Regulatory Operations

Control statements and requirements for regulatory operations.

RO-1 Regulatory Compliance Framework

The organisation shall establish, document, and maintain a comprehensive framework for ensuring compliance with applicable AI regulations and standards. This framework shall include processes for identifying relevant requirements, assessing applicability, implementing necessary controls, and verifying ongoing compliance. The organisation shall maintain systematic processes for tracking and implementing new regulatory requirements, conducting conformity assessments, maintaining necessary certifications, and ensuring timely renewal of compliance documentation. Special attention shall be given to high-risk AI system requirements and prohibited practices. The organisation shall implement processes to track changes that may affect compliance status and maintain evidence of continued conformity with legal obligations.

ISO27001: A.18.1
ISO27701: 18.2.1 A.7.2.1-A.7.2.4 B.8.2.1-B.8.2.2 B.8.2.4-B.8.2.5
EU AI ACT: 5.1 5.2 6.1-6.4 8.1-8.2 40.1 41.1 42.1 43.1-43.4 44.2-44.3 47.1-47.4 49.1-49.3
NIST RMF: Govern 1.1 Map 4.1
SOC2: CC1.5

RO-2 Transparency, Disclosure and Reporting

The organisation shall implement mechanisms to ensure appropriate transparency regarding AI systems, including clear notification of AI use, disclosure of automated decision-making, and communication of significant system changes. The organisation shall establish and maintain processes for reporting incidents, safety issues, and non-compliance to relevant authorities and affected stakeholders. This shall include clear procedures for incident detection, assessment, notification timelines, and follow-up actions.

ISO42001: A.8.3 A.8.5
ISO27001: A.6.3
ISO27701: 6.2.3 A.7.3.2-A.7.3.3 A.7.3.8-A.7.3.9 A.7.5.3-A.7.5.4 B.8.5.3-B.8.5.6
EU AI ACT: 50.1-50.5 86.1-86.3 20.1 20.2 60.7 60.8
NIST RMF: Govern 6.1 Map 4.1
SOC2: CC2.3 P1.1 P1.2 P1.3

RO-3 Record-Keeping

The organisation shall maintain comprehensive documentation and records demonstrating compliance with AI regulatory requirements. This shall include technical documentation, conformity assessments, impact analyses, test results, and evidence of ongoing monitoring. The organisation shall establish retention periods aligned with regulatory requirements, implement secure storage systems, and ensure documentation remains accessible to authorised parties throughout required retention periods.

ISO27001: A.7.2
ISO27701: 8.2.3 A.7.2.8 A.7.3.1 A.7.4.3 A.7.4.6-A.7.4.8 B.8.2.6 B.8.4.1-B.8.4.2
EU AI ACT: 11.1 11.3 18.1 19.1 19.2 71.2 71.3
NIST RMF: Map 4.1 Measure 2.12
SOC2: P3.1 P3.2 P3.3

RO-4 Post-Market Monitoring

The organisation shall implement comprehensive post-market monitoring systems for deployed AI systems, including mechanisms for tracking performance, identifying issues, and implementing corrective actions. This shall include processes for reporting incidents to relevant authorities, maintaining required documentation, and conducting periodic reviews of system performance. The organisation shall ensure appropriate escalation paths exist for identified issues and maintain clear procedures for implementing necessary corrective actions.

ISO42001: A.8.3
ISO27701: 6.2.3 A.7.3.6-A.7.3.7 A.7.3.10 A.7.4.3 B.8.3.1 B.8.5.7-B.8.5.8
EU AI ACT: 72.1-72.4 79.4 80.4-80.5
NIST RMF: Govern 6.1 Measure 2.12
SOC2: CC1.5