Open · sourced · free — CC BY 4.0 + MIT

EU compliance,
as a spec file your AI agent can read.

A sourced framework for GDPR, ePrivacy, the AI Act, the DSA and the DMA. Drop one file into your repo and privacy by design lands from the first commit — no law degree required. And a human checklist for the auditors and lawyers who need one too.

206 checks 15 areas 35 sources GDPR ePrivacy AI Act DSA DMA public beta
requirements/EU-WEB-COMPLIANCE.md
[C-03]  MUST
Requirement: No identifier may be written to
  localStorage, sessionStorage or IndexedDB
  before the user consents.
Applies-if: always.
Acceptance: dump client storage pre-consent,
  all frames → zero identifiers present.
Legal: ePrivacy Art. 5(3); Garante 2021.
# one of 206 — ID · test · law.

Most GDPR checklists are legal essays with nothing you can test, or technical scanners with no legal grounding. This welds the two. Every check has a stable ID, the exact article behind it, a binding level, a risk level, and a concrete test — so you can cite it in a report, a ticket, or a commit.

Pick your door

Three audiences, one source of truth

🧑‍💻 Developers

You don't need to read the law.

Drop one file next to your CLAUDE.md / AGENTS.md and add one line to the instructions. Your coding agent now knows that account deletion must exist, that no tracker fires before consent, that consent boxes can't be pre-ticked — and 200 other things you'd otherwise learn from a fine.

Get EU-WEB-COMPLIANCE.md
⚖️ Lawyers & DPOs

Sourced, article by article.

Use it as a plain document, no git needed. Every claim traces to primary law, regulator guidance or case law — never a blog. Two axes tell a client "this is the law" from "this is what a prudent operator does". The strongest finding is the discrepancy: declared versus observed.

Read the checklist
📋 Auditors & consultants

206 checks sounds insane. It never happens.

That's the whole point of the method. Gate questions switch off entire areas; automation runs the scan and the verification. The human part is a 20-to-40-question conversation, most of it pre-answered before you sit down with the client.

See the method

What you have in your hands

One catalog, two shapes

The same 206 items, rendered for humans and for machines from a single source.

For auditors, DPOs, lawyers

The checklist

15 area files with rationale, legal bases by article, and a table of checks carrying risk and binding levels. Areas A–J always apply; K–O wake up only if the business matches. You never face all 206 at once.

checklist/ →
For developers & AI agents

The requirements

The same 206 items as machine-readable RFC 2119 rules — MUST / SHOULD / MAY — in one file. Each has an Applies-if condition and an Acceptance line that doubles as a test spec.

EU-WEB-COMPLIANCE.md →
WORK IN PROGRESS
The automation skill A crawler plus AI agent that runs Run 1 and Run 2 for Claude Code and compatible tools. In development — today the method runs with standard tools (Playwright, testssl.sh, the EDPB auditing tool); the skill will package them.
skill/ →

The 15 areas

A Legal documents B Privacy notice content C Pre-consent trackers D Cookie banner & CMP E Third parties & transfers F Technical security G Forms & consent H Data subject rights I Governance J Data breaches K CRM & direct marketing L E-commerce M AI features N Voice channels O DSA / DMA / DFA
A–J: always apply K–O: conditional, only if the business matches

The method in five minutes

A funnel, not an interrogation

Two human touchpoints; the machine does the rest. Cognitive load is engineered down at every stage.

STEP 1

Gates

10–16 questions switch areas on and off, and reveal what the site alone can never show. Five minutes.

STEP 2

Run 1 · Scan

An automated pass collects evidence: trackers before consent, banner behavior, security headers, third-party domains, forms.

STEP 3

Interview

What remains: a 20–40 question conversation, per area, most of it prefilled with evidence. The document is also the exchange format.

STEP 4

Run 2 · Verify

Answers get checked against evidence. Double opt-in? We subscribe a test address. Each answer: confirmed, contradicted, or needs documents.

STEP 5

Report

Per area, findings cite check IDs and legal bases. The headline findings are the discrepancies: declared versus observed.

A scan can confirm presence, never absence. If the site shows no trace of a CRM, that doesn't mean there is none. That's why the questions come first and the scan comes second.

WORK IN PROGRESSRuns 1 and 2 work today with standard tools (Playwright, testssl.sh, the EDPB auditing tool). The skill that packages them into a single crawler-plus-agent pass — for Claude Code and compatible tools — is what I'm building now.

Two independent axes

"How illegal" and "how dangerous" are different questions

Binding levelMeaningExample
MUST The law says so. Missing = violation. No tracker before consent (ePrivacy Art. 5(3))
SHOULD Regulators or courts say so. Missing = arguable risk. Reject button with equal prominence at the first layer
MAY A maturity signal. Missing = nothing; having it = credibility. A neutral explanation of the consequences of consent

Risk — CRITICAL / HIGH / MEDIUM / LOW — is the second axis: how exposed you are in practice, calibrated on what authorities actually sanction, not on theoretical severity.

What this is not

Honest limits

A floor, not a ceiling. Following it means your app isn't openly against the law and the founding principles of each regulation are substantially covered — not "compliant in every possible reading". Nobody can honestly promise that, and you should distrust anyone who does. It is a compliance engineering tool, not a certification and not legal advice.

Known gaps, named on purpose. Accessibility isn't covered yet; the AI Act only where it touches a website; dark patterns at taxonomy level, not case by case; sector-specific regimes and national divergences beyond Italy and France are mostly out. The gaps aren't a secret to discover — they're an invitation to open a PR.

Sources or it didn't happen

Built to be checked

Built by consolidating 1,075 requirements extracted from 35 catalogued sources — EU and national authorities, official audit tools, law firms, case law — then rewriting them and verifying every legal reference by hand. Vendor sources never ground a legal claim alone; the catalog lists each source's known weaknesses, including the ones ingested and found partly wrong.

Stable IDs, forever: O-18 stays O-18 for life, even if deprecated. People cite these IDs in reports, tickets and commits — renumbering would pull the rug from under every project that relies on them.

Curated by Matteo Flora. A compliance engineering tool, not legal advice: for decisions with legal consequences, involve a qualified professional who can assess your specific situation.

206checks, each with an ID & a test
35catalogued sources
15areas, 10 always-on
5regimes: GDPR → DMA

Free and open

Take it. Use it in client work, ship it in your product, translate it.

Just keep the attribution. The most valuable contributions are legal and factual — a new source, a corrected check, a translation. Open an issue or a PR.

Dual licensed — docs under CC BY 4.0, code under MIT.