Regulix connects to your data systems through read-only APIs and continuously scores you against GDPR, MiCA, and the EU AI Act, all from one dashboard. No raw user data is ever stored or transferred.
Crypto companies are now caught between overlapping EU laws, and the existing tools only solve one piece each.
KYC databases, S3 buckets, and CRMs hold personal data scattered across systems, with no unified view of consent, encryption, or retention.
Hundreds of CASPs are racing for MiCA authorisation, with no clear way to prove their data governance is regulator-ready.
Trading bots and KYC models run on sensitive data, but nobody is classifying their risk tier or auditing them against the AI Act.
The EU's crypto and AI rules land on fixed dates, some already in force. Here's exactly where the clock stands today, checked against ESMA and the latest AI Act amendments.
Grandfathering ends 1 July 2026. ESMA confirmed in April 2026 that there are no extensions. After this, serving EU clients without a CASP licence breaches EU law.
Annex III high-risk duties, including Article 26 deployer obligations, now apply 2 December 2027, moved from August 2026 by the EU's 2026 Digital Omnibus. Prohibited practices and AI-literacy duties are already in force.
In force since 2018 and actively enforced. Fines reach €20M or 4% of global turnover, and crypto-sector enforcement rises every year. There is no countdown; it already applies.
Each regulation sets penalties as the higher of a fixed sum or a percentage of worldwide annual turnover, and customers' procurement teams ask for evidence long before any regulator does.
Art. 83. For data-protection breaches. In force and actively enforced since 2018, this is not a future risk.
Art. 111. For CASP breaches, plus suspension or withdrawal of authorisation, and a public censure that follows you.
Art. 99. Top tier for prohibited practices; €15M / 3% for high-risk deployer and provider duties; €7.5M / 1% for supplying incorrect, incomplete or misleading information to authorities.
And it's not only the fine. Authorities can order systems withdrawn from the market and mandate corrective measures. A single connection to Regulix scores all three regimes at once, so no exposure is left uncovered.
Regulix indexes encrypted metadata across your entire stack, on-chain and off-chain, and turns it into a live compliance picture.
Regulix automatically classifies every AI model you run (trading algorithms, KYC tools, fraud detection) into EU AI Act risk tiers, tracks each model's data lineage, and flags any model trained on unconsented or non-compliant data. No other tool does this for the crypto sector.
GDPR, MiCA, and EU AI Act scored simultaneously, with a single weighted score and a breakdown per regulation, updated in real time.
Read-only API connections. We analyse encrypted metadata and hashes, never raw PII. The architecture is itself a GDPR safeguard.
A live readiness score and a step-by-step remediation checklist that maps every gap to a fix, pre-formatted for national regulators.
Severity-ranked alerts the moment something goes non-compliant, plus one-click regulator-ready audit reports with a signed attestation.
A live control tower across every connected system.
No data migration. No lengthy integration. Connect and see your compliance picture the same day.
Link your cloud storage, databases, blockchain nodes, and AI pipelines via secure read-only API.
Our engine scans metadata, classifies your data, and maps it to the right jurisdiction automatically.
Get a unified compliance score across GDPR, MiCA, and the EU AI Act, with every gap surfaced.
Generate regulator-ready audit reports on demand, with a signed no-raw-data attestation.
A checklist tells you you're in scope. The hard 90% is proving, article by article, that you actually meet each obligation, across all three regulations at once. That's the evidence Regulix produces, and keeps current.
We confirm that a lawful basis is recorded for each processing activity (one of the six under Art. 6), test security of processing under Art. 32 (encryption at rest, access control, resilience), and check retention, minimisation, and that data-subject rights can actually be honoured. We read the settings that protect personal data, never the data itself.
We score the exact CASP authorisation controls in Articles 66-71: board-approved data governance (Art. 68), ICT integrity and encryption (Art. 67-68), record-keeping and retention (Art. 68(8)), fair-conduct audit trails (Art. 66), and complaints handling (Art. 71), so you walk into authorisation with a documented file, not a scramble.
We classify each AI system into its risk tier, prohibited (Art. 5), high-risk (Art. 6 / Annex III), limited (Art. 50) or minimal, check deployer duties (Art. 26), flag where a Fundamental Rights Impact Assessment (Art. 27) applies, and track data lineage. Prohibited practices and AI-literacy (Art. 4) are already in force; high-risk duties apply 2 December 2027.
One connection. Three regulations. Evidence a regulator, or your own lawyer, can rely on. DORA is next.
Market signal: DORA alone covers 22,000+ EU financial entities and their critical IT and cloud providers (operational resilience and ICT third-party risk). Same buyer, next regulation.
Regulix is for EU crypto-asset service providers, and the people personally accountable when the evidence is asked for.
Exchanges, custodians and brokers pursuing or holding MiCA authorisation, and the compliance leads, MLROs, DPOs and legal counsel accountable to a national regulator, a customer's procurement team, or their own board.
In-house counsel isn't an AI-Act specialist, and is likely already stretched across GDPR, MiCA, DORA and NIS2 at once. Regulix does roughly 70-80% of the groundwork, collecting evidence, mapping each finding to the right article, keeping it current, so your people spend their time on judgment, not collection.
From three overlapping EU regulations to one live compliance score.
Most "compliance tools" are marketing for something else, a single-regulation point tool, a Big-Four upsell, or a generic GRC platform. Regulix is one thing: the unified, evidence-based control plane for the three EU regulations crypto firms actually face, conservative by default, and current every day.
Every early CASP begins with a no-cost pilot. When you're ready, pricing is flat, transparent, and sized to your operation, never per seat.
First cohort: 3 months free. A full quarter of unified GDPR · MiCA · EU AI Act monitoring, no cost, no card. We're onboarding a small group of EU CASPs as design partners to shape the product.
One connection, three regulations, kept current. The groundwork that costs a Big-Four engagement tens of thousands, organised, governed and accountable from day one, for a fraction of the cost and a fraction of the time.
All plans begin with the 3-month free pilot. Prices in USD, billed monthly or annually, no per-seat fees, no setup cost.
The platform above is for crypto companies proving their own compliance. This one is different. It is a live library of crypto and digital-asset regulation worldwide, built for the legal and compliance side: in-house counsel, compliance officers, external lawyers, founders, and crypto enthusiasts who need to know what applies where, and when.
84 regulations across more than 40 jurisdictions, kept current. From MiCA and the EU AI Act to the newest national rules, each entry sets out the law, the key obligations, the timeline, legislative progress, and links to the official source. A built-in assistant points you to the right rule in seconds. Pay monthly, or choose annual billing and get two months free. Cancel anytime.
Straight answers for compliance leads, legal teams and investors. Regulix scores you against GDPR, MiCA and the EU AI Act from one dashboard, reading only metadata, never your users' data, never your funds.
Regulix is a single dashboard that continuously scores a crypto-asset service provider (CASP) against the three EU regulations that hit it at once, GDPR, MiCA and the EU AI Act, and turns the result into regulator-ready evidence. It connects through read-only APIs, reads only compliance metadata (never raw user data), and shows you exactly what a regulator would find, before they find it.
Yes, arguably more so. Regulix is not a tool for getting licensed; it's for the part that comes after: proving you stay compliant every day.
A MiCA authorisation isn't a certificate you frame and forget. Regulators expect continuous evidence that your controls remain in place, and they can suspend or revoke a licence if those controls slip. Regulix gives you that live, ongoing proof. The EU AI Act layer especially, risk-tiering your trading and KYC models, is new territory even for fully-licensed CASPs.
No. The licence application itself is legal work, your lawyers and consultants write it. What Regulix does is generate the technical evidence pack that goes inside that application (governance, ICT integrity, record-keeping, data protection), and then monitor that those controls stay true after authorisation.
The law firm does it once; Regulix checks it every day.
Continuous. Once you connect a data source via read-only API, Regulix keeps watching. Compliance isn't static, encryption can get switched off on a storage bucket, a retention setting can drift, a new AI model can appear. When something changes, your score drops and an alert fires that same day.
A one-time audit tells you where you stood last quarter. Regulix tells you where you stand today.
No, and any tool that promises that should worry you. Regulix is decision-support: it shows you, continuously and in the regulator's own terms, where your controls stand and what to fix.
Acting on those findings, signing off on your compliance, and the regulator's final decision remain with you and your professional advisers. We make the picture clear and current; the judgment stays human. Think of Regulix as the instrument that tells a CASP exactly what a regulator would find, not a substitute for your compliance team, your lawyers, or a formal audit.
No, and it's designed not to. Regulix doesn't make legal judgments or take decisions. It does the heavy, repetitive groundwork that currently eats your team's time: collecting evidence across scattered systems, mapping each finding to the right regulation and article, and organising it into one clear, transparent picture.
Think of it as handling roughly 70-80% of the data-gathering and monitoring grunt work, then placing the results in front of your professionals so their expensive, limited time goes to judgment, not collection.
There's also a legal reason it shouldn't replace them: the EU AI Act itself requires human oversight of high-risk systems (Art. 14). A tool that replaced your compliance professionals would be working against the very law it helps you comply with. The lawyer, DPO or compliance officer stays the decision-maker. We arm them; we don't replace them.
Right, the licence application itself is lawyers' work, and we don't write it. But underneath the paperwork sit technical and operational controls the regulator expects to be real, and to stay real: encryption, access controls, retention settings, governance sign-offs, complaint logs.
Today firms evidence those manually, once, with consultants and spreadsheets. Regulix generates that technical evidence automatically and re-checks it continuously. The law firm does it once; we check it every day.
GDPR governs how personal data is processed, and lawful processing must rest on one of six legal bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests. On the technical side, Article 32 requires appropriate security of that data, encryption, access control, resilience.
Regulix reads the configuration metadata around your personal-data systems (is encryption at rest enabled on the KYC store, who can access which systems, are retention settings consistent, is a basis recorded for each processing activity), maps each observation to the relevant GDPR requirement, and scores it. It never reads the personal data itself, only the settings that protect it.
Penalties: GDPR fines run up to €20M or 4% of global annual turnover, whichever is higher, and enforcement against crypto firms is rising every year. Because the same KYC data sits under GDPR, MiCA and the AI Act at once, a single gap (say, unencrypted personal data) can trigger exposure under more than one regime at the same time.
MiCA is the EU's licensing regime for crypto firms: since late 2024, any CASP serving EU customers needs an authorisation and must keep meeting its conditions. Articles 66-71 set out what the regulator expects, and Regulix scores those exact controls:
Each observation maps to a MiCA article, scores Pass / Low / Medium / High, and rolls up into your MiCA sub-score.
Yes, and this is the heart of why one unified tool beats three separate ones. MiCA doesn't ask for a separate "GDPR certificate" or "AI Act certificate", but to be authorised under MiCA you must demonstrate sound governance and data / ICT integrity over the very same systems the other two regimes govern.
The KYC and personal data your MiCA governance has to account for is GDPR-regulated. The trading, KYC and fraud models running on that data are EU AI Act-regulated. So a CASP can't truthfully be "MiCA-ready" while breaching GDPR on the same data, or ignoring the AI Act on the same models: the regulator is looking at one set of systems through three lenses.
That's exactly why Regulix scores all three together. One finding, say unencrypted KYC data, can lift or sink your MiCA and GDPR position at once. No single-regulation tool can show you that.
Take our sample exchange, NovaTrade, MiCA score 73. Regulix found two things: the board never logged a formal sign-off on the data-governance policy (Article 68), and encryption-at-rest wasn't confirmed on the KYC document store, which hits both MiCA's ICT-integrity requirement and GDPR Article 32 at the same time.
One technical fix and one signature, and the score climbs above 85, and the authorisation file is materially stronger. That single cross-regulation finding (one encryption gap touching MiCA and GDPR together) is exactly the unified insight no single-regulation tool gives you.
Regulix doesn't read your documents or your transactions. It reads configuration metadata through read-only APIs, encryption flags, retention settings, access-control states, registry entries, log structures.
Each observation maps to a specific regulatory article, scores Pass / Low / Medium / High, and rolls into the relevant sub-score. When something drifts, say encryption gets disabled on a storage bucket, the score drops and an alert fires that day. It's evidence drawn from your real system state, not a self-assessment questionnaire.
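The scoring and drift logic described above, as an added example that is not Regulix's code: it evaluates constructed configuration metadata for a hypothetical KYC document store against a hypothetical control catalogue, rolls the results into an overall score and per-regulation sub-scores, and raises an alert when a setting that passed in an earlier snapshot fails in a later one. The control names, severity weights and the two snapshots are assumptions; the article references are the ones the page itself cites.

```python
"""Added example (not Regulix code): map constructed configuration metadata
to obligations, score it, and raise an alert when a setting drifts between
two snapshots. The control catalogue, weights and snapshots are hypothetical."""
from typing import Callable

SEVERITY_WEIGHT = {"Low": 5, "Medium": 10, "High": 20}
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}

# (control, predicate over metadata, severity when failing, obligations touched).
# Every predicate reads a configuration field; none touches object contents.
CONTROLS: list[tuple[str, Callable[[dict], bool], str, tuple[str, ...]]] = [
    ("encryption_at_rest", lambda m: m.get("sse_enabled") is True, "High",
     ("GDPR Art. 32", "MiCA Art. 68 (ICT integrity)")),
    ("public_access_blocked", lambda m: m.get("public_access_blocked") is True,
     "High", ("GDPR Art. 32",)),
    ("retention_defined",
     lambda m: isinstance(m.get("retention_days"), int) and 0 < m["retention_days"] <= 5 * 365,
     "Medium", ("GDPR Art. 5(1)(e)", "MiCA Art. 68")),
    ("lawful_basis_recorded", lambda m: m.get("lawful_basis") in LAWFUL_BASES,
     "Medium", ("GDPR Art. 6",)),
    ("governance_signoff_logged", lambda m: bool(m.get("governance_signoff_date")),
     "Low", ("MiCA Art. 68",)),
]


def evaluate(metadata: dict) -> dict:
    """Run every control; result is 'Pass' or the severity of the failure."""
    return {name: {"result": "Pass" if check(metadata) else severity,
                   "obligations": obligations}
            for name, check, severity, obligations in CONTROLS}


def score(findings: dict) -> int:
    """Overall score: 100 minus the weighted penalty of every failing control."""
    penalty = sum(SEVERITY_WEIGHT.get(f["result"], 0) for f in findings.values())
    return max(0, 100 - penalty)


def sub_scores(findings: dict) -> dict:
    """Per-regulation breakdown: a failing control penalises each regime it touches."""
    regimes = {obl.split()[0] for _, _, _, obls in CONTROLS for obl in obls}
    penalties = dict.fromkeys(regimes, 0)
    for f in findings.values():
        weight = SEVERITY_WEIGHT.get(f["result"], 0)
        for regime in {obl.split()[0] for obl in f["obligations"]}:
            penalties[regime] += weight
    return {r: max(0, 100 - p) for r, p in penalties.items()}


def drift(before: dict, after: dict) -> list:
    """Alerts: controls that passed in the earlier snapshot and fail now."""
    return [(name, after[name]["result"], after[name]["obligations"])
            for name in after
            if before.get(name, {}).get("result") == "Pass"
            and after[name]["result"] != "Pass"]


# Constructed metadata for a hypothetical KYC document store, two snapshots apart.
SNAPSHOT_T0 = {"sse_enabled": True, "public_access_blocked": True,
               "retention_days": 1825, "lawful_basis": "legal_obligation",
               "governance_signoff_date": None}        # board sign-off never logged
SNAPSHOT_T1 = {**SNAPSHOT_T0, "sse_enabled": False}    # encryption switched off later

if __name__ == "__main__":
    f0, f1 = evaluate(SNAPSHOT_T0), evaluate(SNAPSHOT_T1)
    print("score t0:", score(f0), sub_scores(f0))
    print("score t1:", score(f1), sub_scores(f1))
    for name, severity, obligations in drift(f0, f1):
        print(f"ALERT {severity}: {name} now failing -> {', '.join(obligations)}")
```

The point worth noticing is in sub_scores: one failing control (encryption at rest) is charged against both GDPR and MiCA, which is the cross-regulation effect the NovaTrade example describes. In a real integration the snapshots would come from the provider's configuration APIs rather than literals, and the weights would be set by whoever owns the scoring model.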
The EU AI Act does for AI what GDPR did for data, and it's already in force, phasing in through 2025-2027. It sorts AI systems into four risk tiers:
Top fines reach €35M or 7% of global turnover, stacked on top of GDPR and MiCA penalties. The part most crypto firms don't realise: systems they already run fall, or may fall, into Annex III. Credit / lending models that evaluate a natural person's creditworthiness are listed explicitly. KYC face-matching needs case-by-case analysis: remote biometric identification is high-risk, but Annex III excludes one-to-one verification whose sole purpose is confirming that a person is who they claim to be. Fraud models are the opposite trap: Annex III carves systems used to detect financial fraud out of the creditworthiness category, yet a model that gates a person's access to funds still has to be classified. Trading models must be classified either way.
Almost no one is doing this classification for crypto. Regulix automatically sorts each AI model you run into its AI Act risk tier and tracks its data lineage, the first tool doing this for crypto AI.
Not life-and-death specifically. The Act's high-risk category (Annex III) is about AI making consequential decisions about people, access to credit, biometric identification, hiring, access to essential services, and similar.
That's why lending / credit models land in high-risk, and why KYC face-matching has to be assessed against the biometric entry rather than assumed either way: they make or gate decisions about individuals. A purely analytical tool that never decides anything about a person sits in the minimal-risk tier.
We've classified our own systems exactly the way we'd classify a client's. The Act's test is what the AI does, and to whom. Our components analyse system metadata and inform a human, they make no decisions about any person:
None of these touches a human subject or makes a consequential decision about a person, so they fall in the minimal-risk tier, the same bucket as monitoring and analytics software. We're not a prohibited practice, not Annex III high-risk, and not a general-purpose model provider.
And the Act's core principle, human oversight, is literally our architecture: read-only access, no automated actions on your systems, every output landing in front of a human who decides. The Act doesn't say "no AI"; it says "governed AI with a human in charge." That's a description of our product.
Never. Regulix does not custody, hold, store, transmit, exchange, buy, sell, mine or transact in any crypto-asset or virtual currency, at any time. We do not handle or move your funds, or your end-users' funds, in any form.
We are not a crypto exchange, wallet provider, custodian, broker, money-services business, money transmitter or VASP / CASP, and we require no such licensing. Our relationship to crypto is the same as an accounting or audit-software firm serving financial clients: our customers are in the sector; we ourselves engage in no crypto-asset activity.
Only compliance-related metadata, through strictly read-only APIs, encryption flags, access-control states, retention settings, registry entries, log structures, model-registry metadata. We never store or transfer raw personal data, and we never write to or alter your systems.
You connect and disconnect sources at will; nothing is retained outside your environment without consent. The architecture is itself a GDPR safeguard, a compliance tool should reduce your risk surface, not become one.
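The read-only claim above is only as good as the permissions the integration is granted, so here is an added example (not Regulix's code) of how a practitioner would verify it: an audit of an IAM-style policy document against a hypothetical allowlist of control-plane actions that return configuration but never object contents. The action sets are real S3 and KMS action names chosen as an assumption for this example; the two policy documents are constructed. It flags data-plane reads (which would expose the personal data), writes (which would let the scanner alter the state it scores), and wildcards such as s3:Get*, which silently include s3:GetObject.

```python
"""Added example (not Regulix code): audit an IAM-style policy so that a
"read-only metadata" integration really is one. Action lists and both
policies are constructed for illustration."""
from fnmatch import fnmatchcase

# Control-plane reads that return configuration, never object contents
# (real action names, chosen here as a hypothetical allowlist).
METADATA_READ = {
    "s3:ListAllMyBuckets", "s3:GetEncryptionConfiguration",
    "s3:GetBucketPublicAccessBlock", "s3:GetBucketPolicyStatus",
    "s3:GetLifecycleConfiguration", "s3:GetBucketVersioning",
    "s3:GetBucketLogging", "kms:DescribeKey", "kms:GetKeyRotationStatus",
}
# Data-plane reads return (or enumerate) the personal data itself.
DATA_PLANE_READ = {"s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"}
# Writes: a compliance scanner must never be able to change what it scores.
WRITE = {"s3:PutObject", "s3:DeleteObject", "s3:PutEncryptionConfiguration",
         "s3:PutBucketPublicAccessBlock", "s3:PutLifecycleConfiguration",
         "kms:DisableKeyRotation"}
KNOWN = METADATA_READ | DATA_PLANE_READ | WRITE


def classify(action: str):
    """None if the action is on the allowlist, otherwise the reason to reject it."""
    if action in METADATA_READ:
        return None
    if "*" in action:
        # Expand the wildcard against the actions we know about; anything
        # outside the allowlist that it matches is a real over-grant.
        spill = sorted(a for a in KNOWN - METADATA_READ if fnmatchcase(a, action))
        if spill:
            return "wildcard expands beyond metadata: " + ", ".join(spill)
        # The real action universe is larger than KNOWN, so still reject it.
        return "wildcard: enumerate actions explicitly"
    if action in DATA_PLANE_READ:
        return "data-plane read (exposes object contents or key names)"
    if action in WRITE:
        return "write (scanner could alter the state it scores)"
    return "unknown action: review before granting"


def audit_policy(policy: dict) -> list:
    """Return [(action, reason)] for every Allow action outside the allowlist."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        for action in actions:
            reason = classify(action)
            if reason:
                findings.append((action, reason))
    return findings


# Constructed policy documents. The first enumerates the allowlist exactly;
# the second is the shape an over-eager integration usually ships with.
READ_ONLY_METADATA_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": sorted(METADATA_READ),
                   "Resource": "*"}],
}
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:Get*", "s3:ListAllMyBuckets",
                              "s3:PutEncryptionConfiguration"],
                   "Resource": "*"}],
}

if __name__ == "__main__":
    print("metadata-only policy:", audit_policy(READ_ONLY_METADATA_POLICY))
    for action, reason in audit_policy(OVERBROAD_POLICY):
        print(f"REJECT {action}: {reason}")
```

Run the audit against the policy actually attached to the integration's role, not the one in the vendor's documentation, and treat any wildcard as a finding even when it happens to match only allowlisted names, because the provider adds new actions over time.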
Our customers are crypto-asset service providers, exchanges, custodians, brokers, and related financial-services businesses operating in the European Union. We sell only to businesses (B2B); there are no individual or consumer accounts.
Today a crypto firm effectively pays three times: one tool or consultant for GDPR, another for MiCA, another for the AI Act, same data, same systems, checked three separate times. Regulix checks all three from one dashboard in a single pass: one connection, one score, one audit report a regulator can read.
For context, a MiCA licence plus first-year setup runs roughly €200K-€475K, and ongoing compliance €500K-€2M a year for a mid-size CASP, with administrative fines for CASP breaches that can reach €5M or a percentage of annual turnover, whichever is higher (higher ceilings apply to market-abuse breaches). Against that, a software subscription is a rounding error. (200+ CASPs are already authorised, with hundreds more converting through 2026.)
Yes. The three we cover today are the wedge, not the whole product. The same systems and the same buyer also face DORA, the EU's Digital Operational Resilience Act, covering ICT risk management, incident reporting, resilience testing and third-party / ICT-vendor risk, and licensed firms are already telling us it's their next headache.
DORA is our planned next pillar, with the wider EU financial-compliance stack (and adjacent regimes like CCPA and global AI laws) after it. Regulix is built to add regulations as pillars, each one deepens the single control plane.
It depends what you connect. For a focused CASP with a defined set of systems, a flat monthly plan reflects continuous scoring across GDPR, MiCA and the EU AI Act plus regulator-ready reports, far less than paying three separate tools, or a consultant every time you need evidence.
If your estate is much larger or more complex, we say so on the scoping call before quoting, no surprise scope creep. And every early CASP starts with a 3-month free pilot, so you see the value before paying anything.
A law firm gives you a legal opinion. Regulix gives you a continuous, evidence-based gap picture, a structured mapping of your actual systems to the obligations that apply, refreshed every day.
The two are complementary. Many teams pair Regulix's live evidence with a brief review from their existing counsel, which makes that review faster and cheaper, because the factual work is already done and kept current.
No. Regulatory trackers and horizon-scanning tools tell you what's changing across jurisdictions, useful, but they stop at "a new rule exists." Regulix starts where they stop.
It takes the obligations that apply to you under GDPR, MiCA and the EU AI Act and proves, article by article, whether you actually meet them, with evidence you can hand to a regulator or your own lawyer. Many teams use both: a tracker to see what's coming, Regulix to show they comply. We keep the obligations current as the law changes (it's why our countdown reflects the latest AI Act amendments), but the product's job is proof, not just news.
No, and no. Regulix produces a factual, structured compliance assessment against each regulation's provisions. It is not a legal opinion and does not create a lawyer-client relationship.
Where something is genuinely a legal judgment, say, an ambiguous AI Act classification, we flag it so you can take that specific point to counsel, and the evidence pack makes that handoff efficient. (Regulix is built by a UK-trained lawyer, so the structure mirrors how a regulator actually reads these rules.)
The scoring is conservative by default, if anything it leans toward surfacing a gap rather than hiding it, because on a compliance product a missed risk is worse than a flagged one.
But conservative doesn't mean manufactured: every finding is tied to a specific article, with the reasoning shown, so you or your lawyer can confirm or dismiss it on the evidence. If something genuinely doesn't apply, you mark it and it's documented.
During the 3-month pilot you connect a data source (read-only), get your live compliance picture, and tell us what's useful. There's no obligation.
If it's valuable, you move onto a plan. If your exposure turns out to be minimal, we'll tell you that honestly rather than push you onto one. We only follow up with a scoped next step, no hard sell.
Overlap is the core of the product. The same KYC data sits under GDPR, MiCA and the AI Act at once, so Regulix scores them together and shows where one finding affects more than one regime.
For adjacent regimes like DORA (operational resilience) and NIS2 (cybersecurity), we flag where they intersect your systems today, and DORA is our planned next pillar. We're always explicit about what we cover now versus what's on the roadmap.
A few quick questions and an indicative read on your exposure under GDPR, MiCA or the EU AI Act, shown right here on the page. Indicative only; a Regulix pilot confirms it against your real systems.
Hassan trained in law in the United Kingdom, with an LLB (Hons) from the University of London. He started Regulix after seeing the same problem again and again: crypto and digital-asset teams trying to keep up with fast-moving rules across GDPR, MiCA, and the EU AI Act using tools that were never meant to work together. Regulix brings that scattered picture into one clear, current place, so legal and compliance teams can see what applies, what has changed, and what to do next. He leads the company's product direction and the regulatory thinking behind it.
MiCA is in force. The EU AI Act is rolling out now. Register your interest below, join our waitlist or apply for a free early pilot, and we'll be in touch.
We’ve received your details. A member of the Regulix team will get back to you within 48 hours.
In the meantime, feel free to reach us directly at hassan@regulix.ai.