Newsletter Article

Global Cyber & AI Regulation: Logging & Evidence Compliance Matrix

8 FRAMEWORKS · 4 JURISDICTIONS · 1 QUESTION EACH ASKS

Can you prove what happened, when, and to whom? Filter by your role to see which frameworks apply, what they require you to log and retain, how fast you have to report, and what non-compliance costs — plus the two ISO standards increasingly demanded in procurement, even though they carry no statutory penalty of their own.

Snare Insider Newsletter Series Article

Make sure you Subscribe

4hs

DORA’s fastest reporting clock, initial notification after classification

10M

NIS2’s maximum fine for essential entities, or 2% of global turnover

6mo

Minimum automatic log retention required under the EU AI Act

8

Frameworks now converging on the same evidentiary expectations

SEC Cybersecurity Disclosure Rules (US)

Applies to
US public companies (SEC registrants); foreign private issuers via Form 6-K

Logging / monitoring requirement
No prescriptive logging mandate, but registrants need log-based visibility to identify and assess incidents and make timely materiality determinations

Retention
Not specified by the rule itself; general federal books-and-records rules apply separately

Key reference
17 CFR Item 1.05 of Form 8-K; Item 106 of Regulation S-K

Penalty exposure
SEC enforcement action; civil penalties and potential officer/director liability determined case-by-case (no fixed statutory cap)

Key date
Effective since Dec 2023; ongoing SEC guidance and enforcement through 2026

Reporting timeline
4 business days after determining an incident is material — approximated below as ~96 hours on the shared scale

EU AI Act

Applies to
Providers and deployers of high-risk AI systems

Logging / monitoring requirement
Automatic event logging over the system’s operational lifetime (Article 12)

Retention
Minimum 6 months; longer per intended use (Article 26(6))

Key reference
Regulation (EU) 2024/1689, Articles 12, 26(6), 73, 99

Penalty exposure
Record-keeping breaches: up to €15M or 3% global turnover (Art. 99); higher tiers for prohibited practices

Key date
Transparency obligations from 2 Aug 2026 (some deadlines shifted under May 2026 simplification agreement)

Reporting timeline
Serious incidents: without undue delay, max 15 days (shorter for severe/fatal cases) (Article 73)

Essential Eight

Applies to
Australian Government entities (mandated); DISP members (ML2 baseline); recommended for all AU organisations

Logging / monitoring requirement
Centralised event logging; tamper protection; monitoring of internet-facing/cloud & SaaS control planes; PowerShell & command-line logging

Retention
Per ISM guidance (varies by system criticality); no single fixed period

Key reference
ASD Essential Eight Maturity Model → “Essentials” series (2026)

Penalty exposure
No direct fine; affects DISP membership, government contract eligibility and audit findings

Key date
Retirement confirmed 24 Jun 2026; consultation closes 12 Jul 2026; ~24-month transition

Reporting timeline
N/A — maturity framework, not an incident-reporting regime

ISO/IEC 27001:2022

Applies to
Any organisation seeking ISMS certification (global, voluntary; frequently required contractually or for procurement)

Logging / monitoring requirement
Produce, store, protect and analyse logs of user activity, exceptions, faults and security events (Annex A 8.15); clock sync (A.8.17); log monitoring (A.8.16)

Retention
Not fixed by the standard; organisation-defined based on risk assessment (commonly 1–3 years in practice)

Key reference
ISO/IEC 27001:2022 Annex A, Controls 8.15, 8.16, 8.17

Penalty exposure
No statutory fine; non-conformity risks loss or suspension of certification and contractual/procurement eligibility

Key date
Current edition published Oct 2022; 2013-edition transition deadline closed 31 Oct 2025

Reporting timeline
N/A — maturity framework, not an incident-reporting regime

ISO/IEC 42001:2023

Applies to
Any organisation providing or using AI systems (global, voluntary; increasingly requested in AI vendor due diligence)

Logging / monitoring requirement
AI system event logging across the lifecycle — training, validation, deployment and inference — based on risk assessment (Annex A.6.2.8)

Retention
Not fixed by the standard; organisation-defined per risk assessment and applicable law (can be aligned to the EU AI Act’s 6-month floor)

Key reference
ISO/IEC 42001:2023, Annex A.6.2.8; Clauses 7.5, 8.3, 9.1

Penalty exposure
No statutory fine; non-conformity risks loss of certification and reduced standing in AI procurement/due diligence

Key date
Published Dec 2023; certification uptake accelerating through 2026

Reporting timeline
N/A — maturity framework, not an incident-reporting regime

DORA (EU)

Applies to
EU financial entities (banks, insurers, investment firms, payment institutions, crypto-asset providers) and their critical ICT third-party providers

