Compliance¶
One page per regulation Regulus ships a profile for. Each page follows the same shape so a reader can self-identify in 20 seconds and find the engineering answer in two minutes — see ADR-009 for the editorial standard.
- In one sentence — what this regulation is.
- Who does it apply to? — concrete self-identification examples.
- The two-minute explainer — narrative.
- What it actually requires of an engineer.
- What Regulus does for you.
- Saves you ~ — honest engineer-week estimate.
- Code: minimal.
- Code: production.
- How to verify.
- What an auditor will ask.
- What this doesn't cover — explicit out-of-scope.
- Citations.
If a regulation feels unfamiliar, jump back to Concepts first — every page here assumes you know the EU vs UK landscape and the controller / processor / deployer trio.
EU¶
- EU AI Act — Risk tiers, logging, human oversight, transparency
- GDPR — Data-protection foundation
- DORA — ICT operational resilience for EU financial services
- NIS2 — Cybersecurity for essential / important entities
- EHDS — European Health Data Space
UK¶
- UK GDPR + DPA 2018 — UK data protection
- FCA SYSC + Consumer Duty — UK conduct of financial services
- PRA SS1/23 — Model risk management
- PRA SS2/21 — Outsourcing and third-party risk
- NHS DSPT — NHS data security toolkit
Cross-cutting¶
- Coverage matrix — regulation × control × ADK hook × test fixture (now includes NIST AI RMF + ISO 42001 framework columns)
- Time saved — honest cost of building each control yourself
- Audit walkthrough — what we showed the auditor
Related: AI governance frameworks¶
Regulations are mandatory. Frameworks like NIST AI RMF and ISO/IEC 42001 are voluntary best-practice anchors most mature operators adopt alongside their regulation profiles. See the Governance section and Concepts → Frameworks vs regulations.