Regulatory mapping
For each framework, the Quvant artifact that produces verifiable proof. Designed to meet the requirements of DORA, the EU AI Act and NIS2.
Requirement → Quvant artifact
| Framework | Article | What it requires | How Quvant meets it |
|---|---|---|---|
| DORA (Reg. EU 2022/2554) | Art. 17 | Documented RCA with verifiable classification and follow-up | Evidence Pack with chain of evidence + Dissent Record |
| DORA (Reg. EU 2022/2554) | Art. 17 | Evidence available for Banca d'Italia / CONSOB / IVASS inspection | Exportable SHA-256 audit trail |
| EU AI Act (Reg. EU 2024/1689) | Art. 12 | Logging with sufficient traceability for high-risk AI systems | Immutable append-only log for every analysis |
| EU AI Act (Reg. EU 2024/1689) | Art. 14 | Human oversight with override capability | Automatic stop below the confidence threshold |
| NIS2 (Dir. EU 2022/2555) | Art. 23 | Notification and documentation of significant incidents | Evidence Pack structured for regulator notification |
| D.Lgs. 23/2025 | DORA transposition | Direct applicability to Italian operators from 17/01/2025 | Full coverage of national requirements |
By framework
DORA — Reg. EU 2022/2554
The Digital Operational Resilience Act mandates digital operational resilience and documented ICT incident management for EU financial entities.
Art. 17: classification, documentation and verifiable follow-up of every significant ICT incident.
Evidence Pack with chain of evidence and Dissent Record; exportable SHA-256 audit trail for Banca d'Italia / CONSOB / IVASS inspection.
EU AI Act — Reg. EU 2024/1689
The EU AI regulation sets traceability and human-oversight obligations for high-risk AI systems.
Art. 12: logging with sufficient traceability. Art. 14: human oversight with override capability.
Immutable append-only log for every analysis; automatic stop below the confidence threshold, with a documented rationale.
NIS2 — Dir. EU 2022/2555
The NIS2 directive extends cybersecurity and incident-notification obligations to a broad set of essential and important entities.
Art. 23: notification and documentation of significant incidents within the prescribed timelines.
Structured Evidence Pack, ready for regulator notification, with timeline and verifiable proof.
Quvant produces artifacts aligned with the cited requirements. This is neither legal advice nor a guarantee of compliance: adequacy against any specific obligation must be assessed with your legal and compliance team.