Live Regulatory Landscape
Comprehensive monitoring of EU, UK, Ireland, USA, and international cybersecurity, AI, and data protection enforcement - mapped to institutional doctrine response.
🇪🇺 European Union — Cyber, AI & Data Protection
EU cyber and digital regulation operates as a single horizontal stack. DORA, NIS2 and the Cyber Resilience Act form the security core; GDPR, DSA, DMA and the EU AI Act extend into data, market, and AI accountability. Enforcement is layered — national Competent Authorities under ENISA coordination, with ESAs for finance and the EU AI Office for frontier AI.
EU Cybersecurity Regulations
| Regulation | Status | Key Deadline | Scope & Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|---|
| DORA EU 2022/2554 | In Force | 17 Jan 2025 — Active enforcement. Register of Information submitted Q1 2026; on-site ICT risk inspections underway; first compulsion payments issued. Only 50% of entities reached full compliance by end-2025 (Deloitte). | Financial sector ICT resilience. Firms must withstand, respond to, and recover from ICT disruptions. Strict 4-hour incident reporting for major incidents. | EBA / EIOPA / ESMA | Evidence Chain Model™ + Recoverability Mandate™ |
| NIS2 Directive EU 2022/2555 | Transposition | 17 Oct 2024 — 22 of 27 EU member states now transposed as of Apr 2026; remaining holdouts subject to EC infringement proceedings — EC issued reasoned opinions to 19 Member States on 7 May 2025 (including Bulgaria, Czechia, Denmark, Estonia, Ireland, Spain, France, Cyprus, Latvia, Luxembourg, Hungary, Netherlands, Austria, Poland, Portugal, Slovenia, Finland, Sweden). Austria NISG 2026, Poland KSC Act and the Dutch Cyberbeveiligingswet each introduce national variations in penalty regimes. Belgium became first EU state to open a hard NIS2 conformity-assessment window on 18 Apr 2026 (BELAC-accredited CAB sign-off required for essential entities). Germany — IT Security Act / NIS2UmsuCG in force 6 Dec 2025; BSI registration portal opened 6 Jan 2026 with a 6 Mar 2026 deadline — reported ~11,500 of ~29,500 in-scope entities registered by Apr 2026 (heise/DLA Piper/Freshfields), a ~61% shortfall signalling likely enforcement action. EC proposed targeted NIS2 amendments 20 Jan 2026 to simplify compliance for 28,700 companies including 6,200 SMEs; EU Digital Omnibus trilogue 28 Apr 2026 expected to formalise extensions. First administrative penalties issued Q1 2026; first audits due 30 Jun 2026. Fines up to €10M or 2% global turnover. CyberSmart Apr 2026 survey of 670 in-scope businesses across 8 countries: 84% of entities facing active enforcement self-report as not ready (Skadden/EC/CyberSmart, Apr 2026). | Replaces NIS1. Mandatory cybersecurity requirements for essential sectors (energy, health, finance, transport) and digital services. Mandates strict risk management, governance, and incident reporting. Art. 20 imposes personal liability on directors. | National CAs + ENISA | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™ |
| EU AI Act EU 2024/1689 | Phased Rollout | 2 Aug 2026 — Most remaining provisions apply. EU Digital Omnibus proposes extending stand-alone high-risk AI systems to Dec 2027, embedded systems to Aug 2028. AI sandboxes due by Aug 2026 (may be delayed to Dec 2027). Watermarking deadline may shift to Feb 2027. Council agreed streamlining position Mar 2026; political trilogue scheduled 28 Apr 2026 — Parliament and Council both now supporting hard-date replacement of EC's conditional mechanism: 2 Dec 2027 for stand-alone high-risk systems (Annex III) and 2 Aug 2028 for AI embedded in regulated products (Annex I). Bias-detection data-processing safeguards remain the last major convergence point (Addleshaw Goddard/A&O Shearman/IAPP, Apr 2026). | Risk-based AI classification: Prohibited (social scoring, cognitive manipulation), High-Risk (critical infrastructure, employment, law enforcement), Limited Risk (transparency rules for chatbots/deepfakes), Minimal Risk. GPAI models must comply with transparency and copyright obligations. Penalties: up to 7% global annual turnover for high-risk violations. | National Market Surveillance + EU AI Office | AI Accountability Stack™ |
| Cyber Resilience Act EU 2024/2847 | Phased Rollout | 11 Sep 2026 — Vulnerability reporting obligations begin; 11 Dec 2027 — Full application | Manufacturers of products with digital elements must meet high-security standards throughout the product lifecycle. Mandates "security by design," automatic updates, and vulnerability handling obligations. Notification of conformity assessment bodies begins 11 Jun 2026. Commission's first standardisation deliverables expected Q3 2026. Non-compliant products face serious penalties across all 27 Member States from Dec 2027 (Hogan Lovells/Keysight, Apr 2026). | National Market Surveillance Authorities | Evidence Chain Model™ + Contract Control Matrix™ |
| EU Cybersecurity Act EU 2019/881 + 2026 Revision | Revision Proposed | 20 Jan 2026 — COM(2026)900 published; EDPB-EDPS Joint Opinion 4/2026 (Apr 2026) supports proposal while raising data-protection concerns; in EU legislative procedure — trilogue political agreement targeted early 2027 | Strengthened ENISA and established EU-wide ICT certification framework. COM(2026)900 published 20 Jan 2026: adds managed security services to certification, significantly expands ENISA's operational support role (€341M budget 2028–2034), and addresses ICT supply-chain security as a strategic risk. | ENISA + National Certification Authorities | Evidence Chain Model™ |
| Cyber Solidarity Act EU 2025 | Implementation | In force 4 Feb 2025 — €36M Cybersecurity Reserve launched; cross-border SOC hubs deploying | Establishes EU-wide Security Operations Centre network for active threat detection. Creates Cyber Emergency Mechanism and €36M Cybersecurity Reserve for cross-border incident response. ENISA Single Reporting Platform launching September 2026. | ENISA + National SOCs | Recoverability Mandate™ |
| eIDAS2 EU Digital Identity Regulation | Implementation | Dec 2026 — All 27 Member States must provide EU Digital Identity Wallets | Provides secure, trustworthy digital identity solutions across Europe. Member States must offer EU Digital Identity Wallets to all citizens and residents. Pilot programmes expanding; technical specifications and implementing regulations finalised. | National Supervisory Bodies | Decision Rights Architecture™ |
| ISO/IEC 42001:2023 AI Management System | Mainstream 2026 | Certification available now | First international standard for AI management systems. Specifies requirements for establishing, implementing, maintaining, and continually improving an AIMS within the context of an organisation. Aligned to the EU AI Act Articles 9, 10, 12, 14, 15 and 17 (risk management, data governance, logging, human oversight, accuracy/robustness, quality management). Mainstream adoption accelerated 2025–2026: Microsoft 365 Copilot certified (2025), SAP AI services certified (2025), multiple Big 4 assurance practices now offering 42001 readiness assessments. Frequently certified alongside ISO 27001 and ISO 27701 as the AI-governance assurance stack. | Accredited Certification Bodies (UKAS, ANAB, COFRAC, DAkkS) | AI Accountability Stack™ + Evidence Chain Model™ |
EU Data Protection & Digital Markets
| Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|
| GDPR EU 2016/679 | In Force | Data protection by design and by default. 72-hour breach notification. DPIAs mandatory for high-risk processing. Cross-border transfer safeguards (SCCs, adequacy decisions). Fines up to 4% of global turnover. Total EU enforcement exceeds €7.1B; Irish DPC has issued €4.04B. 2026 Coordinated Enforcement Framework focuses on transparency obligations. | National DPAs (CNIL, ICO, BfDI) | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| ePrivacy Directive 2002/58/EC | In Force | Regulates cookies, electronic marketing, email spam, and privacy of electronic communications. Awaiting ePrivacy Regulation replacement. | National DPAs | Contract Control Matrix™ |
| Digital Markets Act DMA | In Force | Designates gatekeepers (Meta, Alphabet, Apple, etc.) — mandates interoperability, prohibits self-preferencing, prevents combining user data across services without consent. | European Commission (DG COMP) | Decision Rights Architecture™ |
| Digital Services Act DSA | In Force | Strict risk assessment and independent audits for VLOPs (45M+ EU users). Faster removal of illegal content. Algorithmic transparency obligations. | European Commission + National Digital Services Coordinators | AI Accountability Stack™ |
| PSD2 / PSD3 & PSR Payment Services Directive / Regulation | PSD2 In Force · PSD3/PSR Adopted | PSD2 (Directive (EU) 2015/2366) remains in force and underpins Strong Customer Authentication (SCA), open banking APIs, and payments fraud liability. PSD3 (Directive) and the new PSR (Payment Services Regulation) reached provisional political agreement 27 Nov 2025 between Parliament and Council; technical legal-linguistic finalisation ongoing, OJ publication expected end Q2 2026 with an 18-month transitional period. PSD3/PSR strengthen SCA, expand scope to crypto-asset and open-finance service providers, tighten fraud-liability allocation between PSPs and consumers, and formalise supervisory powers for EBA and national competent authorities. Critical for ICT-outsourcing interplay with DORA Article 28 and for regulatory alignment with the EU AI Act where AI-driven fraud detection is used (Norton Rose Fulbright/Linklaters/DLA Piper, Mar 2026). | EBA + National Competent Authorities (CBI, BaFin, ACPR, etc.) | Contract Control Matrix™ + AI Accountability Stack™ |
| EU Digital Omnibus Package COM(2025) Nov 2025 — Simplification Reform | Proposed | Proposed by EC 19 Nov 2025; in trilogue (Council agreed streamlining position Mar 2026; political trilogue scheduled 28 Apr 2026). Proposes targeted GDPR amendments for harmonisation and compliance simplification; extends AI Act high-risk system deadlines by up to 16 months (stand-alone systems to Dec 2027, embedded to Aug 2028); introduces single notification portal for data breach reporting across multiple regimes. Affects ~28,700 companies including 6,200 SMEs (EC / digital-strategy.ec.europa.eu, Nov 2025). | European Commission + European Parliament + Council | Evidence Chain Model™ + AI Accountability Stack™ |
| EU Data Act EU 2023/2854 | In Force (Phase 2: Sep 2026) | Regulation (EU) 2023/2854 in force 11 Jan 2024; applied from 12 Sep 2025. Core B2B data-sharing obligations active: users of connected products may access their usage data free of charge; data holders must share data with third parties on fair, reasonable, and non-discriminatory (FRAND) terms. Cloud-switching obligations (no-fee switching, data portability, technical equivalence) active Sep 2025. From 12 Sep 2026: "access by design" obligation (Art. 3(1)) — connected products placed on the market must be designed so that product data is directly accessible by default to users in a secure, structured, machine-readable format in real time. Complete ban on charges for cloud-service switching from 12 Jan 2027. Enforcement decentralised at Member State level; Germany and France have designated competent authorities; penalties up to 4–5% of global annual turnover per jurisdiction (EUR-Lex / Bird & Bird, 2026). | National Competent Authorities + European Commission | Contract Control Matrix™ + Decision Rights Architecture™ |
| EU Data Governance Act EU 2022/868 — DGA | In Force | Regulation (EU) 2022/868 applicable from 24 Sep 2023. Establishes framework for: (1) reuse of publicly-held protected data; (2) regulation of data intermediation services (data marketplaces, data brokers) — providers must notify competent authority and comply with neutrality/transparency obligations; (3) voluntary data altruism organisations for general-interest purposes. As of 2026 take-up is limited — 11 registered data intermediaries and 1 data altruism organisation EU-wide; Commission sent reasoned opinions to 10 Member States on 16 Dec 2024 for failure to designate competent authorities. Complementary to the EU Data Act (IoT/connected product data) and GDPR (personal data); underpins Common European Data Spaces across health, energy, agriculture, finance, and manufacturing (EC / data.europa.eu, 2025–2026). | National Competent Authorities + European Commission + EDPB | Decision Rights Architecture™ + Contract Control Matrix™ |
| GDPR Procedural Regulation EU 2025/2518 — Cross-Border Enforcement | In Force — Applies Apr 2027 | Regulation (EU) 2025/2518 entered into force 1 January 2026; applies to cross-border GDPR complaints lodged after 2 April 2027. Addresses long-standing criticism of the One-Stop-Shop mechanism (GDPR Art. 56) — introduces binding admissibility standards harmonised across all EU DPAs, mandatory investigation deadlines preventing enforcement delays, and clarified EDPB binding-decision authority. 2026 is the supervisory authority (SA) preparation period — DPAs must operationalise harmonised complaint-intake forms, defined investigation timelines, and structured cooperation protocols before April 2027. Directly affects the Irish DPC as lead SA for Meta (€1.3B), TikTok (€530M), WhatsApp (€225M), LinkedIn (€310M) and most major US tech firms. Significant IT-system and staffing investment required across national DPAs (Arthur Cox / FEBIS / Caldwell Law, 2025–2026). | National DPAs (lead DPAs under Art. 56 GDPR) + EDPB | Evidence Chain Model™ + Decision Rights Architecture™ |
NIS2 — 21/27 Member States Transposed
Netherlands requires essential/important entities to complete self-assessment by June 2026. Austria NISG 2026 enters force October 2026.
AI Act — Digital Omnibus Extension Proposed
Proposes 6-month extension (to Feb 2027) for synthetic audio/image/video content on market before Aug 2026, pending Code of Practice.
AI Act — August 2026 Deadline
Majority of AI Act provisions apply. Conformity assessments, CE marking, EU database registration required. Transparency obligations on AI-generated content labelling activate.
🇬🇧 United Kingdom — Post-Brexit Regulatory Stack
The UK has shifted from "EU-lite" to a distinct "pro-innovation" regulatory environment — sector regulators (ICO, FCA, Ofcom, NCSC) apply principles within their own domains rather than a single horizontal AI Act. UK Data Adequacy with the EU was renewed in December 2025 through 2031, preserving cross-border data flows.
UK Cybersecurity & Data Protection
| Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|
| UK FCA PS21/3 Operational Resilience | In Force | Financial firms must identify important business services, set impact tolerances, and test ability to remain within tolerances under severe-but-plausible scenarios. Full compliance 31 Mar 2025. | FCA / PRA | Recoverability Mandate™ + Decision Rights Architecture™ |
| FCA/PRA/BoE PS26/2 + PS7/26 Unified Operational Incident & Third-Party Reporting | Published — Applies 18 Mar 2027 | Published 18 March 2026 by FCA (PS26/2), PRA (PS7/26) and Bank of England — unified, single-portal regime for reporting operational incidents and material third-party arrangements to all three regulators simultaneously; effective 18 March 2027. A single notification template, a single register template and a single submission portal (FCA Connect, the centralised platform that routes one submission to all three regulators) reduce duplication for dual-regulated firms. Incident reporting threshold: firms are expected to report within 24 hours of determining that the threshold is met. Material third-party definition harmonised across regulators' statutory objectives; annual register mandatory using aligned templates. Initial, interim and final reporting stages merged into one consolidated report aligned with international standards. Supporting guidance: FCA Finalised Guidance FG26/3 (incidents) and FG26/4 (third-party arrangements). Overlaps significantly with DORA Articles 19 and 28 for cross-border EU/UK groups, enabling an aligned reporting posture. Replaces legacy fragmented multi-regulator notification processes (FCA PS26/2 / PRA PS7/26 / BoE, March 2026). | FCA / PRA / Bank of England | Decision Rights Architecture™ + Recoverability Mandate™ |
| UK GDPR + DPA 2018 | In Force | Appropriate technical and organisational security measures. 72-hour breach reporting to ICO. DPA 2018 supplements UK GDPR for law enforcement and intelligence processing. | ICO | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| NIS Regulations 2018 | In Force | Operators of essential services (energy, health, transport) and digital service providers must implement robust security measures and report incidents. | Sector-specific CAs (Ofcom, Ofgem, ICO) | Recoverability Mandate™ |
| NCSC CAF Cyber Assessment Framework | In Force | UK national framework for assessing cyber security of operators of essential services and critical national infrastructure. Four objectives: Managing Security Risk (A), Protecting Against Cyber Attack (B), Detecting Cyber Security Events (C), Minimising Impact of Incidents (D). 14 security principles assessed via NCSC-led or sector CA-led assessments. | NCSC / Sector CAs (Ofgem, Ofcom, CAA, NHSE) | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™ |
| GovAssure UK Government Cyber Assurance Scheme | In Force | Cabinet Office cross-government cyber assurance programme requiring all UK government departments and arm's-length bodies (ALBs) to complete an annual self-assessment against the NCSC Cyber Assessment Framework (CAF). Departments score across all 14 CAF security principles; results are reported to the Cabinet Office. GovAssure replaces the cyber elements of the legacy HMG Security Policy Framework and aligns with the National Cyber Strategy 2022–2030. From 2024, outcomes feed into HM Treasury-level departmental risk ratings and inform cross-government security investment decisions. | Cabinet Office / NCSC | Board-Survivable Cyber Architecture™ + Decision Rights Architecture™ |
| ECAF Electricity Cyber Assessment Framework (Ofgem) | In Force | Ofgem-enforced cyber assessment framework for UK electricity sector operators of essential services — generation, transmission, distribution, and supply licensees. Applies CAF 14 security principles to IT/OT convergence environments. Profile-based assessment: Ofgem issues improvement plans where gaps are identified. Non-compliance reportable under NIS Regulations 2018. | Ofgem | Control Collapse Model™ + Recoverability Mandate™ |
| Cyber Security & Resilience Bill 2025 | In Progress | Expands NIS Regulations scope to more digital services and supply chains. Tightens incident reporting rules. Increases fines and enhances regulator enforcement powers. Introduced 12 Nov 2025 (House of Commons); completed committee stage; now at report stage. DSIT published Policy Statement of Intent 1 Apr 2026, incorporating lessons from EU NIS2 and international partner consultations. Bill updated 14 Apr 2026 (parliament.uk). Expected to receive Royal Assent in 2026 (Commons Library, Apr 2026; DSIT Policy Statement, 1 Apr 2026). | DSIT / Sector CAs | Decision Rights Architecture™ + Recoverability Mandate™ |
| Product Security Act 2022 PSTI Act | In Force | Security requirements for consumer-connectable products — bans default passwords, mandates vulnerability disclosure, requires minimum security update periods. Non-compliance: fines up to £10M or 4% global turnover, plus £20,000/day for ongoing contraventions (OPSS, 2024). | OPSS | Contract Control Matrix™ |
| Telecoms Security Act 2021 | In Force | Stricter security duties on public telecom providers. Supply chain security requirements for network equipment and services. | Ofcom | Contract Control Matrix™ |
| Computer Misuse Act 1990 | In Force | Criminal offences for unauthorised access to computer material, unauthorised modification, and making/supplying tools for computer misuse. | CPS / NCA | Board-Survivable Cyber Architecture™ |
| Data (Use and Access) Act 2025 | Phased Commencement | Royal Assent 19 Jun 2025. Provisions being brought into force through a series of commencement SIs: No. 5 (SI 2026/31) — intimate image offences, 6 Feb 2026; No. 6 (SI 2026/82) — data protection and privacy provisions (Part 5), 5 Feb 2026; No. 8 (SI 2026/317) — further provisions, 31 Mar 2026. Reforms data protection to simplify compliance for research and AI; clarifies international transfer mechanisms post-Brexit (legislation.gov.uk, SIs 2026/31, 2026/82, 2026/317). | ICO | AI Accountability Stack™ |
| AI Regulation Bill 2025 Private Members' Bill | Proposed | Bill [HL] completed all House of Lords stages (1st reading to 3rd reading); now in House of Commons (2026) for initial stages. Proposes central AI Authority with mandatory registration and reporting for high-risk AI models. Government maintains voluntary sector-led approach; enactment not guaranteed (bills.parliament.uk/bills/3942). | Proposed AI Authority | AI Accountability Stack™ |
| CBEST / STAR-FS / CQUEST BoE/FCA/PRA Threat-Led Testing | In Force | CBEST is the Bank of England / PRA / FCA intelligence-led red-team programme for systemically critical UK financial-services firms — testers emulate real-world adversaries against production systems using threat-intelligence-driven TTPs aligned to MITRE ATT&CK. STAR-FS extends the same methodology to wider financial-market participants (CREST-delivered). CQUEST provides a lighter-touch questionnaire-led cyber self-assessment used for non-systemic firms. 2025 CBEST thematic published Jan 2026 sets out the most common TTPs observed and recurring remediation challenges; PRA supervisory priorities for 2026 confirm continued CBEST/STAR-FS for higher-impact firms with CQUEST for others (Bank of England, FCA, KPMG PRA priorities 2026). | Bank of England / PRA / FCA / CREST | Board-Survivable Cyber Architecture™ + Evidence Chain Model™ |
| Cyber Essentials / Plus NCSC IASME — Mandatory for UK-Gov Contracts | In Force | NCSC-backed baseline cyber-hygiene certification administered by IASME. Five control themes: firewalls, secure configuration, user access control, malware protection, security update management. Cyber Essentials Plus adds independent hands-on technical assessment. Mandatory for many UK central-government contracts handling personal or sensitive data (Procurement Policy Note PPN 09/23 / PPN 09/14 successor). Material uplift post-NCSC 2024 refresh — cloud services explicitly in scope, MFA requirements tightened. Widely used by SME suppliers to demonstrate minimum security maturity to enterprise buyers, insurers, and public-sector primes. | NCSC / IASME (Delivery Partner) | Evidence Chain Model™ + Contract Control Matrix™ |
🇬🇧 UK Digital & AI Regulation Matrix (2026)
The UK has shifted from "EU-lite" to a distinct "pro-innovation" regulatory environment — avoiding one-size-fits-all legislation in favour of giving specific powers to existing sector regulators. Despite 2026 reforms, the UK maintains Data Adequacy with the EU (renewed December 2025 until 2031), allowing cross-border data flows without additional safeguards.
| Regulatory Area | Primary UK Legislation | Lead Regulator | 2026 Status & Key Requirements | Doctrine Response |
|---|---|---|---|---|
| Data Protection | Data (Use and Access) Act 2026 (DUAA) | ICO | Active. Streamlines GDPR; allows "opt-out" for analytics cookies and provides broader consent for scientific research. | Evidence Chain Model™ |
| Artificial Intelligence | Sectoral Principles (Non-statutory) | Distributed (ICO, FCA, CMA) | Active. No single "AI Act." Regulators apply five principles (Safety, Fairness, Transparency, Accountability, Contestability) within their own industries. | AI Accountability Stack™ |
| Cybersecurity | Cyber Security & Resilience Bill 2026 | NCSC | Enforced. Extends NIS1 to include data centres and Managed Service Providers. Mandatory 24-hour incident reporting. | Recoverability Mandate™ + Decision Rights Architecture™ |
| IoT / Smart Tech | PSTI Act 2022 | OPSS | Strict Enforcement. Bans universal default passwords. Mandatory "Security Update" period labels on consumer products. | Contract Control Matrix™ |
| Online Safety | Online Safety Act 2023 | Ofcom | Active enforcement. CSEA reporting duty in force 7 Apr 2026. Ofcom orders 40+ services to revise risk assessments. 77 of top 100 pornography services now have age assurance. Categorisation register delayed to Jul 2026. Technology notices guidance due Apr 2026. | Decision Rights Architecture™ |
| Digital Markets | DMCC Act 2024 | CMA (DMU) | Active. Targets "Strategic Market Status" firms to prevent anti-competitive behaviour in mobile ecosystems and search. | Contract Control Matrix™ |
UK vs Ireland/EU — Critical Regulatory Differences (2026)
| Feature | United Kingdom (2026) | Ireland / EU (2026) |
|---|---|---|
| AI Oversight | Sector-led: No new laws; existing regulators (FCA, ICO) adapt principles to their domains. | Centralised: The EU AI Act provides a single, horizontal law for all sectors. |
| Cookie Consent | Less Strict: Moving toward "Opt-out" for non-intrusive tracking. | Strict: "Reject All" buttons must be as prominent as "Accept All." |
| Cyber Liability | Supply Chain Focus: Targets providers like data centres and IT managed services. | Board Liability: Personal legal liability for CEOs/Boards under NIS2 Art. 20. |
| Automated Decisions | Flexible: Broadens "lawful bases" for AI-driven decision making. | Restricted: Users have a strong "Right to Explanation" and human intervention. |
| Data Adequacy | Maintained & Renewed: Adequacy renewed December 2025 until 2031 — data flows from Dublin to London without extra paperwork. | Standard: GDPR adequacy decisions and SCCs govern cross-border transfers. |
PSTI Enforcement
Retailers and importers face massive fines if selling smart devices with default passwords or missing security update information.
Online Safety — Hash Matching
Ofcom's final codes take effect, requiring platforms to proactively block non-consensual intimate imagery.
AI Safety Institute Testing
UK AI Safety Institute begins mandatory pre-deployment testing for "frontier" AI models developed or significantly deployed within the UK.
ICO Enforcement Procedural Guidance
ICO published draft guidance on data protection investigation and enforcement procedures under the new powers granted by the Data (Use and Access) Act.
FCA/PRA Operational Incident Reporting
Final policy statements introducing unified operational incident reporting framework. Single submission process across regulators now active.
🇮🇪 Ireland — EU "One-Stop-Shop" Jurisdiction
Ireland's regulatory environment has transitioned from high-level EU directives to specific, enforceable Irish statutes. Ireland holds a unique "Single Point of Contact" role for many multinational tech firms — Irish regulators often act as lead enforcer for the entire EU under the "One-Stop-Shop" mechanism.
🇮🇪 Ireland Digital Regulation Matrix (2026)
| Regulatory Area | Key Irish Legislation | Primary Oversight Body | 2026 Status & Key Focus | Doctrine Response |
|---|---|---|---|---|
| Data Protection | Data Protection Act 2018 (Revised 2026) | Data Protection Commission (DPC) | Active. Enhanced focus on "Dark Patterns" in UI/UX and mandatory "Right to be Forgotten" for children's data. | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| Cybersecurity | National Cyber Security Bill 2024/26 | National Cyber Security Centre (NCSC) | Pre-enactment (NIS2). National Cyber Security Bill at advanced legislative stage — included as "priority" legislation in Government Programme Autumn 2025. NCSC expects enactment by end of 2026; introduces self-registration requirement (tentative July 2026 launch; 3-month window for entities to register). Places the NCSC on a statutory footing; introduces personal liability for Board members regarding cyber negligence. EC formal notice issued for failure to transpose by Oct 2024 deadline; referral to CJEU remains possible (Bird & Bird/NCSC/Enactia, Apr 2026). | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™ |
| Artificial Intelligence | Regulation of AI Bill 2026 | AI Office of Ireland (Oifig IS) | Transitional (targeting 1 Aug 2026 statutory establishment). General Scheme of the AI Bill published Feb 2026; Oifig IS currently operating on an administrative basis, coordinating AI Act enforcement across existing sector regulators (Central Bank, DPC, etc.). | AI Accountability Stack™ |
| Data Sharing / IoT | Data Bill 2025/26 | CCPC & ComReg | Implementation. Transposes the EU Data Act; ensures users can access and move data generated by connected devices (IoT). | Contract Control Matrix™ |
| Online Safety | Online Safety & Media Regulation Act | Coimisiún na Meán | Active. Governs harmful content on social media and video platforms; can issue fines up to €20m or 10% of turnover. | Decision Rights Architecture™ |
| Digital Services | Digital Services Act 2024 (Revised 2026) | Coimisiún na Meán | Active. Regulates online marketplaces and intermediaries to prevent illegal content and ensure transparency in advertising. | AI Accountability Stack™ |
Cyber Incident: 24 Hours
Under the 2026 Cyber Security Bill (NIS2), "Essential" and "Important" entities must provide an early warning to the NCSC within 24 hours of a significant incident.
AI Fines: Up to €35m / 7%
The AI Bill introduces penalties up to €35m or 7% of global turnover for prohibited AI practices. Dual-supervision applies when AI processes personal data (DPC + AI Office).
AI High-Risk Registry
Providers of high-risk AI systems (recruitment, credit scoring) must register in the National AI Register managed by Oifig IS before deployment.
CCPC/DPC Joint AI Consumer-Protection Workshop (7 May 2026)
The Competition & Consumer Protection Commission and the Data Protection Commission convene a joint AI consumer-protection workshop on 7 May 2026, examining unfair automated pricing, synthetic-media manipulation, and GDPR Article 22 automated-decision compliance. Entities using consumer-facing AI should review transparency obligations and complaint-handling procedures. NCSC-IE concurrent threat bulletin (4 May 2026): elevated advisory on AI-assisted phishing targeting Irish financial-services sector — correlates with EDPB CEF 2026 findings on cross-border AI processing. (DPC/CCPC/EC/NCSC-IE/CBI/CISA/EDPB, 4 May 2026)
🇺🇸 United States — Federal, Sector & State Layers
The US operates a multi-layered regulatory stack: federal cyber rules (CIRCIA, CMMC, SEC, HIPAA), sector regulators (FTC, HHS OCR, NYDFS, TSA, CISA), and an expanding patchwork of state AI and privacy laws. EO 14179 (Jan 2025) rescinded the Biden AI EO and shifted federal AI policy toward deregulation, but state-level AI statutes (Colorado, Texas, California) and sector rules remain in force.
🇺🇸 US Cybersecurity, Healthcare & AI Regulation Matrix (2026)
UK and EU firms with US operations, US-person data, or federal contracts are typically in scope.
| Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|
| SEC Cyber Rules US — Global Impact | In Force | Material cyber incident disclosure within 4 business days. Annual reporting of cyber risk management, strategy, and governance. Board-level oversight requirements. | SEC / DOJ | Board-Survivable Cyber Architecture™ |
| US Data Security Rule 28 CFR Part 202 — Global Impact | In Force | Implements Executive Order 14117. Prohibits and restricts US persons from engaging in covered data transactions that give "countries of concern" (China, Russia, Iran, North Korea, Cuba, Venezuela) or covered persons access to bulk US sensitive personal data (genomic, biometric, health, geolocation, financial, personal identifiers) and US government-related data. Effective 8 Apr 2025; full compliance (due diligence, audit, reporting) required from 6 Oct 2025. Extraterritorial reach — UK/EU firms with US operations or US-person data in scope. Civil penalties up to ~$377K per violation or 2× transaction value; criminal penalties up to $1M and 20 years imprisonment (DOJ NSD, 2025). | DOJ National Security Division | Contract Control Matrix™ + Evidence Chain Model™ |
| HIPAA Security Rule 45 CFR Part 164 subpart C | In Force | Covered entities and business associates must implement administrative, physical, and technical safeguards for ePHI. Risk analysis, access controls, audit logs, encryption "where reasonable and appropriate." Breaches affecting 500+ individuals reportable to HHS OCR within 60 days. Civil penalties up to $2.13M per violation category per year (2025 adjusted). | HHS Office for Civil Rights (OCR) | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| HIPAA Security Rule NPRM Proposed Amendment 2025 | Proposed | HHS OCR Notice of Proposed Rulemaking published 6 Jan 2025. Removes "addressable" vs "required" distinction — all implementation specifications become mandatory. Adds explicit MFA, encryption (at-rest and in-transit), asset inventory, network segmentation, annual compliance audits, and 72-hour incident restoration requirements. Final rule expected 2026 post-comment-review. | HHS OCR | Recoverability Mandate™ + Evidence Chain Model™ |
| HIPAA Privacy Rule + HITECH | In Force | Governs use and disclosure of Protected Health Information. HITECH Act (2009) expanded HIPAA, introduced breach notification, and increased penalties. The 2024 Reproductive Health Care Privacy final rule (effective 25 Jun 2024, compliance date 23 Dec 2024) restricted disclosure of reproductive-health PHI for criminal investigations, but was largely vacated nationwide by the US District Court for the Northern District of Texas in Purl v. HHS (Jun 2025), so the pre-2024 Privacy Rule text governs those disclosures. | HHS OCR / State AGs | Contract Control Matrix™ |
| HITRUST CSF v11 Health Information Trust Alliance Common Security Framework | Active (v11.4 — Apr 2025) | HITRUST CSF is the most widely used security-assurance framework in the US healthcare sector: many major US health plans, hospital systems, and pharma BAAs require a HITRUST report as a condition of vendor onboarding. Harmonises HIPAA Security Rule, NIST CSF 2.0, NIST SP 800-53 r5, ISO/IEC 27001:2022, PCI DSS v4.0.1, GDPR, CCPA, FedRAMP, and 40+ other authoritative sources into a single control framework with three certifiable assurance tiers: e1 (essentials, ~44 controls), i1 (implemented, ~182 controls), r2 (risk-based, validated assessment 200–2,000+ controls). v11.4 added AI-system controls aligned to NIST AI RMF 1.0 and ISO/IEC 42001:2023. HITRUST is a private certification body: a HITRUST certificate is contractual evidence of control maturity, not a statutory HIPAA safe harbour, and HHS OCR operates no mutual-recognition arrangement with it. Increasingly adopted by US public-sector and federal contractors as a HIPAA-defensible assurance baseline. | HITRUST (private certification body); HHS OCR remains the HIPAA regulator | Evidence Chain Model™ + Contract Control Matrix™ |
| CIRCIA Cyber Incident Reporting for Critical Infrastructure Act 2022 | Rulemaking Pending | The Act (2022) is in force; CISA implementing regulations (final rule) delayed to May 2026+. Core proposed obligations: 72h reporting for significant cyber incidents; 24h for ransomware payments; covers 16 critical infrastructure sectors. Non-compliance triggers CISA subpoena authority and DOJ referral. DHS appropriations lapse in March–April 2026 caused postponement of scheduled CIRCIA town hall meetings, likely pushing final rule beyond May 2026 (CISA NPRM; CyberScoop / Davis Wright Tremaine, 2025–2026). | CISA | Recoverability Mandate™ + Decision Rights Architecture™ |
| CMMC 2.0 32 CFR Part 170 / 48 CFR (DFARS) | In Force | Cybersecurity Maturity Model Certification — mandatory for the Defense Industrial Base (DoD estimates in the hundreds of thousands of contractors and subcontractors). Three-tier model: Level 1 (Foundational, the 15 FAR 52.204-21 safeguards, annual self-assessment), Level 2 (Advanced, the 110 NIST SP 800-171 requirements), Level 3 (Expert, adds selected NIST SP 800-172 requirements). The 32 CFR Part 170 programme rule took effect 16 Dec 2024; the DFARS clause 252.204-7021 is phased into contracts from late 2025 onward. Level 2 requires a C3PAO third-party assessment for most contracts (self-assessment is permitted only where the solicitation allows it); Level 3 assessments are conducted by DCMA's DIBCAC, not by C3PAOs. | DoD CIO / DCMA DIBCAC / C3PAOs | Contract Control Matrix™ + Board-Survivable Cyber Architecture™ |
| NYDFS Cybersecurity Regulation 23 NYCRR Part 500 (Amendment 2) | In Force | New York Department of Financial Services rule for covered financial entities. Amendment 2 (Nov 2023) phased-in through Nov 2025: CISO annual report to board, MFA on all remote access and privileged accounts, endpoint detection & response, documented incident response plan, 72-hour notification of cybersecurity events, annual certification by senior officer or board. | NYDFS | Decision Rights Architecture™ + Evidence Chain Model™ |
| FFIEC IT Examination Handbook Federal Financial Institutions Examination Council — Architecture, Infrastructure & Operations + Cybersecurity Assessment Tool | Active Supervisory Standard | The FFIEC IT Examination Handbook is the binding supervisory expectation for US banks, savings associations, credit unions, and bank holding companies — examined by the Fed, OCC, FDIC, NCUA and CFPB. Booklets cover Information Security, Architecture & Infrastructure, Operations, Outsourcing Technology Services, Business Continuity Management, Wholesale Payment Systems, Retail Payment Systems, Audit, and Management. The FFIEC Cybersecurity Assessment Tool (CAT) was formally retired on 31 Aug 2025 in favour of NIST CSF 2.0 and the Cyber Risk Institute (CRI) Profile — examiners now expect institutions to map cyber maturity to the CSF 2.0 functions (Govern, Identify, Protect, Detect, Respond, Recover). Key cross-references: GLBA Safeguards Rule, SEC Reg S-P, NYDFS 23 NYCRR 500, OCC Heightened Standards (12 CFR Part 30 App D), and OSFI B-13 (cross-border for Canadian-parent banks). Findings flow through MRA / MRIA escalation; repeat or systemic deficiencies trigger formal enforcement (consent orders, civil money penalties, board removal). | FFIEC (Fed / OCC / FDIC / NCUA / CFPB) | Sovereign Banking Protocol™ + Decision Rights Architecture™ |
| FTC Safeguards Rule 16 CFR Part 314 (GLBA) | In Force | Non-bank financial institutions must implement written information security program with designated Qualified Individual, risk assessment, access controls, encryption, MFA, continuous monitoring, annual penetration testing, incident response plan, and board reporting. 2023 amendment added 30-day breach notification to FTC for events affecting 500+ consumers. | FTC | Contract Control Matrix™ + Evidence Chain Model™ |
| SOX (Sarbanes-Oxley Act) 15 U.S.C. § 7201 — IT Audit & Financial Controls | In Force | Sarbanes-Oxley Act 2002 imposes IT general controls (ITGC) and application controls requirements on public companies and their subsidiaries with US listings. Section 302 (CEO/CFO quarterly certifications) and Section 404 (annual management & auditor attestation of internal controls over financial reporting) drive significant information security obligations: access controls, change management, segregation of duties, audit logging, and vulnerability management. SOX PCAOB AS 2201 sets external auditor standards for ICFR. SOC 1 Type II (formerly SAS 70) reports are the primary third-party assurance mechanism for service organisations in scope. Financial institutions and global companies with NYSE/NASDAQ listings are in scope regardless of HQ jurisdiction. | SEC / PCAOB | Audit-Proof by Design™ + Decision Rights Architecture™ |
| FedRAMP FedRAMP Authorization Act (44 U.S.C. §§ 3607–3616) / OMB M-24-15 | In Force | Federal Risk and Authorization Management Program. Cloud services used by federal agencies must achieve authorization (Low / Moderate / High / Li-SaaS) against NIST SP 800-53 controls. OMB M-24-15 (Jul 2024) modernised the programme and replaced the Joint Authorization Board with the FedRAMP Board; the FedRAMP 20x initiative (launched 2025) moves toward automated, machine-readable evidence and continuous authorization. Agencies must obtain authorization before procurement. | GSA FedRAMP PMO / FedRAMP Board | Contract Control Matrix™ |
| NIST CSF 2.0 + AI RMF 1.0 | Reference | NIST Cybersecurity Framework 2.0 (Feb 2024) adds the Govern function; widely referenced by regulators (SEC, FTC, HHS, DoD). NIST AI Risk Management Framework 1.0 (Jan 2023) + Generative AI Profile (NIST AI 600-1, Jul 2024) provide a voluntary structure for AI governance; federal agencies first adopted it under OMB M-24-10, since superseded by OMB M-25-21 (Apr 2025), which still points agencies to the AI RMF. Apr 2026 update: NIST released a concept note (7 Apr 2026) for an AI RMF Profile on Trustworthy AI in Critical Infrastructure — guiding critical-infrastructure operators to specific AI risk-management practices; initial public draft expected mid-2026. NIST AI RMF 1.1 addenda and expanded sector profiles anticipated through 2026. | NIST (voluntary) / adopted by sector regulators | AI Accountability Stack™ + Decision Rights Architecture™ |
| EO 14144 Strengthening & Promoting Innovation in the Nation's Cybersecurity (Jan 2025) | In Force | Final Biden cyber EO signed 16 Jan 2025. Mandates secure software development attestations for federal vendors, post-quantum cryptography transition milestones, software bill of materials (SBOM), and AI cyber-defence research. Partially modified by Trump EO 14306 (Jun 2025) but core secure-software and PQC provisions remain. | OMB / CISA / NIST | Contract Control Matrix™ |
| EO 14179 Removing Barriers to American Leadership in AI (Jan 2025) | In Force | Rescinded Biden EO 14110 (Oct 2023). Directs federal agencies to review and remove AI-related regulations deemed to impede innovation. OMB M-25-21 and M-25-22 (Apr 2025) revised federal AI use policy. Does not remove statutory AI obligations or state AI laws; voluntary NIST AI RMF guidance remains. | OMB / OSTP | AI Accountability Stack™ |
| Colorado AI Act SB 24-205 — first comprehensive state AI law | Effective 30 Jun 2026 | Imposes duty of reasonable care on developers and deployers of "high-risk AI systems" (consequential decisions in employment, education, finance, healthcare, housing, insurance, legal services) to prevent algorithmic discrimination. Requires impact assessments, risk management program, annual AG filing, and consumer disclosure & appeal rights. Enforced by Colorado AG. Note: Implementation delayed from 1 Feb 2026 to 30 Jun 2026 by SB 25B-004, signed 28 Aug 2025; Colorado legislature actively considering further substantive amendments before the June 2026 effective date (Colorado General Assembly, SB25B-004, Aug 2025). | Colorado Attorney General | AI Accountability Stack™ + Evidence Chain Model™ |
| Texas Responsible AI Governance Act TRAIGA — HB 149 | In Force | In force since 1 Jan 2026. Prohibits AI systems intentionally developed for unlawful discrimination, social scoring, or manipulating human behaviour to cause harm. Governmental use restrictions on biometric ID and emotion recognition. Creates Texas AI Council. Enforced by Texas AG with civil penalties up to $200,000 per violation and 60-day cure period (Texas HB 149 / TRAIGA, eff. 1 Jan 2026). | Texas Attorney General | AI Accountability Stack™ |
| California AI Statutes SB 942 Transparency · SB 53 Frontier AI · AB 2013 | In Force | SB 942 California AI Transparency Act (effective 1 Jan 2026) requires AI-generated content disclosure and provenance tools for large AI platforms. SB 53 Transparency in Frontier Artificial Intelligence Act (signed Sep 2025) mandates safety framework publication and critical-safety-incident reporting for frontier model developers. AB 2013 training-data transparency effective Jan 2026. | California AG / CPPA | AI Accountability Stack™ |
| NYC Local Law 144 AEDT — Automated Employment Decision Tools | In Force | Employers using automated decision tools for hiring or promotion of NYC-based candidates must conduct annual independent bias audit, publish summary of results, and provide candidate notice at least 10 business days before use. Civil penalties up to $1,500 per violation per day. | NYC Department of Consumer & Worker Protection | AI Accountability Stack™ |
| CCPA / CPRA California Consumer Privacy Act as amended by CPRA | In Force | Rights of access, deletion, correction, portability, opt-out of sale/sharing, and limit-use of sensitive personal information for California residents. CPPA regulations on automated decision-making technology (ADMT), risk assessments, and cyber audits finalised 2025. Civil penalties up to $7,500 per intentional violation plus statutory damages for breaches. | California Privacy Protection Agency (CPPA) / CA AG | Evidence Chain Model™ + Contract Control Matrix™ |
| State Comprehensive Privacy Laws 20+ states — VCDPA, CPA, CTDPA, UCPA, OCPA, TIPA, DPDPA, ICDPA, TDPSA, MCDPA, NHCDPA, NJDPA, INCDPA, KCDPA, RIDPA, MNCDPA, MDPA, etc. | Patchwork — In Force | As of 2026, 20+ states have enacted comprehensive consumer privacy laws with broadly similar rights (access, delete, correct, opt-out of targeted advertising, sale, profiling). Sensitive-data opt-in in most. Global Privacy Control signal recognition mandatory in several (CA, CO, CT, TX). Each state AG enforces; no federal preemption. Maryland MODPA — widely regarded as the strictest US state statute — moved into enforcement on 1 Apr 2026 (two-stage: effective 1 Oct 2025, applying to processing activities from 1 Apr 2026): strict data-minimisation, a flat prohibition on selling sensitive data (even with consent), under-18 targeted-advertising ban, and Maryland AG enforcement with 60-day cure and civil penalties up to $10,000 first violation / $25,000 subsequent (MD AG / Koley Jessen / OneTrust, Apr 2026). | State Attorneys General | Contract Control Matrix™ |
| TSA Security Directives Pipeline SD-02 · Rail · Aviation | In Force | Post-Colonial Pipeline. Pipeline Security Directive 2021-02 (revised 2024) mandates TSA-approved cybersecurity implementation plans, annual assessments, and 24-hour incident reporting to CISA. Parallel directives for passenger/freight rail and aviation operators of TSA-regulated critical infrastructure. | TSA / CISA | Recoverability Mandate™ + Decision Rights Architecture™ |
| NERC CIP North American Electric Reliability Corporation — Critical Infrastructure Protection (CIP-002 through CIP-014) | In Force (CIP-015-1 effective 1 Oct 2028) | NERC CIP is the mandatory bulk-electric-system cybersecurity standard for North American transmission and generation operators, enforced under FERC delegated authority across the contiguous US and by provincial regulators in Canada. The CIP suite (CIP-002 asset categorisation through CIP-014 physical security) governs identification, secure access, system management, incident response, recovery, vulnerability assessment, configuration change management, information protection, and supply-chain risk for high/medium/low-impact BES Cyber Systems. CIP-013-2 (supply-chain risk management) and CIP-003-9 (low-impact vendor electronic remote access) are the most active enforcement areas. CIP-015-1 (Internal Network Security Monitoring) was approved by FERC in June 2025 (Order No. 907), with a 1 Oct 2028 effective date for high-impact and medium-impact-with-ERC systems. Penalties up to ~US$1.4M per violation per day under FPA Section 316A (inflation-adjusted); 2025 settlements crossed US$30M aggregate (NERC public notices). Cross-mapped to ISO/IEC 27019:2024, NIST SP 800-82r3, and IEC 62443. | NERC / FERC / Regional Entities (MRO, NPCC, RF, SERC, Texas RE, WECC) | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| FISMA Federal Information Security Modernization Act 2014 — 44 U.S.C. §§ 3551–3558 | In Force | Requires federal agencies and contractors operating federal information systems to implement NIST SP 800-53 controls, conduct annual independent assessments, and perform continuous monitoring reported through the CISA CDM programme. Cloud services consumed by agencies satisfy their FISMA obligations through FedRAMP authorization (see above). | OMB / CISA / Agency CIO | Evidence Chain Model™ |
| 21 CFR Part 11 FDA Electronic Records & Electronic Signatures | In Force | FDA regulation governing electronic records and electronic signatures used in FDA-regulated activities (pharma, medical device, biologics, food, tobacco). Applies to any system that creates, modifies, maintains, archives, retrieves, or transmits records subject to FDA predicate rules (GxP). Controls include audit trails, access controls, electronic signature authenticity, validation of computerised systems (CSV/CSA), and record integrity (ALCOA+ principles). Closely paired with EU Annex 11, MHRA Data Integrity guidance, and PIC/S PI 041-1. Enforcement via FDA 483s, Warning Letters, consent decrees, and Application Integrity Policy (AIP) actions. | FDA / OCI / CDER / CBER / CDRH | Evidence Chain Model™ + Contract Control Matrix™ |
| FDA Software as a Medical Device (SaMD) 21 CFR Part 820 / QMSR / FDA AI/ML Action Plan | In Force | FDA regulatory framework for software that qualifies as a medical device. Builds on IMDRF SaMD risk categorisation (Categories I–IV). Premarket pathways: 510(k), De Novo, PMA. FDA AI/ML Action Plan (2021) and Predetermined Change Control Plan (PCCP) guidance (Dec 2024) allow AI-enabled device software functions to be updated post-market within a pre-approved change envelope, including continuously-learning models. The Quality Management System Regulation (QMSR; final rule published Feb 2024, effective 2 Feb 2026) aligns 21 CFR Part 820 with ISO 13485:2016. Cybersecurity premarket submissions must meet FD&C Act §524B (PATCH Act) requirements — SBOM, CVE monitoring, and a post-market update plan. | FDA CDRH / Digital Health Center of Excellence | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| NIST Privacy Framework NIST PF 1.0 / Core Functions: Identify-P, Govern-P, Control-P, Communicate-P, Protect-P | Active Standard | NIST Privacy Framework 1.0 (Jan 2020) is the de facto US privacy risk-management companion to NIST CSF 2.0. Voluntary, outcome-based; structured around five Core Functions that extend cybersecurity risk management into privacy engineering. Referenced in HHS, DoC, and agency privacy impact assessments; commonly mapped to CCPA/CPRA, state comprehensive privacy laws, HIPAA Privacy Rule, and FTC Section 5 unfairness/deception theory. PF 1.1 is under way: an initial public draft was released in Apr 2025 to realign with CSF 2.0, reflect state-law convergence and AI-system privacy impacts, with final publication expected in 2026. | NIST ITL / Privacy Engineering Program | Decision Rights Architecture™ + Contract Control Matrix™ |
CIRCIA: 24h / 72h
Critical infrastructure entities must report ransomware payments within 24 hours and substantial cyber incidents within 72 hours to CISA — fastest US federal reporting clock.
HIPAA: $2.13M per Category
2025 adjusted penalties — HHS OCR can impose up to $2.13M per violation category per calendar year for wilful neglect, plus state AG and private-action exposure post-HITECH.
State AI Laws: Texas Live, Colorado Deferred
Texas TRAIGA live since 1 Jan 2026; Colorado AI Act deferred to 30 Jun 2026 (SB 25B-004) with further amendments in negotiation. Impact assessments, risk programmes, and AG notification remain required before high-risk deployment — US state AI compliance has bifurcated into an active Texas regime and a pending Colorado one.
🌐 Cross Border — Transfers, Safe Harbour, Shared Themes
The transatlantic transfer regime sits on the EU-US Data Privacy Framework (with UK and Swiss extensions), standard contractual clauses, and binding corporate rules — backed by US statutory safe-harbours under HIPAA, COPPA, FERPA and GLBA. This panel aggregates the cross-border mechanisms and cross-regulatory themes that apply regardless of home jurisdiction.
🔐 US Data Protection & Safe Harbour / Cross-Border Transfer Frameworks
Since the CJEU struck down Safe Harbour (Schrems I, 2015) and Privacy Shield (Schrems II, 2020), the transatlantic transfer regime has been rebuilt on the EU-US Data Privacy Framework, with a UK extension and a Swiss extension. US federal and sector rules provide additional de-identification and lawful-basis "safe harbours" that often operate alongside the DPF. Any UK/EU controller transferring personal data to the US should confirm which mechanism is current and retain TIA (Transfer Impact Assessment) evidence.
| Framework / Rule | Status | Scope & Key Provisions | Authority | Doctrine Response |
|---|---|---|---|---|
| EU-US Data Privacy Framework DPF — Adequacy Decision (EU) 2023/1795 | In Force | European Commission adequacy decision adopted 10 Jul 2023, permitting personal data transfers to self-certified US organisations without SCCs or BCRs. Certification administered by US Department of Commerce; enforceable by FTC or DoT. Underpinned by EO 14086 signals-intelligence safeguards and the new Data Protection Review Court (DPRC). First periodic review completed Oct 2024; second review due 2027. | European Commission · US DoC · FTC · DPRC | Contract Control Matrix™ + Evidence Chain Model™ |
| UK Extension to EU-US DPF UK-US "Data Bridge" | In Force | Data Protection (Adequacy) (United States of America) Regulations 2023 — in force 12 Oct 2023. Permits transfers of UK personal data to US organisations that have additionally self-certified to the UK Extension of the DPF. Requires specific categories (journalistic, HR, sensitive) to be flagged at certification; ICO retains supervisory jurisdiction for UK data subjects. | UK DSIT · ICO · US DoC | Contract Control Matrix™ |
| Swiss-US Data Privacy Framework | In Force | Swiss FDPIC recognition of US DPF for transfers under the Federal Act on Data Protection (nFADP). Active since 15 Sep 2024. Self-certification adds a Swiss annex to the US DoC DPF programme; FDPIC supervisory role preserved. | Swiss FDPIC · US DoC | Contract Control Matrix™ |
| EO 14086 + DPRC Signals Intelligence Safeguards (Oct 2022) | In Force | Executive Order "Enhancing Safeguards for United States Signals Intelligence Activities" — legal backbone of the DPF. Limits bulk collection to defined national-security purposes, imposes necessity/proportionality tests, and establishes the Data Protection Review Court as binding redress for EU/UK/Swiss data subjects. Retained under the 2025 administration. | ODNI · DoJ · DPRC | Evidence Chain Model™ |
| Standard Contractual Clauses EU SCCs 2021/914 · UK IDTA / Addendum | In Force | Alternative GDPR/UK GDPR lawful-transfer mechanism when DPF self-certification is not available. Requires documented Transfer Impact Assessment (TIA) under Schrems II — assessing US surveillance exposure and supplementary measures (encryption, pseudonymisation, contractual controls). UK IDTA or International Data Transfer Addendum used for UK-origin data. | Data exporter (accountability) · EDPB · ICO | Contract Control Matrix™ + Evidence Chain Model™ |
| Binding Corporate Rules BCRs — GDPR Art. 47 | In Force | Intra-group transfer mechanism for multinationals with US affiliates. Requires lead DPA approval, binding internal policies, third-party beneficiary rights, and ongoing audit. EDPB Recommendations 1/2022 set updated requirements; ICO operates parallel UK BCR approval route. | Lead EU DPA · ICO · EDPB | Decision Rights Architecture™ + Contract Control Matrix™ |
| HIPAA De-Identification "Safe Harbor" 45 CFR § 164.514(b)(2) | In Force | Two HIPAA-recognised de-identification methods: Expert Determination (§ 164.514(b)(1)) and Safe Harbor. Safe Harbor requires removal of 18 specified identifiers (names; geographic subdivisions smaller than a state, except the first three ZIP digits where that ZIP3 area contains more than 20,000 people; all date elements except year, with ages over 89 aggregated to "90 or older"; contact details; SSNs; medical-record, health-plan, account and licence numbers; vehicle and device identifiers; URLs and IP addresses; biometrics; full-face photographs; any other unique identifying code) and no actual knowledge that the remaining data could identify an individual. De-identified data falls outside HIPAA restrictions. | HHS OCR | Evidence Chain Model™ |
| COPPA Safe Harbor Programs 16 CFR § 312.11 | In Force | FTC-approved self-regulatory safe harbours for the Children's Online Privacy Protection Act (operators of sites/apps directed at children under 13). Participation in an approved program (e.g. kidSAFE, PRIVO, TRUSTe/TrustArc, ESRB) shifts primary enforcement to the program with annual audits and FTC oversight. 2025 COPPA Rule update strengthens parental-consent and data-minimisation obligations. | FTC (oversight) · Approved SRO programs | Contract Control Matrix™ |
| FERPA 20 U.S.C. § 1232g · 34 CFR Part 99 | In Force | Family Educational Rights and Privacy Act — protects student education records at institutions receiving US Department of Education funds. Restricts disclosure without parental / eligible-student consent; includes a school-official exception that many EdTech vendors rely on (contractual FERPA safe-harbour language). 2024 NPRM proposes expanded rights and tighter EdTech vendor controls. | US Department of Education — SPPO | Contract Control Matrix™ |
| GLBA Privacy Rule Regulation P — 12 CFR Part 1016 | In Force | Gramm-Leach-Bliley Act privacy rule. Financial institutions must provide initial and annual privacy notices, offer opt-out of non-affiliate data sharing, and comply with reuse/redisclosure limits. Operates alongside FTC Safeguards Rule (security) to form the US financial privacy stack. | CFPB · FTC · Federal banking agencies | Contract Control Matrix™ |
| APEC Cross-Border Privacy Rules CBPR / Global CBPR Forum | In Force | Voluntary certification for transfers across APEC / Global CBPR Forum economies (US, Japan, Korea, Singapore, Canada, Australia, Taiwan, Philippines, UK associate participation). US administered by FTC-recognised Accountability Agents (e.g. TrustArc, Schellman). Provides a parallel safe-harbour style framework for non-EU international transfers. | Global CBPR Forum · FTC · Accountability Agents | Contract Control Matrix™ |
| DPF Active Monitoring Schrems III Risk | Monitoring | The EU General Court dismissed the first direct challenge to the DPF (Latombe v Commission, T-553/23, Sep 2025); an appeal to the CJEU is pending. Separately, noyb/Schrems has signalled a further challenge on the grounds that EO 14086 still permits bulk collection and that DPRC independence is not guaranteed. A successful CJEU ruling would again invalidate transatlantic transfers made under the DPF. Firms relying solely on DPF self-certification should maintain an SCC/TIA fall-back posture. | CJEU (pending) · EDPB · noyb | Contract Control Matrix™ + Evidence Chain Model™ |
DPF Self-Certification Renewal
DPF participants must re-certify annually with the US Department of Commerce. Lapsed certification immediately invalidates the adequacy basis — data exporters must fall back to SCCs+TIA or suspend transfers.
HIPAA Safe Harbor — 18 Identifiers
A single retained identifier (even ZIP3 in low-population regions, or a date of service more granular than year) defeats the Safe Harbor — Expert Determination becomes the only remaining de-identification route.
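The Safe Harbor rule is mechanical enough to encode, and the two traps above (low-population ZIP3 and age-revealing dates) are exactly where hand-rolled scrubbing tends to fail. The following Python is an added example, not code from this page or from HHS: it applies the Safe Harbor transformations to a flat patient record and then runs an independent pattern check over the output. Field names, the sample record and the low-population ZIP3 subset are all constructed assumptions; a production filter must load the current Census-derived list of restricted ZIP3 prefixes rather than the illustrative subset here.

```python
"""HIPAA Safe Harbor (45 CFR 164.514(b)(2)) de-identification of a flat record.

Constructed example. Field names (keys) and the LOW_POP_ZIP3 subset are
assumptions; replace them with your schema and the current Census-derived list.
"""
import re
from datetime import date

# Identifier categories removed outright. Keys are assumed column names.
DIRECT_IDENTIFIERS = {
    "name", "street", "city", "county", "precinct",          # geo smaller than state
    "phone", "fax", "email", "ssn", "mrn", "health_plan_id",
    "account_no", "license_no", "vehicle_id", "device_id",
    "url", "ip", "biometric", "photo",
}
# Dates are reduced to year only; the year of birth is dropped for ages > 89.
DATE_FIELDS = {"dob", "admit_date", "discharge_date", "death_date"}
# ZIP3 areas with < 20,000 residents must be reported as "000".
# Illustrative subset (assumption); load the current Census list in production.
LOW_POP_ZIP3 = {"036", "059", "063", "102", "203", "556", "692", "790",
                "821", "823", "830", "831", "878", "879", "884", "890", "893"}


def safe_harbor_zip(zip_code, low_pop=LOW_POP_ZIP3):
    """Return the ZIP3 prefix, or '000' for low-population areas, or None."""
    digits = re.sub(r"\D", "", zip_code or "")
    if len(digits) < 3:
        return None
    zip3 = digits[:3]
    return "000" if zip3 in low_pop else zip3


def safe_harbor_age(dob, as_of):
    """Age in whole years, aggregated to '90+' once it exceeds 89."""
    age = as_of.year - dob.year - ((as_of.month, as_of.day) < (dob.month, dob.day))
    return "90+" if age >= 90 else age


def deidentify(record, as_of):
    """Apply the Safe Harbor transformations to one record (dict)."""
    out, age = {}, None
    for key, value in record.items():
        if value is None or key in DIRECT_IDENTIFIERS:
            continue
        if key == "zip":
            zip3 = safe_harbor_zip(value)
            if zip3:
                out["zip3"] = zip3
        elif key in DATE_FIELDS:
            d = date.fromisoformat(value)
            out[key + "_year"] = d.year          # keep year only
            if key == "dob":
                age = safe_harbor_age(d, as_of)
        else:
            out[key] = value                      # state, clinical values pass through
    if age is not None:
        out["age"] = age
        if age == "90+":
            out.pop("dob_year", None)             # birth year would reveal age > 89
    return out


def residual_identifiers(record):
    """Independent check: report fields whose values still look like identifiers."""
    patterns = {
        "ssn-pattern": r"\b\d{3}-\d{2}-\d{4}\b",
        "email": r"[\w.+-]+@[\w-]+\.[\w.]+",
        "full-date": r"\b\d{4}-\d{2}-\d{2}\b",
        "five-digit-number": r"\b\d{5}(-\d{4})?\b",   # ZIP5 or a numeric ID
        "ipv4": r"\b(?:\d{1,3}\.){3}\d{1,3}\b",
    }
    findings = []
    for key, value in record.items():
        for label, pattern in patterns.items():
            if re.search(pattern, str(value)):
                findings.append((key, label))
    return findings


# Constructed sample record; 03601 is in the illustrative low-population set.
SAMPLE = {
    "name": "Jane Doe", "street": "12 Elm St", "city": "Springfield", "state": "NH",
    "zip": "03601", "dob": "1931-03-15", "admit_date": "2025-11-02",
    "email": "jane@example.org", "ssn": "123-45-6789", "mrn": "MRN-00042",
    "ip": "10.0.0.7", "diagnosis_code": "E11.9", "lab_glucose": 142,
}

if __name__ == "__main__":
    print("before:", residual_identifiers(SAMPLE))
    clean = deidentify(SAMPLE, date(2026, 5, 4))
    print("after :", clean, residual_identifiers(clean))
```

The pattern check is deliberately separate from the scrubber: Safe Harbor also requires "no actual knowledge" that the residual data identifies someone, and a second, independent pass over the output is the cheapest evidence that the first pass did not silently leave a free-text note or a mislabelled column untouched.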
Schrems III Watch
Firms transferring EU/UK data to the US should maintain SCC+TIA as a parallel fallback. A CJEU challenge to the DPF could again suspend the adequacy path on short notice, as happened in 2015 and 2020.
🏛 International Enterprise Audit & Risk Management Standards
These frameworks are not jurisdiction-specific regulations but internationally adopted enterprise standards — referenced by procurement teams, enterprise buyers, regulators, and assurance providers across financial services, healthcare, cloud, and critical infrastructure sectors. Demonstrating alignment with or certification against these standards is a core enterprise readiness signal for vendor due diligence and regulated sector deployment.
| Standard / Framework | Status | Scope & Key Requirements | Authority / Body | Doctrine Response |
|---|---|---|---|---|
| ISO/IEC 27001:2022 Information Security Management Systems — Requirements | Current Edition | ISO/IEC 27001:2022 is the foundational international standard specifying requirements for an Information Security Management System (ISMS). The 2022 revision (published 25 Oct 2022) restructured Annex A into 93 controls across four themes (Organisational, People, Physical, Technological) and added 11 new controls covering threat intelligence, cloud services, ICT readiness for business continuity, configuration management, data leakage prevention, web filtering, and secure coding. The 2013 → 2022 transition deadline expired 31 Oct 2025: pre-2022 certificates are now invalid (BSI, LRQA, SGS, A-LIGN). Commonly used as the baseline reference for SOC 2 + ISO dual-certification programmes, as evidence for EU NIS2 Article 21 risk-management measures, in DORA Article 6 (ICT risk management framework) crosswalks, and for the EU AI Act Article 17 quality management system of high-risk AI providers. Treated as the de facto enterprise security ISMS standard for vendor due diligence and regulated-sector procurement. | ISO / IEC JTC 1/SC 27 | Evidence Chain Model™ + Decision Rights Architecture™ |
| ISO/IEC 27005:2022 Information Security Risk Management | Current Edition | ISO/IEC 27005:2022 provides guidance on information security risk management aligned with ISO/IEC 27001. The fourth edition (2022) aligns the risk-treatment loop to ISO 31000, moves from the legacy asset-threat-vulnerability paradigm to an event- and scenario-based approach, and integrates directly with ISO/IEC 27001:2022 Annex A controls. Covers risk identification, analysis, evaluation, treatment, monitoring, and review. ISO/IEC 27001 does not mandate 27005, but certification auditors expect the ISMS risk-assessment methodology to be consistent with its principles, so it is the usual reference for 27001 Clause 6.1 evidence. | ISO / IEC JTC 1/SC 27 | Decision Rights Architecture™ + Evidence Chain Model™ |
| SOC 2 Type 2 AICPA Trust Services Criteria — AT-C Section 205 | Active Standard | AICPA System and Organisation Controls (SOC) 2 Type 2 is the primary enterprise assurance report for technology service providers and SaaS companies handling customer data. Evaluates design and operating effectiveness of controls across five Trust Services Criteria: Security (mandatory), Availability, Processing Integrity, Confidentiality, and Privacy. Type 2 covers an observation period that is typically 6–12 months (AICPA sets no statutory minimum; shorter first-period reports are accepted by some buyers). Widely required by enterprise procurement, financial services buyers, and US federal contractors. SOC 2 + ISO 27001 dual-certification is increasingly the baseline expectation for regulated-sector cloud deployment. The separate AICPA SOC for Cybersecurity examination reports on an entity-wide cybersecurity risk-management programme and is commonly mapped to NIST CSF. | AICPA / Licensed CPA Firms | Contract Control Matrix™ + Evidence Chain Model™ |
| Basel II / Basel III BCBS Operational Risk & Capital Frameworks | In Force (Basel III fully effective Jan 2025) | Basel Committee on Banking Supervision (BCBS) frameworks governing capital adequacy and operational risk management for internationally active banks. Basel II introduced the three-pillar framework (minimum capital, supervisory review, market discipline) and the Advanced Measurement Approach (AMA) for operational risk. Basel III (2010–2017, phased in through Jan 2025) strengthened capital buffers, introduced liquidity ratios (LCR, NSFR), the leverage ratio, and the Standardised Approach for Counterparty Credit Risk (SA-CCR). Operational risk — including cyber and technology risk — is now captured under the Standardised Measurement Approach (SMA), which replaced the AMA. The EBA Guidelines on ICT and Security Risk Management (2019) and the EBA Outsourcing Guidelines (EBA/GL/2019/02) operationalise Basel III operational-risk requirements for EU banks, with DORA now layered on top for ICT third-party risk. Directly relevant to AI governance platforms deployed into financial services: model risk, vendor risk, and operational resilience requirements flow from the Basel capital frameworks. | BCBS / EBA / PRA / FRB / OCC | Sovereign Banking Protocol™ + Decision Rights Architecture™ |
| ISO 22301:2019 Business Continuity Management Systems | Current Edition | ISO 22301:2019 is the international standard for Business Continuity Management Systems (BCMS), specifying requirements to plan, establish, implement, operate, monitor, review, maintain and continually improve a documented management system to protect against, reduce the likelihood of, prepare for, respond to and recover from disruptive incidents. Commonly used as the reference for the DORA Article 11 ICT business continuity policy and Article 12 backup and recovery requirements, and for NIS2 Article 21 (business continuity and crisis management). Increasingly required by enterprise procurement and financial-services assurance programmes; frequently certified alongside ISO/IEC 27001 as a dual-resilience assurance baseline. | ISO / TC 292 (Security and resilience) | Recoverability Mandate™ + Evidence Chain Model™ |
| ISO 27701:2019 Privacy Information Management System (PIMS) — GDPR Extension | Current Edition | ISO/IEC 27701:2019 extends ISO 27001 and ISO 27002 with PII-specific requirements, operationalising GDPR, UK GDPR, and Swiss revFADP controls inside an accredited management system. Defines obligations for PII controllers and processors, including DPIA integration, consent, transparency, data-subject rights, and cross-border transfer controls. Increasingly referenced in EU adequacy assessments, UK ICO Code of Practice audits, and Irish DPC Section 149 reviews. Treated by enterprise procurement as the de facto privacy-by-design certification, particularly for SaaS vendors and AI processors under the EU AI Act Article 10 data-governance requirements. | ISO / IEC JTC 1/SC 27 | AI Accountability Stack™ + Contract Control Matrix™ |
| ISO/IEC 27017:2015 Cloud Security Controls — Extension of ISO 27002 | Active Standard | ISO/IEC 27017:2015 is the code of practice for information security controls for cloud services — a sector-specific extension of ISO/IEC 27002 providing 37 cloud-specific control guidelines and 7 additional cloud-only controls covering shared responsibilities between cloud service providers (CSPs) and cloud service customers (CSCs), virtual environment hardening, CSP asset management, and secure access. Widely paired with ISO 27001:2022 for cloud-deployment certification; referenced in EU NIS2 Article 21 risk-management requirements for cloud services, ENISA cloud security guidelines, and FCA/PRA operational-resilience cloud-outsourcing expectations. ISO 27017 and ISO 27018 (privacy in cloud) form the cloud-security assurance baseline expected by enterprise procurement for SaaS/IaaS/PaaS vendors handling regulated data. Revision (ISO/IEC 27017:2025) pending publication alongside ISO 27002 refresh. | ISO / IEC JTC 1/SC 27 | Contract Control Matrix™ + Evidence Chain Model™ |
| ISO/IEC 27018:2019 Privacy in Cloud — PII Protection by Cloud Service Providers | Active Standard | ISO/IEC 27018:2019 establishes controls and guidance for protection of Personally Identifiable Information (PII) processed by public cloud service providers acting as PII processors. Closely aligned to GDPR Article 28 (processor obligations) and Article 32 (security of processing) — provides the cloud-specific control layer inside ISO 27001:2022 ISMS scope for cloud-processor certification. Relevant to DORA Article 28 ICT third-party risk management, FCA/PRA cloud-outsourcing expectations, NIS2 Article 21 cloud-service security requirements, and enterprise GDPR/UK GDPR transfer-risk assessments for SaaS vendors. Paired with ISO 27017 (cloud security controls) and ISO 27701 (PIMS) as the privacy-in-cloud triple stack. Major cloud providers (AWS, Azure, GCP) all maintain ISO 27018 certificates; SaaS vendors in regulated sectors routinely certify ISO 27001 + 27017 + 27018 as a single procurement-ready assurance package. | ISO / IEC JTC 1/SC 27 | Contract Control Matrix™ + AI Accountability Stack™ |
| ISF IRAM2 Information Risk Assessment Methodology v2 — Information Security Forum | Active Methodology | The Information Security Forum's (ISF) Information Risk Assessment Methodology version 2 (IRAM2) is a structured, business-aligned approach to identifying, assessing, and treating information risk — used by ISF member organisations across financial services, healthcare, telecoms, and critical infrastructure. IRAM2 introduces a six-phase risk-assessment lifecycle (Scoping, Business Impact Assessment, Threat Profiling, Vulnerability Assessment, Risk Evaluation, Risk Treatment) and produces a Risk Treatment Plan aligned to ISF's Standard of Good Practice for Information Security. Widely used alongside ISO 27005 and FAIR for multi-methodology risk quantification — IRAM2 provides a prescriptive, practitioner-grade methodology where ISO 27005 provides principles. Referenced in CISO and enterprise-risk frameworks within Tier-1 financial services, frequently cited in internal audit mandates for cyber-risk evidence in DORA Article 5 (ICT risk appetite) and NIS2 Article 21 (risk management measures) compliance documentation. | Information Security Forum (ISF) | Decision Rights Architecture™ + Evidence Chain Model™ |
| IEC 62443 Industrial Automation & Control Systems (IACS/OT) Security | Active Suite (parts -2-1, -3-2, -3-3, -4-1, -4-2) | IEC 62443 is the foundational international standard for securing Industrial Automation and Control Systems (IACS) and Operational Technology (OT) across process industries, utilities, rail, defence and critical-manufacturing sectors. Defines security levels (SL 1–4), zone-and-conduit reference model, secure product development lifecycle (62443-4-1), technical component requirements (62443-4-2), system integration requirements (62443-3-3), and risk-based security programme requirements (62443-2-1). Recognised as the default OT/ICS assurance baseline under NIS2, the Cyber Resilience Act Annex I (products with digital elements), UK CAF/GovAssure for CNI, and US CISA Cross-Sector Cybersecurity Performance Goals. ENISA references IEC 62443 in its CRA conformity-assessment guidance (2025–2026); Germany's BSI and France's ANSSI accept 62443 as a route to sector compliance for OES/ESS. | IEC / ISA99 | Evidence Chain Model™ + Board-Survivable Cyber Architecture™ |
| MITRE ATT&CK Adversarial Tactics, Techniques & Common Knowledge — v15 (2025) | Actively Maintained | MITRE ATT&CK is the globally adopted adversary behaviour knowledge base — tactics, techniques and sub-techniques observed in real-world intrusions across enterprise, mobile, cloud, ICS, and container environments. Underpins threat-led testing regimes including TIBER-EU, CBEST, and the US CISA/NSA red-team programmes; mapped to NIST CSF 2.0 Detect/Respond functions and referenced by the EU AI Act Article 15 (accuracy, robustness, cybersecurity) as an evidence base for adversarial-robustness assurance. Used by every tier-one CTI team, every Tier-1 SOC, and every board-reporting assurance function in regulated industry. ATT&CK v15 (Oct 2024) extended Cloud and Identity coverage; v16 (Apr 2025) introduced a formal ICS–Enterprise mapping aligned to IEC 62443. | MITRE Corporation | Evidence Chain Model™ + AI Accountability Stack™ |
| TIBER-EU 2.0 / DORA TLPT Threat Intelligence-Based Ethical Red-Teaming — ECB Eurosystem framework | Active & DORA-Aligned | TIBER-EU is the European framework for controlled, intelligence-led red-teaming of critical financial-sector systems. The Eurosystem aligned the framework with the Regulatory Technical Standards on Threat-Led Penetration Testing under DORA Articles 26–27 (2024 revision), and the ECB published the TIBER-EU SSM Implementation Guide in November 2025 plus updated Targeted Threat Intelligence Report (TTIR) guidelines in February 2025. Significant Institutions (SIs) identified by competent authorities must complete TLPT at least every three years using TIBER-EU methodology; TLPT scope, threat intelligence, red-team execution, and closure phases are formally inspectable. Sister frameworks: UK CBEST (Bank of England / FCA / PRA), Saudi FEER, Hong Kong iCAST, Singapore AASE. UK PRA confirmed CBEST evolution as the UK route to DORA-equivalent TLPT for cross-border firms. Penalties for failure flow through DORA Article 50 (administrative penalties up to 1% average daily worldwide turnover, doubled for serious breaches). | ECB Eurosystem / National Competent Authorities | Recoverability Mandate™ + Board-Survivable Cyber Architecture™ |
| SABSA Sherwood Applied Business Security Architecture | Active Framework | SABSA is the leading business-driven enterprise security architecture methodology — used across tier-one banks, telcos, regulators and government departments for translating business risk appetite into traceable security, assurance and operational controls. Six architecture layers (Contextual, Conceptual, Logical, Physical, Component, Operational) plus the SABSA Matrix (Assets/Motivation/Process/People/Location/Time). Complements TOGAF and ISO 27001 by giving the architecture-to-control traceability required by FCA/PRA SYSC, DORA Article 6 (ICT risk management framework), and board-level risk assurance. Certified practitioners (SCF, SCP, SCA, SCM) are now a standard requirement for senior security architect and enterprise risk roles in regulated institutions. | SABSA Institute (The SABSA Institute C.I.C.) | Decision Rights Architecture™ + Board-Survivable Cyber Architecture™ |
| TOGAF 10 The Open Group Architecture Framework | Current Edition (10th) | TOGAF is the industry-standard enterprise architecture framework — maintained by The Open Group and used by over 80% of Forbes Global 50 enterprises. TOGAF 10 (2022) modularises the framework around the Architecture Development Method (ADM), the Enterprise Continuum, and extended guidance for digital, agile, security and risk integration. Frequently paired with SABSA for security architecture and with ArchiMate for modelling. Referenced in UK Cabinet Office procurement standards, EU Commission EIRA (European Interoperability Reference Architecture), and financial-services regulator expectations for ICT change control under DORA Article 16 (simplified framework for smaller firms) and Article 6 (full framework). | The Open Group | Decision Rights Architecture™ |
| OWASP Top 10 & ASVS Application Security Baseline — 2021 & ASVS 4.0.3 | Active Standard | OWASP (Open Worldwide Application Security Project) Top 10 is the de facto global baseline for web application security risk — referenced in PCI DSS 4.0, NIST SP 800-218 SSDF, UK NCSC Secure Development & Deployment guidance, and EU CRA Annex I (products with digital elements). OWASP ASVS (Application Security Verification Standard) 4.0.3 provides a more granular 3-level verification taxonomy used in enterprise procurement, bug-bounty scoping, and pen-test statements of work. OWASP SAMM (Software Assurance Maturity Model) v2 is increasingly cited in secure SDLC assurance for regulated-sector software vendors. | OWASP Foundation | Evidence Chain Model™ |
| CIS Controls v8.1 Center for Internet Security Critical Security Controls | Current Version (v8.1, 2024) | CIS Controls v8.1 is the prioritised, prescriptive cybersecurity baseline — 18 top-level controls mapped to NIST CSF 2.0, ISO 27001:2022 Annex A, PCI DSS 4.0, HIPAA Security Rule, and NIS2 Article 21. Implementation Groups (IG1/IG2/IG3) provide a right-sized adoption path for small, enterprise, and high-value-target organisations. CIS Benchmarks (hardened OS, cloud, container, and application configuration guides) are referenced by FedRAMP, US DoD STIG equivalence mappings, and AWS/Azure/GCP security posture defaults. Widely adopted as the practical implementation layer underneath NIST CSF and ISO 27001. | Center for Internet Security (CIS) | Board-Survivable Cyber Architecture™ + Evidence Chain Model™ |
| SWIFT CSP / CSCF v2025 Customer Security Programme / Customer Security Controls Framework | Mandatory for SWIFT Users | SWIFT CSP (Customer Security Programme) is mandatory for every SWIFT member institution — approximately 11,000 banks, payment systems, and market infrastructures globally. The CSCF (Customer Security Controls Framework) v2025 defines 25 security controls across 7 objectives (restrict internet access, segregate critical systems, reduce attack surface, physical security, prevent credential compromise, detect anomalous activity, plan for incident response). Annual self-attestation to SWIFT KYC-SA is mandatory; independent assurance required for higher-risk profiles. Non-attestation triggers counterparty notification and potential de-risking. Directly relevant to DORA Article 28 (ICT third-party risk) and Basel III operational risk. | SWIFT / S.W.I.F.T. SCRL | Sovereign Banking Protocol™ + Contract Control Matrix™ |
| PCI DSS v4.0.1 Payment Card Industry Data Security Standard — PCI SSC (2024, fully effective 31 Mar 2025) | In Force — Future-Dated Requirements Mandatory | PCI DSS v4.0.1 is the global mandatory security standard for every entity that stores, processes or transmits payment-card data — the five card brands (Visa, Mastercard, AmEx, Discover, JCB) enforce compliance through their acquirer programmes, and Level-1 merchants face independent QSA assessment. Twelve top-level requirements across six goals; v4.0.1 (June 2024) supersedes v3.2.1 (retired 31 Mar 2024). As of 31 Mar 2025 more than 50 future-dated requirements transitioned from best practice to mandatory — the most material being Req. 6.4.3 (inventory, authorisation and integrity of payment-page scripts) and Req. 11.6.1 (automated change/tamper detection for payment-page HTTP headers and scripts), both aimed at client-side Magecart/e-skimming threats. SAQ A merchants must now attest that their site is not susceptible to script-based attacks (PCI SSC bulletin, Apr 2025). Tightly coupled to OWASP Top 10, NIST SP 800-218 SSDF, ISO 27001:2022, and CIS Controls v8.1. Penalties flow through acquirer contracts — monthly fines of US$5,000–$100,000 and potential de-merchanting. Directly relevant to DORA Article 28 (ICT third-party risk) for financial firms and to EU CRA Annex I for payment product manufacturers. | PCI Security Standards Council / Acquirers / Card Brands (Visa · Mastercard · AmEx · Discover · JCB) | Evidence Chain Model™ + Contract Control Matrix™ |
| OWASP Top 10 for LLM Applications OWASP Gen AI Security Project — LLM Top 10 v2.0 | Active Standard | OWASP Top 10 for Large Language Model Applications is the global baseline for LLM-specific application security risks — prompt injection (LLM01), sensitive information disclosure (LLM02), supply-chain (LLM03), data & model poisoning (LLM04), improper output handling (LLM05), excessive agency (LLM06), system-prompt leakage (LLM07), vector & embedding weaknesses (LLM08), misinformation (LLM09), unbounded consumption (LLM10). Referenced by NIST AI RMF Playbook, EU AI Act Annex IV technical documentation, UK AISI model-evaluation guidance, and the NIST CSF 2.0 OLIR (OWASP-LLM-Top10-v2.0-to-CSF-v2.0) published 08 Apr 2026. | OWASP Gen AI Security Project | Evidence Chain Model™ + Decision Rights Architecture™ |
| OWASP Top 10 for Agentic Applications 2026 Edition — Agentic AI Security Baseline | New — 2026 | First globally peer-reviewed framework for autonomous / agentic AI system security — published 2026 by the OWASP Gen AI Security Project with contributions from 100+ industry experts. Extends the LLM Top 10 beyond content-generation risk to the operational risk of agents that plan, act, and make decisions across tool chains. Core threat categories cover goal misalignment, tool misuse, delegated-trust abuse, inter-agent communication (including MCP channels), persistent memory poisoning, and emergent autonomous behaviour. Introduces two mandatory design principles — Least-Agency (extension of Least Privilege) and Strong Observability (goal-state and tool-use logging). Cross-walked to MITRE ATLAS v5.4 agentic techniques and to NIST AI RMF GOVERN function. | OWASP Gen AI Security Project | Decision Rights Architecture™ + Evidence Chain Model™ |
| MITRE ATLAS Adversarial Threat Landscape for AI Systems — v5.4.0 (Feb 2026) | Active — v5.4.0 | MITRE ATLAS is the AI-specific counterpart to MITRE ATT&CK — a living knowledge base of adversarial machine-learning tactics, techniques, and case studies. v5.4.0 (Feb 2026) expanded to 16 tactics, 84 techniques, 32 mitigations, and 42 case studies; added agentic-AI techniques including "Publish Poisoned AI Agent Tool" and "Escape to Host", plus three 2026 case studies covering MCP server compromises, indirect prompt injection via MCP channels, and malicious AI agent deployment. Co-developed with Microsoft, IBM, NVIDIA, Bosch, and Airbus; cited in NIST AI RMF and EU AI Office red-teaming guidance for systemic-risk GPAI models. | MITRE Corporation (ATLAS Project) | Board-Survivable Cyber Architecture™ + Evidence Chain Model™ |
| MITRE D3FEND Defensive Cyber Countermeasure Knowledge Graph | Active — v1.0 (2024+) | MITRE D3FEND is the defensive complement to ATT&CK — a knowledge graph of cyber-defence countermeasures organised by five defensive tactics (Harden, Detect, Isolate, Deceive, Evict) with formal ontology (D3FEND CMO) enabling machine-readable mapping between attacker techniques and defender controls. Used to articulate control coverage in NIST SP 800-53 overlays, CIS Controls mappings, and procurement-stage defensive-capability statements. v1.0 (June 2024) formalised the ontology; continued NSA/IC sponsorship and MITRE ATT&CK-D3FEND crosswalks make it the reference taxonomy for defensible-architecture evidence. | MITRE Corporation / NSA | Board-Survivable Cyber Architecture™ + Evidence Chain Model™ |
| NIST Cyber AI Profile (NISTIR 8596) CSF 2.0 Profile for Artificial Intelligence — Preliminary Draft, Dec 2025 | Draft — Public Comment | NIST's preliminary draft Cybersecurity Framework Profile for Artificial Intelligence (NISTIR 8596), released 16 Dec 2025, overlays three AI Focus Areas — Secure AI, Detect AI-enabled threats, Thwart malicious-use AI — onto the existing CSF 2.0 outcomes. Designed to bridge the CSF and AI RMF so that enterprises can govern AI cyber-risk without running a parallel programme. Initial public draft targeted for 2026 following 45-day comment period; complementary SP 800-53 "Control Overlays for Securing AI Systems" (COSAiS) to follow with implementation-level guidance. Likely to become the reference profile for federal AI-system authorisations (ATOs) under FISMA and FedRAMP. | NIST ITL / AI Safety & Security Program | Board-Survivable Cyber Architecture™ + Decision Rights Architecture™ |
| FAIR Factor Analysis of Information Risk — Risk Quantification Standard | Active Standard | FAIR (Factor Analysis of Information Risk), maintained by the FAIR Institute and adopted by The Open Group (O-RT, O-RA), is the primary international standard for quantitative cyber and operational risk analysis. Decomposes risk into Loss Event Frequency and Loss Magnitude with probabilistic (Monte Carlo) estimation. Increasingly required by audit committees for board-level cyber-risk reporting (aligned with SEC Cyber Rules Item 106 "material" determinations), by insurers for cyber-policy underwriting, and by DORA Article 5 for ICT risk appetite statements. Pairs with NIST SP 800-30 (qualitative), ISO 27005 (process), and COSO ERM (enterprise lens). | FAIR Institute / The Open Group | Decision Rights Architecture™ + Sovereign Banking Protocol™ |
| COBIT 2019 Control Objectives for Information & Related Technologies — ISACA | Current Edition | COBIT 2019 is ISACA's enterprise IT governance and management framework — structured around 40 governance & management objectives across five domains (EDM, APO, BAI, DSS, MEA). Provides design factors enabling tailoring to enterprise context (risk appetite, regulatory landscape, threat profile). Widely referenced in SOX 404 IT general controls, DORA Article 5 (ICT governance), NIS2 Article 20 (governance obligations), and UK FCA SYSC 4 / PRA Supervisory Statement SS2/21 (operational resilience). Increasingly paired with ITIL v4 (service value system) and TOGAF (enterprise architecture) for integrated governance-operations-architecture reference. | ISACA | Decision Rights Architecture™ |
| ITIL v4 Information Technology Infrastructure Library — Axelos / PeopleCert | Current Edition | ITIL v4 is the de facto global standard for IT service management — structured around the Service Value System (SVS) and 34 management practices (general, service, technical). Directly feeds DORA operational-resilience testing and incident-response expectations, NIS2 Article 21 incident handling requirements, and ISO/IEC 20000-1 certification programmes. ITIL 4 Specialist modules (Create, Deliver & Support; Drive Stakeholder Value; High Velocity IT; Digital & IT Strategy) are the reference qualification baseline for enterprise service-management practitioners. Pairs with COBIT (governance), TOGAF (architecture) and NIST CSF / ISO 27001 (security) for integrated operations reference. | Axelos / PeopleCert | Decision Rights Architecture™ + Evidence Chain Model™ |
| ISO/IEC 27019:2024 Information Security Controls for the Energy Utility Industry | Current Edition | ISO/IEC 27019:2024 is the sector-specific extension of ISO/IEC 27002 for the energy utility industry — covering generation, transmission, distribution, and related process-control and automation systems. Adds utility-specific controls for process control domains, IACS (industrial automation & control systems), SCADA, DCS, and smart-grid / smart-metering infrastructure. Directly referenced in EU NIS2 Annex I (energy sector essential entities), UK NCSC CAF profile for utilities, US NERC CIP (crosswalk), and NIST SP 800-82r3 (OT security). Paired with IEC 62443 for product / component certification. | ISO/IEC JTC 1/SC 27 | Board-Survivable Cyber Architecture™ + Evidence Chain Model™ |
| Three Lines Model IIA Three Lines Model (2020 refresh of Three Lines of Defence) | Active Governance Standard | The Institute of Internal Auditors' Three Lines Model (2020) modernises the classical Three Lines of Defence — reframing the relationship between the governing body, management (1st line — operational; 2nd line — risk & compliance), and internal audit (3rd line — independent assurance) around shared-value creation rather than control. Core reference for DORA Article 6 (ICT risk framework governance), NIS2 Article 20 (management body accountability), UK PRA SS2/21 operational resilience, US SEC Cyber Item 106 governance disclosure, and Basel Committee BCBS 239 / SRP. Extended "Five Lines" variants used in systemically-important financial institutions to separate regulatory liaison and external assurance. | Institute of Internal Auditors (IIA) | Decision Rights Architecture™ + Sovereign Banking Protocol™ |
| DAMA-DMBOK 2 Data Management Body of Knowledge — DAMA International | Current Edition | DAMA-DMBOK 2 is the international reference framework for enterprise data management — organised around 11 knowledge areas (Data Governance, Data Architecture, Data Modelling, Storage & Operations, Data Security, Integration & Interoperability, Document & Content, Reference & Master Data, Data Warehousing & BI, Metadata, Data Quality). Increasingly cited in GDPR Article 5 (accuracy, storage limitation, integrity) accountability documentation, EU Data Act data-portability obligations, EU AI Act Article 10 (data governance for high-risk AI systems), and NIST Privacy Framework Core outcomes. Foundational for Chief Data Officer operating models and regulatory data lineage / BCBS 239 compliance. | DAMA International | Decision Rights Architecture™ + Evidence Chain Model™ |
| NIST SP 800-207 (Zero Trust) Zero Trust Architecture — Aug 2020 | Active Standard | NIST SP 800-207 is the canonical reference for Zero Trust Architecture — defined as an architectural approach where trust is never granted implicitly and must be continually evaluated. Six tenets (per-session access, dynamic authentication, context-aware policy, asset-state monitoring, network-transport assumption of compromise, continuous telemetry) feed every major federal Zero Trust mandate: OMB M-22-09, CISA Zero Trust Maturity Model v2.0, DoD Zero Trust Reference Architecture, and EU ENISA ZTA guidelines. Operationalised via NIST SP 800-207A (ZTA cloud native) and SP 1800-35 (ZTA implementation build guide). | NIST ITL | Board-Survivable Cyber Architecture™ |
| NIST SP 800-82r3 (OT Security) Guide to Operational Technology (OT) Security — Sep 2023 | Current Revision (r3) | NIST SP 800-82 Revision 3 is the global reference for securing operational technology — ICS, SCADA, DCS, PLCs, safety-instrumented systems, and industrial IoT. Aligns OT security controls with NIST CSF 2.0, NIST SP 800-53 moderate and high baselines, and ISA/IEC 62443 product and operator standards. Directly referenced in US CISA Cross-Sector Cybersecurity Performance Goals (CPGs), EU NIS2 Annex I sector-specific guidance, UK NCSC CAF for OT-heavy CNI sectors, and the Purdue Model (zoned architecture). Pairs with ISO/IEC 27019 (energy) and NERC CIP (bulk electric systems). | NIST ITL | Board-Survivable Cyber Architecture™ + Evidence Chain Model™ |
| NIST SP 800-61r3 (Incident Response) Incident Response Recommendations and Considerations for CSF 2.0 — Apr 2025 | Current Revision (r3) | NIST SP 800-61 Revision 3 (Apr 2025) replaces the legacy four-phase incident-response lifecycle with a CSF 2.0-aligned outcome model across all six CSF functions (Govern, Identify, Protect, Detect, Respond, Recover). Incident-response considerations are embedded throughout — not siloed — reflecting modern supply-chain, ransomware, and cloud-scale incident reality. Referenced by DORA Article 17 (ICT-related incident management), NIS2 Article 23 (significant incident reporting), SEC Cyber Rules Item 1.05 materiality triggers, CIRCIA 24/72 hour clocks, and FedRAMP continuous-monitoring requirements. | NIST ITL | Recoverability Mandate™ + Evidence Chain Model™ |
Cross-Regulatory Focus Areas
Incident Reporting
Strict timelines across all frameworks: 4 hours (DORA/financial), 24 hours (NIS2 early warning), 72 hours (GDPR breach notification). Non-compliance triggers personal liability for directors.
Supply Chain Security
DORA, NIS2, CRA, and the Telecoms Security Act all emphasise securing the entire ICT supply chain. Third-party risk management is now a regulatory requirement, not a best practice.
Active Surveillance
The EU Cyber Solidarity Act establishes SOC networks for cross-border threat detection. Combined with ENISA strengthening under the revised CSA, the EU is building active defence capability.
⚙️ Operational Technology & ICS — Global Regulatory Landscape
OT/ICS cybersecurity regulation has accelerated sharply following Colonial Pipeline (2021), Oldsmar Water (2021), and sustained VOLTZITE/Sandworm campaigns against industrial infrastructure. Mandatory frameworks now span energy (NERC CIP, NIS2 Annex I, Ofgem CAF), transport (TSA Directives), water, manufacturing (IEC 62443), and defence supply chains. The convergence of IT and OT networks — Purdue Model collapse, industrial IoT, cloud-connected SCADA — has pushed ICS security from niche to board-level regulatory obligation.
OT / ICS Standards & Mandatory Frameworks
| Framework | Status | Jurisdiction | Scope & OT/ICS Requirements | Authority | Doctrine Response |
|---|---|---|---|---|---|
| IEC 62443 IACS / OT Security — Multi-part series | In Force | 🌐 Global | Foundational international standard for OT/ICS/IACS security. Defines Security Levels (SL 1–4), zone-and-conduit reference model, secure product development lifecycle (62443-4-1), component requirements (62443-4-2), system integration requirements (62443-3-3), and risk-based security programme (62443-2-1). Default OT assurance baseline under EU NIS2, Cyber Resilience Act Annex I, UK CAF/GovAssure, and US CISA CPGs. ISA/IEC 62443-4-1 SDL certification is the primary CRA conformity route for OT products (2025–2026). | IEC / ISA99 | Board-Survivable Cyber Architecture™ |
| NIST SP 800-82r3 Guide to Operational Technology (OT) Security — Sep 2023 | In Force | 🇺🇸 USA / 🌐 Global reference | Primary global reference for ICS, SCADA, DCS, PLCs, safety-instrumented systems, and industrial IoT. Aligns OT controls with NIST CSF 2.0, NIST SP 800-53, and ISA/IEC 62443. Referenced in CISA Cross-Sector CPGs, EU NIS2 Annex I guidance, and UK NCSC CAF for OT-heavy CNI. Defines Purdue Model zoned architecture and OT-specific incident response. Pairs with ISO/IEC 27019 (energy) and NERC CIP (bulk electric). Supersedes 800-82r2; adds cloud-connected OT and industrial IoT guidance. | NIST / CISA | Evidence Chain Model™ |
| NERC CIP CIP-002 through CIP-015 — Bulk Electric System | In Force | 🇺🇸 USA / 🇨🇦 Canada | Mandatory OT cybersecurity for North American bulk electric system — generation, transmission, energy markets. CIP-015-1 (Internal Network Security Monitoring) effective 1 Oct 2028. Active enforcement: CIP-013-2 supply-chain, CIP-003-9 low-impact access. Penalties up to US$1.4M/violation/day; 2025 aggregate settlements crossed US$30M. Cross-mapped to IEC 62443, ISO/IEC 27019, NIST SP 800-82r3. | NERC / FERC / Regional Entities | Recoverability Mandate™ |
| ISO/IEC 27019:2024 Information Security for Energy Utility Industry | In Force | 🌐 Global | Sector-specific extension of ISO/IEC 27002 for energy utilities covering generation, transmission, distribution, and process-control/automation systems. Adds IACS, SCADA, DCS, and smart-grid controls. Referenced in EU NIS2 Annex I, UK NCSC CAF for utilities, US NERC CIP crosswalk, NIST SP 800-82r3. Paired with IEC 62443 for product/component certification. 2024 edition adds OT cloud connectivity and industrial IoT. | IEC / ISO TC57 | Board-Survivable Cyber Architecture™ |
| MITRE ATT&CK for ICS ICS Matrix — v16 (Apr 2025) | In Force | 🌐 Global | ICS-specific adversary behaviour matrix covering tactics and techniques in real-world ICS attacks — Stages 1 & 2 kill-chain (IT compromise → OT lateral movement → physical-process impact). v16 (Apr 2025) introduced formal ICS–Enterprise cross-mapping aligned to IEC 62443. Covers PLCs, HMIs, engineering workstations, safety systems, field devices. Used in CISA ICS-CERT advisories, TIBER-EU OT scenarios, and ENISA CNI threat landscape reports. | MITRE | Evidence Chain Model™ |
| TSA Security Directives — OT (Pipeline SD-02C · Rail SD-1580/82 · Aviation) | In Force | 🇺🇸 USA | Post-Colonial Pipeline mandatory OT cybersecurity directives for US critical infrastructure transport. Pipeline SD-02C (rev. 2024): TSA-approved cybersecurity implementation plan, annual assessments, 24h incident reporting to CISA, mandatory IT/OT network segmentation. Rail: passenger and freight operators. Aviation: airports and operators with OT exposure. Civil penalties + potential revocation of operating authority for non-compliance. | TSA / CISA / DHS | Decision Rights Architecture™ |
| EU NIS2 — OT / CNI Obligations (EU 2022/2555 Annex I, Essential Entities, OT sectors) | Transposition | 🇪🇺 EU | NIS2 Annex I designates OT-heavy sectors as essential entities: Energy (electricity, oil, gas, hydrogen), Transport (air, rail, water, road), Water supply & wastewater, Space. Art. 21 mandates risk-based measures including supply-chain security, OT network segmentation, and ICS-specific incident response. Art. 20 imposes personal liability on senior management. IEC 62443 is recognised as the primary technical reference for OT conformance. First audits due 30 Jun 2026; fines up to €10M or 2% global turnover. | National CAs + ENISA | Board-Survivable Cyber Architecture™ |
| EU Cyber Resilience Act — OT Products (EU 2024/2847, Products with Digital Elements incl. OT/ICS) | Phased Rollout | 🇪🇺 EU | CRA applies directly to OT/ICS products on the EU market — PLCs, HMIs, industrial switches, remote-access gateways, safety controllers, and industrial IoT devices as "products with digital elements." Critical/highly-critical (Annex III/IV) require 3rd-party conformity assessment. Vulnerability reporting: 11 Sep 2026. Full application: 11 Dec 2027. CE marking mandatory. IEC 62443-4-1 SDL and 62443-4-2 are primary conformity routes for OT product manufacturers. | National Market Surveillance + ENISA | Evidence Chain Model™ |
| UK CAF — OT / CNI Profile (NCSC Cyber Assessment Framework v3.2, OT/CNI) | In Force | 🇬🇧 UK | NCSC CAF 14 security principles applied to OT and IT/OT convergence environments for UK Critical National Infrastructure. Sector regulators enforce: Ofgem (electricity/gas), Ofwat (water), ORR (rail), CAA (aviation). CAF v3.2 (2023) added ICS-specific implementation guidance aligned to IEC 62443. Profile-based assessments; regulators issue improvement plans. Non-compliance under NIS Regulations 2018; fines up to £17M. | NCSC / Ofgem / Ofwat / ORR / CAA | Decision Rights Architecture™ |
| CIRCIA — ICS / Critical Infrastructure (Cyber Incident Reporting for Critical Infrastructure Act 2022) | Phased Rollout | 🇺🇸 USA | Covers all 16 CISA critical infrastructure sectors — majority are OT-dependent: Energy, Water, Transport, Manufacturing, Chemical, Nuclear, Agriculture, Healthcare, Communications. Final rule delayed to May 2026+. Core obligations: 72h reporting for significant cyber incidents; 24h for ransomware payments. Non-compliance: CISA subpoena and DOJ referral. Sector rulemaking to align with NERC CIP (energy) and TSA Directives (transport) OT reporting timelines. | CISA / DHS | Evidence Chain Model™ |
| CISA ICS-CERT / CPGs (ICS Advisories · Cross-Sector Cybersecurity Performance Goals) | In Force | 🇺🇸 USA / 🌐 Global guidance | CISA ICS-CERT issues vulnerability advisories and threat intelligence for ICS — 200+ advisories annually covering PLCs, HMIs, SCADA, and industrial protocols (Modbus, DNP3, EtherNet/IP, OPC-UA). Cross-Sector CPGs define minimum OT security baseline: asset inventory, network segmentation, OT-specific logging, secure remote access, and ICS incident response. CPGs referenced in CIRCIA rulemaking and TSA enforcement. CISA OT Security Guide (2024) pairs with NIST SP 800-82r3 and IEC 62443. | CISA / NCIJTF | Evidence Chain Model™ |
| ENISA OT/ICS Threat Landscape (ETL OT/ICS Report, Annual, ENISA) | In Force | 🇪🇺 EU | ENISA annual OT/ICS threat landscape covers attack vectors, threat actors (VOLTZITE, Sandworm, APT40, Lazarus Group OT campaigns), and sector vulnerability trends across EU critical infrastructure. Referenced in NIS2 implementation guidance and by National CAs for OT risk-management benchmarking. 2024 report highlighted ransomware-as-a-service targeting OT (35% YoY increase), living-off-the-land in ICS environments, and supply-chain compromise of OT vendor update mechanisms. | ENISA | Board-Survivable Cyber Architecture™ |
🇨🇭 Switzerland — National Cyber, Data & AI Regulation
Switzerland operates outside the EU but maintains alignment with EU data-protection via adequacy. The revised Federal Act on Data Protection (revFADP/nFADP) entered into force 1 Sep 2023, and the Information Security Act (ISA) built a federal cyber baseline. FINMA governs financial-sector operational risk; NCSC Switzerland is the national CERT.
| Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|
| revFADP / nFADP (Federal Act on Data Protection) | In Force | Revised Federal Data Protection Act in force 1 Sep 2023. Modernises Swiss data law to broadly match GDPR: extended definitions, DPIA obligation, 72h breach notification to FDPIC, new right to data portability. Penal fines up to CHF 250,000 on responsible individuals (not corporate entities). | FDPIC + Cantonal DPAs | Evidence Chain Model™ |
| Information Security Act (ISG / LSI) | In Force | Federal Information Security Act entered into force 1 Jan 2024. Applies to Confederation, cantons (where using federal info), and operators of critical infrastructure. Mandatory incident reporting to NCSC Switzerland within 24h, federal information-classification regime, and personnel security vetting. | NCSC Switzerland + Chancellery | Recoverability Mandate™ |
| FINMA Circular 2023/1 (Operational Risks & Resilience) | In Force | FINMA's supervisory circular on operational risks and resilience — in force 1 Jan 2024 for banks and insurers. Requires critical business-function mapping, tolerance for disruption, testing via severe-but-plausible scenarios, and third-party ICT dependency register (aligned with DORA). | FINMA | Recoverability Mandate™ + Evidence Chain Model™ |
| Cyber Reporting Duty (Art. 74a ISA) | In Force | In force 1 Apr 2024 — critical-infrastructure operators must report cyber attacks to NCSC Switzerland within 24h of detection. Initial reporting scope covers financial, energy, transport, health, telecom sectors; administrative fines up to CHF 100,000 for breach of reporting duty. | NCSC Switzerland | Decision Rights Architecture™ |
| Swiss-US DPF (Swiss Data Privacy Framework) | In Force | Swiss FDPIC recognition of US DPF (since 15 Sep 2024) — permits transfers of Swiss personal data to self-certified US entities under the Swiss Annex of the DPF, preserving data-subject redress via DPRC. | FDPIC + US DoC | Contract Control Matrix™ |
| CoE AI Convention, Swiss Implementation (Council of Europe Framework Convention on AI, Human Rights, Democracy & Rule of Law) | Consultation Draft 2026 | Federal Council ratified the CoE AI Convention 12 Feb 2025 and explicitly rejected a comprehensive "Swiss AI Act"; instead Switzerland keeps a sector-specific approach. FDJP (with DETEC and FDFA) preparing a consultation draft by end-2026 covering transparency, data protection, non-discrimination and oversight; primarily binds state actors. Parallel non-binding accompanying-measures plan due end-2026 for alignment with EU AI Act and key trading partners (admin.ch / Pestalozzi / Lenz & Staehelin / White & Case, Apr 2026). | FDJP / DETEC / FDFA | Sovereign Doctrine Operating System™ |
🇨🇦 Canada — National Cyber, Data & AI Regulation
Canada's federal regime rests on PIPEDA for the private sector, alongside provincial statutes (notably Quebec's Law 25). Bill C-27 (Digital Charter Implementation Act) was reintroduced in 2025 and remains pending; it bundles a new privacy law (CPPA), an AI law (AIDA), and a tribunal. Bill C-26 adds a critical-cyber-systems framework for federally regulated sectors.
| Regulation | Status | Key Requirements | Enforcement Authority | Doctrine Response |
|---|---|---|---|---|
| PIPEDA (Personal Information Protection and Electronic Documents Act) | In Force | Federal private-sector privacy law. Consent-based collection/use/disclosure of personal information in commercial activities. Mandatory breach-of-security-safeguards notification to OPC and affected individuals where real risk of significant harm. Fines up to CAD 100,000 per violation (pre-CPPA framework). | Office of the Privacy Commissioner (OPC) | Evidence Chain Model™ |
| Quebec Law 25 (An Act to Modernize Legislative Provisions) | In Force | Three-phase rollout: Sep 2022 (privacy officer, breach notification), Sep 2023 (consent, transparency, rights), Sep 2024 (portability). Strictest Canadian privacy regime — GDPR-adjacent. Fines up to CAD 25M or 4% global turnover. Mandatory Privacy Impact Assessments for cross-border transfers. | Commission d'accès à l'information (CAI) | Evidence Chain Model™ + Contract Control Matrix™ |
| Bill C-27 / CPPA (Consumer Privacy Protection Act; lapsed, replacement expected) | Lapsed / Expected | Bill C-27 (Digital Charter Implementation Act) lapsed on the Order Paper when Parliament was prorogued January 2025 before receiving Royal Assent. The Liberal government, re-elected April 2025, has signalled intent to introduce a replacement federal private-sector privacy statute in 2026. As of April 2026, no replacement bill has been formally tabled; Privacy Commissioner testified to INDU Committee on expected legislation (priv.gc.ca / IAPP, Jan–Apr 2026). Canada remains governed by PIPEDA (2000) at the federal level pending new legislation. | OPC (current); Privacy Tribunal (proposed) | Evidence Chain Model™ |
| Bill C-27 / AIDA (Artificial Intelligence and Data Act; lapsed) | Lapsed | AIDA (Part 3 of Bill C-27) lapsed when Parliament was prorogued January 2025. Canada has no federal AI law in force as of April 2026. The re-elected Liberal government has signalled that AI regulation will now proceed as a separate initiative from privacy reform, allowing more focused policy development. No replacement AI bill has been tabled as of April 2026 (IAPP Canada, 2025; Osler, 2026). | ISED (planned AI Commissioner — not established) | AI Accountability Stack™ |
| Bill C-8 / CCSPA (Critical Cyber Systems Protection Act; reintroduced as C-8) | Passed Commons / In Senate | Originally Bill C-26 (died on Order Paper Jan 2025). Reintroduced as Bill C-8 by the Minister of Public Safety, 18 Jun 2025. Passed Third Reading in the House of Commons 26 Mar 2026 (following Speaker's ruling removing prior-judicial-authorisation provisions and committee amendments adding encryption protections); received First Reading in the Senate 26 Mar 2026. Senate Second Reading and committee referral expected imminently. Creates regulatory regime for "designated operators" in federally regulated critical sectors (finance, energy/pipelines, telecom, transport). Mandatory cybersecurity programs, supply-chain risk management, 72h incident reporting to CSE-CCCS. Penalties up to CAD 15M; personal officer liability. Includes 5-year mandatory ministerial review post-Royal Assent (Fasken / parl.ca C-8 45-1, Apr 2026). | Governor in Council + CSE / CCCS | Recoverability Mandate™ |
| OSFI B-13 (Technology and Cyber Risk Management) | In Force | Office of the Superintendent of Financial Institutions guideline for federally regulated financial institutions. In force 1 Jan 2024 — governance, risk management, cyber incident reporting within 24h of determination of reportable incident, third-party technology risk. | OSFI | Evidence Chain Model™ |
Last updated: 29 April 2026 · Sources: EUR-Lex, European Commission, FCA, PRA, Bank of England, ICO, SEC, ENISA, UK Parliament, DPC, NCSC Ireland, Oifig IS, Ofcom, CMA, OPSS, NCSC UK, IASME, CREST, HHS OCR, CISA, FTC, NIST, NYDFS, CPPA, US DoC, EBA, ISO, AICPA, MITRE, ISA/IEC, SWIFT, Basel Committee, BCBS, FDPIC, FINMA, NCSC Switzerland, admin.ch, OSFI, CSE-CCCS, CoE, ISF
Regulatory Enforcement Countdown
Critical compliance deadlines tracked on the original page as live countdown timers; enforcement begins when each reaches zero.
- EU AI Act — Full Application: EU 2024/1689 Art. 113 — High-risk AI obligations enforceable
- DORA — Supervisory Reviews: EU 2022/2554 — In force since 17 January 2025
- EU Digital Omnibus Trilogue: Political agreement expected — proposes extending AI Act high-risk deadlines + GDPR simplification + single breach notification portal
- NIS2 — Transposition Status: EU 2022/2555 — Deadline was 17 October 2024 · 13 of 27 states yet to transpose; EC infringement proceedings ongoing · First audits due 30 June 2026 · First penalties issued Q1 2026 · Digital Omnibus trilogue 28 Apr 2026
Governance Readiness Score
Evaluate your organisation's cyber governance maturity in 60 seconds. This diagnostic maps your current posture against DORA, NIS2, and EU AI Act enforcement requirements.
1. Does your board receive structured cyber risk reports at least quarterly?
2. Do you have documented Decision Rights for cyber incident escalation?
3. Can you produce an evidence chain for any control within 24 hours?
4. Have you stress-tested your operational resilience under a severe-but-plausible scenario?
5. Do you have AI governance controls mapped to EU AI Act requirements?
6. Are your third-party/outsourcing contracts governed by enforceable cyber controls?
Compliance is a commercial weapon for those who understand it and an extinction event for those who do not.
DORA. NIS2. EU AI Act. CRA. The organisations that move first set the enforcement standard for everyone else.
- 2 Aug 2026 — EU AI Act Annex III high-risk system obligations live
- 11 Sep 2026 — CRA: vulnerability disclosure to ENISA commences
- 18 Mar 2027 — FCA/PRA PS26/2 + PS7/26 full entry into force
Industrial Resilience — Regulatory Framework Coverage
21 OT/ICS doctrine papers (May 2026) cross-mapped against the regulatory frameworks they engage. Each framework links to the relevant papers.
- Paper 1: Operationalising OT Cyber Risk
- Paper 2: From Compliance to Control
- Paper 3: Industrial Cyber Resilience by Design
- Paper 4: Engineering Survivable OT Architectures
- Paper 5: Quantifying OT Risk
- Paper 6: Design Authority for Industrial Networks
- Paper 7: Enterprise Network Architecture for OT
- Paper 8: Designing Hybrid OT Connectivity
- +12 more
- Paper 1: Operationalising OT Cyber Risk
- Paper 2: From Compliance to Control
- Paper 3: Industrial Cyber Resilience by Design
- Paper 4: Engineering Survivable OT Architectures
- Paper 6: Design Authority for Industrial Networks
- Paper 7: Enterprise Network Architecture for OT
- Paper 8: Designing Hybrid OT Connectivity
- Paper 9: Governing Multi-Vendor Network Architectures in Critical Infrastructure
- +11 more
Regulatory Frameworks Engaged Across the 21-Paper SOC 2.0 Series
Each framework is referenced across the 21 institutional doctrine papers. Cross-mapped to the regulator's enforcement vector and the doctrine response that operationalises compliance.