# Regulatory Compliance for LLMs and AI Systems
This directory contains detailed documentation on various laws, regulations, and standards that affect the development, deployment, and operation of LLMs and AI systems.
## Regulation Applicability Matrix
Use this table to quickly identify which regulations might apply to your organization.
- ✓ = Regulation applies
- ? = May apply depending on specific circumstances
- (blank) = Generally does not apply
| Regulation | EU Ops | US Ops | EU Data | US Data | B2C | B2B | Healthcare | Education | Financial | AI/ML Systems | Cloud Services | Critical Infra |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| GDPR | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| CCPA/CPRA | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ? | ✓ | ✓ | |||
| LGPD | ? | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| PIPEDA | ? | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| India DPDP | ? | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| HIPAA | ✓ | ✓ | ✓ | ✓ | ✓ | ? | ✓ | |||||
| HITECH | ✓ | ✓ | ✓ | ✓ | ✓ | ? | ✓ | |||||
| FERPA | ✓ | ✓ | ✓ | ? | ✓ | |||||||
| EU AI Act | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |
| NYC Bias Law | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| Algo Account Act* | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| CA SB 1047* | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| US EO on AI | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| DMCA | ? | ✓ | ✓ | ✓ | ✓ | ? | ✓ | |||||
| EU Copyright | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| UK Copyright | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| FTC Act | ✓ | ✓ | ✓ | ? | ✓ | ✓ | ✓ | ✓ | ✓ | |||
| EU UCPD | ✓ | ✓ | ✓ | ✓ | ||||||||
| UK CPR | ✓ | ✓ | ✓ | ✓ | ||||||||
| NIS Directive | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||
| CA Data Breach | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| MA Data Security | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||
| EAR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | |||||
| ITAR | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ||||||
| Defiance Act* | ✓ | ✓ | ✓ | ✓ | ✓ | |||||||
| PCI DSS | ✓ | ✓ | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ? | ✓ | ? | |
| SOX | ? | ✓ | ? | ✓ | ? | ✓ | ✓ | ? | ✓ | ? | ||
| UK Online Safety | ✓ | ✓ | ✓ | ✓ | ? | ✓ | ? | ✓ | ✓ | ? | | |
*Proposed legislation
### Important Notes

- Revenue and Size Thresholds
  - CCPA/CPRA: Applies to businesses with >$25M annual revenue
  - MA Data Security: No minimum threshold
  - EU AI Act: Different requirements based on company size
  - Algorithmic Accountability Act: Proposed thresholds for company size
- Data Volume Thresholds
  - CCPA/CPRA: >100,000 consumers/households
  - GDPR: No minimum threshold
  - India DPDP: Specific volume thresholds for different requirements
- Geographic Considerations
  - Laws may apply based on:
    - Location of operations
    - Residence of data subjects
    - Location of data processing
    - Market targeting
- Industry-Specific Requirements
  - Healthcare: HIPAA, HITECH
  - Education: FERPA
  - Financial: Various banking regulations
  - Defense: ITAR, EAR
- Technology-Specific Factors
  - AI/ML system complexity
  - Automated decision-making
  - Data processing methods
  - Security requirements
## Data Protection and Privacy

### Global and Regional Frameworks
- GDPR (EU) - General Data Protection Regulation
- LGPD (Brazil) - Lei Geral de Proteção de Dados
- PIPEDA (Canada) - Personal Information Protection and Electronic Documents Act
- Digital Personal Data Protection Act (India)
### United States Privacy Laws
- CCPA/CPRA (California) - California Consumer Privacy Act / California Privacy Rights Act
- California Data Breach Notification Law
- Massachusetts Data Security Regulations
- HIPAA - Health Insurance Portability and Accountability Act
- HITECH Act - Health Information Technology for Economic and Clinical Health Act
- FERPA - Family Educational Rights and Privacy Act
## AI-Specific Regulations

### Enacted Laws
- EU AI Act - Comprehensive AI regulation framework
- NYC Bias Audit Law - Local Law 144 for automated employment decisions
### Proposed Legislation
- Algorithmic Accountability Act (USA)
- California SB 1047 - Safe and Secure Innovation for Frontier AI Models Act
- Defiance Act (USA) - Proposed legislation for deepfake regulation
### Executive Actions
- U.S. Executive Order on AI - Safe, Secure, and Trustworthy AI development
## Copyright and Intellectual Property

### International Frameworks
- EU Copyright Directive - Digital Single Market Copyright Directive
- UK Copyright, Designs and Patents Act
### United States
- DMCA - Digital Millennium Copyright Act
## Consumer Protection

### International Frameworks
- EU UCPD - Unfair Commercial Practices Directive
- UK CPR - Consumer Protection from Unfair Trading Regulations

### United States
- FTC Act - Federal Trade Commission Act
## Security and Export Controls

### Cybersecurity
- NIS Directive (EU) - Network and Information Security Directive
### Export Controls
- EAR - Export Administration Regulations
- ITAR - International Traffic in Arms Regulations

## Using This Documentation
Each regulatory document follows a consistent structure:
- Title & Overview
- Scope & Applicability
- Key Requirements
- Impact on LLM/AI Deployments
- Enforcement & Penalties
- Resources & References
For specific compliance requirements, refer to the individual documentation files. Consider consulting legal experts for interpretation and application to your specific use case.