Plate I — The institutions endure; the obligations multiply.

The Lead · A Dispatch on European Compliance

The Regulatory Decade has arrived, and it will be read by someone.

NIS2. The AI Act. The Cyber Resilience Act. DORA. A continent that once argued about regulation now ships it — directive after directive, standard upon standard. The law is no longer the bottleneck. Reading it is.

Feature I · The Landscape

The Regulatory Decade

Europe has chosen to govern the digital world by writing it down. The consequence is a body of obligation so broad that no single expert can hold it in their head — and that was never the intent.

For a decade the European project has expressed itself through text. Where the previous era debated whether to regulate the network society, the present one simply legislates it. The General Data Protection Regulation set the grammar; everything since has extended the sentence. The NIS2 Directive hardens the security obligations of essential and important entities. The AI Act places risk-tiered duties on those who build and deploy artificial intelligence. The Cyber Resilience Act reaches into the products themselves. DORA binds the financial sector to operational resilience. The Machinery Regulation (EU) 2023/1230 and the sustainability reporting regime under CSRD push the same logic into the factory floor and the annual report.

Read individually, each instrument is reasonable. Read together — as every serious organisation must now read them — they form a dense, overlapping lattice of requirements, each citing definitions in another, each demanding evidence that the others assume. A manufacturer is at once a data controller, an operator of essential services, a maker of products with digital elements, and a reporting entity. The frameworks do not coordinate their demands. The organisation must.

Beneath the directives runs an older substrate of voluntary standards that the regulations increasingly presume: ISO/IEC 27001 for information security, ISO/IEC 42001 for AI management, IEC 62443 for industrial systems, SOC 2, BSI C5, TISAX®. Certification against one is now table stakes for trading under another. The map of obligation is not a list. It is a terrain.

And terrain is the right word. It is uneven, contoured, and easy to get lost in — which is precisely why the next two features concern not the law itself, but the human cost of reading it.

Fig. 1 The continent rendered as contour — a single landmass of obligation, its frameworks layered like elevation lines. One assessment engine must read every one of them.
Fig. 2 The evidence room. Policies, procedures, prior audits, supplier attestations — the documentation exists. Reading it does not scale.

Feature II · The Bottleneck

The Operational Gap

The law can be written in months. Assessing one organisation against it still takes a specialist weeks — and there are not enough specialists.

The gap is not one of intent. Organisations want to comply; auditors want to certify; regulators want assurance. The gap is mechanical. Every assessment begins with a person opening a document — a policy, a runbook, a vendor's security questionnaire — and reading it against a requirement held in another document, and recording, by hand, whether the one satisfies the other.

Multiply that act by the hundreds of controls in a single standard, by the dozens of frameworks now in scope, by the thousands of pages of evidence a mature enterprise generates. The arithmetic is unforgiving. Reference engagements across enterprises of up to roughly 600,000 employees make the scale plain: the constraint is never the law and rarely the evidence. It is the reading.

So the work queues. Assessments that should inform decisions instead wait on the one consultant who knows the framework. Quality drifts with fatigue. Coverage becomes a sampling exercise. The compliance function, built to reduce risk, becomes its own source of delay — a cost centre bottlenecked on human attention.

The question the rest of this issue takes up is narrow and practical: what reads the documentation?

Feature III · The Answer

How Kansa Reads the Law

An AI-native assessment engine, regulation-independent by design. It reads the documentation an organisation already has, measures it against any framework, and returns cited, audit-ready findings — in minutes, not weeks.

Kansa does the reading. Not in the loose sense an assistant might claim, but in a deliberate, repeatable method: it ingests an organisation's documentation in whatever form it arrives — PDF, Word, Excel, PowerPoint — converts and understands it, then assesses requirement by requirement against the standard in question. The method is the product. Where an individual expert is inconsistent by Tuesday afternoon, the engine is consistent by design.

The story is three beats — Understand. Assess. Act. First, understand: every artefact is read and related to the others. Then assess: each requirement is tested against the available evidence, with 100% requirement coverage by design — no sampling, no controls quietly skipped. Finally, act: a structured, audit-ready review in which every finding is cited to its source paragraph, followed by prioritised, actionable recommendations to close the gaps. A grounded AI chat sits alongside, answering only from your own evidence — never inventing what it cannot cite.

The effect on throughput is the headline a procurement officer remembers. Engagements that ran in weeks resolve in minutes; teams report three to five times the project throughput; partner material puts delivery time down by more than 80%, with consultants completing three to ten times as many assessments. Compliance stops being a craft practised one document at a time and becomes an engine.

What it does not do is replace the expert. The verdict is offered for validation, the citation laid bare for challenge. The specialist is moved off the reading and onto the deciding — which was always the part that needed a human.

ISO/IEC 27001:2022 — Annex A A.8.5
Requirement: Secure authentication technologies and procedures shall be implemented based on information access restrictions and the access control policy.
Cited evidence: Identity & Access Management Policy §4.2, ¶3 — “Multi-factor authentication is enforced for all administrative and remote access.”
Verdict: Satisfied

ISO/IEC 27001:2022 — Annex A A.8.16
Requirement: Networks, systems and applications shall be monitored for anomalous behaviour and appropriate actions taken to evaluate potential incidents.
Cited evidence: Security Operations Runbook §7 — alerting defined; no documented review cadence for low-severity anomalies.
Verdict: Partial — gap noted

Exhibit A. A specimen of the output: requirement, the exact source paragraph it was measured against, and a verdict. Illustrative control IDs; representative product UI.

The Spine · Digital Sovereignty

Sovereign by Design

A platform that reads Europe's regulations ought to honour Europe's terms. Kansa operationalises digital sovereignty: your data stays yours, stays in the EU, and never trains a model.

  1. Your data stays yours

    Content is processed in real time and never used to train any AI model — ever. There is no permanent storage; nothing lingers after the assessment.

  2. Hosted in Europe

    Run in leading European cloud regions. Data stays within the EU — no transfer outside — encrypted in transit (TLS 1.2+/1.3) and at rest (AES-256).

  3. Certified & controlled

    ISO/IEC 27001 certified and GDPR compliant, with enterprise SSO (SAML 2.0 / OIDC), RBAC and strict tenant isolation. Continuous monitoring and independent testing.

  4. Sovereign deployment

    Not tied to a single hyperscaler. Deployable on AWS, Azure, STACKIT and regional or sovereign providers — wherever your obligations require it to live.

Sovereign by design. Compliant by default.

The Back Page · Act

Stop reading compliance documents. Start understanding them.

Bring the documentation you already have. Choose the framework that matters this quarter. See a cited, audit-ready assessment returned in minutes — then decide what your specialists do with the time you just gave back.