GDPR · ePrivacy · NIS2

Continuous compliance monitoringfor digital trust.

Vakteye monitors how your website actually behaves — cookies, trackers, consent flows and data sharing — and produces audit-ready evidence for GDPR, ePrivacy and NIS2.

Book strategic review

Built for compliance in enterprise environments
GDPR
ePrivacy
NIS2
WCAG 2.1

Europe has already passed €6.11B in GDPR fines.

Since GDPR became applicable on 25 May 2018, CMS records 2,685 published fines across Europe up to its 1 March 2026 cut-off. NIS2 adds cyber-security fine ceilings up to €10M or 2% of worldwide turnover. Avanza below is one concrete example.

€6.11B

known GDPR fines in Europe

GDPR fines2,685

GDPR total€6.11B

NIS2 ceiling€10M / 2%

CMS GDPR Enforcement Tracker Report 2025/2026 Directive (EU) 2022/2555 Art. 34 IMY Avanza decision DI-2021-5544

15 Nov 2019

Meta Pixel is used

Purpose: Facebook marketing optimization.

Nov 2019 – Jun 2021

Sub-functions activate

Personal data is wrongly transferred to Meta.

2 Jun 2021

Avanza becomes aware

The pixel is disabled after about 19 months.

24 Jun 2024

IMY: 15M SEK fine

Decision DI-2021-5544: GDPR Art. 5(1)(f) and 32(1).

Avanza

19 months

before the issue became known

Vakteye

First scan

direct detection

Evidence for privacy operations

Prove your consent works in production.

Vakteye verifies trackers, consent behavior, and data transfers, then turns every scan into signed evidence for legal, security, and GTM teams.

Book a demo

Why this matters

Your website can look compliant and still behave differently.

Vakteye compares what the visitor sees, what the browser sends, what the policy promises, and keeps the evidence ready when someone asks.

Live site

Policy

Evidence

First fix

Observe

What the browser actually does

Consent clicks, scripts, storage, network calls, headers, TLS, forms, and exposure are captured as behavior.

Compare

What the policy says

GDPR Art. 13 promises are checked against observed trackers, transfers, cookies, scripts, and forms.

Act

What should change first

Findings are grouped by legal risk, security exposure, and the fastest practical fix.

Differentiation

Less noise. More proof.

Add your URL, register the site, and Vakteye handles the scan. You get clear proof of what happened and what must be fixed.

Policy versus reality

A compliant-looking banner is not enough. We compare policy language with live trackers, transfers, cookies, scripts, and form behavior.

Consent tested in-browser

Reject, accept, settings, pre-consent cookies, cookie flags, local storage, zombie cookies, and post-reject calls are tested in real sessions.

Security context included

Headers, TLS, vulnerable JavaScript, exposed services, admin panels, secrets, subdomains, SQLi, XSS, and CSRF signals are kept in view.

Analyst judgement

Automation captures the facts. Ambiguous findings get analyst context before they become business, legal, or technical decisions.

Use cases

From URL to proof without extra work.

Each flow shows what happened, why it matters, and what Vakteye handles next before the full technical report is needed.

Shorter path from consent test to fix

See whether reject, accept, settings, cookies, storage, and network calls behave differently.

Catch policy contradictions before they spread

Policy claims are compared with the vendors, transfers, scripts, and forms observed during the scan.

Keep security findings beside legal risk

Headers, TLS, exposed services, secrets, forms, and accessibility issues stay in the same decision view.

Meet reviews with confidence

Screenshots, HAR files, cookie timelines, source links, timestamps, and reviewer notes stay attached.

Automation plus judgement

Fast where machines are strong. Careful where interpretation matters.

Vakteye behaves like a continuous compliance platform with an expert review layer. Clear findings move quickly. Ambiguous findings are checked before they are presented as risk.

Automated capture

Browser and security checks record what the site actually does in production.

