Do you know which compliance obligations apply to you?
Every ISO standard requires you to determine and manage your compliance obligations. Not just laws - regulations, authority directives, permit conditions, and contractual requirements too. AmpliFlow gives you the register your auditor wants to see.
The timeline that changes everything
New EU regulations affecting businesses, directly or through your customers and suppliers.
NIS2 Directive / Cybersecurity Act
Expanded cybersecurity requirements for more sectors and the entire supply chain. Enacted in Sweden as the Cybersecurity Act (SFS 2025:1506) from January 2026.
AI Act
Risk-based classification determines requirements. Affects everyone developing or using AI systems. Prohibited systems rules apply from Feb 2025, GPAI rules from Aug 2025.
CSRD - Sustainability Reporting
Wave 1 (large listed companies >500 emp.) reporting now. Wave 2 postponed to FY 2027, Wave 3 to FY 2028 after Stop-the-Clock. Scope 3 reporting requires data from you as a supplier.
DORA - Digital Operational Resilience
Financial sector and its IT suppliers face new requirements for digital resilience, incident reporting, and third-party risk management.
CSDDD - Corporate Due Diligence
Phase 1 (July 2028): companies with >3,000 employees and >EUR 900M turnover. Phase 2 (July 2029): companies with >1,000 employees and >EUR 450M turnover. Obligation to identify and manage risks across the value chain.
CRA - Cyber Resilience Act
Main obligations from December 2027. Reporting of actively exploited vulnerabilities from September 2026. All products with digital elements sold in the EU.
Most organisations lack a working register
Identifying and managing compliance obligations is a requirement in all four ISO standards. Yet we see the same gaps at certification audits, again and again.
No central register
Legal requirements live in spreadsheets, emails, binders, and in key people's heads. Nobody has the complete picture.
Unclear what actually applies
You know requirements exist. But you haven't done a systematic applicability assessment. At audit time, that's a problem.
Nobody owns it formally
Everyone knows roughly who monitors what - until that person leaves. Responsibility for compliance obligations needs to be formally assigned and documented.
The register is never current
Laws change, new regulations arrive, permits renew. Without an active process, the register falls behind quickly.
Four standards, one core requirement
All four ISO standards require identifying and managing compliance obligations. One register covers them all.
ISO 14001 - Compliance obligations
Determine and have access to compliance obligations related to environmental aspects. Determine how they apply and take them into account in the management system.
ISO 45001 - Legal requirements and other requirements
Determine and have access to up-to-date legal requirements and other requirements applicable to the organization's hazards and OH&S risks.
ISO 9001 - Interested party requirements
Determine relevant requirements of interested parties, including applicable statutory and regulatory requirements for products and services.
ISO 27001 - Interested party requirements
Determine requirements of interested parties relevant to information security, including legal, regulatory, and contractual obligations.
The register your auditor wants to see
AmpliFlow gives you a central register for all compliance obligations with the structure for identification, applicability assessment, and clear responsibility assignment.
Central register for all compliance obligations
Gather laws, regulations, permit conditions, and contractual requirements in one place. Categorize by subject area: environment, health and safety, information security, quality.
Applicability assessment for each requirement
Document whether it applies, how you are affected, and how you comply. Exactly what auditors look for under ISO 14001, 45001, 9001, and 27001.
Responsible person with traceability
Each compliance obligation gets an owner. Clear accountability: the right person monitors the right area, with name and date recorded.
Live register with status management
Mark requirements as new, amended, applied, or repealed. Import existing registers via bulk import. Export for audits.
The auditor asks: "How do you identify relevant compliance obligations?"
With AmpliFlow, you open the register and show: which requirements you have identified, whether they apply, how you comply, who is responsible, and whether anything has changed since the last audit.
Compare that with searching through old spreadsheets, emails, and PDFs before every audit.
The EU regulations adding to your register
Current EU legislation is adding new requirements to your register - directly or through your supply chain. These come on top of national legislation and regulatory authority requirements.
Questions about the compliance obligations register
What is the difference between legal requirements and compliance obligations?
Compliance obligations is the broader term ISO 14001 (clause 6.1.3) uses. It includes laws and regulations but also authority directives, permit conditions, contractual requirements from customers, and voluntary commitments your organisation has made. The register in AmpliFlow covers all of these, not just legislation.
Which subject area should I choose?
AmpliFlow has eight predefined subject areas: Environment, Health and Safety, Information Security, Quality, Energy, Finances, Product Safety, and Other. They map directly to the ISO standards you are certified against. A requirement can belong to multiple subject areas.
How do we meet ISO 14001 requirement 6.1.3?
Clause 6.1.3 requires you to determine which compliance obligations apply, how they apply, and to take them into account in the management system. The register in AmpliFlow gives you the structure: identification, applicability assessment, responsible person, and status. That is exactly what auditors look for.
Can we import an existing legislation register?
Yes, via bulk import. Export the register for audit reports or backup too. All fields are supported in the import: subject area, status, applicability, responsible person, how we meet the requirement.
Does AmpliFlow monitor legal changes automatically?
AmpliFlow gives you a structured register for documenting and following up compliance obligations. For automatic monitoring of legal changes, we recommend combining it with an external monitoring service that sends notifications when laws change.
Does this apply to all ISO standards we are certified against?
Yes. ISO 14001 (6.1.3), ISO 45001 (6.1.3), ISO 9001 (4.2), and ISO 27001 (4.2) all require identifying and managing compliance obligations. One register covers all standards, categorized by subject area.
Build the register that holds up at audit
Book a demo and we will show you how AmpliFlow helps you identify and maintain all compliance obligations - across all ISO standards you work against.
Contact us
Fill in the form and we will get back to you within 24 hours. You can also reach us at info@ampliflow.com.