Context and regulatory compliance
Context and stakeholder analysis
Fellow Digitals performs context and stakeholder analyses to identify internal and external factors that may affect information security and privacy. These analyses take into account developments in legislation and regulation, technological changes, customer expectations, and dependencies on suppliers and other third parties. Relevant stakeholders are identified and their interests are considered to ensure that security and privacy measures remain appropriate and aligned with business and regulatory requirements.
Threat analysis
As part of this context analysis, a structured threat analysis process is applied. Potential threats to information security and privacy are identified and assessed to determine their relevance and impact. The outcomes support risk‑based decision‑making and the selection of appropriate controls. Where relevant, threat‑related information may be shared internally or with customers or suppliers, and additional requirements may apply for specific customer segments or regulatory regimes.
Regulatory compliance
Compliance with applicable laws, regulations, and guidance from supervisory authorities is addressed through a defined procedure. New or amended requirements are assessed for impact and translated into suitable measures within the Information Security Management System (ISMS). These measures may include updates to policies, procedures, contractual arrangements, privacy statements, or working practices.
Fellow Digitals also assesses the applicability of relevant European regulatory frameworks, including the Network and Information Security Directive (NIS2) and the Digital Operational Resilience Act (DORA).
Based on the current scope, services, and organizational context, Fellow Digitals is not classified as an essential or important entity under NIS2 and is not directly subject to DORA requirements. However, we recognize that customers operating within these regulatory frameworks may impose specific security and resilience requirements, which are addressed through our ISMS and contractual arrangements where applicable.
These assessments form part of our broader approach to regulatory compliance and are revisited as regulatory interpretations, organizational scope, and service offerings evolve.
Information classification and data retention
As part of regulatory compliance and context management, supporting controls are in place to ensure appropriate handling of information. Information is classified based on confidentiality, integrity, availability, and privacy impact, supporting consistent handling and access control. Retention periods are defined in accordance with applicable laws and regulations, including the GDPR, and internal requirements, ensuring that personal data is retained only as long as necessary for its intended purpose.
Document management
Policies, procedures, and records are managed through a structured document management process to support version control, availability, and traceability.
Intellectual property
Measures are in place to protect intellectual property and to ensure compliance with applicable licensing and ownership requirements. This supports the controlled use of software, content, and other intellectual assets, and helps prevent unauthorized use, distribution, or infringement.
Use of AI tools
Guidelines govern the responsible use of AI tools, with attention to information security and privacy considerations. Fellow Digitals assesses the use of AI functionalities within its services in the context of applicable regulatory frameworks, including considerations related to the EU AI Act.
Based on this assessment, the AI‑supported features within our platforms are not designed or used for high‑risk use cases as defined in Annex III of the EU AI Act, such as automated decision‑making for access to education or the evaluation of learning outcomes. Where AI is applied, it is used in a supportive manner and under human oversight.
Updated: 15 May 2026