Legal Tech & GRC Department
Lawyers, engineers, and GRC consultants — under one roof
Our Legal Tech department brings together lawyers, GRC consultants, and cybersecurity engineers with deep expertise in EU digital and industrial regulation. We work end-to-end: from regulatory scoping and gap assessment through documentation, training, and ongoing compliance support — for NIS2, GDPR, AI Act, Cyber Resilience Act, and the EU Machinery Regulation.
The NIS2 Directive imposes measurable security obligations on thousands of organisations. Knowing you are in scope is not enough: you need formal classification, risk analysis, technical and organisational measures, incident reporting procedures, and an operational CSIRT Contact Point. We guide you from assessment to full compliance.
116
mandatory security measures for essential entities
10M€
maximum fine for essential entities
24h
for the initial notification to CSIRT-IT
18
regulated sectors (Annexes I and II)
When you need it
01
You are in scope for NIS2 and don't know where to start
You have not yet verified whether you qualify as an essential or important entity, or you have not yet initiated the formal compliance process.
02
You are a critical supplier to NIS2 entities
Your clients require NIS2 compliance evidence as a contractual condition or supply chain requirement.
03
You have started the process but have gaps to address
You have received the results of an assessment and need technical and documentary support to implement the missing measures.
04
You need to appoint an external CSIRT Contact Point
You need a qualified, 24/7-available professional as the Representative with CSIRT-IT for significant incident notifications.
External CSIRT Contact Point — an AptGetDefence specialism
We field experienced referents who act as your organisation's external CSIRT Contact Point under NIS2. Our team handles mandatory early warnings and formal notifications to CSIRT-IT, coordinates with authorities during significant incidents, and ensures your incident response meets the 24-hour and 72-hour deadlines. Available 24/7.
What we do
- Formal entity classification (essential / important / out of scope)
- Gap assessment of the 219 NIS2 security measures
- Risk analysis using a structured methodology
- Definition and implementation of technical and organisational measures
- Drafting of security policies, procedures, and response plans
- Mandatory incident reporting procedures to CSIRT-IT
- Appointment and operation of the CSIRT Contact Point (external service)
- Awareness training for staff and management
What you receive
- Classification report with formal justification
- Complete gap assessment of the 219 measures
- Documented and updatable risk analysis
- Compliance roadmap with priorities and timelines
- Documentation package: policies, procedures, operational plans
- CSIRT-IT notification procedures (early warning, notification, final report)
- External CSIRT Contact Point contract (if required)
- Ongoing support in the event of a significant incident
Target
CEO / DG
Legal & Compliance
IT Manager
CISO / DPO
Operations
Supply Chain Manager
FAQ
Who is subject to the NIS2 Directive?
Organisations operating in the 18 regulated sectors (energy, transport, banking, healthcare, digital, etc.) that exceed certain size thresholds are in scope. Some categories are in scope regardless of size. Classification must be verified formally: self-assessment alone is not sufficient.
What happens if you do not comply?
Fines range from €7M (important entities) to €10M or 2% of global turnover (essential entities). In addition to financial penalties, if a significant incident is not properly managed, management may be held personally liable.
How long does a NIS2 compliance programme take?
The initial gap assessment takes 2–4 weeks. The full compliance programme ranges from 3 to 9 months depending on the organisation's maturity and the number of gaps identified. We can also support only the documentary phase or only the assessment.
GDPR (Regulation EU 2016/679) sets strict obligations on any organisation processing personal data of EU residents. Our Legal Tech department helps you map data flows, build your Records of Processing Activities, conduct Data Protection Impact Assessments, and design breach notification procedures — whether you need a full compliance programme or targeted support.
72h
to notify the supervisory authority of a personal data breach
4%
of global annual turnover or €20M — maximum fine
2018
in force since May 2018 — still one of the most enforced EU regulations
+1K
enforcement actions by EU supervisory authorities in 2024
When you need it
01
You have not mapped your data processing activities
You lack a Records of Processing Activities (RoPA), cannot demonstrate data minimisation, or have not classified your processing operations by legal basis.
