Compliance, kept current

Ready-to-edit, role-split document kits for every EU regulation — built and maintained by a working CISO.
One shelf: CRA, PCI DSS, NIS2 and the AI Act ready; DORA in early access.

Practitioner-built · Currency Stamp · EU VAT handled · 30-day refund · Find us on Product Hunt

Every regulation, one shelf

See the full catalogue ›
LIVE
Reg (EU) 2024/2847

Cyber Resilience Act

Scope, technical file, vulnerability handling and Article 14 reporting — by role.

Open the kit
BUILT
Reg (EU) 2022/2554

Digital Operational Resilience Act

ICT risk, incident classification and the Register of Information.

Early access
LIVE
PCI DSS v4.0.1

Payment Card Industry Data Security Standard

PCI DSS v4.0.1 starter & self-review templates — policies, procedures and an evidence structure.

Open the kit
LIVE
Directive (EU) 2022/2555

Network & Information Security Directive 2

NIS2 Directive starter pack — scope self-assessment and the Article 21 measures. National transposition check required.

Open the kit
LIVE
Reg (EU) 2024/1689

EU Artificial Intelligence Act

Risk-tiered obligations for AI systems and general-purpose AI models on the EU market.

Open the kit
The problem

Two bad options — until now

Six-figure consultants on one side. Stale €30 template dumps on the other.
The difference is night and day.

THE OLD WAY
Six-figure consultants
Months and a five-figure invoice for what a lean team could adapt in a day.
€30 template dumps
A Word file sold once and never touched again as the regulation moves.
Just 6.5% passed
Of DORA Register dry-run submissions built on the regulator’s own raw templates.
No guidance at all
Raw templates with no inline notes on what you actually need to change.
THE FIX
THE VARVICO WAY
Practitioner-built
Authored and maintained by a working CISO — not scraped, not white-labelled.
Kept current, provably
The Currency Stamp and a public changelog track the exact regulation text.
Inline guidance
Every document ships with “what to change” notes — no consultant to translate the law.
Priced for real teams
From €24. Adapt the role-split kit in a day, not a quarter.
Browse the catalogue →

We sell maintained documents
… and we prove it

Every kit and document carries the Currency Stamp — proof a static template can’t make.

Dated

The exact day it’s current as of.

Versioned

With a public changelog you can actually read.

Pinned to the regulation

The precise text it tracks — article by article.

CHANGELOG
LIVE · CURRENT AS OF 2026-06-23

v1.4 · 23 Jun 2026 · UPDATED

Article 14 reporting runbook refreshed for the 11 Sep 2026 deadline.

v1.3 · 02 May 2026 · ADDED

Importer due-diligence checklist split into its own standalone pack.

v1.2 · 14 Mar 2026 · FIXED

Annex I control-mapping lettering corrected to properties (a)–(m).

Aligned to Reg (EU) 2024/2847 · v1.4 · maintained by a practicing CISO
Read the full changelog ›
PRACTITIONER-BUILT
A practicing CISO
EU-regulated fintech · 10+ years in security & compliance
CRA · DORA · NIS2 · PCI DSS · ISO 27001
Read the methodology & independence statement
Built by a practitioner

A real practitioner stands behind every kit

Every VARVICO kit is built and maintained by a practicing CISO in EU-regulated fintech — someone who runs this in a regulated business, not scraped or white-labelled from a content farm. Kept anonymous by design; the work speaks for itself.

From scope to filed, in four steps

1. Check your scope

Run the free wizard. Find out, indicatively, whether a regulation applies and which role you are.

2. Pick your role pack

Manufacturer, importer or distributor — open manifests, so you see every document first.

3. Edit with guidance

Each document ships with inline “what to change” notes. No consultant needed to translate the law.

4. File & keep current

Deploy your set, then let Kept Current push each update as the regulation moves.

Built for the people who actually file

A structured starting point I could actually edit — not a six-figure engagement, not a dead Word file. The inline guidance is what saved me.
Solo CISO
EU non-bank financial institution
The importer pack covered the exact obligations the generic ISMS toolkits skip. One accountable practitioner behind it is why I trusted it.
Compliance Lead
Connected-product importer
I run it across client engagements. The Currency Stamp means I hand over documents that track the regulation, not last year's draft.
GRC Consultant
Independent advisory

Find the kit for your regulation

Browse the shelf, or run the free scope check —
six questions, an indicative result, and the matching kit in two minutes.