◆ GOV-002 · VICCA ONE

The formal
determination.

When a regulator asks how you governed a decision, VICCA ONE is your answer. A cryptographically sealed, publicly verifiable determination of your governance defensibility.

The question regulators are now asking
"Can your governance posture withstand article-level inspection?"
See the Process
A
ANAX Standard · VICCA ONE
Governance Certificate
Global Determination
DEFENSIBLE
Certificate Reference
VC-2025-EUR-004471
Framework Determinations
DORA 2022 Defensible
EU AI Act 2024 Defensible
GDPR 2016/679 Defensible
ISO 27001:2022 Conditional
NIS2 2024 Defensible
Authority Hash · SHA-256
a3f8c1d2e9b4076f5a2c8d1e3b7f9a4c2d6e8f1b3c5a7d9e2f4b6c8d0e2f4a6

A formal authority
assessment. Not a
compliance tool.

VICCA ONE evaluates an organisation's decision-making posture against regulatory control frameworks and produces a cryptographically sealed, publicly verifiable determination of defensibility.

The kind that stands up in front of a National Competent Authority. That satisfies board-level due diligence requirements. That provides the sealed evidence counterparties and investors increasingly demand before engaging with regulated AI systems.

Not a compliance checklist. Checklists document intent. VICCA ONE determines defensibility.
Not a gap analysis tool. Gap analyses identify problems. VICCA ONE produces a sealed formal determination.
Not a report generator. Reports describe. The Governance Defensibility Certificate constitutes legal proof.
Not an annual audit. ISO checks your policies once a year. VICCA ONE certifies how your decisions behave.

Five steps to a sealed
determination

01
Client Context
LOCK

The organisation's identity is established and locked. System name, system type, deployment model, jurisdictions, data categories. This becomes the immutable reference frame for the entire assessment. Once locked, it cannot be changed.

Identity Lock Jurisdiction Map System Classification
02
Operational Intelligence Layer
OIL

Structured evidence collection. The organisation provides documentary evidence against each regulatory control. VICCA ONE classifies each input as MATURE — fully implemented, documented, operational; PARTIAL — in development or inconsistent; or ABSENT — not in place.

Mature Partial Absent
03
Authority Determination
DETERMINATION

VICCA ONE evaluates every applicable control and produces a Statement of Applicability — a control-by-control determination. Each control receives one of four statuses: DEFENSIBLE, CONDITIONALLY DEFENSIBLE, NOT DEFENSIBLE, or REFUSED where insufficient information exists.

Statement of Applicability Control-by-Control
04
Global Outcome
POSTURE

The aggregate of all control determinations produces a single global governance posture. DEFENSIBLE — the organisation can defend its posture. CONDITIONALLY DEFENSIBLE — defensible with stated conditions. NOT DEFENSIBLE — material governance gaps exist requiring remediation.

Global Posture Remediation Plan
05
Sealed Certificate
CERTIFICATE

The determination is cryptographically sealed and a Governance Defensibility Certificate is issued. The certificate contains a reference number, assessment date, framework results, SHA-256 authority hash, and a QR verification code linked to verify.anaxstandard.com. The certificate is not a document. It is a sealed evidence record.

SHA-256 Sealed QR Verification Public Registry

Three possible verdicts.
One sealed record.

Defensible

Your governance posture can withstand regulatory scrutiny

All evaluated controls meet the required standard of evidence. The organisation can defend its decision-making posture under article-level inspection. A Governance Defensibility Certificate is issued immediately.

Conditionally Defensible

Posture is defensible with stated conditions

The majority of controls are satisfied, but specific conditions apply. The certificate is issued with conditions clearly stated. A remediation path is provided. The organisation can typically achieve full defensibility within 60–90 days.

Not Defensible

Material governance gaps exist

One or more critical controls cannot be defended under regulatory scrutiny. No certificate is issued. A detailed remediation plan is provided with a prioritised action sequence. Reassessment is available once remediation is complete.

Every framework evaluated.
Simultaneously.

DORA
Digital Operational Resilience Act 2022
29 controls
EU AI Act
Artificial Intelligence Act 2024
41 controls
GDPR
General Data Protection Regulation
24 controls
ISO 27001
Information Security Management 2022
93 controls
NIS2
Network & Information Security Directive 2
21 controls

Five shown in depth. Thirty-nine in force.

Across every major jurisdiction — including the frameworks most providers never touch.

European Union
DORAEU AI ActEU AI Act — GPAIGDPRNIS2Solvency IIIDD
United Kingdom
UK AI FrameworkUK AI SafetyFCA Consumer DutyFCA PS21/3SM&CRLloyd's Minimum StandardsMLR 2017
United States
NIST AI RMFNIST AI 600-1NIST CSF 2.0CCPA / CPRAHIPAA / HITECHNY DFS 500US State AI Laws
Asia-Pacific
Singapore Model AISouth Korea AI ActChina AI Regulations
Middle East
UAE AI GovernanceSaudi Arabia AI Governance
International & G7
G7 Hiroshima ProcessOECD AI PrinciplesISO/IEC 42001ISO/IEC 27701ISO 22301Canada AIDA
Financial Crime & Security
EU AMLR 2024Greece AMLPCI DSS v4SOC 2

Three tiers of
formal determination

Choose the tier that matches your regulatory exposure and the level of scrutiny your institution faces.

