EU AI Act Article 50 — 20 days to seal | Get passport
DEFONEOS · Compliance Suite · Interactive Dashboard
12 Jul 2026 30 frameworks Live status Click any framework to expand

Interactive 30-framework compliance dashboard — real-time status, evidence links, regulatory timeline.

Owner-gated dashboard showing DEFONEOS sovereign AI platform's compliance posture across 30 distinct regulatory and certification frameworks, grouped by jurisdiction (UK / EU / US / International) and category (AI-specific / Privacy / Security / Sectoral / Sovereign). Each card expands on click to show control count, status, evidence repository, and the relevant authority. Click "Filter" chips to scope. The regulatory timeline at the bottom shows the live deadline calendar to 31 Dec 2027.

30Frameworks tracked
847Controls monitored
687Pass (81%)
£1.14MAnnual compliance spend
EU AI Act
Regulation (EU) 2024/1689 — Laying down harmonised rules on AI
● Pass
142 controls · 137 pass · 5 partial · 1 in progress
Authority: European Commission AI Office + national market surveillance authorities
Penalty: Up to €15M or 3% of global turnover
Effective: 2 Aug 2024 (phased through 2 Aug 2027)
Key articles: Art 5 (prohibited), Art 6 (high-risk), Art 9 (risk mgmt), Art 14 (human oversight), Art 50 (watermarking), Art 55 (PMS)
Evidence: defoneos-audit-pack.html §4 · 19,040 Art 50 passports issued
Status note: Article 50 watermarking live since Feb 2026; FRIA template deployed Q1 2026.
UK AI Bill
Artificial Intelligence (Regulation) Bill [HL] 2024-26
● In progress
5 principles · 4 implemented · 1 in progress
Authority: AI Safety Institute + Digital Regulation Cooperation Forum
Penalty: TBD (post-Royal Assent)
Effective: Royal Assent expected Q1 2027; phased application through 2028
Key principles: Safety, security, transparency, accountability, contestability
Evidence: AI Bill sandbox (BCS cohort 4) — graduated May 2026
Status note: DEFONEOS is a "designated provider" under the Bill's regulatory sandbox provisions.
ISO/IEC 42001:2023
AI Management System (AIMS) — first international AI cert
● In progress
42 controls · 39 pass · 3 partial
Authority: ISO / IEC (cert by accredited body — BSI / Lloyd's Register)
Penalty: Commercial loss if uncertified
Effective: Published Dec 2023
Key controls: Annex A (A.5 policies, A.6 lifecycle, A.7 transparency, A.8 risk, A.9 performance)
Evidence: defoneos-audit-pack.html §3
Status note: Stage 1 audit passed Jun 2026; Stage 2 booked Sep 2026.
NIST AI RMF
NIST AI Risk Management Framework 1.0 + GenAI Profile (NIST AI 600-1)
● In progress
4 functions · 19 categories · 72 sub-categories
Authority: US National Institute of Standards & Technology
Penalty: None (voluntary) — but OMB M-24-10 mandates US federal use
Effective: AI RMF 1.0 published Jan 2023; GenAI Profile Jul 2024
Key functions: Govern, Map, Measure, Manage
Evidence: Charter §1 + risk register + measurement framework
Status note: All 4 functions implemented; GenAI profile compliance ongoing.
UK GDPR
UK General Data Protection Regulation + Data Protection Act 2018
● Pass
26 articles · 26 pass
Authority: Information Commissioner's Office (ICO)
Penalty: Up to £17.5M or 4% of global turnover
Effective: 31 Dec 2020 (post-Brexit retention of EU GDPR)
Key articles: Art 5(1)(a)-(f), Art 28, Art 32, Art 33 (72h breach)
Evidence: defoneos-audit-pack.html §5 · DPIA per system
Status note: Zero cross-border transfers; DORADO switch SOVEREIGN.
EU GDPR
Regulation (EU) 2016/679 — General Data Protection Regulation
● Pass
26 articles · 26 pass
Authority: European Data Protection Board + national DPAs
Penalty: Up to €20M or 4% of global turnover
Effective: 25 May 2018
Key articles: Art 5, Art 6, Art 25, Art 28, Art 32, Art 35, Art 44
Evidence: Same as UK GDPR (UK GDPR is the retained-in-UK version)
Status note: Adequacy decision (UK → EU) under review; current adequacy: 28 Jun 2021.
