Changelog

Track what's new on cyber-laws.com. We continuously improve the Applicability Checker and add content based on community feedback.

January 2026

🎯 Three-Tier Confidence System

January 1, 2026

AI hints now use a clearer confidence scale to help you evaluate suggestions:

High confidence (green): Auto-selected — AI is confident this applies
Low confidence (yellow): Review recommended — verify before relying on this
Very low confidence (red): Extra scrutiny needed — AI is uncertain

📊 Enhanced Progress Tracking

January 1, 2026

Document and domain scanners now show real-time progress updates during AI analysis. Watch the progress bar advance smoothly as results stream in — no more waiting at 0% wondering if it's working.

🇪🇺 EU-Based AI Analysis Option

January 1, 2026

For users who prefer EU data residency, we now support Mistral AI — a French AI provider. Select your preferred region in the scanner settings.

⚖️ NIS2 Size-Based Exemptions

January 2, 2026

Micro and small enterprises are now correctly exempt from NIS2 per Article 2(1), with proper handling of Article 2(2-4) exceptions:

Size exemptions: Micro (<10 staff) and small (<50 staff) entities are exempt unless in covered exception categories
Article 2(2) exceptions: Trust services, DNS providers, telecom providers, and domain registrars apply regardless of size
Designated entities: Member State designated critical entities always see NIS2 regardless of size (Art. 2(3))

🏛️ Critical Entity Designation

January 2, 2026

New checkbox for organizations officially designated by national authorities:

NIS2 override: Designated entities see NIS2 regardless of organization size
CER applicability: Critical Entities Resilience Directive now correctly triggers for designated entities
Non-EU nexus: If designated by an EU Member State, that designation creates the EU nexus — no need to select "Serves EU customers"

🐛 Fix: Critical Entity + EU Customers Filtering

January 2, 2026

Fixed issues with the "Designated Critical Entity" checkbox when combined with other location filters.

Issue 1: Adding critical entity designation to an existing selection would incorrectly reduce visible regulations
Issue 2: CER (Critical Entities Resilience Directive) would disappear when adding "Serves EU customers" to an existing critical entity selection
After: Critical entity designation is now properly additive — it adds NIS2/CER to your results without affecting other applicable regulations. CER stays visible when you add more filters.

⚖️ Legal Note

A critical entity designation creates EU nexus specifically for NIS2 and CER. It does not automatically trigger other regulations like GDPR — a designated entity may still need to separately indicate if they serve EU customers for those regulations to apply.

🧪 Quality: 2,837 Automated Tests

January 2026

Expanded test suite to 2,837 tests covering filter behavior, scanner reliability, and legal accuracy scenarios.

December 2025

🔍 Company Scanner (Beta) — NEW!

December 19, 2025

Introducing AI-powered company analysis to speed up your regulation discovery:

Auto-detect regulations: Enter a company domain and let AI analyze industry, location, and activities
Pre-filled criteria: Scanner suggests relevant checkboxes based on company profile
Review and adjust: AI hints explain why each criterion was selected — dismiss or keep as needed
Share results: Scanned profiles generate shareable URLs

⚠️ Beta Limitations

1 scan per minute (AI calls are resource-intensive)
Results are AI-assisted suggestions — always verify
Use the manual form for complete control

🤖 AI Act Jurisdictional Tags

December 21, 2025

Enhanced AI Act filtering with Article 2 jurisdictional precision:

General Purpose AI (GPAI): For providers of foundation models like GPT, Claude, Gemini
AI output used in EU: Article 2(1)(c) "long arm" — catches non-EU companies whose AI outputs affect EU users, even through intermediaries
Prohibited AI Practices: Check if your AI use case is banned under Article 5 (social scoring, subliminal manipulation, etc.)

Key behavior: "AI output used in EU" is the only tag that triggers the AI Act for non-EU companies without needing "EU customers" — capturing indirect supply chain exposure.

🚆 Transport Sector Details — NEW!

December 21, 2025

Better precision for transport operators with sub-sector breakdowns:

Aviation: Airlines, airports, air traffic control (triggers Aviation Part-IS)
Rail: Railway operators and infrastructure managers
Maritime: Shipping, ports, and vessel traffic services
Road: Intelligent transport systems and freight operators
Marine Equipment: Manufacturers of MED-certified equipment (correctly exempt from CRA)

Aligned with NIS2 Annex I.4 transport sector definitions.

🐛 Fix: Regulation Count Display

December 21, 2025

Fixed "Showing 29 of 27 regulations" display bug — count now correctly shows 29 total regulations.

