Directives
Internal compliance framework and policies for the AI Act, NIS2, and GDPR.
Directives contents
| Directive | Description |
|---|---|
| Governance & Responsibilities | Governance structure and roles |
| AI Governance | Governance of AI systems |
| Data Protection | GDPR and personal data protection |
| Security Governance | NIS2 and cybersecurity |
| Incident Management | Incident response |
| Audit & Monitoring | Audit and monitoring |
| Technological Sovereignty | Data and technological sovereignty |
Executive Summary
This directive defines how the organization responsibly uses, develops, and deploys artificial intelligence and processes personal data in compliance with EU legislation:
- AI Act (EU 2024/1689): Risk-based regulation of AI systems
- NIS2 (Cybersecurity Act): Information security
- GDPR (EU 2016/679): Personal data protection
Our policy: To provide stakeholders (customers, employees, regulators) with assurance that AI and data are managed ethically, securely, and in compliance with the law.
Governance overview
%3btext-align:center%3b%7d%23mermaid-0 .edgeLabel p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .edgeLabel rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .labelBkg%7bbackground-color:rgba(232%2c 232%2c 232%2c 0.5)%3b%7d%23mermaid-0 .cluster rect%7bfill:%23ffffde%3bstroke:%23aaaa33%3bstroke-width:1px%3b%7d%23mermaid-0 .cluster text%7bfill:%23333%3b%7d%23mermaid-0 .cluster span%7bcolor:%23333%3b%7d%23mermaid-0 div.mermaidTooltip%7bposition:absolute%3btext-align:center%3bmax-width:200px%3bpadding:2px%3bfont-family:arial%2csans-serif%3bfont-size:12px%3bbackground:hsl(80%2c 100%25%2c 96.2745098039%25)%3bborder:1px solid %23aaaa33%3bborder-radius:2px%3bpointer-events:none%3bz-index:100%3b%7d%23mermaid-0 .flowchartTitleText%7btext-anchor:middle%3bfont-size:18px%3bfill:%23333%3b%7d%23mermaid-0 rect.text%7bfill:none%3bstroke-width:0%3b%7d%23mermaid-0 .icon-shape%2c%23mermaid-0 .image-shape%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3btext-align:center%3b%7d%23mermaid-0 .icon-shape p%2c%23mermaid-0 .image-shape p%7bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bpadding:2px%3b%7d%23mermaid-0 .icon-shape .label rect%2c%23mermaid-0 .image-shape .label rect%7bopacity:0.5%3bbackground-color:rgba(232%2c232%2c232%2c 0.8)%3bfill:rgba(232%2c232%2c232%2c 0.8)%3b%7d%23mermaid-0 .label-icon%7bdisplay:inline-block%3bheight:1em%3boverflow:visible%3bvertical-align:-0.125em%3b%7d%23mermaid-0 .node .label-icon path%7bfill:currentColor%3bstroke:revert%3bstroke-width:revert%3b%7d%23mermaid-0 :root%7b--mermaid-font-family:arial%2csans-serif%3b%7d%3c/style%3e%3cg%3e%3cmarker id='mermaid-0_flowchart-v2-pointEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 0 L 10 5 L 0 10 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-pointStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='4.5' refY='5' markerUnits='userSpaceOnUse' markerWidth='8' markerHeight='8' orient='auto'%3e%3cpath d='M 0 5 L 10 10 L 10 0 z' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleEnd' class='marker flowchart-v2' viewBox='0 0 10 10' refX='11' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-circleStart' class='marker flowchart-v2' viewBox='0 0 10 10' refX='-1' refY='5' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3ccircle cx='5' cy='5' r='5' class='arrowMarkerPath' style='stroke-width: 1%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossEnd' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='12' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cmarker id='mermaid-0_flowchart-v2-crossStart' class='marker cross flowchart-v2' viewBox='0 0 11 11' refX='-1' refY='5.2' markerUnits='userSpaceOnUse' markerWidth='11' markerHeight='11' orient='auto'%3e%3cpath d='M 1%2c1 l 9%2c9 M 10%2c1 l -9%2c9' class='arrowMarkerPath' style='stroke-width: 2%3b stroke-dasharray: 1%2c 0%3b'/%3e%3c/marker%3e%3cg class='root'%3e%3cg class='clusters'/%3e%3cg class='edgePaths'%3e%3cpath