02
You have suffered or suspect a personal data breach
A data breach may trigger mandatory notification to the supervisory authority within 72 hours and, in some cases, to affected individuals. You need clear procedures and expert support to respond correctly.
03
You are launching a new product or service that processes personal data
Privacy by design and Data Protection Impact Assessments (DPIAs) must be conducted before deployment for high-risk processing activities, not after.
04
You have received a data subject request or regulatory inquiry
Access requests, erasure requests, and objections must be handled within statutory deadlines. Supervisory authority inquiries require a structured, documented response.
What we do
- Records of Processing Activities (RoPA) drafting and maintenance
- Data Protection Impact Assessment (DPIA) for high-risk processing
- DPO appointment and ongoing DPO-as-a-Service
- Breach notification procedure design and tabletop simulation
- Privacy by design review of new systems and services
- Data transfer compliance (SCCs, BCRs, adequacy decisions)
- Vendor and processor due diligence (Data Processing Agreements)
- Awareness training for staff and management
What you receive
- Complete and auditable Records of Processing Activities (RoPA)
- DPIA reports for high-risk processing activities
- DPO appointment letter and contract (external service, if required)
- Breach notification templates (72h to authority, notification to individuals)
- Updated privacy policies, cookie notices, and consent forms
- Data Processing Agreements (DPAs) for your key processors
- Compliance roadmap with priority actions and timelines
- Training records and awareness programme materials
Target
CEO / DG
Legal & Compliance
DPO / Privacy Officer
Product Manager
IT Manager
HR Manager
FAQ
Do I need to appoint a Data Protection Officer (DPO)?
A DPO is mandatory for public authorities, organisations conducting large-scale systematic monitoring, and those processing special category data at scale. Our Legal Tech team conducts the formal assessment to determine whether appointment is mandatory and, if so, can provide the DPO function as an external service.
When must I notify the supervisory authority of a data breach?
A personal data breach that is likely to result in a risk to the rights and freedoms of individuals must be notified to the supervisory authority (in Italy: the Garante) within 72 hours from when you become aware of it. Late or missed notification is one of the most common grounds for GDPR enforcement action.
What is a DPIA and when is it required?
A Data Protection Impact Assessment is mandatory when processing is likely to result in high risk: systematic monitoring of public areas, large-scale processing of special categories (health, biometric, etc.), profiling with significant effects, and other scenarios listed in supervisory authority guidelines. It must be completed before the processing begins.
The EU AI Act (Regulation EU 2024/1689) introduces a risk-based framework for AI systems placed on or used within the EU market. From prohibited AI practices to high-risk systems and General Purpose AI models, our Legal Tech and cybersecurity teams help you classify, document, and comply — before enforcement deadlines hit.
Aug '24
entered into force — obligations phased through 2027
6%
of global annual turnover or €30M — maximum fine
4
risk tiers: prohibited / high-risk / limited risk / minimal risk
Feb '25
prohibited AI practices in force since 2 February 2025
When you need it
01
You develop or deploy AI systems in the EU
Any provider or deployer of an AI system used in the EU needs to understand which tier applies, what obligations are triggered, and by when.
02
Your AI system may fall in a high-risk category
AI systems used in HR, healthcare, critical infrastructure, education, essential services, law enforcement, or justice are presumptively high-risk and require a conformity assessment.
03
You provide a General Purpose AI (GPAI) model
GPAI model providers face transparency, documentation, and — for systemic-risk models — additional obligations including adversarial testing and incident reporting.
04
You need to audit legacy AI systems before enforcement deadlines
Existing high-risk AI systems must be brought into compliance. The window to act before full enforcement (August 2026) is narrowing.
