Third-party and vendor risk assessment program for evaluating operational, compliance, and security risks in supply chains and service providers.

Algorithmic impact assessment for consequential automated decisions to identify potential harms and compliance gaps.

Data protection impact assessment (DPIA) process to evaluate privacy and security risks of data processing activities.

Bias audit and impact-ratio testing for automated decisions to assess fairness and discriminatory outcomes.

Incident response plan documenting detection, escalation, and remediation procedures for security and compliance breaches.

Security update provision and defined support period to manage cybersecurity vulnerabilities and product safety risks.

AI system disclosure to end users to inform consumers about automated decision-making and algorithmic systems in use.

EU Artificial Intelligence Act establishes risk-based classification system (high-risk, limited-risk, minimal-risk) requiring impact assessments and governance controls.

GDPR requires risk assessments for automated processing, profiling, and high-risk data transfers; accountability through documented compliance activities.

EU Network and Information Security Directive (NIS2) requires risk management and security assessment frameworks for critical infrastructure operators and essential services.