What we are selling
EU regulatory representation and compliance services for non-EU companies that sell into Europe. Not a SaaS platform. Not a one-time audit. A productized, recurring service.
CyberPass is the operational vehicle through which Benchmarked acts as a client's legally required EU presence and ongoing compliance function. The contract is annual, the function is statutory, and the work is backed by professional indemnity insurance and senior operators in Ljubljana.
The product is structured in two layers — a transactional entry point that opens the conversation, and a recurring layer that holds the relationship.
EU Compliance Audit. A fixed-fee assessment. The wedge. It identifies the client's Article 27 exposure, EU AI Act applicability under Annex III and Article 54, and the specific items that will block their next enterprise procurement cycle. A credit applies if the client upgrades to retainer within sixty days.
| | Essential | Complete | Enterprise |
|---|---|---|---|
| Price | €1,490 / yr | €5,500 / yr | From €12,000 / yr |
| GDPR Art. 27 EU Rep | ✓ | ✓ | ✓ |
| UK GDPR Representative | — | ✓ | ✓ |
| DPO-as-a-Service | — | ✓ | ✓ |
| DSAR handling | Forward only | Full coordination | Full + 24h SLA |
| Compliance review | Annual | Quarterly | Monthly |
| AI Act Art. 22 | — | +€8,500 / system | 1 system included |
| AI Act Art. 54 | — | +€12,000 / model | 1 model included |
| Named senior operator | — | — | ✓ |
| Insurance backing | €2M / €5M | €2M / €5M | €5M / €10M |
To whom we sell
US-headquartered SaaS companies expanding into Europe, hitting walls at procurement. A specific buyer, with a specific moment, and a specific pain.
US-headquartered SaaS companies, Series A through pre-IPO, expanding into Europe. The qualifying signal is one of three walls:
- Revenue blocker. Losing EU enterprise deals because they cannot pass security questionnaires or produce GDPR / ISO 27001 documentation.
- Regulatory deadline. The EU AI Act enters full enforcement on 2 August 2026. Any US firm deploying AI in the EU faces a time-bounded statutory mandate.
- Procurement gate. EU buyers require a named DPO, an Article 27 representative, and a working EU contact address before signing.
PE operating partners running M&A diligence and post-close compliance remediation on EU-exposed portfolio companies. Smaller market (~300–500 buyers), higher ticket, longer cycles.
Who we do not sell to: EU-based companies (they do not need a representative), pre-revenue startups (no procurement pressure yet), and companies with zero EU customers (no trigger). Saying no to these is part of the positioning.
Why this works
The buyer cannot opt out of the purchase. They can only choose the provider. That is the structural advantage.
Under GDPR Article 27 and EU AI Act Articles 22 and 54, non-EU companies processing EU data or deploying AI in the EU are legally required to appoint an EU-established representative. This is not a "nice to have." It is a statutory mandate enforced by twenty-seven supervisory authorities, with fines under Article 99(4)(b) of the AI Act reaching €15 million or 3% of global turnover, whichever is higher.
| Provider | Their position | Where we win |
|---|---|---|
| VeraSafe | Premium, attorney-heavy, slow, expensive | Overkill for a Series B SaaS company; we are productized |
| DataRep | High-volume, automated, cheap (~€500–1,500) | They are a mailbox; no advisory, no GRC, no upsell path |
| Formiti / rep4.eu | Mid-tier, generic | No AI Act specialization, no operator depth |
Our wedge: we are the only operator combining (a) EU Article 27 representation, (b) UK GDPR representation, (c) DPO-as-a-Service, (d) EU AI Act Article 22 / 54 representation, and (e) a path into full GRC, fractional CISO, and ISO 27001 readiness — all under one contract, insurance-backed, with senior named operators. Competitors are either bare mailboxes or expensive law firms. We sit in the middle with productized pricing and an upsell ladder.
The 2 August 2026 EU AI Act enforcement date is a one-time market-creation event. Every US SaaS company with AI features needs an Article 22 or 54 representative by that date. The window for category leadership is roughly six to twelve months.
The service, step by step
A year in the life of a Complete-tier client — from mandate signature to renewal. This is the operational reality of the offering.
