The Engineered-Compliance Solution

Engineered Controls for Regulated Environments


Praxis is the productised core of our Governance, Risk & Compliance service. Where most compliance work produces documents, Praxis produces working controls, continuous evidence, and audit-ready artefacts. Whether your systems meet a given obligation is determined by the regulator, but the substrate Praxis helps you build is the evidence they will look at.

We engineer the technical substrate that supports compliance across GDPR, the EU AI Act, and the EU Data Act, designed once and evidenced continuously. A single Article 32 control can support a GDPR obligation, an AI Act robustness requirement, and a Data Act access constraint. Built once, mapped across, and defensible in front of every supervisory authority that depends on it. For crypto-asset issuers and service providers in scope of MiCA, the same substrate extends to licensing, custody, and market-conduct obligations.

The Praxis Compliance Agent

At the heart of every Praxis engagement is a domain agent we build and operate on your behalf. It reads the live regulatory text alongside your own systems, policies, and code, and it runs continuously inside our delivery. Gaps surface as they appear, not at quarter-end. Evidence stays current as your platform changes. When a regulator asks, the pack is ready.

The agent does not replace your legal team or your compliance officer. It removes the parts of the job a machine should be doing, things like tracking which of your microservices logs which fields against which lawful basis, watching for the next ENISA opinion, or generating the artefact a supervisory authority will accept. Your specialists keep the judgement calls only humans should make. Our public thinking on this approach is laid out in the Regulatory Stack series and the launch piece, Engineered Compliance: Why the EU Regulatory Stack Belongs in Code.



Where Praxis Engages


GDPR Article 32 demands appropriate technical and organisational measures to secure personal data. Most organisations document those measures in policy. Praxis engagements wire them into the systems themselves. We map each control to a verifiable artefact: encryption configurations, access policies enforced in code, breach detection in observability pipelines, and Enclave-backed processing for the most sensitive workloads. The result is an evidence trail a regulator can verify, not a PDF a regulator has to trust.
AI Act Article 15 makes cybersecurity and robustness a legal requirement for high-risk AI systems. Praxis engagements operationalise the engineering work that requirement implies. We integrate Sentinel for static and runtime policy enforcement, document the adversarial robustness testing your systems are subjected to, and produce the technical documentation that supports your conformity assessment. The engineering substrate is detailed in [Regulatory Stack, Part 4](/blog/regulatory-stack-part-4/) and the broader liability framing in [Part 3](/blog/regulatory-stack-part-3/).
The EU Data Act creates new obligations around data access and sharing, particularly for connected products and B2B data flows. Praxis engagements engineer the implementation: provable consent capture, cryptographic data lineage, access-purpose enforcement in code, and audit trails that survive regulator scrutiny. The same lineage primitives we use for Sentinel data fingerprinting carry directly into Data Act work.
MiCA introduces licensing, prudential, and conduct obligations for crypto-asset service providers and token issuers operating in the EU. Praxis engagements engineer the substrate: provable custody segregation, real-time market-abuse surveillance, transparency artefacts that match white paper requirements, and the audit trails ESMA and national competent authorities expect to see. Engagements scale to the title of MiCA you are in scope of, whether Title III for asset-referenced and e-money tokens, Title V for CASPs, or both.
Annual compliance scrambles exist because evidence is collected as a one-off exercise. Praxis treats evidence as a continuous stream. The agent we run inside engagements keeps evidence packs aligned with the current state of your platform, so when a regulator asks, the artefact is already current. No archaeology, no last-minute reconstruction, no compliance theatre.
Regulation drifts. ENISA publishes new guidance. The EDPB issues an opinion. A delegated act amends a definition. Without continuous tracking, organisations are perpetually six months out of date. The Praxis agent monitors regulatory text, recitals, and authoritative guidance, and we use its output to tell you specifically which of your systems are affected and why. Change management becomes a tractable engineering problem instead of a quarterly legal review.
Most enterprises buy compliance one framework at a time, leading to duplicated controls, duplicated evidence, and duplicated audit costs. Praxis engagements map every implemented control to every framework it answers to. An encryption-at-rest configuration designed to meet GDPR Article 32 also speaks to AI Act Article 15 cybersecurity obligations, several Data Act access constraints, and, for in-scope crypto-asset firms, MiCA's safekeeping requirements. Built once, evidenced once, defensible everywhere.

Our Approach


Document-based compliance assumes the document accurately reflects what the system does. That assumption fails the moment code changes. Praxis closes the gap by implementing controls as code. Sentinel enforces policy at runtime. Enclave protects the data substrate. The Praxis agent verifies both, continuously, inside our engagement. A regulator can verify the proofs themselves, not just the descriptions.
A point-in-time audit certifies what was true on the day of the audit. Everything after is hope. The Praxis agent runs continuous re-attestation against your live systems during our continuous engagements. Every deployment, every policy change, every model update triggers verification. Drift surfaces immediately, not at the next annual review. Control posture becomes a property of the running system, not a snapshot taken from outside it.
Compliance work breaks down at the handoff. Lawyers write requirements engineers cannot implement. Engineers build controls lawyers cannot defend. Praxis exists in the gap. Our team translates between the two without losing fidelity in either direction. Legal gets implementations they can stand behind in front of a regulator. Engineering gets requirements they can build.
Evidence is only useful if a regulator accepts it. Praxis produces evidence the way auditors want it: with cryptographic integrity, clear provenance, and direct mapping to the obligation it speaks to. Hash chains support tamper resistance. Lineage traces show how the evidence was produced. The format follows what supervisory authorities have already indicated they will accept.
The same encryption configuration, the same logging pipeline, the same access policy can speak to GDPR, AI Act, and Data Act obligations simultaneously, if it is engineered with that in mind from the start. Praxis designs for the union, not the intersection. Add a new framework later, and most of the substrate already covers it.

What Praxis Delivers

From regulatory text to running controls

Praxis spans the full path from regulatory interpretation to verifiable production controls. Each engagement scales to the obligations that apply to your organisation.


Regulatory Surface Mapping

Identifies which articles of GDPR, the AI Act, the EU Data Act, and (for crypto-asset firms) MiCA apply to your specific systems, data flows, and AI deployments. The starting point for every Praxis engagement.


Gap Analysis and Remediation Plan

Maps your current state against the applicable obligations. The output is a prioritised remediation roadmap with concrete engineering tasks, not a list of policies to write.


Control Implementation

Builds the actual controls, including Sentinel policy enforcement, Enclave deployments for sensitive workloads, cryptographic lineage, and consent-purpose enforcement in code.


Compliance Agent Inside the Engagement

We deploy the Praxis agent into the engagement with your corpus loaded. It surfaces gaps continuously, prioritises remediation, and tracks both regulatory and system change so your evidence stays current. The agent is operated by our team, not handed off as a product for you to install or maintain.


Evidence Pack Generation

Produces audit-ready evidence packs on demand, with cryptographic integrity and direct mapping to the obligations each artefact speaks to. Built for supervisory authority review.


Continuous Re-Attestation

In continuous engagements, we run ongoing verification against your live systems. Every deployment, policy change, and model update triggers re-attestation. Drift is surfaced as it appears, not at the next annual review.


Regulator Liaison and Translation

Translates between engineering reality and regulator expectations during inspections, supervisory authority correspondence, or conformity assessments. Optional, included in continuous engagements.


Cross-Framework Optimisation

Identifies controls that can speak to multiple frameworks at once, so you build once and evidence many times. Reduces both implementation cost and ongoing audit overhead.