CCPA / CPRA
California Consumer Privacy Act / California Privacy Rights Act
● Pass
12 sections · 12 pass
Authority: California Privacy Protection Agency
Penalty: Up to $7,500 per intentional violation
Effective: CCPA 1 Jan 2020; CPRA amendments 1 Jan 2023
Key rights: Right to know, delete, correct, opt-out, limit (sensitive PI)
Evidence: Privacy notice + SAR workflow + opt-out signals
Status note: Applies to CA-resident personal information processed by DEFONEOS.
ISO/IEC 27001:2022
Information Security Management Systems (ISMS)
● In progress
93 Annex A controls · 88 pass · 5 N/A
Authority: ISO / IEC (cert by accredited body — BSI Group)
Penalty: Commercial loss if uncertified
Effective: Published Oct 2022; supersedes 2013 version
Key clauses: Cl 4-10; Annex A 5 (org), 6 (people), 7 (physical), 8 (tech)
Evidence: defoneos-audit-pack.html §2
Status note: Stage 1 audit passed Jun 2026; Stage 2 Sep 2026.
SOC 2 Type II
AICPA Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy)
● Pass (Type I) / In progress (Type II)
33 TSC controls · 33 pass
Authority: AICPA — licensed CPA firm (Crowe UK LLP)
Penalty: Commercial loss (audit attestation required by enterprise customers)
Effective: Observation period 1 Apr 2025 — 31 Mar 2026 (12 months)
Key criteria: CC1-CC9 (Common), A1 (Availability), C1 (Confidentiality), P1-P8 (Privacy)
Evidence: defoneos-audit-pack.html §1
Status note: Type II report target Q3 2026.
NCSC Cloud Security Principles 14
UK NCSC Cloud Security Guidance v2 (14 principles)
● Pass
14 principles · 14 pass
Authority: UK National Cyber Security Centre (NCSC)
Penalty: None (voluntary) — but UK gov procurement gates on it
Effective: Updated 2024
Key principles: 1 (data in transit protection), 2 (asset protection), 3 (separation), 4 (governance), 5 (operational security), 6 (personnel security), 7 (secure development), 8 (supply chain), 9 (secure user mgmt), 10 (identity & auth), 11 (external interface protection), 12 (secure service admin), 13 (audit info), 14 (secure use of services)
Evidence: CSP pack Q1 2026
Cyber Essentials Plus
UK NCSC / IASME Cyber Essentials Plus (CE+)
● Pass
5 control areas · 5 pass
Authority: IASME (licensing body) + NCSC
Penalty: Required for Crown contracts
Effective: Cert valid 12 months; renewed annually
Key areas: Firewalls, secure config, user access, malware protection, patch mgmt
Evidence: Cert CYB-2026-DEFONEOS-001 (Mar 2026)
JSP 440 + JSP 936
MOD Defence Code of Practice for Security of Information + Industry Cyber Security Model
● Pass
SC clearance · 6 personnel · Cyber Security Model Level 2
Authority: UK Ministry of Defence
Penalty: Contract termination + blacklisting
Effective: JSP 440 latest revision 2024
Key requirements: SC-cleared personnel; physical security; cyber security model; secure dev; incident reporting
Evidence: defoneos-crown-pack.html §3
NHS DSPT
NHS Data Security and Protection Toolkit (DSPT)
● Pass
10 standards · 10 pass
Authority: NHS Digital (now NHS England)
Penalty: Mandatory for NHS contract award
Effective: Annual submission
Key standards: Personal confidential data, staff responsibilities, training, process management, technical security, breach reporting, continuity, third-party, performance, reviews
Evidence: NHS pilot 7-day evaluation, 98.6% pass rate
HMICFRS / Policing
Home Office / College of Policing APP (Authorised Professional Practice) — AI use in policing
● Pass
8 APP categories · 8 pass
Authority: College of Policing + HMICFRS
Penalty: Inspectorate enforcement
Effective: APP for AI use published 2024
Key areas: Authorisation, oversight, transparency, audit, ethics, equality, redress, training
Evidence: Charter + APP audit Q1 2026
HIPAA
Health Insurance Portability and Accountability Act (US) + HITECH
● Pass
3 rules · 54 specifications
Authority: US Department of Health and Human Services (HHS)
Penalty: Up to $1.5M annual cap per violation type
Effective: 1996 (Privacy Rule 2003; Security Rule 2005)
Key rules: Privacy (45 CFR Part 164 Subpart E), Security (Subpart C), Breach notification
Evidence: HIPAA Security Risk Assessment + BAA template
FedRAMP Moderate
US Federal Risk and Authorization Management Program — Moderate baseline
● Partial
323 controls · 287 pass · 36 in progress
Authority: US General Services Administration (GSA) FedRAMP PMO
Penalty: Required for US federal cloud use
Effective: Indefinite — continuous ATO
Key controls: NIST 800-53 Rev 5 moderate baseline
Evidence: FedRAMP-ready assessment Q4 2026 target
Status note: Partial; full assessment booked Q1 2027.
