
Business Flows

Compliance

The regulations that shape process design — each broken into clause-level obligations with their risk, penalties and the controls that satisfy them, linked to the processes they govern.

EU Artificial Intelligence Act


EU/2024/1689 · European Union · effective 2024-08-01

Max penalty: EUR 35,000,000 or 7% of global annual turnover (prohibited practices)

5 obligations mapped to processes

Article 26 · HIGH

Obligations of deployers of high-risk AI systems

Article 5 · CRITICAL

Prohibited AI practices

Article 50 · MEDIUM

Transparency obligations for certain AI systems

Article 6 + Annex III · CRITICAL

High-risk AI system classification

Articles 9-15 · HIGH

Obligations for high-risk AI systems

General Data Protection Regulation (GDPR)


EU/2016/679 · European Union · effective 2018-05-25

Max penalty: EUR 20,000,000 or 4% of global annual turnover

9 obligations mapped to processes

Articles 13-14 · HIGH

Information to be provided to data subjects

Article 22 · CRITICAL

Automated individual decision-making, including profiling

Article 25 · HIGH

Data protection by design and by default

Article 28 · HIGH

Processor obligations and Data Processing Agreements

Article 32 · HIGH

Security of processing

Article 35 · CRITICAL

Data Protection Impact Assessment (DPIA)

Article 5 · CRITICAL

Principles relating to processing of personal data

Article 6 · CRITICAL

Lawfulness of processing

Article 83 · CRITICAL

General conditions for imposing administrative fines

GxP — EU Annex 11: Computerised Systems


EU/Annex11/2011 · EU + USA (FDA) · effective 2011-06-30

Max penalty: Manufacturing licence revocation; product recall; criminal prosecution

4 obligations mapped to processes

ALCOA+ / MHRA Data Integrity Guidance 2018 / FDA Data Integrity 2018 · CRITICAL

Data integrity — ALCOA+ principles

Annex 11 §4 · CRITICAL

Validation of computerised systems

Annex 11 §8 + 21 CFR Part 11.10(e) · CRITICAL

Audit trail and electronic records integrity

EU GMP Chapter 8 / ICH Q10 · HIGH

Deviation management and CAPA

ISO/IEC 27001:2022 Information Security Management


ISO/IEC 27001:2022 · International · effective 2022-10-25

3 obligations mapped to processes

Annex A — A.5.19 to A.5.23 · HIGH

Supplier relationships and cloud service security

Annex A — Controls A.5 to A.8 · HIGH

Organisational, people, physical and technological controls

Clause 6.1 · HIGH

Information security risk assessment and treatment

Sarbanes-Oxley Act (SOX)


US/107-204 · USA (applies to all SEC-listed companies globally) · effective 2002-07-30

Max penalty: Up to USD 5M fine + 20 years imprisonment for wilful violation (CEO/CFO)

3 obligations mapped to processes

SOX ITGC — Segregation of Duties · HIGH

Segregation of duties in financial processes

Section 302 · CRITICAL

CEO and CFO certification of financial statements

Section 404 · CRITICAL

Internal controls over financial reporting (ICFR)

See how each obligation maps to specific processes, with the key controls and BPM/AI relevance, in the Business Flows Assistant.