## List of Powers for Authorities / List of Obligations
The following elements may be used in regulations to:
\- authorise public authorities to act in a particular way vis-à-vis
natural or legal persons, other public authorities or other States;
\- oblige natural or legal persons and authorities to take certain
measures directly by virtue of the regulation.
The list was in the first round drawn up on the basis of model laws
developed by the Regulatory Institute
([www.howtoregulate.org](http://www.howtoregulate.org/)) because
these model laws integrate regulatory knowledge from many jurisdictions
and sectors alike. They therefore provide an excellent international and
cross-sectoral basis. It was entirely drawn up by various artificial
intelligence programmes, known as Large Language Models (LLMs)[^1]. It
is the result of a long series of instructions and tasks that took the
human in charge several days to complete, whilst the document was only
marginally revised by humans.
Namely the LLM interface Perplexity[^2] has in many cases suggested
additional very sensible rules based on regulations that have been
sifted through around the world. In doing so, Perplexity continued the
Regulatory Institute's approach of learning from regulators in all
sectors around the world and making the knowledge gathered available
globally and across sectors. It is this approach that has been continued
by regulatory practitioners supporting the Regulatory Institute who
manually redacted the text to a modest extent. The document is therefore
the result of three rounds of international gathering of regulatory
knowledge. Feel free to suggest further improvements.
We asked the LLMs to provide their references. The elements, and
therefore the references, come from legislation all over the world, but
mainly from wealthy jurisdictions. The letters "ML" stand for "Model Law
of the Regulatory Institute". You can therefore find the relevant model
law provisions via this website:
[https://www.howtoregulate.org/category/ri-model-laws/](https://www.howtoregulate.org/category/ri-model-laws/).
The list overlaps slightly with the parallel list of sanctions and
accompanying measures which is recommended as an extension of this list
for cases where this list is not considered sufficient[^3]. The
difference between the two lists is that this list here is aiming at
directly ensuring compliance whereas the list of sanctions pursues the
goal of compliance only indirectly. Both lists complement the document
"Cross-sectoral standard provisions for regulation", which already
contains some basic powers and obligations.
Despite many deletions, the list might still contain some redundancies.
We also feel that the order of the elements could still be improved.
Finally, we are concerned that some of the references might not be
correct or do not contain an empowerment, but only an obligation
directly applicable by virtue of the law. Nonetheless, the list can
already be used as a quarry to make draft legislation more complete in
terms of empowerment. The list can also be used as a source of
inspiration for the establishment of obligations for natural or legal
persons and authorities at the level of the regulation itself.
### Generic:
#### A. External (= authority) Compliance Measures and Information Gathering
We include here powers and measures of information gathering that would
not make sense if exercised by actors other than public authorities.
Therefore, this section contains pure authority powers for which there
is no parallel obligation of private actors established by law.
\[The Competent Authority may:\]
1. Conduct on-site inspections, with or without prior notice. \[ML
Corruption, Section 28.II.29; ML Environmental Liability, Section
79.I.a\]
2. Enter and inspect premises, including private spaces with judicial
authorization. \[ML Corruption, Section 28.II.17; ML
Alcohol-Cannabis-Tobacco, Section 69.I.s\]
3. Request information related to activities covered by the Act, even
from third parties or entities located in foreign countries. \[ML
Corruption, Section 28.II.1; ML Alcohol-Cannabis-Tobacco, Section
69.I.a\]
4. Investigate and inspect accounts, books, documents, or other
articles. \[ML Corruption, Section 28.II.1; ML
Alcohol-Cannabis-Tobacco, Section 69.I.a\]
5. Require from any person the production of accounts, books,
documents, and take copies or make photographs. \[ML Corruption,
Section 28.II.2; ML Alcohol-Cannabis-Tobacco, Section 69.I.b\]
6. Take copies of and analyse data and software related to activities
covered by the Act. \[ML Corruption, Section 28.II.18; ML
Alcohol-Cannabis-Tobacco, Section 69.I.t\]
7. Request the conversion of encoded data into information readable for
humans. \[ML Corruption, Section 28.II.4; ML
Alcohol-Cannabis-Tobacco, Section 69.I.d\]
8. Seize relevant data, documents or other evidence. \[ML Corruption,
Section 28.II.30; ML Environmental Liability, Section 79.I.b\]
9. Order the cessation of any activity that interferes with the