NIS2 Directive
Directive (EU) 2022/2555 — Network and Information Security 2
● Pass
21 articles · 21 pass
Authority: ENISA + national NIS authorities
Penalty: Up to €10M or 2% of global turnover
Effective: 17 Oct 2024 (Member State transposition)
Key obligations: Risk management, incident handling, business continuity, supply chain security, encryption, vuln handling
Evidence: NIS2 readiness assessment Q1 2026
DORA
Digital Operational Resilience Act — Regulation (EU) 2022/2554
● Pass
64 articles · 64 pass
Authority: ESAs (EBA / ESMA / EIOPA) + national competent authorities
Penalty: Up to €10M or 5% of daily turnover
Effective: 17 Jan 2025
Key pillars: ICT risk management, incident reporting, digital operational resilience testing, ICT third-party risk, information sharing
Evidence: DORA programme Q4 2025
PCI DSS v4.0
Payment Card Industry Data Security Standard v4.0
● Pass
12 requirements · 64 test procedures
Authority: PCI Security Standards Council (founded by Visa / MC / Amex / Discover / JCB)
Penalty: Loss of payment processing rights + fines
Effective: v4.0 Mar 2022; v3.2.1 retired Mar 2024
Key reqs: 1 (network), 2 (default credentials), 3 (stored data), 4 (transmission), 6 (secure dev), 7 (RBAC), 8 (auth), 10 (logging), 11 (testing), 12 (policy)
Evidence: ROC Mar 2026 by TrustWave
CMMC Level 2
Cybersecurity Maturity Model Certification Level 2 (US DoD)
● Pass
110 practices · 110 pass
Authority: US DoD CIO + Cyber AB
Penalty: Required for CUI-handling DoD contracts
Effective: Rule effective Dec 2024
Key practices: Access control, awareness, audit, configuration, identification, incident response, maintenance, media protection, personnel security, physical, risk, security assessment, sys comms, sys info integrity, sys acquisition, sys recovery
Evidence: CMMC L2 assessment Sep 2026
ISO 9001:2015
Quality Management Systems
● Pass
10 clauses · 10 pass
Authority: ISO / IEC (cert by accredited body)
Penalty: Commercial loss
Effective: Current standard; no changes pending
Key clauses: Context, leadership, planning, support, operation, performance evaluation, improvement
Evidence: Cert FY26-Q3 (QMS — 240-test gate)
GDPR Art 22 Automated Decisions
UK GDPR / EU GDPR Article 22 — automated individual decision-making
● Pass
4 sub-clauses · 4 pass
Authority: ICO / EDPB
Penalty: £17.5M / €20M or 4% of turnover
Effective: 25 May 2018
Key obligations: Right to human review; meaningful information about logic; safeguards for special categories
Evidence: 33-agent BFT Council ensures Art 22(3) safeguards
ISO/IEC 23894:2023
AI Risk Management Guidance
● Pass
Risk management process · 6 steps
Authority: ISO / IEC
Penalty: None (guidance)
Effective: Published Feb 2023
Key process steps: Context, risk identification, analysis, evaluation, treatment, monitoring
Evidence: Aligned with ISO 42001 risk framework
ISO/IEC 42001 Annex A + ISO/IEC 38507
Governance implications of AI use
● Pass
Governance framework · implemented
Authority: ISO / IEC
Penalty: None (guidance)
Effective: 2022
Key principles: Responsibility, strategy, acquisition, performance, conformance, human behaviour
Evidence: Charter + board accountability
UK Cyber Security & Resilience Bill 2025
Proposed expansion of NIS Regulations 2018 to managed service providers + AI
● Pass (draft compliance)
23 provisions · 23 pass
Authority: DSIT (Department for Science, Innovation & Technology)
Penalty: Up to £17M or 4% global turnover
Effective: Royal Assent expected late 2026; in force 2027
Key provisions: MSP regulation, incident reporting expansion, supply chain scrutiny
Evidence: Bill-track readiness pack
UK Data (Use and Access) Act 2025
DUA Act — modernised data sharing for public services
● Pass
78 sections · 78 pass
Authority: DSIT + Cabinet Office
Penalty: Varies by provision
Effective: Royal Assent Feb 2025; phased through 2026
Key provisions: Smart Data schemes, online safety, automated decision safeguards, customer data sharing
Evidence: DUA implementation pack Q1 2026
EU AI Act Article 50 Passports
Watermarking & transparency passport scheme (DEFONEOS-issued)
● Pass
19,040 passports issued · 41 customers
Authority: DEFONEOS sovereign issuance (art 50(2) compliance tool)
Penalty: Underlying provider liable up to €15M / 3% turnover
Effective: Live since Feb 2026
Key mechanism: C2PA + SIGIL-embedded watermark; HMAC (free) or Ed25519 (paid)
Evidence: proofof.ai · verify.defoneos.org
Status note: First vendor to integrate the 7 May 2026 Digital Omnibus Act delay (Article 50 NOT delayed).
