
Compliance Frameworks Overview

TruthVouch supports 55+ compliance frameworks spanning 22 jurisdictions. This page organizes frameworks by region and explains what each requires. Use it to understand which regulations apply to your organization and systems.

Framework Selection Guide

Not sure which frameworks apply to you? Answer these questions:


  1. Where do your users live? (Determines regional compliance rules)
  2. What industry are you in? (Finance, healthcare, education, SaaS, etc.)
  3. Are you pursuing certifications? (ISO 42001, SOC 2, etc.)
  4. Who are your customers? (US government buyers expect alignment with NIST AI RMF, which is voluntary but widely referenced in federal guidance; enterprise buyers expect a SOC 2 report, etc.)

Once you know, find the matching frameworks below and enable them in your compliance program.

Regional Frameworks

European Union & UK

Framework | Scope | Articles/Controls | Auto-Coverage | Notes
EU AI Act | High-risk AI systems | 37 articles | 100% | Mandatory if serving EU users; risk classification, documentation, incident reporting
GDPR | Personal data processing | 99 articles | 95% | Data protection, DPIAs, breach notification, data subject rights
UK AI Safety | Emerging AI regulation | 8 principles | 80% | Post-Brexit UK AI governance framework
UK GDPR | UK data protection | 99 articles | 95% | Similar to GDPR with UK-specific amendments

Read more: EU AI Act Deep Dive, GDPR Compliance

United States & Canada

Framework | Scope | Controls | Auto-Coverage | Notes
NIST AI RMF | AI Risk Management | 4 functions (Govern, Map, Measure, Manage) | 90% | Voluntary framework referenced in US federal guidance; widely adopted by enterprises
CCPA | California privacy | 6 categories | 85% | Consumer privacy rights; amended and expanded by the CPRA (in force since 2023)
AIDA | Canadian AI Act | 8 principles | 80% | Proposed in Bill C-27, not enacted; similar in approach to the EU AI Act
State AI Laws | Colorado, Utah, Florida | Various | 75% | Emerging state-level AI regulations

Read more: NIST AI RMF Guide

Global Standards (Any Jurisdiction)

Framework | Scope | Controls | Auto-Coverage | Notes
ISO 42001 | AI Management System | 38 Annex A controls | 100% | Certification available; growing enterprise adoption
SOC 2 Type II | Service Organization Controls | 5 Trust Services Criteria | 90% | Expected by most enterprise SaaS buyers; auditor-attested, not legally mandated
ISO 27001 | Information Security | 93 Annex A controls (114 in the 2013 edition) | 95% | Foundation for data security; complements AI frameworks
COBIT 2019 | IT Governance | 40 governance and management objectives | 80% | Enterprise governance; AI governance subset

Read more: ISO 42001 Guide, SOC 2 Guide

Healthcare & Life Sciences

Framework | Scope | Controls | Auto-Coverage | Notes
HIPAA | US healthcare privacy & security | 18 safeguards | 90% | Mandatory for healthcare organizations; PHI protection
FDA AI Guidance | AI/ML in medical devices | 6 areas | 85% | Pre-market and post-market requirements
HL7 FHIR | Healthcare data interoperability | 12 profiles | 80% | Standards for health data exchange

Read more: HIPAA Compliance

Finance & Insurance

Framework | Scope | Controls | Auto-Coverage | Notes
FINRA | US brokerage/investment AI | 8 rules | 85% | Algorithmic trading, robo-advice, market manipulation
Prudential Regulation | Insurance & banking | 12 controls | 80% | UK/EU banking supervision; AI governance requirements
FINMA | Swiss financial AI | 10 guidelines | 80% | Swiss banking regulation
Singapore MAS | Singapore financial AI | 8 guidelines | 85% | Monetary Authority of Singapore; growing focus

Read more: Finance & Insurance section

Privacy Laws (Global)

Framework | Scope | Controls | Auto-Coverage | Notes
LGPD | Brazil privacy | 10 principles | 85% | South America's GDPR equivalent
PDPA | Singapore privacy | 9 principles | 85% | Asia-Pacific privacy law
India DPDP | India data protection | 8 principles | 80% | India's new privacy framework (Digital Personal Data Protection Act, 2023)
South Korea PIPA | Korea personal information | 7 obligations | 80% | East Asia privacy regulation (Personal Information Protection Act; not to be confused with South Africa's POPIA)
Japan APPI | Japan privacy | 8 principles | 80% | Japan's privacy law with AI amendments
Australia Privacy Act | Australia privacy | 13 principles | 85% | Australian Privacy Principles; growing AI focus

Read more: Other Frameworks

Emerging Regulations

Framework | Scope | Status | Auto-Coverage | Notes
China CAC AI Rules | AI content moderation | Enacted 2023 | 75% | China's AI governance; content safety focus
Saudi Arabia SDAIA | AI governance | Draft 2024 | 70% | Middle East AI framework issued by the Saudi Data and AI Authority
UAE AI Strategy | AI governance | Guidance 2023 | 70% | United Arab Emirates AI principles

