Regulations

One architecture, many compliance surfaces.

Almost every new EU regulation creates the same paradox: log every decision on one side, store no personal data on the other. zkRune is the cryptographic architecture that satisfies both at once. This page maps the major regulations to the circuits and integration paths that address them.

Mapping is informational — not a legal opinion. Cite the linked regulator sources and consult counsel before claiming compliance.

Identity

Selective disclosure of identity attributes — prove what's needed, reveal nothing else.

EUDI Wallet · eIDAS 2.0

European Digital Identity Wallet (eIDAS 2.0)

EU+EEA · Member-state wallets due 2026–2027

Rolling out

The paradox

Every EU member state must issue a digital identity wallet supporting selective disclosure. A user proving residency, age, or a professional credential must do so without revealing unrelated attributes.

How zkRune helps

Off-the-shelf circuits for age, membership, credential, and signature attestations — directly aligned with the Architecture Reference Framework's ZKP guidance. Drop into a wallet, attestation issuer, or relying-party verifier.

Mapped circuits

age-verification · membership-proof · credential-proof · signature-verification · range-proof

Integration paths

SDK · Verify API · On-chain verifier

AI Governance

Cryptographic record-keeping for high-risk AI decisions, without retaining the raw inputs.

AI Act Art. 12

EU AI Act — Article 12 (record-keeping for high-risk AI)

EU+EEA · Binding 2 August 2026

Rolling out

The paradox

Article 12(4) mandates retention of every input that led to a match for at least six months. GDPR Article 5(1)(c) mandates data minimisation. The two binding obligations directly contradict each other for Annex III systems.

How zkRune helps

Each decision becomes a tamper-evident Groth16 proof — fully verifiable by a market-surveillance authority, containing no raw input, under 200 bytes per record. Anchored on Solana / Ethereum / Sui mainnet.

Mapped circuits

hash-preimage · signature-verification · membership-proof · patience-proof

Integration paths

SDK · Verify API · On-chain verifier

Digital Platforms

Age-appropriate design and content gating for platforms operating in the EU and UK.

DSA Art. 28

Digital Services Act — Article 28 (age-appropriate design)

EU+EEA · Binding for VLOPs since Aug 2023; all platforms Feb 2024

Binding

The paradox

Online platforms accessible to minors must implement appropriate measures to ensure a high level of privacy, safety, and security. Standard age-verification (collect government ID) is itself a GDPR liability and a breach target.

How zkRune helps

Drop-in age proof generated in the user's browser. Your service receives only the cryptographic assertion that age >= threshold — never the underlying birthdate. Same widget covers UK Online Safety Act requirements.

Mapped circuits

age-verification · range-proof

Integration paths

Widget · SDK · Verify API

UK OSA

UK Online Safety Act — age verification duties

UK · Phased enforcement from 2025; full age duty live

Binding

The paradox

Ofcom enforcement is active and platforms are being named publicly for non-compliance. Storing government ID for age verification creates a parallel data-breach liability.

How zkRune helps

Privacy-preserving age verification mapped to Ofcom's 'highly effective' criteria. No PII retained server-side; proof artefact is the audit record.

Mapped circuits

age-verification · range-proof

Integration paths

Widget · SDK

Financial Services

Privacy-preserving KYC, solvency, and transaction-risk verification for regulated finance.

MiCA

Markets in Crypto-Assets Regulation (MiCA)

EU+EEA · Binding since 30 June 2024 (CASPs since 30 Dec 2024)

Binding

The paradox

Crypto-asset service providers must perform KYC, beneficial-ownership screening, and travel-rule disclosures while honouring GDPR data-minimisation. Exchanges currently retain identity dossiers indefinitely as a default.

How zkRune helps

Proof of solvency, jurisdictional eligibility, and AML threshold compliance without retaining identity dossiers per customer. Composable with the existing balance-proof on-chain attestation path.

Mapped circuits

balance-proof · whale-holder · range-proof · credential-proof · signature-verification

Integration paths

SDK · Verify API · On-chain verifier

6AMLD

Sixth Anti-Money Laundering Directive (6AMLD)

EU+EEA · Transposed since June 2021

Binding

The paradox

Enhanced due diligence requires beneficial-ownership and PEP screening, but indefinite retention of EDD records is increasingly challenged under GDPR proportionality.

How zkRune helps

Cryptographic proofs that a counter-party was screened against an authoritative list at a moment in time, without retaining the list lookup or the full identity attributes.

Mapped circuits

membership-proof · credential-proof · hash-preimage · signature-verification

Integration paths

SDK · Verify API

DORA

Digital Operational Resilience Act (DORA)

EU+EEA · Binding since 17 January 2025

Binding

The paradox

Financial entities and their ICT providers must report incidents and operational events with sufficient detail for regulators to assess systemic risk — without exposing customer data in shared incident reports.

How zkRune helps

Cryptographic proofs of incident-relevant facts (event ordering, identity attestations, decision paths) that supervisors can independently verify without seeing the underlying customer records.

Mapped circuits

hash-preimage · patience-proof · signature-verification · membership-proof

Integration paths

SDK · Verify API

PSD2 · SCA

PSD2 — Strong Customer Authentication (SCA)

EU+EEA · Binding since 14 September 2019

Binding

The paradox

Multi-factor authentication and transaction-risk analysis must be auditable, but the underlying behavioural and biometric signals are exactly the data buyers want minimised.

How zkRune helps

Risk-attribute proofs (device binding, balance threshold, behavioural pattern membership) that satisfy SCA exemption criteria without retaining the raw signals.

Mapped circuits

signature-verification · range-proof · balance-proof

Integration paths

SDK · Verify API

Cybersecurity

Operational resilience reporting and critical-infrastructure logging with zero PII retention.

NIS2

NIS2 Directive (network and information security)

EU+EEA · Member-state transposition deadline 17 October 2024 (ongoing)

Transposing

The paradox

Essential and important entities in critical sectors must report security events and demonstrate continuous risk management. Reporting templates require attribute-level detail that conflicts with data-minimisation.

How zkRune helps

Cryptographic attestations of compliance actions (access controls, vendor audits, incident-response steps) verifiable by national CSIRTs without the entity exposing raw operational data.

Mapped circuits

signature-verification · patience-proof · membership-proof · hash-preimage

Integration paths

SDK · Verify API

Data Protection

Data-minimisation by architecture — proofs travel, personal data does not.

GDPR Art. 5(1)(c)

GDPR — Article 5(1)(c) data minimisation

EU+EEA · Binding since 25 May 2018

Binding

The paradox

Personal data must be adequate, relevant, and limited to what is necessary. Every other regulation in this list demands more logging, more retention, more attestation — pulling against this baseline.

How zkRune helps

Privacy by architecture: proofs travel, personal data does not. Where every other vendor is solving the tension with policy, zkRune solves it structurally — there is no raw PII to delete because it was never collected server-side.

Mapped circuits

age-verification · balance-proof · membership-proof · credential-proof · hash-preimage

Integration paths

Widget · SDK · Verify API · On-chain verifier

Compliance-driven evaluation?

We work directly with privacy officers, DPOs, and compliance leads on regulation-specific integrations. The fastest path is a 30-minute technical session.