Not legal advice. This instrument gives you a structured view of your current state and the technical fix. Which obligations apply, and how, is confirmed by your own counsel.
Scope by role first. Duties for a deployer (you use third-party AI) differ sharply from a provider (you build or rebrand one). Over-scoping is the most common error.
You see only what's disclosed. Off-log AI hides, pair this with a technical exposure scan for the full picture.
Dates move; obligations don't. Mappings re-verified June 2026 against the EU AI Act, the provisional Digital Omnibus, GDPR, DORA and NIS2. Re-verify each cycle.