authority's ability to monitor or enforce compliance. \[Hong Kong:
Environmental Impact Assessment Ordinance, Cap. 499, Section 5\]
10. Convene stakeholder advisory groups and conduct public
consultations. \[ML Corruption, Section 28.II.40; ML
Alcohol-Cannabis-Tobacco, Section 69.I.pppp\]
11. Compel attendance of witnesses, including third parties, to provide
evidence under subpoena. \[ML Corruption, Section 28.II.19; ML
Alcohol-Cannabis-Tobacco, Section 69.I.q\]
12. Interview witnesses and require the production of records, including
financial records. \[ML Corruption, Section 28.II.31; ML
Environmental Liability, Section 79.I.c\]
13. Use artificial intelligence and other advanced technological means
for detection and analysis of infringements committed by regulated
entities or actors. \[ML Corruption, Section 28.II.77; ML
Alcohol-Cannabis-Tobacco, Section 69.I.x\]
14. Conduct surveillance activities to detect potential infringements
committed by regulated entities or actors. \[ML Corruption, Section
28.II.50; ML Alcohol-Cannabis-Tobacco, Section 69.I.u\]
15. Order the creation and maintenance of detailed records related to
high-risk activities. \[ML Corruption, Section 28.II.98; ML
Alcohol-Cannabis-Tobacco, Section 69.I.vv\]
16. Deploy undercover investigators to gather evidence of suspected
infringements. \[Criminal Investigation (Covert Operations) Act 2009
of South Australia, Section 4(1)\]
17. Use unmanned vehicle technologies for surveillance of regulated
activities. \[India Drone Rules 2021\]
18. Use satellite technologies for compliance monitoring. \[UK
Deforestation Regulation (UKDR)\]
19. Impose requirements for incident response planning and testing. \[US
Federal Information Security Modernization Act, Section 3554; EU
GDPR, Article 32\]
20. Require the submission of plans or programs to address
non-compliance or prevent future infringements. \[New Zealand:
Resource Management Act 1991, Section 35\]
21. Require the provision of financial guarantees to ensure compliance.
\[Directive 2013/30/EU on the safety of offshore oil and gas
operations, Article 21\]
22. Order the confiscation of a domain and request the domain registrar
to cooperate for such confiscation. \[ML Alcohol-Cannabis-Tobacco,
Section 69.I.e\]
23. Close the facilities of infringing persons in cases of particularly
grave or repetitive deliberate infringements. \[U.S. Food, Drug, and
Cosmetic Act, Section 303; UK Proceeds of Crime Act 2002, Section
245A; ML Animal Protection, Section 80.IV.j\]
24. Order the winding up of an undertaking as a last resort. \[ML
Corruption, Section 28.II.43; ML Alcohol-Cannabis-Tobacco, Section
69.I.j\]
25. Order the dissolution of the legal entity/person responsible for
offenses. \[ML Corruption, Section 45.IV.12; ML
Alcohol-Cannabis-Tobacco, Section 69.I.j; U.S. Clayton Act, Section
7; U.K. Insolvency Act, Section 124A\]
26. Order the separation of certain business activities to prevent
conflicts of interest. \[U.S. Glass-Steagall Act of 1933 (repealed),
but concept still applied in financial regulations\]
27. Mandate changes in corporate governance structure. \[U.S.
Sarbanes-Oxley Act of 2002, Section 301; U.S. Bankruptcy Code,
Section 1123\]
28. Order the divestment of certain business units or assets that have
been used in the commission of infringements. \[ML Corruption,
Section 28.II.95\]
29. Place the offending entity under judicial administration. \[ML
Corruption, Section 45.IV.12; ML Alcohol-Cannabis-Tobacco, Section
69.I.i\]
30. Impose mandatory training programs for employees of infringing
entities \[ML Corruption, Section 28.II.88; ML
Alcohol-Cannabis-Tobacco, Section 69.I.nnnn\]
31. Order the offender to fund research or education initiatives related
to the infringement. \[Extrapolated\]
32. Use predictive analytics to identify potential future infringements
and/or other relevant events and changes. \[Extrapolated\]
33. Seek court orders to compel cooperation if a person or entity fails
to comply with an investigative request. \[ML Corruption, Section
28.II.32; ML Alcohol-Cannabis-Tobacco, Section 69.I.ssss\]
34. Enter into settlement agreements with entities under investigation.
\[ML Corruption, Section 28.II.38; ML Alcohol-Cannabis-Tobacco,
Section 69.I.rrrr\]
35. Provide training and education on compliance for regulated entities
or individuals \[Canada: Food and Drug Regulations, C.R.C., c.
870, s. 32; ML Corruption, Section 28.II.35; ML
Alcohol-Cannabis-Tobacco, Section 69.I.mmmm\]
36. Delegate empowerments to other or local authorities. \[ML
Corruption, Section 28.II.28; ML Alcohol-Cannabis-Tobacco, Section
69.I.uuuu\]
37. Order the establishment of a public inquiry or investigation into a
matter of public interest or concern. \[Singapore: Commissions of
Inquiry Act, Chapter 50, Section 3\]
#### B. Both Internal and External Compliance Measures
We include here compliance measures that would make sense if exercised
by public authorities or private actors[^4] who have to apply the law.
