https://trusq.io/en/ 2026-06-29T08:00:00Z Dirk Baaijenhttps://www.linkedin.com/in/dirkbaayen https://trusq.io/en/california-ai-transparency-act.html2026-06-29T08:00:00Z

California's AI Transparency Act (SB 942, amended by AB 853) takes effect on 2 August 2026, aligned with the EU AI Act. Large generative-AI providers must offer a free detection tool, embedded provenance metadata and an optional visible label; platform duties follow in 2027–2028.

https://trusq.io/en/california-admt-regulations.html2026-06-29T08:00:00Z

California's privacy regulator finalised binding CCPA rules on automated decisionmaking technology (ADMT), risk assessments and cybersecurity audits. In force since 1 January 2026, they reach AI-driven decisions through privacy law, not an AI act, with phased duties from 2027.

https://trusq.io/en/eidas-2-european-digital-identity-wallet.html2026-06-29T08:00:00Z

Regulation (EU) 2024/1183 requires Member States to provide a free digital identity wallet within ~24 months of the implementing acts entering into force (24 December 2024), and obliges regulated sectors and very large online platforms to accept it within ~36 months of that same date.

https://trusq.io/en/eaa-scope-products-and-services.html2026-06-29T08:00:00Z

Directive (EU) 2019/882 (European Accessibility Act) imposes accessibility requirements on five product categories and six service categories; micro-enterprises providing services are fully exempt, and self-service terminals in use before 28 June 2025 may continue operating until end of economic…

https://trusq.io/en/algorithm-register-dutch-government.html2026-06-29T08:00:00Z

The Dutch Algorithm Register (algoritmes.overheid.nl) is the central public platform where government organisations voluntarily publish information about the algorithms they use; registration in the Dutch register is not legally mandatory, but public authorities deploying high-risk AI systems…

https://trusq.io/en/ehds-european-health-data-space.html2026-06-29T08:00:00Z

Regulation (EU) 2025/327 grants EU citizens direct rights over their health data and opens that data — under strict conditions — for research and innovation through two separate pillars.

https://trusq.io/en/mdr-ai-act-overlap-medical-software.html2026-06-29T08:00:00Z

Medical software with AI components falls simultaneously under the MDR and the AI Act; the high-risk classification via the MDR route (Article 6(1) AI Act) does not apply until 2 August 2027.

https://trusq.io/en/esrs-reporting-standards-under-csrd.html2026-06-29T08:00:00Z

Commission Delegated Regulation (EU) 2023/2772 establishes twelve sector-agnostic European Sustainability Reporting Standards (ESRS) that undertakings must use when preparing their sustainability report under the CSRD.

https://trusq.io/en/qualified-trust-services-eidas.html2026-06-29T08:00:00Z

The eIDAS Regulation defines which trust services qualify as "qualified", sets the requirements for that status, and establishes a supervision framework — including precise timelines for conformity assessment reporting.

https://trusq.io/en/dsa-extra-obligations-very-large-online-platforms-vlop.html2026-06-29T08:00:00Z

The Digital Services Act imposes the heaviest obligations on platforms with more than 45 million monthly EU users, including annual independent audits, systemic risk assessments, and direct supervision by the European Commission.

https://trusq.io/en/data-act-b2g-data-sharing-exceptional-need.html2026-06-29T08:00:00Z

The Data Act obliges businesses to share data with public sector bodies, but only under two strictly defined grounds of exceptional need — a public emergency or a statutory public interest task for which no alternative data source is available.

https://trusq.io/en/data-act-obligations-manufacturers-connected-products-iot.html2026-06-29T08:00:00Z

Regulation (EU) 2023/2854 imposes concrete design obligations on manufacturers of connected products so that users and third parties can access generated data; the Article 7 exemption applies exclusively to Chapter II (Articles 3–6).

https://trusq.io/en/cbam-obligations-for-importers.html2026-06-29T08:00:00Z

What EU importers of carbon-intensive goods must do to comply with the Carbon Border Adjustment Mechanism in the definitive phase from 2026 onwards.

https://trusq.io/en/csrd-guide-sustainability-reporting.html2026-06-29T08:00:00Z

The Corporate Sustainability Reporting Directive (Directive (EU) 2022/2464) requires large and listed EU companies to produce detailed sustainability reports under the ESRS standards; implementation is phased and was partially delayed by the Stop-the-Clock Directive (2025).

https://trusq.io/en/digital-accessibility-en-301-549-wcag.html2026-06-29T08:00:00Z

The European Accessibility Act has required providers of digital products and services to comply with EN 301 549 v3.2.1 since 28 June 2025; that harmonised standard incorporates WCAG 2.1 Level AA but also contains additional requirements.

https://trusq.io/en/european-accessibility-act-guide.html2026-06-29T08:00:00Z

The European Accessibility Act (Directive 2019/882) requires businesses with more than 10 employees or annual turnover above €2 million to make products and digital services accessible to people with disabilities, as of 28 June 2025.

https://trusq.io/en/mobility-package-driving-rest-times-cabotage.html2026-06-29T08:00:00Z

EU Mobility Package I (2020) amends rules on driving and rest times for truck drivers and restricts cabotage through a mandatory four-day cooling-off period.

https://trusq.io/en/efti-electronic-freight-transport-information-eu.html2026-06-29T08:00:00Z

Regulation (EU) 2020/1056 requires Member States to accept digital freight documents on certified eFTI platforms during inspections from 9 July 2027, establishing the legal basis for paperless freight transport across all EU transport modes.

https://trusq.io/en/government-algorithm-transparency-eu-ai-act.html2026-06-29T08:00:00Z

The EU AI Act (2024/1689) requires public authorities deploying high-risk AI systems to register them in an EU database, document their operation transparently, and notify affected individuals; the Netherlands leads with a voluntary Algorithm Register expected to become legally mandatory.

https://trusq.io/en/fria-fundamental-rights-impact-assessment-public-sector.html2026-06-29T08:00:00Z

Public authorities and private providers of public services must conduct a Fundamental Rights Impact Assessment (FRIA) before first deploying a high-risk AI system and must notify the results to the market surveillance authority.

https://trusq.io/en/ivdr-guide-in-vitro-diagnostics.html2026-06-29T08:00:00Z

Regulation (EU) 2017/746 (IVDR) sets stringent requirements for in vitro diagnostic medical devices on the EU market, with risk-based classes A–D and extended transition periods running until 31 December 2029 at the latest.

https://trusq.io/en/dsa-notice-and-action-illegal-content.html2026-06-29T08:00:00Z

The DSA obliges hosting service providers to operate an accessible reporting mechanism for illegal content and to respond to received notices within a reasonable time.

https://trusq.io/en/data-act-cloud-switching-and-portability.html2026-06-29T08:00:00Z

The Data Act requires cloud providers to enable barrier-free switching and prohibits switching charges from 12 January 2027.

https://trusq.io/en/nis2-duty-of-care-security-measures.html2026-06-29T08:00:00Z

Article 21 of the NIS2 Directive requires essential and important entities to implement ten concrete, risk-based security measures for which management bears ultimate responsibility.

https://trusq.io/en/double-materiality-csrd.html2026-06-29T08:00:00Z

The CSRD requires in-scope undertakings to assess sustainability matters from two simultaneous perspectives: the undertaking's impacts on people and the environment, and the influence of sustainability factors on the undertaking's financial position.

https://trusq.io/en/ai-rules-financial-sector.html2026-06-28T08:00:00Z

One entry point for banks, insurers and fintech: which AI and digital rules affect your institution — from DORA and the AI Act to credit scoring, AML and insurance — each with a source-traceable file and the financial scan.

https://trusq.io/en/dora-readiness-roadmap.html2026-06-28T08:00:00Z

DORA has applied since 17 January 2025. A practical roadmap to get a grip: determine scope, map ICT dependencies and the register, set up risk management and incident reporting, plan resilience testing, and review your vendor contracts.

https://trusq.io/en/dora-register-of-information.html2026-06-28T08:00:00Z

DORA requires financial entities to maintain a register of information on all contractual arrangements for ICT services, at entity, sub-consolidated and consolidated level. Supervisors request it annually; it also feeds the designation of critical ICT providers.

https://trusq.io/en/does-my-firm-fall-under-dora.html2026-06-28T08:00:00Z

DORA applies to an exhaustively listed set of financial entities — from banks and insurers to payment institutions, crypto providers and their critical ICT providers. Small, non-interconnected entities may use a simplified framework. This explainer helps you determine whether you are in scope.

https://trusq.io/en/ai-act-board-briefing.html2026-06-28T08:00:00Z

A concise template to get the AI Act and AI use onto the board table: what is happening, which risks and deadlines, which decisions are needed, and which oversight questions the board should ask. Adopt it for your next board/management meeting.

https://trusq.io/en/ai-vendor-questionnaire.html2026-06-28T08:00:00Z

A ready-to-use questionnaire to vet an AI tool supplier before purchase on role (provider/deployer), data and training, security, sub-processors, AI Act status and exit. Adopt the questions into your procurement or vendor assessment.

https://trusq.io/en/ai-rules-manufacturing.html2026-06-28T08:00:00Z

One entry point for manufacturing: which AI and digital rules affect production and products — from the Cyber Resilience Act and NIS2 to the Machinery Regulation and AI in industrial processes — each with a source-traceable file.

https://trusq.io/en/ai-use-policy-template.html2026-06-28T08:00:00Z

A directly usable template for an internal AI use policy — what is and isn't allowed, which data may go into AI tools, approval of new tools, and the link to AI literacy (art. 4). Adopt it and adapt it to your organisation.

https://trusq.io/en/dga-data-altruism.html2026-06-28T08:00:00Z

Data altruism under the Data Governance Act is the voluntary sharing of data, without reward, for objectives of general interest such as research or policy. Recognised data altruism organisations meet transparency and safeguard requirements.

https://trusq.io/en/dga-data-intermediation.html2026-06-28T08:00:00Z

Anyone acting as a data intermediary connecting data providers and users falls under the Data Governance Act's notification regime and must guarantee neutrality: not using the intermediated data for their own purposes, with structural separation from other services.

https://trusq.io/en/data-governance-act-guide.html2026-06-28T08:00:00Z

The Data Governance Act (Regulation (EU) 2022/868) has applied since 24 September 2023 and builds trust for data sharing: re-use of public-sector data, notified data intermediation services, data altruism and the European Data Innovation Board. With the Data Act, the basis under the EU data spaces.

https://trusq.io/en/ai-agents-security.html2026-06-28T08:00:00Z

AI agents with tool access widen the attack surface: prompt injection, permission misuse and data leaks. Management requires least privilege, isolation, monitoring and human confirmation for sensitive actions — overlapping with NIS2 and the Cyber Resilience Act.

https://trusq.io/en/ai-agents-logistics-planning.html2026-06-28T08:00:00Z

AI agents can plan, re-plan and adjust in logistics — from trip planning to chain coordination. That touches the AI Act (oversight, classification), the Data Act (chain data) and liability for autonomous decisions.

https://trusq.io/en/ai-agents-for-executives.html2026-06-28T08:00:00Z

For executives, AI agents are not about technology but about control: who owns it, which actions may the agent take itself, how do we oversee it, and who is liable? This sets out the board-level core questions.

https://trusq.io/en/ai-agent-governance-checklist.html2026-06-28T08:00:00Z

If you deploy AI agents, arrange scope, permissions, oversight, logging, security and responsibility up front. This checklist runs through the governance points that set agents apart from ordinary AI tools.

https://trusq.io/en/ai-agents-human-oversight.html2026-06-28T08:00:00Z

The more autonomously an AI agent acts, the more oversight matters. Human oversight (AI Act art. 14 for high-risk) means, for agents: bounded permissions, intervention and stop capabilities, and logging that makes actions explainable after the fact.

https://trusq.io/en/ai-agent-vs-chatbot.html2026-06-28T08:00:00Z

A chatbot answers; an AI agent plans, uses tools and acts on its own. That difference drives your risk and obligations — an agent that takes actions touches not just the AI Act but also the GDPR, liability and oversight duties.

https://trusq.io/en/data-processing-agreement-gdpr-ai.html2026-06-28T08:00:00Z

If an AI vendor processes personal data on your behalf, Article 28 GDPR requires a written data processing agreement with fixed minimum content. This explainer sets out what it must contain and what to watch for with AI services.

https://trusq.io/en/dsa-online-marketplace.html2026-06-28T08:00:00Z

Online marketplaces under the DSA must identify and verify traders (know-your-business-customer), design their interface so traders can meet their information duties, and inform consumers about illegal products.

https://trusq.io/en/dsa-online-platform-obligations.html2026-06-28T08:00:00Z

Online platforms under the DSA must comply with an internal complaint mechanism, advertising transparency, protection of minors and a ban on dark patterns, among others. Small enterprises are partly exempt.

