v2.4.0 | Report Errata
docs security docs security

Per-Jurisdiction Authority Contacts

A regulator contact register is maintained by the AI Governance Lead, listing for each member state where the system is deployed: the AI Act market surveillance authority, the NIS2 competent authority or CSIRT, the DORA competent financial authority (if applicable), the ENISA reporting portal for CRA notifications, and the contact details, preferred communication channels, and reporting portals for each.

The register enables the incident response team to initiate reporting immediately without first researching which authority to contact. During a multi-regime incident with DORA’s four-hour deadline running, the team cannot afford to spend time identifying the correct authority and contact channel. The register is updated whenever authority designations change and tested during annual tabletop exercises.

For inspection readiness, the organisation should anticipate that different authorities may examine the same system from different regulatory perspectives. Module 9’s evidence pack should serve both NIS2 audits and AI Act inspections without requiring reorganisation under time pressure.

Key outputs

  • Regulator contact register per jurisdiction and per regime
  • Contact details, communication channels, and reporting portals
  • Annual testing during tabletop exercises
  • Module 9 and Module 11 AISDP documentation
On This Page