European Union

Runtime authority for EU sovereign AI.

When an EU regulator asks — under Article 9, 10, 14 or 15 of the AI Act, under DORA's third-party-risk regime, under GDPR Art. 22 automated-decision review, or under EDPB transfer-impact guidance — KYE Protocol answers from a record sealed at the moment of action. Customer-held keys, EU-region data residency, offline-verifiable from the publisher's JWKS.

EU frameworks mapped to KYE

Per-requirement bijection — not a slide deck.

EU AI Act

Reg. (EU) 2024/1689. Articles 9 (risk), 10 (data), 13 (transparency), 14 (oversight), 15 (accuracy), 26 (deployer obligations), 50 (transparency to users), 72 (post-market monitoring).

GDPR · UK GDPR

Reg. (EU) 2016/679. Art. 22 (automated individual decision-making), Art. 24/25 (controller responsibility + privacy by design), Art. 32 (security), Art. 35 (DPIA).

DORA

Reg. (EU) 2022/2554. ICT third-party risk, operational resilience testing, critical-or-important-function scoping, ICT incident reporting.

NIS2

Dir. (EU) 2022/2555. Essential + important entities, supply-chain risk, incident-reporting timeline, board accountability.

ISO/IEC 42001

AI Management System (AIMS) certification — the certification path most EU regulators will reference under AI Act Art. 17 quality-management-system obligations.

EDPB transfer-impact + DPIA

EDPB Recommendations 01/2020 on transfer impact + Guidelines 04/2017 on DPIA. KYE evidence packs are the data-flow record DPAs require.

EU-sovereign deployment

EU data, EU keys, EU control.

  • Data residency — deploy to EU-region Cloudflare resources (D1 + R2 + KV pinned to EU); per-tenant configurable.
  • Customer KMS — signing keys live in the customer's HSM or sovereign-cloud KMS; KYE never has access to the private key material.
  • Open verifier — any DPA, third-party auditor, or supervisory authority can replay an Evidence Pack using only the publisher's JWKS. No vendor dependency in the audit path.
  • GDPR alignment — PII referenced by URN, not embedded; right-to-erasure is a first-class lifecycle state; transfer-impact assessment is supported by signed routing records.
  • Apache 2.0 schemas + vocabulary — the contracts the customer relies on are open. The patent-track runtime construction is paid; the proof formats are not.

EU pilot

Start in shadow mode. Evidence first, enforcement later.

EU pilots run in shadow mode — KYE observes the delegated-action chain and produces signed Evidence Packs without blocking production. After the pre-agreed evaluation window, the customer promotes specific Guards from shadow to enforce, one at a time, with first-class rollback.

Independent — no government affiliation. KYE Protocol™ is an independent protocol and is not affiliated with, endorsed by, or part of any government, regulator, or official “Sovereign AI” programme. References to regulators and frameworks describe the requirements KYE™ helps you evidence — not any official relationship.