K0NSULT // ai-truth/ipIII

Legal Board — Legal & Regulatory Case Board

The Legal/Compliance layer of the system. Every incident that carries active legal flags (AI Act, GDPR, NIS2) starts reporting clocks toward the competent authorities. This board shows the cases, their flags, the applicable deadlines, the owner (Legal/DPO/AI Safety Officer) and the status of the legal decision — from open to reported/closed.

SIMULATION / demonstration data. The cases, owners and deadlines in the table are illustrative (demo) — they do not reflect real proceedings. The normative frameworks below (AI Act art.73, NIS2 24h/72h/1 month, GDPR art.33/34) are based on the publicly known text of the regulations and are framework/educational references, not a description of any actual incident and not a certification. They do not constitute legal advice.
A legal flag is a clock. A clock is a deadline. A deadline is proof of compliance.

Setting the NIS2_RELEVANT, GDPR_BREACH or AI_SERIOUS_INCIDENT flag is not an informational label — it starts a counted reporting obligation. The system tracks the running deadline and requires an artefact confirming that notification was filed.

Cases with legal flags (SIMULATION)

| case | flags | authority deadline | owner | decision status | prio |
|---|---|---|---|---|---|
| LGL-3011: customer data leak | GDPR_BREACH, PERSONAL_DATA, NIS2_RELEVANT | GDPR 72h → 18h left; NIS2 24h → sent | Legal/DPO | GDPR art.33 IN PROGRESS | P0 |
| LGL-3009: serious AI system incident (scoring) | AI_HIGH_RISK, AI_SERIOUS_INCIDENT, LAW_ENFORCEMENT? | AI Act art.73 → without undue delay | AI Safety Officer | QUALIFICATION ANALYSIS | P0 |
| LGL-3006: ransomware, essential service | NIS2_RELEVANT, CRITICAL_INFRA, KSC_RELEVANT | NIS2 early 24h → sent; 72h report → 44h left | Operator + Legal | 24h FILED | P0 |
| LGL-3002: phishing → mailbox takeover | PERSONAL_DATA, AI_ACT? | GDPR risk assessment → in progress | Legal/DPO | ASSESSING IF BREACH | P1 |
| LGL-2998: voice deepfake, fraud attempt | FALSE_IDENTITY, LAW_ENFORCEMENT | notification to law enforcement | Legal + CISO | REPORTED | P1 |
| LGL-2990: misconfig, log exposure | PERSONAL_DATA? | art.34 assessment (notifying individuals) | Legal/DPO | NO PROOF OF SCOPE | P2 |

The "decision status" column inherits evidentially from the Evidence Board — a case cannot be marked "REPORTED as breach" while the data scope is still in GAP status.

Normative frameworks — reporting deadlines

Below: obligation frameworks derived from the publicly known text of the regulations. Their nature is norm / framework, not a description of an incident. Always verify against the current text of the act and its national implementation.

AI Act — art. 73: reporting of serious incidents

Providers of high-risk AI systems report a serious incident to the market surveillance authority of the state in which the incident occurred, without undue delay after establishing a causal link (or the reasonable likelihood of one) between the AI system and the incident.

Causal link established → without undue delay → market surveillance authority → cooperation / corrective action

Triggering flags: AI_HIGH_RISK + AI_SERIOUS_INCIDENT. Note the specific deadlines that depend on the type of effect (e.g. fatal events — shorter). Subject to the AI Act's entry into force and transitional provisions.

NIS2 — notification obligation (3 stages)

24h early warning → 72h incident notification (assessment) → 1 month final report

Addressee: the competent CSIRT / national authority. In PL this is linked to KSC_RELEVANT (the National Cybersecurity System Act). Flag: NIS2_RELEVANT; for essential services also CRITICAL_INFRA.

GDPR — art. 33 and art. 34: personal data breach

Breach detected → art.33 · ≤72h to the DPA → risk assessment for individuals → art.34 notify individuals (high risk)

Flags: GDPR_PERSONAL_DATA, GDPR_BREACH. Maintain a breach register (art.33(5)) regardless of whether notification was required.

Matrix: flag → obligation → addressee

| flag | obligation (framework) | deadline | addressee | owner |
|---|---|---|---|---|
| AI_SERIOUS_INCIDENT | report a serious AI incident | without undue delay | market surveillance authority | AI Safety Officer |
| NIS2_RELEVANT | 3-stage notification | 24h / 72h / 1 month | CSIRT / national authority | Operator + Legal |
| KSC_RELEVANT | KSC obligations (PL) | per the KSC Act | national-level CSIRT | Operator + Legal |
| GDPR_BREACH | art.33 notification | ≤ 72h | Data Protection Authority | Legal/DPO |
| PERSONAL_DATA + high risk | art.34 communication | without undue delay | the data subjects | Legal/DPO |
| LAW_ENFORCEMENT | notification of a crime | promptly | law enforcement | Legal + CISO |

Principles of the legal board

1. The clock starts from knowledge, not from will. The deadline runs from becoming aware of / establishing the breach — the system timestamps that moment as immutable.
2. A decision not to report is also a decision. A "no risk" justification must be documented and pinned evidentially (Evidence Board), otherwise the case stays open.
3. Proof of scope before breach qualification. Without a confirmed data scope, a case does not move into "breach reported" — it stays GAP.
4. This is a framework, not advice. The board supports deadline discipline; the final legal qualification belongs to Legal/DPO against the current state of the law.
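One way the flag → clock → artefact rules above (the matrix, principle 1 and principle 3) could be implemented, as an added example that is not the board's own code: the flag names and hour counts are the page's, while the LegalCase record, the function names and the constructed sample case modelled on row LGL-3011 are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
# Clocks started by each flag, from the board's matrix. None = "without undue delay".
CLOCKS = {
    "GDPR_BREACH": [("DPA art.33", timedelta(hours=72))],
    "NIS2_RELEVANT": [("CSIRT early warning", timedelta(hours=24)),
                      ("CSIRT incident notification", timedelta(hours=72)),
                      ("CSIRT final report", timedelta(days=30))],
    "AI_SERIOUS_INCIDENT": [("market surveillance art.73", None)],
}

@dataclass
class LegalCase:                  # hypothetical record type, not the board's own
    case_id: str
    flags: set
    aware_at: datetime            # principle 1: "knowledge" timestamp, never edited
    evidence_scope: str = "GAP"   # inherited from the Evidence Board
    artefacts: dict = field(default_factory=dict)  # obligation -> proof of filing
    status: str = "OPEN"
def deadlines(case):
    """Every obligation the case's flags start, mapped to due_at (None = undue delay)."""
    out = {}
    for flag in sorted(case.flags):
        for obligation, span in CLOCKS.get(flag, []):
            out[obligation] = case.aware_at + span if span else None
    return out
def hours_left(case, now):
    """Remaining hours per timed obligation, like the board's 'Nh left' column."""
    return {o: round((due - now).total_seconds() / 3600)
            for o, due in deadlines(case).items() if due}
def overdue(case, now):
    """Timed obligations past due_at with no filing artefact pinned to the case."""
    return sorted(o for o, due in deadlines(case).items()
                  if due and now > due and o not in case.artefacts)
def mark_reported(case):
    """Principle 3: no 'REPORTED as breach' while scope is GAP or proof is missing."""
    if case.evidence_scope == "GAP":
        raise ValueError(f"{case.case_id}: data scope is GAP, cannot qualify as breach")
    missing = [o for o in deadlines(case) if o not in case.artefacts]
    if missing:
        raise ValueError(f"{case.case_id}: no proof of filing for {missing}")
    case.status = "REPORTED"
    return case.status
def sample_case(hours_after=0):
    """Constructed demo case modelled on row LGL-3011, plus a 'now' hours later."""
    aware = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    case = LegalCase("LGL-3011", {"GDPR_BREACH", "PERSONAL_DATA", "NIS2_RELEVANT"}, aware)
    return case, aware + timedelta(hours=hours_after)
```

With the sample case 54 hours after awareness, the GDPR art.33 clock shows 18h left while the NIS2 24h early warning is overdue until its filing artefact is pinned.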

Related boards

Evidence Board →

The legal decision status inherits from the evidence — a GAP blocks breach qualification.

Response Board →

Notifying an authority is an action with a due_at deadline and proof of filing.

Compliance & reporting →

Templates and a register of letters to authorities (DPA, CSIRT, market surveillance).

AI Act Playbook →

The path for qualifying a serious AI incident and filing the art.73 report.

GDPR breach assessment — not just "the 72h clock"

The art.33 clock starts from establishing the breach, but whether to notify depends on the risk assessment. DPO decision checklist:

| Question | Consequence |
|---|---|
| Is this a personal data breach? | No → outside GDPR art.33/34 |
| Is there a risk to the rights and freedoms of individuals? | Yes → notify the DPA ≤72h (art.33) |
| Is the risk high? | Yes → communicate to individuals (art.34) |
| When did "establishing the breach" occur? | Start of the 72h clock |
| Was the data encrypted / unreadable? | May lower the duty to notify individuals |
| Who made the decision (DPO)? | Register entry + justification |
| Is the data retention justified? | Verify the legal basis and period |

NIS2 / KSC — entity classification and notification path

| Field | Values |
|---|---|
| Covered sector | yes / no / undetermined |
| Entity size | medium / large / other |
| Essential entity | yes / no / undetermined |
| Important entity | yes / no / undetermined |
| Competent CSIRT | NASK / GOV / MON / sectoral |
| Registration obligation | yes / no / undetermined |
| Notification status | early warning (24h) / notification (72h) / final (1 month) |
| Responsible | board / manager / security owner |

Normative framework, not legal advice. Classifying the entity is up to the organisation and its advisors. See Law Change Watch.