Regulatory Framework

Complete legal reference on European and national regulations requiring regulatory impact assessments.

European & National Regulations

GDPR — Articles 35 & 36

General Data Protection Regulation. Articles 35 (DPIA) and 36 (prior consultation) establish the obligation to assess the impact of high-risk processing.

Since 2018

AI Act — Article 27

Artificial Intelligence Act. Article 27 obliges deployers of high-risk AI systems to conduct a fundamental rights impact assessment (FRIA) before deployment. Deadline: August 2, 2026.

August 2026

NIS2 — Directive (EU) 2022/2555

Network and Information Security Directive. Requires cybersecurity risk assessments for essential and important entities.

Transposed 2024

DORA — Regulation (EU) 2022/2554

Digital Operational Resilience Act. Applicable to the financial sector. Requires ICT risk management and resilience testing.

January 2025

CSRD — Directive (EU) 2022/2464

Corporate Sustainability Reporting Directive. Requires double materiality assessment.

2024-2026

DL 44/2023 — RIA in Portugal

Decree-Law establishing the Regulatory Impact Assessment regime in Portugal, including the SME Test.

2023

Relevant International Standards

Standard    Scope                  Impact Assessment Relevance
ISO 27001   Information security   Reference framework for NIS2/DORA cybersecurity risk assessments
ISO 27701   Privacy management     ISO 27001 extension for GDPR; methodological support for DPIAs
ISO 42001   AI management          Framework for responsible AI management; FRIA support

Official Sources

For full legal texts, we recommend: EUR-Lex (EU legislation), Diário da República (Portuguese legislation), CNPD (Portuguese DPA) and EDPB (European Data Protection Board).

Consult a Specialist

Clarify your questions about the regulatory framework with our specialists.

Get in Touch

Request a free assessment or ask us about regulatory impact assessments.

The information presented is for informational purposes only and does not constitute legal or professional advice.