ATTOH EU builds the diagnostic instruments and operational workflows that sit between European regulators and the operators who must comply with them.
The EU AI Act, GDPR, Digital Services Act, NIS2, VAT-OSS — Brussels is producing more enforceable regulation than any other jurisdiction, and most operators are still reading newspaper summaries instead of the OJ text. We sit with the OJ text. We turn it into ten-minute gap analyses, in-house DSAR workbenches, VAT-OSS routing engines, and DSA mappers. UK-built, EU-focused, GDPR-respecting from the outset.
The diagnostic outputs below are anonymised by client. They illustrate the shape of an EU regulatory mandate — not the operator. Excerpts of the underlying regulation appear in mono panels.
Annex III(5)(b) — "AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud." — Regulation (EU) 2024/1689
Each tool is anchored to a specific piece of EU regulation — adopted, not summarised. The diagnostic produces an output you can hand to in-house counsel or to a Member State regulator.
Ten-question diagnostic mapping your AI system to Annex III categories. Returns risk class (unacceptable / high / limited / minimal), Article-by-Article obligations, and a 12-point remediation pack.
Reference: Regulation (EU) 2024/1689 — Annex III. Live since 2026 Q2.
Subject-access request workflow — intake form, identity verification, scope-of-search builder, response template with redaction layer, full audit trail to demonstrate Art. 12(3) compliance.
Reference: Articles 12–22, Regulation (EU) 2016/679. Workbench includes BSI 4575:2024 logging.
Cross-border VAT routing — IOSS for low-value imports, OSS for B2C distance sales, place-of-supply rules per Article 33/33a, EU consumer-threshold tracking, MS-of-identification logic.
Reference: Council Directive (EU) 2017/2455 + Article 33/33a VAT Directive. Real-time HMRC integration.
Digital Services Act mapper — VLOP/VLOSE classification, transparency report skeleton, trusted-flagger workflow, single-point-of-contact registration. For platforms, marketplaces and hosting services.
Reference: Regulation (EU) 2022/2065. Article 11, 22, 24, 25 mapping.
NIS2 entity-class diagnostic (essential / important / out-of-scope) + 21-control gap audit. National CSIRT registration support. Sector-specific deep-dive for the 18 NIS2 sectors.
Reference: Directive (EU) 2022/2555. 21 cybersecurity risk-management measures under Art. 21.
Digital Markets Act watch-list — gatekeeper thresholds (€7.5bn EU annual revenue / €75bn market cap), supplier-side adjacent obligations, MS-of-establishment compliance triggers.
Reference: Regulation (EU) 2022/1925. Art. 3 designation thresholds.
ATTOH EU exists because the European Union is producing more enforceable digital regulation than any other jurisdiction — and the operators most affected by it are still reading press releases instead of the OJ text.
The EU AI Act runs to 144 articles and 13 annexes. The GDPR is 99 articles. The DSA is 93 articles. NIS2 has 21 cybersecurity controls split across two entity classes and 18 sectors. VAT-OSS rewrote cross-border B2C VAT in 2021 and most UK D2C brands still file IOSS wrong. This is not optional reading. It is the operating manual of the regulated continent.
We track each regime on its own calendar — Commission proposals, Parliament amendments, Council positions, OJ publication, Member State transpositions, supervisory authority guidance. The diagnostic instruments are calibrated to the regulation as adopted, not to a journalist's summary of it. The roadmap is sequenced against enforcement dates: EU AI Act first because the high-risk class applies from 2 August 2026; NIS2 next because Member State transposition deadlines have already passed.
We are not a law firm. We do not write formal legal opinions. We build the diagnostic instruments that sit between the regulator and the operator — the gap analyses, the workbenches, the routing engines — and we hand the outputs to in-house counsel or to outside Supreme Advisory strategists when the brief calls for it. The plumbing is supplied by ATTOH Tech; the legal interpretation stays human.
If your business has EU exposure, the EU regulatory cycle now writes part of your roadmap. We help you read it.