https://trusq.io/en/dsa-guide.html2026-06-28T08:00:00Z

The Digital Services Act (Regulation (EU) 2022/2065) has applied since 17 February 2024 to all intermediary services in the EU, with heavier duties the larger and more visible you are. This guide places you in the right tier.

https://trusq.io/en/dora-resilience-testing.html2026-06-28T08:00:00Z

DORA requires financial entities to test their digital resilience periodically. Significant entities must also perform a threat-led penetration test (TLPT) at least every three years.

https://trusq.io/en/dora-third-party-ict-risk.html2026-06-28T08:00:00Z

DORA sets requirements for ICT outsourcing: mandatory contract clauses, a register of information on all ICT providers, and an EU oversight framework for ICT providers designated as critical.

https://trusq.io/en/dora-incident-reporting.html2026-06-28T08:00:00Z

DORA requires financial entities to classify and report major ICT incidents to the competent supervisor, with an initial, intermediate and final report. Significant cyber threats may be reported voluntarily.

https://trusq.io/en/dora-ict-risk-management.html2026-06-28T08:00:00Z

DORA requires financial entities to maintain a coherent ICT risk management framework with ultimate responsibility at the management body. Small, non-interconnected entities may use a simplified framework.

https://trusq.io/en/dora-guide.html2026-06-28T08:00:00Z

DORA (Regulation (EU) 2022/2554) has applied since 17 January 2025 to financial entities and their critical ICT providers. Five pillars: ICT risk management, incident reporting, resilience testing, third-party ICT risk and information sharing. This guide points the way per pillar.

https://trusq.io/en/council-of-europe-ai-convention.html2026-06-27T08:00:00Z

The Council of Europe Framework Convention on AI is the first legally binding international AI treaty. The EU ratified it on 15 May 2026, after Parliament's consent on 11 March 2026. It binds states, not companies: principles and remedies that parties must transpose into national law.

https://trusq.io/en/taiwan-ai-basic-act.html2026-06-26T08:00:00Z

On 14 January 2026 Taiwan's AI Basic Act took effect: a 20-article framework law setting seven governance principles and tasking the government, led by the National Science and Technology Council, with risk classification, data governance and worker protection.

https://trusq.io/en/ecb-ssm-ai-banking-supervision.html2026-06-25T08:00:00Z

For the 2026-2028 cycle the ECB places AI under its operational-resilience priority, and in February 2026 two Supervisory Board members set out the stance: with 85%+ of supervised banks using AI, govern it within existing frameworks rather than new rules, with a sharper focus on generative AI.

https://trusq.io/en/iosco-ai-capital-markets-supervisory-toolkit.html2026-06-25T08:00:00Z

On 25 May 2026 IOSCO published its final report "Supervisory Toolkit for AI Use in Capital Markets" (FR/02/2026): non-binding tools for securities supervisors across governance, third-party risk, disclosure and recordkeeping, covering the full AI lifecycle including GenAI and agentic AI.

https://trusq.io/en/securing-ai-critical-infrastructure.html2026-06-24T08:00:00Z

A single AI system in a port often falls under three frameworks at once: the AI Act (Art. 15) secures the AI system itself, the Cyber Resilience Act the product, and NIS2 obliges the operator as an essential entity. This piece explains how they meet and who is responsible for what.

https://trusq.io/en/unesco-recommendation-ai-ethics.html2026-06-24T08:00:00Z

UNESCO's 2021 Recommendation on the Ethics of AI is the nearest thing to a universal AI standard — adopted by 193 states. It is non-binding but broad, resting on 11 policy areas and a Readiness Assessment used by 70+ countries. Its 4th Global Forum convenes in Riyadh on 14–17 September 2026.

https://trusq.io/en/oecd-due-diligence-responsible-ai.html2026-06-24T08:00:00Z

In February 2026 the OECD published Due Diligence Guidance for Responsible AI — not a new set of principles, but a six-step process that translates its 2024 AI Principles and its 2023 Guidelines for Multinational Enterprises into concrete due diligence across the AI value chain.

https://trusq.io/en/right-to-explanation-ai-decision.html2026-06-23T08:00:00Z

If you are affected by a decision based (in part) on a high-risk AI system, Article 86 of the AI Act gives you the right to a clear explanation of the AI system's role and the main elements of the decision — from the deployer, on top of your GDPR rights.

https://trusq.io/en/uk-ai-growth-lab.html2026-06-23T08:00:00Z

On 8 June 2026 the UK launched its AI Growth Lab — a cross-economy regulatory sandbox, starting with legal services. But the version that went live is "advisory": it coordinates regulators and gives guidance, and cannot relax a single rule until Parliament passes the enabling law.

https://trusq.io/en/gulf-ai-regulation.html2026-06-29T08:00:00Z

The Gulf states treat AI as an economic engine. On 14 June 2026 the UAE merged its AI, data and digital-government bodies into one Federal Authority for AI and Data, reporting to the Cabinet; Saudi Arabia steers through SDAIA. Growth comes first, not a binding AI law like the EU's.

https://trusq.io/en/national-ai-supervisors.html2026-06-25T08:00:00Z

The AI Act is largely enforced nationally. In the Netherlands a draft Implementation Act (consultation 20 April–1 June 2026) gives the AP and RDI a coordinating role over ten existing market surveillance authorities, with the AFM and DNB supervising the financial sector.

https://trusq.io/en/us-unbiased-ai-procurement.html2026-06-22T08:00:00Z

From 11 March 2026 every US federal agency must write two "Unbiased AI Principles" — truth-seeking and ideological neutrality — into its contracts for large language models. OMB Memorandum M-26-04 implements Executive Order 14319; non-compliant vendors face termination for default.

https://trusq.io/en/hr-ai-roles-provider-deployer.html2026-06-22T08:00:00Z

In HR AI the builder of the ATS or HR tech is usually the provider and the employer the deployer. But an employer can become a provider itself through own branding or substantial modification (Art. 25). The role determines which duties apply.

https://trusq.io/en/ai-onboarding-internal-mobility.html2026-06-22T08:00:00Z

Talent marketplaces, skills matching and career paths with AI seem neutral, but they reach the high-risk line as soon as they steer promotion or progression decisions (Annex III, point 4). Then the AI Act, GDPR, transparency and equal opportunity apply internally too.

https://trusq.io/en/hr-ai-vendor-due-diligence.html2026-06-22T08:00:00Z

Procuring HR AI or ATS software means inheriting AI Act obligations. This checklist gives the questions to ask the vendor before you sign — high-risk or not, CE marking, technical documentation, bias tests, logging — plus the contractual safeguards and the oversight that follows.

https://trusq.io/en/gdpr-article-88-employee-data.html2026-06-22T08:00:00Z

GDPR Article 88 lets Member States set their own rules for processing in the employment context. The Netherlands has no specific Art. 88 law, so the general GDPR plus the Dutch Implementation Act apply. With the weak basis of consent, purpose limitation and the role of works councils.

https://trusq.io/en/dpia-hr-ai.html2026-06-22T08:00:00Z

A DPIA (Art. 35 GDPR) is mandatory for large-scale, systematic monitoring and for high-risk AI in HR. This article explains what it must contain and how to combine the DPIA with the FRIA (fundamental rights assessment, Art. 27 AI Act) into one process. With a practical step plan.

https://trusq.io/en/hr-ai-compliance-roadmap.html2026-06-22T08:00:00Z

A practical roadmap to make HR AI compliant: inventory every system, classify by risk, run a DPIA and FRIA, inform workers and involve the works council, set up human oversight, logging and bias monitoring, and lock down supplier arrangements.

https://trusq.io/en/wearables-neurotech-workplace.html2026-06-22T08:00:00Z

Fitness trackers, stress sensors, smart badges and EEG/brain monitoring quickly hit both the AI Act's emotion-recognition ban and the GDPR rules on special-category data. This is where the legal line lies and why "voluntary" in an employment relationship is rarely voluntary.

https://trusq.io/en/pay-transparency-ai.html2026-06-22T08:00:00Z

The EU Pay Transparency Directive (2023/970) must be transposed by 7 June 2026. AI can support equal-pay analysis but can also introduce bias into pay decisions. With GDPR points of attention and practical steps for employers.

https://trusq.io/en/ai-strategic-workforce-planning.html2026-06-22T08:00:00Z

AI for strategic workforce planning and skills forecasting at organisation level is usually not high-risk under the AI Act. But once it steers individual decisions, it can tip over. Data quality, governance and transparency remain crucial.

https://trusq.io/en/ai-productivity-scoring-bossware.html2026-06-22T08:00:00Z

Continuous AI monitoring and performance scoring ("bossware") collides with GDPR proportionality, purpose limitation and transparency, with good employership and with the works council's consent right. Covert or all-encompassing measurement is not allowed.

https://trusq.io/en/ai-employee-sentiment-analysis.html2026-06-22T08:00:00Z

AI inferring employee mood from email, chat, surveys or speech brushes against the emotion-recognition ban (Art. 5 AI Act) and the GDPR. Aggregated and anonymous is sometimes possible; individual monitoring almost never.

https://trusq.io/en/ai-temporary-agency-work.html2026-06-22T08:00:00Z

Matching AI in agency work and secondment is high-risk (recruitment). The tool vendor is usually provider, the agency deployer; the hirer can become co-responsible. The GDPR demands a clear allocation of roles.

https://trusq.io/en/people-analytics-attrition-prediction.html2026-06-22T08:00:00Z

AI predicting which workers will leave (flight-risk) is legally highly problematic: purpose limitation, proportionality, GDPR Art. 22, and the risk of a self-fulfilling prediction and discrimination. Only aggregated is it sometimes defensible.

https://trusq.io/en/ai-video-interview-analysis.html2026-06-22T08:00:00Z

Video AI that scores face, voice or "personality" is high-risk under the AI Act. Inferring emotions in the workplace is in addition prohibited. Its validity is questionable and the GDPR bar is high.

https://trusq.io/en/us-ai-innovation-security-eo.html2026-06-22T08:00:00Z

On 2 June 2026 the White House issued an executive order on advanced AI innovation and security: it hardens federal cyber defences, sets up a voluntary pre-deployment benchmarking framework for frontier models and directs criminal enforcement against AI misuse — while barring mandatory licensing.

https://trusq.io/en/take-it-down-act-platform-duties.html2026-06-22T08:00:00Z

From 19 May 2026 online platforms must operate a notice-and-removal process for non-consensual intimate images, including AI deepfakes, and remove valid reports within 48 hours. The FTC enforces this as an unfair or deceptive act, with civil penalties of up to $53,088 per violation.

https://trusq.io/en/ai-fraud-detection-government.html2026-06-22T08:00:00Z

After the SyRI ruling (District Court of The Hague, 2020) and the Dutch childcare-benefits scandal, government fraud detection with AI is high-risk under Annex III. The lessons: no opaque risk scores, no proxy discrimination, but proportionality, explainability and a rights assessment.

https://trusq.io/en/ai-act-defence-national-security.html2026-06-22T08:00:00Z

The AI Act does not apply to AI systems used exclusively for military, defence or national-security purposes. Article 2 carves these out, but the boundaries are narrow: dual-use, civilian deployment and fundamental rights remain in scope.

https://trusq.io/en/ai-insurance-liability-cover.html2026-06-22T08:00:00Z

Whether AI harm is insured depends on the policy, not the AI Act. The revised Product Liability Directive widens liability exposure, while insurers struggle with opaque, self-learning and agentic systems.

https://trusq.io/en/real-world-testing-sandboxes.html2026-06-22T08:00:00Z

The AI Act offers two controlled testing routes: regulatory sandboxes under supervision (Articles 57-59) and testing in real-world conditions outside the sandbox (Article 60). Both carry strict safeguards, such as informed consent and the right to have data erased.

https://trusq.io/en/ai-disinformation-elections.html2026-06-22T08:00:00Z

AI disinformation around elections is caught by several regimes at once: the AI Act's transparency duty for deepfakes, the DSA's risk obligations for large platforms, and existing law. No regime bans disinformation as such.

https://trusq.io/en/ai-consumer-protection.html2026-06-22T08:00:00Z

AI that misleads or pressures consumers falls under the ban on unfair commercial practices — alongside the AI Act. Manipulative interfaces, fake reviews and personalised deception are prohibited, even where the AI Act does not classify them as high-risk.

https://trusq.io/en/ai-act-non-eu-companies.html2026-06-22T08:00:00Z

The AI Act also applies to companies outside the EU if their AI system or its output is used in the Union. Non-EU providers often have to appoint an authorised representative in the EU.

https://trusq.io/en/ai-non-discrimination.html2026-06-22T08:00:00Z

An AI system that treats people unequally is caught not only by the AI Act but also by existing equal-treatment law. The two regimes apply side by side — and the ban on discrimination applies even where your AI system is not high-risk.

