Frameworks

Industry standards and legal requirements, kept distinct

AI adoption rarely touches a single regime, and two very different things are often confused: voluntary industry standards you can be certified against, and legal requirements you must comply with. We keep them clearly separated, then connect them into one coherent path.

Industry standards & certifications

Voluntary, certifiable frameworks that prove maturity to customers and partners. You choose to adopt them, and you can be audited and certified against them.

Legal & regulatory requirements

Binding law. You must comply where it applies, certification or not. Non-compliance carries real liability, fines, and reputational risk.

Industry standards & certifications

Voluntary, certifiable standardization

ISO 9001 Quality

What it is
The international standard for quality management systems (QMS), built on consistency and continual improvement.
How AI intersects
AI changes how work is produced; quality controls must ensure validation of AI outputs isn’t quietly bypassed.
How we help
Embed human validation of AI outputs into your quality processes.

ISO/IEC 27001 Information security

What it is
The international standard for an information security management system (ISMS).
How AI intersects
AI tools and data flows become assets, risks, and controls your ISMS must govern.
How we help
Extend your ISMS to cover AI usage, data handling, and supplier risk.

ISO/IEC 42001 AI management

What it is
The first international standard for an AI management system (AIMS), designed specifically for organizations that build or use AI.
How AI intersects
It is the framework purpose-built to operationalize responsible AI across its full lifecycle.
How we help
Stand up an AIMS that satisfies ISO 42001 and dovetails with your EU AI Act obligations.

TISAX Automotive

What it is
The automotive industry’s assessment and exchange mechanism for information security.
How AI intersects
AI handling of sensitive or prototype data must satisfy TISAX information-security expectations.
How we help
Prepare AI-related practices for TISAX assessment readiness.

SOC 2 Service trust

What it is
An attestation of controls over security, availability, processing integrity, confidentiality, and privacy for service providers.
How AI intersects
AI sub-processors and features fall within the controls auditors test.
How we help
Map AI components to your SOC 2 control set and supporting evidence.

ISO 22301 Business continuity

What it is
The international standard for business continuity management.
How AI intersects
Dependence on AI services creates new continuity and resilience risks to plan for.
How we help
Account for AI dependencies in your continuity and recovery plans.

Legal & regulatory requirements

Binding law you must comply with

EU AI Act AI-specific

What it is
The EU’s risk-based regulation of artificial intelligence, setting obligations by risk tier: prohibited uses, high-risk systems, and transparency duties.
How AI intersects
It directly classifies your AI use cases and assigns concrete obligations, documentation, and human-oversight requirements.
How we help
Use-case classification, readiness assessment, and a remediation roadmap.

GDPR Data protection

What it is
The EU’s General Data Protection Regulation governing the processing of personal data.
How AI intersects
Training data, automated decisions, and profiling raise lawful-basis, transparency, and DPIA obligations.
How we help
DPIAs for AI, lawful-basis analysis, privacy-by-design, and a fractional DPO (Data Protection Officer).

NIS2 Cybersecurity

What it is
The EU directive raising cybersecurity and incident-reporting requirements for essential and important entities.
How AI intersects
AI systems become assets to secure and risks to manage under your cyber-risk regime.
How we help
Fold AI assets into your NIS2 risk management and governance controls.

DORA Financial resilience

What it is
The EU’s Digital Operational Resilience Act for the financial sector and its critical ICT providers.
How AI intersects
AI-driven and third-party ICT services fall under DORA’s resilience, testing, and oversight rules.
How we help
Bring AI and ICT third-party risk into your DORA program.

Cyber Resilience Act (CRA) Product security

What it is
EU rules imposing cybersecurity requirements on products with digital elements across their lifecycle.
How AI intersects
AI-enabled features are digital elements that must meet security-by-design and update obligations.
How we help
Align AI-enabled product features with CRA requirements and documentation.

HIPAA Health data · US

What it is
The US framework protecting health information held by covered entities and their business associates.
How AI intersects
AI processing of protected health information (PHI) must preserve privacy and security safeguards.
How we help
Keep AI workflows that touch PHI within HIPAA’s safeguards.

Which of these apply to you?

We’ll help you understand which frameworks apply and turn them into one manageable plan.