Regulations
Transform complex regulations into clear operational obligations
Regulatory Overview
NIS2 Directive
Cybersecurity requirements for essential and important entities.
DORA
Operational resilience requirements for financial sector ICT providers.
EU AI Act
Governance and documentation requirements for AI systems.
Applicable Regulations — Key Articles
NIS2 Directive (Applicable)
Requires appropriate and proportionate technical, operational, and organisational measures to manage risks to network and information systems, including multi-factor authentication and encryption.
Mandates early warning within 24 hours, incident notification within 72 hours, and final report within one month for significant incidents.
Encourages voluntary cybersecurity information-sharing between entities and national authorities to improve collective resilience.
DORA (Potentially applicable)
Requires financial entities to establish a comprehensive ICT risk management framework covering identification, protection, detection, response, and recovery.
Mandates documented business continuity policies, response and recovery plans, and regular testing of ICT continuity arrangements.
Requires ongoing monitoring and oversight of third-party ICT service providers, including contractual provisions and exit strategies.
EU AI Act (Applicable)
High-risk AI systems must have a risk management system that identifies, analyses, evaluates, and mitigates risks throughout the system lifecycle.
Requires comprehensive technical documentation for high-risk AI systems covering design, development, training data, performance metrics, and monitoring.
High-risk AI systems must be designed to allow effective human oversight, including the ability to override, interrupt, or intervene in system outputs.
Regulatory Obligations
| Regulation | Article | Obligation | Evidence | Priority | Status | Owner |
|---|---|---|---|---|---|---|
| NIS2 | Art. 21 | Cybersecurity risk management | 3 linked | High | Compliant | M. Kowalski |
| NIS2 | Art. 21 | Multi-factor authentication | 2 linked | High | Compliant | T. Schmidt |
| NIS2 | Art. 23 | Incident reporting within 24h | 1 linked | Critical | Partial | M. Kowalski |
| NIS2 | Art. 23 | Incident root cause analysis | 0 linked | High | Missing | T. Schmidt |
| DORA | Art. 5 | ICT governance and organisation | 1 linked | High | Partial | M. Kowalski |
| DORA | Art. 6 | ICT risk management framework | 1 linked | High | Partial | T. Schmidt |
| DORA | Art. 11 | Business continuity planning | 2 linked | High | Compliant | J. Dreyer |
| DORA | Art. 19 | Cyber threat intelligence sharing | 0 linked | Medium | Missing | T. Schmidt |
| DORA | Art. 25 | ICT third-party testing | 1 linked | Medium | Partial | J. Dreyer |
| DORA | Art. 28 | Third-party ICT monitoring | 0 linked | High | Missing | T. Schmidt |
| AI Act | Art. 9 | AI risk management system | 0 linked | High | Missing | M. Kowalski |
| AI Act | Art. 10 | Data and data governance | 0 linked | High | Missing | T. Schmidt |
| AI Act | Art. 11 | Technical documentation | 1 linked | High | Partial | J. Dreyer |
| AI Act | Art. 13 | Transparency obligations | 2 linked | Medium | Compliant | L. Dubois |
| AI Act | Art. 14 | Human oversight requirements | 0 linked | High | Missing | M. Kowalski |
| AI Act | Art. 52 | Transparency for AI interaction | 1 linked | Medium | Partial | L. Dubois |
Regulatory Insights
Summary: Your organisation is actively tracking 3 EU regulations with 16 mapped obligations. 5 obligations are fully compliant, 4 are partially addressed, and 7 require immediate action — primarily in AI governance (AI Act Art. 9, 10, 14) and vendor risk management (DORA Art. 28). The highest priority gaps are incident reporting (NIS2 Art. 23) and third-party ICT monitoring (DORA Art. 28).