| AI-CAIQ (STAR-for-AI) — evidence-generated self-assessment | 1.0 | 2 | 1 | 0 | 0 | 0 | 50% |
| AI Solutions Framework — Enterprise AI-Adoption Control Framework (IG1–IG3) | 1.0 | 15 | 6 | 0 | 0 | 0 | 40% |
| CSA AI Controls Matrix (AICM) — execution-layer resolution | 1.0 | 14 | 11 | 0 | 0 | 0 | 79% |
| AICPA SSTS — Statements on Standards for Tax Services | 2024 | 4 | 0 | 4 | 0 | 0 | 50% |
| AIDA — Artificial Intelligence and Data Act (Bill C-27, federal) | AIDA — Artificial Intelligence and Data Act, Part 3 of Bill C-27 (44th Parliament). Tabled; lapsed on prorogation Jan 2025. Mapped as a forward-looking design anchor, not enacted law. | 5 | 0 | 0 | 5 | 0 | 25% |
| AIFMD / UCITS — Fund Manager Authority, Risk Management & Investment Limits | Directive 2011/61/EU & Directive 2009/65/EC | 4 | 0 | 4 | 0 | 0 | 50% |
| Alberta PIPA — Personal Information Protection Act (Alberta) | Alberta PIPA — Personal Information Protection Act, S.A. 2003, c. P-6.5 (Alberta) | 3 | 3 | 0 | 0 | 0 | 100% |
| API 580 / API 581 — Risk-Based Inspection (RBI) for fixed equipment in the oil, gas and petrochemical industry | 2016 | 4 | 0 | 2 | 2 | 0 | 38% |
| APRA CPS 230 — Operational Risk Management | CPS 230 (effective 1 July 2025) | 6 | 6 | 0 | 0 | 0 | 100% |
| ASD Essential Eight + ASD AI guidance | ASD Essential Eight Maturity Model (Nov 2023) + ASD AI guidance (2024) | 4 | 4 | 0 | 0 | 0 | 100% |
| Datenschutzgesetz (DSG, BGBl. I Nr. 165/1999, as amended 2018) | BGBl. I Nr. 165/1999 (as amended 2018) | 3 | 3 | 0 | 0 | 0 | 100% |
| Australian Government Mandatory AI Guardrails | Voluntary AI Safety Standard / Proposals Paper (DISR, September 2024) | 10 | 9 | 0 | 0 | 0 | 90% |
| Australia Group — Biological & Chemical Dual-Use Export Controls | 2023 | 4 | 0 | 4 | 0 | 0 | 50% |
| BC PIPA — Personal Information Protection Act (British Columbia) | BC PIPA — Personal Information Protection Act, S.B.C. 2003, c. 63 (British Columbia) | 3 | 3 | 0 | 0 | 0 | 100% |
| BCBS 239 — Risk Data Aggregation & Risk Reporting Principles | BCBS 239 (Principles for effective risk data aggregation and risk reporting, January 2013) | 14 | 7 | 0 | 0 | 0 | 50% |
| Loi du 30 juillet 2018 — Belgian Data Protection Act | Loi du 30 juillet 2018 relative à la protection des personnes physiques à l’égard des traitements de données à caractère personnel | 3 | 3 | 0 | 0 | 0 | 100% |
| Personal Data Protection Act (amended 2019 to implement the GDPR) | PDPA (amended 2019) | 3 | 3 | 0 | 0 | 0 | 100% |
| BSI AIC4 — AI Cloud Service Compliance Criteria | 2021 | 3 | 2 | 0 | 0 | 0 | 67% |
| Canada Consumer-Driven Banking Framework (open banking) | Consumer-Driven Banking Framework — Consumer-Driven Banking Act (enacted via Budget Implementation Act, 2024, No. 1), framework being stood up by the Financial Consumer Agency of Canada | 4 | 4 | 0 | 0 | 0 | 100% |