What we do
- AI system inventory and risk tier classification
- Conformity assessment for high-risk AI systems
- Technical documentation drafting (Annex IV)
- Transparency and explainability review
- GPAI model documentation and compliance assessment
- Bias, robustness, and accuracy audit
- Post-market monitoring plan design
- Staff training on AI Act obligations
What you receive
- AI system classification report with legal justification
- Conformity documentation (Annex IV technical file)
- Transparency notices and user information documents
- GPAI model documentation package (if applicable)
- Remediation roadmap for non-compliant or at-risk systems
- Post-market monitoring and incident reporting procedure
- Registration support for the EU AI Act database
- Training materials and awareness records
Target
CEO / CTO
Legal & Compliance
AI / ML Engineers
CISO / DPO
Product Manager
Data Scientists
FAQ
What is a 'high-risk' AI system under the AI Act?
High-risk AI systems are those listed in Annex III of the AI Act: systems used in critical infrastructure, education and training, employment, access to essential services, law enforcement, migration and border control, justice and democratic processes. These require a conformity assessment, technical documentation, and registration in the EU database before deployment.
Do I have obligations if I use a chatbot powered by an LLM?
If an AI system interacts with humans, transparency obligations apply: users must be informed they are interacting with an AI, unless the context makes this obvious. For providers of GPAI models (like large language models), additional documentation and — for systemic-risk models — adversarial testing obligations also apply.
What are the key AI Act enforcement deadlines?
The Act entered into force on 1 August 2024. Prohibited AI practices apply from 2 February 2025. GPAI model rules apply from 2 August 2025. Full obligations for high-risk AI systems under Annex III apply from 2 August 2026, and for Annex I systems from 2 August 2027.
The Cyber Resilience Act (Regulation EU 2024/2847) introduces mandatory cybersecurity requirements for all hardware and software products with digital elements placed on the EU market. Manufacturers, importers, and distributors face new conformity obligations, ongoing vulnerability management duties, and mandatory incident reporting — starting from 2026.
Dec '24
entered into force on 10 December 2024
2.5%
of global annual turnover or €15M — maximum fine
Sep '26
vulnerability and incident reporting obligations apply
Dec '27
full conformity obligations for products with digital elements
When you need it
01
You manufacture or sell hardware or software products in the EU
The CRA covers any product with digital elements — from IoT devices and industrial equipment to desktop software and firmware. You need to determine your classification and obligations.
02
You need to classify your product and prepare for CE marking
Standard products, important products (Class I and II), and critical products face different conformity assessment routes. The correct classification determines whether you can self-certify or need a notified body.
03
You need to set up a vulnerability disclosure procedure
The CRA mandates a coordinated vulnerability disclosure (CVD) policy and requires you to report actively exploited vulnerabilities and incidents to ENISA and your national CSIRT.
04
You need to prepare your SBOM and technical documentation
A Software Bill of Materials and complete technical documentation (Annexes I and II) are required before CE marking. These must be maintained and updated throughout the product support period.
What we do
- Product classification (standard / important Class I & II / critical)
- Cybersecurity risk assessment for the product lifecycle
- SBOM (Software Bill of Materials) preparation
- Vulnerability handling and coordinated disclosure (CVD) policy design
- Conformity assessment support (self-assessment or notified body)
- Technical documentation drafting (Annexes I and II requirements)
- ENISA and CSIRT incident reporting procedure setup
- Secure development lifecycle (SDLC) review and training
What you receive
- Product classification report with legal justification
- Cybersecurity risk assessment document
- SBOM template and initial SBOM for your product
- Coordinated vulnerability disclosure (CVD) policy
- CE marking conformity documentation
- EU Declaration of Conformity template
- Incident reporting procedure (ENISA / national CSIRT)
- Ongoing obligations monitoring plan
Target
CEO / CTO
Legal & Compliance
Product / R&D
CISO
Manufacturing
IoT / Embedded
FAQ
Does the CRA apply to SaaS and cloud services?
Pure SaaS and cloud services that do not constitute a product with digital elements are generally excluded from the CRA. However, if your cloud service includes a downloadable software component or interacts with a product you manufacture, that component may be in scope. Our team can assess your specific architecture and determine what obligations apply.
