Skip to content

Compliance

One page per regulation Regulus ships a profile for. Each page follows the same shape so a reader can self-identify in 20 seconds and find the engineering answer in two minutes — see ADR-009 for the editorial standard.

  1. In one sentence — what this regulation is.
  2. Who does it apply to? — concrete self-identification examples.
  3. The two-minute explainer — narrative.
  4. What it actually requires of an engineer.
  5. What Regulus does for you.
  6. Saves you ~ — honest engineer-week estimate.
  7. Code: minimal.
  8. Code: production.
  9. How to verify.
  10. What an auditor will ask.
  11. What this doesn't cover — explicit out-of-scope.
  12. Citations.

If a regulation feels unfamiliar, jump back to Concepts first — every page here assumes you know the EU vs UK landscape and the controller / processor / deployer trio.

EU

  • EU AI Act — Risk tiers, logging, human oversight, transparency
  • GDPR — Data-protection foundation
  • DORA — ICT operational resilience for EU financial services
  • NIS2 — Cybersecurity for essential / important entities
  • EHDS — European Health Data Space

UK

Cross-cutting

  • Coverage matrix — regulation × control × ADK hook × test fixture (now includes NIST AI RMF + ISO 42001 framework columns)
  • Time saved — honest cost of building each control yourself
  • Audit walkthrough — what we showed the auditor

Regulations are mandatory. Frameworks like NIST AI RMF and ISO/IEC 42001 are voluntary best-practice anchors most mature operators adopt alongside their regulation profiles. See the Governance section and Concepts → Frameworks vs regulations.