Back to Product
Compliance EvidenceEU AI Act · High-risk provisions — August 2026

One .cal bundle. Three regulatory frameworks.

The same cryptographically-signed attestation certificate satisfies DORA Art. 17 incident reporting, NIS2 Art. 21 supply-chain monitoring, and EU AI Act Art. 9 runtime audit-trail requirements — without separate tooling, separate processes, or separate evidence trails.

.cal field → article mapping

Each field in the .cal certificate maps to a specific documentary requirement in each framework.

.cal fieldDORA Art. 17NIS2 Art. 21EU AI Act Art. 9
agent_idICT asset identifierThird-party supply-chain referenceHigh-risk AI system identifier
ts_nsIncident timestamp (ns precision)Detection event timestampAudit log entry timestamp
hostAffected ICT componentMonitored infrastructure nodeDeployment environment record
channelDetection mechanism referenceMonitoring scope indicatorRuntime monitoring method
divergenceAnomaly severity indicatorBehavioral deviation measureRisk signal for audit trail
syscall_traceFull incident evidence chainAgent activity logLogging requirement (Art. 9(1)(e))
actionContainment measure recordIncident response documentationHuman oversight action log
signatureNon-repudiation proofCryptographic integrity proofTamper-evident audit record

Per-framework evidence

DORA · Art. 17 · In force Jan 2025

Digital Operational Resilience Act — Incident Reporting

DORA Art. 17 requires financial entities to maintain documented, reproducible evidence of ICT incident timelines, including timestamps, affected assets, the sequence of events, and actions taken. The H7 .cal bundle satisfies this requirement as a single, non-repudiable artifact.

Incident timeline
ts_ns (nanosecond precision) + syscall_trace
Affected ICT asset
agent_id + host
Detection mechanism
channel (L1–L5) + divergence measure
Non-repudiation
Ed25519 signature — offline verifiable
Actions taken
action field + operator containment record
Third-party attribution
agent_id tied to supply-chain component
NIS2 · Art. 21 · In force Oct 2024

Network & Information Security Directive 2 — Supply-Chain Security

NIS2 Art. 21 requires organizations to implement measures to manage risks in their supply chain — including ICT products and services from third parties. H7 provides continuous behavioral attestation of third-party agents, producing a tamper-evident audit trail for every monitored component.

Supply-chain monitoring
Continuous behavioral baseline per agent
Third-party risk evidence
agent_id maps to supply-chain component
Incident detection record
Full .cal bundle per detection event
Continuous monitoring proof
Baseline + per-batch divergence tracking
EU AI Act · Art. 9 · High-risk provisions — August 2026

EU Artificial Intelligence Act — High-Risk AI System Logging

EU AI Act Art. 9 imposes risk management and logging requirements on deployers of high-risk AI systems. H7 addresses the runtime audit-trail requirement: every behavioral anomaly is logged as a cryptographically-signed, offline-verifiable record tied to a specific agent and deployment host.

Runtime logging (Art. 9(1)(e))
syscall_trace: kernel event record
High-risk AI system identifier
agent_id + host
Tamper-evident audit record
Ed25519 signature over all fields
Human oversight documentation
action field: operator-initiated containment
Audit trail continuity
Signed .cal per event — no gaps, no modification
Deployer evidence (not GPAI)
Applies to deployers of high-risk AI agents

What your auditor needs — checklist

Eight items your compliance team or external auditor will verify against each .cal certificate.

IdentityAgent identifier is present and consistent with the deployment manifest
TimestampNanosecond-precision timestamp is within the reported incident window
IntegrityEd25519 signature verifies against the published public key (offline)
Evidence chainSyscall trace covers the full behavioral sequence preceding the alert
ContainmentAction field documents the operator response — not an automated isolation claim
ScopeDetection channel (L1–L5) matches the declared monitoring configuration
ReproducibilityScenario can be reproduced using the demo kit within 10 minutes
ProvenanceCertificate is tied to a specific host — chain-of-custody is preserved

Request a sample audit package. We provide an annotated .cal certificate and regulatory submission template for your first review cycle. contact@pulsaride.com

DORA-compliant in 6 weeks — before August 2026

Apply for a pilot and have H7 generating audit-ready .cal evidence in your environment before the EU AI Act high-risk provisions take effect.

Apply for a Pilot →Request Sample Audit PackageRead the white paper →