heygrc
For EU SaaS

GDPR, DORA, and NIS 2 land in your code, not just your policies.

For EU SaaS teams carrying overlapping regulatory duties. The data-protection and resilience obligations that show up in a diff, named at the clause.

A SaaS company operating in the EU often carries several regimes at once: GDPR for personal data, DORA if it serves financial entities, NIS 2 if it is an in-scope operator, and the AI Act if it ships high-risk AI. Much of that is governance, but a real slice is decided in code, and the overlapping duties make it easy to miss which clause a change just touched.

Several regimes, one review

The hard part of EU compliance in code is that one change can implicate more than one regime: a new third-party data flow is both a GDPR transfer question and, for the right entity, a DORA third-party-risk one. heygrc is built to read the change against all the frameworks you selected at once and name each clause it touches, so a developer does not have to hold four regulations in their head to spot that a diff matters.

That breadth is exactly where a specialist reviewer earns its place over a generic code-quality tool.

What it catches for you

Changes that read as ordinary code.

A few of the control-relevant changes heygrc is built to flag for this case, each cited to the clause it touches.

  • A request body with personal data is logged in full (GDPR Art. 5(1)(c))
  • A nightly backup of operational data is removed (DORA Art. 12)
  • A new dependency lands with no integrity check (NIS 2 Art. 21(2)(d))

Go deeper
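The first bullet, shown as code. This is an added illustration, not heygrc's own code or detection logic: a handler that logs a decoded request body in full beside a data-minimised version that masks personal-data fields before the record is written. The field names and the sample body are constructed for the example.

```python
import json
import logging

# Constructed: the fields in this request schema that carry personal data.
PERSONAL_DATA_KEYS = {"email", "name", "phone", "address", "iban", "date_of_birth"}
REDACTED = "[redacted]"


def redact_for_log(value):
    """Return a copy of a decoded JSON body with personal-data fields masked.

    Nested objects and lists are walked, so a field inside a sub-object
    (e.g. customer.email) is masked as well, not only top-level keys.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if k.lower() in PERSONAL_DATA_KEYS else redact_for_log(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact_for_log(v) for v in value]
    return value


def log_request_in_full(log, body):
    """The pattern the bullet describes: the whole body, personal data
    included, lands in the log and inherits the log's retention."""
    log.info("incoming request: %s", json.dumps(body))
    return body


def log_request_minimised(log, body):
    """Data-minimised form: the record keeps what is needed to triage the
    request (ids, amounts, flags) and masks the personal-data fields."""
    safe = redact_for_log(body)
    log.info("incoming request: %s", json.dumps(safe))
    return safe


# Constructed sample body for a payment-style request.
SAMPLE_BODY = {
    "order_id": "A-1042",
    "amount_cents": 1999,
    "customer": {"name": "J. Example", "email": "j@example.test", "iban": "XX00 0000"},
    "items": [{"sku": "BOOK-1", "qty": 1}],
}

if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    log_request_minimised(logging.getLogger("api"), SAMPLE_BODY)
```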

The frameworks that matter most here.

Guide: Catching a GDPR retention bug in code review

heygrc flags control-relevant changes and cites the clause so the issue can be handled in the pull request. It does not certify you, run your audit, or replace your own judgment. heygrc is in early access.