We don't sell hours. The gap analyses are free. The tools are per-month, per-controller, per-entity — never per-call.
Ten-minute diagnostic. No email gate. Returns Annex III classification + 12-point remediation pack.
Combined GDPR + DSA + NIS2 + VAT-OSS coverage for operators with stacked-regime exposure.
Single-regime watch-list — Commission proposals, Parliament amendments, MS transpositions tracked for your stack.
Cross-cutting EU AI Act + GDPR + DSA + NIS2 audit for operators with combined exposure. 12-week container.
No discovery deck, no procurement theatre. Run the free diagnostic first. If the output surfaces real exposure, we agree a brief inside a week.
Ten-minute EU AI Act gap analysis. No email gate. Output PDF you can take to in-house counsel or to a supervisory authority.
45 minutes by Zoom. We walk through the diagnostic output, identify stacked exposure (GDPR, DSA, NIS2, VAT-OSS), agree the priority regime.
One-page brief inside five working days. Tool deployment plan, sequencing against enforcement dates, fee, named analyst.
DSAR workbench, VAT-OSS routing, DSA mapper or NIS2 audit — deployed within 14 days of brief signature. Inside your environment, with your data.
Monthly briefing — OJ scan, supervisory authority guidance, Member State transposition diff, control-gap remediation progress.
Quarterly stacked-regime audit. Cross-cutting risk review. Output handed to your in-house counsel or to Supreme Advisory for board-level escalation.
"Most operators with EU exposure have spent two years reading press releases about the EU AI Act. They have never opened the OJ text. The job is not to be alarmist — it is to read the regulation, work out the actual obligation, and build the tool that turns the obligation into a workflow. Adopted text first, journalism never."
— ATTOH EU
Twelve years between Brussels and London — Commission stagiaire, EU public-affairs counsel, in-house regulatory analyst for a UK fintech. Built ATTOH EU inside AMAYA Holdings in 2024 because the diagnostic-instrument layer between regulator and operator simply did not exist. UK-built, EU-focused, GDPR-respecting by construction.
We do not ask clients for testimonials and we do not publish them by name. The reflections below are shared with permission at the close of the audit or after a regulatory milestone.
We ran the EU AI Act diagnostic on a Friday afternoon. By the following Tuesday we had a remediation roadmap that mapped every obligation to a specific engineering ticket. The clarity was the value — finally, an instrument calibrated to the OJ text.
We had a 42-DSAR backlog and four weeks before our supervisory authority deadline. The workbench cleared the backlog inside 30 days. The audit trail alone justified the cost.
The VAT-OSS migration was the cleanest cross-border tax migration we've done. IOSS for low-value imports, OSS in Ireland for distance sales, place-of-supply logic per Article 33. Six months later, zero VAT corrections.
We needed a DSA Article 11 single-point-of-contact, a transparency report skeleton and a trusted-flagger workflow live in 60 days. The mapper delivered all three plus the legal-counsel handover pack.
If the answer isn't here, the conversation is the right venue. We reply personally inside 48 hours.
We sequence the regimes by enforcement date and by stacked exposure. The list below is the regulatory perimeter of the practice as of this year — anchored to OJ text, updated quarterly.
Regulation (EU) 2024/1689. High-risk class enforceable from 2 August 2026. Annex III categories, conformity assessment, post-market monitoring, transparency obligations. Our priority surface.
Regulation (EU) 2016/679. Articles 12-22 (data subject rights), Article 33 (breach notification), Article 35 (DPIA), Articles 44-50 (international transfers). DSAR workbench is the operational instrument.
Regulation (EU) 2022/2065. Articles 11 (single point of contact), 22 (trusted flaggers), 24 (transparency reports), 25 (online interface design). DSA mapper is the operational instrument.
Directive (EU) 2022/2555. 21 cybersecurity risk-management measures, entity-class scoring (essential vs important), national CSIRT registration. Posture audit is the operational instrument.
