A small Swedish company building tools the EU regulatory stack actually needs

Who we are

Normiq is built and operated by Abiton Ventures AB, a privately-owned Swedish company (organisation number 559576-3797) registered in Sweden. We are a small, focused team — no investor pressure to grow at the wrong pace, no obligation to bolt on features that don't earn their place.

What we believe

The next decade of European business is going to live and die by its ability to comply with the regulations the EU is shipping faster than at any point in its history. The EU AI Act, the Cyber Resilience Act, NIS2, DORA, the Data Act, CSRD, the Product Liability Directive — and that's just the start. Small and medium businesses cannot keep up with this by hiring a compliance lawyer for every new regulation. They need software that does the preparatory work so that human judgement is reserved for the calls that actually need it.

That is the gap Normiq exists to close.

Why "EU-sovereign" matters to us

We are not "EU-region of a US company." Every piece of customer data we touch stays in European jurisdiction, behind European law, on European-headquartered infrastructure. Our authentication runs on Zitadel (Switzerland — EU adequacy). Our databases are on UpCloud (Finland). Our compute is on Hetzner (Germany / Finland). Our AI models are Mistral (France). Our analytics are Plausible (Estonia, hosted on Hetzner Germany).

This isn't marketing. It's an architectural choice with consequences: if the United States CLOUD Act or FISA 702 ever requires a US-headquartered cloud provider to hand over European customer data, we cannot be compelled. Our customers' AI compliance work cannot leave the European Union.

How we work with AI

Normiq itself uses AI — that is the whole point of the product. But we use it the way the EU AI Act asks everyone to: the AI prepares, a named human decides. Every classification, every risk assessment, every dossier is a draft until a person in your organisation explicitly accepts it. The accepting user is recorded with a timestamp. That is the legally relevant act.

Under Article 6(3)(d) of the EU AI Act, an AI system performing a preparatory task to an Annex III assessment is not itself high-risk. Normiq is built exactly to fit that carve-out. The substantive determination is always yours.

Our principles

• Honest gaps over false confidence. When the AI is uncertain, we surface the uncertainty. Information gaps in a classification are a feature — every gap with a reviewer note reads as due diligence; every gap without one reads as oversight.
• No vendor lock-in. Every customer can export their complete compliance record at any time, in open formats (JSON + JSON Schema + PDF/A-1b), with a self-service endpoint. Switching cost should be hours, not weeks.
• Documents, not vibes. An audit trail without a document is a story. Normiq produces documents — timestamped, attributed, archival-quality.
• Plain language. The team accepting a risk classification is rarely a lawyer. The interface is built for product managers, founders, and operations leads. Where the regulation uses jargon, we translate it.

Where we are based

Registered in Sweden. Hosted in Europe. The team works remotely across the Nordic region. Postal address and registered office are available on request from support@normiq.eu.

Get in touch

• General: support@normiq.eu
• Privacy / data protection: privacy@normiq.eu
• Security disclosures: security@normiq.eu
• The company: abitonventures.com