108 answers on GDPR, AI Act, NIS2, HinSchG, AGG

All frequent questions on compliance obligations, deadlines and our kits — structured by 7 topics.


Licence & ownership — 5 questions

What you buy, who owns it, buy once — always up-to-date, and the money-back guarantee*

The licence applies to the company named in the order, including affiliated corporate group companies (§ 15 AktG). Passing on the templates to third parties outside the licensed company is not permitted — details are governed by the scope section of our Terms. Within your company, you may use the templates for an unlimited number of employees and locations.

No. The templates can be used without restriction within your company. You can use them for 5 employees just as well as for 500. Internal adaptations (inserting your logo, refining clauses) are also permitted without an additional licence.

We only store the data required for ordering and invoicing (company name, VAT-ID, email, order number). Data storage runs on Cloudflare R2 (Object Storage) in an EU region — data does not leave the EU. The professional templates are personalised locally and delivered to you — we do NOT store content-adapted versions of your compliance documentation. For details, see the Privacy Policy.

You have the professional templates locally — they work without our servers, without cloud, without activation. Even if Compliance-Kit no longer exists, you can continue to use the kits you have already purchased indefinitely. This is the key advantage over cloud platform subscriptions: there you lose access to your compliance data on provider insolvency or cancellation.

You receive all updates of the kit as long as the kit is maintained in its current major version. Updates come with authority interpretation changes, new case law and known follow-up phases of a regulation (e.g. EU AI Act Annex III from 2 August 2026). For a substantially new regulation: 50% existing-customer discount. Details see Terms § 7.

Money-back & guarantee — 3 questions

How does the money-back guarantee* work? What evidence must I provide? What happens with the licence after refund?

Should the content of our templates prove to be legally demonstrably incorrect, we will refund the purchase price. Period: 60 days from delivery date. Processing within 14 working days of full defect notification. Details see Terms § 8.

A substantiated defect justification, confirmed by one of the following sources: (a) an attorney letter from an EU-licensed lawyer, or (b) a written statement from a competent supervisory authority (e.g. BfDI, dsb.gv.at, edoeb.admin.ch, BSI). Subjective defect perceptions without objective verifiability are not sufficient. Details see Terms § 8 (3).

With the refund, the licence to use expires. Already downloaded templates must be deleted and may not be used further. The money-back guarantee* applies in addition to statutory warranty rights — these remain unaffected.

General — 18 questions

About Compliance-Kit, delivery, prices, support

The contractual counterparty for licence, delivery and payment processing is exclusively Ens Naturale e.U. (Owner: Cosmin Birtalan, Vienna 1070). No external Merchant-of-Record service (Paddle, Stripe, PayPal, Lemon Squeezy etc.) is interposed — no online checkout.

Process:

  1. Fill out the order form on the website.
  2. Within 1 business day you receive an invoice (PDF) with correctly shown VAT. For EU B2B with a valid VAT-ID outside Austria: reverse-charge per Art. 196 VAT Directive (no VAT).
  3. You transfer the invoice amount to the business account stated on the invoice.
  4. Once payment is received you automatically receive the time-limited download link by email (standard: valid for 7 days, extendable once).

Payment method: bank transfer only (SEPA transfer within the EEA; SWIFT for buyers outside the EEA). Details see Privacy Policy section 4.1.

Compliance-Kit delivers ready-to-use documentation templates for the five most important EU compliance areas (GDPR, EU AI Act, NIS2, HinSchG, AGG/Pay Transparency). Solo founders, SMEs and compliance teams save weeks of research and creation effort.

Five kits: EU AI Act (58 documents), NIS2 (72), GDPR (67), HinSchG (55) and AGG/Pay Transparency (62). Each kit is available in three tiers — Basis, Plus and Komplett.

Three tiers — Basis EUR 990, Plus EUR 1,290, Komplett EUR 1,490 — identical for all 5 kits. All tiers contain the full document scope. Details and comparison table on the Pricing page.

You pay once for the kit and use it without restriction. No subscription, no hidden costs. Includes major updates without time limit.

Immediately after payment confirmation you receive an email link with the ZIP files. Personalisation with your company name is automatic at the download step.

All documents are populated with your company name, country of registered office and sector before download — no more mass find-and-replace in Word/Excel necessary. Audit-ready out of the box.

The templates are based on legal texts, EDPB/BSI/EU Office guidelines and current BAG case law. Before productive use, we recommend a final review by your legal department or specialist lawyer — we deliver the raw material, not legal advice.

Yes, for 12 months. When laws change (e.g. trilogue adoption of the Digital Omnibus proposal of 19 November 2025), you receive updated versions automatically by email. Update service can optionally be extended afterwards.

All three tiers contain the full document scope of the kit. Basis (EUR 990) is the entry-level option with all templates. Plus (EUR 1,290) adds premium options. Komplett (EUR 1,490) additionally contains all add-ons including the matching E-Learning module with quiz and certificate — the full equipment.

Per kit an interactive HTML E-Learning (8–10 chapters, 40+ slides) with quiz (50-question pool, 20 per session), printable certificate and offline capability. Unlimited users per licence.

Yes. Each E-Learning module delivers a printable participation certificate with date, score and company name. Fulfils the proof obligations under Art. 4 EU AI Act (AI literacy), § 12 AGG (training obligation) and NIS2 § 30 (awareness training).

Yes. Our Terms contain an express corporate group licence clause: affiliated companies within the meaning of § 15 AktG / Art. 3 para. 1 Directive 2013/34/EU may co-use the kit without surcharge, as long as they do not resell it.

All kits are available in German and English. This is relevant for international subsidiaries, multilingual workforces and EU-wide compliance.

Word (.docx) for policies, contracts and guidelines · Excel (.xlsx) for ROPA, risk registers and pay-gap tools · PDF for diagrams and training materials · HTML for E-Learning. All without macros, without lock-in.

You have 14 days for review. If the kit does not meet your expectations, send a short email to [email protected] and you will receive the full purchase price back — no questions asked.

For buyers from the EU (outside Austria) with a valid VAT-ID, we issue the invoice net without VAT (§ 19 UStG AT or § 13b UStG DE). You account for VAT yourself within your input-tax procedure.

No. Anyone who can operate Word and Excel can use the kit. Most templates are delivered with your company name and only need to be adapted to specific processes.

EU AI Act — 17 questions

Scope, obligations, deadlines, fines

Yes. Approximately 90 % of affected companies are deployers. Art. 26 EU AI Act defines extensive obligations — human oversight, input data quality, logging, information of those concerned.

Art. 4 EU AI Act has been in force since 2 February 2025. All employees who use AI systems must be trained — regardless of company size. Violations will be sanctioned from 2026.

Up to EUR 35 million or 7 % of worldwide annual turnover for prohibited practices (Art. 5). For high-risk violations EUR 15 million / 3 %, for other obligations EUR 7.5 million / 1.5 %.

Every company that offers, deploys, imports or distributes AI systems — as soon as the systems are available in the EU market or have their effect in the EU. US providers with EU users are also covered.

Social scoring, manipulative AI with harm potential, biometric mass surveillance in public spaces (with exceptions), emotion recognition at the workplace and in educational institutions, predictive policing based on profiling. Prohibited since 2 February 2025.

Systems according to Annex III: HR recruiting, education assessment, credit scoring, law enforcement, migration, justice, democratic processes, critical infrastructure — and safety components of regulated products (Annex II). Obligations apply from 2 August 2026.

Yes, in practice. Without a current register of your AI systems, you can neither classify risk nor assign obligations. Our quick test and the AI inventory quick check help you get started.

Mandatory for high-risk AI deployers in the public sector and for private bodies with public mandate (bank credit scoring, insurance risk, critical infrastructure). Before deployment + on significant changes. Template included in the Plus tier of the EU AI Act Kit.

General-Purpose AI Models — foundation models such as GPT-4, Claude or Gemini. Providers have had to fulfil transparency, training-data and copyright obligations since 2 August 2025. Existing models (before 2 August 2025) have an adaptation period until 2 August 2027.

A provider develops, has developed or places AI on the market under its own name. A deployer uses AI within its own area of responsibility. If you substantially modify or rebrand an AI system, you become a provider (Art. 25).

Synthetically generated audio, image, video or text content must be machine-readably marked (e.g. C2PA metadata). For deep fakes, a visible notice is also required. Chatbots need clear „You are communicating with an AI“ information.

Mandatory check for high-risk AI before placement on the market — either internal (self-assessment against Annex IV) or by a notified body (for safety-relevant components). CE marking as the result.

Yes. Art. 4 requires AI literacy for all employees who use AI tools — including standard LLMs such as ChatGPT, Copilot or Claude. Our EU AI Act training covers this.

Controlled environment operated by the supervisory authority for testing innovative AI before market entry. SMEs are admitted preferentially; during the sandbox phase, reduced fines apply for obligation violations.

As of 2 May 2026: The EU Commission presented the Digital Omnibus proposal on 19 November 2025 — trilogue is ongoing, NOT decided. Planned: postponement of Annex III to 2 December 2027 (instead of 2 August 2026), Annex I to 2 August 2028 (instead of 2 August 2027). Until adoption, 2 August 2026 remains the legally binding deadline.

Open-source GPAI models without systemic risk are largely exempt from the GPAI obligations. However: if they are deployed in high-risk applications, the normal high-risk obligations apply to the provider/deployer.

Dual regulation: when AI processes personal data, both apply. Art. 22 GDPR (automated individual decisions) and the AI Regulation interlock. DPIA and FRIA should run in parallel — overlapping fields are reusable.

NIS2 — 17 questions

Cybersecurity, notification obligations, managing-director liability, BSIG

Essential or important entities with ≥50 employees or ≥EUR 10 million turnover in 18 critical sectors (energy, transport, health, digital infrastructure, IT services, food and others). Our NIS2 readiness check clarifies this in 10 questions.

Managing directors must formally approve cybersecurity measures, monitor their implementation and undergo regular training (§ 38 BSIG). On omission, personal internal liability towards the company — on insolvency also towards creditors.

24h early warning to BSI/CSIRT, 72h assessment with initial findings, 1-month final report. Additionally, information of affected recipients and, where relevant, the public. Omission is an independent offence.

Essential = particularly critical sectors (energy, water, banks, health) from 250 employees / EUR 50 million. Important = remaining NIS2 sectors from 50 employees / EUR 10 million. Essential ones are monitored proactively by authorities, important ones only reactively (on incident).

11 highly critical (Annex I): energy, transport, banks, financial market, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space. 7 other (Annex II): post, waste, chemicals, food, manufacturers (medical devices, machinery, motor vehicles), digital providers, research.

The core provision of the German NIS2UmsuCG: 10 mandatory security measures — risk analysis concept, incident management, BCM, supply chain security, security during acquisition/development, effectiveness assessment, cyber hygiene, cryptography, personnel security/access control, MFA. See also: § 30 BSIG explained.

Essential entities: up to EUR 10 million or 2 % of worldwide turnover (the higher amount applies). Important: up to EUR 7 million or 1.4 %. Plus personal fines against managing directors.

In practice yes. § 30 BSIG requires a systematic risk-management concept — that is an ISMS under another name. You can start from scratch or use ISO/IEC 27001 as a framework. See also: Build an ISMS in 10 weeks.

ISO 27001 covers ~80 % of the NIS2 requirements. Gaps: NIS2-specific notification obligations, managing-director liability documentation, supplier review against NIS2 standards. Those who hold ISO 27001 meet NIS2 with a manageable delta.

Essential and important entities had to register with the BSI by 6 March 2026. New registrations remain possible; late registration is a separate fine offence.

The NIS2UmsuCG has been in force since 6 December 2025. Obligations apply immediately. The first authority audits are expected from Q4 2026. In Austria, the NISG 2026 is expected to enter into force in Q4 2026.

You must identify, assess and manage cybersecurity risks in your supply chain (§ 30 para. 2 no. 4). This includes SBOM requirements, contract clauses on security standards and regular supplier audits. See also: Secure the supply chain.

No. NIS2 requires technical and organisational measures, not just financial protection. Cyber insurance complements your risk transfer but does not replace the obligations under § 30 BSIG. Insurers even check NIS2 conformity as a precondition.

DORA (Digital Operational Resilience Act) has been in force for financial service providers since 17 January 2025 and is the more specific rule — NIS2 steps back to the extent that DORA is stricter. In practice: DORA obligation for banks/insurers, NIS2 for FinTechs only supplementary where DORA leaves gaps.

NIS2 does not require a formally appointed CISO, but a clearly assigned responsibility for information security at C-level or directly below. In corporate groups, the CISO role is the de facto standard; in SMEs it is often combined with the DPO or IT management.

At least annually — and on occasion-related basis upon significant changes (new systems, M&A, incidents). § 30 para. 1 no. 6 explicitly requires „assessment of effectiveness“.

Fine up to EUR 100,000 per day of omission — and reputation risk, because the BSI may maintain public lists. Additionally: insurance gap, because many cyber policies require registration as a precondition.

GDPR — 17 questions

Data-protection obligations, data breaches, third-country transfers

Yes. Art. 30 GDPR generally obliges every controller to maintain a Record of Processing Activities (ROPA). The SME exemption (<250 employees) hardly applies in practice because it is tied to narrow conditions. See also: ROPA guidance.

Technical and organisational measures under Art. 32 GDPR to protect personal data — encryption, pseudonymisation, access control, backup, recovery, regular effectiveness review. See also: TOM checklist.

In case of high risk to the rights of the data subjects — e.g. for profiling, mass processing of sensitive data, systematic monitoring. The DSK threshold analysis (included in the kit) clarifies this in 12 questions.

Mandatory from 20 employees with constant automated processing (§ 38 BDSG) — or for sensitive data processing as core business (Art. 37 GDPR), e.g. medical practice, law firm. See also: Detailed assessment.

Any breach of confidentiality, integrity or availability of personal data — stolen laptop, misdirected email, hack, misconfiguration, fire. You should also document near-incidents (near-breach) internally.

72 hours from awareness — to the competent supervisory authority (Art. 33). In case of high risk, additionally information of the data subjects without undue delay (Art. 34). See also: 72h procedure.

Data Processing Agreement under Art. 28 GDPR — mandatory contract with every service provider that processes personal data for you (cloud provider, IT service provider, payroll office, newsletter tool). Sample text and guidance are included in the kit.

Yes, for US companies certified under the EU-US Data Privacy Framework (DPF), without additional safeguards. Otherwise: Standard Contractual Clauses (SCC) + Transfer Impact Assessment. See also: Plan B.

Eight rights: access (Art. 15), rectification (16), erasure/forgetting (17), restriction (18), data portability (20), objection (21), no automated individual decision (22), complaint with the supervisory authority (77). Response period 1 month, extendable once by 2 months.

One month from receipt of the request (Art. 12 para. 3). In case of complex or numerous requests, an extension of 2 months is permitted — with justification to the data subject within the first deadline.

Data is processed in such a way that, without additional information, it can no longer be attributed to a person (Art. 4 no. 5). Example: clear name → employee number, with the mapping table stored separately. Pseudonymisation reduces risk but does not replace GDPR obligations — the data remains personal data as long as the mapping exists.

Only when non-essential cookies or tracking technologies are used (§ 25 TDDDG). Purely technical cookies (session, shopping cart) are permitted without consent. Cloudflare Web Analytics, for example, is cookieless. See also: Obligation check.

Up to EUR 20 million or 4 % of worldwide annual turnover (Art. 83 para. 5) — the higher value applies. For simpler violations EUR 10 million / 2 %. See also: Current fines.

In practice yes. Single opt-in is theoretically legally permitted but not provable in practice (BGH case law). Double opt-in with IP/timestamp logging is the only safe way, and it is part of the TOMs under Art. 32.
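As an added example (not code from the Compliance-Kit page or its templates), the following Python sketch shows a double opt-in flow that keeps the IP/timestamp evidence the answer above refers to: the confirmation token is single-use and time-limited, only an HMAC of it is stored, and every request, confirmation and rejection lands in an append-only evidence log. The class, field names and 48-hour validity are assumptions.

```python
"""Double opt-in with consent evidence logging (constructed example)."""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=48)  # assumed validity window for the confirmation link


class Clock:
    """Injectable clock so the flow is reproducible in tests."""

    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


class DoubleOptIn:
    def __init__(self, secret: bytes, now=None):
        self._secret = secret          # kept separately from the evidence log
        self._pending = {}             # HMAC(token) -> pending request record
        self.evidence = []             # append-only proof log (what you show an auditor)
        self._now = now or (lambda: datetime.now(timezone.utc))

    def _key(self, token: str) -> str:
        # Store only a keyed hash: a leaked table or log cannot be replayed as a confirmation.
        return hmac.new(self._secret, token.encode(), hashlib.sha256).hexdigest()

    def _log(self, **entry):
        entry["ts"] = self._now().isoformat()
        self.evidence.append(entry)

    def request(self, email: str, ip: str) -> str:
        """Step 1: user submits the form; we log who asked, from where, and when."""
        token = secrets.token_urlsafe(32)
        self._pending[self._key(token)] = {"email": email, "ip": ip, "ts": self._now()}
        self._log(event="request", email=email, ip=ip)
        return token  # goes into the confirmation email; never written to the log in clear

    def confirm(self, token: str, ip: str) -> bool:
        """Step 2: the link is clicked; accept only an unused, unexpired token."""
        rec = self._pending.pop(self._key(token), None)
        if rec is None:
            self._log(event="confirm_rejected", reason="unknown_or_already_used", ip=ip)
            return False
        if self._now() - rec["ts"] > TOKEN_TTL:
            self._log(event="confirm_rejected", reason="expired", email=rec["email"], ip=ip)
            return False
        self._log(event="confirm", email=rec["email"], request_ip=rec["ip"],
                  request_ts=rec["ts"].isoformat(), confirm_ip=ip)
        return True

    def proof(self, email: str) -> list:
        """Evidence trail for one address, in chronological order."""
        return [e for e in self.evidence if e.get("email") == email]


if __name__ == "__main__":
    doi = DoubleOptIn(b"constructed-demo-secret")
    tok = doi.request("alice@example.com", "203.0.113.7")   # constructed sample values
    print("confirmed:", doi.confirm(tok, "203.0.113.7"))
    print("replayed:", doi.confirm(tok, "203.0.113.7"))     # second use is rejected
    for entry in doi.proof("alice@example.com"):
        print(entry)
```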

Standard practice: 6 months after rejection to defend against AGG lawsuits (§ 15 para. 4 AGG: 2-month assertion period + buffer time). On consent for talent pool, longer storage is permitted. After that: delete (Art. 17).

Prohibition of purely automated individual decisions with significant effect (credit score, applicant selection, insurance tariff) if they take place without human involvement. Exceptions: contract, consent, legal permission — always with human review in case of objection.

Both apply in parallel when AI processes personal data. Art. 22 GDPR + Art. 14 AI Regulation (Human Oversight) + Art. 26 AI Regulation (deployer obligations) interlock. See also: Dual obligation in detail.

HinSchG (Whistleblower Protection) — 18 questions

Whistleblower Protection Act, reporting office, procedure

Since 2 July 2023 for all companies with ≥50 employees. Group companies cannot simply use a central group reporting office — the EU Commission criticised the German interpretation in infringement proceedings INFR(2024)0157.

§ 36 HinSchG: If a whistleblower suffers occupational disadvantage after a report (dismissal, transfer, mobbing), it is presumed that this is retaliation. The employer must rebut the presumption.

Yes, since 1 January 2025 the processing of anonymous reports has been mandatory. Before that, it was a should-rule. The reporting office must be able to communicate anonymously (postbox, secure online channel).

Not all legal violations — but defined areas: EU law (public procurement, financial services, money laundering, product safety, transport, environmental protection, radiation protection, food, animal welfare, public health, consumer protection, data protection, network/information security), certain criminal offences and administrative offences.

Acknowledgement of receipt within 7 days, feedback on follow-up actions within 3 months, maintenance of confidentiality, documentation, data protection under Art. 6 para. 1 lit. c GDPR. Follow-up actions: internal investigation, authority notification, procedure conclusion.

Compliance officer, HR head, legal department — or an external service provider (lawyer, ombudsperson). Important: independence and expertise under § 15 HinSchG. Not suitable: the managing director personally (conflict of interest).

At least 3 years after conclusion of proceedings (§ 11 para. 1) — then mandatorily deleted, unless further retention is required (Art. 5 GDPR).

Up to EUR 50,000 (previously EUR 100,000, halved by the reform): no reporting office, obstruction of reporting, breach of confidentiality, retaliation. Plus damages to the whistleblower.

Established at the Federal Office of Justice (BfJ). Whistleblowers have the choice whether to report internally or externally — the priority of internal reporting was abolished by the 2024 reform. This motivates companies to offer attractive internal channels.

Restricted. § 14 HinSchG permits outsourcing to the group headquarters, but the EU Commission criticises this. Recommended: a hybrid model with decentralised reporting channels per legal entity + central processing. See also: Hybrid model.

Theoretically yes — practically not. § 16 requires access via multiple paths (oral + in writing + on request in person). Furthermore: anonymous reports require a channel that leaves no identity traces — pure email does not fulfil this.

SaaS solutions range from EUR 50/month for SMEs to EUR 500/month for groups. Open-source alternatives (GlobaLeaks) exist but require your own IT resources. See also: Provider comparison.

Only what is necessary for processing — identity (if disclosed), facts, timestamps, follow-up actions. Data minimisation under Art. 5 para. 1 lit. c GDPR. See also: DPIA reporting office.

Three-layer model: general (What is HinSchG?), specific (How does one report?), managerial (How do I react to reports?). Our HinSchG training covers all three.

Strict confidentiality of their identity until confirmation of the report — afterwards, information as soon as the investigation permits (Art. 14 GDPR). The accused's right of access is limited as long as it would endanger clarification.

No. § 22 HinSchG governs the external reporting office at the Federal Cartel Office (competition law/DMA), not an audit obligation — and there is no deadline of 1 January 2026. An annual effectiveness self-review of the internal reporting office is best practice (NOT a statutory obligation). Details: HinSchG updates 2024–2026.

Yes, from 50 employees. Obligated areas are especially EU procurement (funding partners!), data protection and donation compliance. See also: NPO practice.

Obligation to process anonymous reports (previously should), halving of fines (§ 40 = EUR 50,000 instead of EUR 100,000; via § 30 OWiG up to EUR 500,000 for legal persons), clarification of group interpretation (EU INFR(2024)0157), 3-year limitation period. An annual effectiveness self-review of the reporting office is best practice — NOT a statutory obligation.

Anti-Discrimination (AGG) & EU Pay Transparency — 18 questions

Anti-discrimination, pay gap, BAG case law

Yes. § 12 para. 2 AGG obliges employers to take preventive measures, including training — as a precondition for the liability privilege. Without documented training, you lose the contributory-fault argumentation in litigation.

§ 15 para. 4 AGG: Compensation and damages claims under AGG must be asserted in writing within 2 months of becoming aware of the disadvantage — otherwise forfeiture. Documentation trap no. 1 in recruiting lawsuits.

From 7 June 2026: pay report obligation from 100 employees, right of information for all employees, gender-neutral job evaluation, joint pay assessment from 5 % unexplained pay gap. Implementation in DE through EntgTranspRL-UmsG. See also: Detail.

Every employer. As soon as the applicant/employee presents indications of a disadvantage, the employer must prove that no violation occurred. Indications can be statistical anomalies, job-advertisement wording, selection documentation. See also: § 22 in detail.

(1) race / ethnic origin, (2) gender, (3) religion / worldview, (4) disability, (5) age, (6) sexual identity, (7) — the last is not independent in the AGG but, under EU law, covers all grounds mentioned in Directive 2000/78/EC.

Describe the activity objectively, avoid neutralising terms („dynamic“ → „flexible“), no age limits, (m/f/d) designation, no numerical language or appearance requirements. Our job-ad audit reviews 18 BAG indicators.

Gender-neutral designation under § 11 AGG in conjunction with BAG 8 AZR 501/14: male, female, diverse. Mandatory in job postings — also for pure email searches or social recruiting.

Mandatory under § 13 AGG for every employer — regardless of headcount. It must be made known and staffed. See also: Complaints-office workflow.

Job-ad wording („career starter“, „young team“, „accent-free“), statistical under-representation of women/older candidates in selection/promotion, missing or superficial selection documentation, oral justifications such as „does not fit the team“.

Algorithmic discrimination in recruiting is subject to the § 22 AGG reversal of the burden of proof: indications (e.g. statistical anomalies in selection outputs) suffice — the employer must provide full proof of non-discrimination. Core point: anyone who deploys AI in recruiting assumes its bias. See also: Legal situation and consequences.

EU Pay Transparency Art. 10: if the pay gap between men and women per comparison group exceeds 5 % and cannot be explained by objective factors, employers must, together with employee representatives, draw up a systematic analysis + action plan.

Mean/median comparison of gross hourly wages per comparison group (equal or equivalent work). Comparison groups are formed by job evaluation. See also: Pay-gap calculation in practice.

Under AGG: no entitlement to a justification of the rejection (BAG: would undermine the reversal of the burden of proof). Under Pay Transparency Directive from 7 June 2026: applicants must receive the salary range and the individualised criteria before the interview.

AGG does not provide for fines in the classical sense — the sanction is damages to applicants/employees. Usual BAG levels: 1–3 gross monthly salaries per AGG-Hopper (applicant proceedings); in promotion/dismissal cases, five-digit to six-digit amounts.

A person who systematically applies for jobs not seriously intended in order to collect damages through AGG lawsuits. Courts recognise the abuse — but the burden of proof lies with the employer. See also: Defence packages and audit checklist.

Yes. § 22 AGG (reversal of burden of proof) + Annex III AI Regulation (HR is high-risk) compel: bias audit, regular effectiveness review, documented human oversight. See also: Safeguards.

EntgTranspG (DE, since 2017): individual right of information from 200 employees. EU Pay Transparency (Directive 2023/970, from 7 June 2026): comprehensive obligations from 100 employees + applicant information + joint pay assessment. The EU law does not replace the EntgTranspG but extends it.

§ 12 para. 2 AGG: preventive training for all employees, documented. EU Pay Transparency Art. 11: specific training for recruiting / HR / pay decision-makers on gender-neutral evaluation criteria. Both are covered by our AGG training.

Question not answered?

Write to us — we respond within 24 hours on business days.