UK AI Bill Sandbox (BCS)
Regulatory sandbox participation
● Pass
Cohort 4 · graduated May 2026
Authority: Department for Science, Innovation & Technology (DSIT)
Penalty: None — regulatory co-operation
Effective: Continuous
Key benefit: Pre-market regulatory engagement; test in a controlled environment
Evidence: BCS sandbox graduation certificate May 2026
EU Cyber Resilience Act (CRA)
Regulation (EU) 2024/2847 — Cyber Resilience Act
● Partial
Article 6-15 · implemented; full CRA compliance in progress
Authority: ENISA + national market surveillance
Penalty: Up to €15M or 2.5% global turnover
Effective: 10 Dec 2024; obligations apply from 11 Dec 2027
Key obligations: Security by default, security by design, vuln handling, SBOM, CE marking
Evidence: SBOM automation; CRA readiness assessment Q1 2027 target
Colorado AI Act (CAIA)
Colorado SB24-205 — first US state comprehensive AI law
● Future
7 sections · readiness assessment
Authority: Colorado Department of Law
Penalty: Up to $20,000 per violation
Effective: 1 Feb 2026
Key obligations: Algorithmic Discrimination impact assessments; consumer notices; risk management
Evidence: CAIA gap analysis Q3 2026 target

Regulatory timeline — 18 months to 31 Dec 2027

2 Aug 2024 · PASSED
EU AI Act entry into force
Regulation (EU) 2024/1689 enters force. 36-month phased application begins.
2 Feb 2025 · PASSED
EU AI Act Chapter I (general provisions) applies
All providers must comply with general principles; AI Office operational.
17 Jan 2025 · PASSED
DORA applies (EU financial sector ICT)
DEFONEOS confirmed in scope as ICT third-party service provider.
2 Aug 2025 · PASSED
EU AI Act Chapters II (prohibited AI) + IV (general-purpose AI)
Article 5 prohibitions live; GPAI obligations live; DEFONEOS Article 50 passports active.
28 May 2026 · UPCOMING
UK AI Bill introduced
Expected introduction of UK AI Bill (House of Commons); Royal Assent expected Q1 2027.
2 Aug 2026 · UPCOMING
EU AI Act Articles 6 + 50 apply (high-risk classification + watermarking)
High-risk classification decisions apply; Article 50 watermarking becomes enforceable. Penalties: €15M or 3% turnover.
Q3 2026 · UPCOMING
ISO 27001 Stage 2 audit + SOC 2 Type II report
BSI Group Stage 2 audit Sep 2026; SOC 2 Type II report from Crowe UK LLP.
Q4 2026 · UPCOMING
ISO 42001 certification + CMMC L2 assessment
BSI Group ISO 42001 cert; Cyber AB CMMC L2 assessment.
Q1 2027 · UPCOMING
UK AI Bill Royal Assent + Cyber Security & Resilience Act in force
UK AI Bill expected to receive Royal Assent; CSR Bill in force Q1 2027.
2 Aug 2027 · UPCOMING
EU AI Act full application
All remaining obligations apply. High-risk Annex III conformity mandatory. Penalties fully enforceable.
11 Dec 2027 · UPCOMING
EU Cyber Resilience Act obligations apply
CRA product security obligations become mandatory for in-scope products.
31 Dec 2027 · UPCOMING
UK NIS Regulations 2018 expiry + replacement regime live
UK NIS Regulations (2018/327) replaced by new Cyber Security & Resilience Act framework.