Regulatory compliance

Compliance is engineering work, not paperwork at the end. The regulations below shape the systems Cuko Ltd builds: how data flows, how identities are anchored, how incidents are detected and reported, and how the controls hold up under audit.

Each block lists the articles I implement against, the deliverables produced, and an indication of past delivery. For depth on a specific regulation or article, get in touch.

→ MiCA

Markets in Crypto-Assets Regulation

MiCA (Regulation (EU) 2023/1114) is the EU's harmonised framework for crypto-asset issuers and crypto-asset service providers (CASPs). Stablecoin and asset-referenced-token requirements applied from 30 June 2024; CASP requirements applied from 30 December 2024.

Articles I implement against

Title III: Asset-referenced token requirements — issuer authorisation, reserve composition, redemption rights
Title IV: E-money token requirements — equivalence to e-money, scheme governance
Title V: CASP authorisation, ongoing requirements, conduct of business
Articles 67–69: Prudential safeguards, governance arrangements, business continuity
Articles 75–79: Conflicts of interest, complaints handling, custody and administration

What I deliver

Licence-readiness assessments; governance and three-lines-of-defence design; conflict-of-interest registers; complaints-handling pipelines tied to ticketing; segregation of client-asset accounting; ESMA and EBA technical-standard alignment.

→ DORA

Digital Operational Resilience Act

DORA (Regulation (EU) 2022/2554) establishes uniform requirements for the digital operational resilience of financial entities in the EU. It applied from 17 January 2025 and covers ICT risk management, incident reporting, resilience testing, and third-party-risk oversight.

Articles I implement against

Articles 5–10: ICT risk-management framework, identification, protection, detection, response, recovery
Articles 17–23: ICT-related incident management — classification, major-incident notification, root-cause analysis
Articles 24–27: Digital operational resilience testing — scenario-based tests and threat-led penetration testing
Articles 28–30: Third-party ICT risk — register of information, contractual arrangements, exit strategies

What I deliver

ICT-risk frameworks aligned to ISO 27001 and NIST CSF; incident-classification rules wired into observability stacks; register-of-information templates; threat-led penetration test scopes; exit-strategy runbooks for critical third-party ICT providers.

→ EU AI Act

EU Artificial Intelligence Act

The EU AI Act (Regulation (EU) 2024/1689) entered into force in August 2024 with staged application: prohibitions from February 2025, GPAI obligations from August 2025, high-risk system obligations from August 2026, and full application from August 2027.

Articles I implement against

Article 6: High-risk AI system classification
Article 12: Record-keeping — automatic logging of events for post-market traceability
Article 14: Human oversight design
Article 17: Quality-management system for providers
Article 72: Post-market monitoring

What I deliver

Risk classifications; tamper-evident logging architectures; human-oversight UX patterns; quality-management frameworks; post-market monitoring pipelines; CE-marking documentation packs.

→ Engaging

Where to start

Compliance work usually begins with a one-week diagnostic — current state mapped against the regulation, gap register produced, prioritised remediation plan delivered to the board. Diagnostic outputs convert directly into a build engagement if you choose to proceed.

Book Book a discovery call ↗

Email [email protected]

More All engagement modes →

Regulatory compliance

UK GDPR and EU GDPR

Articles I implement against

What I deliver

Markets in Crypto-Assets Regulation

Articles I implement against

What I deliver

Digital Operational Resilience Act

Articles I implement against

What I deliver

EU Artificial Intelligence Act

Articles I implement against

What I deliver

Where to start