GDPR + AI Act §50 + EAA — EU Compliance Scanner
The only audit scanner that covers all four EU regulatory layers in one pass: GDPR (cookie consent + privacy + security headers + Schrems II), AI Act §50 (AI-content disclosure, in force 2 August 2026), the European Accessibility Act (WCAG 2.1 AA, in force since 28 June 2025), and Schrems II / SCCs (US subprocessor disclosure). Built by a Danish company, audited against the actual EU regulatory clock.
Free first scan · No credit card · No legal advice — we surface what auditors check, you keep the legal review.
The four EU regulatory layers
1. GDPR (Regulation (EU) 2016/679 — in force since 2018)
Applies to anyone processing personal data of EU residents, regardless of where the business is registered. Technical-observable signals we check:
- Cookie consent banner presence and correct gating (no analytics before consent — the most common GDPR violation in 2024-2026 enforcement)
- Privacy policy link discoverable from footer + reachable URL
- HTTPS enforced sitewide; no mixed content; no insecure redirect chains
- Security headers required under Article 32 “appropriate technical measures”: HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy
- Cookies carry Secure + HttpOnly + SameSite attributes
- Tracking scripts (GA4, Meta Pixel, GTM) gated behind explicit consent
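The header and cookie checks from this list, sketched as an added example (not Seoxpert's code): it audits one response's headers, treats a CSP frame-ancestors directive as covering X-Frame-Options, and flags values that are present but ineffective. The function name and the sample headers are constructed for illustration.

```python
REQUIRED = ("strict-transport-security", "content-security-policy",
            "x-frame-options", "x-content-type-options", "referrer-policy")

def audit_headers(pairs):
    """Audit (name, value) response-header pairs; return a list of findings."""
    seen, cookies, findings = {}, [], []
    for name, value in pairs:
        if name.lower() == "set-cookie":
            cookies.append(value)          # Set-Cookie may repeat; keep each one
        else:
            seen[name.lower()] = value.strip()
    csp = seen.get("content-security-policy", "").lower()
    for name in REQUIRED:
        if name in seen:
            continue
        # CSP frame-ancestors gives the same framing control as X-Frame-Options
        if name == "x-frame-options" and "frame-ancestors" in csp:
            continue
        findings.append(f"missing header: {name}")
    # A header can be present and still ineffective
    hsts = seen.get("strict-transport-security")
    if hsts is not None:
        directives = dict(p.strip().lower().partition("=")[::2] for p in hsts.split(";"))
        age = directives.get("max-age", "").strip('"')
        if not age.isdigit() or int(age) == 0:
            findings.append("hsts: max-age missing or zero")
    xcto = seen.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("x-content-type-options: value is not nosniff")
    for raw in cookies:
        name, _, rest = raw.partition("=")
        attrs = dict(a.strip().lower().partition("=")[::2] for a in rest.split(";")[1:])
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {name.strip()}: missing {flag}")
        if attrs.get("samesite") == "none" and "secure" not in attrs:
            findings.append(f"cookie {name.strip()}: SameSite=None without Secure")
    return findings

SAMPLE = [  # constructed response headers, not captured from a real site
    ("Strict-Transport-Security", "max-age=0; includeSubDomains"),
    ("Content-Security-Policy", "default-src 'self'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "sid=abc123; Path=/; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "_track=1; Path=/; Secure; SameSite=None"),
]

if __name__ == "__main__":
    for finding in audit_headers(SAMPLE):
        print(finding)
```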
2. AI Act §50 (Regulation (EU) 2024/1689 Article 50 — in force 2 August 2026)
Requires anyone publishing AI-generated content on the open web to disclose that fact in machine-readable form. Applies to operators serving the EU regardless of where established. We check:
- Pages that look AI-generated (heuristic content analysis) but lack a visible AI-content disclosure
- Missing structured data marking content as AI-generated (Schema.org CreativeWork.isAIGenerated or equivalent)
- AI-assistant leak phrases (“as an AI language model”) — embarrassing AND a clear compliance fail
3. EAA (Directive (EU) 2019/882 — in force 28 June 2025)
The European Accessibility Act requires e-commerce, banking, transport ticketing, e-readers, and other consumer-facing digital services serving EU residents to meet WCAG 2.1 AA. Eleven months into enforcement at time of writing. We check:
- Accessibility statement published and discoverable
- Equivalent text for non-text content (alt-text coverage)
- Color-contrast ratios on body text + interactive elements
- Keyboard-navigability signals + visible focus states
- No auto-playing audio over 3 seconds without user control
- Captions / transcripts on prerecorded video where present
- Viewport configuration that doesn't disable pinch-zoom
4. Schrems II / SCCs (CJEU C-311/18 — in force since 2020)
Invalidated the Privacy Shield framework. Requires Standard Contractual Clauses plus supplementary measures for any personal-data transfer from the EU to a country without an adequacy decision. We check:
- US-based subprocessor signatures in page source: Google Analytics, Stripe, Intercom, HubSpot, Salesforce, OpenAI, Sentry, etc.
- Privacy policy references SCCs and supplementary safeguards for each US transfer
- Cookie banner correctly classifies third-country transfers
Why a Danish-built EU scanner
Seoxpert is operated by Cloud Ninja Consulting ApS — a Danish company subject to the same regulatory clock we audit against. We follow EDPB guidance, Datatilsynet enforcement priorities, the European Commission's AI Act implementation roadmap, and EAA national-transposition status across all 27 member states. That's the difference from a US-built “compliance scanner” that hasn't read the regulation.
See our own imprint, privacy policy, and cookies page for the same compliance posture applied to the scanner itself.
Who needs an EU compliance scan?
Any website serving EU residents — which is most of the internet. The regulations apply by destination, not by where the business is registered. Particularly load-bearing for: e-commerce stores (EAA + GDPR + Schrems II all hit), SaaS using US analytics (Schrems II), publishers running AI content (AI Act §50 in 11 months), agencies onboarding new client sites (faster than reading their TOS). Catching a missing accessibility statement before an EAA complaint is much cheaper than catching it after.
What it does not replace
Seoxpert is a technical scanner. It checks what HTTP, page source, and structured data reveal. It does not review your data-processing agreements (DPAs), your record of processing activities (RoPA), a Schrems II transfer-impact assessment, a DPIA where applicable, or an AI Act risk classification. A full EU compliance programme combines the scanner (catches what auditors check first) with a legal review (covers the procedural layer). Think of the scanner as the part that catches the embarrassing technical gaps — not as a substitute for legal advice.
How much does it cost?
- Free — €0: 4 scans/month, 1 domain, weekly+ scheduled scans + regression alerts. No card required. Same scanner, full EU compliance results.
- Pro — €19.99/month: 100 scans/month across 10 domains. API access, deploy hooks, signed webhooks.
- Agency — €89/month: 500 scans/month across 50 domains. Daily + weekday schedules, white-label reports for client compliance deliverables.
See full details on the pricing page.
Frequently asked questions
What does Seoxpert's EU compliance scanner check?
Four EU regulatory layers in one pass: (1) GDPR — cookie consent, privacy policy, security headers, insecure cookies, analytics-before-consent. (2) AI Act §50 — AI-content disclosure (in force 2 August 2026). (3) EAA (European Accessibility Act) — accessibility statement + WCAG 2.1 AA technical checks (in force since 28 June 2025). (4) Schrems II / SCCs — US subprocessor detection and SCC disclosure cross-check.
What is AI Act §50 and does it apply to my site?
AI Act §50 (Regulation (EU) 2024/1689 Article 50) requires anyone publishing AI-generated content on the open web to disclose that fact in machine-readable form. In force from 2 August 2026. Applies to operators serving the EU regardless of where established. Sites that publish AI-summarised content, AI-written blog posts, or AI-generated translations need visible disclosure plus structured-data markup.
What is the EAA and what does it require for websites?
European Accessibility Act (Directive (EU) 2019/882) — in force since 28 June 2025. Requires e-commerce, banking, transport ticketing, e-readers, and other consumer-facing digital services serving EU residents to meet WCAG 2.1 AA. Required artefacts: a published accessibility statement, equivalent text for non-text content, keyboard navigability, sufficient color contrast, no auto-playing audio over 3 seconds, captions on prerecorded video.
How does the scanner handle Schrems II / international transfers?
Schrems II (CJEU C-311/18) requires SCCs plus supplementary measures for personal-data transfers from the EU to countries without an adequacy decision. The scanner detects US-based subprocessor signatures in your page source — Google Analytics, Stripe, Intercom, HubSpot, Salesforce, OpenAI, Sentry — and cross-references against your privacy policy to flag any that lack SCC + supplementary-safeguard disclosure.
Can I run compliance checks on client sites?
Yes. The Pro plan covers 10 domains; Agency covers 50. Scheduled scans + deploy webhooks mean you catch compliance regressions the day they ship — not when a client notices. White-label PDF reports (Agency tier) let you deliver findings under your own brand.
Does this replace a legal compliance review?
No. The scanner covers the technical observable layer. A full compliance programme also needs a DPA review, RoPA, Schrems II transfer-impact assessment, DPIA where applicable, and AI Act risk classification if you offer regulated AI. Use the scan to catch what auditors check first; budget a separate legal review for the procedural layer.