EU AI Act Compliance for SOC Automation
The Act expects human oversight, traceable logging, and bounded risk management for every autonomous decision. Morpheus produces them as records, not assertions.
- 2 August 2026: high-risk obligations apply
- €35M / 7% of worldwide annual turnover: the maximum fine under the Act (Art. 99(3), reserved for prohibited practices); breaches of the high-risk obligations carry up to €15M / 3% (Art. 99(4))
- 4 levels: configurable human oversight
- 1 audit trail: across regulations
What the AI Act Expects of SOC Automation
The EU AI Act applies a risk-based classification. Annex III point 2 covers AI used as a safety component in the management and operation of critical infrastructure (including critical digital infrastructure), and point 6 covers law-enforcement uses, so operators in those sectors are squarely in scope. Many enterprise SOC deployments fall under the Article 6(3) carve-out for systems that perform a narrow procedural or preparatory task and do not replace human assessment. Classification is therefore a question for each deployment. The architectural standard is the same either way.
What the Act expects of any AI inside security operations is consistent: a human-oversight path on autonomous decisions (Art. 14), automatic logging that lets a decision be reconstructed after the fact (Art. 12), a defined risk envelope (Art. 9), and post-market monitoring (Art. 72). Legacy SOAR playbooks were not built to produce any of these. Morpheus AI is built to high-risk-system standards regardless of how a deployment classifies, so compliance posture follows from how the platform runs.
Three Answers, Three Articles
The three obligations cited most often in procurement diligence. How Morpheus answers each.
Article 14 — Human Oversight That Scales
Four autonomy levels (Deterministic, AI-Assisted, AI-Led, Autonomous) give the deployer a configurable oversight dial. Adaptive Tasking pulls cases back to lower autonomy mid-investigation. The mode, the override, the dismissal, and the pause are all logged. See the four autonomy levels →
Article 12 — One Audit Trail Per Incident
One unified case record per incident. Reasoning chain, evidence tree, confidence score per node, every analyst interaction, and the Attack Path Discovery output. Exportable on demand. No assembly across log stores. See how Morpheus investigates →
Article 9 — Bounded Agentic Reasoning
70–80% deterministic framework with bounded reasoning scoped inside it. Every autonomous task operates within four bounds: scope, capability, authority, time. The bounds are the documented risk mitigations. Read about bounded agentic reasoning →
Provider vs. Deployer: Who Owes What
D3 is the provider under Article 16. The customer is the deployer under Article 26. The split that compliance officers screenshot and forward to legal.
| Obligation | Article | Owner | How Morpheus enables it |
|---|---|---|---|
| Risk management system | 9 | Provider | Deterministic framework + bounded agentic reasoning |
| Technical documentation | 11 + Annex IV | Provider | Conformity package available under NDA |
| Record-keeping (logging) | 12 | Provider designs; deployer retains | One audit trail per incident |
| Transparency to deployer | 13 | Provider | Instructions for use; capability disclosure |
| Human oversight | 14 | Provider designs; deployer operates | Four autonomy levels + Adaptive Tasking |
| Accuracy, robustness, cybersecurity | 15 | Provider | Self-Healing Integrations; deterministic guardrails |
| Quality management system | 17 | Provider | ISO 27001 + SOC 2 Type II foundation |
| Deployer obligations | 26 | Deployer | Configurable autonomy per tenant or case type |
| Post-market monitoring | 72 | Provider | API drift detection + auto-remediation |
One Architecture, Many Mandates
The case record that produces evidence for EU AI Act Article 12 also maps to NIS2 Article 21 documentation, DORA incident-reporting requirements, and GDPR Article 22 automated-decision-making documentation. One incident. One record. Four mandates. See NIS2 compliance and DORA compliance.
The Enforcement Timeline
- 1 August 2024. Act enters into force (published in the Official Journal on 12 July 2024).
- 2 February 2025. Prohibited practices (Art. 5) and AI literacy obligations (Art. 4) apply.
- 2 August 2025. General-purpose AI model rules apply to models placed on the market from that date.
- 2 August 2026. Annex III high-risk obligations apply (the date that drives 2026 procurement).
- 2 August 2027. GPAI rules apply to models placed on the market before 2 August 2025; Annex I (product-embedded) high-risk obligations also apply.
DACH note: enforcement of the high-risk obligations sits with the market surveillance authority each Member State designates under Art. 70; Germany's draft implementing law names the Bundesnetzagentur for that role, with BSI in a technical capacity. Most DE and AT CISOs treat 2 August 2026 as a procurement deadline for SOC tooling that processes alerts at scale. Swiss organisations are in scope only where the system or its output is used in the Union (Art. 2(1)).
Frequently Asked Questions
What compliance officers, CISOs, and procurement teams ask before signing.
Is Morpheus a high-risk AI system under the EU AI Act?
Classification depends on deployment. Morpheus is high-risk when deployed as a safety component in the management and operation of critical infrastructure (Annex III point 2) or by law-enforcement authorities for the uses listed in Annex III point 6. Typical enterprise SOC triage often falls under the Article 6(3) carve-out for narrow procedural or preparatory tasks that feed human analyst decisions. D3 builds Morpheus to high-risk-system standards regardless, so deployers in scope are covered and deployers outside scope inherit the same controls.
When we use Morpheus, are we the deployer or the provider?
The customer is the deployer under Article 26. D3 Security is the provider under Article 16. Provider obligations cover design, documentation, conformity assessment, quality management, post-market monitoring, and serious-incident reporting. Deployer obligations cover operating within provider instructions, qualified human oversight, monitoring against expected performance, log retention, worker information, and fundamental-rights impact assessment where required.
How does Morpheus support Article 14 human-oversight requirements?
Four autonomy levels (Deterministic, AI-Assisted, AI-Led, Autonomous) function as the deployer's oversight dial, configurable per tenant or per case type. Adaptive Tasking pulls cases back into lower autonomy levels mid-investigation. The mode, every override, every dismissal, and every pause are logged with analyst identity, timestamp, and stated reason. The capacities Art. 14(4) requires of the overseer (decide not to use, disregard or override an output, intervene, interrupt the system safely) are produced as records.
What logging does Morpheus produce to support Article 12?
One unified case record per incident. The Cybersecurity Triage Reasoning Graph captures the reasoning chain, the evidence tree, confidence scores per node, every analyst interaction, and the Attack Path Discovery output. The same record maps to NIS2 Article 21 documentation, DORA incident-reporting requirements, and GDPR Article 22 documentation for automated decision-making with legal effects.
When do EU AI Act obligations apply to SOC automation?
Chapter III high-risk obligations apply to Annex III systems from 2 August 2026; Annex I product-embedded systems follow on 2 August 2027. General-purpose AI model rules applied to new models from 2 August 2025 and apply to models already on the market from 2 August 2027. Prohibited practices and AI literacy obligations have been live since 2 February 2025. Most 2026 SOC procurement cycles are anchored on the 2 August 2026 date.
Does Morpheus support transparency obligations to affected workers and data subjects?
Yes. Case summaries are analyst-readable. Evidence trees explain the reasoning behind autonomous decisions. The Article 13 deployer instruction package documents capabilities and limitations in plain language. Article 26(7) worker-information requirements are supported by the platform’s documented autonomy settings and the analyst-readable case record. GDPR Article 22 documentation pulls from the same audit trail.
How does Morpheus’s risk management address Article 9?
Three architectural commitments. 70–80% of reasoning runs through deterministic code paths, so the risk surface is bounded by design. Bounded agentic reasoning enforces four explicit bounds per task (scope, capability, authority, time) that map directly to Article 9 risk-mitigation documentation. Self-Healing Integrations maps to Article 72 post-market monitoring as a property of how integrations operate.
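The three FAQ answers above (Article 14 oversight events, the Article 12 per-incident record, and the four Article 9 bounds) describe a control pattern rather than a product feature list, so here is that pattern as runnable code. This is an added example and not Morpheus or D3 Security code: the level names come from the page, but the ordering of the levels, the field layout, the hash-chaining of the record, the function names (`authorize_action`, `oversight_event`, `adaptive_tasking`, `run_demo`) and every host, user and incident identifier in the scenario are assumptions made for this illustration. It does not model the page's 70–80% deterministic split.

```python
# Added example, not Morpheus/D3 code: a task envelope with the four bounds the page
# names, plus one append-only, hash-chained record per incident. All names, fields,
# ids and policy values are assumptions made for this example.
from __future__ import annotations
import hashlib
import json
from dataclasses import dataclass, field, replace
from datetime import datetime, timedelta, timezone

LEVELS = ["deterministic", "ai_assisted", "ai_led", "autonomous"]  # page's names; order assumed
OVERSIGHT_KINDS = {"mode_change", "override", "dismiss", "pause"}

@dataclass(frozen=True)
class TaskBounds:
    scope: frozenset[str]       # case objects the task may touch
    capability: frozenset[str]  # actions the task may take
    authority: str              # highest autonomy level it may run at
    expires_at: datetime        # time bound: nothing is authorised after this

@dataclass
class IncidentRecord:
    """One record per incident; each event hashes the one before it, so an export can be checked."""
    incident_id: str
    events: list[dict] = field(default_factory=list)
    head: str = "0" * 64  # genesis hash

    @staticmethod
    def _digest(prev: str, body: dict) -> str:
        return hashlib.sha256((prev + json.dumps(body, sort_keys=True)).encode()).hexdigest()

    def append(self, body: dict) -> dict:
        entry = {**body, "prev": self.head, "hash": self._digest(self.head, body)}
        self.events.append(entry)
        self.head = entry["hash"]
        return entry

    def verify(self) -> bool:
        prev = "0" * 64
        for e in self.events:
            body = {k: v for k, v in e.items() if k not in ("prev", "hash")}
            if e["prev"] != prev or e["hash"] != self._digest(prev, body):
                return False  # edited, dropped or reordered event
            prev = e["hash"]
        return prev == self.head

def authorize_action(record: IncidentRecord, bounds: TaskBounds, *, level: str,
                     action: str, target: str, now: datetime) -> dict:
    """Evaluate all four bounds (no short-circuit, so the log names every failed one), log, then refuse."""
    checks = (("scope", target in bounds.scope), ("capability", action in bounds.capability),
              ("authority", LEVELS.index(level) <= LEVELS.index(bounds.authority)),
              ("time", now <= bounds.expires_at))
    failed = [name for name, ok in checks if not ok]
    entry = record.append({"type": "action", "ts": now.isoformat(), "level": level,
                           "action": action, "target": target, "failed_bounds": failed,
                           "decision": "denied" if failed else "allowed"})
    if failed:
        raise PermissionError(f"{action} on {target} denied: {', '.join(failed)}")
    return entry

def oversight_event(record, *, analyst, kind, reason, now, detail=None) -> dict:
    """Log an Art. 14 act (override, dismissal, pause, mode change) with who, when and why."""
    if kind not in OVERSIGHT_KINDS or not analyst or not reason:
        raise ValueError("a known kind, analyst identity and a stated reason are required")
    return record.append({"type": "oversight", "kind": kind, "analyst": analyst,
                          "reason": reason, "ts": now.isoformat(), "detail": detail})

def adaptive_tasking(record, bounds, *, analyst, new_level, reason, now) -> TaskBounds:
    """Pull the case to a lower autonomy level mid-investigation, log it, return the tightened envelope."""
    if LEVELS.index(new_level) >= LEVELS.index(bounds.authority):
        raise ValueError("adaptive tasking only lowers autonomy")
    oversight_event(record, analyst=analyst, kind="mode_change", reason=reason, now=now,
                    detail={"from": bounds.authority, "to": new_level})
    return replace(bounds, authority=new_level)

def run_demo() -> IncidentRecord:
    t0 = datetime(2026, 8, 3, 9, 0, tzinfo=timezone.utc)  # constructed scenario; all ids made up
    rec = IncidentRecord("INC-0001")
    bounds = TaskBounds(scope=frozenset({"host-17", "user-a.smith"}),
                        capability=frozenset({"isolate_host", "disable_user"}),
                        authority="autonomous", expires_at=t0 + timedelta(hours=1))
    authorize_action(rec, bounds, level="autonomous", action="isolate_host", target="host-17", now=t0)
    for kw in (dict(action="wipe_host", target="host-17", now=t0),                          # capability
               dict(action="isolate_host", target="dc-01", now=t0),                         # scope
               dict(action="isolate_host", target="host-17", now=t0 + timedelta(hours=2))):  # time
        try:
            authorize_action(rec, bounds, level="autonomous", **kw)
        except PermissionError:
            pass  # the denial and the bounds it failed are already in the record
    bounds = adaptive_tasking(rec, bounds, analyst="a.ng", new_level="ai_assisted",
                              reason="possible lateral movement", now=t0 + timedelta(minutes=5))
    try:  # an action the envelope allowed a minute ago now fails the authority bound
        authorize_action(rec, bounds, level="autonomous", action="disable_user",
                         target="user-a.smith", now=t0 + timedelta(minutes=6))
    except PermissionError:
        pass
    oversight_event(rec, analyst="a.ng", kind="override", now=t0 + timedelta(minutes=7),
                    reason="account belongs to the on-call responder; keep it enabled")
    return rec

if __name__ == "__main__": print(json.dumps(run_demo().events, indent=1))
```

Two design choices carry the compliance weight. Every bound is evaluated before the decision is written, so a denied event states which of scope, capability, authority or time it failed rather than only the first one found, which is what an Article 9 risk file or an Article 14 reviewer needs. And an oversight act is refused unless it carries an analyst identity and a reason, so the record cannot contain an anonymous override. The hash chain is this example's own addition: it makes an exported record tamper-evident, which is a sensible thing to ask any vendor whether its Article 12 export provides.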
Can one Morpheus audit trail support EU AI Act, NIS2, and DORA at the same time?
Yes. The case record is constructed once and mapped to the reporting cadence of each mandate. NIS2 Article 21 documentation, DORA incident classification and reporting, EU AI Act Articles 12 and 14 evidence, and GDPR Article 22 automated-decision-making documentation all draw from the same unified record.
See the architecture the AI Act expects.
Morpheus produces the records every Chapter III obligation asks for, as a property of how the platform runs.