Disclaimer. This mapping is provided for orientation and procurement conversations only. It does not constitute legal advice and is not a substitute for an attested audit or certification. Article and control numbering reflect the most widely cited references and may be updated as the relevant standards evolve.
Capability-to-framework matrix
| Capability | EU AI Act | ISO/IEC 42001 | NIS2 | SOC 2 (CC) | GDPR |
|---|---|---|---|---|---|
| AI system inventory | Art. 16, 50, provider obligations | A.6.2.6, A.6.2.7 | Art. 21(2)(a), asset management | CC3.2, risk identification | Art. 30, record of processing |
| Risk classification & assessment | Art. 6, 9, risk management system | A.5, A.6.1 | Art. 21(2)(b) | CC3.3 | Art. 35, DPIA |
| Human oversight & approval | Art. 14 | A.9.2 | Art. 21(2)(d) | CC1.4, CC2.3 | Art. 22, automated decisions |
| Data governance | Art. 10 | A.7 | Art. 21(2)(e) | CC6.1, CC6.5 | Art. 5, 25, by design |
| Logging & audit trail | Art. 12, 13 | A.8.4 | Art. 21(2)(g) | CC7.2 | Art. 30, 32 |
| Vendor & sub-processor governance | Art. 25, 28 | A.10 | Art. 21(2)(j) | CC9.2 | Art. 28 |
| Incident reporting | Art. 73 | A.9.3 | Art. 23 | CC7.3, CC7.4 | Art. 33, 34 |
| Transparency & disclosure | Art. 13, 52 | A.8.2 | Not applicable | CC2.2 | Art. 13, 14 |
How customers use this
- Procurement & vendor review. Drop the matrix into your AI vendor assessment to show where Fideria covers obligations.
- Internal audit. Start from a capability you need evidence for and trace to the underlying control.
- Regulator dialogue. Use the matrix as a shared language between IT, Legal and the business.
What Fideria does not claim
- We do not certify your AI systems on your behalf.
- We do not replace your DPO, CISO, internal audit or legal counsel.
- We do not currently hold SOC 2 Type II or ISO 27001 certification; see the Security page for the current posture and roadmap.
Need a deeper mapping?
Request the extended control mapping (CSV).
Shared on request to qualified procurement and audit teams.