Mandate execution
Client signs a written mandate appointing Benchmarked d.o.o. as their GDPR Article 27 Representative, UK GDPR Representative, and where applicable EU AI Act Article 22 / 54 Representative. These are statutory documents — the mandate template is vetted by EU privacy counsel.
EU contact address provisioning
We assign the client a dedicated EU contact address in Ljubljana. This address goes on their privacy notice, website footer, and DPA filings. It is the address that EU regulators and data subjects use to reach them.
Article 30 records of processing
Under GDPR Article 30, every controller must maintain records of processing activities. As their representative, we hold and maintain these records on file. We onboard via a standard intake: data categories, lawful bases, retention periods, third-country transfers, sub-processors.
Privacy notice update
We provide the client the exact language to add to their privacy policy — naming Benchmarked as their EU representative, with the contact address, plus equivalent UK and AI Act language where applicable.
DPO appointment
Complete and Enterprise tiers only. We designate a named senior operator as the client's Data Protection Officer under GDPR Article 37. Their name and contact go on the privacy notice; they become the regulator's point of contact.
DSAR handling
When an EU data subject sends an access, deletion, rectification, or objection request, it lands at the EU contact address. On Essential, we forward it to the client within one business day. On Complete, we coordinate the full thirty-day response — drafting, tracking deadlines, confirming closure. GDPR mandates response within thirty days; missed deadlines are direct regulatory exposure.
DPA correspondence
If a supervisory authority (Slovenian Information Commissioner, Irish DPC, French CNIL, others) writes to the client, we receive it, triage it, and either respond directly under the DPO function or escalate to the client with a recommended response.
Breach response
If the client has a personal data breach, we coordinate the 72-hour notification to the relevant DPA under Article 33, draft the notification, and manage regulator communication.
AI Act operations
For Article 22 / 54 clients, we maintain the ten-year document retention required by the regulation, verify conformity assessments, monitor changes to the AI system that would trigger re-assessment, and act as the regulator's point of contact for AI-specific inquiries. This is more demanding than GDPR work — it is why pricing is €8,500–€25,000 per system.
Quarterly or monthly compliance review
Scheduled call with the client to review DSAR volume, flag emerging regulatory changes (new EDPB guidelines, AI Act implementation acts, NIS2 transposition), update Article 30 records, and identify upsell opportunities into ISO 27001 readiness, fractional CISO, or the GRC platform.
Renewal and upsell
Annual auto-renewal. Standard SaaS-style economics. The account manager flags adjacent needs: "You added ML features last quarter — AI Act Article 22 applies." Or: "Your next enterprise deal is asking for ISO 27001 — we have a 90-day readiness program." This is where €1,490 / yr clients become €5,500 / yr clients, and €5,500 / yr clients become €12,000+ clients.
What we need to fulfill the service
The infrastructure, people, and instruments required to operate the offering at scale. Most is built; one critical piece — insurance — must be bound before general availability.
- Mandate template, vetted by EU privacy counsel — ready
- E&O / professional indemnity insurance: €2M per claim / €5M aggregate, placed via Hiscox / Tokio Marine HCC / Markel through Slovenian broker GrECo, €4–8K / year premium. Must be bound before signing new Article 27 mandates.
- Article 27(5) joint liability — insurance covers this; mandate language must reference it
- Dedicated EU contact address in Ljubljana with secure mail handling and digital forwarding
- DSAR intake and tracking system — ticketing tool plus SOP
- Article 30 register template, per-client instance
- Breach response runbook with 72-hour notification SOP
- Standard privacy-notice insert language for clients
- AI Act-specific document retention vault — encrypted, audit-logged, ten-year retention
- Senior named DPO (you, or a designated EU-qualified person) for the DPO-as-a-Service function
- Junior operator(s) to handle DSAR forwarding, mail triage, intake — scales with client count
- EU privacy counsel on retainer for mandate edge cases and DPA escalations
- Pricing page live with three-tier structure
- "Get a quote" flow with one-business-day turnaround
- Audit one-pager as the entry SKU
- Content engine: LinkedIn articles on Article 27, AI Act, DORA — the inbound spine of this business
- Partner channels: US tech law firms (Cooley, Orrick, Fenwick, Gunderson, Wilson Sonsini) — their clients hit these walls constantly; we are their referral solution
The economics
A recurring-revenue compliance business with the economics of SaaS and the moat of regulation. Roughly 70% gross margin at the Complete tier.