| nFADP / revDSG — revised Federal Act on Data Protection (in force 1 Sept 2023) | nFADP (in force 2023) | 4 | 4 | 0 | 0 | 0 | 100% |
| CISA CDM — Continuous Diagnostics and Mitigation (AI-agent asset accountability) | CISA CDM Program — DEFEND capability areas A–D | 11 | 11 | 0 | 0 | 0 | 100% |
| CLIA — US Clinical Laboratory Improvement Amendments (42 CFR Part 493) | 42 CFR Part 493 | 6 | 3 | 1 | 0 | 0 | 58% |
| Colorado SB21-169 — Insurers' Use of External Consumer Data & AI | Colorado SB21-169 (Restrict Insurers' Use of External Consumer Data; C.R.S. §10-3-1104.9) + Division of Insurance regulations | 4 | 3 | 0 | 0 | 0 | 75% |
| UK Companies Act 2006 — Records, True & Fair Accounts & Companies House Filing | 2006 | 5 | 0 | 5 | 0 | 0 | 50% |
| COSHH — Control of Substances Hazardous to Health Regulations 2002 (UK) | 2002 | 3 | 0 | 3 | 0 | 0 | 50% |
| CWC + BWC — Chemical Weapons Convention & Biological Weapons Convention | 1997-2024 | 4 | 0 | 4 | 0 | 0 | 50% |
| Law 125(I)/2018 (providing for the protection of natural persons with regard to the processing of personal data) | Law 125(I)/2018 | 3 | 3 | 0 | 0 | 0 | 100% |
| Zákon č. 110/2019 Sb., o zpracování osobních údajů | Act 110/2019 Sb. | 3 | 3 | 0 | 0 | 0 | 100% |
| BDSG — Bundesdatenschutzgesetz (Federal Data Protection Act, 2018) | BDSG 2018 | 4 | 4 | 0 | 0 | 0 | 100% |
| Databeskyttelsesloven (Lov nr. 502 af 23. maj 2018) | Lov nr. 502 (2018) | 3 | 3 | 0 | 0 | 0 | 100% |
| DoD 5015.02-STD — Electronic Records Management Software Applications Design Criteria | 2007 | 5 | 3 | 0 | 0 | 0 | 60% |
| Dodd-Frank §922 + SEC Rule 21F — Whistleblower Programme | Dodd-Frank Act §922 (15 U.S.C. §78u-6) + SEC Rules 21F (whistleblower programme) | 3 | 2 | 0 | 0 | 0 | 67% |
| DORA — Digital Operational Resilience Act | Regulation (EU) 2022/2554 | 73 | 59 | 0 | 14 | 0 | 86% |
| DORA ICT Incident Reporting — Article 19 + classification RTS | DORA — Regulation (EU) 2022/2554, Article 19 (ICT-related incident reporting) + RTS/ITS on incident classification and reporting | 4 | 3 | 0 | 0 | 0 | 75% |
| EC-Council ADG — Adopt · Defend · Govern | 2026 | 35 | 33 | 0 | 2 | 0 | 96% |
| EEOC Uniform Guidelines on Employee Selection Procedures | Uniform Guidelines on Employee Selection Procedures (1978, 29 CFR Part 1607) | 2 | 1 | 1 | 0 | 0 | 75% |
| LOPDGDD — Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales | Ley Orgánica 3/2018 | 4 | 4 | 0 | 0 | 0 | 100% |
| EU Sixth Anti-Money Laundering Directive (6AMLD) | Directive (EU) 2018/1673 | 4 | 0 | 4 | 0 | 0 | 50% |
| EU AI Act — Regulation (EU) 2024/1689 | 2024/1689 | 141 | 98 | 19 | 16 | 0 | 79% |
| EU AI Act — Article 50 chatbot transparency (Regulation (EU) 2024/1689) | 2024/1689 | 3 | 2 | 0 | 0 | 0 | 67% |