https://trusq.io/en/eu-declaration-of-conformity-art47.html2026-06-22T08:00:00Z

The EU declaration of conformity is the written statement by which the provider itself confirms that a high-risk AI system meets the AI Act. Article 47 sets out its content, language and retention; the provider bears full responsibility for it.

https://trusq.io/en/common-ai-act-mistakes.html2026-06-22T08:00:00Z

The biggest AI Act pitfalls are not exotic edge cases: overlooking hidden AI, misjudging your role, classifying too heavily or too lightly, forgetting transparency, and treating compliance as a one-off project.

https://trusq.io/en/ai-act-authorised-representative.html2026-06-22T08:00:00Z

A provider established outside the EU must appoint a written authorised representative in the Union before placing a high-risk AI system on the market. Article 22 makes that person the European point of contact for authorities, with its own duties and power to end the mandate.

https://trusq.io/en/cost-of-ai-act-compliance.html2026-06-22T08:00:00Z

The cost of AI Act compliance depends mainly on your risk class, role and number of AI systems. The law requires proportionality, so most organisations with low-risk AI face limited costs.

https://trusq.io/en/ai-act-distributor-duties.html2026-06-22T08:00:00Z

A distributor makes a high-risk AI system available without being its provider or importer. Article 24 asks for a lighter but real check: confirm CE marking, declaration of conformity and documentation are present, and do not pass it on where there is doubt.

https://trusq.io/en/ai-act-readiness-90-days.html2026-06-22T08:00:00Z

A concrete 90-day plan to build AI Act readiness, split into three one-month phases: inventory and classify, close the gaps, and embed governance with ongoing oversight.

https://trusq.io/en/ai-act-importer-duties.html2026-06-22T08:00:00Z

Anyone placing a high-risk AI system from outside the EU on the market is an importer and must verify before import that the provider has handled conformity. Article 23 makes the importer a gatekeeper, with its own recording, retention and stop duties.

https://trusq.io/en/ai-act-compliance-roadmap.html2026-06-22T08:00:00Z

A practical roadmap to becoming AI Act compliant — from inventorying your AI systems and determining your role and risk class to governance, documentation and ongoing oversight.

https://trusq.io/en/ai-safety-institutes.html2026-06-22T08:00:00Z

Since the AI Safety Summit at Bletchley Park (2023), countries have built AI Safety Institutes to test advanced models and share knowledge. It is an international network alongside — not instead of — binding legislation like the EU AI Act. Tone and focus shift from summit to summit.

https://trusq.io/en/africa-ai-governance.html2026-06-22T08:00:00Z

The African Union adopted a continental AI strategy in 2024 to steer development across the continent. Beneath it move national initiatives, with countries such as Mauritius, Egypt, Rwanda and Nigeria leading. The emphasis is on capacity building and opportunity, with governance still emerging.

https://trusq.io/en/singapore-ai-governance.html2026-06-22T08:00:00Z

Singapore regulates AI not with a binding law but with voluntary instruments: the Model AI Governance Framework (with a separate version for generative AI) and the AI Verify testing toolkit. The aim is trust through testable practice rather than legal obligations up front.

https://trusq.io/en/canada-aida-ai-law.html2026-06-22T08:00:00Z

Canada sought a federal AI law through the Artificial Intelligence and Data Act (AIDA), part of Bill C-27. That bill died in early 2025 when Parliament was prorogued. What remains is a voluntary code of conduct and existing law — not a binding AI act like the EU's.

https://trusq.io/en/ai-act-for-developers.html2026-06-22T08:00:00Z

If you build or fine-tune AI, you are often a provider under the AI Act — the role with the heaviest obligations. This guide translates the legal text into what a developer and product team must concretely arrange: technical documentation, data quality, logging and human oversight by design.

https://trusq.io/en/ce-marking-notified-bodies.html2026-06-22T08:00:00Z

High-risk AI receives a CE marking after a successful conformity assessment. Sometimes the provider assesses itself; sometimes an independent notified body must be involved. This guide explains when each route applies and what the CE marking means.

https://trusq.io/en/ai-act-for-procurement.html2026-06-22T08:00:00Z

Whoever procures AI often becomes a deployer under the AI Act and carries their own obligations. A supplier claiming to be "AI Act compliant" is no guarantee. This guide explains what to ask up front and which clauses belong in the contract.

https://trusq.io/en/ai-act-for-cisos.html2026-06-22T08:00:00Z

The AI Act sets requirements in Article 15 for the accuracy, robustness and cybersecurity of high-risk AI. For the CISO this stacks on top of NIS2 and the Cyber Resilience Act. This guide explains the overlap and what security teams must concretely arrange.

https://trusq.io/en/ai-act-for-dpos.html2026-06-22T08:00:00Z

The AI Act and the GDPR overlap but are not the same. The DPO is not automatically responsible for AI compliance, yet plays a key role wherever AI processes personal data. This guide maps the touchpoints: DPIAs, legal grounds, transparency and the limits of the DPO role.

https://trusq.io/en/instructions-transparency-art13.html2026-06-22T08:00:00Z

Article 13 requires high-risk AI to be transparent enough and to come with instructions that let the deployer understand and use the system correctly. Those instructions must cover purpose, performance, limits and oversight measures. This guide explains what belongs in them.

https://trusq.io/en/ai-act-for-directors.html2026-06-22T08:00:00Z

The AI Act makes the board ultimately responsible for responsible AI use. Fines reach 35 million euro or 7% of global turnover. This guide explains what the board must steer on, how to organise oversight, and where personal risk lies.

https://trusq.io/en/accuracy-robustness-art15.html2026-06-22T08:00:00Z

Article 15 requires high-risk AI to achieve an appropriate level of accuracy, robustness and cybersecurity across its lifetime. The system must withstand errors, faults and attacks such as data poisoning and adversarial input. This guide explains what that means.

https://trusq.io/en/record-keeping-art12.html2026-06-22T08:00:00Z

Article 12 requires high-risk AI systems to automatically record events (logs) over their lifetime. Logging enables risk monitoring, traceability and after-the-fact investigation. This guide explains what the logs must contain at minimum and how long to keep them.

https://trusq.io/en/human-oversight-art14.html2026-06-22T08:00:00Z

Article 14 requires providers of high-risk AI to build in effective human oversight. People must be able to understand the output, ignore it, override it or stop the system — and resist automation bias. This guide explains how to design that.

https://trusq.io/en/ai-and-cybersecurity-cra.html2026-06-22T08:00:00Z

AI products must be both safe and cyber-resilient. The Cyber Resilience Act sets security requirements for products with digital elements, while the AI Act requires cybersecurity of high-risk systems — two frameworks meeting on one product.

https://trusq.io/en/ai-and-competition-law.html2026-06-22T08:00:00Z

Algorithms can engage competition law. Price coordination via algorithms can form a prohibited cartel under Article 101 TFEU, while dominant AI and data platforms may fall under the prohibition on abuse of a dominant position (Article 102).

https://trusq.io/en/ai-and-sustainability-energy.html2026-06-22T08:00:00Z

AI consumes a lot of energy. The AI Act requires providers of general-purpose AI models to document energy consumption, while the CSRD forces large companies to report on the environmental impact of their activities — including AI.

https://trusq.io/en/ai-and-accessibility.html2026-06-22T08:00:00Z

AI must be usable by people with disabilities. From June 2025 the European Accessibility Act sets accessibility requirements for many digital products and services, while the AI Act counters discriminatory outcomes of AI systems.

https://trusq.io/en/ai-in-nonprofits.html2026-06-22T08:00:00Z

Charities use AI for fundraising and donor profiling with limited resources. The same rules apply as for businesses: the GDPR for profiling and the AI Act for risky applications — nonprofit status grants no exemption.

https://trusq.io/en/ai-in-hospitality-tourism.html2026-06-22T08:00:00Z

Hospitality and tourism use AI for dynamic pricing, recommendations and guest profiling. The AI Act rarely treats this as high-risk, but the GDPR is decisive: profiling, automated decisions and transparency call for clear legal bases.

https://trusq.io/en/ai-act-for-smes.html2026-06-22T08:00:00Z

The AI Act applies to SMEs too, but builds in relief: proportionate documentation, priority and lower cost in regulatory sandboxes, and fines with an SME cap. This guide shows what to watch for as a small business.

https://trusq.io/en/preparing-ai-compliance-audit.html2026-06-22T08:00:00Z

In an audit a supervisor first requests your documentation. Those with technical documentation, risk management, logging, a declaration of conformity and governance in order pass the test. This guide summarises what to have ready.

https://trusq.io/en/ai-act-complaint-enforcement.html2026-06-22T08:00:00Z

Anyone can file a complaint with the national market surveillance authority if an AI system breaches the AI Act. The supervisor investigates, can request documentation, require measures and impose fines. The process runs from report to decision and appeal.

https://trusq.io/en/ai-in-telecom.html2026-06-22T08:00:00Z

Telecom operators use AI for network optimisation and fraud detection. The AI Act mainly affects fraud detection that assesses customers, while NIS2 imposes strict requirements on the cybersecurity and incident reporting of this essential infrastructure.

https://trusq.io/en/ai-office-role-powers.html2026-06-22T08:00:00Z

The AI Office within the European Commission coordinates implementation of the AI Act and is the exclusive supervisor of GPAI models. It draws up codes of practice, conducts investigations and can have fines imposed on model providers.

https://trusq.io/en/ai-in-agriculture.html2026-06-22T08:00:00Z

AI in agriculture — from precision farming to autonomous tractors — rarely falls under the AI Act's high-risk category, but it does fall under the Machinery Regulation for safe autonomous machines and under rules on who owns the farm data.

https://trusq.io/en/ai-in-media-journalism.html2026-06-22T08:00:00Z

AI touches journalism on three fronts: Article 50 of the AI Act requires transparency on deepfakes and AI text, the DSA regulates the spread of disinformation on platforms, and the European Media Freedom Act protects editorial independence and sources.

https://trusq.io/en/ai-and-children-minors.html2026-06-22T08:00:00Z

Stricter rules apply to children. The AI Act prohibits manipulation and exploitation of vulnerability (Art. 5), the GDPR sets requirements for consent and profiling, and the DSA bans profiling-based advertising aimed at minors.

https://trusq.io/en/copyright-ai-output.html2026-06-22T08:00:00Z

Under EU law, copyright arises only in a person's own intellectual creation. Output generated purely by AI is therefore in principle not protected by copyright; only sufficient human creative choices can attract protection. Settle ownership and use by contract instead.

https://trusq.io/en/open-source-ai-models.html2026-06-22T08:00:00Z

The AI Act eases some GPAI obligations for models released under a free and open licence, but the exemption is narrow and conditional. Copyright policy and a training-data summary still apply, and where there is systemic risk the exemption falls away entirely.

https://trusq.io/en/ai-trade-secrets-confidentiality.html2026-06-22T08:00:00Z

Feeding confidential information into an external AI model can undermine trade-secret status and breach confidentiality or GDPR obligations. Protection depends on secrecy measures; uncontrolled sharing erodes them. Manage it with policy, contract and access rules.

https://trusq.io/en/rag-enterprise-ai-governance.html2026-06-22T08:00:00Z

RAG connects a generative model to your own sources so answers come from company documents. That lowers fabrication but shifts the risk to access, confidentiality and provenance. Governance turns on source scoping, authorisation, logging and human oversight.

https://trusq.io/en/ai-in-housing-allocation.html2026-06-22T08:00:00Z

AI that decides who gets access to housing strikes at the core of the high-risk regime. Annex III of the AI Act covers access to essential private and public services; on top of that, the GDPR prohibits discrimination and sets demands on automated decisions.

https://trusq.io/en/explainability-government-algorithms.html2026-06-22T08:00:00Z

Transparency of government algorithms runs along two axes: collective openness via the algorithm register and the FRIA, and individual explanation to the citizen via administrative law and the GDPR. The AI Act requires intelligibility and logging. Explanation is a legal duty, not a favour.

https://trusq.io/en/eu-database-registration-article-49.html2026-06-22T08:00:00Z

Article 49 of the AI Act requires providers and certain deployers to register high-risk systems in a public EU database before deployment. The registration makes visible which systems are on the market and is a condition for lawful use.

https://trusq.io/en/ai-anti-money-laundering.html2026-06-22T08:00:00Z

AI for anti-money laundering and transaction monitoring is not in Annex III of the AI Act, so usually not high-risk. The centre of gravity is the EU AML package and the GDPR. Watch the overlap with the fraud carve-out and bias in flagging suspicious transactions.

https://trusq.io/en/ai-in-legal-services.html2026-06-22T08:00:00Z

AI in law firms and legal services is rarely high-risk, but sets sharp demands on reliability, confidentiality and transparency. Hallucinations, professional secrecy and GDPR processing set the limits, alongside the AI Act's transparency duties.

