Rules-to-code compliance testing

Your regulations are written in prose. We compile them into tests.

Rules-to-code turns ambiguous legal text into discrete pass/fail criteria — the unit tests your compliance function never had. We run them against your evidence and tell you exactly where you stand, scored by article and ready for a regulator to inspect.

Live conformance test

  • DORA 88%
  • EU AI Act 61%
  • NIS2 91%
  • GDPR 74%
  • FCA Consumer Duty 58%
  • UK GDPR / DPA 71%

  • DORA enforceable since Jan 2025
  • EU AI Act high-risk obligations Aug 2026
  • NIS2 transposed across the EU
  • GDPR fines up to €20M or 4% of global turnover
  • FCA Consumer Duty in force since Jul 2023
  • UK GDPR diverging from EU — dual compliance required
  • SMCR individual accountability for senior managers
  • MiCA crypto-asset regulation in force Dec 2024
  • Operational Resilience PRA/FCA SS1/21 in force
  • €35M max EU AI Act fine
  • 10% of turnover — max DORA penalty

Why this matters now

The tolerance period is over. Regulators want proof.

Most mid-market regulated firms still manage compliance in spreadsheets — relying on consultant opinions rather than structured evidence, and unable to answer the one question a regulator will actually ask: show me your proof.

FCA Consumer Duty
Jul 2023
In force for UK financial services firms. The FCA is actively supervising outcomes and has confirmed that AI-driven decisions — pricing, recommendations, communications, complaints — must still deliver good customer outcomes. Consumer Duty is the primary framework through which the FCA is assessing AI conduct right now.
NIS2
Oct 2024
Transposition deadline passed. Critical-sector firms are already in scope across the EU.
DORA
Jan 2025
Fully enforceable. National Competent Authorities are now conducting active enforcement reviews.
EU AI Act
Dec 2027
⚠ Deferred from Aug 2026 — action still required now
High-risk obligations apply. The deadline has been deferred to December 2027 but conformity assessments should begin immediately — lead times are long and regulators expect visible progress.
What we deliver

Four ways to engage

Every engagement is fixed-fee and fixed-scope. You know exactly what you are getting before we start.

Entry point · 01

Compliance Stress Test

We apply our rules-to-code methodology to a single regulation — translating legal text into discrete, testable obligations. We run your evidence against every requirement and return a scored conformance report, pass/fail by article, ready for a regulator to inspect.

  • Conformance score by regulatory chapter
  • Risk-rated gap register
  • Auditable, regulator-ready evidence log
  • Prioritised remediation roadmap
2–3 weeks · Fixed fee
Full programme · 02

Multi-Regulation Assessment

End-to-end conformance testing across multiple regulations in a single engagement. Scope is tailored to the frameworks your firm needs to prioritise — whether that is DORA, the EU AI Act, NIS2, GDPR, FCA Consumer Duty, or a combination. Includes full AI system inventory and risk classification where relevant.

  • Conformance score by regulation and chapter
  • Full AI system inventory & classification
  • Cross-regulation gap analysis and overlap mapping
  • Board-ready summary report
  • Regulator-facing evidence pack
4–6 weeks · Fixed fee
Fractional advisory · 03

AI Governance Retainer

A retained monthly engagement as your fractional AI Governance Adviser — board reporting, quarterly re-testing, and oversight of new AI deployments.

  • Quarterly conformance re-testing across in-scope regulations
  • Regulatory horizon scanning and impact assessment
  • Board & committee reporting pack
  • Pre-deployment governance review for new AI systems
  • Ongoing access to a fractional AI Governance Adviser
Rolling engagement
AI Infrastructure · 04

Agentic Compliance Infrastructure

For firms deploying AI agents: we design the governance wrapper — oversight thresholds, tamper-evident logging, and a persistent registry, powered by Aegis Kernel.

  • Aegis Kernel deployment and configuration
  • Human oversight framework design
  • Tamper-evident audit logging (Article 12 aligned)
  • AI system registry and persistent record infrastructure
  • Ongoing monitoring and alerting thresholds
Scoped per engagement
Coverage

One methodology. Any regulation.

Our rules-to-code test suites are built for the regulations that matter most to European regulated firms right now.

DORA
Digital Operational Resilience Act — in force January 2025
EU AI Act
High-risk & GPAI obligations — August 2026
NIS2
Network & Information Security Directive — 2024
GDPR
Data protection & privacy — in force since 2018
FCA Consumer Duty
UK retail conduct standard — in force July 2023
UK GDPR / DPA
UK data protection regime — post-Brexit divergence from EU
SMCR
Senior Managers & Certification Regime — individual accountability
MiCA · CSRD / ESG · Basel III / IV · FCA Consumer Duty · + secondary frameworks on request
The method

From regulation to verdict in four steps

Rules-to-code turns regulatory text into discrete, testable criteria — the equivalent of unit tests for your compliance function.

01

Encode the regulation

We decompose each obligation into a discrete, testable criterion — pass/fail, with a defined evidence requirement. Every article, made testable.

02

Collect your evidence

You provide policies, system documentation, contracts, and logs. AI-assisted analysis compresses three weeks of manual review into three to five days.

03

Score and report

Conformance score by chapter. Each gap risk-rated Critical / High / Medium / Low with a specific remediation recommendation. Board-presentable. Regulator-ready.

04

Remediate and monitor

We fix what we find. Quarterly re-testing tracks progress. Aegis Kernel provides the persistent governance layer for firms that want ongoing assurance.

About PROVA

Three decades of enterprise transformation, aimed at the problem that matters right now.

PROVA Governance is led by Martin Guerin, with a career spanning Big 4 advisory firms and a Fortune 500 technology company, and independent consulting across financial services, legal, and professional services in Europe, the UK, and Australia.

This is not a general AI advisory firm that noticed the EU AI Act. It is a specialist practice built on deep regulatory, governance, and enterprise technology expertise — focused on helping regulated firms prove their position, not just describe it.

CISA
Certified Information Systems Auditor

The gold standard for technology audit and governance.

FCMA · CGMA
Chartered Management Accountant

Nearly 30 years of enterprise transformation experience.

Big 4
Global Transformation & Risk Management

Big 4 experience designing and delivering global transformation and risk management programmes, followed by senior leadership at a Fortune 500 technology company.

Aegis
Authorised European Partner — Aegis Kernel

Tamper-evident AI governance infrastructure aligned to EU AI Act Article 12.

Start here

Find out where you actually stand.

Every engagement starts with a 30-minute discovery call. No pitch. No obligation. We identify your most urgent regulatory exposure and recommend the right entry point.