| EU AI Act — Annex III High-Risk Insurance | Regulation (EU) 2024/1689 (EU AI Act) — Annex III high-risk insurance use-cases (life & health risk assessment / pricing) | 4 | 3 | 0 | 0 | 0 | 75% |
| EU DAC — Directive on Administrative Cooperation (DAC6 mandatory disclosure + DAC7) | dac6-dac7 | 4 | 0 | 4 | 0 | 0 | 50% |
| EU Evidence Regulation 2020/1783 + eIDAS — Evidence Authenticity & Transmission | Regulation (EU) 2020/1783 (taking of evidence in civil/commercial matters) + eIDAS Regulation (EU) 910/2014 (electronic evidence integrity) | 3 | 2 | 0 | 0 | 0 | 67% |
| EU Whistleblower Directive — Directive (EU) 2019/1937 | Directive (EU) 2019/1937 (protection of persons who report breaches of Union law) | 4 | 3 | 0 | 0 | 0 | 75% |
| FATF 40 Recommendations — International AML/CFT Standards | 2012 (as amended) | 5 | 0 | 5 | 0 | 0 | 50% |
| FCA COBS — Conduct of Business Sourcebook (UK Investment Conduct) | FCA Handbook COBS | 4 | 0 | 4 | 0 | 0 | 50% |
| FDA + EMA — AI / Provenance Expectations for AI-Derived Candidates in Regulated Pipelines | 2024-2025 | 4 | 0 | 4 | 0 | 0 | 50% |
| Fed SR 11-7 — Supervisory Guidance on Model Risk Management | SR 11-7 / OCC 2011-12 (Supervisory Guidance on Model Risk Management, April 2011) | 5 | 4 | 0 | 0 | 0 | 80% |
| FedRAMP — Federal Risk and Authorization Management Program | Rev 5 | 159 | 144 | 0 | 15 | 0 | 93% |
| Tietosuojalaki (1050/2018) — Data Protection Act | 1050/2018 | 3 | 3 | 0 | 0 | 0 | 100% |
| Loi Informatique et Libertés (Act No. 78-17, as amended) + CNIL | Act No. 78-17 (as amended) | 4 | 4 | 0 | 0 | 0 | 100% |
| FRC Ethical Standard — Integrity, Objectivity & Independence for Auditors & Accountants | 2024 | 4 | 0 | 4 | 0 | 0 | 50% |
| FRCP e-Discovery — Rules 26 / 34 / 37 + FRE 502 (privilege) | FRCP (2015 e-discovery amendments; Rules 26 / 34 / 37 + FRE 502) | 4 | 3 | 0 | 0 | 0 | 75% |
| FRE 901 / 902 — Authentication & Self-Authentication of Evidence | FRE 901 / 902 (Authentication & Self-Authentication; 2017 ESI amendments) | 3 | 2 | 0 | 0 | 0 | 67% |
| GDPR — General Data Protection Regulation | Regulation (EU) 2016/679 | 92 | 79 | 1 | 6 | 0 | 88% |
| GDPR Article 22 — Automated Decision-Making | Regulation (EU) 2016/679 (GDPR) — Article 22 (automated individual decision-making, including profiling) + Articles 13–15 / Recital 71 | 4 | 3 | 0 | 0 | 0 | 75% |
| GDPR (Whistleblowing) — Special-Category & Data-Minimisation in Reports | Regulation (EU) 2016/679 (GDPR) — whistleblowing data-protection slice (Art. 5, 6, 9, 15, 21) | 3 | 2 | 0 | 0 | 0 | 67% |
| Google SRE — Change Management (progressive rollout & rollback) | SRE Book | 2 | 1 | 0 | 0 | 0 | 50% |
| Law 4624/2019 (measures implementing the GDPR) | Law 4624/2019 | 3 | 3 | 0 | 0 | 0 | 100% |