Council Directive (EU) 2017/2455 + 2020/284. OSS for distance sales, IOSS for low-value imports, Article 33/33a place-of-supply rules. €10k EU threshold trigger. Routing engine is the operational instrument.
Regulation (EU) 2022/1925. Gatekeeper thresholds (€7.5bn EU annual revenue / €75bn market cap), Article 3 designation criteria, supplier-side adjacent obligations. Watch-list — not a tool surface yet.
EU regulation lands as Regulations (directly applicable) or Directives (transposed into national law). The list below is the Member State transposition status we track for the regimes most relevant to our clients. Updated quarterly.
NIS2 transposed via NIS2UmsuCG with substantive deviations from the Directive (sector classifications). BfDI is among the most active GDPR supervisors. Federal AI Act competent authority still being formed at BSI.
CNIL is the most active GDPR enforcer by fine volume in the EU. ARCOM is the DSA designated authority. French AI Act coordinator role assigned to CNIL with a sector-led approach.
AEPD applies a strong sectoral discipline on GDPR. CNMC handles digital markets. Spanish AI Sandbox Authority (AESIA) is the first dedicated national AI agency in the EU.
AP (Autoriteit Persoonsgegevens) takes a precise, principles-based GDPR enforcement line. ACM is the DSA designated authority. The Dutch government has appointed RDI as AI Act national competent authority.
DPC is lead supervisory authority for most major cross-border GDPR cases due to MS-of-establishment rules. Coimisiún na Meán is the DSA designated authority. AI Act competent authority shared across departments.
Garante per la Protezione dei Dati Personali is the GDPR supervisor and has been particularly active on AI-related GDPR enforcement (including the 2023 ChatGPT ban). AGCOM handles DSA.
EU regulation lands by milestone — Commission adoption, OJ publication, entry into force, application date, Member State transposition. We sequence client work against the milestones that matter most for the operator.
2 August 2026 — high-risk AI systems (Annex III) become subject to the full obligation set: risk management, data governance, conformity assessment, post-market monitoring, transparency.
Following October 2024 transposition deadlines, Member State supervisory authorities are now running first-cycle inspections on essential and important entities. Many MS started in Q1 2026.
National Digital Services Coordinators ramp up enforcement against non-VLOP intermediary services. Single-point-of-contact and trusted-flagger workflows must be in place.
2 August 2027 — full general-purpose AI model obligations apply to providers, including systemic-risk models. Code of Practice signatories transition to the binding regime.
Cross-border GDPR enforcement is processed via the EDPB consistency mechanism. Lead supervisory authority disputes between MS run continuously; we track them per case for clients with multi-MS exposure.
The €10,000 EU consumer threshold is calculated per calendar year and per supplier. Crossing the threshold mid-year triggers OSS registration in the MS of identification within 10 days.
Every regime has its own dialect. The terms below are the ones that turn up across most operator briefs.
DSA Art. 33 designation — platforms with average monthly EU users ≥ 45 million. Tighter due-diligence obligations than non-VLOP intermediary services. Designated by the Commission.
National authority designated by each Member State under DSA Art. 49 to coordinate DSA enforcement domestically. Most MS appointed by Feb 2024; a small number still in flux.
GDPR Art. 4(16) concept that determines lead supervisory authority. Critical for cross-border controllers: typically where central administration sits. Disputes resolved via EDPB consistency.
EU AI Act Art. 3(63) concept covering foundation-model providers. Systemic-risk GPAI carries additional obligations under Art. 55. Full obligations apply from 2 August 2027.
ATTOH EU exists because the EU is producing more enforceable digital regulation than any other jurisdiction — and most operators are still reading newspaper summaries. We read the OJ text and build the tools.
If your priority is the EU AI Act, run the free diagnostic first — the output is what we'll be talking about on the call. For GDPR, DSA, NIS2 or VAT-OSS, send the rough shape of the operator (jurisdictions, size, sector) and we'll point at the right tool.
Adopted text only. GDPR-respecting from the first email. No email gate on the gap analysis.