EU Regulatory Applicability
CloakAPI is operated by Klokk Nettablering, a sole-proprietor business established in Norway (EEA). We sell into the European Union under the international-from-day-one principle (see ADR-008 in our public engineering record). This page documents which EU regulations apply to CloakAPI today, the legal trigger that switches each on, and the concrete obligations we have already met or are tracking on our roadmap. It is intended as a public artefact for prospective customers, security researchers, and supervisory authorities. It is not legal advice; controllers and supervisory authorities remain the final arbiter of applicability.
Summary table
| Regulation | Status today | Trigger that changes status |
|---|---|---|
| GDPR (Reg. 2016/679) | Applies | Already in effect; we are a processor for customers and controller for our own data. |
| ePrivacy Directive (2002/58) | Applies | Already in effect; covered by /legal/privacy — cookie-less, no third-party trackers. |
| NIS2 Directive (2022/2555) | Below threshold | Crosses to applies when CloakAPI exceeds 50 staff or €10M annual turnover (Art. 2 — medium/large enterprise threshold). |
| DORA (Reg. 2022/2554) | Partial — via customers | Already in force from 2025-01-17; CloakAPI becomes a "critical ICT third-party service provider" only if a financial entity's ICT-services concentration on us meets the ESAs' designation criteria (Art. 31). |
| EU AI Act (Reg. 2024/1689) | Partial — deployer-side | Phased application from 2025-02-02 (prohibited practices) to 2027-08-02 (full). CloakAPI is a downstream proxy — no substantial model modification — obligations inherited from upstream GPAI providers; high-risk use-cases (Annex III) inherit deployer obligations. |
| DSA (Reg. 2022/2065) | Not applicable | Applies to "online platforms" hosting user-generated content for the public. CloakAPI is a B2B/B2D API with no UGC surface (Art. 3(i)). |
| CRA (Reg. 2024/2847) | Applies from 2027-12-11 | Products with digital elements placed on the EU market: CloakAPI SDKs, verifier CLI, and desktop app fall in scope; main reporting obligations apply from 2026-09-11. |
1. NIS2 (Directive (EU) 2022/2555)
NIS2 applies to "essential" and "important" entities operating in 18 listed sectors, including "digital infrastructure" and "ICT service management" (Annex I) and "digital providers" (Annex II). CloakAPI qualifies as a provider of managed ICT services on sector classification grounds.
The size cap-and-collar in Article 2(1) restricts in-scope entities to medium and large enterprises as defined by Recommendation 2003/361/EC, i.e. organisations with at least 50 staff or annual turnover above €10 million. Klokk Nettablering is a sole-proprietor business and is therefore below the size threshold; NIS2 obligations do not apply by operation of law today.
Trigger to re-evaluate
- Headcount reaches 50, or
- Annual turnover exceeds €10 million, or
- A Member State designates CloakAPI under Art. 2(2) on sole-provider / cross-border-impact grounds.
Voluntary alignment shipped today
- Incident-response runbook with the NIS2 Art. 23 24-hour early-warning workflow (CSIRT notification draft + ENISA contact).
- Risk-management baseline: industry-standard information-security controls catalogued in our DPA Annex III TOMs and our security headers + CVE audit cron.
- Supply-chain due diligence: CycloneDX SBOM at /legal/sbom.json; license + dep policy CI guard.
2. DORA (Regulation (EU) 2022/2554)
DORA applies in full from 2025-01-17 to financial entities and to ICT third-party service providers they contract with. CloakAPI sells to fintechs as part of our addressable market, which means we may become contractually subject to DORA via a customer financial entity.
What we do for financial-entity customers today
- Offer DORA-aligned contractual clauses on request (Art. 30(2)–(3)): right to audit, sub-contracting controls, exit assistance, incident notification, location of data processing.
- Participate in customer ICT incident reporting workflows on best-efforts basis: 1-hour notification of confirmed major incidents to the customer's primary contact.
- Maintain a register of information for ICT services provided (Art. 28(3)).
Critical ICT third-party designation
CloakAPI is not a "critical ICT third-party service provider" under Art. 31: that designation is reserved for providers serving a systemically significant share of the EU financial market and is made by the Joint Committee of the European Supervisory Authorities. We track the designation criteria and will publicly disclose any change in status here within 7 days of notification.
3. EU AI Act (Regulation (EU) 2024/1689)
The AI Act applies in phases between 2025-02-02 (prohibited practices) and 2027-08-02 (full application). CloakAPI proxies general-purpose AI (GPAI) systems supplied by third parties (Anthropic, OpenAI, Google, xAI, DeepSeek — see /legal/subprocessors).
