Regulations · 10 shipped profiles
EU and UK regimes, encoded as composable runtime profiles.
Each profile pins the policy clauses, the audit fields, the retention window, the allowed residency, and the framework citations. Multiple profiles compose deterministically — strictest retention wins, intersected residency, union of audit fields, strongest immutability.
EU regulations
- EU AI Act: Regulation (EU) 2024/1689 — Artificial Intelligence Act
  EU-wide horizontal regulation classifying AI systems by risk; agentic LLM workflows for credit, employment and public services land in the 'high-risk' category of Annex III.
  GPAI Code of Practice enforceable from 2 August 2026
- GDPR: Regulation (EU) 2016/679 — General Data Protection Regulation
  EU personal-data regulation; LLM prompt/response handling falls under purpose limitation (Art. 5), lawful basis (Art. 6) and automated decision-making (Art. 22).
  In force since 25 May 2018
- DORA: Regulation (EU) 2022/2554 — Digital Operational Resilience Act
  EU financial-services operational-resilience regulation; ICT third-party LLM providers and agent runtimes are in scope.
  Effective since 17 January 2025
- NIS2: Directive (EU) 2022/2555 — Network and Information Security Directive 2
  EU cybersecurity directive that expands scope to essential and important entities; many AI-driven platforms now fall in scope.
  National transposition deadline 17 October 2024
- EHDS: Regulation (EU) 2025/327 — European Health Data Space
  EU horizontal regulation on primary and secondary use of electronic health data; agent workflows on EHR data are constrained.
  Entered into force 26 March 2025; phased application through 2031
UK regulations
- UK GDPR: UK General Data Protection Regulation (Data Protection Act 2018)
  Post-Brexit UK domestic equivalent of GDPR; same shape, with the ICO as supervisor and divergence on adequacy and age of consent.
  In force; ICO is the supervisory authority
- FCA SYSC: FCA SYSC 4 + Consumer Duty (PRIN 12 / GC23/2)
  UK FCA Handbook on senior-management arrangements, systems and controls; the Consumer Duty's good-outcomes obligation now binds AI-driven decisions.
  Consumer Duty effective 31 July 2023 (new and existing products); 31 July 2024 (closed products)
- PRA SS1/23: PRA Supervisory Statement SS1/23 — Model Risk Management
  PRA model-risk-management principles for UK PRA-regulated banks and PRA-designated insurers; explicitly covers AI/ML models.
  Effective 17 May 2024
- PRA SS2/21: PRA Supervisory Statement SS2/21 — Outsourcing and Third-Party Risk Management
  PRA third-party risk-management expectations; LLM providers (OpenAI, Anthropic, Google) and agent runtimes are third parties under SS2/21.
  Effective 31 March 2022
- NHS DSPT: NHS Data Security and Protection Toolkit
  Mandatory annual self-assessment for any organisation accessing NHS patient data; covers the 10 National Data Guardian standards.
  Annual submission cycle; FY2025-26 standard in force
How profiles compose
Activate multiple profiles in regulus init or application.yaml; Regulus resolves them into a single effective policy at startup:
- Retention: strictest wins (e.g. EU AI Act 10 years vs GDPR 6 years → 10 years).
- Residency: intersected (e.g. uk-gdpr = UK only, gdpr = EU only → an empty intersection requires an explicit override).
- Audit fields: union (any field any profile requires lands in the envelope).
- Immutability: strongest wins (DORA's tamper-evident requirement raises the bar across all profiles).
- HITL (human-in-the-loop) thresholds: lowest threshold wins (any profile's high-risk classification triggers HITL).
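The composition rules above, as an added Python example that is not Regulus's own code: the retention and residency values are the ones the page cites, while the immutability ladder, audit field names and HITL thresholds are assumptions, and the resolver must give the same result whatever order the profiles are activated in.

```python
from dataclasses import dataclass

# Assumed immutability ladder (not from the Regulus docs); a higher rank is stronger.
IMMUTABILITY_RANK = {"mutable": 0, "append-only": 1, "tamper-evident": 2}


@dataclass(frozen=True)
class Profile:
    name: str
    retention_years: int
    residency: frozenset      # regions where data may be stored
    audit_fields: frozenset   # fields the audit envelope must carry
    immutability: str         # a key of IMMUTABILITY_RANK
    hitl_threshold: float     # risk score at or above which HITL is required


@dataclass(frozen=True)
class EffectivePolicy:
    retention_years: int
    residency: frozenset
    audit_fields: frozenset
    immutability: str
    hitl_threshold: float


class ResidencyConflict(ValueError):
    """Intersected residency is empty and no explicit override was supplied."""


def compose(profiles, residency_override=None):
    """Resolve the active profiles into one effective policy; order-independent."""
    profiles = list(profiles)
    if not profiles:
        raise ValueError("at least one profile must be active")
    residency = frozenset.intersection(*(p.residency for p in profiles))
    if not residency:  # e.g. uk-gdpr (UK only) combined with gdpr (EU only)
        if residency_override is None:
            raise ResidencyConflict("empty residency intersection; set an explicit override")
        residency = frozenset(residency_override)
    return EffectivePolicy(
        retention_years=max(p.retention_years for p in profiles),               # strictest wins
        residency=residency,                                                    # intersection
        audit_fields=frozenset().union(*(p.audit_fields for p in profiles)),    # union
        immutability=max((p.immutability for p in profiles), key=IMMUTABILITY_RANK.__getitem__),
        hitl_threshold=min(p.hitl_threshold for p in profiles),                 # lowest wins
    )


# Constructed sample profiles: retention and residency follow the doc's examples;
# audit fields, immutability levels and HITL thresholds are placeholders.
EU_AI_ACT = Profile("eu-ai-act", 10, frozenset({"EU"}), frozenset({"model_id", "risk_class"}), "append-only", 0.7)
GDPR = Profile("gdpr", 6, frozenset({"EU"}), frozenset({"lawful_basis", "data_subject"}), "mutable", 0.9)
UK_GDPR = Profile("uk-gdpr", 6, frozenset({"UK"}), frozenset({"lawful_basis", "data_subject"}), "mutable", 0.9)
DORA = Profile("dora", 5, frozenset({"EU"}), frozenset({"ict_provider"}), "tamper-evident", 0.8)
```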