TECHNOMATON | Docs SAI Certified Trainers

Governance & Responsibilities

Version: 1.0 | Effective from: 1 January 2026


1. Purpose

This document defines the organizational structure, roles, and responsibilities for ensuring compliance with the AI Act, NIS2, and GDPR.


2. Roles & Accountability

Role | Responsibility | Reports to
--- | --- | ---
CEO | Overall compliance responsibility, budget allocation | Board
CTO | AI systems governance, risk classification, vendor audit, model monitoring | COO
CISO | NIS2 compliance, incident response, penetration testing, audit trail | COO
DPO | GDPR compliance, DSAR handling, privacy impact assessment, regulatory liaison | CLO
CLO (Legal) | Regulatory strategy, AI Act high-risk assessment, contracts, sanctions review | CEO
Product Manager | User transparency (AI disclosures), product design privacy, testing | CTO
Engineering Lead | Implementation of technical controls, data encryption, audit logging | CTO
Compliance Officer | Day-to-day compliance tracking, documentation, training coordination | CLO

3. Governance Cadence

3.1 Monthly sync

Participants: CTO, CISO, DPO, Compliance Officer

Agenda:

  • Compliance progress review
  • Incident review (if any)
  • Risk register update
  • Upcoming deadlines

3.2 Quarterly Board review

Participants: CEO, C-level, Board members

Agenda:

  • Compliance scorecard
  • Budget vs. actual
  • Key risks and mitigations
  • Regulatory updates

3.3 Annual external audit

Participants: All + External auditor

Scope:

  • ISO 27001 audit
  • GDPR readiness assessment
  • AI Act compliance review

4. Decision Matrix

Decision | Approval level
--- | ---
New AI system (low-risk) | CTO
New AI system (high-risk) | CTO + Legal + CEO
Vendor with data access | CISO + DPO
Data breach response | CEO + CISO + DPO
Policy change | CLO + CEO
Budget > EUR 50k | CEO + Board

5. Escalation Path

Level 1: Owner (CTO/CISO/DPO)
| (if unable to resolve within 24h)
Level 2: C-level meeting
| (if critical or regulatory)
Level 3: CEO + Legal
| (if board approval required)
Level 4: Board

6. Documentation Requirements

Document type | Retention
--- | ---
Policy documents | 5 years after change
Audit logs | 5 years
DPIA | 5 years after processing ends
Incident reports | 5 years
Training records | 3 years
Meeting minutes | 3 years

7. Training Requirements

Role | Required training | Frequency
--- | --- | ---
All employees | GDPR basics | Annually
All employees | Phishing awareness | Quarterly
Engineering | Secure coding | Semi-annually
Product / Data Science | AI governance, bias testing | Quarterly
Leadership | Compliance risks, incident response | Annually

8. Certifications

Role | Required certification
--- | ---
CISO | CISSP, CISM, or CEH
DPO | CIPP/E or GDPR certification
CTO | AI governance training (internal/external)

9. Regulatory Contacts

Authority | Contact | Purpose | Escalation
--- | --- | --- | ---
National DPA | [Country-specific DPA contact] | GDPR breaches, complaints | DPO + CEO
National CSIRT | [Country-specific CSIRT portal] | NIS2 incidents | CISO + CEO
DG Justice (EU) | | AI Act high-risk | Legal + CEO

10. Policy Review

  • Quarterly: Review incident log, compliance metrics, risk register
  • Semi-annually: Update per regulatory changes
  • Annually: Formal policy review + board approval

Next review: Q2 2026