Regulatory coverage
Eighty-nine active map rows. Eight jurisdictions. Article level.
Every framework below is implemented as a runtime enforcement engine inside OBEXGATE. Each engine maps to an article, principle, or control reference inside its source regulation, and produces tamper-evident evidence at the point a governed decision is made.
Coverage is not a checklist. It is regulatory logic applied at execution.
89 active regulatory map rows
88 implemented rows
1 not in scope
8 jurisdictions covered
European Union
EU AI Act (Regulation 2024/1689)
| Framework reference | Coverage |
|---|---|
| Art 5 Prohibited Practices | Unacceptable-risk system prohibition gate |
| Arts 6 to 8 High-Risk Classification | Annex III categories and Art 25 substantial modification detection |
| Art 9 Risk Management System | Continuous risk management lifecycle |
| Art 9 Data Governance | Training, validation, and testing data quality obligations |
| Art 9 Registration | EU AI Act registration requirements |
| Art 10 Data Governance | Data set requirements for high-risk AI |
| Art 10 Data Quality | Bias, relevance, and completeness checks |
| Art 11 Technical Documentation | Annex IV documentation requirements |
| Art 12 Record Keeping | Automatic logging for high-risk systems |
| Art 13 Transparency | User-facing disclosure requirements |
| Art 14 Human Oversight | Human oversight measures and controls |
| Art 15 Accuracy and Robustness | Accuracy, robustness, and cybersecurity requirements |
| Arts 16 to 29 Provider/Deployer | Full obligations bundle for providers and deployers |
| Arts 42 to 49 Conformity | Harmonised standards, notified body designation, certificate lifecycle |
| Annex III High-Risk Systems | High-risk classification gate, wired into operator surface |
| Art 52 Transparency Labelling | Chatbot and deepfake disclosure obligations |
| Arts 55 to 71 Penalties | Financial penalties, enforcement actions, governance oversight |
| Art 72 Penalties | Administrative penalty classification and fine-ceiling enforcement |
| GPAI Arts 50 to 54 | General-purpose AI governance, systemic risk obligations |
GDPR
| Framework reference | Coverage |
|---|---|
| Art 5 Processing Principles | Lawfulness, fairness, transparency, purpose limitation, minimisation, accuracy, storage limitation, integrity |
| Arts 13 and 14 Transparency Notices | Privacy-notice generation for direct and indirect collection |
| Art 17 Right to Erasure | Deletion workflow with downstream propagation |
| Art 20 Data Portability | Machine-readable export surface |
| Art 22 Automated Decisions | Profiling and automated-decision safeguards |
| Art 25 Privacy by Design | PbD and data minimisation controls |
| Art 32 Security of Processing | Encryption, incident response, processor assessment, log retention, secure disposal |
| Art 35 DPIA | Data Protection Impact Assessment workflow |
DORA (Digital Operational Resilience Act)
| Framework reference | Coverage |
|---|---|
| ICT Risk Management | ICT risk management framework requirements |
| Incident Classification | Major incident identification and classification |
| Resilience Testing | TLPT and standard testing programme |
| Third-Party Risk | ICT third-party risk management |
NIS2
| Framework reference | Coverage |
|---|---|
| Risk Management (Art 21) | All ten Art 21(2) security measures (a to j) |
| Incident Reporting | 24-hour early warning, 72-hour notification, final report |
| Board Liability (Arts 20 and 21) | Management body accountability and training |
| Supply Chain Security | Third-party and supply chain risk obligations |
eIDAS 2.0
| Framework reference | Coverage |
|---|---|
| Digital Identity | European Digital Identity Wallet obligations |
| Qualified Electronic Signatures | QES creation, validation, trust service requirements |
United States
Healthcare
| Framework reference | Coverage |
|---|---|
| HIPAA Privacy Rule | PHI handling, minimum necessary, patient rights |
| HIPAA Security Rule | Administrative, physical, technical safeguards |
| HIPAA Breach Notification | Breach risk assessment and notification timelines |
| 42 CFR Part 2 | Substance use disorder record redisclosure restrictions |
| FDA Information Blocking | Interoperability and information blocking prohibitions |
| FDA SaMD | Software as a Medical Device validation requirements |
| ONC HTI-1 (DSI Transparency) | 31-attribute decision support transparency schema, FAVES evaluation |
| ONC Information Blocking (45 CFR Part 171) | Eight recognised exceptions; health IT developers, HINs, HIEs |
Federal and Cross-Sector
| Framework reference | Coverage |
|---|---|
| NIST AI RMF Govern | Governance function |
| NIST AI RMF Map | Risk mapping function |
| NIST AI RMF Measure | Risk measurement function |
| NIST AI RMF Manage | Risk management function |
| FTC Section 5 | Unfair or deceptive AI practices gate |
| FTC Health Breach Notification | Health data breach notification (non-HIPAA covered) |
| FedRAMP | NIST SP 800-53 controls; Low/Moderate/High baselines; SOC 2 and ISO 27001 cross-reference |
| CCPA/CPRA | Six consumer rights engines (access, deletion, portability, opt-out, correction, limit sensitive data use) |
| ISO/IEC 27001:2022 | 93 Annex A controls across four domains; SOC 2 and FedRAMP cross-reference |
| PCI DSS v4.0 | Payment card data security requirements |
SOC 2 / SOC 3
| Framework reference | Coverage |
|---|---|
| SOC 2 Security (CC1 to CC9) | Full security trust service category; RBAC, cryptography, incident response wired |
| SOC 2 Availability (A1) | Availability trust service category |
| SOC 2 Confidentiality (C1 to C2) | Identification and secure disposal |
| SOC 2 Processing Integrity (PI1.1 to PI1.5) | Completeness, accuracy, timeliness, authorisation, unauthorised-change prevention |
| SOC 2 Privacy (P1 to P8) | Full privacy trust service category |
| SOC 3 Report Surface | Unqualified, qualified, or adverse opinion across all five TSC categories |
Brazil
| Framework reference | Coverage |
|---|---|
| LGPD Art 18 Data Subject Rights | Right to access, correction, deletion, portability, confirmation, opposition |
| LGPD Art 20 Right to Explanation | Automated-decision explanation obligation |
| LGPD Art 33 Cross-Border Transfer | International transfer restrictions and safeguards |
| LGPD Art 48 Breach Notification | ANPD and data-subject notification workflow |
| PL-2338/2023 Brazilian AI Bill | Risk classification, transparency, accountability obligations |
| AI Framework: Risk Classification | ANPD AI risk tiers |
| AI Framework: AIA Engine | AI impact assessment workflow |
| AI Framework: ANPD Package | Regulatory submission package generation |
| DPO Registration | Data Protection Officer registration and contact surface |
United Kingdom
| Framework reference | Coverage |
|---|---|
| DUAA Section 80 (Arts 22A to 22D) | Art 22A scope and significant-decision classification; Art 22B special-category data restrictions; Art 22C mandatory safeguards; Art 22D regulation-making powers; DPA 2018 Part 3 Sec. 50A to 50D law enforcement ADM; DPA 2018 Part 4 Sec. 96 to 97 intelligence services ADM |
| UK AI Safety Institute Alignment | UK AI Safety Institute voluntary alignment surface |
| FCA FG21/1 AI/ML Compliance | Financial Conduct Authority AI/ML model risk guidance |
| PRA SS1/23 Model Risk Management | Prudential Regulation Authority model risk management standard |
| UK GDPR Divergence Overlay | UK-specific post-Brexit GDPR divergence surface |
| SMCR | Senior manager accountability and certification obligations |
Australia
| Framework reference | Coverage |
|---|---|
| Privacy Act 1988 APPs 1 to 13 | 13 Australian Privacy Principles; register, assess, query, cross-border transfer (APP 8) |
| Privacy Act 1988 NDB (Part IIIC) | Notifiable Data Breaches; 30-day OAIC notification enforcement |
| AI Ethics Principles (8 principles) | Voluntary 8-principle assessment, scored 1 to 5. Observer mode. |
| AI Safety Standards | Voluntary safety standard assessment. Observer mode. |
New Zealand
| Framework reference | Coverage |
|---|---|
| Privacy Act 2020 IPPs 1 to 13 | 13 Information Privacy Principles |
| Privacy Act 2020 NPB | Notifiable Privacy Breach reporting obligations |
| NZ Unified Query Surface | Aggregated IPP and NPB compliance surface |
Singapore
| Framework reference | Coverage |
|---|---|
| PDPA (Personal Data Protection Act 2012) | Deemed consent, 72-hour breach notification, data portability, transfer restrictions |
| MAS AI Governance (FEAT) | Fairness, Ethics, Accountability, Transparency principles. Financial services sector. |
| AI Verify | AI testing framework. Voluntary. Observer mode. |
Canada
| Framework reference | Coverage |
|---|---|
| PIPEDA 10 Fair Information Principles | Consent framework, accountability, openness, individual access |
| Ontario Bill 194 | AI accountability, children's data protection, privacy impact assessment, cybersecurity, breach notification |
| AIDA (Bill C-27) | Not in scope. Died on the order paper 2025-01-06; 44th Parliament prorogued; no Royal Assent. Engines defined but inactive. |
How OBEXGATE produces a verdict
EVF to PRISM scoring
OBEXGATE implements the Niti Logic EVF to PRISM Scoring Map. Each PRISM framework is scored by deduction from 100 using a 10 by 5 risk-signal weight matrix. Hard floor rules are enforced. Verdict tiers: Compliant (85 or above), Substantially Compliant (70 or above), Material Concerns (55 or above), Non-Compliant (below 55). Overall posture is the worst framework across all five PRISM dimensions.
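An added illustration of the scoring logic described above, written for this page and not OBEXGATE's or Niti Logic's own code: each of the five PRISM dimensions is scored by deduction from 100 across the ten EVF domains, hard-floor ceilings are applied, the page's thresholds map scores to verdict tiers, and the worst dimension becomes the overall posture. The domain names, the weight matrix and the floor rules are constructed assumptions; only the tier thresholds, the deduction-from-100 rule and the worst-of-five aggregation come from the page.

```python
from typing import Dict, List, Tuple

# Verdict tiers from the page: 85+ Compliant, 70+ Substantially Compliant,
# 55+ Material Concerns, below 55 Non-Compliant.
TIERS = [(85.0, "Compliant"), (70.0, "Substantially Compliant"),
         (55.0, "Material Concerns")]

# Ten EVF domains (constructed placeholder names; the page lists none) and a
# constructed 10-by-5 weight matrix: points deducted per unit of risk signal
# in that domain, one column per PRISM dimension.
WEIGHTS: Dict[str, List[float]] = {
    "identity":          [10, 5, 0, 0, 0],
    "access_control":    [10, 5, 0, 5, 0],
    "data_governance":   [0, 10, 10, 0, 0],
    "model_risk":        [0, 0, 15, 10, 0],
    "human_oversight":   [0, 0, 10, 15, 5],
    "logging":           [5, 0, 0, 0, 15],
    "incident_response": [5, 10, 0, 0, 10],
    "third_party":       [0, 15, 5, 0, 0],
    "transparency":      [0, 0, 10, 10, 10],
    "change_control":    [5, 5, 0, 5, 10],
}
# Constructed hard floors: (domain, signal level that fires the rule, ceiling
# imposed on every dimension regardless of the weighted deduction).
HARD_FLOORS = [("human_oversight", 1.0, 54.0), ("logging", 1.0, 69.0)]


def tier(score: float) -> str:
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "Non-Compliant"


def score_dimension(signals: Dict[str, float], dim: int) -> float:
    # Deduct from 100, then clamp under any hard floor that has fired.
    deduction = sum(signals.get(d, 0.0) * w[dim] for d, w in WEIGHTS.items())
    score = max(0.0, 100.0 - deduction)
    for domain, trigger, ceiling in HARD_FLOORS:
        if signals.get(domain, 0.0) >= trigger:
            score = min(score, ceiling)
    return score


def assess(signals: Dict[str, float]) -> Tuple[float, str, List[float]]:
    # Signals run from 0.0 (absent) to 1.0 (fully present) per EVF domain.
    for domain, level in signals.items():
        if domain not in WEIGHTS or not 0.0 <= level <= 1.0:
            raise ValueError(f"bad signal {domain}={level}")
    scores = [score_dimension(signals, i) for i in range(5)]
    worst = min(scores)  # overall posture is the worst PRISM dimension
    return worst, tier(worst), scores
```

The second scenario in the test shows why floors matter: a single fully present human-oversight signal deducts at most 15 points by weight, yet the floor rule pins every dimension to Non-Compliant.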
EVF as the assessment instrument
EVF is the diagnostic that captures how an organisation's governance actually behaves at the execution boundary, with ten domains and the risk signals that surface structural vulnerability. OBEXGATE translates that signal into framework-specific compliance verdicts with the hard floors above.
OBEXGATE as enforcement floor
The 89 active map rows on this page reflect 88 implemented rows and 1 not-in-scope row under methodology-layer products. EVF is the assessment instrument. OBEXGATE produces the runtime evidence and the verdict. The two are designed to operate together.
If an action violates an enforced requirement, it does not run.
Coverage state and revision
Coverage state on this page is current as of 29 April 2026 and reflects the OBEXGATE Regulatory Coverage Catalogue. Coverage is reconciled against codebase state, not aspirational roadmap. Engines listed in scope are running. Engines not in scope are listed for transparency and explicitly noted as inactive.
See which obligations apply before your system runs.
A six-question OBEXGATE assessment delivers a personalised regulatory map, deployment cost estimate, and potential statutory exposure based on how your system behaves under enforcement.