At the Complete tier (€5,500 / yr) the unit economics are strong. Variable cost per client per year is roughly:
- Insurance allocation — €100
- Mail and address — €200
- DSAR labor (1–3 hours) — €300
- Quarterly review (4 × 1 hr) — €800
- Article 30 maintenance — €200
To hit €10K / month profit on CyberPass alone: roughly twenty-five to thirty Complete-tier clients, or a mix weighted toward Enterprise. Achievable in twelve months with a working content, outbound, and law-firm-referral engine.
The strategic point: this is a recurring-revenue compliance business with the economics of SaaS and the moat of regulation. The regulation creates the demand. The mandate locks in the relationship. The upsell ladder — audit → Essential → Complete → Enterprise → ISO 27001 → fractional CISO → full GRC — compounds account value over time.
Article 27 GDPR — the mandate
The legal trigger, the four duties, and the joint liability provision that gives this service commercial value.
Any controller or processor not established in the EU that offers goods or services to EU data subjects, or monitors their behavior, must in writing designate a representative established in the EU. The representative is the addressee for supervisory authorities and data subjects for all matters under the GDPR.
The representative's four duties:
- Be the point of contact for EU supervisory authorities (Slovenian IP, Irish DPC, French CNIL, others) and data subjects in all GDPR matters.
- Maintain the Article 30 record of processing activities on behalf of the client and make it available to authorities on request.
- Cooperate with supervisory authorities in any investigation or enforcement action.
- Be subject to enforcement proceedings for any infringement by the client. This is Art. 27(5) — joint liability.
Article 27(5) provides that enforcement proceedings can be initiated against the representative as if they were the controller. Fines under Article 83 reach up to €20 million or 4% of global turnover. This is why "EU mailbox" providers survive by charging €500 / year and carrying that risk with little backing. We charge €1,490 to €5,500+ because we operate the function rather than nominally hold the address.
AI Act Articles 22 & 54
Two parallel regimes for non-EU providers of high-risk AI systems and general-purpose AI models. Different triggers; same Representative requirement.
Any provider not established in the EU that places a high-risk AI system on the EU market, or puts it into service in the EU, must — prior to making the system available — appoint by written mandate an authorized representative established in the EU.
Annex III high-risk categories:
- Biometric identification and categorization
- Critical infrastructure management — water, gas, electricity, transport
- Education and vocational training — exam scoring, admissions
- Employment and worker management — CV screening, performance evaluation, termination
- Access to essential services — creditworthiness, insurance pricing, emergency triage
- Law enforcement — evidence evaluation, risk prediction
- Migration, asylum, border control
- Administration of justice and democratic processes
The realistic triggers are HR / recruiting tools, credit / insurance scoring, healthcare decision support, and education / proctoring tools. Most US SaaS is not high-risk — chatbots, content recommendation, productivity, spam filters all fall outside Annex III.
The representative's duties under Article 22:
- Verify that the EU Declaration of Conformity (Art. 47) and Technical Documentation (Art. 11) have been drawn up, and that the appropriate conformity assessment procedure has been completed.
- Keep the technical documentation, declaration of conformity, conformity assessment, and provider contact details available to authorities for ten years after the system is placed on the market.
- Provide all information and documentation necessary to demonstrate conformity to a national authority upon request, and cooperate with any investigation.
- Terminate the mandate if the provider acts contrary to AI Act obligations, and inform the relevant authority and notified body when doing so.
Article 54 is the parallel obligation for general-purpose AI model providers — foundation models, LLMs, diffusion models. Same structure, slightly different documentation: technical documentation under Article 53, model card, training data summary.
Article 99(4)(b) provides for fines on the representative up to €15 million or 3% of worldwide annual turnover, whichever is higher, for non-compliance with the representative's duties. This is direct exposure, not derivative.
What we handle, concretely
The actual work, parsed by regime: Article 27 GDPR first, then Articles 22 and 54 AI Act.
