Feb 2, 2026
Systematic Cross-Regulation Threat Topology for EU AI Governance
Rian Czerwiński, Wiktoria Leks
A single frontier AI training run can simultaneously trigger obligations under the EU AI Act, GDPR, Copyright Directive, and NIS, yet no systematic framework maps these compounding regulatory threats across stakeholder types and jurisdictions. We present a systematic threat topology covering 19 EU-level regulations across five stakeholder categories (frontier model developers, deployment platforms, hardware providers, open-source developers, and research organizations), with geographic enforcement modifiers for all 27 Member States. Our methodology employs an activity-based stakeholder taxonomy, temporal activation mapping, and a KNOW/GUESS/UNKNOWN epistemic framework that quantifies regulatory uncertainty rather than obscuring it. Key findings include: (1) cross-regulation compounding creates multiplicative compliance surfaces where identical development activities trigger 3–5 regulatory regimes simultaneously; (2) enforcement concentration: five DPAs account for over 85% of €5.88B in cumulative GDPR fines, creates significant compliance cost differentials depending on establishment jurisdiction; (3) temporal cascading between February 2025 and August 2027 activates obligations under four major regulatory categories in overlapping waves, with August 2025 marking a critical inflection point for frontier AI providers. We release the full 41-page threat matrix as open infrastructure for practitioners navigating EU AI compliance during this implementation period.
The paper’s research topic is important and interesting - practitioners really do seem to be exposed to multiple overlapping regulations. However, the analysis of interactions itself is undersupplied in the paper: there are multiple claims that cross-regulation compounding has multiplicative effects, but it doesn’t actually show what those effects are and why they happen. E.g. the tension between GDPR disclosure and AI Act transparency is mentioned but never developed. Also, we're told about the KNOW/GUESS/UNKNOWN framework but we aren’t shown a breakdown of what proportion of the matrix falls into each category, or how this varies by stakeholder type.
This seems like ambitious work that could aid a variety of stakeholders in complying with a variety of EU AI regulations. I encourage you to seek feedback from any applicable stakeholders to understand better if this would be useful in practice. I expect that existing stakeholders have a complex process for staying on top of regulations and it is unclear how this work fits into that… or is this intended to be more helpful to a new stakeholder who has only just begun to develop their own processes?
One issue to consider is how to keep this document up-to-date, as the value to the reader depends on it being current. Similarly, I wonder how existing stakeholders manage this problem.
Cite this work
@misc {
title={
(HckPrj) Systematic Cross-Regulation Threat Topology for EU AI Governance
},
author={
Rian Czerwiński, Wiktoria Leks
},
date={
2/2/26
},
organization={Apart Research},
note={Research submission to the research sprint hosted by Apart.},
howpublished={https://apartresearch.com}
}
