v2.4.0

Regime Determination

The first step in the cross-regulatory mapping is determining which cybersecurity regimes apply to the specific AI system. The AI Act applies to all high-risk AI systems. NIS2 applies if the deploying entity is an essential or important entity under Directive (EU) 2022/2555 (covering sectors including energy, transport, health, digital infrastructure, public administration, and ICT service management). The CRA applies if the system is a product with digital elements placed on the EU market. DORA applies if the deploying entity is a financial entity under Regulation (EU) 2022/2554.

The regime determination is produced by the AI System Assessor during Phase 2 (Risk Assessment) and reviewed by the Legal and Regulatory Advisor. For each regime, the determination records whether it applies, the basis for the determination (entity classification, product classification, sector), and any borderline cases with the reasoning for the conclusion. Where a determination is borderline, treating the system as within scope is the safer position.

The regime determination shapes the entire Module 9 structure: which cross-regulatory mapping tables are needed, whether the CRA deemed compliance pathway applies, which incident reporting streams are required, and which third-party risk management requirements must be satisfied.

Key outputs

  • Per-regime applicability determination (AI Act, NIS2, CRA, DORA)
  • Basis and reasoning for each determination
  • Borderline case documentation
  • Module 9 AISDP documentation