What types of documents can I compare?

Any text-based PDF: vendor proposals, RFPs, contracts, SLAs, MSAs, DPAs, technical specs, POC reports, security questionnaires and compliance docs. POCsheet aligns them into clear tables with clause, pricing, and SLA highlights, then files each document into a vendor library you can query later.

How accurate is the AI comparison?

Our AI contract comparison and RFP comparison models align clauses, pricing, SLAs, and technical requirements with 95%+ precision. For high-stakes deals, add a quick human review to validate recommendations.

How fast do I get results?

Most comparisons finish in 2–3 minutes for 2–3 technical PDFs. Larger RFPs or contracts may take slightly longer but remain far faster than manual review or spreadsheets.

Can I compare multiple vendors at once?

Yes. Upload 2–3 vendor proposals or technical PDFs in one run to see side-by-side tables, risks, and AI recommendations. Perfect for procurement, IT, and product teams.

Can I export and share the comparison?

Yes. Export comparison tables and AI summaries as PDF, DOC or print, and generate signed public links (7/14/30/90 days, expiry + revoke) to share reports with stakeholders without forcing them to sign up. Every comparison stays archived in your vendor library for audit and renewal tracking.

Can POCsheet draft the negotiation email for me?

Yes. Apply your negotiation playbook to any comparison and POCsheet's AI drafts a ready-to-send email to the vendor with verbatim citations from their contract, your required counter-positions and concrete counter-language. Also generates a counter-proposal MSA redline with proper track-changes markup and a tailored security questionnaire (SIG/CAIQ/SOC2). All under €9/month on Pro.

Can I verify where the AI got each answer?

Yes. Every AI-extracted value in the comparison includes a verbatim source citation — hover or tap the info icon next to any value to see the exact sentence from the source PDF. Click "View in source context" to open a drawer with the surrounding text, position percentage and the cited paragraph highlighted in yellow. Designed for legal and CFO sign-off without rereading the full document.

Can POCsheet read scanned PDFs?

Yes. POCsheet auto-detects scanned (image-only) PDFs and runs OCR in your browser using Tesseract.js — no server upload of the PDF required. The text is then sent to the AI engine like any native-text PDF. Vendor proposals that arrive as flattened, signed scans now work out of the box.

Does POCsheet check DORA / NIS2 / GDPR compliance?

Yes. One-click EU compliance check evaluates every vendor against the key articles of DORA (financial entities), NIS2 (essential / important entities) and GDPR (any personal data) — with per-article verdict (meets / gap / not_addressed) and verbatim evidence quotes.

Is there a free analyzer without signup?

Yes. Visit /analyze, drop any single vendor PDF and POCsheet returns red flags, missing clauses and the exact questions to ask the vendor — no signup, no email, no credit card. Rate-limited to 3 analyses per day per IP. Privacy by design: text is extracted in your browser, the PDF never uploads.

Contracts May 19, 2026 8 min read

DORA, NIS2 and GDPR: the EU compliance checklist for vendor evaluation

EU regulation in 2026 means every B2B vendor evaluation is also a compliance check. A practical checklist to run on every proposal before you sign.

European Union flag — regulation and compliance context — Photo by Kelly on Pexels

2025 was the year EU regulation finally caught up with B2B procurement. DORA (Digital Operational Resilience Act) is now in force for financial services. NIS2 applies to essential and important entities in healthcare, transport, energy, public administration and several other sectors. GDPR has been there for seven years but the enforcement intensity has roughly tripled in the last 18 months. The practical effect: every vendor evaluation is now also a compliance check. Here's the working checklist.