Classification
- Not a GPAI provider (Art. 3(63), Art. 51): CloakAPI does not train, fine-tune, or substantially modify a general-purpose AI model. Tokenisation and receipt-signing operate on the I/O stream, not on the model itself.
- Downstream provider / deployer-of-deployer surface: where a customer deploys CloakAPI as part of a high-risk AI system (Annex III — e.g. credit scoring, HR screening, education access), the customer remains the deployer of that high-risk system. CloakAPI is an "AI system component" supplier and provides upstream documentation pass-through.
- GPAI tier with systemic risk (Art. 51, >1025 training FLOPS): not triggered — we do not train. The trigger is upstream-provider-side.
Obligations met today
- Transparency (Art. 50): every CloakAPI surface that interacts with an end user discloses the AI nature of the service and identifies the underlying upstream model in the response (
x-cloakapi-upstream-modelheader + receipt). - Model-card pass-through: upstream GPAI provider model-cards are linked from docs.cloakapi.io/reference/models.
- Copyright (Art. 53(1)(c)): not applicable to us — we do not train models on third-party content.
- Prohibited practices (Art. 5): we contractually prohibit customers from using CloakAPI for social-scoring, exploitative targeting, and real-time biometric identification (see /legal/terms § Acceptable Use).
- High-risk inheritance: where a customer uses CloakAPI inside an Annex III high-risk system, we provide the technical documentation pack required under Art. 13 and a written supplier statement on request.
4. ePrivacy Directive (Directive 2002/58/EC + amendments)
Covered in detail by /legal/privacy. CloakAPI sets zero
non-essential cookies, uses cookieless first-party analytics (self-hosted Plausible CE), and
self-hosts fonts — so Article 5(3) "consent or strictly necessary" does not require a
cookie banner. See the agent-25 / agent-26 audits archived under
/srv/cloakapi/goal-run/verify-50/agent-25 for the verification transcript.
5. DSA (Regulation (EU) 2022/2065)
The DSA applies to providers of "intermediary services" with a focus on online platforms and very large online platforms / search engines (VLOPs/VLOSEs). CloakAPI is a B2B / B2D API that does not host user-generated content for the public, does not operate a platform-like marketplace, and is not a search engine. Article 3(i)–(j) and Recital 13 confirm that pure API back-end services to business customers are out of scope.
Status: not applicable. We will revisit if we introduce a public user-generated content surface (e.g. a community board hosting third-party prompts/responses).
6. Cyber Resilience Act (Regulation (EU) 2024/2847)
The CRA applies to "products with digital elements" placed on the Union market. CloakAPI distributes SDKs (Python, TypeScript, Go), a verifier CLI, browser extensions, and a desktop application — all of which are products with digital elements within the meaning of Art. 3(1).
Main obligations apply from 2027-12-11. The reporting obligation for actively exploited vulnerabilities and severe incidents applies earlier, from 2026-09-11 (Art. 14). We are voluntarily aligning the workflow today.
Obligations met today
- Vulnerability handling policy (Art. 13): published at /security/vulnerability-disclosure-policy, with safe-harbour, SLAs, and severity classification.
- SBOM (Annex I, §2(1)): CycloneDX 1.6 SBOM at
/legal/sbom.json (also at
/.well-known/sbom.json); 953 components covered. - Security update policy (Annex I, §1(2)(c)): 5-year security update commitment from the date a release is placed on the market — documented in docs.cloakapi.io/policies/security-updates.
- 24-hour reporting workflow (Art. 14): incident-response runbook codifies the ENISA-and-CSIRT 24h early-warning timeline.
- Coordinated disclosure (Art. 13(1)(g)): contact channel at
security@cloakapi.io, advertised in/.well-known/security.txton apex, api, app, security, demo, and openreceipt subdomains (RFC 9116).
Obligations on the roadmap (before 2027-12-11)
- Conformity assessment + CE marking review for the desktop app and verifier CLI (the SDKs are likely "default category" and self-assessable).
- Technical documentation package (Annex VII).
- Authorised representative inside the EU if Klokk Nettablering is reorganised outside the EEA — not currently planned.
7. Change log
| Date | Change |
|---|---|
| 2026-05-23 | v1.0 published — initial public applicability assessment shipped by agent-31. |
8. Related public documents
- Privacy policy — GDPR + ePrivacy.
- Data Processing Agreement — Art. 28 processor terms.
- Sub-processors — v5.0.
- SBOM (CycloneDX 1.6) — CRA evidence.
- Open-source acknowledgements.
- Vulnerability disclosure policy.
- RFC 9116 security.txt.