https://trusq.io/en/post-market-monitoring-article-72.html2026-06-22T08:00:00Z

Article 72 of the AI Act requires providers of high-risk AI to keep actively monitoring systems after deployment. A post-market monitoring system collects and analyses performance data throughout the lifetime and feeds risk management. Compliance does not end at market launch.

https://trusq.io/en/ai-robo-advice-mifid.html2026-06-22T08:00:00Z

Investment advice and robo-advice are not in Annex III of the AI Act, so usually not high-risk. The centre of gravity is MiFID II: suitability assessment, duty of care and transparency. AI does not shift those requirements, but makes explainability and oversight more urgent.

https://trusq.io/en/ai-in-energy.html2026-06-22T08:00:00Z

AI that manages or operates energy supply can be high-risk under the AI Act (Annex III, critical infrastructure). The energy sector also falls under NIS2 for cybersecurity. Two regimes with partly overlapping demands on robustness and oversight.

https://trusq.io/en/ai-in-the-judiciary.html2026-06-22T08:00:00Z

AI that assists judicial authorities in researching facts or applying the law is high-risk under Annex III of the AI Act. Purely administrative support falls outside it. The judge remains the decision-maker; AI may advise, not adjudicate.

https://trusq.io/en/data-quality-governance-article-10.html2026-06-22T08:00:00Z

Article 10 of the AI Act sets requirements for the data used to train, validate and test high-risk AI. Datasets must be relevant, representative, as error-free as possible and complete, with attention to bias. Data governance makes these choices traceable.

https://trusq.io/en/ai-financial-fraud-detection.html2026-06-22T08:00:00Z

AI that detects financial fraud is expressly carved out of the high-risk classification for credit scoring in Annex III. The carve-out is narrow: it covers genuine fraud detection, not credit assessment under a fraud label. The GDPR and governance still apply.

https://trusq.io/en/ai-in-manufacturing.html2026-06-22T08:00:00Z

AI in manufacturing and machinery triggers two regimes at once. An AI system that determines a machine's safety is high-risk under the AI Act (Annex I) and must also meet the new Machinery Regulation. One product, two conformity tracks that have to align.

https://trusq.io/en/algorithmic-decisions-government.html2026-06-22T08:00:00Z

An automated government decision sits under three regimes at once: the AI Act (high-risk), administrative law (reasoning and due care) and GDPR Art. 22 (no solely automated decision with legal effect). They stack; they do not replace one another.

https://trusq.io/en/risk-management-system-article-9.html2026-06-22T08:00:00Z

Article 9 of the AI Act requires providers of high-risk AI to run a continuous risk management system: identify, estimate, mitigate and keep monitoring risks throughout the system's lifetime. It is an iterative process, not a one-off analysis, and sits at the heart of the compliance regime.

https://trusq.io/en/foundation-models-systemic-risk.html2026-06-22T08:00:00Z

On top of the baseline regime for general-purpose AI models, the AI Act adds a heavier regime for models with systemic risk (Art. 51-55). A compute threshold of 10^25 FLOP acts as a presumption; above it, model evaluation, risk mitigation, incident reporting and cybersecurity apply.

https://trusq.io/en/ai-insurance-pricing.html2026-06-22T08:00:00Z

AI for risk assessment and pricing in life and health insurance is high-risk under Annex III of the AI Act. Other lines are not automatically covered, but the GDPR, solidarity rules and the prohibition of discrimination apply broadly.

https://trusq.io/en/ai-in-retail.html2026-06-22T08:00:00Z

Retail and e-commerce use AI for dynamic pricing, recommendations and profiling. These trigger the AI Act (prohibited practices, transparency), the GDPR (profiling, automated decisions) and the DSA (recommender systems, advertising) at the same time.

https://trusq.io/en/ai-public-procurement.html2026-06-22T08:00:00Z

A public body that procures an AI system becomes a deployer under the AI Act, and sometimes a provider itself. Make compliance, documentation and the rights impact assessment hard tender requirements, not loose ends in the contract.

https://trusq.io/en/technical-documentation-annex-iv.html2026-06-22T08:00:00Z

Providers of high-risk AI must draw up technical documentation following Annex IV of the AI Act. This file describes the system, design, data, performance and risk management, and forms the basis for conformity assessment. It must stay current throughout the system's lifetime.

https://trusq.io/en/ai-credit-scoring.html2026-06-22T08:00:00Z

AI that assesses consumer creditworthiness is high-risk under Annex III of the AI Act. On top of that come GDPR Article 22 (automated decisions) and the prohibition of discrimination. Three regimes at once, with bias control at the core.

https://trusq.io/en/ai-payroll-scheduling.html2026-06-21T08:00:00Z

AI that assigns shifts, plans capacity or calculates pay falls under Annex III once it allocates tasks based on behaviour or traits. Beyond the AI Act, working-time rules, schedule predictability and the GDPR apply — plus the risk that dynamic scheduling disadvantages certain groups.

https://trusq.io/en/ai-absence-prediction.html2026-06-21T08:00:00Z

AI predicting which workers will fall ill or be absent touches health data — special-category personal data with a strict prohibition regime (Art. 9 GDPR). The risk of discriminating against sick or disabled workers is high. In most cases such prediction is not lawful.

https://trusq.io/en/ai-learning-development.html2026-06-21T08:00:00Z

AI that recommends learning looks harmless, but once it determines who gets access to training or career paths it engages Annex III (access to vocational training). The risk is unequal development opportunities; the GDPR and bias testing come with it.

https://trusq.io/en/algorithmic-management-work.html2026-06-21T08:00:00Z

Algorithmic management — AI that allocates tasks, steers performance and nudges behaviour — is not limited to delivery platforms. In ordinary organisations it falls under Annex III (task allocation, evaluation) and the GDPR, with human oversight and transparency at its core.

https://trusq.io/en/ai-background-checks-candidates.html2026-06-21T08:00:00Z

AI that screens candidates via social media or background checks quickly clashes with the GDPR: proportionality, special-category data and transparency. Add reliability risks (false matches) and discrimination through irrelevant private information.

https://trusq.io/en/ai-assessments-selection.html2026-06-21T08:00:00Z

Gamified and psychometric AI assessments evaluate candidates and are therefore high-risk (Annex III). Three questions are decisive: does it really measure what matters, is it free of bias, and does it not exclude people with a disability? Emotion analysis via image or voice is moreover prohibited.

https://trusq.io/en/ai-candidate-sourcing.html2026-06-21T08:00:00Z

AI tools that find candidates by scraping public profiles mainly engage the GDPR: even public data needs a basis, transparency and data minimisation. Untargeted scraping of facial images is even prohibited, and once the tool ranks candidates the high-risk regime is added.

https://trusq.io/en/ai-recruitment-chatbots.html2026-06-21T08:00:00Z

A recruitment chatbot must always disclose that it is AI (Art. 50). Once it pre-selects, scores or rejects candidates, it is also a high-risk system (Annex III), with human oversight and the GDPR on top. A "handy assistant" thus quickly becomes a decision tool.

https://trusq.io/en/ai-targeted-job-ads.html2026-06-21T08:00:00Z

AI that shows job ads to specific groups falls explicitly under Annex III of the AI Act as high-risk. The biggest risk is discrimination: an algorithm that shows a vacancy mostly to young men invisibly excludes others. The GDPR and the DSA set additional limits.

https://trusq.io/en/informing-workers-ai-art26.html2026-06-21T08:00:00Z

Before you deploy a high-risk AI system in the workplace, Article 26 of the AI Act requires you to inform the affected workers and their representatives. This duty sits alongside GDPR transparency and the works council's consent right — and is a separate, auditable step.

https://trusq.io/en/works-council-ai.html2026-06-21T08:00:00Z

AI systems for staff often trigger works-council consent rights. The Dutch Works Councils Act requires consent for staff-monitoring and appraisal systems; the AI Act additionally requires informing workers and their representatives. Rolling out without the works council is a real risk.

https://trusq.io/en/ai-performance-promotion-dismissal.html2026-06-21T08:00:00Z

Annex III of the AI Act goes beyond recruitment: AI that helps decide on working conditions, promotion, termination, task allocation and performance evaluation is high-risk too. That catches performance tools and workforce systems many employers already use.

https://trusq.io/en/ai-literacy-hr-teams.html2026-06-21T08:00:00Z

The literacy duty (Art. 4) already applies and weighs heavily for HR: a recruiter operating a high-risk system can only exercise human oversight (Art. 14) if they understand the system. This guide describes what an HR team must know and how to make it demonstrable.

https://trusq.io/en/ai-use-policy-employees.html2026-06-21T08:00:00Z

Employees already use generative AI — often without rules. A use policy bounds the risks: leakage of confidential or personal data, unreliable output, IP questions and transparency. The AI literacy duty (Art. 4) also makes such a policy part of compliance.

https://trusq.io/en/gdpr-employee-data-ai.html2026-06-21T08:00:00Z

HR AI runs on employee data, and that sits under the GDPR. Consent is rarely a valid basis given the power imbalance; you often fall back on legitimate interest or a legal obligation. Special-category data, transparency, data minimisation and a DPIA decide whether it is allowed.

https://trusq.io/en/emotion-recognition-workplace-ban.html2026-06-21T08:00:00Z

Since 2 February 2025 the AI Act prohibits inferring emotions of workers and students with AI — think camera or voice analysis during work or job interviews. The exception for medical or safety purposes is narrow. This is what is banned and where the line lies.

https://trusq.io/en/ai-cv-screening-recruitment.html2026-06-21T08:00:00Z

AI that filters, parses or ranks CVs is the most widely used HR AI — and falls under Annex III of the AI Act as high-risk. That applies to bought-in tools too. This explainer covers the duties, the bias risks and the employer's role.

https://trusq.io/en/ai-contract-clauses.html2026-06-21T08:00:00Z

There is no separate AI contract law, but the AI Act, product liability and the Data Act together determine what you must set contractually: role allocation, compliance warranties, documentation, liability, data and IP, logging and exit. This guide lays out the core clauses.

https://trusq.io/en/ai-in-marketing-advertising.html2026-06-21T08:00:00Z

AI in marketing touches three frameworks at once: the AI Act prohibits manipulation (Art. 5) and requires transparency (Art. 50), the GDPR limits profiling and automated decisions, and the Digital Services Act sets rules for online advertising and the protection of minors.

https://trusq.io/en/ai-governance-framework.html2026-06-21T08:00:00Z

The AI Act, the GDPR and standards such as ISO/IEC 42001 call not for scattered measures but for coherent governance. This guide lays out the building blocks — inventory, roles, policy, literacy, risk and rights assessment, monitoring — and how to start in proportion to your risk.

https://trusq.io/en/ai-liability.html2026-06-21T08:00:00Z

The AI Act governs safety up front, not compensation after the fact. That question shifts to the revised Product Liability Directive (PLD), which treats software and AI explicitly as products and eases the burden of proof — while the separate AI Liability Directive was withdrawn in 2025.

https://trusq.io/en/india-synthetic-content-rules.html2026-06-21T08:00:00Z

On 10 February 2026 India notified G.S.R. 120(E), amending its IT intermediary rules to create a binding regime for 'synthetically generated information'. Without an AI law, India now mandates labelling, embedded provenance metadata and platform verification via intermediary liability.

https://trusq.io/en/ai-in-the-workplace.html2026-06-20T08:00:00Z

AI in recruitment, workforce management and monitoring largely falls under the AI Act (Annex III, high-risk) and the GDPR, with one hard ban: emotion recognition at work. This guide brings together what applies to employers and where to start.

https://trusq.io/en/algorithm-register-government.html2026-06-20T08:00:00Z

Dutch public bodies publish the algorithms they use in the national Algorithm Register, as a transparency instrument. In addition, the AI Act requires registration of high-risk AI in an EU database (Art. 49/71) — also for public authorities as deployers. Two registers, one aim: accountability.

https://trusq.io/en/ai-proctoring-exam-surveillance.html2026-06-20T08:00:00Z

AI proctoring (online exam surveillance) detects prohibited behaviour during tests and therefore falls under Annex III: high-risk. If the system infers emotions, it is even banned (Art. 5). The GDPR also requires a legal basis, proportionality and usually a DPIA — especially for minors.

https://trusq.io/en/us-financial-services-ai-rmf.html2026-06-20T08:00:00Z

On 12 February 2026 the Cyber Risk Institute and the Financial Services Sector Coordinating Council launched the Financial Services AI Risk Management Framework — 230 control objectives that adapt the NIST AI RMF for banks and insurers. It is industry-led and voluntary, not regulation.

