AI contract analysis: DORA, NIS2, CRA gap detection
Upload a supplier, cloud or critical third-party contract. In under 2 minutes, the AI identifies missing clauses, calculates a compliance score per regulatory framework, and produces a prioritized remediation plan.
How it works
Three steps to a report your leadership can act on.
1. Upload the contract
PDF, DOCX or plain text. Up to 100,000 characters per document. The file stays encrypted and EU-hosted — never sent to an out-of-jurisdiction LLM.
2. AI analyzes against 5 frameworks
Claude Sonnet (Anthropic, EU API) walks through the contract clause by clause and compares each clause against the DORA, NIS2, CRA, ISO 22301 and GDPR requirements. Each clause is classified as compliant, partial, non-compliant or absent.
3. Actionable gap report
Per-framework score (0-100), risk level, list of missing clauses and drafting recommendations. PDF export for legal and executive leadership.
Clauses checked by regulatory framework
Each contract is assessed against five frameworks. The AI identifies the specific requirements that should appear given the nature of the contract and flags those that are missing.
NIS2 — Cybersecurity measures
- Incident notification (24h early warning + 72h report + 1-month final)
- Supply-chain security — flow-down of NIS2 measures to subcontractors
- Cryptography, encryption and MFA obligations
- Cyber-hygiene and mandatory awareness training
- Security policies on the use of information systems
- Evidence of effectiveness — audit and testing rights
DORA — Digital Operational Resilience
- ICT third-party risk management clauses (Art. 28–30)
- Register of Information (RoI) data sharing obligations
- Threat-Led Penetration Testing (TLPT) cooperation (Art. 26–27)
- Exit strategy for critical ICT providers (Art. 28.8)
- Subcontractor chain transparency and oversight
- Incident classification per ESA RTS (major ICT incident criteria)
CRA — Cyber Resilience Act
- Products with digital elements (PDE) scope declaration
- Secure-by-default and secure-by-design obligations
- CE marking and Declaration of Conformity
- Vulnerability handling — coordinated disclosure + SBOM availability
- Security update period (minimum 5 years — 15 years for certain PDEs)
- Exploited-vulnerability notification to ENISA (24h / 72h / 14 days)
- Conformity assessment route (self-assessment vs notified body)
- Manufacturer liability for non-compliance
ISO 22301 — Business Continuity
- RTO / RPO / MBCO explicitly stated and measurable
- Alternate sites, redundancy and failover capabilities
- Continuity testing and exercise obligations (frequency, scope, evidence)
- Exit and reversibility strategy with data portability guarantees
- Force majeure with scope limits and mitigation duty
- Insurance coverage aligned with continuity risk profile
GDPR — Data Protection
- Article 28 Data Processing Agreement (DPA) full compliance
- Sub-processor authorization and flow-down requirements
- Data subject rights support (access, deletion, portability)
- Data breach notification (72 hours to the controller)
- International transfers (SCCs, adequacy, transfer impact assessment)
- Audit and inspection rights of the controller
Sample output report
Each analysis returns a standardized structure, persisted in ResiPlan and linked to the contract in the CMDB.
- CRA: Minimum security support period (5 years) — absent
- DORA Art. 28.8: Exit strategy with data portability — partial
- NIS2 Art. 21.2.d: Flow-down to critical sub-processors — absent
- GDPR Art. 28: Data Processing Agreement — compliant
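An illustrative model of how findings in this shape can be turned into a per-framework score (0-100), a risk level and a prioritized remediation list, added here as an example; the status weights, risk thresholds and line format are assumptions for the example, not ResiPlan's own scoring logic.

```python
from dataclasses import dataclass

# Status weights and risk thresholds are assumptions for this example,
# not ResiPlan's own scoring logic.
STATUS_WEIGHT = {"compliant": 1.0, "partial": 0.5, "non-compliant": 0.0, "absent": 0.0}
# Remediation order: clauses missing outright are fixed before weak ones.
REMEDIATION_PRIORITY = {"absent": 0, "non-compliant": 1, "partial": 2}

@dataclass(frozen=True)
class Finding:
    framework: str   # e.g. "DORA"
    reference: str   # e.g. "Art. 28.8", empty when the line gives none
    clause: str      # clause the analysis expected to find
    status: str      # compliant | partial | non-compliant | absent

def parse_finding(line: str) -> Finding:
    """Parse one report line shaped like 'FRAMEWORK [ref]: clause — status'."""
    head, status = line.rsplit(" — ", 1)
    fw_ref, clause = head.split(": ", 1)
    framework, _, reference = fw_ref.partition(" ")
    status = status.strip().lower()
    if status not in STATUS_WEIGHT:
        raise ValueError(f"unknown clause status: {status!r}")
    return Finding(framework, reference, clause.strip(), status)

def framework_scores(findings):
    """Score each framework 0-100: weighted share of expected clauses present."""
    by_fw = {}
    for f in findings:
        by_fw.setdefault(f.framework, []).append(STATUS_WEIGHT[f.status])
    return {fw: round(100 * sum(w) / len(w)) for fw, w in by_fw.items()}

def risk_level(score: int) -> str:
    """Map a framework score to a risk level (thresholds are assumptions)."""
    if score >= 80:
        return "low"
    return "medium" if score >= 50 else "high"

def remediation_plan(findings):
    """Absent first, then non-compliant, then partial; compliant clauses are omitted."""
    todo = [f for f in findings if f.status != "compliant"]
    return sorted(todo, key=lambda f: (REMEDIATION_PRIORITY[f.status], f.framework))

# Constructed sample lines, in the same shape as the report excerpt above.
SAMPLE_REPORT = [
    "CRA: Minimum security support period (5 years) — absent",
    "DORA Art. 28.8: Exit strategy with data portability — partial",
    "NIS2 Art. 21.2.d: Flow-down to critical sub-processors — absent",
    "GDPR Art. 28: Data Processing Agreement — compliant",
]
```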
Typical use cases
The analysis adapts to the contract type. Expected clauses vary based on the nature of the relationship.
Critical ICT provider contracts (DORA Art. 28)
Cloud, SaaS, payment, messaging and data provider contracts — check all DORA mandatory clauses including exit strategy and TLPT cooperation.
Supply-chain vendor contracts (NIS2 Art. 21.2.d)
Flow-down verification: your NIS2 obligations must cascade to critical suppliers. Detect missing cyber-hygiene, incident notification or MFA clauses.
Manufacturer contracts with digital products (CRA)
Hardware and software manufacturers in scope of the Cyber Resilience Act — verify SBOM availability, support period, CE marking and incident reporting clauses.
Data Processing Agreements (GDPR Art. 28)
DPA completeness: sub-processor chain, transfer mechanisms, breach notification SLAs, and audit rights — aligned with EDPB guidelines.
Business continuity and DR contracts (ISO 22301)
Alternate sites, failover providers, backup vendors — verify that RTO/RPO commitments, testing obligations and reversibility clauses are present.
Standard supplier contracts — generic assessment
Generic commercial contracts with SLA, liability, IP and confidentiality — baseline assessment even when not framework-scoped.
Is your contract portfolio compliant with DORA, NIS2 and CRA?
In one onboarding session, you analyze 10 critical contracts. You immediately get the list of clauses to renegotiate before the next ACPR, ENISA or national authority audit.