v2.4.0

Mapping Table

The consolidated mapping table maps seven cybersecurity domains across all applicable regimes, identifying where a single implementation satisfies multiple requirements and where regime-specific work is needed. The seven domains are risk management, incident reporting, vulnerability management, supply chain security, penetration testing, security monitoring, and business continuity.

For each domain, the table records the AI Act requirement and Article reference, the NIS2 requirement and Article reference (if applicable), the CRA requirement and Article reference (if applicable), the DORA requirement and Article reference (if applicable), and the integration approach. The integration approach states whether a single control satisfies all applicable regimes, or whether regime-specific extensions are needed. For example, risk management can use whichever framework is broadest (NIS2 or DORA) as the baseline, extending with AI-specific threat categories. Incident reporting requires parallel streams because authorities, timelines, and content differ.

The AI System Assessor produces a system-specific version of this mapping, tailored to the regimes that apply to the specific system. Module 9 holds the system-specific mapping; the Legal and Regulatory Advisor reviews it.

Key outputs

  • Seven-domain cross-regulatory mapping table
  • Per-domain integration approach (single control or regime-specific extensions)
  • System-specific tailoring by the AI System Assessor
  • Module 9 AISDP documentation