https://trusq.io/en/healthcare-guide.html2026-06-20T08:00:00Z

Healthcare AI touches three regimes at once: the AI Act (high-risk), the MDR for medical devices, and data law (GDPR and the European Health Data Space). This guide brings together what applies to care providers and manufacturers and where to start.

https://trusq.io/en/ai-medical-device-conformity.html2026-06-20T08:00:00Z

If your AI is a medical device, it must meet both the MDR (clinical evaluation, CE) and the AI Act (high-risk requirements). The regulations are meant to run together through a single conformity assessment and one notified body — not two separate tracks.

https://trusq.io/en/european-health-data-space-ehds.html2026-06-20T08:00:00Z

The EHDS gives citizens access to and control over their electronic health data and enables cross-border exchange (primary use), and governs the reuse of health data for research and policy via access bodies (secondary use). Application is phased.

https://trusq.io/en/ai-in-the-public-sector.html2026-06-20T08:00:00Z

AI that determines access to public services or benefits, or is used in law enforcement, migration or justice, is high-risk under the AI Act. As deployers, public bodies must often carry out a fundamental rights assessment (FRIA) and be transparent to citizens.

https://trusq.io/en/ai-in-education.html2026-06-20T08:00:00Z

AI that determines access to education, evaluates learning outcomes or monitors exam behaviour falls under Annex III and is high-risk. Emotion recognition in education is banned. The GDPR (often minors' data) and the AI-literacy duty also apply.

https://trusq.io/en/ai-in-healthcare.html2026-06-20T08:00:00Z

Medical AI often falls under two regimes at once: as a medical device under the MDR (CE marking) and as high-risk AI under the AI Act (Annex I). The regulations align the conformity assessment as far as possible. Health data is also special-category personal data under the GDPR.

https://trusq.io/en/automated-decisions-recruitment.html2026-06-20T08:00:00Z

Rejecting a candidate fully automatically is in principle not allowed: GDPR Art. 22 prohibits decisions based solely on automated processing that significantly affect someone, unless safeguards apply. The AI Act adds human oversight and transparency for high-risk recruitment.

https://trusq.io/en/ai-employee-monitoring.html2026-06-20T08:00:00Z

AI monitoring of employees quickly clashes with the rules: emotion recognition at work is banned (Art. 5), performance monitoring can be high-risk (Annex III), and the GDPR requires a legal basis, transparency and proportionality. Continuous, intrusive monitoring is legally risky.

https://trusq.io/en/ai-recruitment-discrimination.html2026-06-20T08:00:00Z

AI recruitment tools can discriminate unintentionally. For high-risk systems the AI Act requires representative, bias-examined data (Art. 10) and human oversight; equal-treatment law and the GDPR also apply. Mitigating bias is an obligation, not a good intention.

https://trusq.io/en/eidas-guide.html2026-06-20T08:00:00Z

The revised eIDAS Regulation requires member states to offer a European Digital Identity Wallet and renews trust services (signatures, seals). This guide brings together what the wallet means for citizens and businesses, the timeline and the links with transport.

https://trusq.io/en/customs-guide.html2026-06-20T08:00:00Z

The EU is digitalising and tightening the customs and freight process: ICS2 for import security, AEO status as a trusted trader, eFTI and e-CMR for digital freight documents, EMSWe for ports. This guide brings together what applies and where to start.

https://trusq.io/en/nis2-guide.html2026-06-20T08:00:00Z

NIS2 makes cybersecurity a board-level responsibility for essential and important entities — including transport and logistics. This guide brings together who is in scope, which measures and reporting duties apply, management liability, and supply-chain obligations.

https://trusq.io/en/ai-recruitment-hr.html2026-06-20T08:00:00Z

AI in recruitment, selection and workforce management falls under Annex III of the AI Act and counts as high-risk — for every employer, regardless of sector or size. Emotion recognition in the workplace is banned, AI literacy already applies, and the GDPR runs in parallel for automated decisions.

https://trusq.io/en/gpai-enforcement-2026.html2026-06-20T08:00:00Z

From 2 August 2026 the European Commission can enforce the GPAI model rules, fines included (Art. 101). Obligations have applied since 2 August 2025; older models comply by 2 August 2027. The Signatory Taskforce, chaired by the AI Office, steers the Code of Practice.

https://trusq.io/en/ai-copyright-training-data.html2026-06-19T08:00:00Z

Commercial AI training in the EU relies on the text-and-data-mining exception (Art. 4 DSM Directive): it applies unless the rightholder made a machine-readable reservation. The AI Act obliges GPAI providers to respect it. Purely machine-generated output usually carries no copyright.

https://trusq.io/en/agentic-ai-governance.html2026-06-19T08:00:00Z

Agentic AI — systems that plan, use tools and take actions on their own — has no dedicated category in the AI Act. Yet it is covered: through the GPAI regime, risk classification that follows the use, and the transparency and human-oversight duties. Open question: liability for autonomous actions.

https://trusq.io/en/ai-act-high-risk-classification-guidelines.html2026-06-19T08:00:00Z

On 19 May 2026 the Commission published draft guidelines on which AI systems are high-risk under Article 6: the two routes (Annex I and Annex III), the Article 6(3) filter and practical examples. Non-binding; the targeted consultation was extended to 23 July 2026, final text expected later in 2026.

https://trusq.io/en/ai-act-scientific-panel-advisory-forum.html2026-06-19T08:00:00Z

On 1 June 2026 the European Commission appointed the two expert bodies the AI Act foresees: a 60-member Scientific Panel of independent experts (Art. 68) advising on general-purpose AI and systemic risk, and a 174-member Advisory Forum (Art. 67) for broad input. Both serve two-year terms.

https://trusq.io/en/fsb-sound-practices-ai.html2026-06-18T08:00:00Z

On 10 June 2026 the Financial Stability Board issued a consultation report proposing 12 voluntary sound practices for the responsible adoption of AI by financial institutions worldwide. Comments close 22 July 2026. It is a menu, not a standard, and does not target frontier-AI-model risks.

https://trusq.io/en/coe-huderia-cobra-model.html2026-06-17T08:00:00Z

The Council of Europe's binding AI treaty requires a risk and impact assessment but prescribes no method. On 25 February 2026 the Committee of Ministers approved the HUDERIA Model COBRA: the non-binding toolkit that lets parties carry out the human-rights assessment in practice.

https://trusq.io/en/un-ai-governance-panel-dialogue.html2026-06-17T08:00:00Z

In 2026 the United Nations stood up its first AI governance machinery: a 40-member Independent International Scientific Panel, appointed in February and convened in March, and a Global Dialogue on AI Governance whose first session meets in Geneva on 6–7 July 2026.

https://trusq.io/en/hiroshima-ai-reporting-framework.html2026-06-17T08:00:00Z

On 28 May 2026 the OECD launched version 2.0 of the G7 Hiroshima AI Process Reporting Framework. The voluntary transparency tool now splits its questions by role — model developer, application developer, deployer — and addresses agentic AI. More than 50 organisations have pledged to report.

https://trusq.io/en/harmonised-standards-ai-act.html2026-06-17T08:00:00Z

High-risk AI Act compliance rests on harmonised European standards granting a presumption of conformity. CEN-CENELEC's JTC 21 missed its 2025 deadline; October 2025 emergency measures target Q4 2026 delivery — a stated reason the Digital Omnibus pushed Annex III to December 2027.

https://trusq.io/en/uk-ico-ai-code.html2026-06-23T08:00:00Z

The UK still has no horizontal AI statute, but a binding duty now arrives through data-protection law. Regulations in force on 12 May 2026 require the ICO to write a statutory code on AI and automated decision-making, while the Data (Use and Access) Act 2025 rewrites the UK's ADM rules.

https://trusq.io/en/battery-regulation-fleet.html2026-06-16T08:00:00Z

Regulation (EU) 2023/1542 sets rules for the whole battery lifecycle: carbon footprint, recycled content, recycling and due diligence. From 2027 a battery passport applies to EV batteries. What that means when you electrify.

https://trusq.io/en/iso27001-nis2-coverage.html2026-06-16T08:00:00Z

ISO 27001 covers much of the NIS2 risk-management measures, but is not automatic compliance. Incident reporting, management accountability, supply-chain risk and registration must be addressed separately.

https://trusq.io/en/red-cybersecurity-wireless.html2026-06-16T08:00:00Z

Since 1 August 2025 the RED imposes mandatory cybersecurity requirements on wireless, internet-connected devices. If you place connected hardware on the market, you must protect the network, personal data and payments.

https://trusq.io/en/green-claims-directive-transport.html2026-06-16T08:00:00Z

For now, yes, but the EU proposal COM(2023) 166 would require environmental claims like "green" or "carbon-neutral" to be substantiated and verified up front. It is a proposal, not law yet. Start substantiating your claims measurably now.

https://trusq.io/en/trust-and-check-trader.html2026-06-16T08:00:00Z

Trust and Check is a proposed new class of trusted traders that give customs real-time access to their systems. It builds on AEO but is not yet in force — a phased roll-out runs towards 2032-2038.

https://trusq.io/en/eidas-trust-services.html2026-06-16T08:00:00Z

Beyond signatures, eIDAS covers timestamps, electronic registered delivery, website certificates and (under 2.0) archiving. Qualified services appear on the EU trust list and carry stronger legal effects.

https://trusq.io/en/free-flow-non-personal-data.html2026-06-16T08:00:00Z

No, a government may in principle not require you to store your non-personal data in a specific member state. Regulation (EU) 2018/1807 prohibits unjustified data localisation requirements within the EU.

https://trusq.io/en/aeo-status-benefits-requirements.html2026-06-16T08:00:00Z

AEO status marks you as a trusted trader with customs. You get fewer checks, priority treatment and easier access to simplifications. The requirements: a compliance record, sound records, solvency and competence.

https://trusq.io/en/ioss-ecommerce-vat-import.html2026-06-16T08:00:00Z

The IOSS lets you collect VAT at the point of sale for imported parcels worth up to 150 euro. You file one monthly return, and the parcel clears customs faster without import VAT. Without IOSS, the customer pays VAT on delivery.

https://trusq.io/en/data-act-trade-secrets.html2026-06-16T08:00:00Z

Not a free pass to refuse. The Data Act gives users a right to data from connected products, but protects trade secrets: you may take safeguards and, in exceptional cases, refuse where serious harm is shown.

https://trusq.io/en/eudi-wallet-timeline-availability.html2026-06-16T08:00:00Z

eIDAS 2.0 requires every member state to offer an EU Digital Identity Wallet; the rollout runs toward end-2026 and is phased, not yet live everywhere. You use it to log in, prove age and qualifications, and sign documents.

https://trusq.io/en/european-data-spaces.html2026-06-16T08:00:00Z

European data spaces are sectoral agreement frameworks for voluntary, trusted data sharing — not a central database. The mobility data space is the relevant one for transport. Taking part is voluntary and gives access to more and better supply-chain data.

https://trusq.io/en/data-act-frand-compensation.html2026-06-16T08:00:00Z

If the Data Act obliges you to share data, you may charge a reasonable fee based on your costs of making the data available, plus a reasonable margin. For SMEs and non-profits: only the direct costs. Terms must be fair and non-discriminatory (FRAND).

https://trusq.io/en/mobility-package-driving-rest-times.html2026-06-16T08:00:00Z

The EU Mobility Package (2020) bundles three pillars for road transport: stricter driving and rest times plus driver return, market access with a cabotage cooling-off period and vehicle return, and posting rules with remuneration for international drivers.

https://trusq.io/en/qualified-esignature-seal-transport.html2026-06-16T08:00:00Z

Under eIDAS a qualified electronic signature has the same legal effect as a handwritten one. For transport documents such as the eCMR it secures signing, origin and integrity across the EU.

https://trusq.io/en/netherlands-cybersecurity-act-nis2.html2026-06-16T08:00:00Z

The Cybersecurity Act transposes NIS2 into Dutch law: a duty of care, a reporting duty and management liability. The bill is still pending and is expected to enter into force later than the EU deadline.

https://trusq.io/en/gpai-code-of-practice.html2026-06-16T08:00:00Z

The GPAI Code of Practice is a voluntary instrument (Art. 56 AI Act) that lets providers of GPAI models demonstrate compliance with their duties under Arts 53 and 55. Three chapters: transparency, copyright, safety and security.

https://trusq.io/en/ai-act-regulatory-sandboxes-en.html2026-06-16T08:00:00Z

Yes. By 2 August 2026 at the latest every Member State must offer at least one AI regulatory sandbox: a controlled environment to develop and test innovative AI under supervision, with guidance. It does not exempt you from liability.

https://trusq.io/en/ai-act-deployer-becomes-provider-art25.html2026-06-16T08:00:00Z

You become the provider once you put your name or brand on a high-risk system, make a substantial modification, or change its intended purpose so it becomes high-risk. The heavier provider obligations then apply.

