The most expensive part of a new regulation is not the fine for breaking it. It’s the consultant’s bill for figuring out how not to. For a European bank staring down the Digital Operational Resilience Act (DORA), that can mean months of manual work: cross-referencing hundreds of pages of legal text against existing internal controls, policy documents, and supplier contracts to find the gaps. It is a task of pure tedium, measured in person-months and six-figure invoices. ComplyDo, a Berlin startup from Y Combinator’s Fall 2025 batch, is betting that an AI agent can do it for the price of a SaaS subscription [Y Combinator, 2025].
Their engine ingests regulation PDFs (DORA, NIS2, ISO 27001, eIDAS) and a company’s internal documentation. It then attempts to automate the core GRC (Governance, Risk, Compliance) workflow: extracting requirements, mapping them to controls, identifying discrepancies, and monitoring for regulatory updates [ComplyDo, 2026]. The promised payoff is straightforward. Instead of a team of analysts or a boutique consultancy, a compliance officer gets a continuously updated gap report. The company claims this can cut the time for such assessments from months to days [ComplyDo, 2026].
The Wedge of the PDF
ComplyDo’s initial surface is deliberately narrow. It is not selling a sprawling GRC platform that manages audits, incidents, and risk registers. It is starting with the foundational, repetitive, and document-heavy task of the initial gap analysis. This is a clever wedge. The input is a set of PDFs; the output is a spreadsheet or a dashboard highlighting missing controls. The value is immediate for the person who would otherwise have to create that spreadsheet by hand.
The company says it is already trusted by “global leaders and the largest EU enterprises” for use cases like third-party risk assessments and eIDAS audits, though it has not named specific customers [ComplyDo, 2026]. Case studies on its site describe anonymous deployments: one firm uses it as a central engine for supplier evidence mapping; external auditors use it for eIDAS compliance checks [ComplyDo, 2026]. The early signal suggests they are finding traction with the professionals (consultants, auditors, internal GRC teams) for whom this mapping work is a daily tax.
The Risks in the Machine
The bet rests on the AI’s accuracy and the customer’s trust. A regulatory gap analysis is not a place for hallucinations or confident mistakes. A missed requirement could leave a company exposed. ComplyDo will need to prove its agents are more reliable and thorough than a human specialist, or at least reliable enough to act as a super-powered first draft that drastically reduces human effort.
- The black box problem. The AI’s reasoning and sourcing must be transparent enough for an auditor to sign off on. A compliance officer needs to trust, but also verify.
- The integration slog. The tool’s value compounds if it can seamlessly pull data from existing systems like SIEMs, ticketing platforms, and policy repositories. That is a long road of API partnerships and custom connectors.
- The market ceiling. If the product is too good, it could automate the very consulting work that provides its initial beachhead. The long-term play must be to become the essential system for ongoing compliance, not just the one-time assessment.
The founding team of Moritz Moser, Matthias Schneider, and Leo Schuhmann is operating in stealth regarding their backgrounds. The Y Combinator stamp provides a baseline of operational coaching and network, but the path to enterprise credibility in regulated industries is typically built with public customer logos and seasoned sales leadership, neither of which is yet visible [Y Combinator, 2025].
A back-of-the-envelope calculation illustrates the unit economics. A typical gap assessment for a major regulation like DORA might involve two consultants for three months at a blended rate of $300 an hour. That’s roughly $250,000. If ComplyDo can replace 80% of that labor with a $50,000 annual subscription, the ROI for the customer is clear in the first project. The question is whether the remaining 20% of human oversight is still a $200,000 task. For ComplyDo to scale, it must beat not the consultant, but the consultant’s spreadsheet, becoming the indispensable tool that makes the consultant both faster and more accountable.
Sources
- [ComplyDo, 2026] ComplyDo, Compliance on Autopilot, Powered by AI Agents | https://www.complydo.io/
- [Y Combinator, 2025] ComplyDo: Global Compliance for Enterprises | https://www.ycombinator.com/companies/complydo
- [SaaSworthy, March 2026] SaaSworthy feature update on pricing/features | https://www.saasworthy.com/product/complydo-io