Flowtriq EU Compliance Frameworks | ePrivacy, DORA, CRA, AI Act, BDSG, ISO 27001

EU & DACH Frameworks

ePrivacy · DORA · Cyber Resilience Act · EU AI Act · BDSG · nDSG · ISO 27001 · April 2026

ePrivacy Directive (2002/58/EC)

The ePrivacy Directive (implemented in EU member states as national law, e.g., Germany's TTDSG, France's CNIL guidelines) requires prior informed consent before any non-essential cookies or tracking technologies are placed on a user's device. It applies in addition to GDPR.

What applies to flowtriq.com

  • Analytics cookies (Google Analytics 4): Non-essential. Require opt-in consent before firing. Currently load on all page visits.
  • Advertising tags (Google Ads, LinkedIn Insight Tag): Non-essential. Require opt-in consent. Currently load on all page visits.
  • Experience analytics (ContentSquare): Non-essential. Requires consent under strict interpretations (Germany, France).
  • Sales intelligence (Apollo.io): Non-essential. Requires consent in most EU member state implementations.
  • Live chat (Tawk.to): Functional support tool. Activates when a visitor initiates a chat session.
  • Strictly necessary: Session cookies, Cloudflare Turnstile (bot protection for form submissions) — no consent required.

All other tracking technologies on flowtriq.com operate under Flowtriq's consent framework. For questions about cookie usage, contact [email protected].

ePrivacy Regulation

The proposed ePrivacy Regulation (ePR) will replace the Directive with a directly applicable EU Regulation. As of April 2026, the ePR is still in trilogue. When enacted, it will introduce stricter requirements for tracking in messaging apps and may affect notification channel handling. We will update this page when the ePR is finalised.

DORA: Digital Operational Resilience Act (EU 2022/2554)

DORA entered application on 17 January 2025. It applies to financial entities in the EU (banks, investment firms, insurance companies, crypto-asset service providers, payment institutions, etc.) and their ICT third-party providers (ITPPs). DORA does not apply directly to Flowtriq as a company, but Flowtriq customers in the financial sector are subject to it and may require specific contractual provisions.

How Flowtriq supports DORA-covered customers

  • Art. 17, ICT-related incident management: Sub-second DDoS detection with automated incident classification, severity assignment, timeline recording, and multi-channel alerting. The audit log provides complete incident lifecycle evidence.
  • Art. 18, Classification of ICT-related incidents and cyber threats: Incident severity levels (low/medium/high/critical) with automated classification across seven attack families. Confidence scoring supports proportionality assessments for DORA reporting thresholds.
  • Art. 19, Major incident reporting to competent authorities: Incident reports exportable as JSON/CSV with detection timestamp, attack type, duration, peak impact, and mitigation actions. Meets DORA's required incident notification content fields.
  • Art. 24, Testing of ICT tools and systems: Flowtriq's forensic evidence (PCAPs, timeline, audit log) supports post-incident digital operational resilience testing documentation.
  • Art. 28–30, ICT third-party risk management and contractual requirements: Flowtriq's DPA includes data processor obligations, security measures, audit rights, sub-processor management, and breach notification requirements aligned with DORA's contractual minimum provisions.

Financial sector customers: If you are a DORA-covered entity using Flowtriq as an ICT third-party provider, contact [email protected] to obtain a DORA-specific contract addendum and to request Flowtriq's ICT security policy documentation.

CRA: Cyber Resilience Act (EU 2024/2847)

The Cyber Resilience Act entered into force on 10 December 2024, with most obligations applicable from 11 December 2027. It imposes security requirements on manufacturers and developers of products with digital elements (PDEs) sold in the EU, including software. Open-source software made available for commercial purpose is within scope under certain conditions.

Flowtriq products and CRA scope

  • ftagent (proprietary), CRA status: assessment in progress. Proprietary agent distributed to paying customers. Likely classified as a default PDE (not critical). Security update obligations apply.
  • ftagent-lite (open source, MIT), CRA status: assessment needed. Open source standalone network monitor. CRA Art. 3(18) exempts open-source software that is "not placed on the market in the course of commercial activity." Whether ftagent-lite qualifies for this exemption depends on whether it is commercially monetised or used in Flowtriq's commercial products.
  • Terraform Provider (open source), CRA status: assessment needed. Infrastructure-as-code provider. The same open-source commercial activity analysis applies.

CRA requirements relevant to Flowtriq

  • Security by design: Products must be designed to minimise attack surfaces, default to secure configurations, and prevent unauthorised access. Flowtriq's agent communicates exclusively over TLS with API key authentication.
  • Vulnerability handling: Manufacturers must address vulnerabilities without delay and provide security updates for at least 5 years (or the product's expected lifetime). A vulnerability disclosure policy is in development.
  • SBOM (Software Bill of Materials): CRA requires a machine-readable SBOM for products within scope. We are evaluating tooling for automated SBOM generation from our build pipeline.
  • Incident reporting: Actively exploited vulnerabilities must be reported to ENISA within 24 hours of awareness.

AI Act: EU Artificial Intelligence Act (EU 2024/1689)

The EU AI Act entered into force on 1 August 2024 with a phased compliance schedule. It classifies AI systems by risk level and imposes obligations accordingly. Flowtriq uses AI for one specific feature.

