96 free compliance generators — 4 from 100
ComplyKit now has 96 free AI compliance generators, covering GDPR, SOC 2, ISO 27001, HIPAA, CCPA, PCI DSS, NIS2, DORA, EU AI Act, APRA CPS 234, MiFID II, CSDDD, CSRD, CRA, EU Whistleblowing Directive, and more. Today's additions: the ISO 27001:2022 Annex A Controls Gap Assessment and the DORA Major ICT Incident Classification Matrix.
New: ISO 27001:2022 Annex A Controls Gap Assessment (95th generator)
ISO 27001:2022 restructured Annex A from 114 controls across 14 domains to 93 controls across 4 themes, adding 11 new controls covering threat intelligence, cloud services, remote working, configuration management, data masking, DLP, secure coding, and more. The transition deadline was October 2025 — all ISO 27001 certifications should now be against the 2022 standard.
The new Annex A Gap Assessment covers all four themes:
- Organisational Controls (A.5): 16 controls including A.5.7 Threat Intelligence (🆕), A.5.23 Cloud Services (🆕), A.5.24 Incident Management Planning (🆕), A.5.30 ICT Readiness (🆕)
- People Controls (A.6): 7 controls including A.6.7 Remote Working (🆕), A.6.8 Security Event Reporting (🆕)
- Physical Controls (A.7): 8 controls including A.7.4 Physical Security Monitoring (🆕)
- Technological Controls (A.8): 24 controls including A.8.9 Configuration Management (🆕), A.8.10 Information Deletion (🆕), A.8.11 Data Masking (🆕), A.8.12 DLP (🆕), A.8.16 Monitoring (🆕), A.8.23 Web Filtering (🆕), A.8.28 Secure Coding (🆕), A.8.29 Security Testing (🆕)
Each control includes: the Annex A reference and whether it's new in 2022, the weight (Critical/High/Medium), audit guidance on what auditors look for, evidence examples, and a 4-option assessment (Implemented / Partial / Not Implemented / N/A). The generated report includes a per-theme scorecard, critical gap cards with specific audit risks and remediation actions, SoA guidance, and a three-phase certification roadmap.
→ Use the ISO 27001:2022 Annex A Gap Assessment free
New: DORA Major ICT Incident Classification Matrix (96th generator)
DORA Regulation (EU) 2022/2554 has been applicable since 17 January 2025. When a significant ICT incident occurs at a financial entity, the first question is: does it meet the Art. 19 threshold for a "major ICT-related incident"? The answer determines whether you have regulatory notification obligations — including an early warning within 24 hours and an intermediate report within 72 hours.
The DORA Major ICT Incident Classification Matrix evaluates all six Art. 19 criteria:
- Art. 19(1)(a): Client threshold (>10% or 50,000 clients) and transaction threshold (>10% or €5M), per Delegated Reg. 2024/1772 Art. 5
- Art. 19(1)(b): Reputational impact — media coverage, regulatory attention, client complaints
- Art. 19(1)(c): Duration ≥4 hours for a critical or important function
- Art. 19(1)(d): Geographic spread across more than one EU Member State
- Art. 19(1)(e): Data loss, integrity breach, or confidentiality breach
- Art. 19(1)(f): Critical or important function significantly impacted
The tool provides a live classification decision as you assess each criterion. The generated report includes: the Art. 19 classification matrix with RTS article citations, the 24h/72h/1-month reporting timeline with content requirements per ITS 2024/2518, parallel GDPR/NIS2/PSD2 obligation assessment, RTO/RPO breach analysis, third-party ICT provider obligations, and a competent authority contact table by entity type and member state.
→ Use the DORA Incident Classification Matrix free
96 generators — next stop: 100
With 96 generators live, ComplyKit is 4 generators from the milestone 100. Browse all generators at ComplyKit Generators — no account, no paywall, no credit card required.