Field notes

Writing on what actually applies.

Practical notes on AI Act enforcement, GDPR operationalisation, ISO 42001, SaMD, and the gap between compliance documentation and compliance reality. Written for operators, not lawyers.

Recent writing

All articles.

GRC & Cybersecurity 19 April 2026

SaMD and GDPR data minimisation: the architectural decision that protects the entire stack

Software as a Medical Device is, by its nature, data-hungry. GDPR's data minimisation principle sits in direct tension with clinical utility — and the reconciliation is architectural, not contractual. Most SaMD companies discover this at the wrong stage of product design.

Tags: SaMD, GDPR, Data minimisation
GRC & Cybersecurity 19 April 2026

Third-party risk management for AI integrations: the diligence most programmes are not running

Classic TPRM was built for vendors that process data and run services. AI integrations introduce new risk surfaces — model behaviour, training data provenance, evaluation transparency, governance posture — that standard vendor questionnaires do not surface. If your TPRM programme has not been updated for AI, your supply-chain risk is larger than your register shows.

Tags: TPRM, AI Governance, Supply chain
GRC & Cybersecurity 18 April 2026

NIS2 scope creep: why companies that thought they were out are finding themselves in

NIS2 was sold as a directive for critical infrastructure. Its transposition across Member States has produced a scope that reaches deeper into digital supply chains than most scale-ups budgeted for. If you sell into energy, health, transport, or the public sector, the obligations may already apply to you — even if your own sector is not on the list.

Tags: NIS2, Cybersecurity, Digital infrastructure
AI Governance 16 April 2026

GPAI obligations: what downstream providers keep getting wrong

The EU AI Act's provisions on general-purpose AI models create obligations that cascade through the value chain. Most scale-ups that integrate third-party AI assume the provider carries the weight. That assumption is wrong more often than it is right.

Tags: EU AI Act, GPAI, Downstream providers
AI Governance 2 April 2026

ISO 42001 and ISO 27001: what overlaps, what does not, and what it means for your ISMS

ISO 42001 is an AI management system. ISO 27001 is an information security management system. They share structure, share evidence, and can share a common operating backbone — but the controls that matter most are different. Here is where they meet, where they diverge, and how to run one programme covering both.

Tags: ISO 42001, ISO 27001, ISMS
AI Governance 18 February 2026

GDPR and the EU AI Act: where the two regimes stack, and where they fight

Most AI governance programmes treat GDPR and the EU AI Act as adjacent compliance exercises. They are not. They overlap meaningfully, conflict in specific places, and require deliberate design to satisfy both without double-running every control.

Tags: EU AI Act, GDPR, Privacy

Prefer a conversation to an article?

30-minute scoping call. Direct line to Hachem.