https://trusq.io/en/ai-act-serious-incident-reporting-art73.html2026-06-16T08:00:00Z

Providers of high-risk AI must report serious incidents to the market surveillance authority: without undue delay and within 15 days at most, shorter (2-10 days) in case of death or a widespread infringement.

https://trusq.io/en/combined-transport-directive.html2026-06-16T08:00:00Z

Combined transport (Directive 92/106/EEC) is intermodal transport where the main leg runs by rail, inland waterway or sea and only the initial and final legs by road. The road leg is exempt from cabotage and licensing restrictions.

https://trusq.io/en/weights-dimensions-directive.html2026-06-16T08:00:00Z

Directive 96/53/EC sets the limits: usually 40 tonnes (44 tonnes intermodal) and standard lengths. The proposed revision (COM(2023) 445) would allow more for zero-emission and EMS, but is not yet in force.

https://trusq.io/en/digital-driving-licence-directive.html2026-06-16T08:00:00Z

The EU is revising its driving licence directive to add a digital licence on your phone alongside the physical one. A provisional political agreement (2024-2025) still needs formal adoption and transposition.

https://trusq.io/en/euro7-emission-standard-road.html2026-06-16T08:00:00Z

Euro 7 (Regulation (EU) 2024/1257) succeeds Euro 6/VI and sets limits on exhaust and non-exhaust emissions (brake and tyre wear) plus battery durability. Application dates differ per vehicle category.

https://trusq.io/en/fria-fundamental-rights-art27.html2026-06-16T08:00:00Z

If you deploy high-risk AI as a public body, a provider of public services, or for creditworthiness or life- and health-insurance pricing, Art. 27 AI Act requires a fundamental-rights impact assessment (FRIA) before use.

https://trusq.io/en/conformity-assessment-ce-high-risk.html2026-06-16T08:00:00Z

Before placing a high-risk AI system on the market you run a conformity assessment (Art. 43), draw up technical documentation, issue an EU declaration, affix the CE marking and register in the EU database.

https://trusq.io/en/countemissions-eu-co2-transport-services.html2026-06-16T08:00:00Z

CountEmissions EU is a Commission proposal (COM(2023) 441) for a harmonised method to calculate CO2 from transport, based on ISO 14083. Not yet adopted. Voluntary, unless you publish emissions data.

https://trusq.io/en/ncts-phase5-transit.html2026-06-16T08:00:00Z

NCTS phase 5 renews the EU customs transit system: declarations are aligned with the Union Customs Code (UCC), with new data requirements and the registration of en route events. Deployment was set for 2 December 2024.

https://trusq.io/en/seaport-cybersecurity-nis2-cra.html2026-06-16T08:00:00Z

Seaports fall under NIS2 (Directive (EU) 2022/2555): risk-management measures, management accountability and incident reporting. The Cyber Resilience Act (Regulation (EU) 2024/2847) sets security requirements for digital products in port chains.

https://trusq.io/en/eudr-deforestation-logistics.html2026-06-16T08:00:00Z

The EUDR (Regulation (EU) 2023/1115) bans placing seven commodities on the EU market — cattle, cocoa, coffee, palm oil, rubber, soy and wood — if they come from deforested land. It applies to large operators from 30 December 2026.

https://trusq.io/en/platform-work-directive-couriers.html2026-06-16T08:00:00Z

The Platform Work Directive (EU) 2024/2831 introduces a presumption of employment, limits automated management and requires human oversight. Member States must transpose it by 2 December 2026.

https://trusq.io/en/dora-nis2-overlap.html2026-06-16T08:00:00Z

A logistics organisation generally falls under NIS2 (transport is an essential sector), not DORA. DORA applies to financial entities. If you are both, DORA takes precedence as lex specialis.

https://trusq.io/en/nis2-registration-duty.html2026-06-16T08:00:00Z

Often yes: Member States must set up a registration mechanism, and certain entities (such as DNS, cloud and data-centre providers) register directly. The how and with which authority is set by national law. Here is how to approach it.

https://trusq.io/en/eu-data-governance-act-logistics.html2026-06-16T08:00:00Z

The Data Governance Act (Regulation (EU) 2022/868) builds trusted frameworks for data sharing: recognised data intermediaries, re-use of public-sector data and data altruism. For logistics it lowers the threshold to share supply-chain data safely.

https://trusq.io/en/csrd-voluntary-vsme.html2026-06-16T08:00:00Z

The CSRD requires large companies to report on sustainability. For non-listed SMEs, EFRAG issued the voluntary VSME standard, intended to keep sustainability data requests from the value chain manageable and consistent.

https://trusq.io/en/ai-act-system-inventory.html2026-06-16T08:00:00Z

Inventorying starts with classification: for each AI system, determine whether it is prohibited, high-risk, limited-risk or minimal-risk under Article 6 and Annexes I and III. Then map each system to its role and obligations.

https://trusq.io/en/ai-procuring-gpai-deployer-duties.html2026-06-16T08:00:00Z

The heaviest GPAI duties fall on the provider, not on you. As a deployer your obligations centre on AI literacy (Article 4), transparency (Article 50) and — for high-risk use — the deployer duties in Article 26.

https://trusq.io/en/eu-customs-reform-2028.html2026-06-16T08:00:00Z

In 2023 the Commission proposed the largest customs reform since the customs union: an EU Customs Authority and a central EU Customs Data Hub. The proposal is still in the legislative process; the first Data Hub functions are envisaged towards 2028.

https://trusq.io/en/ai-act-fines-enforcement.html2026-06-16T08:00:00Z

The AI Act has tiered fines: up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices. Enforcement runs through national market surveillance authorities; the AI Office oversees general-purpose AI models.

https://trusq.io/en/data-act-leasing-vehicle-data.html2026-06-16T08:00:00Z

Under the Data Act, the user is whoever owns, rents or leases the connected product. For a leased vehicle this is typically the lessee who actually uses the vehicle, not the leasing company.

https://trusq.io/en/ai-cargo-vision-surveillance.html2026-06-16T08:00:00Z

Camera-based cargo recognition is usually allowed if AI literacy and privacy rules are met. Facial or emotion recognition and biometric identification fall into the prohibited or high-risk categories of the AI Act.

https://trusq.io/en/ai-chatbot-transparency-art50.html2026-06-16T08:00:00Z

If you use an AI chatbot for customer contact, Article 50 of the AI Act requires that the customer knows (or can reasonably know) they are talking to AI. No conformity assessment, but a clear disclosure.

https://trusq.io/en/ai-dynamic-pricing-freight.html2026-06-16T08:00:00Z

AI that sets freight prices dynamically is not as such on the AI Act's high-risk list. AI literacy and transparency duties do apply, and the classification can shift where there are effects on individuals.

https://trusq.io/en/ai-predictive-maintenance-fleet.html2026-06-16T08:00:00Z

Predictive-maintenance AI predicts servicing from sensor data and is usually not high-risk under the AI Act — it does not decide about people. AI literacy (Art. 4) still applies; as a safety component of a regulated vehicle it can be high-risk.

https://trusq.io/en/switzerland-ai-regulation.html2026-06-16T08:00:00Z

Switzerland has no overarching AI law. It takes a sectoral approach, is ratifying the Council of Europe Convention on AI (signed 27 March 2025), and is preparing a consultation bill expected by the end of 2026.

https://trusq.io/en/brazil-ai-law.html2026-06-16T08:00:00Z

With bill PL 2338/2023 Brazil opts for a horizontal, risk-based framework on the EU model. The Senate adopted the text on 10 December 2024; since March 2025 it has been before the Chamber of Deputies and is therefore not yet in force.

https://trusq.io/en/japan-ai-regulation.html2026-06-16T08:00:00Z

With the AI Promotion Act (2025) Japan chose a promotion-first, innovation-led approach: a framework law with no prohibitions, fines or conformity assessment, resting on coordination, an AI Basic Plan and non-binding METI guidelines.

https://trusq.io/en/air-cargo-eu-regulation.html2026-06-16T08:00:00Z

For air cargo, EU aviation security (Regulation (EU) 2015/1998) weighs heaviest: it governs the secure supply chain through regulated agent, known consignor and ACC3. ICS2 adds an obligation to file advance cargo data with customs.

https://trusq.io/en/customs-digitalisation-carriers.html2026-06-16T08:00:00Z

The EU is digitalising customs processes through the Union Customs Code, ICS2 for advance security data and eFTI for electronic freight information. Carriers face digital declarations, data exchange and phased obligations.

https://trusq.io/en/reefer-cold-chain-regulation.html2026-06-16T08:00:00Z

Two EU regimes affect reefer transport: the F-gas Regulation (EU) 2024/573 restricts the refrigerants in your units, and the Data Act (EU) 2023/2854 gives you access to the telematics and sensor data those units generate.

https://trusq.io/en/ics2-import-security-transport.html2026-06-16T08:00:00Z

ICS2 is the EU system for advance cargo safety and security data before goods enter the Union. Carriers and other parties file the Entry Summary Declaration (ENS) in advance so customs can assess risk before arrival.

https://trusq.io/en/cra-iot-procurement-requirements.html2026-06-16T08:00:00Z

Require CE marking, a completed conformity assessment, a secure-by-default configuration and security updates throughout the support period. Fix these and the incident reporting duty in your contracts before full application on 11 December 2027.

https://trusq.io/en/nis2-supply-chain-supplier-measures.html2026-06-16T08:00:00Z

NIS2 requires in-scope organisations to manage supply-chain risk. As a supplier you usually do not fall under the law yourself, but your client may pass requirements on by contract; refusing can mean losing the contract.

https://trusq.io/en/ai-demand-forecasting-planning.html2026-06-16T08:00:00Z

AI for demand forecasting falls under the AI Act, but is usually not a high-risk system. If the same planning drives decisions about staff, Annex III may apply. Function and impact are decisive.

https://trusq.io/en/nis2-board-accountability.html2026-06-16T08:00:00Z

Under NIS2 the management body must approve the cybersecurity measures, oversee their implementation, undergo mandatory training, and can be held liable for breaches of these duties.

https://trusq.io/en/australia-ai-approach.html2026-06-16T08:00:00Z

Australia does not regulate AI through a single horizontal law. The system rests on voluntary ethics principles, a voluntary safety standard and a proposal for mandatory guardrails for high-risk AI, alongside existing sectoral law.

https://trusq.io/en/ai-driver-monitoring-assistance.html2026-06-16T08:00:00Z

In-vehicle AI often falls under the product legislation in Annex I of the AI Act. Whether the high-risk rules apply depends on that sectoral type-approval law — not on Annex III.

https://trusq.io/en/ai-route-optimisation-ai-act.html2026-06-16T08:00:00Z

An AI that purely optimises routes or trips is usually not a high-risk system under the AI Act. If the same AI also drives task allocation or workers' performance, it does fall under Annex III. AI literacy already applies now.

https://trusq.io/en/ai-recruitment-logistics.html2026-06-16T08:00:00Z

Yes. AI systems used in logistics for recruiting and selecting staff fall under Annex III of the AI Act and count as high-risk. The heaviest duties apply in phases; AI literacy already applies now.

https://trusq.io/en/uk-regulating-for-growth-bill.html2026-06-16T08:00:00Z

In the King's Speech of 13 May 2026 the UK chose its AI legislative vehicle — and it is a pro-innovation growth bill, not an AI Act. Cross-cutting AI sandboxes, a strengthened growth duty and ministerial strategic steers, with no frontier safety duties.

https://trusq.io/en/norway-ai-act-eea.html2026-06-16T08:00:00Z

Norway is not in the EU but, as an EEA EFTA state, must adopt the AI Act in its own law. The bill (KI-loven), in consultation from 30 June 2025, incorporates the Regulation through the EEA Agreement; entry into force is targeted for late summer 2026, slowed by EEA-adaptation talks.

https://trusq.io/en/nist-ai-risk-management-framework.html2026-06-15T08:00:00Z

The NIST AI Risk Management Framework is the voluntary US standard for AI risk and the global reference beside the EU AI Act. In 2026 NIST is making it operational — SP 800-53 security-control overlays, a critical-infrastructure profile and a revision of the 2023 framework.

https://trusq.io/en/new-york-raise-act.html2026-06-15T08:00:00Z

New York's RAISE Act, finalised on 27 March 2026 (effective 2027), makes the state the second after California to regulate frontier-AI developers: published safety protocols, 72-hour incident reporting and DFS oversight, on California's 10²⁶ compute threshold.

https://trusq.io/en/nis2-cybersecurity-transport.html2026-06-16T08:00:00Z

Transport is an essential sector under NIS2 (Directive (EU) 2022/2555). Medium and large entities must take risk-management measures, report incidents quickly and place cybersecurity at board level. NL: the Cyberbeveiligingswet (NIS2) takes effect 1 July 2026.

