100 free compliance generators. No account. No paywall.
ComplyKit just crossed the milestone we've been building toward: 100 free AI compliance generators. No account required. No credit card. No paywall. Answer a few questions, get an AI-drafted starting-point document your lawyer can finalise.
Today's two additions bring us to exactly 100:
- PSD2/PSD3 SCA Compliance Checklist — the 99th generator
- NIS2 Incident Reporting Playbook — the 100th generator
99th: PSD2/PSD3 SCA Compliance Checklist
Strong Customer Authentication (SCA) under PSD2 Art. 97 and EBA RTS on SCA (Delegated Regulation (EU) 2018/389) remains one of the most enforcement-active areas in EU payment regulation. EBA NCA supervision reports show SCA violations — particularly dynamic linking failures and TRA exemption misuse — consistently in the top five audit findings for payment service providers.
The PSD2/PSD3 SCA Compliance Checklist covers 40 items across five categories:
- SCA Requirements (8 items): two-factor authentication, dynamic linking (Art. 5 EBA RTS — authentication code linked to specific amount and payee), all five exemptions documented (low-value, contactless POS, TRA, trusted beneficiaries, corporate), TRA fraud rate monitoring, authentication logging
- Open Banking APIs (8 items): dedicated interface availability, eIDAS QWAC/QSealC certificate validation, API performance SLA (≥99.5% uptime, ≤500ms), no additional barriers for licensed TPPs, contingency mechanism, consent management (90-day re-authentication, revocation)
- PSD3/PSR Readiness (8 items): gap analysis against COM(2023) 366 and PSR COM(2023) 367, IBAN/name verification assessment, open finance/FIDA scoping, direct PSR applicability noted, internal roadmap defined
- Consumer Rights (8 items): pre-contractual disclosures (Art. 44-52), unauthorised transaction refund timescales (Art. 73 — end of next business day), €50 liability cap (Art. 74), GDPR lawful basis for payment data, complaint handling (15 business days)
- Fraud Prevention (8 items): real-time fraud monitoring, EBA fraud rate reporting (quarterly, per-channel), APP fraud controls (Confirmation of Payee), PCI DSS maintenance, pen testing of payment infrastructure, major incident reporting to NCA
The generated report includes: SCA compliance scorecard per category, critical gap cards with EBA RTS article citations and NCA enforcement risk, deep dives on SCA authentication methods and PSD3 changes, and a phased remediation roadmap for PSPs, TPPs, banks, fintechs, and e-money institutions.
→ Use the PSD2/PSD3 SCA Compliance Checklist free
100th: NIS2 Incident Reporting Playbook
NIS2 Directive (EU) 2022/2555 Art. 23 introduces a mandatory three-tier incident reporting regime for essential and important entities: 24-hour early warning, 72-hour intermediate notification, and a 1-month final report. Penalties for essential entities reach €10 million or 2% of global annual turnover.
The NIS2 Incident Reporting Playbook covers 42 items across six phases:
- Incident Detection & Classification (7 items): 24/7 monitoring with escalation paths, significant incident classification against Art. 23(3) thresholds, incident severity matrix, IRT roles, incident log, initial containment and evidence preservation, NIS2 Art. 21 security measures pre-check
- 24h Early Warning (7 items): CSIRT submission within 24 hours, early warning form fields (suspected malicious acts, cross-border impact), national CSIRT contact documented, timer tracked, parallel GDPR Art. 33 assessment, executive sign-off, submission receipt logged
- 72h Intermediate Notification (7 items): intermediate notification submitted, Art. 23(4) content complete, IoC package documented (IPs/domains/hashes/ATT&CK TTPs), affected user count estimated, root cause hypothesis, cross-border/ENISA notification assessed, interim mitigations documented
- CSIRT Coordination (7 items): national CSIRT identified, NCA identified (sector-specific), CSIRT technical assistance process, voluntary information sharing (GDPR lawful basis), NCA supervisory obligations, board briefing, EU-CyCLONe awareness
- 1-Month Final Report (7 items): final report submitted, Art. 23(4)(b) required elements complete, full root cause analysis, business impact quantified, mitigation evidence, CVE/vulnerability disclosure, supply chain scope confirmed
- Post-Incident Review (7 items): PIR conducted within 2 weeks, playbook updated, security controls remediation plan, staff training updated, evidence retained ≥5 years, customer/stakeholder communications, cyber insurance claim assessed
The generated report includes: incident reporting readiness scorecard, critical gap cards with Art. 23 citations and NCA penalty exposure, NIS2 notification templates for all three tiers, CSIRT directory for EU Member States, a complete incident timeline checklist, and post-incident review plan. Designed to be used live during an active incident.
→ Use the NIS2 Incident Reporting Playbook free
100 generators — the full coverage picture
100 free generators now live on ComplyKit. The full framework coverage:
- EU privacy & data protection: GDPR (privacy policy, DPA, DPIA, RoPA, breach notification, TIA, LIA, consent management, privacy by design, DSAR policy, sub-processor list, processor security policy), LGPD, PIPEDA/Bill C-27
- US privacy: CCPA/CPRA, HIPAA (BAA, SRA, security risk assessment), FERPA, COPPA
- Security frameworks: ISO 27001:2022 (gap assessment, Annex A, SoA, risk assessment, risk treatment, internal audit, management review), SOC 2 (gap assessment, evidence pack, system description, management assertion, remediation tracker), NIST CSF 2.0, CIS Controls v8, NIST 800-171/CMMC 2.0, Cyber Essentials, FedRAMP, HITRUST CSF
- Payment regulation: PCI DSS v4.0, MiFID II/MiFIR, PSD2/PSD3 SCA, DORA (ICT risk, incident classification, technical standards)
- EU sectoral regulation: NIS2 (checklist, risk assessment, incident reporting playbook), EU AI Act (compliance checklist, high-risk conformity assessment), CSRD, CRA, EU Whistleblowing Directive, EU Data Act, NIST AI RMF, ISO 42001, MiFID II, APRA CPS 234
- Security policies (templates): Information security policy, access control, data classification, vulnerability management, cryptography, secure SDLC, log management, email security, password & auth, remote work, network security, asset management, HR security, change management, pen testing policy, cyber insurance readiness
- Other: AI governance (AUP, PIA, model card, risk register), SOC 2 vendor DDQ, trust centre, third-party risk policy, supplier code of conduct, NDA, terms of service, refund policy, imprint
Browse all 100 generators at complykit.co/generate — no account, no credit card, no paywall.