What is an SBOM and why does the CRA require it?
A Software Bill of Materials is a structured inventory of all software components in a product, including open-source libraries and third-party dependencies. The CRA requires manufacturers to identify, document, and manage all components so that vulnerabilities in any component can be rapidly assessed and remediated across the supply chain.
When do CRA obligations start applying?
The Cyber Resilience Act entered into force on 10 December 2024. Vulnerability reporting and incident notification obligations apply from 11 September 2026. Full conformity obligations — including CE marking requirements for products with digital elements — apply from 11 December 2027.
The EU Machinery Regulation (EU 2023/1230) replaces the Machinery Directive 2006/42/EC from 20 January 2027. For the first time, cybersecurity is explicitly included in the Essential Health and Safety Requirements for machinery. Our team combines safety engineering expertise with GRC and cybersecurity capabilities to guide manufacturers through the transition.
Jan '27
replaces Dir. 2006/42/EC from 20 January 2027
New
cybersecurity in Essential Health & Safety Requirements
CE
CE marking required — conformity assessment updated
2026
time to act: transition planning must begin now
When you need it
01
You manufacture machinery or partly completed machinery for the EU market
All machinery placed on the EU market from 20 January 2027 must comply with the new Regulation. The transition window is shorter than it appears.
02
You need to understand the new cybersecurity Essential Requirements
The new Regulation explicitly requires machinery to withstand cybersecurity threats that could compromise safety functions. You need to understand what this means for your specific products.
03
You need to update your technical file for the new Regulation
Your existing technical file and Declaration of Conformity under Dir. 2006/42/EC will not be valid under the new Regulation. Risk assessments and documentation must be updated to reflect the new requirements, including cybersecurity.
04
You are integrating connected or automated systems into existing machinery
Connectivity substantially increases the attack surface of machinery. Any significant modification that introduces connectivity may trigger a new conformity assessment obligation.
What we do
- Integrated risk assessment (safety + cybersecurity threats, per Annex III)
- Cybersecurity Essential Requirements gap analysis vs. EU 2023/1230
- Technical file update for CE marking under the new Regulation
- Conformity assessment planning (self-assessment or notified body)
- Cybersecurity by design review for new machinery projects
- Liaison with notified bodies for third-party conformity assessment
- Modification assessment: does a change trigger new conformity obligations?
- Training for R&D, safety, and engineering teams
What you receive
- Updated risk assessment with cybersecurity threat matrix
- Gap analysis report vs. EU 2023/1230 Essential Requirements
- Technical file (complete or updated sections)
- Conformity assessment plan with selected route justification
- EU Declaration of Conformity template (updated for new Regulation)
- Cybersecurity control implementation plan
- Corrective action roadmap with priorities and timelines
- Training materials and workshop records
Target
Machinery Manufacturers
Legal & Compliance
Safety Engineers
CISO
R&D / Product
CEO / Operations
FAQ
What cybersecurity requirements does the new Machinery Regulation introduce?
The Regulation introduces explicit Essential Health and Safety Requirements for protection against corruption and unauthorised access, data integrity, and resilience against interference. Connected machinery must be designed so that cybersecurity incidents cannot compromise safety functions — a requirement absent from the 2006 Directive.
If I already have CE marking under Dir. 2006/42/EC, do I need to recertify?
Machinery already placed on the market before 20 January 2027 under the Machinery Directive does not need to be recertified. However, any significant modification after the transition date requires compliance with the new Regulation. New machinery placed on the market from 20 January 2027 must always comply with Regulation EU 2023/1230.
Can you help with both traditional safety and cybersecurity requirements?
Yes. Our team combines qualified safety expertise with our GRC and cybersecurity background. We perform integrated risk assessments that cover both traditional mechanical and electrical safety hazards and cybersecurity threats — addressing the unified approach required by the new Regulation without the need for two separate consulting teams.