The scanner · methodology

We check 153 things that the APD/GBA, FPS Economy and your users expect from your website.

Spread across 7 compliance areas. Run automatically in ±60 seconds. One page free, whole site from €2.50.

Start a free check See a sample report →

Why this matters

€2.1bn
GDPR fines in 2024
European data protection authorities issued over €2.1 billion in fines in 2024. The Belgian APD/GBA is among the most active enforcers per capita.
€800–1500
Per image
Copyright agencies such as Permission Machine, Pixsy and Belgian specialist firms regularly send demand letters. Settlements up to €1,500 per photo.
€80,000
CEL fine ceiling
Since 28 June 2025 the Law of 17 March 2024 transposes the EAA. The FPS Economy can impose administrative fines up to €80,000 — or 4% of annual turnover for legal persons.
< 1 hour
Typical fix
A single issue can cost more than years of prevention. Most fixes in our report take under an hour to implement.

The 7 areas, in detail.

What we check, specifically
Origin detection via reverse image search (TinEye index, ±50M images)
Match against known stock libraries (Getty, Shutterstock, Adobe Stock)
EXIF & metadata analysis for licence indicators
Detection of AI-generated images (Stable Diffusion, Midjourney signatures)
CEL XI.165
CEL XI.335
Cass. C.13.0322.F
Sample finding
High
Potentially unlicensed Getty Images photo found on /about-us.
The risk if you ignore this
Demand letters and court summons under Book XI of the Code of Economic Law (copyright). Damages €800–€1,500 per image, plus procedural compensation. Bad-faith infringement can lead to doubled damages (CEL XI.335).
What we check, specifically
Cookie banner: pre-consent detection (scripts firing before "Accept")
Privacy notice: presence + 13 mandatory items under GDPR Art. 13
Processor register: third-party scripts identified and mapped
International transfers: detection of US/non-EU endpoints (Schrems II)
Data subject rights: contact route for SARs/erasure requests in place
GDPR Art. 6, 13, 28
Law of 30 July 2018
Law of 13 June 2005 art. 129
Sample finding
Critical
Google Analytics loads before cookie consent.
The risk if you ignore this
APD/GBA fines up to €20M or 4% of global turnover. The APD/GBA invalidated the IAB Europe TCF (Decision 21/2022) and actively enforces on cookies. For SMEs typically €5,000–€100,000 per breach.
What we check, specifically
Alt text on meaningful images (WCAG 1.1.1)
Colour contrast: text at least 4.5:1, large text 3:1 (WCAG 1.4.3)
Keyboard navigation: tab order, visible focus states
Form fields: labels, error messages, screen-reader compatibility
Video & audio: captions, transcripts (WCAG 1.2.x)
PDF accessibility: tagged structure, reading order (Premium only)
Law of 17 March 2024
EAA Directive 2019/882
WCAG 2.2 AA
EN 301 549
Sample finding
High
12 images without alt text (WCAG 1.1.1).
The risk if you ignore this
The Law of 17 March 2024 transposes the EAA, enforceable since 28 June 2025. The Directorate-General for Economic Inspection (FPS Economy) can impose administrative fines up to €80,000 per breach.
What we check, specifically
TLS configuration: certificate validity, cipher suites, protocol versions
HTTP security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy
Known vulnerabilities: jQuery, WordPress, plugins (CVE database matching)
Mixed content: HTTP resources on HTTPS pages
Subresource Integrity (SRI) on external scripts
GDPR Art. 32
NIS2 Directive 2022/2555
CCB guidance
Sample finding
High
Content-Security-Policy header missing.
The risk if you ignore this
No direct fine, but GDPR Art. 32 requires "appropriate technical measures". A breach via a known vulnerability is an aggravating factor in APD/GBA fining methodology. NIS2 transposition adds incident-reporting duties.
What we check, specifically
CBE number & VAT number: present and visible (CEL III.74)
Registered office: present in footer or contact page
Terms & Conditions: present, downloadable as PDF
Contact route: email or form (CEL VI.45)
Online dispute resolution: link to ODR platform for e-commerce
CEL III.74
CEL VI.45
CEL XV.83
Sample finding
Medium
CBE number missing from website (CEL III.74).
The risk if you ignore this
Breaches of CEL III.74 can lead to cease-and-desist actions by competitors or consumer associations (Test-Achats) and fines from the Economic Inspectorate up to €80,000 (CEL XV.83). For legal persons, up to 4% of annual turnover.
What we check, specifically
Double opt-in: confirmation email on sign-up
Unsubscribe link: present and functional in every email
Consent records: timestamp, IP, form text retained
Specific checkbox for marketing — not pre-ticked
Send from your own domain (SPF/DKIM aligned)
CEL VI.110
GDPR Art. 7
Law of 13 June 2005 art. 14
Sample finding
Medium
Newsletter form without double opt-in.
The risk if you ignore this
CEL VI.110 prohibits unsolicited electronic communications without prior consent. The Economic Inspectorate can draw up PV; fines up to €80,000. The APD/GBA handles the GDPR aspect (processing without lawful basis).
What we check, specifically
Order button text: "Order with obligation to pay" or equivalent (CEL VI.45 §3)
Cancellation form: 14-day cooling-off available, instructions in checkout
Price presentation: total price incl. VAT and shipping visible before order
Delivery time: stated concretely (no vague terms like "fast")
Statutory vs commercial guarantees: clearly distinguished
CEL VI.45
CEL VI.47 (right to cancel)
Directive 2011/83/EU
Sample finding
High
Order button without "with obligation to pay" wording (CEL VI.45 §3).
The risk if you ignore this
An unclear order button makes the contract void against the consumer (CEL VI.45 §4). Plus Economic Inspectorate fines up to €80,000 (CEL XV.83) and potential cease-and-desist actions.

Methodology

How we run it — without the black box.

See our open-source work on GitHub →

01

Research into applicable rules

We track EU-wide legislation (GDPR, EAA, ePrivacy) and the Belgian transposition (CEL Book VI/XII, Law of 13 June 2005 on electronic communications, APD/GBA guidance). When the APD/GBA or FPS Economy tightens a rule, our checklist is updated.

02

Automated validation

Every testable rule gets a deterministic check: a real browser loads the page (Playwright/Chrome), we read DOM, headers, requests and TLS configuration. No "AI magic" where code can give an honest answer.

03

AI for more complex checks

For rules that aren't a simple checkbox — completeness of a privacy notice, dark patterns in a checkout, tone of consent copy — we use a combination of the latest local and cloud models, tuned for this purpose. Used in a targeted way and always traceable back to the source rule.

Want to know where your site stands?

One page free. No registration. Results in 60 seconds — with concrete next steps.

Start a free check →

We check 153 things that the APD/GBA, FPS Economy and your users expect from your website.

The 7 areas, in detail.

Image copyright

Accessibility

Security

Legal pages

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?

We check 153 things that the APD/GBA, FPS Economy and your users expect from your website.

The 7 areas, in detail.

Image copyright

GDPR & Privacy

Accessibility

Security

Legal pages

Newsletter

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?