Article 27 GDPR
- Execute the written mandate appointing Benchmarked d.o.o. as Art. 27 representative
- Assign EU contact address (Ljubljana) with mail handling
- Onboard the client's Article 30 record into our register
- Provide privacy notice language naming us as representative
- Update intake with their lawful bases, data categories, sub-processors, transfer mechanisms
- Receive and triage all communications addressed to the EU representative
- Forward DSARs to client (Essential) or fully coordinate the 30-day response (Complete+)
- Receive supervisory authority correspondence and respond (DPO function on Complete+) or escalate with recommended action
- Coordinate the 72-hour breach notification under Article 33 if a breach occurs
- Maintain the Article 30 register and update it on the agreed cadence
- Annual, quarterly, or monthly compliance review depending on tier
Articles 22 and 54 AI Act
- Execute the written mandate
- Verify that the client has produced: EU Declaration of Conformity, Annex IV technical documentation, conformity assessment under Annex VI or VII, registration in the EU AI database, and post-market monitoring plan
- If documentation is missing or incomplete, we either decline the mandate or scope a remediation engagement — this is upsell territory, typically €30–80K of Qualitum conformity support
- Set up the ten-year retention vault — encrypted, audit-logged storage
- Register ourselves with the relevant national competent authority as the representative
- Maintain the document vault for ten years after the system is placed on the market
- Respond to competent authority requests for documentation
- Monitor the client for material changes to the system that would trigger re-assessment
- Maintain post-market monitoring records (provided by client; we hold them)
- Coordinate serious incident reporting under Article 73 if incidents occur
- Terminate the mandate and notify the authority if the client materially breaches their obligations
For Article 54 GPAI it is substantively the same operational pattern, applied to the model rather than a specific system.
If the client fails
You are not a substitute for the client doing the underlying work. You are the EU-facing layer over their compliance program. This must be held clearly in every conversation.
The client must still operate their own program. We operate the EU-facing legal interface. Confusing the two — in marketing, in a sales call, or in a mandate — destroys the entire offering.
Under GDPR, the client must:
- Operate their actual data protection program — privacy notices, lawful bases, retention, security controls
- Respond to the substance of any DSAR — only they have the data; we coordinate, they extract and review
- Make the substantive decision on any DPA inquiry — we draft, they approve
- Implement any required remediation
- Maintain data security under Article 32 and breach detection
- Manage their sub-processor relationships and SCCs
The consequences cascade:
- We escalate internally according to the SLA in the mandate
- After defined escalation steps fail, we terminate the mandate — the mandate explicitly permits this
- We notify the supervisory authority that we no longer represent them
- The client is now an unrepresented non-EU controller — they are in breach of Article 27 immediately, and any data subject or DPA action proceeds against them directly, without an EU contact
- They typically face an Article 83 fine and cannot legally process EU data until they appoint a new representative
Under the AI Act, the client must:
- Build and maintain the AI system to meet Articles 8–15 — risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy / robustness / cybersecurity
- Complete the conformity assessment
- Sign and publish the Declaration of Conformity
- Register the system in the EU AI database
- Operate post-market monitoring
- Report serious incidents under Article 73 within the statutory windows
- Apply CE marking
- Provide instructions for use to deployers
If they do not:
- We have a statutory duty to terminate the mandate and notify the authority — Art. 22(3)(e)
- The system is then on the EU market without a representative — directly unlawful
- Authorities can prohibit market availability, order withdrawal, and impose fines up to €15M / 3% turnover under Article 99(4)(a)
- Deployers — the client's EU customers — are required under Article 26 to stop using the system
The split — us versus them
A clean line, held in every sales conversation and every mandate. This is the deliverable map.
| Function | We do | Client does |
|---|---|---|
| EU contact address | ✓ | — |
| Mandate execution | ✓ | Signs |
| Article 30 record holding | ✓ | Provides inputs, keeps them accurate |
| DSAR receipt & triage | ✓ | Substantively responds, extracts data |
| DPA correspondence | We receive, draft, advise | They make decisions, they approve |
| Breach notification | We coordinate the filing | They detect, investigate, remediate |
| Privacy program | — | ✓ (controls, notices, lawful bases) |
| AI Act mandate | ✓ | Signs |
| AI technical documentation | We verify it exists | They create it & keep it current |
| Conformity assessment | We verify it was done | They perform it |
| 10-year document retention | ✓ (vault) | They provide updates |
| Authority requests | We respond procedurally | They provide substantive answers |
| Post-market monitoring | We hold the records | They operate the monitoring |
| Serious incident reporting | We file | They detect and investigate |
This split is enforced in the mandate and reinforced in onboarding. Every time a prospect asks "can you just handle our whole compliance program for €5K / year?" — the answer is no, and the upsell path is into Qualitum, fractional CISO, or ISO 27001 readiness, where we do run programs.
