Legal/Compliance Engine (Module 6) and Phase 5 of the response chain. The engine translates a classified incident into regulatory obligations, generates report templates for authorities while honouring statutory deadlines, and maintains an auditable decision log. Doctrine: claim ≤ proof — no report leaves the system without an associated chain of evidence.
The engine reads the legal flags set by the Classification Engine, maps them to regimes (AI Act / NIS2 / national cybersecurity law / GDPR / DORA), computes deadlines from the moment of detection, and suggests the competent authority. The operator decides on dispatch — the system provides complete, consistent material.
The Classification Engine sets the following boolean flags on the incident record. Each active flag triggers the corresponding report template and a deadline clock.
| Flag | Operational definition | Regime / basis | Effect |
|---|---|---|---|
| AI_ACT_RELEVANT | Incident concerns an AI system within the meaning of Regulation (EU) 2024/1689 (provider/deployer). | AI Act | Risk assessment + transparency obligations (art. 50). |
| AI_HIGH_RISK | System falls under high risk per Annex III (incl. credit scoring, biometrics, HR). | AI Act, Annex III | Stricter oversight and logging obligations. |
| AI_SERIOUS_INCIDENT | Serious AI incident: death/injury, serious harm to critical infrastructure, breach of fundamental rights, damage to property/environment. | AI Act, art. 73 | Notification to the market surveillance authority. |
| GDPR_PERSONAL_DATA | Personal data is present in the incident (customers, employees, beneficiaries). | GDPR (EU) 2016/679 | Assessment of whether a breach occurred. |
| GDPR_BREACH | Personal data breach: loss of confidentiality/integrity/availability of personal data. | GDPR art. 33/34 | Notification to the supervisory authority ≤ 72h; possible notice to individuals. |
| NIS2_RELEVANT | Essential/important entity covered by the NIS2 Directive; incident significant to service continuity. | Directive (EU) 2022/2555 | 24h / 72h / final report path. |
| KSC_RELEVANT | Entity/incident covered by the national cybersecurity system (NIS2 implementation in PL). | National Cybersecurity Act | Notification to the competent CSIRT. |
| CRITICAL_INFRA | Concerns critical infrastructure (finance, energy, health, transport, water). | Sectoral + NIS2 | Elevated priority and escalation. |
| LAW_ENFORCEMENT | Suspicion of a criminal offence; justification for notifying law enforcement. | Criminal / procedural code | Preservation of evidence, notification. |
FRAMEWORK/NORM The above is an interpretation of obligations based on the publicly known text of the regulations — not legal advice for a specific set of facts.
AI_SERIOUS_INCIDENT = true. The provider of a high-risk AI system reports the serious incident to the market surveillance authority of the state where the incident occurred.

| Report field | Source in the system |
|---|---|
| AI system identifier, version, role (provider/deployer) | Agent registry / incident metadata |
| Incident description and nature of the serious harm | Incident Intake + Evidence Layer |
| Cause-and-effect chain (where established) | Analysis / action trace |
| Remedial and corrective measures | Playbook Engine — action log |
| Evidence (hash, timestamp, chain-of-custody) | Evidence Board |
FRAMEWORK/NORM The AI Act provides for prompt reporting once a causal link (or its reasonable likelihood) is established, with deadlines depending on the scale of impact. The system does not replace the provider's legal assessment.
| Stage | Deadline | Content | Recipient |
|---|---|---|---|
| Early warning | ≤ 24h from detection of a significant incident | Initial signal: whether unlawful/malicious activity is suspected, possible cross-border impact. | Competent CSIRT / authority |
| Incident notification | ≤ 72h from detection | Update to the early warning: significance assessment, indicators of compromise (IoC), preliminary classification. | Competent CSIRT / authority |
| Final report | ≤ 1 month from the incident notification | Detailed description, root cause, applied measures, cross-border effects. | Competent CSIRT / authority |
FRAMEWORK/NORM The 24h/72h/1-month path mirrors the regime of NIS2 art. 23. While an incident is ongoing, interim reports may be requested by the authority.
≤ 72h from becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals.
Contains: nature of the breach, categories and approximate number of individuals/records, likely consequences, applied measures.
Where the breach may cause a high risk to rights and freedoms — without undue delay, in plain and clear language.
Exceptions: effective encryption of data, measures eliminating the high risk, disproportionate effort (public communication).
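The deadline clocks described above (NIS2 24h/72h from detection, final report one month after the incident notification, GDPR art. 33 72h from awareness), worked through as an added example. This is illustrative code, not the engine's own implementation; the flag names and hour values are taken from the page's tables, the reading of "1 month" as a calendar month is an assumption, and obligations the page gives no fixed clock for (AI Act art. 73 "prompt" reporting, the GDPR breach assessment) are listed with no due date.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone

# Clock rules transcribed from the page's tables. Hours run from the
# detection/awareness timestamp; entries with None are obligations the
# page lists without a fixed clock, so they are surfaced but not timed.
RULES = {
    "NIS2_RELEVANT": [("NIS2 early warning", 24), ("NIS2 incident notification", 72)],
    "GDPR_BREACH": [("GDPR art. 33 notification to supervisory authority", 72)],
    "GDPR_PERSONAL_DATA": [("GDPR breach assessment by Legal/DPO", None)],
    "AI_SERIOUS_INCIDENT": [("AI Act art. 73 notification to market surveillance", None)],
}

def plus_one_month(t):
    """Calendar month (assumed reading of the page's '1 month'), clamped to month end."""
    y, m = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=y, month=m, day=min(t.day, monthrange(y, m)[1]))

def compute_deadlines(flags, detected_at):
    """Return [(obligation, due datetime or None)], timed obligations first, earliest first."""
    if detected_at.tzinfo is None:
        # A naive timestamp silently shifts every clock by the local UTC offset.
        raise ValueError("detected_at must be timezone-aware")
    obligations = []
    for flag, rules in RULES.items():
        if not flags.get(flag, False):
            continue
        for name, hours in rules:
            due = detected_at + timedelta(hours=hours) if hours is not None else None
            obligations.append((name, due))
            if name == "NIS2 incident notification":
                # The final report clock runs from the notification, not from detection.
                obligations.append(("NIS2 final report", plus_one_month(due)))
    return sorted(obligations, key=lambda o: (o[1] is None, o[1] or detected_at))

if __name__ == "__main__":
    # Constructed sample incident, detected 2026-07-04 09:00Z (date mirrors the decision log).
    t0 = datetime(2026, 7, 4, 9, 0, tzinfo=timezone.utc)
    sample_flags = {"NIS2_RELEVANT": True, "GDPR_BREACH": True, "GDPR_PERSONAL_DATA": True}
    for name, due in compute_deadlines(sample_flags, t0):
        print(f"{name:55s} {due.isoformat() if due else 'no fixed clock'}")
```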
GDPR_PERSONAL_DATA flag → automatic assignment of the Legal/DPO role.
GDPR_BREACH assessment (loss of confidentiality/integrity/availability). Decision + rationale recorded in the log.
Every decision affecting the legal regime or a high-risk action is logged verifiably (who, when, on what evidentiary basis). This is the foundation of auditability towards financial, data protection, and AI market surveillance authorities.
| ID | Decision | Role | Evidentiary basis | Status | Timestamp |
|---|---|---|---|---|---|
| HITL-0417 | Classifying the event as GDPR_BREACH | Legal/DPO | EV-2211 (access log) | SIMULATION | 2026-07-04 09:12Z |
| HITL-0418 | Approval of the NIS2 24h notification | Operator | EV-2212, EV-2213 | SIMULATION | 2026-07-04 09:40Z |
| HITL-0419 | Refusal of autonomous account blocking by an agent | AI Safety Officer | TRACE-8890 | SIMULATION | 2026-07-04 10:05Z |
The rows above are SIMULATION — demonstration data illustrating the log structure, not real decisions.
The engine generates an evidence bundle attached to each report. Integrity is ensured by a chained hash (chain-of-custody), so that the material is usable in proceedings before an authority or court.
```http
POST /api/incidents/:id/export
{
  "format": "evidence-bundle",   // pdf-signed | json-manifest | evidence-bundle
  "include": ["timeline", "evidence", "classification", "decisions", "report"],
  "seal": "sha256-chain",        // hash of each artifact + aggregate hash
  "recipient": "CSIRT | DPA | market-surveillance"
}
--> 200 { "bundle_id": "EXB-0091", "sealed_hash": "…", "artifacts": 14 }
```
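How a `sha256-chain` seal of the kind named in the export request can be built and verified, as an added example that is not the engine's own code. Artifacts are hashed over canonical JSON, each chain link hashes the previous link together with the artifact hash, and the last link is the aggregate `sealed_hash`; verification also enforces the page's claim ≤ proof doctrine by rejecting a report or decision that cites an evidence id absent from the bundle. The sample artifacts and the `cites` field are constructed for this example.

```python
import hashlib
import json

def artifact_hash(artifact):
    """sha256 over canonical JSON (sorted keys, no whitespace): key order cannot alter the hash."""
    canon = json.dumps(artifact, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()

def seal_bundle(artifacts):
    """sha256-chain seal: link_i = sha256(link_{i-1} || hash_i), starting from a zero link.
    The final link is the aggregate sealed_hash; any edit, drop or reorder changes it."""
    link = "0" * 64
    manifest = []
    for art in artifacts:
        h = artifact_hash(art)
        link = hashlib.sha256((link + h).encode()).hexdigest()
        manifest.append({"id": art["id"], "hash": h, "link": link})
    return {"artifacts": len(manifest), "manifest": manifest, "sealed_hash": link}

def verify_bundle(artifacts, bundle):
    """Recompute the chain against the stored seal, then enforce claim <= proof:
    every evidence id that a report or decision cites must itself be in the bundle."""
    if seal_bundle(artifacts)["sealed_hash"] != bundle["sealed_hash"]:
        return False, "sealed_hash mismatch: artifact altered, removed or reordered"
    present = {a["id"] for a in artifacts}
    for art in artifacts:
        missing = [ref for ref in art.get("cites", []) if ref not in present]
        if missing:
            return False, f"{art['id']} cites evidence not in bundle: {missing}"
    return True, "ok"

# Constructed sample bundle; the ids mirror the page's decision-log rows.
SAMPLE = [
    {"id": "EV-2211", "type": "evidence", "desc": "access log", "ts": "2026-07-04T09:05Z"},
    {"id": "EV-2212", "type": "evidence", "desc": "EDR alert", "ts": "2026-07-04T09:20Z"},
    {"id": "HITL-0417", "type": "decision", "role": "Legal/DPO", "cites": ["EV-2211"]},
    {"id": "REPORT-NIS2-24H", "type": "report", "cites": ["EV-2211", "EV-2212"]},
]

if __name__ == "__main__":
    bundle = seal_bundle(SAMPLE)
    print(json.dumps({"artifacts": bundle["artifacts"], "sealed_hash": bundle["sealed_hash"]}))
    print(verify_bundle(SAMPLE, bundle))
```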
FRAMEWORK/NORM The calendar mirrors statutory deadlines; it does not refer to any real incident. Clocks start only after a real event has been classified.
| Obligation | Date | Status |
|---|---|---|
| Prohibited AI practices + AI literacy obligations | 2 Feb 2025 | IN FORCE |
| General-purpose AI models (GPAI) | 2 Aug 2025 | IN FORCE |
| Art. 50 — transparency (labelling AI content/interactions, deepfakes) | 2 Aug 2026 | ENTERING |
| High-risk systems — Annex III (scoring, HR, biometrics) | 2 Feb 2026 → 2 Dec 2027 | DEFERRED (Digital Omnibus) |