https://trusq.io/en/does-nis2-apply-to-me.html2026-06-16T08:00:00Z

Transport is an essential sector under NIS2, so the question is mainly your size. Medium and large companies (from ~50 employees) are generally in scope; micro and small usually are not. National transposition sets the details. Here's how to check.

https://trusq.io/en/is-efti-mandatory.html2026-06-14T08:00:00Z

eFTI does not force you to go digital, but it requires authorities to accept electronic freight information from 9 July 2027. Paper is still allowed, but digital-first becomes the norm. What that means in practice for carriers, forwarders and shippers.

https://trusq.io/en/data-act-cloud-switching.html2026-06-14T08:00:00Z

Yes. The Data Act (Regulation (EU) 2023/2854), applicable since 12 September 2025, makes switching between cloud and data-processing services easier through mandatory switching support and a ban on unfair contract terms.

https://trusq.io/en/eidas-and-ecmr.html2026-06-14T08:00:00Z

eIDAS 2.0 provides the trust layer beneath digital freight documents: with the EU Digital Identity Wallet, qualified e-signatures and verifiable credentials, an eCMR can be reliably signed and verified across borders.

https://trusq.io/en/cra-telematics-hardware.html2026-06-14T08:00:00Z

Yes. Telematics, trackers and IoT devices are products with digital elements and fall under the Cyber Resilience Act (Regulation (EU) 2024/2847). Full application applies from 11 December 2027.

https://trusq.io/en/ai-act-driver-monitoring.html2026-06-14T08:00:00Z

Partly. Emotion recognition in the workplace is banned under the AI Act. AI for scheduling, planning or recruitment is high-risk with strict duties. Other monitoring is allowed if AI literacy and privacy rules are met.

https://trusq.io/en/ai-act-literacy-what-to-do.html2026-06-14T08:00:00Z

Since 2 Feb 2025, anyone deploying AI must ensure a sufficient level of AI literacy (Art. 4 AI Act). In transport and logistics this means giving staff who work with AI systems enough knowledge and understanding of their use and risks.

https://trusq.io/en/mobility-data-space-join.html2026-06-14T08:00:00Z

Participation is voluntary, not a legal duty like the Data Act or eFTI. Even so, joining early is strategic: it shapes your future data position and interoperability within the transport and logistics sector.

https://trusq.io/en/emswe-vs-port-community-system-en.html2026-06-14T08:00:00Z

EMSWe is the legal European framework for reporting formalities around a port call through a single national single window. A port community system is a local, commercial port platform — not a statutory single window.

https://trusq.io/en/data-act-enforcement-penalties.html2026-06-14T08:00:00Z

The Data Act applies since 12 Sep 2025. Non-compliance risks civil claims, contract terms that are not binding, and GDPR enforcement where personal data is involved. From 12 Sep 2026 the design obligation applies.

https://trusq.io/en/ets2-contracts.html2026-06-14T08:00:00Z

ETS2 prices road-transport fuel upstream at suppliers; costs feed into the pump price. In contracts, arrange a pass-through/indexation clause, fuel-consumption data sharing and renegotiation points ahead of the 2028 start.

https://trusq.io/en/emswe-what-to-report.html2026-06-14T08:00:00Z

You report all reporting formalities around a port call via the national single window (MNSW). Thanks to the once-only principle you submit the same data only once. EMSWe has applied since 15 August 2025.

https://trusq.io/en/data-act-data-holder-user.html2026-06-14T08:00:00Z

The user is the owner, renter or lessee of a connected product; the data holder is the party that has access to the data from that product and the related service. What this distinction means for transport and logistics.

https://trusq.io/en/csrd-chain-requests.html2026-06-14T08:00:00Z

After the 2026 Omnibus, almost all transport and logistics firms fall outside the direct CSRD duty, yet large clients, banks and insurers still request ESG and CO2 data through the supply chain.

https://trusq.io/en/fueleu-onshore-power.html2026-06-14T08:00:00Z

FuelEU Maritime requires ships above 5,000 GT calling at EU ports to use on-shore power (OPS) or zero-emission technology at berth. The regulation has applied since 1 January 2025, regardless of flag.

https://trusq.io/en/cbam-50-tonne-exemption.html2026-06-14T08:00:00Z

The CBAM exemption applies if you import less than 50 tonnes of CBAM goods (iron/steel, aluminium, cement, fertiliser, hydrogen) per year. Above that you need declarant status and must buy CBAM certificates.

https://trusq.io/en/tachograph-which-deadline.html2026-06-14T08:00:00Z

The deadline depends on your current device: analogue/first-generation digital had to be retrofitted by end 2024 (learning phase until 28 Feb 2025), ST1 to ST2 by 18 Aug 2025, and vans of 2.5-3.5 tonnes in international transport from 1 July 2026.

https://trusq.io/en/fueleu-does-my-ship.html2026-06-14T08:00:00Z

FuelEU Maritime (Regulation (EU) 2023/1805) has applied since 1 January 2025 to ships above 5,000 GT calling at EU ports, regardless of flag. What matters is the tonnage and the EU port call, not the ship's nationality.

https://trusq.io/en/tachograph-van.html2026-06-14T08:00:00Z

Yes, but only from 1 July 2026 and only for vans of 2.5 to 3.5 tonnes used for international transport. The required device is the second-generation smart tachograph (ST2) under the Mobility Package.

https://trusq.io/en/efti-data-set.html2026-06-14T08:00:00Z

The common eFTI data set is the EU-standardised collection of data fields for statutory freight information, detailed through implementing acts. It lets authorities accept electronic freight data uniformly from 9 July 2027.

https://trusq.io/en/ai-act-planning-algorithm-high-risk.html2026-06-14T08:00:00Z

Software that drives rosters, trip planning or recruitment falls under Annex III of the AI Act and counts as high-risk. The heaviest duties apply from 2 Dec 2027; AI literacy already applies now.

https://trusq.io/en/cbam-which-goods.html2026-06-14T08:00:00Z

CBAM applies to imports of iron/steel, aluminium, cement, fertilisers, electricity and hydrogen. Importers below 50 tonnes per year are exempt under the Omnibus de-minimis rule.

https://trusq.io/en/cbam-become-declarant.html2026-06-14T08:00:00Z

Importers of CBAM goods have needed authorised CBAM declarant status since 1 January 2026. The application was due by 31 March 2026; you then buy certificates and file an annual declaration.

https://trusq.io/en/cra-deadlines-en.html2026-06-14T08:00:00Z

The CRA (Regulation (EU) 2024/2847) entered into force on 12 November 2024. Key dates: notification of conformity bodies 11 June 2026, reporting obligation 11 September 2026, full application 11 December 2027.

https://trusq.io/en/data-act-vs-gdpr.html2026-06-14T08:00:00Z

If your connected product's data contains personal data, the Data Act and the GDPR apply side by side. The Data Act governs access and sharing; the GDPR governs the lawful basis and protection of personal data.

https://trusq.io/en/tachograph-what-records.html2026-06-14T08:00:00Z

The second-generation smart tachograph (ST2) records driving and rest times plus, new under the Mobility Package, automatic border crossings and loading/unloading events via satellite positioning.

https://trusq.io/en/eidas-wallet-business.html2026-06-14T08:00:00Z

The EU Digital Identity Wallet is a government-recognised digital wallet under eIDAS 2.0 (Regulation (EU) 2024/1183). Member States must offer it to businesses by end 2026. It enables cross-border identification, e-signatures and verifiable credentials.

https://trusq.io/en/cra-supplier-requirements.html2026-06-14T08:00:00Z

Require suppliers of trackers, telematics and IoT to provide proof of CE marking, conformity assessment, secure-by-default configuration and update guarantees. Fix reporting duties and liability in your contracts before full application on 11 December 2027.

https://trusq.io/en/eu-deadlines-2027-logistics.html2026-06-14T08:00:00Z

In 2027 three EU deadlines apply to transport and logistics: the eFTI acceptance duty (9 July), the AI Act high-risk Annex III obligations (2 December) and the Cyber Resilience Act (11 December). ETS2 follows in 2028.

https://trusq.io/en/ai-act-warehouse-robot-machinery.html2026-06-14T08:00:00Z

Yes, often both. An AI-driven warehouse robot can be a safety component under the Machinery Regulation (EU) 2023/1230 and fall under the AI Act. Moreover, AI literacy (art. 4) applies to everyone who deploys AI.

https://trusq.io/en/ppwr-reusable-transport-packaging.html2026-06-14T08:00:00Z

Under the PPWR (Regulation (EU) 2025/40), transport packaging faces new rules: from 12 Aug 2026 e-commerce parcels may hold max 40% empty space, void space drops to 50% from 2030, plus reuse targets. It applies directly, with no national transposition.

https://trusq.io/en/efti-dangerous-goods.html2026-06-14T08:00:00Z

Under eFTI (Regulation (EU) 2020/1056), ADR freight information is also covered. From 9 July 2027, authorities must accept it electronically via certified platforms. Paper remains allowed. What this means for transporting dangerous goods.

https://trusq.io/en/emswe-once-only-agents.html2026-06-14T08:00:00Z

For ship agents, once-only means you submit the same data around a port call only once, via the national single window (MNSW). EMSWe has applied since 15 August 2025.

https://trusq.io/en/ppwr-when-applies.html2026-06-14T08:00:00Z

The PPWR (Regulation (EU) 2025/40) entered into force on 11 February 2025 and applies from 12 August 2026. From then, empty space in e-commerce parcels is capped at 40%; void space in transport packaging must stay below 50% from 2030.

https://trusq.io/en/cbam-does-my-import-qualify.html2026-06-14T08:00:00Z

CBAM covers imports of iron/steel, aluminium, cement, fertilisers, electricity and hydrogen. Above 50 tonnes a year you need declarant status; below that you are exempt.

https://trusq.io/en/ets2-when-start.html2026-06-14T08:00:00Z

ETS2 has been postponed to 2028 (originally 2027). Monitoring and reporting are already running. The system prices road-transport and building fuels upstream at the fuel supplier.

https://trusq.io/en/data-act-telematics-vehicle-data.html2026-06-14T08:00:00Z

Yes. Data generated by your trucks, on-board units and sensors falls under the Data Act's connected-product rules. As a user you have a right of access — and can have that data shared with a third party. What that means for your fleet.

https://trusq.io/en/ets2-diesel-cost.html2026-06-14T08:00:00Z

From 2028 ETS2 prices road-transport fuel upstream at suppliers, who pass the cost on at the pump. The exact rise per litre is not fixed and depends on the market price per tonne of CO2.

https://trusq.io/en/fueleu-vs-ets-shipping.html2026-06-14T08:00:00Z

FuelEU Maritime steers the fuel — a falling greenhouse gas intensity (well-to-wake) from 2% in 2025 to 80% in 2050. The EU ETS for shipping instead prices emissions (tank-to-wake CO2) via allowances. Two separate regimes that complement each other.

https://trusq.io/en/csrd-still-report.html2026-06-14T08:00:00Z

Probably not directly. The Omnibus narrowed the CSRD scope by about 90%: only EU companies with >5,000 employees and >EUR 1.5bn turnover are still in scope. Even so, large clients, banks and insurers often still request ESG data through the supply chain.

https://trusq.io/en/ppwr-40-percent-rule.html2026-06-14T08:00:00Z

The PPWR 40% rule (Regulation (EU) 2025/40) limits the empty space in an e-commerce parcel to a maximum of 40% from 12 August 2026. As a regulation it applies directly, without national transposition.

https://trusq.io/en/efti-which-documents.html2026-06-14T08:00:00Z

eFTI covers the legally required freight information that travels with a shipment: the consignment note, dangerous-goods data (ADR), waste-shipment documents and permits. Authorities must accept these electronically from 9 July 2027.

https://trusq.io/en/data-act-or-efti.html2026-06-14T08:00:00Z

Short: these are two different data flows. The Data Act covers data from connected products (vehicle, sensor, machine data); eFTI covers submitting statutory freight documents to authorities electronically. Both can apply to you at once.

https://trusq.io/en/nis2-measures-checklist.html2026-06-14T08:00:00Z

NIS2 requires appropriate risk-management measures — from risk analysis, backups and supply-chain security to access control, training and encryption — plus board accountability. A practical checklist for transport and logistics.

https://trusq.io/en/nis2-incident-reporting-24-72.html2026-06-14T08:00:00Z

For a significant incident, NIS2 sets tight deadlines: an early warning within 24 hours, a formal notification within 72 hours and a final report within a month — to the national authority/CSIRT. What counts as significant, and how to set yourself up for it.

https://trusq.io/en/efti-vs-ecmr-difference.html2026-06-14T08:00:00Z

In short: the eCMR is one digital document (the electronic consignment note); eFTI is the broader EU framework for all statutory freight information that authorities must accept electronically. They complement each other. What that distinction means for your digitisation plan.

