
The EU Compliance Stack for SMEs: EAA + NIS2 + AI Act Without €50K/Year Tools


European SMEs are facing three major regulations simultaneously — the European Accessibility Act (EAA), the NIS2 Directive, and the AI Act. Enterprise compliance tools cost $15,000-80,000/year. Most SMEs can't afford that. Here's a practical stack of open source and affordable SaaS tools that actually work.

The Three Regulations

European Accessibility Act (EAA)

  • In force since June 28, 2025
  • Fines up to €300K (Spain), €500K (Germany), €900K (Netherlands)
  • Covers web, mobile apps, banking, e-commerce, transport, media

NIS2 Directive

  • Transposition deadline: October 2024 (most EU states missed it, including Spain)
  • Fines up to €10M or 2% of global revenue
  • Affects ~160K entities across the EU (50+ employees in 18 sectors)

EU AI Act

  • High-risk provisions from August 2026
  • Fines up to €15M or 3% of global revenue
  • Applies to AI systems in employment, credit, education, justice, etc.

Total potential exposure: up to €25M+ in combined fines for a single SME.

The Enterprise Tools (And Why They Don't Work for SMEs)

Vanta

  • Pricing: $10K-80K/year (median contract $20K)
  • Covers: SOC 2, ISO 27001, NIS2 (recent), EU AI Act (recent)
  • Problem: US-centric, expensive, NIS2/AI Act are afterthoughts

Drata

  • Pricing: $7.5K-100K/year
  • Covers: SOC 2, ISO 27001, HIPAA, NIS2
  • Problem: Similar issues as Vanta, renewal prices balloon

Credo AI (AI governance)

  • Pricing: Six figures/year
  • Covers: AI Act, NIST AI RMF, ISO 42001
  • Problem: Enterprise-only, no accessibility features

Holistic AI

  • Pricing: Custom enterprise
  • Covers: AI governance with EU focus
  • Problem: Enterprise-only

None of these cover all three regulations in one place. None of them address Article 16(l) (the accessibility requirement for high-risk AI). And none of them are affordable for a team of 5-50 people.

The SME Stack That Works

Here's what we recommend for an SME (5-50 employees) in the EU:

Layer 1: Open Source Foundation (free)

For accessibility (EAA):

  • axe-core — The industry standard accessibility testing engine (MPL-2.0). Used by Google Lighthouse, Microsoft, GitHub. Catches ~57% of WCAG issues through automated scanning.
  • Pa11y — CLI wrapper around axe-core for CI/CD integration.
  • NVDA (free screen reader for Windows) — for manual testing.
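As an added example (not code from this post or from the axe-core or Pa11y projects), here is a small Node.js gate that reads axe-core's JSON results and fails a CI step when any critical or serious violation remains, the same threshold the roadmap's "quick wins" month uses. It assumes the results shape axe-core returns from axe.run() (violations with id, impact, help and nodes) and embeds a constructed sample so it runs offline.

```javascript
// Added example, not from the post or the axe-core/Pa11y projects: gate a CI
// step on axe-core's JSON output. Assumes the shape axe-core returns from
// axe.run(): { violations: [{ id, impact, help, nodes: [{ target }] }] }.
// axe leaves impact null for a few rules, so that case is handled explicitly.

const BLOCKING_IMPACTS = new Set(["critical", "serious"]);

// Constructed sample results (not a real scan) in axe-core's shape, so the gate runs offline.
const SAMPLE_RESULTS = {
  url: "https://example.invalid/",
  violations: [
    { id: "image-alt", impact: "critical", help: "Images must have alternate text",
      nodes: [{ target: ["img.hero"] }, { target: ["img.logo"] }] },
    { id: "color-contrast", impact: "serious", help: "Elements must have sufficient color contrast",
      nodes: [{ target: ["p.footer-note"] }] },
    { id: "region", impact: "moderate", help: "All page content should be contained by landmarks",
      nodes: [{ target: ["div#main"] }] },
    { id: "hypothetical-rule", impact: null, help: "Constructed entry with no impact rating",
      nodes: [{ target: ["span.x"] }] },
  ],
};

// Count violations per impact level and collect the ones that block the build.
function gateAxeResults(results, blocking = BLOCKING_IMPACTS) {
  const byImpact = { critical: 0, serious: 0, moderate: 0, minor: 0 };
  const blockers = [];
  for (const v of results.violations ?? []) {
    const impact = v.impact ?? "minor"; // unrated rules count as minor, never as blocking
    byImpact[impact] = (byImpact[impact] ?? 0) + 1;
    if (blocking.has(impact)) {
      blockers.push({ id: v.id, impact, nodes: (v.nodes ?? []).length, help: v.help });
    }
  }
  return { pass: blockers.length === 0, byImpact, blockers };
}

// Human-readable lines for the CI log, most severe first, then the verdict.
function formatReport(report) {
  const order = ["critical", "serious", "moderate", "minor"];
  const lines = [...report.blockers]
    .sort((a, b) => order.indexOf(a.impact) - order.indexOf(b.impact))
    .map((b) => `${b.impact.toUpperCase()}: ${b.id} on ${b.nodes} node(s) - ${b.help}`);
  lines.push(`impact counts: ${JSON.stringify(report.byImpact)}`);
  lines.push(report.pass ? "accessibility gate: PASS" : "accessibility gate: FAIL");
  return lines;
}

// In CI, replace SAMPLE_RESULTS with JSON.parse(fs.readFileSync(resultsPath, "utf8"))
// and set process.exitCode = report.pass ? 0 : 1 so the pipeline stops on blockers.
const SAMPLE_REPORT = gateAxeResults(SAMPLE_RESULTS);
formatReport(SAMPLE_REPORT).forEach((line) => console.log(line));
```

Moderate and minor findings are still counted and logged, so the gate raises the bar without hiding the backlog that the manual NVDA pass and later fixes should cover.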

For AI Act:

For NIS2:

For documentation:

  • Markdown + Git — Version-controlled compliance documentation.
  • Pandoc — Convert to PDF for auditors.

Estimated cost: €0. Estimated time investment: 2-4 weeks to learn and implement.

Layer 2: Affordable SaaS (€49-149/month)

If you don't have the bandwidth to roll your own, affordable SaaS options exist:

Regulia (disclaimer: we built this)

  • €49/mo (Starter): EAA only
  • €149/mo (Professional): EAA + NIS2 + AI Act
  • Built on top of eucompliance (so the engine is open source)
  • Covers: automated scanning, AI classifier, NIS2 assessment, AI Act conformity, generated policies, PDF reports
  • 14-day free trial

Cyberday (NIS2 focus, not accessibility)

  • €250/mo (under 20 employees)
  • 70+ compliance frameworks including NIS2
  • EU-native (Finland)
  • No AI Act or EAA coverage

DataGuard (NIS2 + AI Act, no EAA)

  • Custom quotes
  • Strong in DACH market
  • Consulting-heavy

Our honest take: If you only need NIS2, Cyberday is excellent. If you need all three regulations in one place without paying enterprise prices, Regulia is the only option right now (because we built it). If you want to avoid SaaS entirely, the open source stack works but takes longer.

Layer 3: Consulting (when needed)

For complex cases, you'll still need occasional human expertise:

  • Initial gap assessment — €2K-5K one-time
  • Annual review — €1K-3K
  • Crisis response (incident, audit, lawsuit) — €5K-20K

Budget 20% of your compliance spend for consulting. Don't try to be 100% DIY on legal interpretation.

A Realistic Compliance Roadmap for a 15-Person SME

Let's make this concrete. Imagine a 15-person Spanish SaaS company:

Month 1: Scoping

  • Determine which regulations apply
  • Identify AI systems (if any) and classify them
  • Map sectors against NIS2 Annexes

Month 2: Quick wins

  • Run first accessibility scan with axe-core
  • Fix critical and serious violations
  • Implement MFA everywhere (NIS2 basics)

Month 3: Documentation

  • Draft 8 core NIS2 policies (Regulia generates these)
  • Publish accessibility statement
  • Document AI risk classification (if applicable)

Month 4: Processes

  • Incident response playbook
  • Backup and disaster recovery testing
  • Supplier risk inventory

Month 5: Technical controls

  • Implement logging and monitoring
  • Automated vulnerability scanning
  • Business continuity testing

Month 6: Review

  • Gap assessment
  • Consulting review (external)
  • Plan for year 2

Total cost (external):

  • Open source tools: €0
  • Regulia Professional: €149 × 6 = €894
  • Consulting (gap assessment + review): €3,000
  • Total: ~€3,900

Compare to:

  • Vanta: $20,000+/year
  • Drata: $15,000+/year
  • Consulting-only: €15,000-30,000

The Accessibility Gap Everyone Ignores

If you're building or deploying AI systems, there's one obligation you probably don't know about: Article 16(l) of the EU AI Act requires high-risk AI systems to comply with EAA accessibility requirements.

No AI governance tool — open source or commercial — implements this. Not Credo AI. Not Holistic AI. Not Vanta. Not even the EU Commission's compliance checker.

This is why we built the accessibility-bridge package. It maps AI Act articles to EN 301 549 clauses and generates AI Accessibility Impact Assessments (AAIA).

When your high-risk AI system gets audited, you'll need evidence of Article 16(l) compliance. Most providers won't have it. Don't be one of them.

Common Pitfalls

1. Starting with documentation

Many SMEs start by writing policies and documentation. This is wrong. Start with technical reality: run scans, identify gaps, fix critical issues. Documentation follows.

2. Buying an overlay widget

Widget vendors (accessiBe, UserWay) promise one-line compliance. They don't work. The EU Commission rejects them. The FTC fined accessiBe $1M. Don't do this.

3. Treating compliance as a project

Compliance is ongoing. Every deployment, every hiring decision, every supplier change affects your compliance status. Build it into your regular operations, not a one-off project.

4. Ignoring the overlap

NIS2 and GDPR overlap ~55%. NIS2 and ISO 27001 overlap ~75%. If you already have GDPR or ISO 27001, your NIS2 gap is smaller than you think. Don't start from scratch.

5. Being scared into paralysis

The combined regulations look intimidating. They're manageable if you break them down. Start with one regulation, get it working, then add the next. Don't try to do everything at once.

A Simple Decision Tree

Do you have 10+ employees with €2M+ revenue?

  • No → EAA microenterprise exemption applies
  • Yes → EAA applies to your web/products

Are you in a NIS2 sector (energy, transport, finance, health, digital, etc.)?

  • No → NIS2 doesn't apply
  • Yes, but < 50 employees → NIS2 doesn't apply (unless you're in "essential" sectors)
  • Yes, 50+ employees → NIS2 applies

Do you build or deploy AI systems?

  • No → AI Act doesn't apply (for now)
  • Yes → Classify them. Most are minimal risk. If any fall into Annex III, AI Act applies.

Match your answer to the stack:

  • EAA only → Open source axe-core + €49/mo Regulia Starter
  • NIS2 only → Cyberday or open source NIS2 toolkit + ENISA guidance
  • AI Act only → eucompliance toolkit + consulting for conformity assessment
  • All three → Regulia Professional (€149/mo) or self-rolled stack

The Bottom Line

EU compliance for SMEs is possible without paying enterprise prices. The open source ecosystem is mature for accessibility, nascent for NIS2, and emerging for AI Act. Affordable SaaS fills the gaps.

What you shouldn't do:

  • Pay €20K+/year for tools built for 1000-person companies
  • Install overlay widgets and pretend you're compliant
  • Ignore the regulations until someone audits you
  • Start with documentation instead of technical reality

What you should do:

  • Scan your website with axe-core this week
  • Classify any AI systems with the free classifier
  • Do a NIS2 gap assessment with ENISA guidance
  • Publish honest compliance statements
  • Budget for consulting at critical decision points

The regulations are here. The enforcement is starting. SMEs don't have to lose just because they don't have €50K/year for compliance tools.


Regulia is an open source EU compliance platform built for SMEs. We use the open source eucompliance toolkit as our engine. Try the free scanner or star the repo if you find it useful.
