London-based · EU-focused · EMEA Delivery · DORA · NIS2 · EU AI Act · ISO 42001
Regulatory Intelligence

Live Regulatory Landscape

Comprehensive monitoring of EU, UK, Ireland, USA, and international cybersecurity, AI, and data protection enforcement - mapped to institutional doctrine response.


🇪🇺 European Union — Cyber, AI & Data Protection


EU cyber and digital regulation operates as a single horizontal stack. DORA, NIS2 and the Cyber Resilience Act form the security core; GDPR, DSA, DMA and the EU AI Act extend into data, market, and AI accountability. Enforcement is layered: national Competent Authorities (with ENISA support and coordination through the NIS Cooperation Group), the ESAs for finance, and the EU AI Office for general-purpose AI models.

EU Cybersecurity Regulations

Regulation Status Key Deadline Scope & Key Requirements Enforcement Authority Doctrine Response
DORA
EU 2022/2554
In Force 17 Jan 2025 — Active enforcement. Register of Information submitted Q1 2026; on-site ICT risk inspections underway; first compulsion payments issued. Only 50% of entities reached full compliance by end-2025 (Deloitte). Financial sector ICT resilience. Firms must withstand, respond to, and recover from ICT disruptions: ICT risk management framework, ICT third-party risk management (contractual requirements and register of information), and digital operational resilience testing (threat-led penetration testing for larger firms). Major ICT-related incidents: initial notification within 4 hours of classification as major and no later than 24 hours from awareness, intermediate report within 72 hours, final report within one month. National financial supervisors (e.g. Central Bank of Ireland, BaFin); EBA / EIOPA / ESMA coordinate and directly oversee critical ICT third-party providers Evidence Chain Model™ + Recoverability Mandate™
NIS2 Directive
EU 2022/2555
Transposition 17 Oct 2024 — 14 of 27 EU member states now transposed as of Apr 2026; 13 states still subject to EC infringement proceedings. EC proposed targeted NIS2 amendments 20 Jan 2026 to simplify compliance for 28,700 companies including 6,200 SMEs; EU Digital Omnibus trilogue 28 Apr 2026 expected to formalise extensions. First administrative penalties issued Q1 2026; first audits due 30 Jun 2026. Fines up to €10M or 2% global turnover for essential entities, €7M or 1.4% for important entities (Skadden/EC, Apr 2026). Replaces NIS1. Mandatory cybersecurity requirements for essential sectors (energy, health, finance, transport) and digital services. Art. 21 sets minimum risk-management measures including supply-chain security, incident handling, business continuity and MFA/cryptography; Art. 23 sets incident reporting (24h early warning, 72h notification, final report within one month). Art. 20 requires management bodies to approve and oversee the measures and allows them to be held personally liable for infringements. National CAs + ENISA Decision Rights Architecture™ + Board-Survivable Cyber Architecture™
EU AI Act
EU 2024/1689
Phased Rollout 2 Aug 2026 — Most remaining provisions apply. EU Digital Omnibus proposes extending stand-alone high-risk AI systems to Dec 2027, embedded systems to Aug 2028. AI sandboxes due by Aug 2026 (may be delayed to Dec 2027). Watermarking deadline may shift to Feb 2027. Council agreed streamlining position Mar 2026; political trilogue scheduled 28 Apr 2026 — agreement expected before European Parliament recess (Addleshaw Goddard/A&O Shearman, Apr 2026). Risk-based AI classification: Prohibited (social scoring, cognitive manipulation), High-Risk (critical infrastructure, employment, law enforcement), Limited Risk (transparency rules for chatbots/deepfakes), Minimal Risk. GPAI models must comply with transparency and copyright obligations. Penalties are tiered: up to €35M or 7% of global annual turnover for prohibited practices, up to €15M or 3% for other obligations (including high-risk and GPAI requirements), up to €7.5M or 1% for supplying incorrect information to authorities. National Market Surveillance + EU AI Office AI Accountability Stack™
Cyber Resilience Act
EU 2024/2847
Phased Rollout 11 Sep 2026 — Vulnerability reporting obligations begin; 11 Dec 2027 — Full application Manufacturers of products with digital elements must meet essential cybersecurity requirements throughout the product lifecycle. Mandates "security by design," security updates for a support period of at least five years (automatic by default where applicable), and vulnerability handling obligations. From 11 Sep 2026, actively exploited vulnerabilities and severe incidents must be reported via ENISA's single reporting platform: early warning within 24 hours, notification within 72 hours, final report within 14 days of a corrective measure being available. Chapter IV (notification of conformity assessment bodies) applies from 11 Jun 2026. Commission first standardisation deliverables expected Q3 2026. Non-compliant products face fines up to €15M or 2.5% global turnover for breaches of essential requirements across all 27 member states from Dec 2027 (Hogan Lovells/Keysight, Apr 2026). National Market Surveillance Authorities Evidence Chain Model™ + Contract Control Matrix™
EU Cybersecurity Act
EU 2019/881 + 2026 Revision
Revision Proposed 20 Jan 2026 — COM(2026)11 published; EDPB-EDPS Joint Opinion 4/2026 (Apr 2026) supports proposal while raising data-protection concerns; in EU legislative procedure — trilogue political agreement targeted early 2027 Strengthened ENISA and established EU-wide ICT certification framework. COM(2026)11 published 20 Jan 2026: adds managed security services to certification, significantly expands ENISA's operational support role (€341M budget 2028–2034), and addresses ICT supply-chain security as a strategic risk. ENISA + National Certification Authorities Evidence Chain Model™
Cyber Solidarity Act
EU 2025
Implementation In force 4 Feb 2025 — €36M Cybersecurity Reserve launched; cross-border SOC hubs deploying Establishes EU-wide Security Operations Centre network (European Cybersecurity Alert System) for active threat detection. Creates Cyber Emergency Mechanism and €36M Cybersecurity Reserve for cross-border incident response. The ENISA single reporting platform (established under CRA Art. 16) is due to launch for the CRA's 11 Sep 2026 vulnerability reporting start. ENISA + National SOCs Recoverability Mandate™
eIDAS2
EU Digital Identity Regulation
Implementation Dec 2026 — All 27 Member States must provide EU Digital Identity Wallets Provides secure, trustworthy digital identity solutions across Europe. Member states must offer EU Digital Identity Wallets to all citizens and residents. Pilot programmes expanding; technical specifications and implementing regulations finalised. National Supervisory Bodies Decision Rights Architecture™
ISO 42001 Published Certification available now International standard for AI management systems. Provides framework for establishing, implementing, and improving AI governance within organisations. Accredited Certification Bodies AI Accountability Stack™ (aligned)

EU Data Protection & Digital Markets

Regulation Status Key Requirements Enforcement Authority Doctrine Response
GDPR
EU 2016/679
In Force Data protection by design and by default. 72-hour breach notification to the supervisory authority. DPIAs mandatory for high-risk processing. Cross-border transfer safeguards (SCCs, adequacy decisions). Fines up to €20M or 4% of global turnover. Total EU enforcement exceeds €7.1B; Irish DPC has issued €4.04B. 2026 Coordinated Enforcement Framework focuses on transparency obligations. National DPAs (e.g. CNIL, DPC, BfDI) coordinated through the EDPB Evidence Chain Model™ + Board-Survivable Cyber Architecture™
ePrivacy Directive
2002/58/EC
In Force Regulates cookies, electronic marketing, email spam, and privacy of electronic communications. The proposed ePrivacy Regulation intended to replace it was withdrawn by the Commission in 2025; the Directive (as amended in 2009) remains the applicable law. National DPAs Contract Control Matrix™
Digital Markets Act
DMA
In Force Designates gatekeepers (Meta, Alphabet, Apple, etc.) — mandates interoperability, prohibits self-preferencing, prevents combining user data across services without consent. European Commission (DG COMP) Decision Rights Architecture™
Digital Services Act
DSA
In Force Strict risk assessment and independent audits for VLOPs (45M+ EU users). Faster removal of illegal content. Algorithmic transparency obligations. European Commission + National Digital Services Coordinators AI Accountability Stack™
EU Digital Omnibus Package
COM(2025) Nov 2025 — Simplification Reform
Proposed Proposed by EC 19 Nov 2025; in trilogue (Council agreed streamlining position Mar 2026; political trilogue scheduled 28 Apr 2026). Proposes targeted GDPR amendments for harmonisation and compliance simplification; extends AI Act high-risk system deadlines by up to 16 months (stand-alone systems to Dec 2027, embedded to Aug 2028); introduces single notification portal for data breach reporting across multiple regimes. Affects ~28,700 companies including 6,200 SMEs (EC / digital-strategy.ec.europa.eu, Nov 2025). European Commission + European Parliament + Council Evidence Chain Model™ + AI Accountability Stack™

🇬🇧 United Kingdom — Post-Brexit Regulatory Stack


The UK has shifted from "EU-lite" to a distinct "pro-innovation" regulatory environment — sector regulators (ICO, FCA, Ofcom, NCSC) apply principles within their own domains rather than a single horizontal AI Act. UK Data Adequacy with the EU was renewed in December 2025 through 2031, preserving cross-border data flows.

UK Cybersecurity & Data Protection

Regulation Status Key Requirements Enforcement Authority Doctrine Response
UK FCA PS21/3
Operational Resilience
In Force Financial firms must identify important business services, set impact tolerances, and test ability to remain within tolerances under severe-but-plausible scenarios. Full compliance 31 Mar 2025. FCA / PRA Recoverability Mandate™ + Decision Rights Architecture™
UK GDPR + DPA 2018 In Force Appropriate technical and organisational security measures. 72-hour breach reporting to ICO. DPA 2018 supplements UK GDPR for law enforcement and intelligence processing. ICO Evidence Chain Model™ + Board-Survivable Cyber Architecture™
NIS Regulations 2018 In Force Operators of essential services (energy, health, transport) and digital service providers must implement robust security measures and report incidents. Sector-specific CAs (Ofcom, Ofgem, ICO) Recoverability Mandate™
NCSC CAF
Cyber Assessment Framework
In Force UK national framework for assessing cyber security of operators of essential services and critical national infrastructure. Four objectives: Managing Security Risk (A), Protecting Against Cyber Attack (B), Detecting Cyber Security Events (C), Minimising Impact of Incidents (D). 14 security principles assessed via NCSC-led or sector CA-led assessments. NCSC / Sector CAs (Ofgem, Ofcom, CAA, NHSE) Decision Rights Architecture™ + Board-Survivable Cyber Architecture™
GovAssure
UK Government Cyber Assurance Scheme
In Force Cabinet Office cross-government cyber assurance programme requiring all UK government departments and arm's-length bodies (ALBs) to complete an annual self-assessment against the NCSC Cyber Assessment Framework (CAF). Departments score across all 14 CAF security principles; results reported to Cabinet Office. GovAssure replaces legacy HMG Security Policy Framework cyber elements and aligns with the National Cyber Strategy 2022–2030. From 2024, outcomes feed into HM Treasury-level departmental risk ratings and inform cross-government security investment decisions. Cabinet Office / NCSC Board-Survivable Cyber Architecture™ + Decision Rights Architecture™
ECAF
Electricity Cyber Assessment Framework (Ofgem)
In Force Ofgem-enforced cyber assessment framework for UK electricity sector operators of essential services — generation, transmission, distribution, and supply licensees. Applies CAF 14 security principles to IT/OT convergence environments. Profile-based assessment: Ofgem issues improvement plans where gaps are identified. Non-compliance reportable under NIS Regulations 2018. Ofgem Control Collapse Model™ + Recoverability Mandate™
Cyber Security & Resilience Bill
2025
In Progress Expands NIS Regulations scope to more digital services and supply chains. Tightens incident reporting rules. Increases fines and enhances regulator enforcement powers. Introduced 12 Nov 2025 (House of Commons); completed committee stage; now at report stage. DSIT published Policy Statement of Intent 1 Apr 2026, incorporating lessons from EU NIS2 and international partner consultations. Bill updated 14 Apr 2026 (parliament.uk). Expected to receive Royal Assent in 2026 (Commons Library, Apr 2026; DSIT Policy Statement, 1 Apr 2026). DSIT / Sector CAs Decision Rights Architecture™ + Recoverability Mandate™
Product Security Act 2022
PSTI Act
In Force Security requirements for consumer-connectable products — bans default passwords, mandates vulnerability disclosure, requires minimum security update periods. Non-compliance: fines up to £10M or 4% global turnover, plus £20,000/day for ongoing contraventions (OPSS, 2024). OPSS Contract Control Matrix™
Telecoms Security Act 2021 In Force Stricter security duties on public telecom providers. Supply chain security requirements for network equipment and services. Ofcom Contract Control Matrix™
Computer Misuse Act 1990 In Force Criminal offences for unauthorised access to computer material (s.1), unauthorised access with intent to commit further offences (s.2), unauthorised acts with intent to impair the operation of a computer (s.3), unauthorised acts causing or risking serious damage (s.3ZA), and making, supplying or obtaining articles for use in computer misuse (s.3A). CPS / NCA Board-Survivable Cyber Architecture™
Data (Use and Access) Act 2025 Phased Commencement Royal Assent 19 Jun 2025. Provisions being brought into force through a series of commencement SIs: No. 5 (SI 2026/31) — intimate image offences, 6 Feb 2026; No. 6 (SI 2026/82) — data protection and privacy provisions (Part 5), 5 Feb 2026; No. 8 (SI 2026/317) — further provisions, 31 Mar 2026. Reforms data protection to simplify compliance for research and AI; clarifies international transfer mechanisms post-Brexit (legislation.gov.uk, SIs 2026/31, 2026/82, 2026/317). ICO AI Accountability Stack™
AI Regulation Bill 2025
Private Members' Bill
Proposed Bill [HL] completed all House of Lords stages (1st reading to 3rd reading); now in House of Commons (2026) for initial stages. Proposes central AI Authority with mandatory registration and reporting for high-risk AI models. Government maintains voluntary sector-led approach; enactment not guaranteed (bills.parliament.uk/bills/3942). Proposed AI Authority AI Accountability Stack™

🇬🇧 UK Digital & AI Regulation Matrix (2026)

The UK has shifted from "EU-lite" to a distinct "pro-innovation" regulatory environment — avoiding one-size-fits-all legislation in favour of giving specific powers to existing sector regulators. Despite 2026 reforms, the UK maintains Data Adequacy with the EU (renewed December 2025 until 2031), allowing cross-border data flows without additional safeguards.

Regulatory Area Primary UK Legislation Lead Regulator 2026 Status & Key Requirements Doctrine Response
Data Protection Data (Use and Access) Act 2025 (DUAA) ICO Phased commencement. Streamlines UK GDPR; allows "opt-out" for low-risk analytics cookies and provides broader consent for scientific research. Evidence Chain Model™
Artificial Intelligence Sectoral Principles (Non-statutory) Distributed (ICO, FCA, CMA) Active. No single "AI Act." Regulators apply five principles (Safety, Fairness, Transparency, Accountability, Contestability) within their own industries. AI Accountability Stack™
Cybersecurity Cyber Security & Resilience Bill DSIT / Sector CAs In progress (Bill before Parliament; Royal Assent expected 2026). Extends the NIS Regulations 2018 to include data centres and Managed Service Providers. Proposed 24-hour initial incident notification with a fuller report within 72 hours. Recoverability Mandate™ + Decision Rights Architecture™
IoT / Smart Tech PSTI Act 2022 OPSS Strict Enforcement. Bans universal default passwords. Mandatory "Security Update" period labels on consumer products. Contract Control Matrix™
Online Safety Online Safety Act 2023 Ofcom Active enforcement. CSEA reporting duty in force 7 Apr 2026. Ofcom orders 40+ services to revise risk assessments. 77 of top 100 pornography services now have age assurance. Categorisation register delayed to Jul 2026. Technology notices guidance due Apr 2026. Decision Rights Architecture™
Digital Markets DMCC Act 2024 CMA (DMU) Active. Targets "Strategic Market Status" firms to prevent anti-competitive behaviour in mobile ecosystems and search. Contract Control Matrix™

UK vs Ireland/EU — Critical Regulatory Differences (2026)

Feature United Kingdom (2026) Ireland / EU (2026)
AI Oversight Sector-led: No new laws; existing regulators (FCA, ICO) adapt principles to their domains. Centralised: The EU AI Act provides a single, horizontal law for all sectors.
Cookie Consent Less Strict: Moving toward "Opt-out" for non-intrusive tracking. Strict: "Reject All" buttons must be as prominent as "Accept All."
Cyber Liability Supply Chain Focus: Targets providers like data centres and IT managed services. Board Liability: Personal legal liability for CEOs/Boards under NIS2 Art. 20.
Automated Decisions Flexible: Broadens "lawful bases" for AI-driven decision making. Restricted: Users have a strong "Right to Explanation" and human intervention.
Data Adequacy Maintained & Renewed: Adequacy renewed December 2025 until 2031 — data flows from Dublin to London without extra paperwork. Standard: GDPR adequacy decisions and SCCs govern cross-border transfers.
April 2026

PSTI Enforcement

Manufacturers, importers and distributors face fines of up to £10M or 4% of global turnover (plus £20,000/day for continuing contraventions) if selling consumer-connectable devices with universal default passwords or without security update period information.

May 2026

Online Safety — Hash Matching

Ofcom's final codes take effect, requiring platforms to proactively block non-consensual intimate imagery.

August 2026

AI Safety Institute Testing

UK AI Security Institute (renamed from AI Safety Institute in Feb 2025) pre-deployment testing of "frontier" AI models developed or significantly deployed within the UK. Testing remains voluntary under the government's sector-led approach unless the AI Regulation Bill is enacted.

🇮🇪 Ireland — EU "One-Stop-Shop" Jurisdiction


Ireland's regulatory environment has transitioned from high-level EU directives to specific, enforceable Irish statutes. Ireland holds a unique "Single Point of Contact" role for many multinational tech firms — Irish regulators often act as lead enforcer for the entire EU under the "One-Stop-Shop" mechanism.

🇮🇪 Ireland Digital Regulation Matrix (2026)

Regulatory Area Key Irish Legislation Primary Oversight Body 2026 Status & Key Focus Doctrine Response
Data Protection Data Protection Act 2018 (Revised 2026) Data Protection Commission (DPC) Active. Enhanced focus on "Dark Patterns" in UI/UX and mandatory "Right to be Forgotten" for children's data. Evidence Chain Model™ + Board-Survivable Cyber Architecture™
Cybersecurity National Cyber Security Bill 2024/26 National Cyber Security Centre (NCSC) Pre-enactment (NIS2). National Cyber Security Bill at advanced legislative stage — included as "priority" legislation in Government Programme Autumn 2025. NCSC expects enactment by end of 2026; introduces self-registration requirement (tentative July 2026 launch; 3-month window for entities to register). Places the NCSC on a statutory footing; introduces personal liability for Board members regarding cyber negligence. EC formal notice issued for failure to transpose by Oct 2024 deadline; referral to CJEU remains possible (Bird & Bird/NCSC/Enactia, Apr 2026). Decision Rights Architecture™ + Board-Survivable Cyber Architecture™
Artificial Intelligence Regulation of AI Bill 2026 AI Office of Ireland (Oifig IS) Transitional (targeting 1 Aug 2026 statutory establishment). General Scheme of AI Bill 2026 published Feb 2026; Oifig IS currently operating on an administrative basis coordinating AI Act enforcement across existing sector regulators (Central Bank, DPC, etc.). AI Accountability Stack™
Data Sharing / IoT Data Bill 2025/26 CCPC & ComReg Implementation. Transposes the EU Data Act; ensures users can access and move data generated by connected devices (IoT). Contract Control Matrix™
Online Safety Online Safety & Media Regulation Act Coimisiún na Meán Active. Governs harmful content on social media and video platforms; can issue fines up to €20m or 10% of turnover. Decision Rights Architecture™
Digital Services Digital Services Act 2024 (Revised 2026) Coimisiún na Meán Active. Regulates online marketplaces and intermediaries to prevent illegal content and ensure transparency in advertising. AI Accountability Stack™
Critical Threshold

Cyber Incident: 24 Hours

Under the 2026 Cyber Security Bill (NIS2), "Essential" and "Important" entities must provide an early warning to the NCSC within 24 hours of a significant incident.

Critical Threshold

AI Fines: Up to €35m / 7%

The AI Bill introduces penalties up to €35m or 7% of global turnover for prohibited AI practices. Dual-supervision applies when AI processes personal data (DPC + AI Office).

Critical Threshold

AI High-Risk Registry

Providers of high-risk AI systems (recruitment, credit scoring) must register in the National AI Register managed by Oifig IS before deployment.

🇺🇸 United States — Federal, Sector & State Layers


The US operates a multi-layered regulatory stack: federal cyber rules (CIRCIA, CMMC, SEC, HIPAA), sector regulators (FTC, HHS OCR, NYDFS, TSA, CISA), and an expanding patchwork of state AI and privacy laws. EO 14179 (Jan 2025) rescinded the Biden AI EO and shifted federal AI policy toward deregulation, but state-level AI statutes (Colorado, Texas, California) and sector rules remain in force.

🇺🇸 US Cybersecurity, Healthcare & AI Regulation Matrix (2026)

UK and EU firms with US operations, US-person data, or federal contracts are typically in scope.

Regulation Status Key Requirements Enforcement Authority Doctrine Response
SEC Cyber Rules
US — Global Impact
In Force Material cyber incident disclosure within 4 business days. Annual reporting of cyber risk management, strategy, and governance. Board-level oversight requirements. SEC / DOJ Board-Survivable Cyber Architecture™
US Data Security Rule
28 CFR Part 202 — Global Impact
In Force Implements Executive Order 14117. Prohibits and restricts US persons from engaging in covered data transactions that give "countries of concern" (China, Russia, Iran, North Korea, Cuba, Venezuela) or covered persons access to bulk US sensitive personal data (genomic, biometric, health, geolocation, financial, personal identifiers) and US government-related data. Effective 8 Apr 2025; full compliance (due diligence, audit, reporting) required from 6 Oct 2025. Extraterritorial reach — UK/EU firms with US operations or US-person data in scope. Civil penalties up to ~$377K per violation or 2× transaction value; criminal penalties up to $1M and 20 years imprisonment (DOJ NSD, 2025). DOJ National Security Division Contract Control Matrix™ + Evidence Chain Model™
HIPAA Security Rule
45 CFR Part 164 subpart C
In Force Covered entities and business associates must implement administrative, physical, and technical safeguards for ePHI. Risk analysis, access controls, audit logs, encryption "where reasonable and appropriate." Breaches affecting 500+ individuals reportable to HHS OCR within 60 days. Civil penalties up to $2.13M per violation category per year (2025 adjusted). HHS Office for Civil Rights (OCR) Evidence Chain Model™ + Board-Survivable Cyber Architecture™
HIPAA Security Rule NPRM
Proposed Amendment 2025
Proposed HHS OCR Notice of Proposed Rulemaking published 6 Jan 2025. Removes "addressable" vs "required" distinction — all implementation specifications become mandatory. Adds explicit MFA, encryption (at-rest and in-transit), asset inventory, network segmentation, annual compliance audits, and 72-hour incident restoration requirements. Final rule expected 2026 post-comment-review. HHS OCR Recoverability Mandate™ + Evidence Chain Model™
HIPAA Privacy Rule + HITECH In Force Governs use and disclosure of Protected Health Information. HITECH Act (2009) expanded HIPAA, introduced breach notification, and increased penalties. 2024 Reproductive Health amendment restricting disclosure of reproductive health data for criminal investigations (compliance date 22 Dec 2024) was vacated in most part by a federal court in Texas in June 2025 (Purl v. HHS). HHS OCR / State AGs Contract Control Matrix™
CIRCIA
Cyber Incident Reporting for Critical Infrastructure Act 2022
Rulemaking Pending The Act (2022) is in force; CISA implementing regulations (final rule) delayed to May 2026+. Core proposed obligations: 72h reporting for significant cyber incidents; 24h for ransomware payments; covers 16 critical infrastructure sectors. Non-compliance triggers CISA subpoena authority and DOJ referral. DHS appropriations lapse in March–April 2026 caused postponement of scheduled CIRCIA town hall meetings, likely pushing final rule beyond May 2026 (CISA NPRM; CyberScoop / Davis Wright Tremaine, 2025–2026). CISA Recoverability Mandate™ + Decision Rights Architecture™
CMMC 2.0
32 CFR Part 170 / 48 CFR (DFARS)
In Force Cybersecurity Maturity Model Certification — mandatory for ~300,000 Defense Industrial Base contractors. Three-tier model (Level 1 Foundational → Level 3 Expert) mapped to NIST SP 800-171 / 800-172. Final DFARS clause 252.204-7021 phased in through contracts from late 2025 onward. Level 1 is an annual self-assessment; Level 2 requires a C3PAO third-party assessment for most contracts (self-assessment only where the solicitation allows); Level 3 is assessed by DoD's DIBCAC on top of a Level 2 C3PAO certification. DoD CIO / DCMA (DIBCAC) / C3PAOs Contract Control Matrix™ + Board-Survivable Cyber Architecture™
NYDFS Cybersecurity Regulation
23 NYCRR Part 500 (Amendment 2)
In Force New York Department of Financial Services rule for covered financial entities. Amendment 2 (Nov 2023) phased-in through Nov 2025: CISO annual report to board, MFA on all remote access and privileged accounts, endpoint detection & response, documented incident response plan, 72-hour notification of cybersecurity events, annual certification by senior officer or board. NYDFS Decision Rights Architecture™ + Evidence Chain Model™
FTC Safeguards Rule
16 CFR Part 314 (GLBA)
In Force Non-bank financial institutions must implement written information security program with designated Qualified Individual, risk assessment, access controls, encryption, MFA, continuous monitoring, annual penetration testing, incident response plan, and board reporting. 2023 amendment added 30-day breach notification to FTC for events affecting 500+ consumers. FTC Contract Control Matrix™ + Evidence Chain Model™
SOX (Sarbanes-Oxley Act)
15 U.S.C. § 7201 — IT Audit & Financial Controls
In Force Sarbanes-Oxley Act 2002 imposes IT general controls (ITGC) and application controls requirements on public companies and their subsidiaries with US listings. Section 302 (CEO/CFO quarterly certifications) and Section 404 (annual management & auditor attestation of internal controls over financial reporting) drive significant information security obligations: access controls, change management, segregation of duties, audit logging, and vulnerability management. PCAOB AS 2201 sets external auditor standards for ICFR. SOC 1 Type II reports (issued under SSAE 18, successor to SAS 70) are the primary third-party assurance mechanism for service organisations in scope. Financial institutions and global companies with NYSE/NASDAQ listings are in scope regardless of HQ jurisdiction. SEC / PCAOB Audit-Proof by Design™ + Decision Rights Architecture™
FedRAMP
40 U.S.C. § 11331 / OMB M-24-15
In Force Federal Risk and Authorization Management Program. Cloud services used by federal agencies must achieve authorization (Low / Moderate / High / Li-SaaS) against NIST SP 800-53 controls. OMB M-24-15 (Jul 2024) modernised the programme and replaced the JAB with the FedRAMP Board; FedRAMP 20x (announced Mar 2025) moves toward automated, continuous authorization. Agencies must obtain authorization before procurement. GSA FedRAMP PMO / FedRAMP Board Contract Control Matrix™
NIST CSF 2.0 + AI RMF 1.0 Reference NIST Cybersecurity Framework 2.0 (Feb 2024) adds Govern function; widely referenced by regulators (SEC, FTC, HHS, DoD). NIST AI Risk Management Framework 1.0 (Jan 2023) + Generative AI Profile (Jul 2024) provide voluntary structure for AI governance, originally adopted by federal agencies under OMB M-24-10 (since replaced by M-25-21, Apr 2025). NIST (voluntary) / adopted by sector regulators AI Accountability Stack™ + Decision Rights Architecture™
EO 14144
Strengthening & Promoting Innovation in the Nation's Cybersecurity (Jan 2025)
In Force Final Biden cyber EO signed 16 Jan 2025. Mandates secure software development attestations for federal vendors, post-quantum cryptography transition milestones, software bill of materials (SBOM), and AI cyber-defence research. Partially modified by Trump EO 14306 (Jun 2025) but core secure-software and PQC provisions remain. OMB / CISA / NIST Contract Control Matrix™
EO 14179
Removing Barriers to American Leadership in AI (Jan 2025)
In Force Rescinded Biden EO 14110 (Oct 2023). Directs federal agencies to review and remove AI-related regulations deemed to impede innovation. OMB M-25-21 and M-25-22 (Apr 2025) revised federal AI use policy. Does not remove statutory AI obligations or state AI laws; voluntary NIST AI RMF guidance remains. OMB / OSTP AI Accountability Stack™
Colorado AI Act
SB 24-205 — first comprehensive state AI law
Effective 30 Jun 2026 Imposes duty of reasonable care on developers and deployers of "high-risk AI systems" (consequential decisions in employment, education, finance, healthcare, housing, insurance, legal services) to prevent algorithmic discrimination. Requires impact assessments, risk management program, disclosure to the AG within 90 days of discovering known or reasonably foreseeable algorithmic discrimination, and consumer disclosure & appeal rights. Enforced by Colorado AG. Note: Implementation delayed from 1 Feb 2026 to 30 Jun 2026 by SB 25B-004, signed 28 Aug 2025; Colorado legislature actively considering further substantive amendments before the June 2026 effective date (Colorado General Assembly, SB25B-004, Aug 2025). Colorado Attorney General AI Accountability Stack™ + Evidence Chain Model™
Texas Responsible AI Governance Act
TRAIGA — HB 149
In Force In force since 1 Jan 2026. Prohibits AI systems intentionally developed for unlawful discrimination, social scoring, or manipulating human behaviour to cause harm. Governmental use restrictions on biometric ID and emotion recognition. Creates Texas AI Council. Enforced by Texas AG with civil penalties up to $200,000 per violation and 60-day cure period (Texas HB 149 / TRAIGA, eff. 1 Jan 2026). Texas Attorney General AI Accountability Stack™
California AI Statutes
SB 942 Transparency · SB 53 Frontier AI · AB 2013
In Force SB 942 California AI Transparency Act (effective 1 Jan 2026) requires AI-generated content disclosure and provenance tools for large AI platforms. SB 53 Transparency in Frontier Artificial Intelligence Act (signed Sep 2025) mandates safety framework publication and critical-safety-incident reporting for frontier model developers. AB 2013 training-data transparency effective Jan 2026. California AG / CPPA AI Accountability Stack™
NYC Local Law 144
AEDT — Automated Employment Decision Tools
In Force Employers using automated decision tools for hiring or promotion of NYC-based candidates must conduct annual independent bias audit, publish summary of results, and provide candidate notice at least 10 business days before use. Civil penalties up to $1,500 per violation per day. NYC Department of Consumer & Worker Protection AI Accountability Stack™
CCPA / CPRA
California Consumer Privacy Act as amended by CPRA
In Force Rights of access, deletion, correction, portability, opt-out of sale/sharing, and limit-use of sensitive personal information for California residents. CPPA regulations on automated decision-making technology (ADMT), risk assessments, and cyber audits finalised 2025. Civil penalties up to $7,500 per intentional violation plus statutory damages for breaches. California Privacy Protection Agency (CPPA) / CA AG Evidence Chain Model™ + Contract Control Matrix™
State Comprehensive Privacy Laws
20+ states — VCDPA, CPA, CTDPA, UCPA, OCPA, TIPA, DPDPA, ICDPA, TDPSA, MCDPA, NHCDPA, NJDPA, INCDPA, KCDPA, RIDPA, MNCDPA, MDPA, etc.
Patchwork — In Force As of 2026, 20+ states have enacted comprehensive consumer privacy laws with broadly similar rights (access, delete, correct, opt-out of targeted advertising, sale, profiling). Sensitive-data opt-in in most. Global Privacy Control signal recognition mandatory in several (CA, CO, CT, TX). Each state AG enforces; no federal preemption. State Attorneys General Contract Control Matrix™
TSA Security Directives
Pipeline SD-02 · Rail · Aviation
In Force Issued after the Colonial Pipeline incident. Pipeline Security Directive 2021-02 (renewed and revised annually, most recently 2024) mandates TSA-approved cybersecurity implementation plans, annual assessments, and 24-hour incident reporting to CISA. Parallel directives apply to TSA-regulated passenger and freight rail operators and to aviation operators. TSA / CISA Recoverability Mandate™ + Decision Rights Architecture™
FISMA + FedRAMP SI-Cyber
44 U.S.C. §§ 3551–3558
In Force Federal Information Security Modernization Act — requires federal agencies and contractors operating federal information systems to implement NIST SP 800-53 controls, annual independent assessments, and continuous monitoring reported through CISA CDM programme. OMB / CISA / Agency CIO Evidence Chain Model™
Critical Threshold

CIRCIA: 24h / 72h

Covered critical-infrastructure entities must report ransomware payments within 24 hours and substantial cyber incidents within 72 hours to CISA — the fastest US federal reporting clock. The statutory obligations attach once CISA's CIRCIA final rule takes effect, so check the rule's effective date before treating the clocks as live.

Critical Threshold

HIPAA: $2.13M per Category

2025 adjusted penalties — HHS OCR can impose up to $2.13M per violation category per calendar year for wilful neglect, plus state AG and private-action exposure post-HITECH.

Critical Threshold

State AI Laws Live 2026

Texas TRAIGA (1 Jan 2026) and the Colorado AI Act (effective date moved from 1 Feb 2026 to 30 Jun 2026 by SB 25B-004) are the first comprehensive US state AI compliance regimes — Colorado requires impact assessments, risk-management programmes and disclosure duties for developers and deployers of high-risk AI systems, with notice to the AG when algorithmic discrimination is discovered; both are enforced by the state AG.

🌐 Cross Border — Transfers, Safe Harbour, Shared Themes


The transatlantic transfer regime sits on the EU-US Data Privacy Framework (with UK and Swiss extensions), standard contractual clauses, and binding corporate rules. Alongside it sit US sector rules — HIPAA, COPPA, FERPA and GLBA — whose statutory "safe harbours" concern de-identification or lawful processing rather than transfers, but which frequently apply to the same data once it lands in the US. This panel aggregates the cross-border mechanisms and cross-regulatory themes that apply regardless of home jurisdiction.

🔐 US Data Protection & Safe Harbour / Cross-Border Transfer Frameworks

Since the CJEU struck down Safe Harbour (Schrems I, 2015) and Privacy Shield (Schrems II, 2020), the transatlantic transfer regime has been rebuilt on the EU-US Data Privacy Framework, with a UK extension and a Swiss extension. US federal and sector rules provide additional de-identification and lawful-basis "safe harbours" that often operate alongside the DPF. Any UK/EU controller transferring personal data to the US should confirm which mechanism is current and retain TIA (Transfer Impact Assessment) evidence.

Framework / Rule Status Scope & Key Provisions Authority Doctrine Response
EU-US Data Privacy Framework
DPF — Adequacy Decision (EU) 2023/1795
In Force European Commission adequacy decision adopted 10 Jul 2023, permitting personal data transfers to self-certified US organisations without SCCs or BCRs. Certification administered by US Department of Commerce; enforceable by FTC or DoT. Underpinned by EO 14086 signals-intelligence safeguards and the new Data Protection Review Court (DPRC). First periodic review completed Oct 2024; second review due 2027. European Commission · US DoC · FTC · DPRC Contract Control Matrix™ + Evidence Chain Model™
UK Extension to EU-US DPF
UK-US "Data Bridge"
In Force Data Protection (Adequacy) (United States of America) Regulations 2023 — in force 12 Oct 2023. Permits transfers of UK personal data to US organisations that have additionally self-certified to the UK Extension of the DPF. Requires specific categories (journalistic, HR, sensitive) to be flagged at certification; ICO retains supervisory jurisdiction for UK data subjects. UK DSIT · ICO · US DoC Contract Control Matrix™
Swiss-US Data Privacy Framework In Force Swiss FDPIC recognition of US DPF for transfers under the Federal Act on Data Protection (nFADP). Active since 15 Sep 2024. Self-certification adds a Swiss annex to the US DoC DPF programme; FDPIC supervisory role preserved. Swiss FDPIC · US DoC Contract Control Matrix™
EO 14086 + DPRC
Signals Intelligence Safeguards (Oct 2022)
In Force Executive Order "Enhancing Safeguards for United States Signals Intelligence Activities" — legal backbone of the DPF. Limits bulk collection to defined national-security purposes, imposes necessity/proportionality tests, and establishes the Data Protection Review Court as binding redress for EU/UK/Swiss data subjects. Retained under the 2025 administration. ODNI · DoJ · DPRC Evidence Chain Model™
Standard Contractual Clauses
EU SCCs 2021/914 · UK IDTA / Addendum
In Force Alternative GDPR/UK GDPR lawful-transfer mechanism when DPF self-certification is not available. Requires a documented Transfer Impact Assessment (TIA) under Schrems II — assessing US surveillance exposure and supplementary measures (encryption with keys held in the EU/UK, pseudonymisation, contractual controls). For UK-origin data, either the UK IDTA or the UK Addendum to the EU SCCs is used. Data exporter (accountability) · EDPB · ICO Contract Control Matrix™ + Evidence Chain Model™
Binding Corporate Rules
BCRs — GDPR Art. 47
In Force Intra-group transfer mechanism for multinationals with US affiliates. Requires lead DPA approval, binding internal policies, third-party beneficiary rights, and ongoing audit. EDPB Recommendations 1/2022 set updated requirements; ICO operates parallel UK BCR approval route. Lead EU DPA · ICO · EDPB Decision Rights Architecture™ + Contract Control Matrix™
HIPAA De-Identification "Safe Harbor"
45 CFR § 164.514(b)(2)
In Force Two HIPAA-recognised de-identification methods: Expert Determination and Safe Harbor. Safe Harbor requires removal of 18 specified identifiers (names; geographic subdivisions smaller than a state, with ZIP codes reduced to three digits only where that ZIP3 area exceeds 20,000 people; all elements of dates except year, with ages over 89 aggregated into a single "90 or older" category; contact details; SSNs; medical record, account and device identifiers; URLs and IP addresses; biometrics; full-face photographs; any other unique code) and no actual knowledge that the remaining data could identify an individual. De-identified data falls outside HIPAA restrictions. HHS OCR Evidence Chain Model™
COPPA Safe Harbor Programs
16 CFR § 312.11
In Force FTC-approved self-regulatory safe harbours for the Children's Online Privacy Protection Act (operators of sites/apps directed at children under 13). Participation in an approved program (e.g. kidSAFE, PRIVO, TRUSTe/TrustArc, ESRB) shifts primary enforcement to the program with annual audits and FTC oversight. 2025 COPPA Rule update strengthens parental-consent and data-minimisation obligations. FTC (oversight) · Approved SRO programs Contract Control Matrix™
FERPA
20 U.S.C. § 1232g · 34 CFR Part 99
In Force Family Educational Rights and Privacy Act — protects student education records at institutions receiving US Department of Education funds. Restricts disclosure without parental / eligible-student consent; includes a school-official exception that many EdTech vendors rely on (contractual FERPA safe-harbour language). 2024 NPRM proposes expanded rights and tighter EdTech vendor controls. US Department of Education — SPPO Contract Control Matrix™
GLBA Privacy Rule
Regulation P — 12 CFR Part 1016
In Force Gramm-Leach-Bliley Act privacy rule. Financial institutions must provide initial and annual privacy notices, offer opt-out of non-affiliate data sharing, and comply with reuse/redisclosure limits. Operates alongside FTC Safeguards Rule (security) to form the US financial privacy stack. CFPB · FTC · Federal banking agencies Contract Control Matrix™
APEC Cross-Border Privacy Rules
CBPR / Global CBPR Forum
In Force Voluntary certification for transfers across APEC / Global CBPR Forum economies (US, Japan, Korea, Singapore, Canada, Australia, Taiwan, Philippines, UK associate participation). US administered by FTC-recognised Accountability Agents (e.g. TrustArc, Schellman). Provides a parallel safe-harbour style framework for non-EU international transfers. Global CBPR Forum · FTC · Accountability Agents Contract Control Matrix™
DPF Active Monitoring
Schrems III Risk
Monitoring noyb/Schrems has signalled a third challenge to the EU-US DPF on the grounds that EO 14086 still permits bulk collection and that the DPRC's independence is doubtful. The General Court dismissed the first direct annulment action (Latombe v Commission, T-553/23) in September 2025, subject to appeal; a successful challenge before the Court of Justice would again invalidate transatlantic transfers under the DPF. Firms relying solely on DPF self-certification should maintain an SCC+TIA fall-back posture. CJEU · EDPB · noyb Contract Control Matrix™ + Evidence Chain Model™
Critical Threshold

DPF Self-Certification Renewal

DPF participants must re-certify annually with the US Department of Commerce. Lapsed certification immediately invalidates the adequacy basis — data exporters must fall back to SCCs+TIA or suspend transfers.

Critical Threshold

HIPAA Safe Harbor — 18 Identifiers

A single retained identifier defeats the Safe Harbor — for example a three-digit ZIP whose combined area has 20,000 or fewer people (it must become 000), a date of service more granular than year, or an exact age over 89. Once any of the 18 elements remains, Expert Determination is the only other de-identification route.
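The Safe Harbor transformations described above, carried through on a flat patient record, as an added Python example that is not part of this page or of any HHS material. The field names, sample record and cutoff date are constructed for illustration; the list of restricted three-digit ZIP prefixes is the HHS list derived from the 2000 census and is an assumption to be verified against current HHS guidance before use.

```python
"""HIPAA Safe Harbor (45 CFR 164.514(b)(2)) applied to a flat record.

Added example. Field names, SAMPLE and AS_OF are constructed; RESTRICTED_ZIP3
is the HHS/Census-2000 list of three-digit ZIP areas with <= 20,000 people
(assumption: verify against current HHS guidance).
"""
import re
from datetime import date

RESTRICTED_ZIP3 = frozenset({
    "036", "059", "063", "102", "203", "556", "692", "790", "821",
    "823", "830", "831", "878", "879", "884", "890", "893",
})

# Hypothetical field names for identifiers that must be dropped outright.
DIRECT_IDENTIFIER_FIELDS = (
    "name", "street_address", "city", "county", "phone", "fax", "email",
    "ssn", "mrn", "health_plan_id", "account_number", "license_number",
    "vin", "device_serial", "url", "ip_address", "biometric_id", "photo_ref",
)
DATE_FIELDS = ("admit_date", "discharge_date", "death_date")
ISO_DATE = re.compile(r"\d{4}-\d{2}-\d{2}")


def generalize_zip(zip_code):
    """Keep the first three digits, or 000 if that ZIP3 area is too small."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in RESTRICTED_ZIP3 else zip3


def generalize_date(value):
    """Return only the year of an ISO date, or None if it will not parse."""
    try:
        return date.fromisoformat(value).year
    except (TypeError, ValueError):
        return None


def generalize_age(dob_iso, as_of_iso):
    """Whole-year age, with every age over 89 collapsed into one '90+' bucket."""
    born, as_of = date.fromisoformat(dob_iso), date.fromisoformat(as_of_iso)
    age = as_of.year - born.year - ((as_of.month, as_of.day) < (born.month, born.day))
    return "90+" if age > 89 else age


def safe_harbor(record, as_of_iso):
    """Produce a Safe Harbor de-identified copy of a record (dict of strings)."""
    out = {k: v for k, v in record.items() if k not in DIRECT_IDENTIFIER_FIELDS}
    if "zip" in out:
        out["zip3"] = generalize_zip(out.pop("zip"))
    if "dob" in out:
        dob = out.pop("dob")
        out["birth_year"] = generalize_date(dob)
        out["age"] = generalize_age(dob, as_of_iso)
    for field in DATE_FIELDS:
        if field in out:
            out[field.replace("_date", "_year")] = generalize_date(out.pop(field))
    return out


def violations(record):
    """List residual Safe Harbor defects in a supposedly de-identified record."""
    problems = [f for f in DIRECT_IDENTIFIER_FIELDS if record.get(f)]
    if record.get("zip3") in RESTRICTED_ZIP3:
        problems.append("zip3 restricted prefix")
    for key, value in record.items():
        if isinstance(value, str) and ISO_DATE.fullmatch(value):
            problems.append(f"{key} full date")
    if isinstance(record.get("age"), int) and record["age"] > 89:
        problems.append("age over 89 not aggregated")
    return problems


# Constructed, fictitious sample input.
AS_OF = "2026-01-10"
SAMPLE = {
    "name": "Jane Doe", "ssn": "123-45-6789", "email": "jane@example.com",
    "dob": "1920-03-15", "zip": "05901", "admit_date": "2025-11-03",
    "diagnosis_code": "E11.9",
}


def sample_deidentified():
    return safe_harbor(SAMPLE, AS_OF)


if __name__ == "__main__":
    deid = sample_deidentified()
    print(deid, violations(deid))
```

The `violations` check is the part worth keeping in a pipeline: run it over the output of any de-identification step, not just this one, and treat a non-empty result as a hard stop, since one surviving element moves the dataset back under HIPAA.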

Critical Threshold

Schrems III Watch

Firms transferring EU/UK data to the US should maintain SCC+TIA as a parallel fallback. A CJEU challenge to the DPF could again suspend the adequacy path on short notice, as happened in 2015 and 2020.

🏛 International Enterprise Audit & Risk Management Standards

These frameworks are not jurisdiction-specific regulations but internationally adopted enterprise standards — referenced by procurement teams, enterprise buyers, regulators, and assurance providers across financial services, healthcare, cloud, and critical infrastructure sectors. Demonstrating alignment with or certification against these standards is a core enterprise readiness signal for vendor due diligence and regulated sector deployment.

Standard / Framework Status Scope & Key Requirements Authority / Body Doctrine Response
ISO 27005:2022
Information Security Risk Management
Current Edition ISO/IEC 27005:2022 provides guidelines for information security risk management aligned with ISO/IEC 27001. The fourth edition (2022) aligns the risk-management process with ISO 31000, adds an event-based (scenario) identification approach alongside the traditional asset-based one, and maps to ISO/IEC 27001:2022 Annex A controls. Covers risk identification, analysis, evaluation, treatment, monitoring and review. It is guidance, not a certifiable standard: ISO 27001 Clause 6.1 sets the risk-assessment requirements audited at certification, and 27005 is the reference methodology auditors expect an ISMS to follow. Core material for ISO 27001 Lead Auditor and Lead Implementer training. ISO / IEC JTC 1/SC 27 Decision Rights Architecture™ + Evidence Chain Model™
SOC 2 Type 2
AICPA Trust Services Criteria — AT-C Section 205
Active Standard AICPA System and Organisation Controls (SOC) 2 Type 2 is the primary enterprise assurance report for technology service providers and SaaS companies handling customer data. Evaluates the design and operating effectiveness of controls against the 2017 Trust Services Criteria (points of focus revised 2022) in five categories: Security (mandatory), Availability, Processing Integrity, Confidentiality and Privacy. A Type 2 report covers an observation period, commonly 6 to 12 months. Widely required by enterprise procurement, financial services buyers and US federal contractors; SOC 2 + ISO 27001 dual attestation is increasingly the baseline for regulated-sector cloud deployment. The separate AICPA SOC for Cybersecurity and SOC for Supply Chain reports cover entity-wide cyber-risk programmes and supply-chain controls. AICPA / Licensed CPA Firms Contract Control Matrix™ + Evidence Chain Model™
Basel II / Basel III
BCBS Operational Risk & Capital Frameworks
In Force (Basel III final standards phased in from Jan 2023; EU CRR3 applies from 1 Jan 2025) Basel Committee on Banking Supervision (BCBS) frameworks governing capital adequacy and operational risk management for internationally active banks. Basel II introduced the three-pillar framework (minimum capital, supervisory review, market discipline) and the Advanced Measurement Approach (AMA) for operational risk. Basel III (2010–2017, with the final reforms phased in from 2023) strengthened capital buffers and introduced liquidity ratios (LCR, NSFR), a leverage ratio and the Standardised Approach for Counterparty Credit Risk (SA-CCR). Operational risk — including cyber and technology risk — is now captured under the Standardised Approach (often called the SMA), which replaced the AMA. The EBA Guidelines on ICT and Security Risk Management (2019) and the EBA Outsourcing Guidelines (2019) operationalise these requirements for EU banks. Directly relevant to AI governance platforms deployed into financial services: model risk, vendor risk and operational resilience requirements flow from the Basel capital frameworks. BCBS / EBA / PRA / FRB / OCC Sovereign Banking Protocol™ + Decision Rights Architecture™

Cross-Regulatory Focus Areas

Incident Reporting

Strict timelines across all frameworks: 4 hours (DORA initial notification of major ICT incidents), 24 hours (NIS2 early warning), 72 hours (GDPR breach notification). NIS2 and DORA make management bodies accountable for compliance, and NIS2 exposes individual managers to liability and temporary bans.

Supply Chain Security

DORA, NIS2, CRA, and the Telecoms Security Act all emphasise securing the entire ICT supply chain. Third-party risk management is now a regulatory requirement, not a best practice.

Active Surveillance

The EU Cyber Solidarity Act establishes SOC networks for cross-border threat detection. Combined with ENISA strengthening under the revised CSA, the EU is building active defence capability.

🇨🇭 Switzerland — National Cyber, Data & AI Regulation


Switzerland operates outside the EU but maintains alignment with EU data-protection via adequacy. The revised Federal Act on Data Protection (revFADP/nFADP) entered into force 1 Sep 2023, and the Information Security Act (ISA) built a federal cyber baseline. FINMA governs financial-sector operational risk; NCSC Switzerland is the national CERT.

Regulation Status Key Requirements Enforcement Authority Doctrine Response
revFADP / nFADP
Federal Act on Data Protection
In Force Revised Federal Data Protection Act in force 1 Sep 2023. Modernises Swiss data law to broadly match the GDPR: extended definitions, DPIA obligation, breach notification to the FDPIC "as soon as possible" (no fixed 72h clock), new right to data portability. Penal fines up to CHF 250,000 on responsible individuals (not corporate entities). FDPIC + Cantonal DPAs Evidence Chain Model™
Information Security Act
ISG / LSI
In Force Federal Information Security Act entered into force 1 Jan 2024. Applies to the Confederation, to cantons (where processing federal information) and to operators of critical infrastructure. Establishes a federal information-classification regime and personnel security vetting; the mandatory 24h cyber-attack reporting duty (Art. 74a ff.) followed on 1 Apr 2025. NCSC Switzerland + Chancellery Recoverability Mandate™
FINMA Circular 2023/1
Operational Risks & Resilience
In Force FINMA's supervisory circular on operational risks and resilience — in force 1 Jan 2024 for banks and insurers. Requires critical business-function mapping, tolerance for disruption, testing via severe-but-plausible scenarios, and third-party ICT dependency register (aligned with DORA). FINMA Recoverability Mandate™ + Evidence Chain Model™
Cyber Reporting Duty
Art. 74a ISA
In Force In force 1 Apr 2025 — critical-infrastructure operators must report cyber attacks to NCSC Switzerland within 24h of detection. Initial reporting scope covers the financial, energy, transport, health and telecom sectors; administrative fines of up to CHF 100,000 for breach of the reporting duty apply from 1 Oct 2025. NCSC Switzerland Decision Rights Architecture™
Swiss-US DPF
Swiss Data Privacy Framework
In Force Swiss FDPIC recognition of US DPF (since 15 Sep 2024) — permits transfers of Swiss personal data to self-certified US entities under the Swiss Annex of the DPF, preserving data-subject redress via DPRC. FDPIC + US DoC Contract Control Matrix™

🇨🇦 Canada — National Cyber, Data & AI Regulation


Canada's federal regime rests on PIPEDA for the private sector, alongside provincial statutes (notably Quebec's Law 25). Bill C-27 (Digital Charter Implementation Act), which bundled a new privacy law (CPPA), an AI law (AIDA) and a tribunal, lapsed when Parliament was prorogued in January 2025 and has not yet been replaced. The critical-cyber-systems framework for federally regulated sectors, originally Bill C-26, has been reintroduced as Bill C-8.

Regulation Status Key Requirements Enforcement Authority Doctrine Response
PIPEDA
Personal Information Protection and Electronic Documents Act
In Force Federal private-sector privacy law. Consent-based collection/use/disclosure of personal information in commercial activities. Mandatory breach-of-security-safeguards notification to OPC and affected individuals where real risk of significant harm. Fines up to CAD 100,000 per violation (pre-CPPA framework). Office of the Privacy Commissioner (OPC) Evidence Chain Model™
Quebec Law 25
An Act to Modernize Legislative Provisions
In Force Three-phase rollout: Sep 2022 (privacy officer, breach notification), Sep 2023 (consent, transparency, rights), Sep 2024 (portability). Strictest Canadian privacy regime — GDPR-adjacent. Fines up to CAD 25M or 4% global turnover. Mandatory Privacy Impact Assessments for cross-border transfers. Commission d'accès à l'information (CAI) Evidence Chain Model™ + Contract Control Matrix™
Bill C-27 / CPPA
Consumer Privacy Protection Act (lapsed — replacement expected)
Lapsed / Expected Bill C-27 (Digital Charter Implementation Act) lapsed on the Order Paper when Parliament was prorogued January 2025 before receiving Royal Assent. The Liberal government, re-elected April 2025, has signalled intent to introduce a replacement federal private-sector privacy statute in 2026. As of April 2026, no replacement bill has been formally tabled; Privacy Commissioner testified to INDU Committee on expected legislation (priv.gc.ca / IAPP, Jan–Apr 2026). Canada remains governed by PIPEDA (2000) at the federal level pending new legislation. OPC (current); Privacy Tribunal (proposed) Evidence Chain Model™
Bill C-27 / AIDA
Artificial Intelligence and Data Act (lapsed)
Lapsed AIDA (Part 3 of Bill C-27) lapsed when Parliament was prorogued January 2025. Canada has no federal AI law in force as of April 2026. The re-elected Liberal government has signalled that AI regulation will now proceed as a separate initiative from privacy reform, allowing more focused policy development. No replacement AI bill has been tabled as of April 2026 (IAPP Canada, 2025; Osler, 2026). ISED (planned AI Commissioner — not established) AI Accountability Stack™
Bill C-8 / CCSPA
Critical Cyber Systems Protection Act (reintroduced as C-8)
Passed Commons / In Senate Originally Bill C-26 (died on Order Paper Jan 2025). Reintroduced as Bill C-8 by the Minister of Public Safety, 18 Jun 2025. Passed Third Reading in the House of Commons 26 Mar 2026 (following Speaker's ruling removing prior-judicial-authorisation provisions and committee amendments adding encryption protections); received First Reading in the Senate 26 Mar 2026. Senate Second Reading and committee referral expected imminently. Creates regulatory regime for "designated operators" in federally regulated critical sectors (finance, energy/pipelines, telecom, transport). Mandatory cybersecurity programs, supply-chain risk management, 72h incident reporting to CSE-CCCS. Penalties up to CAD 15M; personal officer liability. Includes 5-year mandatory ministerial review post-Royal Assent (Fasken / parl.ca C-8 45-1, Apr 2026). Governor in Council + CSE / CCCS Recoverability Mandate™
OSFI B-13
Technology and Cyber Risk Management
In Force Office of the Superintendent of Financial Institutions guideline for federally regulated financial institutions. In force 1 Jan 2024 — governance, risk management, cyber incident reporting within 24h of determination of reportable incident, third-party technology risk. OSFI Evidence Chain Model™


Last updated: 19 April 2026 · Sources: EUR-Lex, European Commission, FCA, PRA, ICO, SEC, ENISA, UK Parliament, DPC, NCSC Ireland, Oifig IS, Ofcom, CMA, OPSS, HHS OCR, CISA, FTC, NIST, NYDFS, CPPA, US DoC

Live Status

Regulatory Enforcement Countdown

Real-time tracking of critical compliance deadlines. These timers update live — when they reach zero, enforcement begins.

Critical Deadline

EU AI Act — Full Application


EU 2024/1689 Art. 113 — High-risk AI obligations enforceable

Active Enforcement

DORA — Supervisory Reviews


EU 2022/2554 — In force since 17 January 2025

Imminent

EU Digital Omnibus Trilogue


Political agreement expected — proposes extending AI Act high-risk deadlines + GDPR simplification + single breach notification portal

Monitoring

NIS2 — Transposition Status


EU 2022/2555 — Deadline was 17 October 2024 · 13 of 27 states yet to transpose; EC infringement proceedings ongoing · First audits due 30 June 2026 · First penalties issued Q1 2026 · Digital Omnibus trilogue 28 Apr 2026

Self-Assessment

Governance Readiness Score

Evaluate your organisation's cyber governance maturity in 60 seconds. This diagnostic maps your current posture against DORA, NIS2, and EU AI Act enforcement requirements.

1. Does your board receive structured cyber risk reports at least quarterly?

2. Do you have documented Decision Rights for cyber incident escalation?

3. Can you produce an evidence chain for any control within 24 hours?

4. Have you stress-tested your operational resilience under a severe-but-plausible scenario?

5. Do you have AI governance controls mapped to EU AI Act requirements?

6. Are your third-party/outsourcing contracts governed by enforceable cyber controls?

Compliance is a commercial weapon for those who understand it and an extinction event for those who do not.

DORA. NIS2. EU AI Act. CRA. The organisations that move first set the enforcement standard for everyone else.
