CONCILIUM, Digital support
GDPR, compliance

Choose compliance.

GDPR, NIS2, DORA, AI Act. Audit, outsourced DPO, sector compliance, processors, incident management. A legal and technical approach, in partnership with Hashtag Avocats. Diagnosis within 48 hours.

Three stakes

Credibility with your stakeholders. Transparency with your users. Peace of mind in the face of penalties.

Compliance is not a regulatory burden, it is a strategic asset. Built well, it protects, structures and accelerates. Four frameworks, GDPR, NIS2, DORA and the AI Act, now converge on the same organization.

Four pillars

A joint legal and technical approach

  1. Diagnosis. Map before acting.

     Complete organizational audit, inventory of processing activities, identification of risks and non-compliances, accountability report, quantified and prioritized action plan.

  2. Legal. Documentation that holds.

     Data protection charter, data processing agreements (DPA), terms of sale, legal notices, privacy policy, governed transfers. In partnership with Hashtag Avocats.

  3. Technical. Security by design.

     Encryption, access management, logging, 3-2-1 backups, legal archiving, anonymization, pseudonymization. Documented technical and organizational measures.

  4. Training. Build the culture to make it last.

     Team awareness, training of internal leads, phishing simulations, internal communication plan, continuous checks and an annual plan.

What we offer

Eight objectives for durable compliance

Audit, outsourced DPO, NIS2, DORA, AI Act, privacy by design, incident management, training: we cover the entire scope of digital compliance.

01

Complete GDPR audit

Mapping of processing activities, risk analysis, gap analysis, accountability report, quantified action plan prioritized over 12 to 24 months.

02

Outsourced DPO

A complete engagement: keeping the register, DPIAs, internal advice, CNIL point of contact, handling of rights requests, training, monthly reporting to the executive committee.

03

NIS2 compliance

Cybersecurity audit, EBIOS RM, implementation plan, documentation, governance, executive committee training. For essential and important entities.

04

DORA compliance

Operational resilience for the financial sector: ICT risk management, resilience testing, register of third-party providers, incident notification.

05

AI Act compliance

Classification of your AI systems, dedicated DPIAs, AI governance, technical documentation (annex IV), compliance with the 2024-2026 timeline.

06

Privacy by design

Project support from the design stage: prior impact analysis, compliant architecture choices, minimization, security by default.

07

Incident management

24/7 emergency protocol, breach qualification, CNIL notification within 72 hours, communication to the individuals concerned, corrective plan, lessons-learned review.

08

Training and awareness

Bespoke sessions for every audience: operational teams, executive committee, DPO and internal leads, sector focus available.

A unique partnership

With Hashtag Avocats

A law firm specialized in digital law, a long-standing partner of CONCILIUM. Sharp legal expertise coupled with our technical know-how, for deliverables that hold up in court and in production.

  • A senior legal team, specialized in digital law
  • Single coordination by CONCILIUM, one point of contact
  • Co-signed deliverables, defensible in litigation
  • Representation before the CNIL if necessary
Why CONCILIUM

Four defensible commitments

The compliance market is saturated with purely legal or purely technical players. Here is what makes us different.

  • 1. Legal and technical
    Compliance does not come down to a lawyer, nor to a CISO. We orchestrate both dimensions under a single project, for deliverables that hold up in court and in production.
  • 2. Hashtag Avocats partnership
    A law firm specialized in digital law, a long-standing partner. Sharp legal expertise coupled with our technical know-how. Single coordination.
  • 3. Senior outsourced DPO
    For organizations without internal resources, an expert DPO takes on the entire mission. More economical and more expert than a hire.
  • 4. Measurable reporting
    Compliance indicators, prioritized action plan, monthly or quarterly follow-up. Compliance progresses in a quantified way, defensible before an audit.
Frequently asked questions

Getting it exactly right

What is the difference between GDPR, NIS2, DORA and the AI Act?
GDPR (2018): personal data. NIS2 (French law of April 30, 2024): cybersecurity of essential and important entities. DORA (since January 17, 2025): operational resilience of the financial sector. AI Act (2024-2026): regulation of AI systems according to risk. Often applicable simultaneously.
Do you need an internal or an outsourced DPO?
SMEs and mid-sized companies: an outsourced DPO, more economical and more expert. Large organizations or sensitive sectors (healthcare, finance): an internal DPO, supported by an external firm on specialized matters.
What happens in the event of a CNIL inspection?
Support from the moment of notification: preparation of documents (processing register, DPIA, charter), hearing rehearsal, legal support through Hashtag Avocats, follow-up on recommendations or sanctions.
What happens in the event of a data breach?
A 24/7 protocol: alert within 1 hour, qualification and protective measures, forensics, CNIL notification within 72 hours (a legal obligation), information of the individuals concerned if necessary (article 34), report and corrective plan within one month, lessons-learned review.
How do you handle cookies and consent?
A CNIL-compliant consent platform (Axeptio, Didomi, Tarteaucitron): free and informed consent, refusal as simple as acceptance, choice retained for six months maximum, annual audit via CookieServe or Cookie Inspector.
Is a DPIA mandatory for my processing activities?
Yes, as soon as a processing activity creates a high risk: large-scale profiling, sensitive data, systematic monitoring, cross-referencing of files. We conduct it with the CNIL’s PIA method and tool, and record it in the register.
How do you govern transfers outside the EU?
Depending on the country: an adequacy decision (UK, Switzerland, Canada, Japan, Korea, Israel, New Zealand, Argentina and others), the 2021 Standard Contractual Clauses, or BCRs. For the United States, the Data Privacy Framework of July 2023, whose durability remains to be watched.
Does DORA apply to me?
DORA has applied since January 17, 2025 to financial entities: banks, insurers, asset managers, payment providers, crowdfunding platforms, intermediaries, rating agencies, central securities depositories. Five pillars, including TLPT resilience testing for significant entities.
What is the AI Act timeline?
Entry into force on August 1, 2024; prohibitions since February 2, 2025; obligations for general-purpose models since August 2, 2025; high-risk systems from August 2, 2026. Penalties up to 35 million euros or 7% of worldwide revenue for prohibited systems.
What does NIS2 change for us?
Around 15,000 entities in scope. Beyond technical measures: mandatory cyber governance, regulated incident notifications, personal liability for executives, penalties up to 10 million euros or 2% of worldwide revenue.
Do you have sector references?
Yes. Healthcare: HDS, MR-001 to MR-006, CNIL approval. Finance: DORA, AML-CFT, PSD2 and PSD3, ACPR. Public sector: RGAA, RGS, RGI, RGESN, CCAG-TIC, CNIL deliberations. Defense: IGI 1300, SecNumCloud for Restricted-level information, cleared providers beyond that.
Do you train our teams on compliance?
Yes. Bespoke sessions: operational teams, executive committee, DPO and internal leads. Sector focus available, phishing simulations, awareness of individuals’ rights and of the breach protocol. Compliance only holds if it is understood.
Online diagnosis, response within 48 hours.

Let's get you compliant.

Tell us about your activity, your processing operations and your pain points. We come back with a quantified diagnosis and an action plan within 48 hours.