Regulatory & Compliance

CipherLaw advises technology companies on the regulatory landscape governing AI and cybersecurity systems. Our practice helps clients understand compliance obligations, implement appropriate governance frameworks, and adapt to evolving regulatory requirements across jurisdictions.

The regulatory environment for AI is developing rapidly. The EU AI Act has established the first comprehensive framework for AI governance, with extraterritorial reach affecting companies operating in or selling into European markets. In the United States, a patchwork of federal guidance, state legislation, and sector-specific requirements creates compliance complexity for companies deploying AI systems. Cybersecurity regulation continues to expand, with new disclosure obligations and technical requirements emerging at federal and state levels.

We help clients navigate this landscape—identifying applicable requirements, assessing compliance gaps, and implementing practical solutions that enable innovation while managing regulatory risk.


AI Regulatory Compliance

We advise on compliance with AI-specific regulations and guidance across jurisdictions.

The EU AI Act imposes obligations based on risk classification. High-risk AI systems—including those used in employment, credit, education, and critical infrastructure—face requirements for risk management, data governance, transparency, human oversight, and conformity assessment. General-purpose AI models, including foundation models, carry additional obligations around technical documentation, training data transparency, and copyright compliance. We help clients determine how their systems are classified, what obligations apply, and how to implement compliant practices.

In the United States, we monitor and advise on the evolving federal and state landscape. This includes FTC enforcement priorities around AI claims and algorithmic fairness, SEC disclosure guidance for public companies deploying AI, EEOC positions on AI in employment decisions, and state laws such as the Colorado AI Act. For companies in regulated industries, we address sector-specific AI requirements from agencies including the FDA, banking regulators, and insurance commissioners.

We conduct compliance assessments that map client AI systems against applicable requirements, identify gaps, and prioritize remediation based on risk and business impact.

Data Privacy & Training Data

AI systems implicate data protection law at multiple points—collection of training data, processing during inference, and handling of outputs that may contain personal information.

We advise on compliance with GDPR, CCPA/CPRA, and the growing number of state privacy laws affecting data practices. This includes evaluating lawful bases for processing, implementing required disclosures, managing data subject rights, and addressing cross-border transfer requirements. For AI systems specifically, we help clients navigate questions around automated decision-making provisions, profiling restrictions, and transparency obligations.

Training data practices present particular compliance considerations. We advise on data sourcing, documentation of provenance, consent and licensing requirements, and the intersection of privacy law with copyright and IP considerations that arise in AI training.

Cybersecurity Compliance

We advise on cybersecurity regulatory requirements applicable to technology companies, with particular focus on companies developing AI and security products.

This includes SEC cybersecurity disclosure rules requiring material incident reporting and annual disclosure of risk management practices. We help clients develop disclosure frameworks and incident response protocols that meet regulatory expectations. For companies in regulated sectors, we address requirements under HIPAA, GLBA, PCI-DSS, and other frameworks governing security practices.

We also advise on emerging state cybersecurity requirements and help clients implement governance structures that satisfy multiple overlapping obligations efficiently.

Terms of Service & Commercial Agreements

Regulatory compliance extends to client-facing documentation and commercial relationships. We draft and review terms of service, acceptable use policies, and privacy notices that address AI-specific considerations—including limitations on prohibited uses, allocation of responsibility for outputs, and compliance with transparency requirements.

For commercial agreements, we address regulatory allocation between parties, compliance representations, audit rights, and liability provisions appropriate to the regulatory environment. Where clients are deploying AI systems subject to the EU AI Act or other frameworks, we ensure contractual documentation reflects applicable obligations.

Risk Assessment & Governance

We help clients implement governance frameworks that support ongoing compliance as regulations evolve.

This includes developing AI risk assessment processes aligned with the NIST AI Risk Management Framework and EU AI Act requirements. We advise on governance structures—including roles, policies, and oversight mechanisms—appropriate to the client's risk profile and regulatory exposure. For companies subject to high-risk AI requirements, we help design and document the risk management systems, testing protocols, and human oversight measures required for compliance.

We also advise on documentation practices, helping clients establish records sufficient to demonstrate compliance and respond to regulatory inquiries.

Regulatory Monitoring

The regulatory landscape for AI is changing quickly. We provide ongoing monitoring of developments relevant to client operations, including proposed regulations, agency guidance, enforcement actions, and compliance deadlines.

Monitoring is tailored to client-specific regulatory exposure—tracking developments in jurisdictions and sectors where the client operates. We provide periodic briefings on material developments and advise on adjustments to compliance practices as requirements evolve.


Engagement Terms

We offer fixed-fee arrangements for defined compliance assessments and advisory projects. Ongoing monitoring and general counsel arrangements are structured as monthly retainers scaled to scope and intensity of coverage.