Complete taxonomy of the regulatory impact assessment ecosystem — from GDPR to AI Act, from cybersecurity to sustainability.
Regulatory impact assessments are organised in three levels: generic cross-cutting assessments applicable to any sector, regulation-specific assessments required by each European regulation, and sectoral assessments adapted to particular industries. This taxonomy enables organisations to quickly identify their obligations and select appropriate services.
Data Protection Impact Assessment, required by the GDPR (Article 35). Mandatory when processing is likely to result in a high risk to the rights and freedoms of natural persons.
GDPR Art. 35 Mandatory Since 2018
Specialised portal: aipd.pt →Fundamental Rights Impact Assessment, introduced by the AI Act (Article 27). Mandatory for deployers of high-risk AI systems that are public bodies or private entities providing public services. Deadline: August 2, 2026.
AI Act Art. 27 August 2026 Public Sector
Specialised portal: aidf.pt →Cybersecurity Impact Assessment, arising from the NIS2 Directive and DORA Regulation. Mandatory ICT risk assessments for essential entities, important entities and financial entities.
NIS2 DORA In force
Specialised portal: aics.pt →Regulatory Impact Assessment in the context of the EU Better Regulation programme and DL 44/2023 in Portugal (SME Test). Mandatory for legislative and regulatory acts.
DL 44/2023 Better Regulation Public Sector
Specialised portal: impactoregulatorio.pt →Environmental Impact Assessments (EIA), sustainability impact assessments (CSRD — double materiality), accessibility impact assessments (EAA) and other sector-specific assessments.
EIA CSRD Accessibility
| Category | Regulation | Mandatory since | Max penalty | Target audience |
|---|---|---|---|---|
| DPIA | GDPR Art. 35 | May 2018 | 4% turnover / EUR 20M | Data controllers |
| FRIA | AI Act Art. 27 | August 2026 | Up to EUR 35M / 7% | High-risk AI deployers |
| CSIA | NIS2 / DORA | 2024-2025 | Up to EUR 10M / 2% | Essential/financial entities |
| RIA | DL 44/2023 | 2023 | N/A (State obligation) | Legislature / Public sector |
| Cross-cutting | EIA, CSRD, EAA | Variable | Variable | By sector |
Request a free assessment to identify which impact assessments apply to your organisation.
Request a free assessment or ask us about regulatory impact assessments.