Arrive at your Reg 10 audit already audit-ready.
A DIFC Regulation 10 assessment is a review of evidence. The job before the audit is to build that evidence and keep it current. regulation10.ae produces the full Reg 10 evidence canon — register, DPIA, transparency notice, RoPA, ASO file, Statement of Applicability and an audit-grade evidence pack — and exports it to whichever Approved Certification Body or consultancy you engage.
What an assessment looks for
The auditor reads evidence, not intentions.
An Approved Certification Body or consultancy — for example White Label Consultancy, though the platform is deliberately ACB-agnostic — does not grade your ambitions. They check that each in-scope AI system has a documented purpose, a risk classification, a Data Protection Impact Assessment, a clear accountable owner and a record that the controls you claim are actually running.
Most of the work in passing that review is preparation: pulling the artefacts together, making sure they agree with one another, and proving they have not drifted out of date. That is the work regulation10.ae does for you — so the assessment becomes a confirmation, not a scramble.
You stay in control of who sees the evidence. Export a signed pack, or open a read-only evidence-room for your assessor. The platform never locks you to one body — your evidence is yours to take to any DIFC ACB.
What the platform hands the assessor
- Register entry per system, linked to every artefact
- DPIA, transparency notice and RoPA generated from real facts
- ASO appointment letter + competence file
- ISO 42001 Statement of Applicability with justifications
- Bias, threat-model and drift evidence, dated and attributable
- WORM audit trail with SHA-256 content hashes
- One signed evidence-pack ZIP, exportable to any ACB
Audit-readiness facilities
Every artefact an ACB asks for, produced and kept current.
Each facility below maps to a specific Regulation 10, DPL 2020 or ISO control. They are generated from your system facts, hash-pinned into the audit trail, and bundled into an evidence pack you can hand to any Approved Certification Body.
AI System Register
A live inventory of every in-scope AI system: purpose, data categories, risk class, owners and lifecycle stage. This is the spine an auditor reads first — every other artefact links back to a register entry.
DIFC Reg 10Data Protection Impact Assessment
A structured DPIA per system — necessity, proportionality, risks to data subjects and the mitigations applied. Generated against the system facts in the register, not a blank template.
DPL Art 20Transparency Notice
A plain-English notice that explains automated processing to the people it affects — what the system does, the legal basis, and how to exercise data-subject rights. Satisfies the DPL transparency duty.
DPL Art 13–14ASO appointment + competence file
Reg 10 names one accountable human — the Appointed Senior Officer. The platform produces the appointment letter and a competence file (role, qualifications, training log) so the auditor has a single signature and an evidence trail behind it.
DIFC Reg 10Record of Processing Activities (RoPA)
The Article 15 processing record — purposes, categories of data and recipients, retention and cross-border transfers — kept in step with the register so it is never a stale spreadsheet.
DPL Art 15Statement of Applicability
An ISO/IEC 42001 Annex A Statement of Applicability — each control marked applicable or not, with justification and a link to the evidence that satisfies it. The document a Stage-1 reviewer works through line by line.
ISO 42001 Annex ABias, threat & drift evidence
Quantified evidence from the assurance modules: bias and fairness testing, an adversarial threat model, and drift monitoring over time. Each run is dated and attributable, so the auditor sees an ongoing control, not a one-off screenshot.
DIFC Reg 10WORM audit trail
Every artefact, decision and approval is written to a write-once, read-many audit trail with content hashes. Tamper-evidence is built in: an auditor can confirm nothing was edited after the fact.
DIFC Reg 10Evidence-pack export (ZIP)
One signed ZIP that bundles the register entry, DPIA, transparency notice, RoPA, Statement of Applicability, ASO file and assurance evidence — each with a SHA-256 hash and a manifest. Hand it to any ACB; the platform stays ACB-agnostic.
Exportable to any ACBAuditor evidence-room
A read-only room where your chosen ACB or consultancy reviews the live evidence in place, organised the way an assessor expects. The structure aligns to ISO/IEC 42006:2025 so the review process is familiar from the first click.
ISO/IEC 42006:2025Gap analysis & readiness scoring
Before you book the audit, the platform scores each system against the Reg 10 evidence canon and surfaces the gaps — missing artefacts, stale runs, unsigned approvals — as a ranked, fixable to-do list.
Readiness scoreISO 42001 / 27001 cross-map
A cross-map that shows where your Reg 10 evidence already satisfies ISO/IEC 42001 (AI management) and ISO/IEC 27001 (information security) controls — so a single body of work stands up against more than one framework.
ISO 42001 / 27001Standards alignment
One body of evidence, mapped to the frameworks your assessor already knows.
Reg 10 is the primary obligation, but the same evidence is structured to stand up under the international AI and security standards. That cross-mapping is why a single readiness programme can serve more than one audit.
AI management system
The Statement of Applicability and evidence pack are sized to feed a Stage-1 readiness review against the AI management standard.
Bodies certifying AI
The auditor evidence-room is organised to align with the requirements placed on bodies that audit and certify AI management systems.
Information security
The cross-map shows where your Reg 10 controls already satisfy information-security controls, avoiding duplicate work.
DIFC Data Protection Law
Transparency notices, the RoPA (Art 15) and the DPIA (Art 20) are anchored directly to the data-protection law that Reg 10 sits within.
The path to audit-ready
Audit-ready in about five weeks.
The timeline below is a working guide for a typical portfolio of a handful of systems. Larger estates take longer; a single system can be audit-ready sooner. The readiness score tells you exactly where you stand at every step.
- Week 1
Register your systems
Walk each in-scope AI system through the onboarding wizard. The platform builds the AI System Register and runs the first readiness score, so you can see the size of the job on day one.
- Weeks 2–3
Generate the evidence
The modules produce the DPIA, transparency notice, RoPA and Statement of Applicability against your real system facts, and run the bias, threat and drift checks. Every output lands in the WORM audit trail.
- Week 4
Close the gaps
Work the ranked gap list to zero: missing artefacts, stale runs, unsigned approvals. Confirm the ASO appointment and competence file. Re-score until the readiness number is where you want it.
- Week 5+
Hand off to your ACB
Export the evidence-pack ZIP, or open the read-only auditor evidence-room, for your chosen Approved Certification Body or consultancy. The platform stays ACB-agnostic — your evidence goes wherever your assessor is.
See exactly how audit-ready you are.
Run your AI systems through the readiness assessment. You will get a register, a readiness score and a ranked gap list in the first session — and a clear, ACB-agnostic path to an evidence pack you can hand to any assessor. Audit-ready means evidence for assessment, not a certification claim we cannot make for you.