Skip to main content

EU compliance policy packs

Curated .talon.yaml policy packs for GDPR, NIS2, DORA, and the EU AI Act, selectable from talon init. Each pack is a ready-made starting point that tightens Talon's policy defaults for one regulatory regime and annotates the generated configuration with the articles those settings support.

Claims discipline. Packs provide supporting controls and evidence for the annotated articles. They are not a certification or a compliance determination — review the generated policy with your DPO or counsel. See LIMITATIONS.md.

Selecting packs

Every talon init path accepts packs:

# Interactive wizard — step "Apply EU compliance policy packs?" (multi-select)
talon init

# Starter pack + compliance overlay
talon init --pack openclaw --compliance gdpr

# Scaffold or scripted init
talon init --scaffold --compliance gdpr,nis2
talon init --provider openai --name my-agent --compliance eu-ai-act

# Everything
talon init --pack generic --compliance all

# Catalog
talon init --list-compliance

Multiple packs merge in order; stricter settings win (highest retention, union of frameworks, OR of scan/block flags).

Pack catalog

PackWhat it configuresSupports (linked to internal/compliance/mapping.go)
gdprPII input/output scanning + redaction, EU model routing (tier 1/2), 1y detailed audit retention, redacted-prompt-only storageGDPR Art. 5(1)(c), Art. 30, Art. 32, Art. 44-50
nis2Rate limits, time restrictions, full audit logging with 2y retentionNIS2 Art. 21
doraStrict PII blocking, cost limits, EU-only routing for all tiers, full audit with 5y retentionDORA Art. 6, Art. 11 (plus GDPR Art. 32, Art. 44-50)
eu-ai-actInput/output scanning, full audit trail, limited risk level, human oversight via plan review gateEU AI Act Art. 9, Art. 11, Art. 13, Art. 14

How the article links work

Each control inside a pack carries a structured annotation:

audit:
# supports: gdpr Art. 30 — internal/evidence/store.go (Processing records via signed evidence export)
log_level: detailed
retention_days: 365

Every supports: line must reference a Framework + Article entry in compliance.DefaultMappings() (internal/compliance/mapping.go) — the same mapping table that drives talon compliance report and the dashboard compliance mode. A link-integrity test (internal/pack/overlay_mapping_test.go) fails the build if an annotation points at an article Talon has no shipping control for, so packs can never over-claim.

The generated agent.talon.yaml also gets a header listing every applied pack and the supported articles, so the provenance survives in the file an auditor actually reads.

Scope: curated YAML, not custom Rego

Packs are curated YAML that configures Talon's embedded Rego policies (internal/policy/rego/). Loading custom Rego modules at runtime is deliberately out of scope for these packs (planned v2 — see policies/README.md). This keeps the single-binary, zero-config guarantee: what a pack enables is exactly what talon validate and the policy engine already enforce.

Verifying the result

talon validate # schema + policy validation
talon compliance report --framework gdpr # see covered controls + evidence

The dashboard compliance tab (/dashboard → Compliance) shows the same per-framework coverage with evidence counts, derived from the identical mapping table.