The four questions you have to answer before you sign

For every vendor you're about to sign with — particularly any vendor that processes personal data, supports critical operations, or has access to your network — answer these four questions, in writing, before the contract is final:

What regulations apply to this vendor relationship? Map to GDPR (if any personal data), DORA (if you're a financial entity and they're an "ICT third-party service provider"), NIS2 (if you're a covered entity and they support an essential service), SOC2 / ISO 27001 / HIPAA / sector-specific.
Does the vendor's documentation address each applicable regulation? Specifically, by name. "We are GDPR-compliant" is not enough — you need explicit reference to the controller-processor relationship, sub-processor list, data residency commitments, breach notification SLA.
Are the contractual commitments backed by certification? SOC2 Type II report, ISO 27001 certificate, DORA register of information, current and dated. Promises without certification mean nothing.
What's your exit / portability story? All three regulations require that you can transition away from the vendor in a controlled way. The vendor's contract must support that.

The clauses that have to be in the contract (not just in marketing)

Marketing pages say everything is compliant. Contracts often say less. The compliance-relevant clauses to actively look for:

Data Processing Agreement (DPA) — signed addendum, not just a reference to a webpage. Includes Art. 28 controller-processor terms, sub-processor list, technical and organisational measures, audit rights.
Breach notification SLA — explicit time commitment (best practice ≤ 72 hours), with named contact channels.
Data location commitment — for EU customers, a written commitment to keep customer data + metadata in EU regions for the proposed workloads. If the vendor uses third-country processors, an SCC (Standard Contractual Clauses) reference + transfer impact assessment.
DORA-specific (financial entities only): subordination of the contract to applicable financial regulation, specific assessment of concentration risk, exit and substitution strategies, in-scope rights of audit.
NIS2-specific (essential / important entities): incident reporting cooperation, vulnerability handling, security testing access.
Right to audit — or at minimum the right to receive current SOC2 / ISO audit reports under NDA.
Termination for compliance failure — customer has the right to terminate if the vendor loses a required certification.

Where vendors usually fall short

In our experience across procurement evaluations, the most common gaps are:

DPAs that reference an external URL rather than including the terms in the contract.
Breach notification "as soon as reasonably practicable" instead of a hard SLA.
Data residency commitments that exclude metadata (operational logs, support tickets, billing data).
Audit rights limited to "vendor's SOC2 report once a year" — without right to ad-hoc audits in case of incident.
Sub-processor lists out of date or undisclosed.
DORA "register of information" requirements ignored entirely by vendors who haven't realised they're caught.

Automating the check

Running this checklist manually on every vendor proposal takes 30–60 minutes per document. Across an RFP with 5 candidates, that's a half-day of legal time per cycle. An AI vendor analysis tool with explicit compliance prompts can flag each of these gaps in seconds — surfacing not "the contract is compliant", but "the contract addresses 4 of 7 expected GDPR commitments, with the following gaps: no explicit breach notification SLA, no audit rights, sub-processor list incomplete."

POCsheet can be configured (via the Negotiation Playbook feature) to include compliance positions specific to your regulated industry. The AI then evaluates every vendor against the same rigor, every time. You stop missing things because you were tired or rushed.

What to do this quarter

List every active vendor that processes personal data, supports a critical operation, or has network access.
Map each to applicable regulations (DORA / NIS2 / GDPR / sector-specific).
Pull the current contract for each and run it through the 7-clause check above.
Flag any vendor missing more than 2 critical clauses. Those become priority renegotiations at next renewal.
Build a playbook of your standard compliance positions. Apply to every future contract.

Doing this systematically once a year — at minimum — is the difference between procurement that meets the regulator's bar and procurement that's exposed when the audit comes.

Run an AI vendor comparison in 60 seconds

Compare vendor proposals, RFPs and contracts with AI. Free plan: 4 comparisons / month.

Start free

DORA, NIS2 and GDPR: the EU compliance checklist for vendor evaluation

The four questions you have to answer before you sign

The clauses that have to be in the contract (not just in marketing)

Where vendors usually fall short

Automating the check

What to do this quarter

Related reading

Run an AI vendor comparison in 60 seconds

Related articles

Stop writing vendor pushback emails from scratch: AI drafts them for you

AI counter-proposal redlines: 30 minutes of lawyer work in one click

Generate a SIG / CAIQ / SOC 2 questionnaire for any vendor in 30 seconds