Regulation and framework library

Understand the rule set before you collect the evidence.

AICVS is EU AI Act-first, but many teams also need ISO/IEC 42001, SOC 2, ISO 27001, DORA, NIS2, or GDPR views. This page explains what each framework usually asks for and which records AICVS can help organise.

Choose a regulation view without losing the shared evidence trail.

The same AI system record can support several reviews. A system owner, risk classification, vendor file, monitoring record, or incident route should not be rebuilt for every framework. AICVS keeps those records connected, then lets teams export the view they need.

EU regulation

EU AI Act

Product-focused AI regulation for organisations that provide, deploy, import, distribute, or use AI systems in the EU market.

Full name: Regulation (EU) 2024/1689
Issued by: European Parliament & Council
Status: In force — high-risk obligations apply 2 Aug 2026
Applies to: Providers, deployers, importers & distributors of AI in the EU
Official text: EUR-Lex
What it asks teams to clarify
  • Your organisation role for each AI system.
  • Likely risk tier and high-risk category.
  • Whether GPAI models or personal data are involved.
Records that usually matter
  • AI inventory and intended purpose.
  • Risk management, human oversight, data governance.
  • Annex IV technical documentation inputs and incident route.
How AICVS supports it
  • Role wizard and per-system risk workflow.
  • DPIA/FRIA, explainability, monitoring, and evidence vault.
  • Audit packs and board snapshots based on stored records.
AI management standard

ISO/IEC 42001

An AI management system standard for governance, policy, risk, objectives, responsibilities, and improvement.

Full name: ISO/IEC 42001:2023
Issued by: ISO & IEC
Status: Published Dec 2023 — first AI management system standard
Applies to: Any organisation that provides or uses AI systems
Standard page: ISO
What it asks teams to clarify
  • Who owns AI governance and operating reviews.
  • How AI risks are identified, treated, and reviewed.
  • How AI lifecycle controls are maintained.
Records that usually matter
  • AI policy and management objectives.
  • Control owners, risk treatment, review cadence.
  • Evidence of monitoring and corrective actions.
How AICVS supports it
  • System owners and review dates.
  • Suggested controls and status history.
  • Reusable evidence and versioned record ledger.
Assurance review

SOC 2

A service organisation assurance framework often used by SaaS buyers to assess trust service criteria.

Full name: SOC 2 — System & Organization Controls 2
Issued by: AICPA (US)
Status: Active — based on the Trust Services Criteria
Applies to: Service organisations & SaaS handling customer data
About SOC 2: AICPA
What it asks teams to clarify
  • How AI changes are approved and logged.
  • How access and vendor risks are controlled.
  • How security events and evidence are retained.
Records that usually matter
  • Change records and technical scan results.
  • Access review and supplier evidence.
  • Incident response and monitoring logs.
How AICVS supports it
  • Framework-scoped document packs.
  • Code evidence scans and control gap list.
  • Evidence vault links from system records.
Security management

ISO 27001

An information security management standard that often provides the security foundation for AI governance.

Full name: ISO/IEC 27001:2022
Issued by: ISO & IEC
Status: In force — 2022 revision of the ISMS standard
Applies to: Any organisation managing information-security risk
Standard page: ISO
What it asks teams to clarify
  • Which AI assets and suppliers are in scope.
  • How access, logging, secure development, and vulnerabilities are handled.
  • How risks and exceptions are reviewed.
Records that usually matter
  • Asset register and supplier assessment.
  • Security controls and development evidence.
  • Vulnerability and incident records.
How AICVS supports it
  • AI inventory and vendor registry.
  • Technical evidence scans.
  • Cross-mapped security gaps in document packs.
Operational resilience

DORA

EU financial-sector rules for digital operational resilience, ICT risk, incidents, testing, and third-party dependencies.

Full name: Regulation (EU) 2022/2554 (DORA)
Issued by: European Parliament & Council
Status: Applies from 17 Jan 2025
Applies to: EU financial entities & their critical ICT providers
Official text: EUR-Lex
What it asks teams to clarify
  • Which ICT services and third parties are important.
  • How incidents are detected, escalated, and recorded.
  • How continuity and monitoring are reviewed.
Records that usually matter
  • Vendor dependency and service records.
  • Monitoring plan and incident route.
  • Continuity and review evidence.
How AICVS supports it
  • Vendor and system dependency fields.
  • Monitoring and incident records.
  • Cross-checks in operational evidence packs.
Cybersecurity and privacy

NIS2 and GDPR

NIS2 and GDPR are not AI-only frameworks, but they shape many AI governance records involving cybersecurity, personal data, DPIA, and incident handling.

NIS2: Directive (EU) 2022/2555 — cybersecurity for essential & important entities (national transposition 2024)
GDPR: Regulation (EU) 2016/679 — in force since 25 May 2018; applies to anyone processing EU personal data
Issued by: European Parliament & Council
Official texts: NIS2, GDPR
What they ask teams to clarify
  • How personal data and special category data are used.
  • Whether DPIA or privacy notices are needed.
  • How cyber and data incidents are escalated.
Records that usually matter
  • Data flags, lawful basis notes, DPIA records.
  • Security controls and incident log.
  • Vendor DPA and transfer context.
How AICVS supports it
  • DPIA/FRIA readiness questions.
  • Data flags in system records.
  • Privacy and incident evidence links.

One evidence graph, many framework outputs.

AICVS is designed so the same record can be reused. A vendor file can support EU AI Act provider diligence, SOC 2 supplier review, ISO 27001 supplier controls, and DORA dependency context when relevant.

System
  • AI system: purpose, owner, role, risk
  • Vendor: DPA, terms, dependency
  • Data use: inputs, personal data, flags
  • Lifecycle: deploy, monitor, review
Controls
  • Risk treatment: EU AI Act / ISO 42001
  • Access control: SOC 2 / ISO 27001
  • Human oversight: EU AI Act / ISO 42001
  • Incident route: DORA / NIS2 / GDPR
Outputs
  • Evidence vault: versioned records
  • Document pack: framework scope
  • Board snapshot: priority gaps
  • Audit pack: review trail

Start with the framework your team needs today.

Choose EU AI Act, ISO 42001, SOC 2, ISO 27001, DORA, NIS2, or GDPR context without turning every review into the same oversized report.