| HAARF — Healthcare AI Agents Regulatory Framework | 1.0 | 279 | 262 | 15 | 0 | 2 | 97% |
| Act CXII of 2011 on Informational Self-Determination and Freedom of Information (Info Act, GDPR-aligned) | Act CXII of 2011 | 3 | 3 | 0 | 0 | 0 | 100% |
| ICH Q1 — Stability Testing | ICH Q1A(R2) (2003) | 2 | 0 | 1 | 0 | 0 | 25% |
| ICH Q10 — Pharmaceutical Quality System | ICH Q10 (2008) | 5 | 3 | 1 | 0 | 0 | 70% |
| ICH Q2(R2) — Validation of Analytical Procedures | ICH Q2(R2) (2023) | 4 | 3 | 0 | 0 | 0 | 75% |
| ICH Q3 — Impurities | ICH Q3A(R2)/Q3B(R2)/Q3C(R8)/Q3D(R2) | 2 | 0 | 1 | 0 | 0 | 25% |
| ICH Q5 — Quality of Biotechnological Products | ICH Q5A(R2)/Q5B/Q5C/Q5D/Q5E | 2 | 0 | 1 | 0 | 0 | 25% |
| ICH Q6 — Specifications | ICH Q6A/Q6B | 2 | 0 | 1 | 0 | 0 | 25% |
| ICH Q7 — Good Manufacturing Practice for Active Pharmaceutical Ingredients | ICH Q7 (2000) | 5 | 4 | 0 | 0 | 0 | 80% |
| ICH Q8(R2) — Pharmaceutical Development | ICH Q8(R2) (2009) | 4 | 3 | 0 | 0 | 0 | 75% |
| ICH Q9(R1) — Quality Risk Management | ICH Q9(R1) (2023) | 4 | 3 | 0 | 0 | 0 | 75% |
| Data Protection Act 2018 | DPA 2018 | 4 | 4 | 0 | 0 | 0 | 100% |
| IEC 61508:2010 — Functional safety of electrical/electronic/programmable electronic safety-related systems | 2010 | 6 | 0 | 5 | 1 | 0 | 46% |
| IEC 61511:2016 — Functional safety: Safety instrumented systems for the process industry sector | 2016 | 5 | 0 | 4 | 1 | 0 | 45% |
| IMDA AI Verify | AI Verify (IMDA / AI Verify Foundation) | 4 | 4 | 0 | 0 | 0 | 100% |
| Investment Mandate / IPS — Investment Policy Statement & Discretionary Mandate Authority | 2026 | 4 | 0 | 4 | 0 | 0 | 50% |
| IRS Circular 230 — Regulations Governing Practice before the Internal Revenue Service | 2014-rev | 5 | 0 | 5 | 0 | 0 | 50% |
| ISA (UK) — International Standards on Auditing (UK) | 2024 | 4 | 0 | 4 | 0 | 0 | 50% |
| ISO 14001 — Environmental Management Systems | 2015 | 3 | 0 | 3 | 0 | 0 | 50% |
| ISO 15189:2022 — Medical laboratories — Requirements for quality and competence | 2022 | 6 | 5 | 0 | 0 | 0 | 83% |
| ISO 15489-1:2016 — Information and Documentation · Records Management | 2016 | 6 | 3 | 0 | 0 | 0 | 50% |
| ISO 16175-1:2020 — Processes and Functional Requirements for Software for Managing Records (digital records) | 2020 | 5 | 3 | 0 | 0 | 0 | 60% |
| ISO/IEC 17025:2017 — General requirements for the competence of testing and calibration laboratories | 2017 | 6 | 3 | 1 | 0 | 0 | 58% |
| ISO 23081-1:2017 — Managing Metadata for Records (records metadata) | 2017 | 5 | 3 | 0 | 0 | 0 | 60% |
| ISO/IEC 27001:2022 — Information Security Management Annex A + Clauses 4-10 | 2022 | 118 | 83 | 6 | 29 | 0 | 79% |
| ISO/IEC 27035 — Incident Management | ISO/IEC 27035 — Information security incident management (Parts 1–3) | 4 | 3 | 0 | 0 | 0 | 75% |
