v2.4.0

Level 4: Compliance, Legal & Data Protection — Personnel & Function

Level 4 comprises the AI Governance Lead, Legal and Regulatory Advisor, and DPO Liaison. They provide oversight of the system’s compliance posture, regulatory risk, and legal obligations. This level receives regular reporting from Levels 1–3: technical monitoring summaries, operator escalation reports, product management observations, and non-conformity register updates. Level 4 interprets these reports in the context of the EU AI Act, GDPR, and sector-specific legislation. It assesses whether observed issues constitute regulatory non-compliance, determines whether escalation to Level 5 (executive) is warranted, and initiates formal corrective action where required. Level 4 is also responsible for maintaining the AISDP as a living document, ensuring that operational findings are reflected in the documentation, and managing the organisation’s relationship with competent authorities.

Key outputs

  • Compliance posture oversight across AI Act, GDPR, sector regulation
  • Reporting from Levels 1–3 interpreted for regulatory implications
  • Formal corrective action initiation
  • AISDP maintenance and authority relationship management

Level 4: Regulatory Horizon Scanning

The Legal and Regulatory Advisor monitors guidance published by the European AI Office, enforcement actions taken by national competent authorities, developments in harmonised standards, and amendments to the Act’s Annexes. Each development is assessed for its impact on the organisation’s AI systems and, where relevant, triggers AISDP updates, reclassification reviews, or operational changes. Horizon scanning also covers sector-specific regulatory developments (financial services regulation, healthcare regulation, employment law), GDPR interpretive guidance that affects AI data processing, and case law emerging from the AI Liability Directive and national courts. This broader regulatory context shapes the compliance requirements the AISDP must satisfy. Horizon scanning findings are documented in the regulatory monitoring register and reported at the quarterly oversight review. Material developments are escalated immediately to the AI Governance Lead.

Key outputs

  • AI Office, NCA, harmonised standards, and Annex amendment monitoring
  • Cross-regulatory scanning (GDPR, sector-specific, liability)
  • Documented findings in regulatory monitoring register
  • Immediate escalation for material developments

Level 4: Escalation Triggers

Level 4 escalation triggers include any Level 1–3 escalation that may constitute a regulatory breach, post-market monitoring data suggesting the system no longer meets Articles 9–15, and external events affecting the compliance posture (enforcement actions against comparable systems, published vulnerability disclosures, changes in regulatory expectations). Level 4 escalation reaches Level 5 (executive leadership) when the issue requires strategic decision-making, resource allocation beyond current budgets, or risk appetite adjustment. Level 4 also triggers the serious incident reporting process when applicable. External events may require urgent response. An enforcement action against a competitor’s comparable system signals heightened regulatory scrutiny; the Legal and Regulatory Advisor assesses whether the organisation’s system is exposed to the same vulnerability and recommends proactive remediation.

Key outputs

  • Regulatory breach escalation from Levels 1–3
  • Articles 9–15 non-compliance signals from PMM data
  • External event response (enforcement actions, vulnerabilities)
  • Escalation to Level 5 for strategic decisions