Logging / monitoring requirement
ICT risk management framework must support incident detection, classification and logging (Article 17)

Retention
Incident register retained for a minimum of 5 years

Key reference
Regulation (EU) 2022/2554, Articles 17–19

Penalty exposure
Administrative penalties set by national competent authorities (no single EU-wide cap in DORA itself)

Key date
Applicable since 17 Jan 2025

Reporting timeline
Initial notification ≤ 4h from classification (≤24h from detection) → 72h intermediate report → 1-month final report

NIS2 (EU)

Applies to
EU essential/important entities across 18 sectors incl. MSSPs, cloud, data centres, CDNs, trust services (generally ≥50 employees or >€10M turnover)

Logging / monitoring requirement
Monitoring & logging capabilities; logging system availability independently monitored from the environment it observes

Retention
Not fixed at EU level; set by national transposition / risk-based

Key reference
Directive (EU) 2022/2555, Articles 21 & 23

Penalty exposure
Essential entities: up to €10M or 2% global turnover. Important entities: up to €7M or 1.4%

Key date
Transposition deadline 17 Oct 2024; first compliance audits due 30 Jun 2026

Reporting timeline
24h early warning → 72h notification → 1-month final report

AU Ransomware Payment Reporting

Applies to
AU entities with turnover > AUD $3M; SOCI critical infrastructure responsible entities (any turnover)

Logging / monitoring requirement
Not directly mandated, but complete authentication, endpoint, network and privileged-access logs are needed to satisfy the report

Retention
Not specified in the Act; practical need for pre-incident retention

Key reference
Cyber Security Act 2024 (Cth) Part 3, s26(2); Ransomware Payment Reporting Rules 2025, s6

Penalty exposure
Civil penalty up to 60 penalty units (currently AUD $19,800)

Key date
Commenced 30 May 2025; active enforcement since 1 Jan 2026

Reporting timeline
72 hours from payment or awareness of payment

EU AI Act

Applies to
Providers and deployers of high-risk AI systems

Logging / monitoring requirement
Automatic event logging over the system’s operational lifetime (Article 12)

Retention
Minimum 6 months; longer per intended use (Article 26(6))

Key reference
Regulation (EU) 2024/1689, Articles 12, 26(6), 73, 99

Penalty exposure
Record-keeping breaches: up to €15M or 3% global turnover (Art. 99); higher tiers for prohibited practices

Key date
Transparency obligations from 2 Aug 2026 (some deadlines shifted under May 2026 simplification agreement)

Reporting timeline
Serious incidents: without undue delay, max 15 days (shorter for severe/fatal cases) (Article 73)

Essential Eight

Applies to
Australian Government entities (mandated); DISP members (ML2 baseline); recommended for all AU organisations

Logging / monitoring requirement
Centralised event logging; tamper protection; monitoring of internet-facing/cloud & SaaS control planes; PowerShell & command-line logging

Retention
Per ISM guidance (varies by system criticality); no single fixed period

Key reference
ASD Essential Eight Maturity Model → “Essentials” series (2026)

Penalty exposure
No direct fine; affects DISP membership, government contract eligibility and audit findings

Key date
Retirement confirmed 24 Jun 2026; consultation closes 12 Jul 2026; ~24-month transition

Reporting timeline
N/A — maturity framework, not an incident-reporting regime

NIS2 (EU)

Applies to
EU essential/important entities across 18 sectors incl. MSSPs, cloud, data centres, CDNs, trust services (generally ≥50 employees or >€10M turnover)

Logging / monitoring requirement
Monitoring & logging capabilities; logging system availability independently monitored from the environment it observes

Retention
Not fixed at EU level; set by national transposition / risk-based

Key reference
Directive (EU) 2022/2555, Articles 21 & 23

Penalty exposure
Essential entities: up to €10M or 2% global turnover. Important entities: up to €7M or 1.4%

Key date
Transposition deadline 17 Oct 2024; first compliance audits due 30 Jun 2026

Reporting timeline
24h early warning → 72h notification → 1-month final report

AU Ransomware Payment Reporting

Applies to
AU entities with turnover > AUD $3M; SOCI critical infrastructure responsible entities (any turnover)

Logging / monitoring requirement
Not directly mandated, but complete authentication, endpoint, network and privileged-access logs are needed to satisfy the report

Retention
Not specified in the Act; practical need for pre-incident retention

Key reference
Cyber Security Act 2024 (Cth) Part 3, s26(2); Ransomware Payment Reporting Rules 2025, s6

Penalty exposure
Civil penalty up to 60 penalty units (currently AUD $19,800)