| ISO 31000:2018 — Risk management — Guidelines | 2018 | 5 | 0 | 2 | 3 | 0 | 35% |
| ISO/IEC 42001:2023 — AI Management System (AIMS) | 2023 | 80 | 76 | 3 | 1 | 0 | 97% |
| ISO 45001 — Occupational Health & Safety Management Systems | 2018 | 4 | 0 | 4 | 0 | 0 | 50% |
| ISO 55000 / ISO 55001:2014 — Asset management — Management systems | 2014 | 4 | 0 | 3 | 1 | 0 | 44% |
| ISO/IEC 20000-1 — Service Management (change management, §8.5.1) | 2018 | 2 | 1 | 0 | 0 | 0 | 50% |
| Codice in materia di protezione dei dati personali (D.Lgs. 196/2003, as amended by D.Lgs. 101/2018) | D.Lgs. 196/2003 (am. 101/2018) | 3 | 3 | 0 | 0 | 0 | 100% |
| ITIL 4 — Change Enablement (change authority & assessment) | 4 | 2 | 1 | 0 | 0 | 0 | 50% |
| Loi du 1er août 2018 portant organisation de la Commission nationale pour la protection des données | Loi du 1er août 2018 | 3 | 3 | 0 | 0 | 0 | 100% |
| MAS FEAT Principles | MAS FEAT Principles (2018) + Veritas | 4 | 4 | 0 | 0 | 0 | 100% |
| MAS Technology Risk Management Guidelines | MAS Technology Risk Management Guidelines (Jan 2021) | 4 | 4 | 0 | 0 | 0 | 100% |
| Mastercard Chargeback Standards — Dispute Resolution & Arbitration | Mastercard Chargeback Standards — Dispute Resolution & Arbitration (Chargeback Guide) | 4 | 3 | 0 | 0 | 0 | 75% |
| MHRA Medical Devices Regulations 2002 | 2002-as-amended-2024 | 53 | 50 | 3 | 0 | 0 | 97% |
| MHRA Post-Market Surveillance Regulations 2025 | 2025-06 | 36 | 36 | 0 | 0 | 0 | 100% |
| MHRA SaMD & AI Change Program | 2023 | 41 | 41 | 0 | 0 | 0 | 100% |
| MiFID II — Markets in Financial Instruments Directive II (Investment Services Conduct) | Directive 2014/65/EU | 4 | 0 | 4 | 0 | 0 | 50% |
| MoReq2010 — Modular Requirements for Records Systems | 2011 | 5 | 3 | 0 | 0 | 0 | 60% |
| MSHA — Mine Safety and Health Administration standards (30 CFR) | 2024 | 4 | 0 | 3 | 1 | 0 | 44% |
| NAIC Model Bulletin on the Use of AI by Insurers | NAIC Model Bulletin on the Use of Artificial Intelligence Systems by Insurers (adopted December 2023) | 4 | 3 | 0 | 0 | 0 | 75% |
| NERC CIP — Critical Infrastructure Protection Reliability Standards (North American bulk electric system) | 2024 | 5 | 0 | 3 | 2 | 0 | 40% |
| NIS2 — Network and Information Security Directive | Directive (EU) 2022/2555 | 46 | 41 | 1 | 4 | 0 | 92% |
| NIS2 Incident Reporting — Article 23 (24h / 72h) | NIS2 — Directive (EU) 2022/2555, Article 23 (incident reporting: 24h early warning / 72h notification / final report) | 3 | 2 | 0 | 0 | 0 | 67% |
| NIST SP 800-207 — Zero Trust Architecture | 1.0 (August 2020) | 40 | 36 | 2 | 2 | 0 | 94% |
| NIST SP 800-53 Rev 5 — Configuration Management (CM) family | Rev 5 | 2 | 1 | 0 | 0 | 0 | 50% |
| NIST AI Risk Management Framework 1.0 + Playbook | 1.0 | 101 | 88 | 9 | 4 | 0 | 93% |