d='M473%2c80.247L417.167%2c89.373C361.333%2c98.498%2c249.667%2c116.749%2c193.833%2c129.375C138%2c142%2c138%2c149%2c138%2c152.5L138%2c156' id='L_CEO_CTO_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_CEO_CTO_0' data-points='W3sieCI6NDczLCJ5Ijo4MC4yNDczMTE4Mjc5NTY5OX0seyJ4IjoxMzgsInkiOjEzNX0seyJ4IjoxMzgsInkiOjE2MH1d' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M498.987%2c110L490.489%2c114.167C481.991%2c118.333%2c464.996%2c126.667%2c456.498%2c134.333C448%2c142%2c448%2c149%2c448%2c152.5L448%2c156' id='L_CEO_CISO_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_CEO_CISO_0' data-points='W3sieCI6NDk4Ljk4Njg0MjEwNTI2MzIsInkiOjExMH0seyJ4Ijo0NDgsInkiOjEzNX0seyJ4Ijo0NDgsInkiOjE2MH1d' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M707.013%2c110L715.511%2c114.167C724.009%2c118.333%2c741.004%2c126.667%2c749.502%2c134.333C758%2c142%2c758%2c149%2c758%2c152.5L758%2c156' id='L_CEO_DPO_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_CEO_DPO_0' data-points='W3sieCI6NzA3LjAxMzE1Nzg5NDczNjksInkiOjExMH0seyJ4Ijo3NTgsInkiOjEzNX0seyJ4Ijo3NTgsInkiOjE2MH1d' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3cpath d='M733%2c80.247L788.833%2c89.373C844.667%2c98.498%2c956.333%2c116.749%2c1012.167%2c129.375C1068%2c142%2c1068%2c149%2c1068%2c152.5L1068%2c156' id='L_CEO_LEGAL_0' class='edge-thickness-normal edge-pattern-solid edge-thickness-normal edge-pattern-solid flowchart-link' style='%3b' data-edge='true' data-et='edge' data-id='L_CEO_LEGAL_0' data-points='W3sieCI6NzMzLCJ5Ijo4MC4yNDczMTE4Mjc5NTY5OX0seyJ4IjoxMDY4LCJ5IjoxMzV9LHsieCI6MTA2OCwieSI6MTYwfV0=' marker-end='url(%23mermaid-0_flowchart-v2-pointEnd)'/%3e%3c/g%3e%3cg class='edgeLabels'%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_CEO_CTO_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_CEO_CISO_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_CEO_DPO_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='edgeLabel'%3e%3cg class='label' data-id='L_CEO_LEGAL_0' transform='translate(0%2c 0)'%3e%3cforeignObject width='0' height='0'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' class='labelBkg' style='display: table-cell%3b white-space: nowrap%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b'%3e%3cspan class='edgeLabel'%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3cg class='nodes'%3e%3cg class='node default' id='flowchart-CEO-0' transform='translate(603%2c 59)'%3e%3crect class='basic label-container' style='' x='-130' y='-51' width='260' height='102'/%3e%3cg class='label' style='' transform='translate(-100%2c -36)'%3e%3crect/%3e%3cforeignObject width='200' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eCEO / Board%3cbr /%3eOverall compliance responsibility%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-CTO-2' transform='translate(138%2c 211)'%3e%3crect class='basic label-container' style='' x='-130' y='-51' width='260' height='102'/%3e%3cg class='label' style='' transform='translate(-100%2c -36)'%3e%3crect/%3e%3cforeignObject width='200' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eCTO%3cbr /%3eAI systems governance%2c risk classification%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-CISO-4' transform='translate(448%2c 211)'%3e%3crect class='basic label-container' style='' x='-130' y='-51' width='260' height='102'/%3e%3cg class='label' style='' transform='translate(-100%2c -36)'%3e%3crect/%3e%3cforeignObject width='200' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eCISO%3cbr /%3eNIS2 compliance%2c incident response%2c security%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-DPO-6' transform='translate(758%2c 211)'%3e%3crect class='basic label-container' style='' x='-130' y='-51' width='260' height='102'/%3e%3cg class='label' style='' transform='translate(-100%2c -36)'%3e%3crect/%3e%3cforeignObject width='200' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eDPO%3cbr /%3eGDPR compliance%2c DSAR%2c privacy impact%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3cg class='node default' id='flowchart-LEGAL-8' transform='translate(1068%2c 211)'%3e%3crect class='basic label-container' style='' x='-130' y='-51' width='260' height='102'/%3e%3cg class='label' style='' transform='translate(-100%2c -36)'%3e%3crect/%3e%3cforeignObject width='200' height='72'%3e%3cdiv xmlns='http://www.w3.org/1999/xhtml' style='display: table%3b white-space: break-spaces%3b line-height: 1.5%3b max-width: 200px%3b text-align: center%3b width: 200px%3b'%3e%3cspan class='nodeLabel'%3e%3cp%3eLegal / Compliance Officer%3cbr /%3eRegulatory strategy%2c contracts%2c sanctions%3c/p%3e%3c/span%3e%3c/div%3e%3c/foreignObject%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/g%3e%3c/svg%3e)
Governance Cadence
| Frequency | Meeting | Participants |
|---|---|---|
| Monthly | Compliance sync | CTO, CISO, DPO |
| Quarterly | Board review | C-level, Board |
| Annually | External audit | All + Auditor |
Document version
| Version | Date | Changes |
|---|---|---|
| 1.0 | 1 January 2026 | Initial release |
Next review: Q1 2027