Originals
Finding upcoming regulations
The web is full of articles about new laws and regulations, but many law-firm sites read more like: "you know there is this new regulation", "do you really know what this implies for your company?", "relax, we can help you". Some sites like openkritis.de really summarize the originals and give status updates. Tech news outlets like Heise write every now and then about upcoming regulations. All of these can serve as a starting point to get an overview of the landscape. My latest gold nuggets are
The originals
But in the end there is only one source of truth: the original document. The European Union (Eur-Lex) and many nation states directly publish all finally released regulations and even work in progress, and the well-known search engines help to find them. When I took on the role of ISO and got notice about NIS2, I started reading about new regulations and discovered CRA, DSA, DMA, DA etc. Are they relevant for the company I am working for? What do they mean in detail? Goal: read the originals only to the point required to assess their relevance, and document that assessment so that I never have to read the original again.
Approach to read and document
Reading texts like EU laws is not much fun, but the following approach has served me well.
- Screen the original and find the paragraphs which are most relevant, skipping the pages with reasoning, cross references and other material that seems irrelevant for now.
- Search for answers to the following questions and take notes about the findings:
  - For whom (company) or what (product) does it apply? Are we in scope?
  - State of the law: when does it come into force, directly from the EU or via national law? Any grace periods?
  - Any special inclusions or exclusions (companies, products, ...)?
- If it seems to apply, dig deeper:
  - What is new, what has to be implemented, adhered to, or done in detail?
  - Is it detailed enough, or does it depend on other documents (delegated acts, standards, national implementation)?
  - Does it apply only to some products, some departments, ...?
Approval from legal department
I am not a lawyer and have no background in law, so for NIS2 I decided to cross-check my analysis with our legal department. Handing in the written analysis, with references into the original document, gives a good starting point to ask for verification and approval. Based on the feedback I revise the document. That way I learned more details, saved the legal team some time, and now have approved documentation about the relevance of that particular law with regard to our company.
Using generative AI
Using Langdoc as a frontend for ChatGPT or similar, I tried to speed up the above process and learned these points:
- Depending on the knowledge horizon (the cut-off date of the training data), the model may or may not know the law of interest, and what it does know may be an earlier draft rather than the final text.
- A RAG (retrieval augmented generation) based tool like Langdoc with a dedicated model, or Perplexity, is much better at finding the current state of a document.
- Downloading the original document and uploading it to the AI tool works very well: the answers are then grounded in the text I actually have to comply with, not in whatever version the model memorized.
Then prompting with the questions above and pointing the tool to the document gave me very good results, including references to the particular pages. That way I saved about 80 % of the time while still getting my answers, and I can verify each one against the original with a single click. The verification step is not optional: the assessment still goes to the legal department, so every answer has to be checked against the cited page before it is written down.