When a regulator asks how you governed a decision, VICCA ONE is your answer. A cryptographically sealed, publicly verifiable determination of your governance defensibility.
What VICCA ONE Is
VICCA ONE evaluates an organisation's decision-making posture against regulatory control frameworks and produces a cryptographically sealed, publicly verifiable determination of defensibility.
The kind that stands up in front of a National Competent Authority. That satisfies board-level due diligence requirements. That provides the sealed evidence counterparties and investors increasingly demand before engaging with regulated AI systems.
What It Is Not
The Process
The organisation's identity is established and locked. System name, system type, deployment model, jurisdictions, data categories. This becomes the immutable reference frame for the entire assessment. Once locked, it cannot be changed.
Structured evidence collection. The organisation provides documentary evidence against each regulatory control. VICCA ONE classifies each input as MATURE — fully implemented, documented, operational; PARTIAL — in development or inconsistent; or ABSENT — not in place.
VICCA ONE evaluates every applicable control and produces a Statement of Applicability — a control-by-control determination. Each control receives one of four statuses: DEFENSIBLE, CONDITIONALLY DEFENSIBLE, NOT DEFENSIBLE, or REFUSED where insufficient information exists.
The aggregate of all control determinations produces a single global governance posture. DEFENSIBLE — the organisation can defend its posture. CONDITIONALLY DEFENSIBLE — defensible with stated conditions. NOT DEFENSIBLE — material governance gaps exist requiring remediation.
The determination is cryptographically sealed and a Governance Defensibility Certificate is issued. The certificate contains a reference number, assessment date, framework results, SHA-256 authority hash, and a QR verification code linked to verify.anaxstandard.com. The certificate is not a document. It is a sealed evidence record.
Determination Outcomes
All evaluated controls meet the required standard of evidence. The organisation can defend its decision-making posture under article-level inspection. A Governance Defensibility Certificate is issued immediately.
The majority of controls are satisfied, but specific conditions apply. The certificate is issued with conditions clearly stated. A remediation path is provided. The organisation can typically achieve full defensibility within 60–90 days.
One or more critical controls cannot be defended under regulatory scrutiny. No certificate is issued. A detailed remediation plan is provided with a prioritised action sequence. Reassessment is available once remediation is complete.
Regulatory Frameworks
Five shown in depth. Thirty-nine in force.
Across every major jurisdiction — including the frameworks most providers never touch.
Assessment Tiers
Choose the tier that matches your regulatory exposure and the level of scrutiny your institution faces.
Regulatory Pressure
Digital Operational Resilience Act obligations are live. National Competent Authorities are examining ICT governance, third-party risk, and operational continuity controls.
High-risk AI system obligations are in force. Providers and deployers must demonstrate governance that withstands article-level regulatory scrutiny.
Senior management and board members bear personal accountability for governance failures under both DORA and the EU AI Act. Documentation is no longer sufficient.
A Big Four DORA readiness engagement takes 3–6 months and costs €80,000–€500,000. ANAX delivers a sealed, board-ready determination in 1–7 days.
What Regulators Actually Ask
"Demonstrate how your governance satisfies DORA Article 21."
"Explain how your AI governance system satisfies EU AI Act Article 9 risk management requirements."
Most organisations provide documentation. Regulators evaluate something else: whether governance decisions are defensible. VICCA ONE produces that defensibility — deterministically, in writing, cryptographically sealed.
Who VICCA ONE Is Built For
Banks, payment institutions, lenders, and regulated financial entities under DORA and EBA guidelines.
Organisations deploying automated decision systems under EU AI Act high-risk classification and Article 9 exposure.
Technology operators supporting regulated entities and regulated workflows requiring demonstrable governance posture.
NCA inspection preparation · EU AI Act compliance deadline · Board governance review · Counterparty due diligence · M&A transaction
A sealed, board-restricted Governance Defensibility Report and a publicly verifiable ANAX Certificate. Permanently on record.
Four structured forms covering organisational context, operational controls, ICT governance, and AI documentation. Typically 2–3 hours of structured input.
Frequently Asked Questions
No. ANAX assessments are governance defensibility evaluations based on declared operational inputs. They do not constitute legal advice. Organisations should obtain independent legal advice on their specific regulatory obligations.
A Big Four DORA readiness engagement takes 3–6 months and costs €80,000–€500,000. ANAX delivers a sealed, board-ready determination in 1–7 days. The ANAX certificate is permanently verifiable — something no Big Four engagement produces.
The report is addressed to your Board of Directors and Senior Management. It is board-restricted and confidential. Distribution is governed by the terms of your engagement.
You receive your sealed report and ANAX certificate within the stated delivery window. Your remediation roadmap identifies the specific actions required to close governance gaps. We are available to support implementation and re-assessment.
Public Verification
Every Governance Defensibility Certificate issued by VICCA ONE is permanently registered in a public verification registry. Any counterparty, regulator, or board member can verify its authenticity in seconds — without contacting you.
Who Uses Verification
Begin Your Determination
Request a VICCA ONE assessment. Our team will scope your regulatory exposure, confirm the appropriate tier, and begin your formal determination within five business days.