Legal and security mapping

Signals are mapped to GDPR, ePrivacy, LEK, NIS2, and practical remediation.

Human review

Lower-confidence findings get analyst context so decisions are based on evidence, not noise.

Executive summary

What changed, why it matters, and the first fixes.

Technical proof

Screenshots, HAR logs, browser events, cookies, storage, and timelines.

Audit trail

Timestamps, legal basis, confidence levels, source links, and review notes.

Certificate and badge

Passing scans can issue a Privacy Verified badge with public verification evidence.

Evidence ledger · an example

12 months.
6 months unwatched.

What happened on your site between the audits?

12 months for a typical customer. First half: unwatched. First scan: evidence ready for regulatory review.

Pattern from Vakteye pilot customers — SaaS, e-commerce, healthcare (2025–2026).

Your ledger starts at the first scan.

Before Vakteye

6 months · May 2025 → Oct 2025

unseen findings on your site

blind weeks without monitoring

estimated fine exposure

20–94 MSEK

internal alerts

No internal alerts. Nobody knew until someone outside pointed it out.

VakteyeVakteye onboarded

3 Nov 2025

With Vakteye

6 months · Nov 2025 → today

< 24h

from finding to signed alert

signed weeks in a row

open findings now

continuous monitoring

24/7

Every week a signed report from a compliance analyst. Done before IMY asks.

Proof · 12 months

Click a Tap red for findings — green for proof.

Active findings

Under review

Compliant · signed

Not watched

Vakteye onboarded3 Nov 2025

2025

2026

Apr

May

Jun

Jul

Aug

Sep

Oct

Nov

Dec

Jan

Feb

Mar

Apr

NIS2 / Swedish Cybersecurity Act in force · 15 Jan 2026

Vakteye-ready from day 1 · 0 open findings

Before

9 findings

Vakteye onboarded3 Nov 2025

With

0 open

Active findings · nobody knew

W28 · Jul 7 – Jul 13, 2025

2 findings active for 7 days with no internal alert.

Legal bases triggered

T1 · 4% / EUR 20MT2 · 2% / EUR 10M

GDPR Art. 5GDPR Art. 6GDPR Art. 7GDPR Art. 32ePrivacy 5(3)LEK 9 §28Swedish Data Protection Act

Reject button non-functional

CRITICAL

ePrivacy Art. 5(3) · EDPB consent guidelines

CMP bug: “Reject all” clicks register as “Accept”. Active all week.

Similar IMY case: IMY-2024-Apoteket · SEK 37MEstimated exposure: 8–37 MSEK

Pre-ticked consent boxes

HIGH

GDPR Art. 7(2) · CJEU Planet49

Marketing toggles pre-ticked in CMP settings.

With Vakteye, the answer is ready before the question is asked.

Book a demo See a real proof bundle →

Anonymized example. All finding types, legal references and IMY enforcement decisions are real and documented.

A note from KeyMan

After 25 years with Sweden's biggest organisations, I know what executives need to stay compliant.

At KeyMan, we've spent decades placing IT and security specialists with banks, government agencies, and municipalities across Sweden. Compliance has moved from a quiet legal concern to one of the most serious questions on the executive table.

Mats Mårtensson

CEO, KeyMan

Board-ready

A clear answer leadership can stand behind.

Executive summary

What matters, what changed, and what needs attention.

Reviewed weekly

A named reviewer signs the result before it is shared.

Evidence ready

If the board, legal team, or regulator asks, the proof is already prepared.

Next step

See the risk in your own website.

Book a short review. We scan live pages, show the evidence, and explain what should be fixed first.

Book strategic review Compare plans

Regulatory research

Primary-source enforcement analysis from IMY, CNIL, DPC, and EU guidance.

Plan model

Plans vary by domains, scan frequency, frameworks, and review scope.

Trust page

How Vakteye evidence, badges, and scanner disclosure work.

Continuous compliance monitoringfor digital trust.