Regulatory Mapping The 61 artefacts address obligations across ten legal instruments: the EU AI Act (Regulation (EU) 2024/1689), GDPR (Regulation (EU) 2016/679), CRA (Regulation (EU) 2024/2847), DORA (Regulation (EU) 2022/2554), NIS2 (Directive (EU) 2022/2555), the EU Charter of Fundamental Rights, Directive 2019/1937 (Whistleblower Protection), Regulation (EC) No 765/2008 (CE marking), Directive 2019/790 (Copyright in the Digital Single Market), and ISO/IEC standards (42001, 23894, 25010, 25012, 27001, 38507). Every artefact maps to at least one AI Act provision. Fourteen artefacts address GDPR requirements in addition. Nine address CRA, DORA, or NIS2 cybersecurity obligations. The heaviest regulatory concentration falls on four AI Act articles: Article 9 (risk management, referenced by 12 artefacts), Article 12 (record-keeping, 11 artefacts), Article 72 (PMM, 10 artefacts), and Article 18 (documentation retention, 9 artefacts). Key outputs

• Per-artefact regulatory provision mapping
• Per-regulation artefact count and coverage analysis