Framework Coverage by System Type

Generative AI (ChatGPT-like Systems)

Applies to: Chatbots, content generation, code assistants, summarization tools

Required Frameworks:

  • EU AI Act (transparency obligations for chatbots and generated content apply regardless of risk level; general-purpose AI model obligations apply to the model provider; high-risk rules apply only when the system is deployed in an Annex III use case)
  • GDPR (if processing EU personal data)
  • ISO 42001 (certification path)
  • NIST AI RMF (if US government customer)

Recommended:

  • SOC 2 (customer trust)
  • CCPA (US operations)

Recommendation Engines

Applies to: Product recommendations, job recommendations, loan approvals, content ranking

Required Frameworks:

  • EU AI Act (likely high-risk)
  • GDPR (data processing)
  • ISO 42001

Recommended:

  • NIST AI RMF
  • Domain-specific (FINRA for brokerage and robo-advice, fair-lending rules such as ECOA for credit decisions, HIPAA for health)

Computer Vision / Biometric Systems

Applies to: Facial recognition, identity verification, medical imaging, surveillance

Required Frameworks:

  • EU AI Act (very likely high-risk)
  • GDPR (biometric data)
  • ISO 42001

Recommended:

  • NIST AI RMF
  • HIPAA (if medical imaging)

Autonomous Decision-Making

Applies to: Credit decisions, hiring, benefits eligibility, content moderation

Required Frameworks:

  • EU AI Act (high-risk classification under Article 6 and Annex III; credit scoring, employment and access to essential public services are listed use cases)
  • GDPR (automated decision-making, Article 22)
  • ISO 42001
  • NIST AI RMF

Recommended:

  • CCPA (consumer rights)
  • Domain-specific (FINRA for finance, FDA for medical)

Framework Relationships

EU AI Act + GDPR

These overlap but serve different purposes:

  • EU AI Act — Focuses on AI system transparency, risk management, and testing
  • GDPR — Focuses on personal data processing, individual rights, and DPIAs

Example: A recommendation system for job openings

  • EU AI Act: Document system, perform bias testing, provide explanation to rejected candidates
  • GDPR: Conduct DPIA, document legal basis for processing, honor data subject access requests

NIST AI RMF + ISO 42001

Both define AI governance but with different structures:

  • NIST AI RMF — 4-function framework (Govern, Map, Measure, Manage); strategic
  • ISO 42001 — management-system requirements plus 38 Annex A controls; more prescriptive; certification-ready

Best practice: Map NIST functions to ISO 42001 controls. Most organizations adopt both for US government credibility + global certification.

SOC 2 + ISO 27001

  • SOC 2 — Attestation report against the AICPA Trust Services Criteria; issued by a CPA firm; widely expected by SaaS customers
  • ISO 27001 — Certifiable information security management system (ISMS); independent of SOC 2, but its Annex A controls overlap heavily with the Trust Services Criteria

Recommendation: Build the ISO 27001 ISMS first; the same policies, risk assessment and control evidence then carry most of a SOC 2 audit with little additional work.

How to Decide Which Frameworks Apply

Step 1: Map Your Operations

Fill in this table:

Question | Answer | Implies
Do you have EU users? | Yes/No | EU AI Act + GDPR required
Do you process health data? | Yes/No | HIPAA (US) or local health-data confidentiality rules
Are you SaaS? | Yes/No | SOC 2 recommended
Do you have government customers? | Yes/No | NIST AI RMF alignment expected (voluntary framework, but commonly referenced in procurement)
Do you pursue ISO certification? | Yes/No | ISO 42001 required
Are you in finance? | Yes/No | FINRA, Prudential, or equivalent
Do you operate in specific regions? | [List] | Regional privacy laws (CCPA, LGPD, etc.)

Step 2: Enable Frameworks in TruthVouch

  1. Go to Compliance > Frameworks
  2. Check frameworks that match your profile
  3. Click Save
  4. Compliance AI maps all your registered AI systems to framework requirements

Step 3: Run a Scan

  1. Go to Scans > New Scan
  2. Select the frameworks you just enabled
  3. Click Start Scan

See which controls you’re passing and which gaps to remediate.

Framework Implementation Timeline

When starting a compliance program, prioritize frameworks by deadline and impact:

Immediate (0-3 months):

  • EU AI Act (if serving EU)
  • GDPR (if processing EU data)
  • ISO 42001 (certification path)

Short-term (3-6 months):

  • NIST AI RMF (if US government customer)
  • SOC 2 (if SaaS)
  • Domain-specific (HIPAA, FINRA, etc.)

Medium-term (6-12 months):

  • Regional privacy (CCPA, LGPD, PDPA, etc.)
  • Emerging regulations (China CAC, etc.)

Next Steps