| NIST Cybersecurity Framework 2.0 — Core + Tiers + Profiles | 2.0 (February 2024) | 130 | 105 | 10 | 15 | 0 | 88% |
| NIST CSF 2.0 — RESPOND & RECOVER | NIST Cybersecurity Framework 2.0 (2024) — RESPOND (RS) + RECOVER (RC) Functions | 4 | 3 | 0 | 0 | 0 | 75% |
| UAVG — Uitvoeringswet Algemene verordening gegevensbescherming (GDPR Implementation Act, 2018) | UAVG 2018 | 3 | 3 | 0 | 0 | 0 | 100% |
| Personopplysningsloven (LOV-2018-06-15-38) — GDPR incorporated via the EEA Agreement | LOV-2018-06-15-38 | 3 | 3 | 0 | 0 | 0 | 100% |
| Nucleic-Acid Synthesis Screening — IBBIS Common Mechanism + IGSC Harmonized Screening Protocol | 2023 | 4 | 0 | 4 | 0 | 0 | 50% |
| NYC Local Law 144 — Automated Employment Decision Tools | 2023 (in force 2023-07-05) | 3 | 1 | 2 | 0 | 0 | 67% |
| NYDFS Insurance Circular Letter on AI | NYDFS Insurance Circular Letter No. 7 (2024) — Use of AI Systems and External Consumer Data in Underwriting and Pricing | 4 | 3 | 0 | 0 | 0 | 75% |
| NZ Algorithm Charter for Aotearoa New Zealand | Algorithm Charter for Aotearoa New Zealand (2020) | 3 | 3 | 0 | 0 | 0 | 100% |
| New Zealand Privacy Act 2020 | Privacy Act 2020 (NZ) | 4 | 4 | 0 | 0 | 0 | 100% |
| OECD Good Laboratory Practice (Principles, 1998) + FDA 21 CFR Part 58 — non-clinical lab data integrity | 1998 (No. 1) + FDA 21 CFR 58 | 6 | 4 | 1 | 0 | 0 | 75% |
| OECD Pillar Two — GloBE Rules (Global Minimum Tax) & BEPS | 2023-globe | 4 | 0 | 4 | 0 | 0 | 50% |
| OSFI Guideline B-10 — Third-Party Risk Management | OSFI Guideline B-10 — Third-Party Risk Management (effective 1 May 2024) | 3 | 3 | 0 | 0 | 0 | 100% |
| OSFI Guideline B-13 — Technology & Cyber Risk Management | OSFI Guideline B-13 — Technology and Cyber Risk Management (effective 1 January 2024) | 4 | 4 | 0 | 0 | 0 | 100% |
| OSFI Guideline E-23 — Model Risk Management | OSFI Guideline E-23 — Model Risk Management (revised, effective 1 May 2027; applies to all federally regulated financial institutions, model definition expanded to include AI/ML) | 4 | 3 | 0 | 1 | 0 | 81% |
| OSHA PSM — Process Safety Management of Highly Hazardous Chemicals (29 CFR 1910.119) | 1992 | 4 | 0 | 3 | 1 | 0 | 44% |
| PCI DSS 4.0 — Payment Card Industry Data Security Standard | 4.0 | 146 | 111 | 1 | 34 | 0 | 82% |
| PCMLTFA / FINTRAC — Anti-Money-Laundering & Terrorist-Financing | PCMLTFA — Proceeds of Crime (Money Laundering) and Terrorist Financing Act, S.C. 2000, c. 17, and its Regulations (consolidated current-to-2024), administered by FINTRAC | 4 | 4 | 0 | 0 | 0 | 100% |
| Permit-to-Work Systems (HSE HSG250 guidance) | HSG250 | 3 | 0 | 3 | 0 | 0 | 50% |
| PHIPA (Ontario) — Personal Health Information Protection Act, 2004 | PHIPA — Personal Health Information Protection Act, 2004, S.O. 2004, c. 3, Sched. A (consolidated current-to-2024, incl. electronic-audit-log + de-identification amendments) | 6 | 6 | 0 | 0 | 0 | 100% |
