The scanner · methodology

We check 153 things that EU regulators, lawyers and users expect from your website.

Spread across 7 compliance areas, mapped to EU-wide legislation. Run automatically in ±60 seconds. One page free, whole site from €2.50.

Start a free check See a sample report →

Why this matters

€2.1bn
GDPR fines in 2024
European data protection authorities issued over €2.1 billion in fines in 2024. The EDPB reports rising enforcement against SMEs across the bloc.
4% turnover
GDPR ceiling
GDPR Art. 83 sets a maximum of €20M or 4% of global annual turnover (whichever is higher). National DPAs decide the band per case.
28 June 2025
EAA in force
The European Accessibility Act applies across every EU member state. National transpositions set the fine bands (typically €100k–€900k per breach).
< 1 hour
Typical fix
A single issue can cost more than years of prevention. Most fixes in our report take under an hour to implement.

The 7 areas, in detail.

What we check, specifically
Origin detection via reverse image search (TinEye index, ±50M images)
Match against known stock libraries (Getty, Shutterstock, Adobe Stock)
EXIF & metadata analysis for licence indicators
Detection of AI-generated images (Stable Diffusion, Midjourney signatures)
Directive 2001/29/EC (InfoSoc)
Berne Convention art. 5
CJEU C-160/15 (GS Media)
Sample finding
High
Potentially unlicensed Getty Images photo found on /about-us.
The risk if you ignore this
Demand letters from cross-border copyright firms (CopyTrack, Pixsy, Permission Machine). Settlements €800–€1,500 per image. The EU Copyright Directive (2001/29/EC) is implemented in every member state — claims are enforceable in the user’s country.
What we check, specifically
Cookie banner: pre-consent detection (scripts firing before "Accept")
Privacy notice: presence + 13 mandatory items under GDPR Art. 13
Processor register: third-party scripts identified and mapped
International transfers: detection of US/non-adequate endpoints (Schrems II)
Data subject rights: contact route for SARs/erasure requests in place
GDPR Art. 6, 13, 28, 32, 83
ePrivacy Directive 2002/58/EC
Schrems II
Sample finding
Critical
Google Analytics loads before cookie consent.
The risk if you ignore this
National DPAs (CNIL, BfDI, AEPD, AP, etc.) can fine up to €20M or 4% of global turnover under GDPR Art. 83. The EDPB harmonises calculation guidelines across the bloc — penalties for SMEs commonly land between €5k and €100k per breach.
What we check, specifically
Alt text on meaningful images (WCAG 1.1.1)
Colour contrast: text at least 4.5:1, large text 3:1 (WCAG 1.4.3)
Keyboard navigation: tab order, visible focus states
Form fields: labels, error messages, screen-reader compatibility
Video & audio: captions, transcripts (WCAG 1.2.x)
PDF accessibility: tagged structure, reading order (Premium only)
EAA Directive 2019/882
Directive 2016/2102
EN 301 549
WCAG 2.2 AA
Sample finding
High
12 images without alt text (WCAG 1.1.1).
The risk if you ignore this
The EAA (Directive 2019/882) applies since 28 June 2025. National regulators enforce nationally-set fine bands — typically €100k–€900k per breach. Public-sector sites are additionally covered by the Web Accessibility Directive (2016/2102) since 2018.
What we check, specifically
TLS configuration: certificate validity, cipher suites, protocol versions
HTTP security headers: CSP, HSTS, X-Frame-Options, Referrer-Policy
Known vulnerabilities: jQuery, WordPress, plugins (CVE database matching)
Mixed content: HTTP resources on HTTPS pages
Subresource Integrity (SRI) on external scripts
GDPR Art. 32
NIS2 Directive 2022/2555
ENISA guidelines
Sample finding
High
Content-Security-Policy header missing.
The risk if you ignore this
No direct fine, but GDPR Art. 32 requires "appropriate technical and organisational measures". A breach caused by a known unpatched vulnerability is an aggravating factor in every DPA’s fining methodology. NIS2 Directive (2022/2555) adds reporting obligations for essential entities.
What we check, specifically
Trader identification: business name, address, registration number (e-Commerce Directive art. 5)
VAT number: visible where the trader is VAT-registered
Terms & Conditions: present, downloadable, incorporated at point of contract
Contact route: email or form, not solely a premium-rate number
Hosting provider: country of establishment / contact disclosed where required
Directive 2000/31/EC art. 5
Directive 2011/83/EU art. 6
UCPD 2005/29/EC
Sample finding
Medium
Business registration number missing from website footer.
The risk if you ignore this
The e-Commerce Directive (2000/31/EC) art. 5 requires identification disclosures. Each member state has its own enforcement body and fine schedule — see the country-specific pages for NL, DE, FR, UK.
What we check, specifically
Double opt-in: confirmation email on sign-up
Unsubscribe link: present and functional in every email
Consent records: timestamp, IP, form text retained
Specific checkbox for marketing — not pre-ticked (CJEU Planet49)
Send from your own domain (SPF/DKIM aligned)
ePrivacy Dir. 2002/58 art. 13
GDPR Art. 7
CJEU C-673/17 (Planet49)
Sample finding
Medium
Newsletter form without double opt-in.
The risk if you ignore this
ePrivacy Directive art. 13 requires prior consent for B2C marketing. National telecoms regulators (BIPT, Bundesnetzagentur, ACM, Ofcom...) enforce with national fine bands. CJEU Planet49 (C-673/17) confirmed that pre-ticked boxes do not constitute valid consent.
What we check, specifically
Order button: clearly indicates obligation to pay (Consumer Rights Directive art. 8(2))
14-day right of withdrawal: model form available, instructions in checkout
Price presentation: total price incl. VAT and delivery shown before order
Delivery time: stated concretely (no vague terms like "fast")
Statutory vs commercial guarantees: clearly distinguished
Directive 2011/83/EU art. 8
Directive 2011/83/EU art. 9
Omnibus Directive 2019/2161
Sample finding
High
Order button does not clearly state the payment obligation (CRD art. 8).
The risk if you ignore this
Under Consumer Rights Directive 2011/83/EU art. 8(2), an unclear order button means the consumer is not bound by the contract. Plus national consumer-protection enforcement (DGCCRF, ACM, Trading Standards, AGCM, Verbraucherzentrale, etc.).

Methodology

How we run it — without the black box.

See our open-source work on GitHub →

01

Research into applicable rules

We track EU-wide legislation (GDPR, EAA, ePrivacy Directive, Consumer Rights Directive) and the national overlays per country. When a regulator tightens a rule or publishes new fining guidance, our checklist is updated.

02

Automated validation

Every testable rule gets a deterministic check: a real browser loads the page (Playwright/Chrome), we read DOM, headers, requests and TLS configuration. No "AI magic" where code can give an honest answer.

03

AI for more complex checks

For rules that aren't a simple checkbox — completeness of a privacy notice, dark patterns in a checkout, tone of consent copy — we use a combination of the latest local and cloud models, tuned for this purpose. Used in a targeted way and always traceable back to the source rule.

Want to know where your site stands?

One page free. No registration. Results in 60 seconds — with concrete next steps.

Start a free check →

We check 153 things that EU regulators, lawyers and users expect from your website.

The 7 areas, in detail.

Image copyright

Accessibility

Security

Legal pages

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?

We check 153 things that EU regulators, lawyers and users expect from your website.

The 7 areas, in detail.

Image copyright

GDPR & Privacy

Accessibility

Security

Legal pages

Newsletter

E-Commerce

How we run it — without the black box.

Research into applicable rules

Automated validation

AI for more complex checks

Want to know where your site stands?