Flowtriq's AI use

Flowtriq generates AI-powered incident summaries: plain-language explanations of detected DDoS attacks, including attack type, estimated impact, source analysis, and mitigation actions taken. These summaries assist operations teams in understanding incidents quickly.

AI Act classification

  • AI-generated incident summaries, risk classification: minimal risk. AI summaries are informational and do not make autonomous decisions with legal or significant individual impact. The AI Act's transparency obligation (Art. 50) requires disclosure that content is AI-generated. Flowtriq plans to add a brief disclosure label to all AI-generated summaries.

Planned: All AI-generated incident summaries will include a visible disclosure label ("This summary was generated by AI and may contain inaccuracies. Review the underlying incident data for authoritative details.") to comply with AI Act Art. 50 transparency requirements.

BDSG: German Federal Data Protection Act

Germany's Bundesdatenschutzgesetz (BDSG 2018, amended 2021) supplements GDPR with additional national rules. Key areas relevant to Flowtriq customers in Germany:

  • Employee data (BDSG §26): Processing employee personal data for employment purposes requires a specific legal basis. If Flowtriq is used to monitor employee-operated infrastructure, consider whether §26 applies to audit log data containing employee IP addresses or actions.
  • Data Protection Officer (DPO, BDSG §38): German organisations with 20+ employees regularly involved in automated personal data processing must appoint a DPO. Flowtriq's audit log processing may trigger this threshold for its German customers.
  • Works Council co-determination (BetrVG §87): If Flowtriq is deployed in a German workplace, the works council may have co-determination rights over technical monitoring systems. IT monitoring tools may require works council agreement in Germany.
  • TTDSG (Telecommunications and Telemedia Data Protection Act): Germany's national ePrivacy implementation. Stricter than many EU member states; requires opt-in consent for all non-essential cookies and tracking technologies, including analytics.

German enterprise customers: If you require a BDSG-specific data processing addendum or documentation to support your works council review, contact [email protected].

nDSG: Swiss New Federal Act on Data Protection (nDSG / revDSG)

Switzerland's revised Federal Act on Data Protection (nDSG, Revision of the DSG) entered into force on 1 September 2023. Switzerland is not an EU member state, but its law is closely aligned with GDPR.

Key nDSG provisions for Flowtriq

  • Cross-border transfers. Requirement: data transfers to countries without adequate protection require SCCs or other safeguards. Flowtriq position: Switzerland has its own adequacy list. Transfers to Canada (Flowtriq's home country) are adequate. Transfers to US processors require Swiss SCCs, which differ slightly from EU SCCs. Flowtriq uses EU SCCs; Swiss-specific SCCs (or Swiss addenda) may be needed for Swiss customer contracts.
  • Privacy notices. Requirement: data subjects must be informed of the identity of the controller, purposes, and categories of recipients. Flowtriq position: Flowtriq's Privacy Policy covers these requirements. A Swiss-specific notice referencing the Federal Data Protection and Information Commissioner (FDPIC) is recommended.
  • Data breach notification. Requirement: report to the FDPIC "as soon as possible" when a breach is likely to result in high risk. Flowtriq position: Flowtriq's breach notification procedures (48-hour customer notification, FDPIC notification where applicable) are compatible.
  • Profiling with high risk. Requirement: high-risk profiling requires explicit consent or another sufficient basis. Flowtriq position: Flowtriq does not perform profiling of natural persons in its core platform. Network behaviour analysis targets IP addresses and traffic patterns, not individuals.

ISO/IEC 27001:2022 — Information Security Management

ISO/IEC 27001:2022 is the most widely recognised information security management standard globally. Flowtriq has implemented a substantial subset of ISO 27001 Annex A controls as part of its engineering and operational practices, providing a strong security foundation for EU and DACH enterprise customers.

Controls alignment

Flowtriq's controls alignment across key ISO 27001 Annex A domains:

  • A.5 — Organisational controls (partial): Information security policy, roles, and responsibilities exist. Formal ISMS scope statement and risk register not yet formalised.
  • A.6 — People controls (partial): Employment screening and offboarding processes in place. Formal security awareness training programme in development.
  • A.8 — Technological controls (strong): RBAC, MFA, tamper-evident audit logging, TLS, secure session management, CSP/security headers, bcrypt password hashing, API keys stored as one-way hashes, HMAC-SHA256 webhook signing.
  • A.8.16 — Monitoring activities (strong): Flowtriq's own platform provides real-time network monitoring and incident detection for Flowtriq's infrastructure.
  • A.5.30 — ICT readiness for business continuity (implemented): 99.9% uptime SLA. Cloudflare redundancy. Status page at flowtriq.com/status.
  • A.5.23 — Information security for use of cloud services (partial): Sub-processor list published. SCC programme in progress.

Security controls documentation: If ISO 27001 alignment documentation is a procurement requirement for your organisation, contact [email protected] for our full security controls documentation.

Text & Data Mining Reservation (EU DSM Directive 2019/790)

Flowtriq has asserted a Text and Data Mining (TDM) reservation under Article 4 of the EU Digital Single Market Directive (2019/790) by setting a TDM-Reservation: 1 HTTP header on all pages. This notifies automated crawlers and AI training systems that the use of Flowtriq's published content for text and data mining purposes requires explicit authorisation. For TDM licensing inquiries, contact [email protected].