Six frameworks. One evidence system.
AI software companies don't get to choose which regulations apply to what they ship.
EU Market Exclusion
CRA non-conformity is not a fine with a payment plan. It is EU market exclusion.
Products that cannot demonstrate CRA conformity lose CE marking and EU market access — revenue eliminated, not reduced. For AI software companies with material EU ARR, this is an existential product risk.
AI License Liability
AI coding tools reproduced GPL code in 68% of codebases. Nobody checked.
The 2026 OSSRA found the largest single-year jump in license conflicts ever recorded — driven by AI assistants reproducing copyleft code without attribution. This surfaces at M&A, litigation, or regulatory review. Source: 2026 OSSRA Report.
107% more vulnerabilities. 68% license conflict rate. 24% governing AI code comprehensively. And EU CRA enforcement starts September 2026.
- 107%: increase in mean vulnerabilities per codebase in 2026 — driven by AI-assisted development. Source: 2026 OSSRA Report.
- Mean open-source vulnerabilities per codebase in 2026. Every actively exploited one triggers a CRA 24-hour reporting clock.
- 68% of codebases contain license conflicts — highest in OSSRA history, driven by AI license laundering from copyleft sources.
- 24% of organizations evaluate AI-generated code comprehensively for IP, license, security, and quality. 76% have blind spots.
- BDSA advisories ahead of NVD — critical lead time for AI model package vulnerabilities not yet in public databases.
AI software companies answer to six frameworks — and AI-generated code is in scope for all of them.
| Regulation | Who it affects | Timing | What you must answer | How X-DLM™ helps |
|---|---|---|---|---|
| EU Cyber Resilience Act (CRA) | Any company placing software products with digital elements on the EU/EEA market — including AI software platforms, SaaS products with AI features, AI agents, MLOps tools, developer tools, and infrastructure software. | Vulnerability reporting: September 11, 2026. Full enforcement: December 2027. Effective now for conformity planning. | SBOM (machine-readable), secure-by-design evidence, vulnerability management, 24h/72h/14-day reporting cascade, coordinated vulnerability disclosure, post-market monitoring, CE marking, 10-year documentation retention. | Black Duck generates SBOMs covering AI-generated code, model dependencies, and traditional open source. X-DLM™ routes findings into Polarion with CRA-timed workflows. LiveDocs produces the evidence package. |
| EU AI Act | Developers and deployers of AI systems in the EU — particularly high-risk AI applications in hiring, healthcare, education, credit scoring, law enforcement, biometrics, and critical infrastructure. | High-risk provisions phased in 2025–2026. GPAI model obligations active. Full scope enforcement ongoing. | Risk management, conformity assessment, transparency documentation, human oversight mechanisms, accuracy and robustness logging, training data governance, GPAI model technical documentation. | Polarion provides the traceability and evidence framework for AI system documentation requirements. X-DLM™ links AI model component risk to development decisions. Black Duck assesses model dependencies. |
| NIST SP 800-218 (SSDF) | Software producers selling to US government and federal contractors — increasingly referenced in enterprise procurement as standard secure development evidence. | Active federal procurement requirement. Referenced in enterprise security questionnaires and SOC 2 Type II audit frameworks. | Secure development practices, vulnerability management, SBOM provision, provenance tracking, third-party component control, evidence of process maturity across the SDLC. | Black Duck generates SPDX/CycloneDX SBOMs and supplies component intelligence. Polarion maintains SSDF lifecycle evidence. X-DLM™ synchronizes both for enterprise procurement delivery. |
| NIST AI RMF | Organizations developing or deploying AI systems seeking to demonstrate responsible AI governance — increasingly required in US federal AI procurement and enterprise AI vendor assessments. | Active — referenced in federal AI strategy and enterprise AI governance frameworks. | AI risk identification, measurement, management, and governance across the GOVERN, MAP, MEASURE, and MANAGE functions. Documentation of AI system risk profile and response actions. | Polarion provides the workflow backbone for AI RMF documentation, risk tracking, and governance evidence. X-DLM™ links technical findings to organizational risk management records. |
| Open Source License Obligations (incl. AI-generated code) | Any AI software company using open source components or AI coding assistants that generate code from open source training data — which is every AI software company. | Ongoing — applies at point of code use, product distribution, or commercial licensing. Surfaces acutely at M&A diligence. | License identification for all components including AI-generated snippets, restriction detection, IP exposure management, GPL/LGPL/AGPL compliance, patent risk assessment, commercial use compatibility verification. | Black Duck tracks 3,000+ license types at snippet level. X-DLM™ routes license decisions into Polarion for documented review and sign-off — producing an auditable IP decision log. |
| SOC 2 Type II / Enterprise Security Reviews | AI SaaS vendors and platform companies selling to enterprise buyers — particularly in regulated industries, financial services, healthcare, and government. | Enterprise procurement-driven — annual audits, recurring security questionnaires, and vendor assessment cycles. | Security controls, vulnerability management, change management, risk management, evidence of operating effectiveness, SBOM provision on request, vendor security posture documentation. | X-DLM™ keeps vulnerability response evidence, SBOM records, and security decision trails continuously available — eliminating the pre-audit evidence assembly sprint. |
From AI-generated code to governed CRA evidence trail.
- 01 Detect: Black Duck scans source, binaries, containers, and AI-generated code snippets — identifying vulnerabilities, malware, license conflicts, GPL-laundered fragments, AI model dependencies, and provenance risk at every layer.
- 02 Route: X-DLM™ synchronizes findings into Polarion as governed work items — with CRA practice mapping, assigned owners, escalation timelines, license conflict resolution workflows, and approval chains.
- 03 Govern: Findings are linked to requirements, code, test results, license decisions, risk acceptance records, and release evidence — the CRA secure-by-design evidence chain, built continuously.
- 04 Prove: LiveDocs and Polarion workflow history produce the CRA conformity evidence package on demand — for ENISA reporting, enterprise procurement review, EU AI Act documentation, or M&A diligence.
One evidence system for every framework.
Book a walkthrough of how X-DLM™ operationalizes EU CRA, EU AI Act, NIST SSDF, NIST AI RMF, open source license governance, and SOC 2 evidence for AI software and infrastructure companies — on Siemens Polarion and Black Duck.