# Regulatory Compliance

This section maps Flopsar against the principal European Union regulations that bear on a fault detection and diagnosis platform deployed in production environments. Each regulation has its own page; this page explains how they fit together and, most importantly, **who the regulated party is** in each case.

That last point is the key to reading this section correctly. The regulations covered here do not all impose obligations on the same party. Some bind Flopsar Technology Sp. z o.o. as the **manufacturer** of the product. Others bind the **customer** as the operator of a service or as a controller of data, and reach Flopsar Technology Sp. z o.o. only indirectly, through the customer's own supply-chain and risk-management obligations.

## Who is regulated by what

Reading the four pages in this section is easier once the roles are clear.

**The Cyber Resilience Act binds Flopsar Technology Sp. z o.o. directly, as the manufacturer.** This is the one regulation in this section under which Flopsar Technology Sp. z o.o. is itself the regulated party. It governs the security of the product: secure design and development, vulnerability handling, the support period, the EU declaration of conformity, and CE marking. Almost all of the work described elsewhere in Trust & Compliance and in Security exists to meet it.

**NIS2 binds the customer, as the operator of an essential or important entity.** Flopsar Technology Sp. z o.o. is not, by virtue of developing and licensing software, an entity in scope of NIS2. NIS2 reaches Flopsar Technology Sp. z o.o. only indirectly, when a customer that is in scope imposes supply-chain requirements on its software suppliers.

**DORA binds the customer, where the customer is a financial entity.** As with NIS2, Flopsar Technology Sp. z o.o. is not a financial entity and is not a designated critical ICT third-party service provider, so it is not under direct DORA supervision. DORA reaches Flopsar Technology Sp. z o.o. through the contractual requirements that financial-sector customers place on their ICT third-party service providers.

**The GDPR binds the customer, as the controller of personal data, in the ordinary case.** Because Flopsar is an on-premise product, Flopsar Technology Sp. z o.o. does not process personal data on the customer's behalf and is neither a controller nor a processor in respect of a customer's deployment. Flopsar Technology Sp. z o.o. is a controller only for the limited personal data it handles in direct interactions, such as support requests and vulnerability reports.

In short: **the Cyber Resilience Act is ours; NIS2, DORA, and the GDPR are primarily our customers', and we support them.**

## How the on-premise model shapes all four

A single property of the product runs through every page in this section and materially reduces Flopsar's regulatory footprint under each regulation: **Flopsar is on-premise**. It is installed and operated within the customer's own infrastructure; it has no remote-management channel, no "phone home" telemetry, and no operational dependency on infrastructure operated by Flopsar Technology Sp. z o.o. The consequences recur throughout this section:

* Under the **GDPR**, Flopsar Technology Sp. z o.o. has no access to the customer's data and is therefore not a processor.
* Under **NIS2** and **DORA**, the supply-chain and concentration risks that the customer must manage are lower, because there is no service dependency on Flopsar Technology Sp. z o.o. and the customer's applications continue to run if Flopsar is removed.
* Under the **Cyber Resilience Act**, the absence of any outbound telemetry is itself a security property that supports several of the essential requirements.

A plain-language description of the on-premise model and of exactly what data is and is not processed is on the Privacy & Data Handling page.


