainer.

Data Protection Impact Assessments

DPIAs for high-risk processing activities. I work with your engineering team to document data flows, assess risks, and implement mitigations - not just check boxes.

Digital Health & Clinical Software

ISO-62304 software lifecycle compliance, MDR technical documentation, clinical data pipeline validation. For teams building software that touches patient data, clinical trials, or medical device boundaries.

How it works

01

Audit

1–2 weeks

Data flow mapping, processing activity inventory, current-state assessment. I talk to your team, review your systems, and identify gaps.

02

Remediation Plan

1 week

Prioritized action items with effort estimates. Engineering tasks your team can put straight into their sprint backlog.

03

Implementation

2–6 weeks

I work alongside your engineers to implement changes. Code reviews, architecture changes, documentation, training.

04

Verification

1 week

Final review, documentation package, readiness confirmation. You get everything you need for auditors or investors.

Typical engagement: 4–8 weeks for audit + remediation. DPO retainers are ongoing.

Best for

  • Startups processing EU personal data (you probably are)
  • Teams deploying AI systems that need EU AI Act classification
  • Companies preparing for investor due diligence with compliance questions
  • Organizations that need a DPO but can't justify a full-time hire
  • Digital health teams building clinical software or SaMD that needs MDR / ISO-62304 compliance

Not the right fit if

  • Companies needing purely legal advice (I'm an engineer, not a lawyer - I work with your legal team)
  • Organizations looking for checkbox compliance that won't survive an audit
  • Businesses with zero engineering capacity to implement changes

Have compliance questions? 30-minute call, honest assessment.

Book a call