// why now

The proof burden is shifting.

Three regulatory clocks are converging. Each moves the burden from claim to evidence.

EU · 2025–2026 · AI Act · DORA · NIS2 · Board-level
// what's at stake

Evidence has moved from "nice to have" to "fileable on demand."

RISK

Administrative fines

Up to €35M or 7% of global turnover under the AI Act.

OPS

Audit-on-demand

Regulators can require evidence within days, not quarters.

MARKET

Counterparty pressure

Insurers, banks and procurement now request proof artefacts in RFPs.

// regulatory timeline

Three clocks. One destination.

  1. 17 Jan 2025
    DORA

    Digital Operational Resilience Act in force

    Financial entities must demonstrate operational resilience and provide incident evidence on demand to ESAs and competent authorities.

  2. 2025 → 2026
    NIS2 / Cbw

    National NIS2 transpositions land

    Member-state laws (NL: Cybersecuritywet) extend incident-reporting and traceability duties to critical infrastructure, suppliers and managed-service providers.

  3. 2 Aug 2026
    EU AI Act

    Article 12 logging obligations apply

    Providers and deployers of high-risk AI must keep automatic, tamper-evident logs sufficient to trace system behaviour over its lifecycle.

// the new operating reality

Internal logs were never built to settle disputes.

The teams holding the bag are CISOs, compliance officers and fund operations. They need proof that survives staff turnover, vendor swaps and forensic discovery — proof that a third party can re-verify without calling back to the system that produced it.

  • Tamper-evident by construction — not by policy.
  • Portable across vendors and storage tiers.
  • Offline-verifiable, even years after the event.