| PIPEDA — Personal Information Protection and Electronic Documents Act | PIPEDA — S.C. 2000, c. 5 (Schedule 1 fair-information principles, consolidated current-to-2024) | 6 | 6 | 0 | 0 | 0 | 100% |
| Ustawa z dnia 10 maja 2018 r. o ochronie danych osobowych (Personal Data Protection Act) | Ustawa z 10 maja 2018 | 3 | 3 | 0 | 0 | 0 | 100% |
| PRA SS1/23 — Model Risk Management Principles for Banks | PRA SS1/23 (Model risk management principles for banks, May 2023; effective May 2024) | 6 | 5 | 0 | 0 | 0 | 83% |
| Privacy Act 1988 (Cth) — ADM transparency + APPs | Privacy Act 1988 (Cth) — ADM transparency amendments + Australian Privacy Principles | 4 | 4 | 0 | 0 | 0 | 100% |
| PSD2 / PSD3 — EU Payment Services Directive | 2015/2366 + RTS (EU) 2018/389 + PSD3 proposal COM(2023)366 | 61 | 59 | 1 | 1 | 0 | 98% |
| PSD2 SCA & Unauthorised-Transaction Liability (Arts. 72-74, 97) | PSD2 — Directive (EU) 2015/2366, Arts. 72-74 + 97 (SCA & unauthorised-transaction liability) | 4 | 3 | 0 | 0 | 0 | 75% |
| Lei n.º 58/2019 (assegura a execução do RGPD) | Lei n.º 58/2019 | 3 | 3 | 0 | 0 | 0 | 100% |
| Quebec Law 25 — Private Sector personal-information modernisation | Quebec Law 25 — Act to modernize legislative provisions as regards the protection of personal information (2021, c.25), amending the Private Sector Act (CQLR c. P-39.1), fully in force 22 Sept 2024 | 5 | 5 | 0 | 0 | 0 | 100% |
| RBNZ BS11 — Outsourcing Policy | RBNZ BS11 Outsourcing Policy | 3 | 3 | 0 | 0 | 0 | 100% |
| Reg E — EFTA Error Resolution (12 CFR 1005.11) | EFTA / Regulation E — 12 CFR Part 1005 (error resolution, §1005.11) | 4 | 3 | 0 | 0 | 0 | 75% |
| Reg Z — TILA Billing-Error Resolution (12 CFR 1026.13) | TILA / Regulation Z — 12 CFR Part 1026 (billing-error resolution, §1026.13) | 4 | 3 | 0 | 0 | 0 | 75% |
| RIDDOR — Reporting of Injuries, Diseases and Dangerous Occurrences Regulations 2013 (UK) | 2013 | 3 | 0 | 3 | 0 | 0 | 50% |
| Law No. 190/2018 (implementing measures for the GDPR) | Law No. 190/2018 | 3 | 3 | 0 | 0 | 0 | 100% |
| Lag (2018:218) med kompletterande bestämmelser till EU:s dataskyddsförordning | Lag (2018:218) | 3 | 3 | 0 | 0 | 0 | 100% |
| SEC Cyber Disclosure — Item 1.05 (4 business days) | SEC Cybersecurity Disclosure Rules (2023) — Regulation S-K Item 1.05 (material incident, 8-K, four business days) + Item 106 | 3 | 2 | 0 | 0 | 0 | 67% |
| SEC Investment Adviser Fiduciary Duty — Advisers Act of 1940 (Duty of Care & Loyalty) | Investment Advisers Act of 1940 | 4 | 0 | 4 | 0 | 0 | 50% |
| The Sedona Principles — Best Practices for Electronic Document Production | The Sedona Principles, Third Edition (2018) | 3 | 2 | 0 | 0 | 0 | 67% |
