Regulation archetype
EU B2B SaaS company with 15-100 employees
An EU B2B SaaS company with 15-100 employees should usually treat GDPR, ISO 27001, SOC 2, and buyer security questionnaires as immediate planning items. NIS2, DORA, EU AI Act, and sector-specific rules can become relevant depending on customers, AI use, and regulated sectors.
Company profile
- A European software company selling B2B SaaS, processing customer and employee personal data, and receiving security questionnaires from larger buyers.
Likely planning items
- GDPR
- ISO 27001
- SOC 2
- NIS2 supply-chain pressure
Possible additional pressure
- DORA
- EU AI Act
- ISO 42001
- PCI DSS
Next steps
- 01 Inventory cloud, identity, code, vendors, and customer data flows.
- 02 Map current security work to GDPR Article 32, ISO 27001, and buyer questionnaire evidence.
- 03 Run the regulation checker to scope NIS2, DORA, AI, and payment exposure.
This page is a practical planning guide, not legal or audit advice. Use it to scope questions before confirming obligations with legal, audit, or regulatory specialists.