Accordingly, legislation may provide for the measure:
- to be taken by the authority;
- to be ordered by the authority (with or without discretion) and taken
by private actors; or
- to be taken by private actors directly by virtue of the law.
\[The Competent Authority may (mandate to) / The private actor[^5] or
other entity must:\]
38. Implement a specific internal reporting mechanism for potential
infringements. \[ML Corruption, Section 28.II.96; ML
Alcohol-Cannabis-Tobacco, Section 69.I.zz\]
39. Report periodically on compliance matters. \[ML Corruption, Section
28.II.48; ML Environmental Liability, Section 84.I\]
40. Conduct and submit periodic risk assessments related to potential
infringements. \[ML Corruption, Section 28.II.93; ML Environmental
Liability, Section 5.II\]
41. Grant monetary awards to informers or cooperators who have caused
property gains or prevented damage to public entities. \[ML
Corruption, Section 28.II.67; ML Alcohol-Cannabis-Tobacco, Section
69.I.hhhh\]
42. Establish an electronic interface for anonymous reporting of
infringements. \[ML Corruption, Section 28.II.69; ML
Alcohol-Cannabis-Tobacco, Section 69.I.jjjj\]
43. Establish and operate an alert portal for reporting incidents
related to the Act. \[ML Corruption, Section 28.II.74; ML
Alcohol-Cannabis-Tobacco, Section 69.I.kkkk\]
44. Establish a dedicated compliance hotline for employees and
stakeholders. \[ML Corruption, Section 28.II.111; ML
Alcohol-Cannabis-Tobacco, Section 69.I.llll\]
45. Create a secure digital platform for whistleblowers to submit and
track their reports. \[ML Corruption, Section 28.II.69\]
46. Establish and operate whistleblower protection programs \[New
Zealand: Protected Disclosures (Protection of Whistleblowers) Act
2022, Section 15; ML Corruption, Sections 28.II.49 and 36; ML
Alcohol-Cannabis-Tobacco, Section 69.I.ffff\]
47. Take measures to revoke disadvantageous measures taken against
whistleblowers or informers. \[ML Corruption, Section 28.II.65; ML
Alcohol-Cannabis-Tobacco, Section 69.I.iiii\]
48. Establish a whistleblower reintegration program for those who faced
career disruption. \[ML Corruption, Section 28.II.66; New Zealand:
Protected Disclosures Act 2000, Section 22\]
49. Implement a whistleblower mental health support program.
\[Extrapolated from ML Corruption, Section 28.II.66\]
50. Compensate informers for damage, advise them, and organize change of
identity. \[ML Corruption, Section 28.II.66; ML
Alcohol-Cannabis-Tobacco, Section 69.I.gggg\]
51. Communicate warnings and recommendations to the general public. \[ML
Corruption, Section 28.II.2; ML Alcohol-Cannabis-Tobacco, Section
69.I.b\]
52. Create public awareness campaigns related to the infringement or
regulatory issue. \[EU Directive 2003/33/EC on the promotion of
clean and energy-efficient road transport vehicles, Article 6\]
53. Establish "compliance ambassador" programs in schools, universities
and other social structures. \[Extrapolated\]
54. Develop online compliance education platforms for regulated
entities. \[Extrapolated from ML Corruption, Section 28.II.35\]
55. Develop gamified/rewarded compliance training applications for
employees. \[Extrapolated\]
56. Establish mandatory training programs for employees of infringing
entities or departments thereof. \[ML Corruption, Section 28.II.88;
ML Alcohol-Cannabis-Tobacco, Section 69.I.nnnn\]
57. Implement specific supply chain due diligence procedures. \[ML
Corruption, Section 28.II.107; ML Alcohol-Cannabis-Tobacco, Section
69.I.fff\]
58. Establish specific due diligence procedures for high-risk
transactions or relationships. \[ML Corruption, Section 28.II.99; ML
Alcohol-Cannabis-Tobacco, Section 69.I.aaa\]
59. Implement real-time monitoring systems for high-risk industries or
activities. \[Extrapolated\]
60. Implement multi-factor and/or biometric verification systems for
high-risk transactions. \[Extrapolated\]
61. Use blockchain or other distributed ledger technologies for enhanced
transparency and traceability \[Extrapolated\]
62. Implement automatised, including blockchain-based, tracking systems
for supply chain monitoring. \[Extrapolated\]
63. Implement automatised, including blockchain-based, systems for
transparent and immutable record-keeping. \[Extrapolated\]
64. Deploy Internet of Things devices or similar devices for continuous
monitoring of regulated processes and/or gaining other relevant
information. \[Extrapolated\]
65. Utilise open source intelligence tools and technologies, including
social media monitoring tools and technologies, to detect potential
infringements, monitor regulated activities and/or gaining other
relevant information. \[Extrapolated\]
66. Adopt specific industry standards or best practices related to
compliance. \[ML Corruption, Section 28.II.102; ML
Alcohol-Cannabis-Tobacco, Section 69.I.ccc\]
67. Implement specific compliance measures or programs. \[ML Corruption,
Section 45.IV.4; ML Alcohol-Cannabis-Tobacco, Section 69.I.vv; UK
Bribery Act 2010, Section 7\]
68. Implement a comprehensive compliance program with regular reporting
requirements. \[US Sarbanes-Oxley Act, Section 302(a)\]
69. Create a dedicated compliance budget as a percentage of annual
revenue. \[Extrapolated from ML Corruption, Section 28.II.42; U.S.