| Act No. 18/2018 Coll. on Personal Data Protection | Act No. 18/2018 Coll. | 3 | 3 | 0 | 0 | 0 | 100% |
| SOC 2 — Trust Services Criteria | TSC 2017 (revised 2022) | 61 | 54 | 2 | 5 | 0 | 92% |
| SOC 2 — CC8 Change Management (Common Criteria) | 2017 TSC | 2 | 1 | 0 | 0 | 0 | 50% |
| SOX §404 — Internal Control over Financial Reporting (tax-provision controls) | 2002 | 4 | 0 | 4 | 0 | 0 | 50% |
| SOX §806 — Whistleblower Anti-Retaliation (18 U.S.C. §1514A) | Sarbanes-Oxley Act §806 (18 U.S.C. §1514A) — whistleblower anti-retaliation | 3 | 2 | 0 | 0 | 0 | 67% |
| TBS Directive on Automated Decision-Making (Canada federal government) | Treasury Board Directive on Automated Decision-Making (in force; latest amendments effective 2023) | 4 | 4 | 0 | 0 | 0 | 100% |
| The IIA's Three Lines Model (2020) | 2020 | 6 | 0 | 3 | 3 | 0 | 38% |
| UK AI Assurance (DSIT) | 2024-11 roadmap | 31 | 28 | 2 | 1 | 0 | 94% |
| UK AI Regulatory Framework | 2023-03 white paper / 2024-02 response | 33 | 22 | 6 | 5 | 0 | 80% |
| UK CPR Part 31 + PD 57AD — Disclosure & the Disclosure Certificate | CPR Part 31 + Practice Direction 57AD (Disclosure in the Business and Property Courts, 2022) | 3 | 2 | 0 | 0 | 0 | 67% |
| UK Failure to Prevent Fraud (Economic Crime and Corporate Transparency Act 2023) | ECCTA 2023 (in force 1 Sep 2025) | 4 | 0 | 2 | 2 | 0 | 38% |
| UK Equality Act 2010 | 2010 | 2 | 1 | 1 | 0 | 0 | 75% |
| UK GAAP — FRS 102 / FRS 105 Recognition, Measurement & Disclosure | 2024 | 4 | 0 | 4 | 0 | 0 | 50% |
| UK Money Laundering Regulations 2017 (MLR 2017) | SI 2017/692 (as amended) | 4 | 0 | 3 | 1 | 0 | 44% |
| UK Making Tax Digital (MTD) — Digital Record-Keeping & API Filing | 2024 | 4 | 0 | 4 | 0 | 0 | 50% |
| UK PIDA — Public Interest Disclosure Act 1998 (ERA 1996 Part IVA) | UK Public Interest Disclosure Act 1998 (Employment Rights Act 1996, Part IVA) | 3 | 2 | 0 | 0 | 0 | 67% |
| UK Senior Managers & Certification Regime (SM&CR) | 2016 (FCA/PRA, as amended) | 4 | 0 | 3 | 1 | 0 | 44% |
| US Bank Secrecy Act / FinCEN — AML Program, CDD & SAR Requirements | 31 U.S.C. 5311 et seq.; 31 CFR Chapter X | 4 | 0 | 4 | 0 | 0 | 50% |
| US EO 14110 — Safe, Secure & Trustworthy AI (biosecurity / dual-use provisions) | 2023 | 4 | 0 | 4 | 0 | 0 | 50% |
| US State AI-Chatbot Laws — consumer chatbot safeguards | 2024-2026 | 9 | 5 | 0 | 0 | 0 | 56% |
| Visa Compelling Evidence 3.0 (CE3.0) | Visa Compelling Evidence 3.0 (CE3.0) — remedied-dispute evidence requirements (Visa Rules, fraud reason code 10.4) | 4 | 3 | 0 | 0 | 0 | 75% |
| Voluntary Code of Conduct — Advanced Generative AI (Canada) | Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems (ISED, September 2023) | 3 | 0 | 0 | 3 | 0 | 25% |
| Wolfsberg Group AML Principles & Guidance | current | 3 | 0 | 3 | 0 | 0 | 50% |