AI Governance Playbook
Open search
Other Regulations

Regulations that intersect with AI governance.

AI governance doesn't exist in isolation. These EU and international frameworks affect how AI systems are deployed, operated, and governed across regulated industries.

Why these matter for AI

Understanding the regulatory landscape helps ensure AI deployments are compliant across multiple frameworks, not just the EU AI Act.

Data flows

AI systems depend on data transmission across networks. Connectivity regulations affect how data moves, where it's processed, and what security controls apply.

Infrastructure resilience

AI deployments require reliable infrastructure. Network resilience requirements under DNA and EECC affect AI availability and continuity planning.

Privacy and consent

AI training and inference often involve personal data. ePrivacy and GDPR set boundaries on data collection, consent, and automated processing.

Algorithmic transparency

DSA requires transparency in recommender systems and content moderation. AI systems on platforms must explain how decisions are made.

Regulatory coverage

GDPR (AI Provisions)

In force

The General Data Protection Regulation contains specific provisions affecting AI: Article 22 on automated decision-making, data minimisation principles, and rights to explanation.

AI relevance: AI systems making decisions about individuals require lawful basis, human oversight options, and transparency about automated processing logic.
Detailed coverage coming soon

Digital Networks Act (DNA)

Proposed

EU proposal to modernise and harmonise connectivity rules across Member States. Covers single-passport authorisation, spectrum modernisation, copper-to-fibre transition, and satellite frameworks.

AI relevance: Affects AI systems that rely on network infrastructure, connectivity services, and data transmission across EU borders.
View detailsImpact wizardRegulatory crosswalk

ePrivacy Directive

In force

Regulates electronic communications privacy, including cookies, direct marketing, and confidentiality of communications.

AI relevance: AI systems processing communication data or deploying tracking technologies must comply with consent and privacy requirements.
Detailed coverage coming soon

European Electronic Communications Code (EECC)

In force

Framework for electronic communications networks and services, covering authorisation, access, spectrum, and universal service.

AI relevance: AI-powered communications services and network management tools must operate within EECC parameters.
Detailed coverage coming soon

Digital Services Act (DSA)

In force

Regulates digital services and platforms, addressing illegal content, transparency, and algorithmic accountability.

AI relevance: AI recommendation systems, content moderation, and algorithmic decision-making fall under DSA transparency and accountability rules.
Detailed coverage coming soon

Digital Markets Act (DMA)

In force

Regulates large digital platforms designated as gatekeepers, ensuring fair competition and interoperability.

AI relevance: AI systems integrated with gatekeeper platforms must comply with interoperability and data portability requirements.
Detailed coverage coming soon

NIS2 Directive

In force

Network and Information Security Directive 2 establishes cybersecurity requirements for essential and important entities across critical sectors.

AI relevance: AI systems in critical infrastructure must meet cybersecurity risk management, incident reporting, and supply chain security requirements.
Detailed coverage coming soon

Digital Operational Resilience Act (DORA)

In force

Financial sector regulation requiring ICT risk management, incident reporting, resilience testing, and third-party risk management.

AI relevance: AI systems in financial services must meet operational resilience standards, including testing, incident handling, and vendor oversight.
Detailed coverage coming soon

MiFID II (Algorithmic Trading)

In force

Markets in Financial Instruments Directive includes specific requirements for algorithmic and high-frequency trading systems.

AI relevance: AI-powered trading systems require risk controls, kill switches, testing environments, and regulatory reporting capabilities.
Detailed coverage coming soon

MDR/IVDR (Medical Devices)

In force

Medical Device Regulation and In Vitro Diagnostic Regulation govern software as medical devices, including AI-powered diagnostics.

AI relevance: AI diagnostic tools, clinical decision support, and medical imaging analysis must meet medical device certification requirements.
Detailed coverage coming soon

Cyber Resilience Act (CRA)

Proposed

Proposed regulation establishing cybersecurity requirements for products with digital elements throughout their lifecycle.

AI relevance: AI systems embedded in connected products must meet security-by-design requirements and vulnerability handling obligations.
Detailed coverage coming soon

Data Act

In force

Regulates data sharing, access to machine-generated data, cloud switching, and interoperability requirements.

AI relevance: AI systems using IoT data or cloud services must enable data portability and fair access to machine-generated insights.
Detailed coverage coming soon

Data Governance Act (DGA)

In force

Framework for data intermediaries, data altruism organisations, and reuse of protected public sector data.

AI relevance: AI training on public sector data or through data intermediaries must follow DGA governance and trust requirements.
Detailed coverage coming soon

Focus on AI-specific governance?

For AI-specific requirements, start with the EU AI Act guide or use the Controls library to identify required safeguards.

EU AI Act guideView controls