Federal Sentencing Guidelines for Organizations, Section 8B2.1\]
70. Create dedicated funds for research and development in
compliance-related technologies. \[Extrapolated\]
71. Establishment of a public-private partnership or collaborative
initiative. \[Hong Kong: Innovation and Technology Ordinance, Cap.
669, Section 6\]
72. Create virtual reality simulations for compliance scenario training.
\[Extrapolated\]
73. Use artificial intelligence for predictive compliance risk
assessment. \[Extrapolated from ML Corruption, Section 28.II.77\]
74. Develop machine learning algorithms for detecting patterns of
non-compliance. \[Extrapolated from ML Corruption, Section
28.II.77\]
75. Utilise natural language processing for automated contract
compliance checking. \[Extrapolated\]
76. Create AI-powered chatbots for compliance guidance and reporting.
\[Extrapolated\]
77. Implement augmented reality systems for on-site compliance
inspections. \[Extrapolated\]
78. Develop neuromorphic computing systems for advanced pattern
recognition in compliance data. \[Extrapolated\]
79. Create digital twin technologies for simulating and predicting
compliance scenarios. \[Extrapolated\]
80. Install monitoring or control devices at the expense of the
regulated entity. \[Hong Kong: Air Pollution Control Ordinance, Cap.
311, Section 21\]
81. Appoint a compliance officer in entities found to have committed
serious infringements. \[ML Corruption, Section 28.II.90; ML
Alcohol-Cannabis-Tobacco, Section 69.I.xx; United States: Foreign
Corrupt Practices Act, 15 U.S.C. § 78dd-1; EU: Directive 2014/65/EU
on markets in financial instruments, Article 9\]Implement specific
customer or third-party screening procedures. \[ML Corruption,
Section 28.II.101; ML Alcohol-Cannabis-Tobacco, Section 69.I.bbb\]
82. Appoint an independent external compliance monitor. \[ML Corruption,
Section 45.IV.12; ML Alcohol-Cannabis-Tobacco, Section 69.I.xx; U.K.
Companies Act, Section 168; U.S. Foreign Corrupt Practices Act,
Section 8A; U.S. Department of Justice, Criminal Division,
Evaluation of Corporate Compliance Programs\]
83. Establish third-party monitoring of compliance. \[ML Corruption,
Section 28.II.94; ML Alcohol-Cannabis-Tobacco, Section 69.I.h\]
84. Establish external audits. \[ML Corruption, Section 45.IV.5; ML
Alcohol-Cannabis-Tobacco, Section 69.I.h; U.S. Foreign Corrupt
Practices Act, Section 8A\]
85. Conduct compliance audits \[ML Corruption, Section 28.II.46; ML
Environmental Liability, Section 79.I.d; Sarbanes-Oxley Act, Section
404; EU Audit Regulation, Article 6\]
86. Create industry-specific compliance certification programs.
\[Extrapolated from ML Corruption, Section 28.II.139\]
87. Participate in industry-wide compliance initiatives. \[U.S.
Dodd-Frank Wall Street Reform and Consumer Protection Act, Section
956; ML Corruption, Section 28.II.108; ML Alcohol-Cannabis-Tobacco,
Section 69.I.bbbb\]
88. Adopt specific industry standards or best practices related to
compliance. \[ML Corruption, Section 28.II.102; ML
Alcohol-Cannabis-Tobacco, Section 69.I.ccc\]
89. Participate to public-private partnerships for developing compliance
technologies. \[Extrapolated\]
90. Participate in industry-specific regulatory sandboxes for testing
innovative compliance solutions. \[Extrapolated\]
91. Participate in peer evaluation programs with other actors
\[Extrapolated\]
92. Commission third-party risk assessments. \[US Sarbanes-Oxley Act,
Section 404; EU GDPR, Article 28\]
93. Implement a comprehensive third-party risk management program.
\[U.S. Office of the Comptroller of the Currency, Bulletin 2013-29;
extrapolated from ML Corruption, Section 28.II.99\]
94. Use specific procedures or protocols for risk assessment or
management. \[New Zealand: Health and Safety at Work Act 2015,
Section 35; Singapore: Securities and Futures Act, Chapter 289,
Section 231\]
95. Implement specific risk management measures. \[ML Corruption,
Section 28.II.45; ML Environmental Liability, Section 10\]
#### C. Pure Internal Compliance Measures
We include here compliance measures that would only make sense if taken
by private actors who have to apply the law. Public authorities can
prescribe these measures, but they cannot take them instead of the
actors who have to apply the law.
