K0NSULT // ai-truth/ipIII

Compliance & reporting

Legal/Compliance Engine (Module 6) and Phase 5 of the response chain. The engine translates a classified incident into regulatory obligations, generates report templates for authorities while honouring statutory deadlines, and maintains an auditable decision log. Doctrine: claim ≤ proof — no report leaves the system without an associated chain of evidence.

Disclaimer. Templates and mappings are framework-level and educational — they are not a certification, audit, or legal opinion. They support the preparation of a notification but do not replace the decision of a DPO/lawyer, the assessment of the competent authority, or the official notification channel (data protection authority / CSIRT / market surveillance authority). Final qualification and dispatch belong to authorised persons.
Phase 5 in the chain: REPORT → EVIDENCE → STATUS → CLASSIFICATION → RISK → PLAYBOOK → ACTION → VALIDATION → FILING ▸ RESILIENCE
Compliance is not a separate process — it is a function of the incident's evidentiary state.

The engine reads the legal flags set by the Classification Engine, maps them to regimes (AI Act / NIS2 / national cybersecurity law / GDPR / DORA), computes deadlines from the moment of detection, and suggests the competent authority. The operator decides on dispatch — the system provides complete, consistent material.

1. Legal flags — glossary

The Classification Engine sets the following boolean flags on the incident record. Each active flag triggers the corresponding report template and a deadline clock.

| Flag | Operational definition | Regime / basis | Effect |
|---|---|---|---|
| AI_ACT_RELEVANT | Incident concerns an AI system within the meaning of Regulation (EU) 2024/1689 (provider/deployer). | AI Act | Risk assessment + transparency obligations (art. 50). |
| AI_HIGH_RISK | System falls under high risk per Annex III (incl. credit scoring, biometrics, HR). | AI Act, Annex III | Stricter oversight and logging obligations. |
| AI_SERIOUS_INCIDENT | Serious AI incident: death/injury, serious harm to critical infrastructure, breach of fundamental rights, damage to property/environment. | AI Act, art. 73 | Notification to the market surveillance authority. |
| GDPR_PERSONAL_DATA | Personal data is present in the incident (customers, employees, beneficiaries). | GDPR (EU) 2016/679 | Assessment of whether a breach occurred. |
| GDPR_BREACH | Personal data breach: loss of confidentiality/integrity/availability of personal data. | GDPR art. 33/34 | Notification to the supervisory authority ≤ 72h; possible notice to individuals. |
| NIS2_RELEVANT | Essential/important entity covered by the NIS2 Directive; incident significant to service continuity. | Directive (EU) 2022/2555 | 24h / 72h / final report path. |
| KSC_RELEVANT | Entity/incident covered by the national cybersecurity system (NIS2 implementation in PL). | National Cybersecurity Act | Notification to the competent CSIRT. |
| CRITICAL_INFRA | Concerns critical infrastructure (finance, energy, health, transport, water). | Sectoral + NIS2 | Elevated priority and escalation. |
| LAW_ENFORCEMENT | Suspicion of a criminal offence; justification for notifying law enforcement. | Criminal / procedural code | Preservation of evidence, notification. |

FRAMEWORK/NORM The above is an interpretation of obligations based on the publicly known text of the regulations — not legal advice for a specific set of facts.

2. Report templates for authorities

2.1 AI Act art. 73 — serious incident

Trigger: AI_SERIOUS_INCIDENT = true. The provider of a high-risk AI system reports the serious incident to the market surveillance authority of the state where the incident occurred.
| Report field | Source in the system |
|---|---|
| AI system identifier, version, role (provider/deployer) | Agent registry / incident metadata |
| Incident description and nature of the serious harm | Incident Intake + Evidence Layer |
| Cause-and-effect chain (where established) | Analysis / action trace |
| Remedial and corrective measures | Playbook Engine — action log |
| Evidence (hash, timestamp, chain-of-custody) | Evidence Board |

FRAMEWORK/NORM The AI Act provides for prompt reporting once a causal link (or its reasonable likelihood) is established, with deadlines depending on the scale of impact. The system does not replace the provider's legal assessment.

2.2 NIS2 — three-stage notification path

| Stage | Deadline | Content | Recipient |
|---|---|---|---|
| Early warning | ≤ 24h from detection of a significant incident | Initial signal: whether unlawful/malicious activity is suspected, possible cross-border impact. | Competent CSIRT / authority |
| Incident notification | ≤ 72h from detection | Update to the early warning: significance assessment, indicators of compromise (IoC), preliminary classification. | Competent CSIRT / authority |
| Final report | ≤ 1 month from the incident notification | Detailed description, root cause, applied measures, cross-border effects. | Competent CSIRT / authority |

FRAMEWORK/NORM The 24h/72h/1-month path mirrors the regime of NIS2 art. 23. While an incident is ongoing, interim reports may be requested by the authority.

2.3 GDPR art. 33 / 34 — personal data breach

art. 33 — notification to the supervisory authority

≤ 72h from becoming aware of the breach, unless it is unlikely to result in a risk to the rights and freedoms of individuals.

Contains: nature of the breach, categories and approximate number of individuals/records, likely consequences, applied measures.

art. 34 — notice to individuals

Where the breach may cause a high risk to rights and freedoms — without undue delay, in plain and clear language.

Exceptions: effective encryption of data, measures eliminating the high risk, disproportionate effort (public communication).

3. DPO / Legal workflow

  1. Trigger: the incident receives the GDPR_PERSONAL_DATA flag → automatic assignment of the Legal/DPO role.
  2. Breach assessment: the DPO decides whether the event is a GDPR_BREACH (loss of confidentiality/integrity/availability). Decision + rationale recorded in the log.
  3. 72h clock: from becoming aware of the breach, the system counts down the art. 33 deadline; a visible counter on the Legal Board.
  4. Risk assessment for individuals: if high risk → the art. 34 path is triggered.
  5. Draft + dispatch: template populated with data from the Evidence Layer; the DPO approves, the Operator sends.
  6. Closure: delivery confirmation + the authority's case number attached to the record.

4. Human-in-the-loop decision log

Every decision affecting the legal regime or a high-risk action is logged verifiably (who, when, on what evidentiary basis). This is the foundation of auditability towards financial, data protection, and AI market surveillance authorities.

| ID | Decision | Role | Evidentiary basis | Status | Timestamp |
|---|---|---|---|---|---|
| HITL-0417 | Classifying the event as GDPR_BREACH | Legal/DPO | EV-2211 (access log) | SIMULATION | 2026-07-04 09:12Z |
| HITL-0418 | Approval of the NIS2 24h notification | Operator | EV-2212, EV-2213 | SIMULATION | 2026-07-04 09:40Z |
| HITL-0419 | Refusal of autonomous account blocking by an agent | AI Safety Officer | TRACE-8890 | SIMULATION | 2026-07-04 10:05Z |

The rows above are SIMULATION — demonstration data illustrating the log structure, not real decisions.

5. Evidentiary export

The engine generates an evidence bundle attached to each report. Integrity is ensured by a chained hash (chain-of-custody), so that the material is usable in proceedings before an authority or court.

POST /api/incidents/:id/export
{
  "format": "evidence-bundle",     // pdf-signed | json-manifest | evidence-bundle
  "include": ["timeline","evidence","classification","decisions","report"],
  "seal": "sha256-chain",          // hash of each artifact + aggregate hash
  "recipient": "CSIRT | DPA | market-surveillance"
}
--> 200 { "bundle_id":"EXB-0091", "sealed_hash":"…", "artifacts": 14 }
Principle: the export contains only artifacts with a confirmed evidentiary status. GAP elements are explicitly marked as absence of evidence — they are never presented as fact.
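An added example, not the engine's own code, of the sha256-chain seal described above: each CONFIRMED artifact is hashed, the links are chained, GAP items are listed as absence of evidence without a hash, and verification recomputes the chain from the supplied contents. The artifact ids and contents below are constructed sample data, and the function names and chain construction are assumptions.

```python
import hashlib
from typing import Dict, List, Tuple

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_bundle(bundle_id: str, artifacts: List[dict]) -> dict:
    """artifacts: [{"id", "status": "CONFIRMED" | "GAP", "content": bytes | None}] in chain order.
    CONFIRMED artifacts are hashed and linked into a running chain; GAP entries are listed as
    absence of evidence, carry no hash and contribute nothing to the seal (claim <= proof)."""
    running = sha256_hex(bundle_id.encode())        # chain genesis, bound to the bundle id
    manifest = []
    for art in artifacts:
        if art["status"] == "CONFIRMED":
            h = sha256_hex(art["content"])
            running = sha256_hex((running + h).encode())   # link = H(previous link || artifact hash)
            manifest.append({"id": art["id"], "status": "CONFIRMED", "sha256": h, "chain": running})
        else:
            manifest.append({"id": art["id"], "status": "GAP", "note": "absence of evidence"})
    return {"bundle_id": bundle_id, "seal": "sha256-chain", "artifacts": manifest,
            "confirmed": sum(1 for m in manifest if m["status"] == "CONFIRMED"), "sealed_hash": running}

def verify_bundle(bundle: dict, contents: Dict[str, bytes]) -> Tuple[bool, str]:
    """Recompute the chain from the supplied contents. A modified, reordered or dropped artifact,
    or a GAP entry that has been 'upgraded' with a hash, breaks verification."""
    running = sha256_hex(bundle["bundle_id"].encode())
    for entry in bundle["artifacts"]:
        if entry["status"] != "CONFIRMED":
            if "sha256" in entry or "chain" in entry:
                return False, f"{entry['id']}: GAP entry must not carry a hash"
            continue
        data = contents.get(entry["id"])
        if data is None:
            return False, f"{entry['id']}: content missing"
        h = sha256_hex(data)
        if h != entry["sha256"]:
            return False, f"{entry['id']}: artifact hash mismatch"
        running = sha256_hex((running + h).encode())
        if running != entry["chain"]:
            return False, f"{entry['id']}: chain link mismatch"
    ok = running == bundle["sealed_hash"]
    return ok, "ok" if ok else "sealed hash mismatch"

# constructed sample artifacts for the SIMULATION incident; not real evidence
SAMPLE_ARTIFACTS = [
    {"id": "EV-2211", "status": "CONFIRMED", "content": b"access log excerpt: 2026-07-04T09:12Z read customer_table"},
    {"id": "EV-2212", "status": "CONFIRMED", "content": b"classification: NIS2_RELEVANT=true GDPR_BREACH=true"},
    {"id": "EV-2299", "status": "GAP", "content": None},   # requested artifact never arrived
]
```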

6. Deadline calendar (norm frameworks)

| Deadline | Obligation | Clock starts |
|---|---|---|
| 24h | NIS2 — early warning | from detection of a significant incident |
| 72h | NIS2 notification / GDPR art. 33 | from detection / awareness |
| 1 mo. | NIS2 — final report | from the incident notification |
| prompt | AI Act art. 73 / GDPR art. 34 | once established / at high risk |

FRAMEWORK/NORM The calendar mirrors statutory deadlines; it does not refer to any real incident. Clocks start only after a real event has been classified.
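As an added example (not part of the ipIII code base), the flag → regime → deadline mapping from sections 1, 2, 3 and this calendar as a small deadline engine: NIS2 clocks run from detection, the GDPR art. 33 clock from awareness, and the NIS2 final report from the actual incident notification. The flag names are the page's; the function names, the calendar-month arithmetic and the fallback of counting the final-report month from the latest permitted notification time are assumptions.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Iterable, List, Optional

@dataclass(frozen=True)
class Obligation:
    regime: str
    stage: str
    recipient: str
    deadline: Optional[datetime]   # None = "prompt / without undue delay": no fixed clock

def add_one_month(t: datetime) -> datetime:
    """One calendar month later; the day is clipped to the target month (31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))

def obligations(flags: Iterable[str], detected_at: datetime, aware_at: Optional[datetime] = None,
                high_risk_to_individuals: bool = False,
                notified_at: Optional[datetime] = None) -> List[Obligation]:
    """Map active legal flags to report stages with absolute deadlines, fixed clocks first.
    NIS2 clocks run from detected_at; the GDPR art. 33 clock runs from aware_at (defaults to
    detected_at). notified_at is when the NIS2 72h notification was actually sent; if unknown,
    the final-report month is counted from the latest permitted notification time (assumption)."""
    active, aware_at = set(flags), aware_at or detected_at
    csirt, out = "competent CSIRT / authority", []
    if active & {"NIS2_RELEVANT", "KSC_RELEVANT"}:
        notification_due = detected_at + timedelta(hours=72)
        out.append(Obligation("NIS2", "early warning", csirt, detected_at + timedelta(hours=24)))
        out.append(Obligation("NIS2", "incident notification", csirt, notification_due))
        out.append(Obligation("NIS2", "final report", csirt, add_one_month(notified_at or notification_due)))
    if "GDPR_BREACH" in active:
        out.append(Obligation("GDPR art. 33", "notification", "supervisory authority",
                              aware_at + timedelta(hours=72)))
        if high_risk_to_individuals:
            out.append(Obligation("GDPR art. 34", "notice to individuals", "data subjects", None))
    if "AI_SERIOUS_INCIDENT" in active:
        out.append(Obligation("AI Act art. 73", "serious incident report",
                              "market surveillance authority", None))
    return sorted(out, key=lambda o: (o.deadline is None, o.deadline.timestamp() if o.deadline else 0.0))

def deadline_table(flags: Iterable[str], detected_iso: str, aware_iso: Optional[str] = None,
                   high_risk_to_individuals: bool = False) -> List[tuple]:
    """Board-friendly view: (regime, stage, recipient, ISO deadline or 'prompt'); 'Z' timestamps accepted."""
    parse = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
    rows = obligations(flags, parse(detected_iso), parse(aware_iso) if aware_iso else None,
                       high_risk_to_individuals)
    return [(o.regime, o.stage, o.recipient,
             o.deadline.isoformat().replace("+00:00", "Z") if o.deadline else "prompt") for o in rows]
```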

7. AI Act context — application timeline

| Obligation | Date | Status |
|---|---|---|
| Prohibited AI practices + AI literacy obligations | 2 Feb 2025 | IN FORCE |
| General-purpose AI models (GPAI) | 2 Aug 2025 | IN FORCE |
| Art. 50 — transparency (labelling AI content/interactions, deepfakes) | 2 Aug 2026 | ENTERING |
| High-risk systems — Annex III (scoring, HR, biometrics) | 2 Feb 2026 → 2 Dec 2027 | DEFERRED (Digital Omnibus) |

Note on status: the deferral of obligations for high-risk Annex III systems (incl. credit scoring relevant to banks) from 2 Feb 2026 to 2 Dec 2027 stems from the Digital Omnibus package. The art. 50 (transparency) framework applies from 2 Aug 2026 unchanged. Track European Commission communications — dates may be further adjusted. MEDIA SIGNAL for the deferral itself; the content of art. 50 — PUBLIC CLAIM based on the text of the regulation.

8. Definition of done v1.0 (Legal/Compliance Engine)

  1. Glossary of 9 legal flags with operational definitions — DONE.
  2. Mapping flag → regime → deadline → authority — DONE.
  3. AI Act art. 73 template (serious incident) — DONE.
  4. NIS2 path 24h / 72h / final report — DONE.
  5. GDPR art. 33 (supervisory authority) and art. 34 (individuals) templates — DONE.
  6. DPO workflow with 72h clock — DONE.
  7. Human-in-the-loop decision log (verifiable) — DONE.
  8. Evidentiary export with chain-of-custody (chained hash) — DONE.
  9. Deadline calendar as norm frameworks (not incidents) — DONE.
  10. Integration with the Classification Engine (reading flags) — TO BE WIRED (interface defined).
  11. Integration with the Evidence Board (artifact source) — TO BE WIRED.
  12. AI Act context (art. 50 / Annex III deferral) documented — DONE.
  13. claim ≤ proof doctrine enforced in export — DONE.
Disclaimer: this page is a reference compliance skeleton, not legal advice. Templates and deadlines describe the publicly known text of the regulations (AI Act, NIS2, GDPR, National Cybersecurity Act). Assessment of a specific set of facts belongs to the entity's DPO / legal counsel. Any log rows marked SIMULATION are demonstration data.
