Is ISO/IEC 42001 Becoming the Default Evidence Layer for EU AI Act Readiness?
A certificate is not a legal conformity assessment. Say that first, because the market is starting to blur the two.

A certificate is not a legal conformity assessment. Say that first, because the market is starting to blur the two.


The question is no longer whether the EU Digital Identity Wallet ships. It is whether your organization can accept one when a user presents it, and whether you are legally obliged to.

When one of your cloud, data-centre, or managed-service providers lands on the European Supervisory Authorities' annual list of critical ICT third-party service providers, the relationship stops being a private commercia…

The EU Data Act, Regulation (EU) 2023/2854, has applied since 12 September 2025. That is not a proposal date or a transposition target.

The transitional window closed on 1 July 2026. Crypto-asset service providers that had been operating across the EU under national regimes have now either secured authorization under MiCA, or they have lost the legal bas…

Phase 1 of the CMMC Program is the point where cybersecurity stops being a clause you scroll past and becomes a gate on the award itself.

Most sustainability teams built their CSRD program the way you build a bridge: survey the ground once, pour the foundations, and assume the terrain will hold. Then the 2025 Omnibus moved the ground.

Most records of processing activities are not records. They are archaeology. A spreadsheet built for a data-mapping exercise two years ago, updated the week before an audit, and otherwise untouched while the actual proce…

The European Health Data Space is not a future regulation you can park. Regulation (EU) 2025/327 was adopted on 11 February 2025 and is already in force. The application dates are fixed.

The Colorado AI Act stopped being a future problem on June 30, 2026. As enacted, SB 24-205 wrote its operative duties to apply "on and after February 1, 2026." A 2025 amendment, SB 25-004, pushed the applicability date t…

Your NYDFS certification is not a form. It is an attestation that the data behind it exists, is current, and could be produced on demand. That distinction is where most covered entities will get caught in 2026.

EMIR did not get rewritten. It got a new gravity well. For more than a decade, the question under the European Market Infrastructure Regulation was binary: is this class of OTC derivative subject to the clearing obligati…

DORA (Regulation (EU) 2022/2554) entered application on 17 January 2025. The first full annual cycle has now run its course. That changes the question for compliance officers.

The algorithm decision is already made. NIST made it for you when it published FIPS 203 in August 2024 and named ML-KEM the standard mechanism for establishing a shared secret key that survives a quantum computer.

India built its privacy law in two layers, and most teams only read the first one. The Digital Personal Data Protection Act, 2023 is the statute.

Most CMMC programs are built to pass a date. The certification assessment is treated as the deliverable.

Most teams treat "August 2026" as the moment every high-risk AI obligation switches on. It is not that clean. The AI Act applies from 2 August 2026 as its general date.

CPS 230 commenced on 1 July 2025. The transitional grace for pre-existing service provider contracts runs out on the earlier of the next renewal date or 1 July 2026. That second date is now weeks away.

A defense contract can now be lost on a number you posted to a government database yourself.

A gatekeeper designation under the EU's Digital Markets Act is not a verdict you serve and move past. It is the start of a compliance relationship that never closes.

DORA entered application on 17 January 2025. A year on, most financial entities have a register of information and a testing programme.

Your legal team signed off on an AI vendor last quarter. Your data science group shipped a model into a customer-facing workflow the quarter before.

The CER Directive has a date on it now, and it is close. By 17 July 2026, every EU member state must finish identifying which organizations on its territory count as critical entities.

There is a category error sitting at the center of most SFDR programs. It is the assumption that the Sustainable Finance Disclosure Regulation asks you to produce documents. It does not.

Most CSRD programmes start in the wrong building. They start in sustainability or corporate communications, with a glossary, a stakeholder survey, and a deck about purpose.

The most expensive misreading of the SEC cybersecurity disclosure rules is also the most common one: that you have four business days from discovering an incident to file. You do not.

For three years, "we are still inside the transitional window" was a defensible answer to a DFS examiner. That answer is gone. The Second Amendment to 23 NYCRR 500 took effect November 1, 2023.

The Texas Data Privacy and Security Act is no longer a future obligation. The Act took effect July 1, 2024, and its last deferred provision, the authorized-agent and universal opt-out mechanism in Section 541.055(e), too…

Your control matrix looks finished. Every line item maps to a Trust Services Criterion. CC6.1 has an owner, CC7.2 has a policy, CC8.1 points at your change process.

If your device runs software, the EU MDR already regulates its cybersecurity. Not as a recommendation, and not in a separate annex you can defer.

Most teams chasing ISO 27001 spend ninety percent of their energy on Annex A. They build a control matrix, argue about whether they need a clear-desk policy, and treat the rest of the standard as a cover sheet.

Most payment firms are doing the regulatory equivalent of packing for a trip whose itinerary hasn't been confirmed.

"Addressable" is the most expensive word in the HIPAA Security Rule, because most teams read it as "optional." It is not optional.

If you sell cloud, managed services, software, or any ICT capability into EU banks, investment firms, payment institutions, or insurers, DORA is already in your contracts.

Here is a question worth asking your compliance team this quarter: which of your obligations under the EU Data Act are currently covered by your data governance program? If the answer is "the Data Act is a privacy thing,…

Most teams reading NIS2 for the first time go looking for a control list and come back frustrated. Article 21 does not hand you 114 controls the way ISO 27001 Annex A does.

Article 28 is the contractual backbone of every controller–processor relationship under GDPR. Here is what the text actually requires, where organisations fall short, and how to close the gap before a supervisory authority does.

Prohibited AI practices have been enforceable since February 2025. GPAI model obligations landed in August 2025. Now the clock is ticking on Article 50 transparency duties — they apply from 2 August 2026. Here is what you must have in place today, and what to build before next summer.

DORA Article 28 turns the register of information from a vendor list into a supervised, always-current record. Here is exactly what it must contain, who maintains it, and what an inspection probes.

The annual audit gives you a photograph of a river. Continuous compliance gives you the water itself. It is time to stop framing snapshots as truth and start treating control posture as the living system it actually is.

The NIS2 Directive's EU-wide transposition deadline passed in October 2024, but member-state implementation is patchy — leaving essential and important entities caught between inconsistent national rules and real enforcement exposure. Here is the plain-language compliance agenda.

Most risk platforms give you a number. Aigis GRC gives you three — and the story behind each one. Here is how the inherent–effectiveness–residual stack works, and why it matters when a regulator or board asks you to show your work.

Running GDPR, SOC 2, ISO 27001, and DORA audits back-to-back shouldn't mean rebuilding your evidence pack four times. A unified control library maps once and satisfies many — here's how to build one that actually holds up.

An illustrative composite — not a specific customer. Running SOC 2 and ISO 27001 as two separate audits burns time, money, and engineering bandwidth a growth-stage fintech rarely has. Here is how a single overlapping evidence cycle could satisfy both.
One email. What changed across 216 instruments, why it matters for teams like yours, and the control to check before your next audit.
Aigis GRC is built by operators who spent years navigating audits and managing risk registers in spreadsheets. Security Insights is where that experience gets written down: analysis grounded in real data from CIS, NIST, DBIR, and regulatory guidance — not opinion.
About Aigis GRCFormer CIO & CISO across FCA-regulated fintech, IoT, and cyber defense. 25 years on the operator side of GDPR, ISO 27001, and financial-services audits.
Systems architect, embedded firmware to cloud-scale AI. Designed the Aigis intelligence engine: regulation ingestion, risk modeling, and compliance automation.