\[The Competent Authority may mandate to / The private actor[^6] must:\]
96. Establish a compliance management system. \[South Korea: Act on the
Regulation of Registration, etc. of Chemical Substances, Article
44\]
97. Implement internal control mechanisms in regulated entities. \[ML
Corruption, Section 28.II.81; ML Alcohol-Cannabis-Tobacco, Section
69.I.tt; Canada: Proceeds of Crime (Money Laundering) and Terrorist
Financing Act, S.C. 2000, c. 17, s. 9\]
98. Modify business practices found to facilitate infringements. \[ML
Corruption, Section 28.II.84; ML Alcohol-Cannabis-Tobacco, Section
69.I.uu\]
99. Implement enhanced compliance measures. \[ML Corruption, Section
28.II.42; ML Alcohol-Cannabis-Tobacco, Section 69.I.vv\]
100. Implement specific technological solutions to prevent future
infringements. \[ML Corruption, Section 28.II.89; ML
Alcohol-Cannabis-Tobacco, Section 69.I.ww; Singapore: Water Supply
(Water Fittings) Regulations, Chapter 378, Regulation 6\]
101. Establish an ethics committee with external members. \[ML
Corruption, Section 28.II.105; ML Alcohol-Cannabis-Tobacco, Section
69.I.eee\]
102. Establish a compliance committee within the board of directors of
infringing entities. \[ML Corruption, Section 28.II.92; ML
Alcohol-Cannabis-Tobacco, Section 69.I.yy; New Zealand: Financial
Markets Conduct Act 2013, Section 461\]
103. Implement specific customer or third-party screening procedures.
\[ML Corruption, Section 28.II.101; ML Alcohol-Cannabis-Tobacco,
Section 69.I.bbb\]
104. Implement know-your-customer (KYC) protocols \[US Bank Secrecy Act,
Section 5318; EU Anti-Money Laundering Directive, Article 13\]
105. Develop and implement a corrective action plan. \[Canada: Canadian
Environmental Protection Act, 1999, S.C. 1999, c. 33, s. 317\]
106. Provide public access to information related to the infringement or
regulatory issue. \[Hong Kong: Code on Access to Information,
Section 2.2\]
107. Establish a training or education program or initiative. \[South
Korea: Vocational Education and Training Promotion Act, Article
15\]
108. Report on and disclose certain facts \[EU: Directive 2013/50/EU on
the transparency of measures regulating the pricing of medicinal
products for human use and their inclusion in the scope of national
health insurance systems, Article 3\]
109. Establish a stakeholder engagement or advisory process. \[Canada:
Impact Assessment Act, S.C. 2019, c. 28, s. 1, s. 22\]
110. Use specific methodologies or techniques for decision-making.
\[Hong Kong: Town Planning Ordinance, Cap. 131, Section 16\]
111. Establish a monitoring or evaluation program or initiative. \[South
Korea: Framework Act on the Management of Disasters and Safety,
Article 28\]
112. Use specific procedures or protocols for incident response or
crisis management. \[EU: Directive 2008/114/EC on the
identification and designation of European critical infrastructures
and the assessment of the need to improve their protection, Article
8\]
113. Require the submission of periodic compliance reports. \[EU:
Directive 2014/59/EU establishing a framework for the recovery and
resolution of credit institutions and investment firms, Article
100\]
114. Establish a certain system of maintenance of records in particular
when related to compliance. \[South Korea: Act on External Audit of
Stock Companies, Article 57; South Korea: Act on Real Name
Financial Transactions and Confidentiality, Article 23\]
115. Feed a public registry or database. \[EU: Regulation (EU) 2017/1129
on the prospectus to be published when securities are offered to
the public or admitted to trading on a regulated market, Article
14\]
116. Implement specific performance indicators or benchmarks. \[EU:
Directive 2009/72/EC concerning common rules for the internal
market in electricity, Article 22; Hong Kong: Waterworks Ordinance,
Cap. 102, Section 50\]
117. Use specific evaluation or assessment methods. \[Singapore:
Enlistment Act, Chapter 93, Section 21; Canada: Pest Control
Products Act, S.C. 2002, c. 28, s. 35\]
118. Provide information or assistance to other government departments
or agencies. \[Canada: Financial Administration Act, R.S.C.,
1985, c. F-11, s. 6\]
