The cross-regulatory mapping tables are retained as a standalone Module 9 artefact. The system-specific mapping identifies which regimes apply, maps requirements across seven cybersecurity domains, documents the integration approach for each domain, and records the Legal and Regulatory Advisor’s review and approval.

The mapping tables are updated when the regulatory landscape changes (new implementing acts, Commission guidance, member state transposition updates), when the system’s deployment context changes (new deployment in a different member state or sector), or when the regime determination is revised. Each update is version-controlled with the update rationale documented.

The mapping tables enable efficient preparation for inspections or audits from different regulatory perspectives. An AI Act market surveillance authority, a NIS2 auditor, a CRA notified body, and a DORA financial supervisor may all examine the same system’s cybersecurity controls; the mapping tables show each authority which controls address their specific requirements.

Key outputs

• System-specific cross-regulatory mapping (seven domains, all applicable regimes)
• Version-controlled with update rationale
• Multi-authority inspection readiness
• Module 9 AISDP evidence