I
Deterministic Defensibility
Single framework · Delivery 1–2 days
Single framework assessment — DORA or EU AI Act
Full control-by-control determination
Sealed Governance Defensibility Certificate
SHA-256 authority hash
QR-linked public verification
Ideal for initial posture assessment before NCA inspection or board review.
III
Audit-Ready Verified
Operator-verified · Delivery 5–7 days
All Tier II inclusions
Operator-verified inputs
Evidence sampling and validation
Independent governance verification
NCA submission-ready documentation
Full audit trail with chain of custody
Required when counterparty due diligence, regulatory submission, or NCA inspection demands independently verified inputs.

The problem your organisation
faces right now.

DORA Enforcement Active

Digital Operational Resilience Act obligations are live. National Competent Authorities are examining ICT governance, third-party risk, and operational continuity controls.

EU AI Act Obligations Live

High-risk AI system obligations are in force. Providers and deployers must demonstrate governance that withstands article-level regulatory scrutiny.

Board Accountability Increasing

Senior management and board members bear personal accountability for governance failures under both DORA and the EU AI Act. Documentation is no longer sufficient.

The Alternative

A Big Four DORA readiness engagement takes 3–6 months and costs €80,000–€500,000. ANAX delivers a sealed, board-ready determination in 1–7 days.

The questions your governance
must answer.

EXAMPLE REGULATORY QUESTION

"Demonstrate how your governance satisfies DORA Article 21."

EXAMPLE REGULATORY QUESTION

"Explain how your AI governance system satisfies EU AI Act Article 9 risk management requirements."

Most organisations provide documentation. Regulators evaluate something else: whether governance decisions are defensible. VICCA ONE produces that defensibility — deterministically, in writing, cryptographically sealed.

The institutions that cannot afford
an indefensible governance posture.

Financial Institutions

Banks, payment institutions, lenders, and regulated financial entities under DORA and EBA guidelines.

FinTech & AI Platforms

Organisations deploying automated decision systems under EU AI Act high-risk classification and Article 9 exposure.

Digital Infrastructure

Technology operators supporting regulated entities and regulated workflows requiring demonstrable governance posture.

Typical Triggers

NCA inspection preparation · EU AI Act compliance deadline · Board governance review · Counterparty due diligence · M&A transaction

What You Receive

A sealed, board-restricted Governance Defensibility Report and a publicly verifiable ANAX Certificate. Permanently on record.

What You Need To Prepare

Four structured forms covering organisational context, operational controls, ICT governance, and AI documentation. Typically 2–3 hours of structured input.

What institutions ask
before engagement.

Is this a legal opinion?

No. ANAX assessments are governance defensibility evaluations based on declared operational inputs. They do not constitute legal advice. Organisations should obtain independent legal advice on their specific regulatory obligations.

How is this different from a Big Four engagement?

A Big Four DORA readiness engagement takes 3–6 months and costs €80,000–€500,000. ANAX delivers a sealed, board-ready determination in 1–7 days. The ANAX certificate is permanently verifiable — something no Big Four engagement produces.

Who receives the report?

The report is addressed to your Board of Directors and Senior Management. It is board-restricted and confidential. Distribution is governed by the terms of your engagement.

What happens after the assessment?

You receive your sealed report and ANAX certificate within the stated delivery window. Your remediation roadmap identifies the specific actions required to close governance gaps. We are available to support implementation and re-assessment.

Every Certificate is
publicly verifiable.

Every Governance Defensibility Certificate issued by VICCA ONE is permanently registered in a public verification registry. Any counterparty, regulator, or board member can verify its authenticity in seconds — without contacting you.

verify.anaxstandard.com Live Registry
Enter Certificate Reference to verify
ANAX-2025-GBR-004471-T2
Verify
Certificate Valid · DEFENSIBLE
Reference: ANAX-2025-GBR-004471-T2
Issued: 13 Apr 2025 · Valid: 12 months
Tier: II — Dual Framework
Frameworks: DORA · EU AI Act
Hash: a3f8c1d2e9b4076f5a2c8...
01 National Competent Authorities — Regulators can independently verify that a formal governance determination was conducted, sealed, and issued — before any inspection begins.
02 Counterparties & Investors — Before engaging with your institution, counterparties verify your governance certificate directly. No PDFs exchanged. No calls scheduled. Instant trust.
03 Board & Audit Committees — Internal governance bodies can verify that the certificate displayed in board packs is authentic — sealed, timestamped, and unaltered.
04 Courts & Legal Proceedings — The sealed certificate record constitutes verifiable evidence of governance defensibility — a timestamped, cryptographically sealed determination made prior to the event in question.

Your governance posture
is either defensible
or it is not.

Request a VICCA ONE assessment. Our team will scope your regulatory exposure, confirm the appropriate tier, and begin your formal determination within five business days.

Explore Canal