119. Provide information or assistance to other regulatory authorities.
\[Hong Kong: Competition Ordinance, Cap. 619, Section 43; New
Zealand: Local Government Official Information and Meetings Act
1987, Section 17\]
120. Provide information or assistance to other regulated entities or
individuals in relation to compliance or best practices. \[South
Korea: Act on the Consumer Protection in Electronic Commerce, etc.,
Article 37\]
121. Provide information or assistance to non-governmental organisations
or advocacy groups. \[New Zealand: Ombudsmen Act 1975, Section 22\]
122. Provide information or assistance to professional or industry
associations. \[Singapore: Legal Profession Act, Chapter 161,
Section 98\]
123. Provide information or data to facilitate research or policy
development. \[EU: Regulation (EU) 2018/1806 on the monitoring and
reporting of CO2 emissions from and fuel consumption of new
heavy-duty vehicles, Article 8\]
124. Provide information or assistance to consumers or users. \[Hong
Kong: Trade Descriptions Ordinance, Cap. 362, Section 21\]
125. Implement specific accessibility or accommodation measures.
\[Canada: Accessible Canada Act, S.C. 2019, c. 10, s. 5\]
126. Establish a research or development program or initiative.
\[Canada: Department of Health Act, R.S.C., 1985, c. H-3, s. 4\]
127. Establish a compliance committee within the board of directors of
infringing entities. \[U.K. Corporate Governance Code, Provision
22; U.S. Securities and Exchange Commission, Proposed Rule 13h-1;
ML Corruption, Section 28.II.92 and Section 28.II.127; ML
Alcohol-Cannabis-Tobacco, Section 69.I.yy and Section 69.I.bbbbb\]
128. Establish ethics committees with external members. \[ML Corruption,
Section 28.II.105; ML Alcohol-Cannabis-Tobacco, Section 69.I.eee\]
129. Establish an independent audit committee to oversee compliance.
\[US Dodd-Frank Wall Street Reform and Consumer Protection Act,
Section 955(a)\]
130. Create a cross-functional crisis management team for handling
severe compliance breaches. \[U.S. Federal Financial Institutions
Examination Council, Business Continuity Planning, Section 6;
Extrapolated from ML Corruption, Section 28.II.42\]
#### D. Conflicts, Damage Reduction and Compensation
\[The Competent Authority may (mandate to) / The private actor[^7]
must:\]
131. Provide technical assistance or support to affected parties or the
public. \[New Zealand: Hazardous Substances and New Organisms Act
1996, Section 107\]
132. Establish a consumer redress scheme. \[United Kingdom: Financial
Services and Markets Act 2000, Section 404\]
133. Establish a dispute resolution mechanism or process. \[Singapore:
Electronic Transactions Act, Chapter 88, Section 20\]
134. Use a specific conflict resolution or mediation processes. \[New
Zealand: Residential Tenancies Act 1986, Section 162; EU: Directive
2008/52/EC on certain aspects of mediation in civil and commercial
matters, Article 4\]
135. Create consumer ombudsman positions within infringing entities.
\[Swedish Consumer Agency Act, Section 12; ML Corruption, Section
28.II.121; ML Alcohol-Cannabis-Tobacco, Section 69.I.yyyy\]
136. Disclose information to affected parties or the public. \[Canada:
Personal Information Protection and Electronic Documents Act, S.C.
2000, c. 5, s. 8; Hong Kong: Control of Exemption Clauses
Ordinance, Cap. 71, Section 5\]
