Built for professional services

ComplyOne-Practice

Your clients trust you. Your compliance should be watertight.

Client data, contracts and digital tools create GDPR, FADP and NIS2 obligations that are increasingly scrutinised. ComplyOne maps every requirement to your firm — without the legal jargon.

Why professional services firms cannot afford ad-hoc compliance

Consultancies, law firms and advisory practices process exactly the kind of data regulators care about most: client identities, sensitive case files, financial records, employee data, and increasingly AI-generated work product. The combination of professional confidentiality and regulatory compliance is unforgiving — gaps surface during client due diligence, professional indemnity claims, or supervisory inspections, by which point the reputational damage is real.

What's included in ComplyOne-Practice

The regulations that matter most for consultancies, law firms and professional services firms — covered, mapped to your business, and tracked over time.

GDPR

Client data, employee records, marketing databases — controller obligations across every flow. Privacy notices, lawful basis, retention, subject access requests.

Swiss FADP

Swiss-resident clients trigger FADP regardless of where your firm sits. Personal liability up to CHF 250 000 for senior decision-makers.

EU AI Act

AI-assisted document review, contract analysis and research tools — the firm is the deployer with Article 26 obligations from August 2026.

NIS2

Firms supplying essential and important entities are increasingly pulled into NIS2 supply-chain obligations through client contracts.

How ComplyOne-Practice works

1. Onboard in minutes

Answer 5 questions about your business — sector, locations, data flows. No account needed for the free check.

2. Get your compliance map

See exactly which regulations apply to your business, where the gaps are, and what severity each carries.

3. Act on it

A prioritised task list, document templates, and an audit-ready evidence pack — guided through to a defensible compliance baseline.

Daily regulatory horizon scanning

ComplyOne scans EU regulatory sources every day — directives, implementing acts, regulator guidance, enforcement notices. When something changes that affects your obligation map, you get a structured alert: what changed, why it applies to you, and what you need to do. No more discovering enforcement deadlines from a news headline.

How consultancies, law firms and professional services firms should approach compliance

1. Document the lawful basis for every client and matter

Professional services firms typically have multiple lawful bases active at once — contract for retained work, legitimate interest for marketing, legal obligation for AML, consent for some optional processing. Misclassify the basis and the entire downstream programme is exposed.

2. Sign DPAs with every digital tool you use

Practice management software, e-discovery vendors, document AI, billing platforms, knowledge bases — every one is a processor under GDPR Article 28 / FADP Article 9. Most firms have signed DPAs for the obvious vendors and missed half a dozen smaller ones.

3. Classify your AI tools under the AI Act

AI used to make or materially influence decisions about people — recruitment, performance, credit, insurance — is high-risk. AI used purely to assist a qualified professional (drafting, summarisation, research) is generally lower-risk but still requires transparency and human-oversight controls.

4. Map your supply chain for NIS2

If your firm advises essential or important entities (energy, transport, finance, health, digital infrastructure), expect NIS2 supply-chain security clauses in your engagement letters. Pre-empt the conversation with documented controls rather than reacting under deadline.

5. Build an audit-ready evidence pack

Professional indemnity insurers, regulators (where applicable), and increasingly clients themselves audit compliance posture. ComplyOne maintains the evidence pack — policies signed and dated, training logs, vendor DPAs, breach records, retention enforcement — so audits do not derail billable hours.

Swiss-hosted

All data hosted in Switzerland — outside US data-access frameworks.

10 EU regulations

GDPR, AI Act, NIS2, DORA, FADP, UK GDPR, Data Act, CSRD, AMLR, CRA — one platform.

Daily horizon scanning

Regulatory changes alerted, mapped to your obligations, every day.

Frequently asked questions

We are a small consultancy. Do all these regulations really apply?

Most do. Any firm processing personal data of EU/Swiss/UK residents is in scope for GDPR, FADP or UK GDPR — including your own employee and client data. The AI Act applies the moment you use AI tools to support fee-earning work. NIS2 reaches you contractually if you supply regulated entities. The size of the firm affects the intensity, not the applicability.

We rely on professional confidentiality. Doesn't that override GDPR?

No — they coexist. Professional confidentiality (legal privilege, attorney-client, professional secrecy) is a separate legal regime that limits disclosure obligations. GDPR still applies to how you collect, store, secure, retain and dispose of the underlying personal data. The two frameworks need to be reconciled, not chosen between.

How does the AI Act affect a law firm using AI for document review?

AI-assisted research, drafting and document review where a qualified professional reviews and validates each output is generally lower-risk. But the moment AI produces output relied upon directly without meaningful review, or where it influences decisions about people, the obligations escalate. ComplyOne classifies your specific AI use cases and maps the obligations accordingly.

Where does NIS2 fit for a professional services firm?

NIS2 directly applies only to essential and important entities in defined sectors. Most professional services firms are not directly in scope. But firms supplying those entities — providing IT, security, legal or operational advice — are increasingly required to demonstrate equivalent security controls through supply-chain clauses in client contracts.

How quickly can a firm get up and running?

The compliance check takes about 5 minutes per practice and produces an immediate map of applicable regulations. Most firms reach a defensible compliance baseline in two to three weeks of structured work — much faster than building the equivalent from scratch with external counsel.

See where you stand — in 60 seconds

Free compliance check, no signup required. Get your obligation map and gap report instantly.