This paper presents an integrated architecture for automated legal compliance assessment designed for use within Regulatory Sandbox processes, with a first implementation targeting the essential cybersecurity requirements outlined in Annex I, Part I of the Cyber Resilience Act. The work addresses the difficulty of operationalising and enforcing a heterogeneous regulatory landscape, encompassing European Union regulations, national laws, and technical standards, particularly in the context of rapidly evolving and innovative products whose functionalities and risk profiles may change faster than the applicable legal frameworks. To implement the automated legal compliance assessment tool, we combine three complementary approaches. First, we formalise regulatory requirements using Catala, a domain-specific language based on prioritised default logic that captures the rule–exception structure of legal texts and guarantees total, deterministic evaluations. Second, we employ a Large Language Model as a preprocessing tool that extracts relevant information from the documentation submitted by manufacturers and structures it in a format consumable by the Catala engine. Third, we ensure integrity, non-repudiation, and auditability of both inputs and results through a permissioned blockchain infrastructure built on Hyperledger Fabric, which anchors cryptographic hashes of documents and assessments. The overall system is implemented as a microservice architecture comprising a web-based User Interface, an API gateway and orchestrator, Large Language Model analysis services, the Catala compliance engine, and blockchain-backed persistence. A Proof of Concept focused on formal compliance demonstrates the feasibility and benefits of this tripartite approach, laying the groundwork for the logical translation of additional regulatory frameworks.

Beyond checklists: automated legal compliance check in regulatory sandboxes / Bernabei, Pietro; Bramante, Salvatore; Ciarravano, Ludovica; Pannullo, Fernando. - 4198:(2026). (ITASEC & SERICS 2026 - Joint National Conference on Cybersecurity 2026, Cagliari, Italy, 09-13/02/2026).

Beyond checklists: automated legal compliance check in regulatory sandboxes

Bernabei Pietro; Bramante Salvatore; Ciarravano Ludovica; Pannullo Fernando
2026

Regulatory sandbox, Formal methods, Legal compliance
Files in this item:
File | Size | Format
paper18.pdf

open access

Description: Beyond Checklists: Automated Legal Compliance Check in Regulatory Sandboxes
Type: Published version (PDF)
License: Creative Commons
Size: 1.8 MB
Format: Adobe PDF

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.

Use this identifier to cite or link to this item: https://hdl.handle.net/20.500.11771/40478
Citations
  • PubMed Central: n/a
  • Scopus: n/a