137. Provide information or assistance to the media or the public.
\[South Korea: Act on the Protection of and Support for Victims of
Crime, Article 21\]
138. Inform clients of non-compliant actors about their rights and
applicable legal requirements. \[ML Corruption, Section 28.II.25;
ML Alcohol-Cannabis-Tobacco, Section 69.I.oooo\]
139. Reimburse costs incurred by the authority in investigating or
remedying the infringement. \[South Korea: Soil Environment
Conservation Act, Article 38\]
#### E. International Cooperation of Authorities
\[The Competent Authority may:\]
140. Cooperate with international counterparts on cross-border
enforcement. \[ML Corruption, Section 28.II.36; ML
Alcohol-Cannabis-Tobacco, Section 69.I.yyy\]
141. Disseminate information on infringements to authorities of other
jurisdictions. \[ML Corruption, Section 28.II.22; ML
Alcohol-Cannabis-Tobacco, Section 69.I.zzz\]
142. Establish information-sharing protocols with foreign regulators for
transnational investigations. \[Extrapolated from ML Corruption,
Section 44\]
143. Create cross-border task forces for coordinated enforcement
actions. \[Extrapolated from ML Corruption, Section 44\]
144. Participate in peer evaluation programs with other competent
authorities. \[ML Corruption, Section 28.II.79; ML
Alcohol-Cannabis-Tobacco, Section 69.I.aaaa\]
145. Develop shared databases of compliance best practices with
international counterparts. \[Extrapolated from ML Corruption,
Section 44\]
146. Apply to courts for orders recognizing and enforcing foreign
decisions. \[ML Corruption, Section 28.II.68; ML
Alcohol-Cannabis-Tobacco, Section 69.I.tttt\]
147. Order the provision of information or assistance to international
organizations or foreign authorities. \[EU: Directive 2014/41/EU on
the European Investigation Order in criminal matters, Article 10\]
148. Order the provision of information or assistance to other
jurisdictions or regulatory authorities. \[Singapore: Mutual
Assistance in Criminal Matters Act, Chapter 185, Section 19\]
149. Order the provision of information or assistance to international
organizations or foreign authorities in relation to transnational
crimes or security threats. \[Canada: Criminal Code, R.S.C.,
1985, c. C-46, s. 83.28\]
### Sector specific:
We list here a number of sector-specific elements as additional
inspiration, most of which make most sense when imposed by a competent
authority on a case-by-case basis. However, they can also be transformed
into a proper generic obligation imposed on private actors by law.
Please adapt as illustrated in the following example:
Empowerment:
“The Competent Authority may impose product recall procedures for
non-compliant or dangerous products.”
Obligation:
“Economic actors must apply product recall procedures for non-compliant
or dangerous products.”
#### F. Data and Digital Matters
Admittedly, data and digital matters are relevant for so many sectors
that this section of the list could also be placed in the generic part.
\[The Competent Authority may:\]
150. Require the implementation of specific data protection or privacy
measures. \[Canada: Personal Information Protection and Electronic
Documents Act, S.C. 2000, c. 5, s. 4.7; EU GDPR, Article 25;
California Consumer Privacy Act, Section 1798.100; ML Corruption,
Section 28.II.104; ML Alcohol-Cannabis-Tobacco, Section 69.I.ddd\]
151. Impose restrictions on the collection and use of personal data
without consent. \[EU GDPR, Article 6; US Health Insurance
Portability and Accountability Act, Section 164.502\]
152. Require the anonymization or pseudonymisation of personal data.
\[EU GDPR, Article 25; US Health Insurance Portability and
Accountability Act, Section 164.514\]
153. Require the implementation of a data minimization principle. \[EU
GDPR, Article 5; California Consumer Privacy Act, Section
1798.100\]
154. Mandate the implementation of privacy-by-design principles. \[EU
GDPR, Article 25\]
155. Mandate the use of privacy-enhancing technologies in data
processing activities. \[Extrapolated from ML Corruption, Section
28.II.104; EU GDPR, Article 25\]
156. Mandate the use of privacy-enhancing technologies in data-intensive
industries. \[EU GDPR, Article 25\]
157. Require the appointment of a data protection officer. \[EU GDPR,
Article 37; Brazil General Data Protection Law, Article 41\]
158. Require the establishment of a data protection impact assessment
process. \[EU GDPR, Article 35; Brazil General Data Protection Law,
Article 38\]
159. Require public reporting of data breaches and security incidents.
\[EU GDPR, Article 33; US State Data Breach Notification Laws\]
160. Require entities to notify affected individuals of data breaches.
\[EU GDPR, Article 34; US State Data Breach Notification Laws\]
161. Require the implementation of a data breach response plan. \[EU
GDPR, Article 33; US State Data Breach Notification Laws\]
162. Impose restrictions on the transfer of personal data to third
countries. \[EU GDPR, Chapter V; US Health Insurance Portability
and Accountability Act, Section 164.504\]
163. Impose restrictions on the use of automated decision-making
systems. \[EU GDPR, Article 22; California Consumer Privacy Act,
Section 1798.185\]
164. Mandate the implementation of data portability measures. \[EU GDPR,
Article 20\]
165. Require the adoption of specific data localization requirements for
sensitive information. \[Extrapolated from ML Corruption, Section
28.II.116; Russian Federal Law on Personal Data, Article 18\]
166. Mandate the implementation of specific measures to ensure
algorithmic transparency and explainability. \[Extrapolated from ML
Corruption, Section 28.II.132; EU GDPR, Article 13\]
167. Require the implementation of specific measures to ensure
responsible artificial intelligence use. \[ML Corruption, Section
28.II.132; ML Alcohol-Cannabis-Tobacco, Section 69.I.mmm\]
168. Require the implementation of specific measures to ensure
responsible and ethical use of quantum computing technologies.
