Four enforcement regimes.
One architecture to survive all of them.
EU AI Act enforcement begins 2 August 2026. India's DPDPA obligations land 13 May 2027. DORA is already active. The UK DUAA is already in force. Every organisation treating these as separate projects is now operating with a structural liability.
Four regimes. One enforcement architecture.
Between January 2025 and August 2026, four regulatory regimes have converged into a single enforcement surface. Organisations that still treat them as separate projects are not behind the curve — they have already created structural liability.
Enforcement begins. Fines up to 3% of global turnover or €15M for general provisions; up to 7% / €35M for prohibited practices. 28 GPAI Code signatories confirmed. Meta declined.
Active window

Main obligations commence. Rules notified 13 November 2025. Consent Manager registration opens 13 November 2026. Penalties up to ₹250 crore per breach.

Immediate preparation

Already applicable across EU financial services. First 19 Critical ICT Third-Party Providers designated November 2025, including AWS, Azure, Google Cloud, IBM, Oracle, SAP, Salesforce, and SWIFT.

Now in force

Solely-automated decision provisions revised. Mandatory safeguards on transparency, human intervention, and contestability — converging directly with EU AI Act Article 14.
In force

The convergence of these four regimes was the thesis of an original framework — the 3I-Ecosystem — published as an LL.M dissertation in 2023, three years before any of them was enacted.
One practitioner. Three disciplines.
Most advisory firms triangulate governance across three teams — legal, technical, operational. The translation losses happen at every handoff. This practice removes the handoff entirely.
Technical depth that reads contracts
Source-code review. Vendor RAG and agent-tool-misuse risk. MCP integration governance. ISO/IEC 42001 Annex A control mapping at the architecture layer, not the documentation layer. Post-quantum cryptography readiness to NIST PQC FIPS 203, 204, and 205.
Legal authority that understands systems
Cross-jurisdictional contract drafting. SaaS, AI/ML, MSA, DPA, IP licensing. Regulatory opinions under EU AI Act, DPDPA, GDPR, DORA, UK DUAA, RBI, SEBI, and FCA. Privilege-aware analysis. No hand-off to a separate law firm.
Operational credibility with no conflicts
P&L-anchored governance reporting. Risk-maturity modelling against ISACA DTEF and ISO standards. Regulator-interface protocols. Seventeen years of operating-side discipline. Forty-plus GRC audits. Zero compliance penalties. We have no systems to sell, no audit relationships to protect, and no conflicts to manage around the work.
Five practice areas. One convergence map.
AI Governance GRC & ISO 42001
Your AI vendor list contains a GPAI Code non-signatory. The Board chair asked if your AI is "governable." We build the AIMS and the answer simultaneously.
Cybersecurity GRC & Fractional CAIO/CISO
One converged incident-response runbook across four regulatory clocks. ISO 27001, NIST CSF 2.0, COBIT, DORA CTPP exposure — in one integrated programme.
Privacy & DPDPA / GDPR / DUAA
The DPDP Rules 2025 changed your consent stack overnight. Cross-border SCCs are contested. You need one convergence map — not four separate policies.
Technology Law & Contracts
SaaS agreements that predate EU AI Act enforcement. Liability caps from a regime that has since shifted. Re-papering sixty contracts is not a junior-associate task.
Board AI Governance & GRC Convergence Audit
The Big 4 are conflicted — they audit the systems they are also advising you to govern. The independent voice the Audit Committee needs is not from a firm with a platform to sell.
The Convergence Layer: Toward a 3I-Ecosystem Theory of Integrated AI, Privacy, and Cyber-Resilience Regulation across the EU, India, and the UK
The 2023 LL.M dissertation that anticipated EU AI Act, DPDPA, and DORA convergence three years before enactment — formalised as an SSRN working paper and foundational to every engagement this practice takes.
Begin with a Discovery Call.
Twenty-five minutes. No slide deck. One structured assessment of fit and scope. If the engagement is not right, you will know within fifteen minutes.
All calls are with the founder directly. Replies to enquiries within 24 working hours.