🎯 Scanner Reliability Improvements

December 2025

Better handling of unknown and complex companies:

Two-tier confidence: High-confidence tags auto-selected; lower-confidence shown as clickable suggestions
Clear error messages: When AI can't identify a company, you'll see a helpful explanation instead of empty results
Diversified company flags: Amazon, Microsoft, and other conglomerates now show an info banner prompting you to verify which tags apply to your specific assessment
Suggested tags: Tags with 30-49% confidence shown in a "AI also considered" section — click to add
EU customer fix: EU-based companies now correctly get both "EU-based" AND "EU customers" tags (previously the AI sometimes forgot to select both)
Streamlined AI prompt: ~45% shorter instructions with clearer location logic table — improves accuracy and reduces API costs

🔌 API Now Available (Beta)

December 16, 2025

Query regulation data programmatically for your own tools and integrations:

Applicability Checker API: Same filtering logic as the web tool
JSON responses: Easy to parse and integrate
Free tier: Rate-limited access for everyone
URL state: Share your checkbox selections via compact URLs

Read the API documentation →

December 2025 (Week 2-3)

📊 New Regulations Added

December 14-15, 2025

Data Act (EU) 2023/2854 — IoT data access and cloud portability requirements (applies Sep 2025)
IVDR (EU) 2017/746 — In Vitro Diagnostic Regulation for diagnostic devices (blood analyzers, COVID tests, genetic testing)

Total regulations covered: 29

⚖️ GDPR Establishment Principle Fix

December 14, 2025

Based on LinkedIn feedback, we corrected how GDPR appears for EU-based companies:

Before: GDPR required selecting "personal data processing" activity
After: GDPR now shows for all EU-based entities (Article 3(1) establishment principle)
Non-EU companies serving EU customers still see GDPR (Article 3(2) extraterritorial scope)

🧪 Quality: 1,591 Automated Tests

December 2025

We expanded our test suite to validate filtering accuracy across real-world scenarios:

Tests for every organization type, sector, and activity combination
Real-world company profiles: Siemens Healthineers, Tesla, Philips, Revolut, and more
Regression prevention: Each bug fix includes tests to prevent recurrence
Scanner reliability tests: Error handling, confidence thresholds, UI components
Tag consistency tests: Verify LLM prompt stays in sync with tag definitions

🔧 Filtering Logic Fix: Independent Tags & Ownership Rescue

Major improvement to how regulations are filtered when combining organization types with sector/activity/ownership tags:

Space Sector + Hardware: IRIS² now correctly shows for hardware manufacturers in the space sector
Defense Sector + Any Product Type: EDF, EDIRPA, EDIP show for defense sector manufacturers regardless of product category
Non-EU Ownership + Manufacturers: Defense regulations with ownership restrictions now correctly appear when "Non-EU ownership" is selected — important for companies evaluating EU defense contracts
Personal Data + All Org Types: GDPR/ePrivacy/EHDS correctly show when processing personal data, regardless of specific organization type

Technical: "Independent" tags (sector, activity, customer, ownership) can now rescue regulations from parent-child filtering exclusion when they match.

⚖️ Legal Accuracy Improvements

Refined regulation filtering based on legal review to reduce false positives:

EHR Software & CRA: EHR systems correctly show CRA (as software products) but NOT MDR (not medical devices per se)
NCCS-E Precision: Network Code for Electricity only shows for energy operators, not generic critical infrastructure
EHDS for Research: Research organizations correctly see EHDS for health data secondary use
CRA Exemptions: Automotive manufacturers correctly exempt from CRA (UNECE R155 applies instead)

🏭 Expanded Sector Coverage

Water Sector: Water utilities see NIS2 and CER (no false positives for NCCS-E)
Trust Services: eIDAS 2.0 providers correctly see eIDAS2, CSA, and NIS2
DNS Providers: Correctly identified as NIS2 essential entities (no size exemption)
Financial ICT Providers: fin-ict-provider tag triggers DORA without PSD2
Multi-Role Organizations: Conglomerates can select multiple roles (manufacturer + operator + service provider)

Earlier Updates

📝 Blog Content

NIS2 Directive summary
CER Directive overview
Cyber Resilience Act (CRA) analysis
Network Code on Cybersecurity for Electricity (NCCS-E)
IEC 62443 series overview
CMMC 2.0 guide

🌐 Site Launch

cyber-laws.com goes live
Focus on EU cybersecurity regulations
Dark/light theme
Search (Pagefind)

🗺️ What's Next

Based on your feedback:

Standards mapping: See which frameworks (IEC 62443, ISO 27001) help with compliance
More summaries: DORA, AI Act, MiCA, PSD2
Scanner improvements: More accurate industry detection, additional data sources
API enhancements: Additional endpoints, higher rate limits

Ideas? Discord · LinkedIn

RSS · LinkedIn