EXHIBIT R · REGULATORY MANIFESTlast fact-checked · Apr 30, 2026

Seven laws.
Three already enforceable.
One audit away.

Pick a law. See the fine, the date, and what it actually requires. The full statute lives one click away.

Informational. Not legal advice. Vera tracks AI regulation publicly because accurate references help everyone. Talk to qualified counsel for an opinion on your specific situation.

Step 1 · annual revenue (USD)
$50M
$1M$50M$500M$2B

Move the slider. The right side shows the maximum statutory exposure across the four laws with hard fine ceilings. Real-world penalties are tiered and rarely max, but every number on the right is theoretically reachable.

Maximum statutory exposure
$39.1M
per year, summed across four enforcement regimes
EUEU AI Act · Art. 5$35.0M
CACA SB 942 · 1 yr · daily$1.8M
HIPAAHIPAA · per category/yr$2.1M
TXTX TRAIGA · per violation$200K
TIER I · UNCAPPED EXPOSURE
§ 01

EU AI Act· Regulation (EU) 2024/1689

● 81 days
until Aug 2, 2026
€35M
or 7% of worldwide turnover · per prohibited-practice violation
Binds you when
Output reaches a user in the EU.
TL;DR

€35M or 7% of worldwide turnover for prohibited practices. Applies to any AI provider whose output reaches a user in the EU, regardless of where the company is based.

Footnote

August 2, 2026 is the binding date for high-risk obligations. The November 2025 Digital Omnibus proposal could link this to harmonized standards readiness, but the date has not moved.

Before deployment· 7
  1. 01Risk management system· Art. 9
  2. 02Data governance· Art. 10
  3. 03Technical documentation per Annex IV· Art. 11
  4. 04Transparency mechanisms designed· Art. 13
  5. 05Human oversight measures designed· Art. 14
  6. 06Accuracy, robustness, cybersecurity validated· Art. 15
  7. 07CE marking and EU database registration· Art. 71
During deployment· 3
  1. 01Automatic logging of operation· Art. 12
  2. 02Post-market monitoring· Art. 72
  3. 03Serious incident reporting · 2 / 10 / 15-day windows· Art. 73
EXPOSURE TIERS · 3
Prohibited practices (Art. 5)€35M / 7%
High-risk obligations€15M / 3%
Misleading information€7.5M / 1%
Source: Regulation (EU) 2024/1689 · last verified Apr 30, 2026

Are you covered? Eight questions.

0 / 8 answered
Q.01Can you produce, on demand, every prompt and tool call that led to a customer-facing AI decision in the last 90 days?
Q.02Are your AI logs cryptographically signed in a way a regulator can verify offline?
Q.03Do you have a documented human-oversight policy for high-risk AI workflows?
Q.04Can you identify, within minutes, every AI-generated communication that left your firm yesterday?
Q.05Do you have a current Business Associate Agreement with every AI vendor that touches PHI?
Q.06If an EU regulator asked tomorrow, could you produce automatic operation logs covering the past six months?
Q.07Have you completed an impact assessment for every consequential-decision AI deployed in Colorado-touching workflows?
Q.08Do your AI-generated outputs carry both manifest and latent disclosures where required?
Standing by
Eight questions. None of them rhetorical. Each one maps to a specific obligation that takes effect this year.
See how Vera closes them →
EXHIBIT A · WHAT REGULATORS ASK FORchain · 5/5 verified

Every action. Hashed. Signed. Replayable.

Each block hashes the previous. Tamper with any step, the chain breaks. The artifact below is what gets handed to an auditor. The animation runs the chain once a second so you can watch the order propagate.

Step 01fetch_credit_reportd93c9c02…0011
Step 02analyze_applicationf706a2b4…c188
Step 03assess_risk1d9f7b2e…aa5c
Step 04human_approvala91e0c45…8842
Step 05make_decision7a5e9f06…79ae

The deadlines are real.
So is the chain.

Vera records every agent action into a tamper-evident, signed audit chain. When a regulator asks, the answer is provable in seconds.

Get started →