Key date
Commenced 30 May 2025; active enforcement since 1 Jan 2026

Reporting timeline
72 hours from payment or awareness of payment

EU AI Act

Applies to
Providers and deployers of high-risk AI systems

Logging / monitoring requirement
Automatic event logging over the system’s operational lifetime (Article 12)

Retention
Minimum 6 months; longer per intended use (Article 26(6))

Key reference
Regulation (EU) 2024/1689, Articles 12, 26(6), 73, 99

Penalty exposure
Record-keeping breaches: up to €15M or 3% global turnover (Art. 99); higher tiers for prohibited practices

Key date
Transparency obligations from 2 Aug 2026 (some deadlines shifted under May 2026 simplification agreement)

Reporting timeline
Serious incidents: without undue delay, max 15 days (shorter for severe/fatal cases) (Article 73)

ISO/IEC 42001:2023

Applies to
Any organisation providing or using AI systems (global, voluntary; increasingly requested in AI vendor due diligence)

Logging / monitoring requirement
AI system event logging across the lifecycle — training, validation, deployment and inference — based on risk assessment (Annex A.6.2.8)

Retention
Not fixed by the standard; organisation-defined per risk assessment and applicable law (can be aligned to the EU AI Act’s 6-month floor)

Key reference
ISO/IEC 42001:2023, Annex A.6.2.8; Clauses 7.5, 8.3, 9.1

Penalty exposure
No statutory fine; non-conformity risks loss of certification and reduced standing in AI procurement/due diligence

Key date
Published Dec 2023; certification uptake accelerating through 2026

Reporting timeline
N/A — maturity framework, not an incident-reporting regime

SEC Cybersecurity Disclosure Rules (US)

Applies to
US public companies (SEC registrants); foreign private issuers via Form 6-K

Logging / monitoring requirement
No prescriptive logging mandate, but registrants need log-based visibility to identify and assess incidents and make timely materiality determinations

Retention
Not specified by the rule itself; general federal books-and-records rules apply separately

Key reference
17 CFR Item 1.05 of Form 8-K; Item 106 of Regulation S-K

Penalty exposure
SEC enforcement action; civil penalties and potential officer/director liability determined case-by-case (no fixed statutory cap)

Key date
Effective since Dec 2023; ongoing SEC guidance and enforcement through 2026

Reporting timeline
4 business days after determining an incident is material — approximated below as ~96 hours on the shared scale

DORA (EU)

Applies to
EU financial entities (banks, insurers, investment firms, payment institutions, crypto-asset providers) and their critical ICT third-party providers

Logging / monitoring requirement
ICT risk management framework must support incident detection, classification and logging (Article 17)

Retention
Incident register retained for a minimum of 5 years

Key reference
Regulation (EU) 2022/2554, Articles 17–19

Penalty exposure
Administrative penalties set by national competent authorities (no single EU-wide cap in DORA itself)

Key date
Applicable since 17 Jan 2025

Reporting timeline
Initial notification ≤ 4h from classification (≤24h from detection) → 72h intermediate report → 1-month final report

AU Ransomware Payment Reporting

Applies to
AU entities with turnover > AUD $3M; SOCI critical infrastructure responsible entities (any turnover)

Logging / monitoring requirement
Not directly mandated, but complete authentication, endpoint, network and privileged-access logs are needed to satisfy the report

Retention
Not specified in the Act; practical need for pre-incident retention

Key reference
Cyber Security Act 2024 (Cth) Part 3, s26(2); Ransomware Payment Reporting Rules 2025, s6

Penalty exposure
Civil penalty up to 60 penalty units (currently AUD $19,800)

Key date
Commenced 30 May 2025; active enforcement since 1 Jan 2026

Reporting timeline
72 hours from payment or awareness of payment

Sources

Sources: ASD/cyber.gov.au; iTnews; Commonwealth Cyber Security Posture Report 2025; Cyber Security Act 2024 (Cth) & Ransomware Payment Reporting Rules 2025; Directive (EU) 2022/2555 (NIS2); Regulation (EU) 2024/1689 (EU AI Act); Regulation (EU) 2022/2554 (DORA); U.S. SEC Item 1.05 of Form 8-K & Item 106 of Regulation S-K; Cyber Incident Reporting for Critical Infrastructure Act of 2022 and CISA’s proposed rule (6 CFR Part 226); ISO/IEC 27001:2022; ISO/IEC 42001:2023. Figures current as at time of writing and subject to change as consultations close, rules are finalised, and enforcement practice develops. This is not legal advice — confirm specific obligations with qualified counsel.

Snare Solutions
Privacy Overview

This website uses cookies so that we can provide you with the best user experience possible. Cookie information is stored in your browser and performs functions such as recognising you when you return to our website and helping our team to understand which sections of the website you find most interesting and useful.