Detailed mapping of Vellaveto features to European regulatory requirements.

Regulation (EU) 2024/1689 — effective August 2, 2026.

| Article | Requirement | Vellaveto Feature |
|---|---|---|
| Art 50(2) | Transparency: mark AI-generated output | VerdictExplanation with configurable verbosity injected into _meta |
| Art 10 | Data governance for training/validation | DataGovernanceRecord with classification, purpose, provenance, retention |
| Art 12 | Record-keeping and traceability | Tamper-evident audit: SHA-256 chains, Merkle proofs, Ed25519 checkpoints |
| Art 14 | Human oversight | RequireApproval verdict, human-in-the-loop workflow with timeout |
| Art 9 | Risk management system | Policy engine with risk scoring, ABAC, behavioral anomaly detection |

Italy's implementation of Directive (EU) 2022/2555 on cybersecurity.

| Requirement | Vellaveto Feature |
|---|---|
| Incident notification (24h pre-notifica, 72h notifica, 1M relazione) | Incident reporting templates and audit evidence export |
| Supply chain security | ETDI cryptographic tool verification, version pinning, attestation chains |
| Access control and identity management | ABAC, RBAC, NHI lifecycle, delegation chains, SSO (OIDC/SAML) |
| Continuous monitoring and logging | Real-time audit, SIEM export (CEF/syslog/webhook), anomaly detection |
| Risk assessment | Policy simulation, gap analysis (7 frameworks), compliance evidence |
| Business continuity | HA clustering, leader election, cross-transport smart fallback |

Regulation (EU) 2022/2554 on digital operational resilience for financial services.

| Chapter | Requirement | Vellaveto Feature |
|---|---|---|
| Ch II | ICT risk management framework | Policy engine, risk scoring, circuit breakers, behavioral monitoring |
| Ch III | ICT incident management | Structured audit events, incident workflow, automated classification |
| Ch V | ICT third-party risk | Supply chain verification, tool registry trust scoring, vendor attestation |

Automated access review reports with CC6 evidence generation. Trust services criteria mapped to Vellaveto controls. HTML and JSON report export.

AI management system controls mapped to policy engine features. Risk assessment, monitoring, and continuous improvement evidence.

All 10 risks mitigated: prompt injection (ASI01), tool poisoning (ASI02), insecure output (ASI03), rug pull (ASI04), memory poisoning (ASI05), and more.

38/38 CoSAI controls implemented. Adversa TOP 25: 25/25. 7-framework gap analysis with remediation guidance.

Our Compliance-as-a-Service offering provides auditor-ready evidence packages.