AI Regulatory Calendar
The obligations that turn AI into a sign-off problem.
Every regime below asks the same thing in a different language: show that your AI system is understood, controlled, and defensible. This is a reference to the regimes enterprises track — what each covers, and who it hits.
How to read this
Regimes, not deadlines
We organise by regime — scope and who it affects — because the obligation outlives any single date. Where we mention timing, we keep it qualitative and label it indicative.
The common test
Across every regime the underlying question is the same: can you produce the evidence that an AI-assisted decision was controlled and can be defended?
Confirm the source
Regulations change. Use this as a map of what to track, then verify specifics against the current official text before you act on them.
The regimes to track
EU AI Act
European Union (extraterritorial)
EU Artificial Intelligence Act
What it covers
- Classifies AI systems by risk: prohibited, high-risk, limited-risk, and minimal-risk.
- High-risk systems carry obligations for risk management, data governance, logging, human oversight, accuracy, and technical documentation.
- Adds transparency duties for general-purpose AI and for systems people interact with directly.
Who it affects
Providers and deployers placing AI on the EU market or affecting people in the EU — including credit decisioning, insurance, employment, biometric, and safety-critical use. The reach is extraterritorial: a non-EU enterprise serving EU users is in scope.
Timing
The Act phases obligations in over time — prohibitions first, then duties for general-purpose AI, then the full high-risk regime. Treat any specific date as indicative and confirm against the current official text before you rely on it.
India DPDP Act
India
Digital Personal Data Protection Act, 2023
What it covers
- Governs the processing of digital personal data: consent, purpose limitation, and the rights of data principals.
- Places duties on data fiduciaries for security, breach notification, and accountability.
- Where AI systems train on or process personal data, those duties follow the data into the model and its outputs.
Who it affects
Any enterprise processing the personal data of individuals in India — directly relevant to AI systems built on customer, employee, or transaction data. Significant data fiduciaries face heightened obligations.
Timing
The Act is enacted; operational obligations come into force as the rules are notified. Track the rule-making rather than assuming a fixed switch-on date.
RBI / SEBI / IRDAI
India · BFSI and insurance
Indian financial-sector regulators
What it covers
- RBI: model-risk, outsourcing, and IT-governance expectations that extend to AI used in credit, fraud, and customer-facing decisions.
- SEBI: conduct and disclosure expectations where AI touches markets, advisory, or surveillance.
- IRDAI: governance expectations for AI used in underwriting, pricing, and claims in insurance.
Who it affects
Banks, NBFCs, capital-markets participants, and insurers operating in India. The common thread: an examiner can ask you to justify an AI-assisted decision, and "the model is accurate" is not the answer they accept.
Timing
These are supervisory expectations applied on an ongoing basis, not a single dated deadline. Direction of travel: more scrutiny of model risk, explainability, and the evidence behind automated decisions.
FDA AI/ML · HIPAA · MDR
United States · European Union
Healthcare and medical-device regimes
What it covers
- FDA AI/ML guidance: a lifecycle approach to AI-enabled medical devices, including pre-specified change controls for models that learn.
- HIPAA: privacy and security of protected health information that AI systems process or generate.
- EU MDR: conformity and clinical-evidence requirements for software and AI that qualifies as a medical device.
Who it affects
Device makers, digital-health vendors, hospitals, and payers deploying AI in diagnosis, triage, imaging, or clinical workflows. Patient-safety stakes raise the evidentiary bar for sign-off.
Timing
These regimes evolve through guidance and updated frameworks rather than a one-off date. Check the current FDA guidance and MDR transition timelines directly — treat any date here as indicative.
GDPR
European Union (extraterritorial)
General Data Protection Regulation
What it covers
- Lawful basis, purpose limitation, and data-subject rights over personal data used to train and run AI.
- Article 22: rights relating to decisions based solely on automated processing, including profiling.
- Obligations for transparency, data-protection impact assessments, and accountability.
Who it affects
Any organisation processing the personal data of people in the EU. For AI, the pressure points are automated decision-making, profiling, and the ability to explain how a model reached an outcome about a person.
Timing
In force and actively enforced. The open questions are not "when" but "can you evidence lawful basis, explainability, and a human in the loop where the regulation requires one."
This list is a starting map, not an exhaustive register. Sector and territory may add obligations — confirm what applies to your stack before you rely on any single entry.
From calendar to evidence
A regime is only a problem if you can’t produce the proof.
Tracking the obligation is the easy half. The hard half is showing — for each AI system in production — that it was controlled and can be defended. That is what we build.
See how we turn these obligations into sign-off-ready evidence in AI Compliance & Evidence, and how the work fits together in how it works.
Map your AI against the regimes that apply to you.
Run a Snapshot to see which systems you can’t yet defend — before a regulator asks.