EU Regulatory Applicability

Version 1.0 · Effective 2026-05-23 · Next review 2026-11-23 · Document owner: DPO (dpo@cloakapi.io)

CloakAPI is operated by Klokk Nettablering, a sole-proprietor business established in Norway (EEA). We sell into the European Union under the international-from-day-one principle (see ADR-008 in our public engineering record). This page documents which EU regulations apply to CloakAPI today, the legal trigger that switches each on, and the concrete obligations we have already met or are tracking on our roadmap. It is intended as a public artefact for prospective customers, security researchers, and supervisory authorities. It is not legal advice; controllers and supervisory authorities remain the final arbiter of applicability.

Summary table

RegulationStatus todayTrigger that changes status
GDPR (Reg. 2016/679)AppliesAlready in effect; we are a processor for customers and controller for our own data.
ePrivacy Directive (2002/58)AppliesAlready in effect; covered by /legal/privacy — cookie-less, no third-party trackers.
NIS2 Directive (2022/2555)Below thresholdCrosses to applies when CloakAPI exceeds 50 staff or €10M annual turnover (Art. 2 — medium/large enterprise threshold).
DORA (Reg. 2022/2554)Partial — via customersAlready in force from 2025-01-17; CloakAPI becomes a "critical ICT third-party service provider" only if a financial entity's ICT-services concentration on us meets the ESAs' designation criteria (Art. 31).
EU AI Act (Reg. 2024/1689)Partial — deployer-sidePhased application from 2025-02-02 (prohibited practices) to 2027-08-02 (full). CloakAPI is a downstream proxy — no substantial model modification — obligations inherited from upstream GPAI providers; high-risk use-cases (Annex III) inherit deployer obligations.
DSA (Reg. 2022/2065)Not applicableApplies to "online platforms" hosting user-generated content for the public. CloakAPI is a B2B/B2D API with no UGC surface (Art. 3(i)).
CRA (Reg. 2024/2847)Applies from 2027-12-11Products with digital elements placed on the EU market: CloakAPI SDKs, verifier CLI, and desktop app fall in scope; main reporting obligations apply from 2026-09-11.

1. NIS2 (Directive (EU) 2022/2555)

NIS2 applies to "essential" and "important" entities operating in 18 listed sectors, including "digital infrastructure" and "ICT service management" (Annex I) and "digital providers" (Annex II). CloakAPI qualifies as a provider of managed ICT services on sector classification grounds.

The size cap-and-collar in Article 2(1) restricts in-scope entities to medium and large enterprises as defined by Recommendation 2003/361/EC, i.e. organisations with at least 50 staff or annual turnover above €10 million. Klokk Nettablering is a sole-proprietor business and is therefore below the size threshold; NIS2 obligations do not apply by operation of law today.

Trigger to re-evaluate

Voluntary alignment shipped today

2. DORA (Regulation (EU) 2022/2554)

DORA applies in full from 2025-01-17 to financial entities and to ICT third-party service providers they contract with. CloakAPI sells to fintechs as part of our addressable market, which means we may become contractually subject to DORA via a customer financial entity.

What we do for financial-entity customers today

Critical ICT third-party designation

CloakAPI is not a "critical ICT third-party service provider" under Art. 31: that designation is reserved for providers serving a systemically significant share of the EU financial market and is made by the Joint Committee of the European Supervisory Authorities. We track the designation criteria and will publicly disclose any change in status here within 7 days of notification.

3. EU AI Act (Regulation (EU) 2024/1689)

The AI Act applies in phases between 2025-02-02 (prohibited practices) and 2027-08-02 (full application). CloakAPI proxies general-purpose AI (GPAI) systems supplied by third parties (Anthropic, OpenAI, Google, xAI, DeepSeek — see /legal/subprocessors).

Classification

Obligations met today

4. ePrivacy Directive (Directive 2002/58/EC + amendments)

Covered in detail by /legal/privacy. CloakAPI sets zero non-essential cookies, uses cookieless first-party analytics (self-hosted Plausible CE), and self-hosts fonts — so Article 5(3) "consent or strictly necessary" does not require a cookie banner. See the agent-25 / agent-26 audits archived under /srv/cloakapi/goal-run/verify-50/agent-25 for the verification transcript.

5. DSA (Regulation (EU) 2022/2065)

The DSA applies to providers of "intermediary services" with a focus on online platforms and very large online platforms / search engines (VLOPs/VLOSEs). CloakAPI is a B2B / B2D API that does not host user-generated content for the public, does not operate a platform-like marketplace, and is not a search engine. Article 3(i)–(j) and Recital 13 confirm that pure API back-end services to business customers are out of scope.

Status: not applicable. We will revisit if we introduce a public user-generated content surface (e.g. a community board hosting third-party prompts/responses).

6. Cyber Resilience Act (Regulation (EU) 2024/2847)

The CRA applies to "products with digital elements" placed on the Union market. CloakAPI distributes SDKs (Python, TypeScript, Go), a verifier CLI, browser extensions, and a desktop application — all of which are products with digital elements within the meaning of Art. 3(1).

Main obligations apply from 2027-12-11. The reporting obligation for actively exploited vulnerabilities and severe incidents applies earlier, from 2026-09-11 (Art. 14). We are voluntarily aligning the workflow today.

Obligations met today

Obligations on the roadmap (before 2027-12-11)

7. Change log

DateChange
2026-05-23v1.0 published — initial public applicability assessment shipped by agent-31.

8. Related public documents