Navigate the Regulatory Landscape
EU AI Act, NIS2, GDPR, UNECE R155 — the regulatory surface is expanding. We translate legal requirements into engineering actions.
Compliance is not a checkbox exercise; it is an engineering challenge. The EU AI Act introduces risk-based obligations for AI systems. NIS2 expands cybersecurity requirements to thousands of organizations. UNECE R155 gates vehicle type approval on a certified cybersecurity management system. We bridge the gap between legal text and technical implementation: risk classification, gap analysis, technical documentation, and conformity assessment.
| Sector | EU AI Act | NIS2 | UNECE R155 | GDPR |
|---|---|---|---|---|
| Automotive | | | | |
| Healthcare | | | | |
| Finance | | | | |
| Energy | | | | |
| Tech / SaaS | | | | |
EU AI Act
Risk classification of your AI systems (Unacceptable / High / Limited / Minimal). Obligations mapping, technical documentation preparation, conformity assessment support. We help you determine if your system is high-risk, what documentation you need, and how to implement the required quality management system.
NIS2 Directive
Cybersecurity risk management for essential and important entities. We assess your current posture against NIS2 requirements: incident reporting procedures, supply chain security, business continuity, vulnerability handling. Gap analysis with remediation roadmap and timeline to compliance.
UNECE R155 & Type Approval
A CSMS certificate of compliance is a prerequisite for vehicle type approval in every contracting party that applies UN Regulation No. 155 (in the EU, for all new vehicles since July 2024). We implement the Cybersecurity Management System against the ISO/PAS 5112 audit criteria, prepare the engineering evidence, and support you through the Technical Service audit. The work is integrated with your ISO/SAE 21434 engineering activities so that the audit evidence comes out of the development process rather than being produced separately for the auditor.
GDPR for AI & Connected Vehicles
Data protection impact assessments for AI systems processing personal data. Vehicle telemetry, driver behavior analytics, V2X communication data — all require GDPR compliance. We provide DPO advisory, legitimate interest assessments, and privacy-by-design architecture reviews.
Frequently Asked Questions
What are the EU AI Act risk categories?
The EU AI Act uses a four-tier risk classification: Unacceptable (prohibited practices, such as social scoring and, subject to narrow law-enforcement exceptions, real-time remote biometric identification in publicly accessible spaces), High-Risk (requires conformity assessment: safety components of regulated products such as medical devices, and listed use cases in employment, law enforcement, and critical infrastructure), Limited (transparency obligations: chatbots, deepfakes), and Minimal (no obligations). By count, most AI systems are minimal risk; the compliance and engineering effort concentrates on High-Risk and Limited systems, which is where most enterprise projects that need our support sit.
Who does NIS2 apply to?
NIS2 applies to organizations in 18 sectors (11 sectors of high criticality, including energy, transport, banking, health, digital infrastructure, and B2B ICT service management, plus 7 other critical sectors such as manufacturing, digital providers, and research) that are medium-sized or larger: at least 50 employees, or annual turnover or balance sheet above €10M. Some entities are in scope regardless of size (for example DNS service providers, TLD registries, and trust service providers), and a member state may designate further organizations as essential or important. Penalties reach up to €10M or 2% of global annual turnover (whichever is higher) for essential entities, and up to €7M or 1.4% for important entities.
What is the relationship between UNECE R155 and ISO/SAE 21434?
UNECE R155 (UN Regulation No. 155) is the regulatory requirement: it mandates that vehicle manufacturers operate a certified Cybersecurity Management System (CSMS) as a precondition for type approval, and that each vehicle type is shown to be covered by it. ISO/SAE 21434 is the engineering standard that describes how to implement cybersecurity across the vehicle lifecycle (threat analysis and risk assessment, concept and product development, production, operations, and decommissioning). Following ISO/SAE 21434 produces the work products (TARA, cybersecurity concept, verification and validation evidence, vulnerability management records) that serve as technical evidence in an R155 audit.
How long does it take to reach compliance?
A gap analysis for a single regulation (EU AI Act, NIS2, or UNECE R155) typically takes 4 to 6 weeks. This covers document review, stakeholder interviews, a technical assessment, and a remediation roadmap with prioritized actions. Full implementation support, from gap analysis to an audit-ready state, ranges from 3 to 9 months depending on organizational maturity.