DORA · NIS2 · MiCA · EU AI Act · CFPB §1033 — enforcement clocks are set (EU AI Act high-risk deadline deferred to 2 Dec 2027 by the Digital Omnibus), the controls overlap by 60–70%, and every mandate exports as JSON the audit team can replay. Eleven scenarios and the AML / sanctions / KYB / CRR tools underneath them are the dual- and triple-compliance evidence track.
For teams working with ComplyAdvantage · Sumsub · Hummingbird · Unit21 · ThetaRay · readable by Tier-1 risk & compliance teams
Start at operational resilience (DORA / NIS2) where the overlap is highest. Move into the AI-risk and crypto-rail surface (EU AI Act, FATF Travel Rule). Cover the financial crime stack (AML TM, KYB, sanctions, CRR). Pin the US extension last (CFPB §1033), which is the only one whose schedule is genuinely uncertain.
Control-overlap Venn for DORA (EU 2022/2554) + NIS2 (EU 2022/2555). 4-hour NCA notification window classification, Policy Mandate export. The reference point for "controls overlap by 60–70%."
Five-pillar DORA maturity + an Article 28 third-party concentration deep-dive — HHI index, sub-outsourcing depth, CIF tier flags, EBA RTS 2024/1773 alignment. Policy Mandate output an agentic compliance runtime can execute against.
Map FS AI use cases (every RegTech screening model is one) to Annex III risk classes. €15M / 3% (high-risk); €35M / 7% for prohibited practices. Article 6 evidence requirements — for the model risk team to file once, audit to read forever. High-risk deadline deferred to 2 Dec 2027.
Originator + beneficiary data-sufficiency scored across FATF, EU TFR (Reg. 2023/1113), FinCEN, UK MLR, MAS. Per-jurisdiction breakdown, sunrise-issue awareness, Policy Mandate — the harmonisation surface the crypto-rails RegTech buyer ships against.
Six rule families, per-rule thresholds, false-positive / true-positive modeled against a synthetic 100K-tx population. Live precision & recall, analyst FTE estimate, AP2 ruleset export.
Interactive SVG ownership-chain graph across four disclosure regimes (FinCEN CTA / EU 6AMLD / UK PSC / MAS). Three switchable scenarios — including a sanctioned-proximity case and a circular-ownership cycle. Per-UBO effective-share computation, AP2 evidence-grade mandate.
FATF mutual-evaluation readiness scoring + OFAC / EU sanctions programme effectiveness review. The pair RegTech buyers wire into customer-onboarding pipelines.
8-dimension AML/KYC CRR scoring — geography, PEP, industry, channel, volume, ownership, adverse media, product. Radar visualisation, EDD trigger identification, review cadence, Policy Mandate export.
Personal financial data rights mapping for US covered FIs — phased compliance April 2026 → April 2030, current CFPB reconsideration acknowledged in the schedule view.
Four-stage AML ops chain: CRR scoring (T110) → TM rule calibration (T116) → SAR narrative generation (T121) → AP2 AML Policy Mandate export (T131). Presets for VASP, trade finance, and retail. Single deterministic flow.
Score your AML programme against AMLA requirements applicable 10 July 2027. Five-pillar gap assessment: CDD/EDD (eIDAS-compliant), KYC ongoing monitoring, transaction monitoring (€10k cash ban), SAR/STR, sanctions. Direct supervision of ~40 institutions from 2028. Policy Mandate export.
The DORA NCA-notification clock is 4 hours. EU AI Act enforcement is on the calendar. MiCA Phase 2 is live. CFPB §1033's first cohort lands April 2026 (subject to reconsideration; build for the worst-case schedule).
No covered firm gets to pick one regime to comply with. They ship overlap evidence, jurisdiction by jurisdiction, framework by framework. The catalog's RegTech cluster encodes the overlap up front: the DORA Dedup collapses DORA + NIS2 into a single Venn. The EU AI Act Mapper assigns Annex III classes against the live regulation, not the consultation draft. The CFPB §1033 Mapper accepts the post-reconsideration ambiguity rather than pretending it doesn't exist.
Every scenario exports as an Policy Mandate the audit team — or an agent runtime — can replay. The catalog underneath is what the buyer's screening and TM pipelines already reach for; surfaced here as the scenario path that proves the surface composes.
The scenarios are the packaged surface; the tools are where the model-risk team digs in. Every tool exports Policy Mandate schema and ships an MCP tool definition.
The Tool Chain Composer renders the AINumbers catalog as a DAG with the 45 showcase scenarios highlighted. The regtech cluster — DORA, AML, KYB, sanctions, CRR — is the densest sub-graph in the catalog.
We help institutions operationalize obligations like DORA, MiCA, the EU AI Act, CFPB §1033 and AML — past the checklist and into production. Tell us what's on your enforcement calendar.
Talk to our team →