Insurance — coverage and mechanics
Professional indemnity protects us from our errors and from the joint-liability tail. It does not transfer the client's primary regulatory risk to us. Be very clear about this with sophisticated buyers.
Covered:
- Negligent performance — failure to forward a DSAR on time, failure to maintain the Article 30 record, failure to file a breach notification within 72 hours, errors in advice given to the client
- Article 27(5) joint liability — being named in enforcement proceedings for the client's GDPR infringement. The policy must explicitly include this language; standard PI does not.
- Article 99(4)(b) representative liability — being named in AI Act enforcement against the representative directly for representative-specific duties
- Defense costs — legal fees defending against a DPA action or claim. Often the largest line item.
- Breach of confidentiality by us in handling client data
Not covered:
- The client's own GDPR fines for their own infringements (Art. 83 fines against the controller)
- The client's AI Act fines for their substantive non-compliance (Art. 99(4)(a))
- Criminal acts or willful misconduct by us
- Fines that are uninsurable as a matter of public policy in the relevant jurisdiction — some EU member states limit insurability of regulatory fines
Insurance cannot be procured the same day as signing the first client. PI/E&O for a regulatory representative is an underwritten product, not an off-the-shelf SaaS purchase. The realistic timeline through GrECo (Slovenian broker) to Hiscox / Tokio Marine HCC / Markel is 4–6 weeks from start to bound policy.
Week 1 · Broker submission
Company overview, projected client count, types of clients, services, mandate template, internal SOPs.
Weeks 2–3 · Underwriter Q&A
Email exchange, sometimes a call. They are evaluating risk concentration and our operating discipline.
Weeks 3–4 · Indicative terms
Quote with limits, premium, deductible, exclusions. Negotiation window.
Weeks 4–6 · Bind & policy issuance
Documentation signed, premium paid, certificate issued.
The policy must be bound before signing the first paying client. This is not optional. Selling representative services without bound coverage is both commercially fragile (sophisticated buyers ask for the certificate) and personally exposing — you carry the joint liability without backstop. The website FAQ language about insurance "available under NDA" is a placeholder until binding completes; that line should not survive into general availability.
It is a general policy, with per-claim and aggregate limits across the entire book of business. Not per-client. Specced at:
Premium scales with declared revenue and client count, not with each individual mandate. As the book grows past ~50 clients and ~€500K revenue, expect the premium to step up — likely €12–20K at that scale.
Two mechanisms:
- Liability cap in the mandate. Every mandate caps our liability to fees paid in the prior 12 months. Standard professional services language, enforceable except where statute overrides it. Article 99 direct fines on the representative cannot be contractually waived to the regulator, but the client cannot recover them from us beyond the cap either.
- Underwriting at intake. For Article 22 high-risk AI clients we run an internal risk assessment before binding the mandate — system classification, documentation completeness, deployer footprint. We refuse mandates where the documentation is materially deficient. This is also why Article 22 / 54 has a €2,500 onboarding fee — the verification work is real.
You do not need a separate insurance underwriting per client. You do need to keep your book within the parameters declared to the underwriter — industries, geographies, system types. If you start signing GPAI systemic-risk models or biometric ID systems for law enforcement, that is a material change of risk. Call the broker and update the declaration before binding the mandate.
The sales bottom line
Everything above, distilled into the answer you give when a sophisticated buyer asks: "What am I actually getting, and what's my exposure?"
That is the entire commercial proposition in two sentences. Everything else in this encyclopedia exists to support those two sentences — to make sure the operations are real, the insurance is bound, the mandate language is clean, the split is held, and the buyer leaves the call knowing exactly what they have purchased.