Start scan
Back to scan

Compliance guide

What BlindSpot checks and how to use the reports

BlindSpot is not a legal opinion. It is an evidence pack for CTOs, DPOs, security leads, and product owners who need to see which AI compliance controls were checked, what passed, what failed, and who should fix it.

1. Enter the domain

BlindSpot crawls the public website and common support, search, policy, and widget paths.

2. Review discovered AI surfaces

SCAN-Agent lists chatbots, AI search, generated content, API chat endpoints, and third-party AI widgets.

3. Open Compliance reports

Each regulation shows area, article, goal, checked evidence, pass/fail/review status, owner, and remediation.

4. Export the evidence pack

The PDF includes the same regulation reports, findings, query ledger, certificate, and next steps.

Coverage

Regulations in scope

AI transparency and risk classification

EU AI Act

Usage: A public user interacts with an AI system, sees AI-generated content, or is affected by AI-assisted decisions.

Product, AI governance, Legal

Articles

  • Art. 50 transparency
  • Art. 9 risk management for high-risk systems

BlindSpot checks

  • AI interaction disclosure before the first chat, search, or generated answer
  • Risk class: prohibited, high-risk, limited-risk, or minimal-risk
  • Human oversight and escalation for decisions that affect users
  • Generated-content labeling where the website publishes AI output

Evidence returned

  • Screenshot or crawl evidence of the AI surface
  • Pass/fail result for transparency disclosure
  • Risk triggers used by GUIDE-Agent
  • Remediation owner and next action

Personal data notice, security, DPIA, and breach readiness

GDPR

Usage: The AI surface collects, processes, stores, infers, or exposes personal data from EU users.

DPO, Security, Engineering

Articles

  • Art. 13/14 privacy notice
  • Art. 32 security of processing
  • Art. 35 data protection impact assessment
  • Art. 33/34 breach notification

BlindSpot checks

  • Privacy notice mentions AI processing, purpose, retention, and controller contact
  • Prompt tests do not expose personal data or internal instructions
  • DPIA trigger detection for high-risk or sensitive processing
  • Vendor and DPA evidence for third-party AI services

Evidence returned

  • Query payload and returned result
  • Detected leaked data types, if any
  • Mapped GDPR articles
  • DPO-ready remediation steps

Cybersecurity risk management and incident reporting

NIS2

Usage: The company is an essential or important entity, or the AI surface creates supplier, logging, or incident-response exposure.

CISO, Security operations, Vendor manager

Articles

  • Art. 21 cybersecurity risk-management measures
  • Art. 23 reporting obligations

BlindSpot checks

  • Critical AI findings that create ICT risk
  • Vendor and supply-chain exposure
  • Logging and monitoring evidence
  • Incident escalation readiness for AI-related compromise

Evidence returned

  • Security finding severity
  • Supplier or unknown-vendor marker
  • Logging evidence status
  • Incident-reporting next steps

Consent before terminal access, cookies, widgets, and communications processing

ePrivacy

Usage: A chat widget, AI widget, tracker, cookie, or third-party script loads before consent or reads user-device information.

DPO, Marketing operations, Frontend

Articles

  • Art. 5 confidentiality and consent

BlindSpot checks

  • Whether widgets load before cookie or consent choice
  • Whether AI chat starts before disclosure or permission
  • Whether tracking or stored identifiers appear before consent
  • Whether user communication data is processed by the AI surface

Evidence returned

  • Crawl result showing widget load timing
  • Consent banner and disclosure status
  • Fail/pass decision for pre-consent loading
  • Frontend remediation owner

Financial-sector ICT third-party and operational resilience risk

DORA

Usage: The audited company is a financial entity or uses AI vendors as part of regulated ICT services.

Operational resilience, Procurement, Legal

Articles

  • Art. 28 ICT third-party risk
  • Art. 30 contractual provisions

BlindSpot checks

  • Financial-sector detection
  • AI vendor and third-party ICT dependency
  • Contract and DPA evidence gaps
  • Operational-resilience ownership for AI incidents

Evidence returned

  • Applicable or not-applicable flag
  • Vendor name and confidence
  • Contract evidence status
  • Procurement or legal remediation owner

Result states

How to read pass, fail, review, and N/A

Pass

The check returned the expected safe result or no mapped breach was detected.

Fail

The returned result failed the control, exposed a mapped issue, or produced a critical finding.

Review

The result is incomplete, ambiguous, sector-dependent, or requires DPO/legal/security confirmation.

N/A

The framework does not apply to the detected sector or available evidence. DORA is usually N/A outside financial services.

How the compliance report should be used

From demo scan to remediation plan

  1. Use the domain scan to find public AI modules first. Do not assume internal AI tools are covered unless they are exposed in the supplied asset or project path.
  2. Open the regulation report that matters most to the company sector. Retail teams usually start with EU AI Act, GDPR, and ePrivacy. Financial teams also review DORA.
  3. Read the query ledger before claiming a vulnerability. A failed check must show what was executed, what came back, and why BlindSpot rejected the control.
  4. Assign the remediation owner shown in the report. Product handles disclosure, engineering handles controls, DPO/legal validates privacy duties, and security owns incident response.
  5. Export the PDF evidence pack for follow-up. The pack is a starting point for expert review, not a formal certification by itself.

Official references

Source material used for article mapping

EU AI Act, Regulation (EU) 2024/1689GDPR, Regulation (EU) 2016/679NIS2, Directive (EU) 2022/2555ePrivacy Directive 2002/58/ECDORA, Regulation (EU) 2022/2554