https://trusq.io/en/efti-certified-platform.html2026-06-14T08:00:00Z

eFTI data must be exchanged via certified platforms and service providers. If you want to benefit from the authorities' acceptance duty, you submit electronic freight information through such a platform. What certification means and how to choose.

https://trusq.io/en/data-act-sharing-data-third-parties.html2026-06-14T08:00:00Z

At the user's request, the data holder must make data available to a third party of choice — in a common, machine-readable format and on fair (FRAND) terms. What that means and how to set yourself up for it in transport and logistics.

https://trusq.io/en/data-act-contracts-to-review.html2026-06-14T08:00:00Z

The Data Act bans unfair data clauses and requires fair (FRAND) sharing terms. Review your data, supply, lease and platform contracts for terms that unilaterally block or overprice access or transfer. A practical checklist for transport and logistics.

https://trusq.io/en/india-ai-governance-guidelines.html2026-06-14T08:00:00Z

On 15 February 2026 India's MeitY released its AI Governance Guidelines — a principle-based framework on seven 'sutras'. The defining choice is what it declines: not a new horizontal AI law, but a bet on existing statutes, new institutions and an innovation-first posture.

https://trusq.io/en/ppwr-packaging-logistics.html2026-06-14T08:00:00Z

The Packaging and Packaging Waste Regulation (PPWR, Regulation (EU) 2025/40) applies from 12 August 2026: stricter packaging requirements, a cap on empty space in e-commerce parcels (max 40%) and reuse targets for transport packaging. What that means for logistics and fulfilment.

https://trusq.io/en/cbam-carbon-border-import.html2026-06-14T08:00:00Z

Since 1 January 2026 the definitive CBAM regime (Regulation (EU) 2023/956) applies: importers of steel, aluminium, cement, fertilisers and more must become an 'authorised CBAM declarant' and buy certificates for embedded CO₂. What that means for import and chain logistics.

https://trusq.io/en/eidas-2-digital-identity-wallet.html2026-06-14T08:00:00Z

eIDAS 2.0 (Regulation (EU) 2024/1183) requires Member States to offer an EU Digital Identity Wallet to citizens and businesses by the end of 2026; large platforms must accept it from late 2027. What that means for digital freight documents and B2B trust.

https://trusq.io/en/csrd-sustainability-reporting-transport.html2026-06-14T08:00:00Z

The Omnibus (published February 2026) cuts the CSRD scope by around 90%: only EU companies with more than 5,000 employees and more than €1.5bn turnover remain in scope. 'Stop the clock' delayed deadlines by two years. What that means for transport and logistics.

https://trusq.io/en/ets2-carbon-pricing-road-transport.html2026-06-14T08:00:00Z

ETS2 brings carbon pricing to fuels for road transport and buildings — fuel suppliers must surrender allowances. It starts in 2028 (delayed from 2027), with monitoring already under way. This feeds through into the diesel price, and therefore into freight rates.

https://trusq.io/en/smart-tachograph-mobility-package.html2026-06-14T08:00:00Z

The Mobility Package (Regulation (EU) 2020/1054) requires trucks in international transport to fit the second-generation smart tachograph. Older vehicles had to switch by end 2024; ST1 follows on 18 August 2025, vans 2.5–3.5 t from July 2026. The deadlines at a glance.

https://trusq.io/en/transport-logistics-eu-deadlines.html2026-06-14T08:00:00Z

Data Act, eFTI, EMSWe, AI Act, NIS2, CRA and FuelEU Maritime — the EU deadlines affecting transport and logistics, in chronological order with a link to each file. From what already applies to what is coming in 2027.

https://trusq.io/en/fueleu-maritime-ets-shipping.html2026-06-14T08:00:00Z

Since 1 January 2025 FuelEU Maritime (Regulation (EU) 2023/1805) applies: ships above 5,000 GT calling at EU ports must cut the greenhouse-gas intensity of their energy — 2% in 2025, rising to 80% by 2050. Together with the EU ETS for shipping it puts a price on emissions.

https://trusq.io/en/ecmr-electronic-consignment-note.html2026-06-14T08:00:00Z

The eCMR is the digital consignment note with the same legal value as paper, based on the Additional Protocol to the CMR Convention (2008, in force 2011). More EU countries recognise it, and with eFTI the paper original disappears. What it means for road hauliers.

https://trusq.io/en/cyber-resilience-act-connected-products.html2026-06-14T08:00:00Z

The Cyber Resilience Act (Regulation (EU) 2024/2847) sets EU-wide security requirements for products with digital elements — from telematics to IoT sensors. Full application on 11 December 2027, reporting duties already from September 2026. What it means for transport and logistics.

https://trusq.io/en/mobility-data-space.html2026-06-14T08:00:00Z

The common European mobility data space unlocks fragmented transport and mobility data. Participation is voluntary for now — unlike the Data Act or eFTI — but your future data position and interoperability depend on it. State of play and what to prepare now.

https://trusq.io/en/emswe-maritime-single-window.html2026-06-14T08:00:00Z

Since 15 August 2025 the EMSWe Regulation (EU) 2019/1239 applies: reporting formalities around a port call run via a single national window, with a harmonised data set and the once-only principle. What that means for operators, agents and ports.

https://trusq.io/en/efti-electronic-freight-information.html2026-06-14T08:00:00Z

From 9 July 2027 all EU authorities must accept electronic freight transport information (eFTI), exchanged via certified platforms. What the eFTI Regulation (EU) 2020/1056 means for carriers, forwarders and shippers — and how to prepare now.

https://trusq.io/en/data-act-transport-logistics.html2026-06-14T08:00:00Z

The Data Act has applied since 12 September 2025 and affects anyone with connected vehicles, machines or sensors. It governs who can access the data they generate, enforces fair sharing terms, and makes switching between cloud services easier. What does that mean for transport and logistics?

https://trusq.io/en/vietnam-ai-law.html2026-06-14T08:00:00Z

On 1 March 2026 Vietnam's Law on Artificial Intelligence (134/2025/QH15) took effect — the first standalone, horizontal AI law in Southeast Asia. It borrows the EU's risk-based structure but binds from day one, while keeping an innovation-promotion layer of its own.

https://trusq.io/en/china-ai-regulation.html2026-06-13T08:00:00Z

On 1 January 2026 China's amended Cybersecurity Law took effect, adding an article that lifts AI into foundational legislation. But the new AI clause is promotional — China's binding AI rules stay sectoral, a third model beside the EU's and Korea's horizontal laws.

https://trusq.io/en/state-of-ai-regulation.html2026-06-13T08:00:00Z

One overview of where AI regulation stands in 2026: the phased AI Act, the shifts from the Digital Omnibus, the five regimes, and the international line from the Council of Europe to California and Korea — with links to the detail per topic.

https://trusq.io/en/code-of-practice-ai-content-marking.html2026-06-13T08:00:00Z

On 10 June 2026 the European Commission published the final Code of Practice on marking and labelling AI-generated content — the practical instrument under the Article 50 transparency duty, which formally applies from 2 August 2026.

https://trusq.io/en/california-frontier-ai-act.html2026-06-13T08:00:00Z

California's Transparency in Frontier Artificial Intelligence Act (SB 53) took effect on 1 January 2026. It requires the largest AI developers to publish a safety framework, report critical safety incidents and protect whistleblowers — the first US transparency law aimed squarely at frontier models.

https://trusq.io/en/digital-omnibus-file.html2026-06-28T08:00:00Z

The 7 May 2026 political agreement on the Digital Omnibus shifts the heaviest AI Act dates. On 16 June 2026 the European Parliament adopted the text (423-57-174); only the Council's adoption and Official Journal publication remain. What shifts, what stands, and what is still to be done.

https://trusq.io/en/prohibited-ai-practices.html2026-06-12T08:00:00Z

Since 2 February 2025 the AI Act bans eight categories of AI use outright — from manipulative techniques and social scoring to emotion recognition in the workplace. The fines are the highest in the regulation. Here is what is banned, for whom, and where the edges lie.

https://trusq.io/en/international-ai-governance.html2026-06-12T08:00:00Z

The AI Act is not the only framework that matters. The Council of Europe Convention, the OECD Principles, the NIST AI RMF and ISO/IEC 42001 form the international layer of AI governance. This analysis sorts out what legally binds, what sets norms, and what can be certified.

https://trusq.io/en/uk-ai-approach.html2026-06-16T08:00:00Z

The UK regulates AI without a horizontal statute — five non-binding principles applied by sector regulators. In 2026 that shifts: a statutory AI code arrives via data-protection law, and the government's chosen AI bill is a pro-innovation growth-and-sandbox vehicle, not a frontier statute.

https://trusq.io/en/us-state-ai-laws.html2026-06-15T08:00:00Z

Without a federal AI statute, American states regulate on their own. Texas' TRAIGA has applied since 2026; Colorado replaced its AI Act with a transparency law (SB 26-189, duties from 2027); California and New York regulate frontier models — while the White House moves to preempt state laws.

https://trusq.io/en/gpai-regime-en.html2026-06-12T08:00:00Z

Since 2 August 2025, providers of general-purpose AI models face their own rules, with extra requirements for systemic risk. With the July 2025 Code of Practice, the mandatory training-data template and the AI Office's enforcement powers from 2 August 2026, the regime is complete.

https://trusq.io/en/high-risk-obligations-overview.html2026-06-12T08:00:00Z

The high-risk regime is the centre of gravity of the AI Act. This overview explains the two classification routes (Annex I and Annex III), the obligations of providers and deployers, the filter provision of Article 6, and what the expected delay to December 2027 does and does not mean.

https://trusq.io/en/article-50-transparency.html2026-06-13T08:00:00Z

The transparency obligations of Article 50 touch nearly everyone deploying AI towards the public: chatbots disclose that they are AI, synthetic content is marked machine-readably, deepfakes are labelled. The accompanying marking code of practice was published in final form on 10 June 2026.

https://trusq.io/en/south-korea-ai-basic-act.html2026-06-12T08:00:00Z

On 22 January 2026 South Korea's AI Basic Act took effect — the world's second comprehensive AI law after the EU's, and the first in Asia. It regulates high-impact and generative AI with transparency and human-oversight duties, and reaches foreign providers above set thresholds.

https://trusq.io/en/ai-regulation-logistics-transport.html2026-06-12T08:00:00Z

Warehouse robots, planning algorithms, driver monitoring and traffic management — AI regulation reaches logistics and transport along four different routes, each with its own timeline. This file maps them, from the prohibition that already applies to the machinery requirements of 2027.

https://trusq.io/en/asia-pacific-ai-regulation.html2026-06-12T08:00:00Z

On 22 January 2026 two opposite regulatory models took effect in Asia-Pacific. South Korea enacted a binding, risk-based AI statute; Singapore launched a voluntary framework for agentic AI — systems that act on their own. The contrast maps the choice facing much of the world.

https://trusq.io/en/dutch-ai-risk-report-2026.html2026-06-12T08:00:00Z

The sixth AI & Algorithmic Risks Report Netherlands by the Dutch Data Protection Authority turns its AI impact barometer red. Three headlines: AI in recruitment is growing fast with major risks, transparency and explainability fall short, and preparation for the AI Act is lagging.

https://trusq.io/en/article-4-ai-literacy.html2026-06-11T08:00:00Z

Since 2 February 2025, providers and deployers must take measures to support the development of AI literacy in everyone who works with AI systems on their behalf. The norm is open, but not optional; from 2 August 2026 national supervisors can enforce it.

https://trusq.io/en/ai-act-timeline-of-obligations.html2026-06-11T08:00:00Z

The AI Act takes effect in stages between 2025 and 2028. This timeline sets out which obligations apply on which date, and marks which dates are shifted by the Digital Omnibus agreement of 7 May 2026 — and which expressly are not.

https://trusq.io/en/ai-act-dora-interplay.html2026-06-11T08:00:00Z

Financial institutions deploying AI fall under DORA (since January 2025) and the AI Act at the same time. This analysis maps where the frameworks meet, where the AI Act explicitly defers to financial services law, and where duplicate work looms.

https://trusq.io/en/primary-sources-guide.html2026-06-11T08:00:00Z

To follow AI regulation, reading three primary sources well beats thirty summaries. This guide organises the official repositories — European, Dutch and standardisation — and notes per source what to use it for and what to watch out for.

https://trusq.io/en/mas-mindforge-ai-toolkit-finance.html2026-03-20T08:00:00Z

On 20 March 2026 Singapore's MAS concluded phase two of Project MindForge with an AI Risk Management Toolkit for the financial sector, co-created with a 35-member industry consortium. Its Operationalisation Handbook precedes binding guidelines and spans generative and agentic AI.