RTFCT
CIVITAS

EXPOSURE

Map your regulatory exposure.

Understand which AI regulations apply to your organization and when they take effect.

EXPOSURE ASSESSMENT

Which regulations apply to you?

AI coverage is not one-size-fits-all. Your exposure depends on your jurisdiction, industry, AI use cases, and system classifications. Use this assessment to understand your specific obligations.

JURISDICTION

Where your organization operates and where your users are located determines which AI laws apply.

KEY QUESTIONS

  • Do you operate in the European Union?
  • Do you have users or customers in the EU?
  • Do you operate in any US state with AI laws?
  • Do you have users or customers in any US state with AI laws?

COVERAGE IMPLICATIONS

  • EU AI Act applies to all AI system operators in the EU
  • EU AI Act applies to AI systems used by EU residents, regardless of operator location
  • State AI laws apply to organizations operating in those states
  • State AI laws may apply based on user location, not just operator location

INDUSTRY

Certain industries have additional AI coverage requirements beyond general regulations.

KEY QUESTIONS

  • Are you in healthcare?
  • Are you in legal services?
  • Are you in financial services?
  • Are you a government contractor?

COVERAGE IMPLICATIONS

  • HIPAA and other healthcare regulations add additional AI coverage requirements
  • ABA Rules and legal ethics requirements add additional AI coverage requirements
  • SEC, FINRA, DORA, and other financial regulations add additional AI coverage requirements
  • FedRAMP, EO 14110, and other government requirements add additional AI coverage requirements

AI USE CASES

Certain AI use cases are classified as high-risk and face stricter coverage requirements.

KEY QUESTIONS

  • Do you use AI for credit scoring or lending decisions?
  • Do you use AI for medical diagnosis or treatment recommendations?
  • Do you use AI for legal analysis or case strategy?
  • Do you use AI for hiring or employment decisions?

COVERAGE IMPLICATIONS

  • Credit scoring and lending AI may be classified as high-risk under EU AI Act and US regulations
  • Medical AI is classified as high-risk under EU AI Act Annex III
  • Legal AI may have special coverage requirements under ABA Rules
  • Employment AI may be classified as high-risk under EU AI Act and US regulations

AI SYSTEM CLASSIFICATION

How your AI systems are classified determines your coverage obligations.

KEY QUESTIONS

  • Do you develop or deploy high-risk AI systems?
  • Do you use third-party AI systems?
  • Do you modify or fine-tune AI systems?
  • Do you use general-purpose AI systems?

COVERAGE IMPLICATIONS

  • High-risk AI system operators have the most stringent coverage obligations
  • Users of high-risk AI systems have coverage obligations
  • Modifying AI systems may make you an operator with full coverage obligations
  • General-purpose AI systems may still be subject to transparency and disclosure requirements

REGULATORY TIMELINE

When do these regulations take effect?

AI coverage is not a future problem. It is happening now, in waves. Understanding the timeline is critical to understanding your urgency.

WAVE 1

AUGUST 2, 2026

EU AI Act Article 50 transparency enforcement begins. Chatbot identification and AI-generated content disclosure become mandatory.

AFFECTED ORGANIZATIONS

All organizations using AI systems accessible to EU users

URGENCY

IMMEDIATE

WAVE 2

JANUARY 1, 2027

US State AI Laws coverage. Colorado SB 24-205 and California CCPA Automated Decision-Making rules become enforceable.

AFFECTED ORGANIZATIONS

Organizations operating in Colorado and California using AI for automated decisions

URGENCY

HIGH

WAVE 3

DECEMBER 2, 2027

EU AI Act Annex III enforcement. Full high-risk operator obligations for AI systems in education, employment, essential services, and certain other categories.

AFFECTED ORGANIZATIONS

Operators of high-risk AI systems in EU and organizations serving EU users

URGENCY

HIGH

WAVE 4

AUGUST 2, 2028

EU AI Act Annex I enforcement. Full enforcement for safety-critical AI systems (medical devices, transportation, etc.).

AFFECTED ORGANIZATIONS

Operators of safety-critical AI systems in EU and organizations serving EU users

URGENCY

CRITICAL

EXPOSURE MATRIX

Your industry + jurisdiction = your exposure.

This matrix shows the coverage exposure for common industry and jurisdiction combinations. Find your cell to understand your likely obligations.

INDUSTRY / JURISDICTIONEUUSGLOBAL
HealthcareHIGH (EU AI Act + HIPAA-equivalent)HIGH (HIPAA + State AI laws)CRITICAL
LegalHIGH (EU AI Act + ABA-equivalent)HIGH (ABA Rules + State AI laws)CRITICAL
FinanceHIGH (EU AI Act + DORA)HIGH (SEC/FINRA + State AI laws)CRITICAL
GovernmentHIGH (EU AI Act + Public sector rules)HIGH (FedRAMP + EO 14110)CRITICAL
Enterprise (General)MEDIUM (EU AI Act transparency)MEDIUM (State AI laws)HIGH
EducationMEDIUM (EU AI Act)LOW-MEDIUM (State AI laws)MEDIUM
Retail/E-commerceLOW-MEDIUM (EU AI Act transparency)LOW (State AI laws)MEDIUM
Media/EntertainmentLOW (EU AI Act transparency)LOW (State AI laws)LOW-MEDIUM

Note: This matrix provides general guidance only. Your specific exposure may vary based on your exact use cases, system classifications, and other factors. Consult with legal counsel for a definitive assessment.

UNDERSTAND YOUR EXPOSURE

Knowledge is the first step. Action is the next.

Now that you understand your regulatory exposure, it is time to take action. The Interceptor provides structural coverage for all four waves of enforcement.

BEGIN ONBOARDING →