\[Extrapolated from ML Corruption, Section 28.II.132; EU Quantum
Manifesto, Section 4.3\]
169. Require the establishment of a dedicated data ethics board within
the organization. \[Extrapolated from ML Corruption, Section
28.II.105\]
170. Order the establishment of an ethical artificial intelligence or
digital innovation program or initiative. \[Canada: Pan-Canadian
Artificial Intelligence Strategy, Section 1\]
171. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of ethical artificial
intelligence or digital innovation. \[Hong Kong: Personal Data
(Privacy) Ordinance, Cap. 486, Section 33\]
172. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of digital
transformation or innovation. \[Hong Kong: Electronic Transactions
Ordinance, Cap. 553, Section 5\]
173. Order the establishment of a digital transformation or innovation
program or initiative. \[Canada: Department of Canadian Heritage
Act, S.C. 1995, c. 11, s. 4\]
174. Mandate the use of secure data storage solutions. \[US Federal
Information Security Management Act, Section 3544; EU GDPR, Article
32\]
175. Mandate the use of encryption for sensitive data. \[US Health
Insurance Portability and Accountability Act, Section 164.312; EU
GDPR, Article 32\]
176. Mandate the use of secure data backup solutions. \[US Federal
Information Security Modernization Act, Section 3554; EU GDPR,
Article 32\]
177. Impose requirements for secure data disposal. \[US Federal
Information Security Management Act, Section 3544; EU GDPR, Article
32\]
178. Require the implementation of network segmentation to protect
sensitive data. \[US Federal Information Security Management Act,
Section 3544; EU GDPR, Article 32\]
179. Require the implementation of access controls for sensitive data.
\[US Health Insurance Portability and Accountability Act, Section
164.308; EU GDPR, Article 32\]
180. Impose requirements for secure remote access to systems. \[US
Federal Information Security Management Act, Section 3544; EU GDPR,
Article 32\]
181. Mandate the use of security tokens for sensitive transactions. \[US
Federal Information Security Modernization Act, Section 3554; EU
GDPR, Article 32\]
182. Mandate the use of secure communication channels for transmitting
sensitive information. \[US Health Insurance Portability and
Accountability Act, Section 164.312; EU GDPR, Article 32\]
183. Require the implementation of monitoring and logging of access to
sensitive data. \[US Federal Information Security Management Act,
Section 3544; EU GDPR, Article 32\]
184. Mandate the use of multi-factor authentication for accessing
sensitive systems. \[US Federal Information Security Modernization
Act, Section 3554; EU GDPR, Article 32\]
185. Require the implementation of secure software development lifecycle
(SDLC) practices. \[US Federal Information Security Modernization
Act, Section 3554; EU Cybersecurity Act, Article 16\]
186. Mandate the use of secure coding practices. \[US Federal
Information Security Modernization Act, Section 3554; EU
Cybersecurity Act, Article 16\]
187. Mandate the use of secure software development practices. \[US
Federal Information Security Modernization Act, Section 3554; EU
Cybersecurity Act, Article 16\]
188. Require the implementation of a security awareness program for
employees. \[US Federal Information Security Modernization Act,
Section 3554; EU GDPR, Article 39\]
189. Require regular training on data protection for employees. \[EU
GDPR, Article 39; US Federal Information Security Management Act,
Section 3544\]
190. Require the regular review and updating of security policies and
procedures. \[US Federal Information Security Modernization Act,
Section 3554; EU GDPR, Article 32\]
191. Mandate the use of firewalls and intrusion detection systems. \[US
Federal Information Security Management Act, Section 3544; EU
Cybersecurity Act, Article 16\]
192. Require the implementation of physical security controls for
sensitive data. \[US Health Insurance Portability and
Accountability Act, Section 164.310; EU GDPR, Article 32\]
193. Mandate the use of secure web applications. \[US Federal
Information Security Modernization Act, Section 3554; EU
Cybersecurity Act, Article 16\]
194. Require the implementation of a security incident management
process. \[US Federal Information Security Management Act, Section
3544; EU GDPR, Article 32\]
195. Impose requirements for secure mobile device management. \[US
Federal Information Security Modernization Act, Section 3554; EU
GDPR, Article 32\]
196. Mandate the establishment of a cybersecurity framework. \[US
Cybersecurity Information Sharing Act, Section 2; EU NIS Directive,
Article 14\]
197. Impose mandatory cybersecurity frameworks for critical
infrastructure sectors. \[US Cybersecurity Information Sharing Act,
Section 2; EU NIS Directive, Article 14\]
198. Mandate the use of secure cloud services. \[US Federal Information
Security Modernization Act, Section 3554; EU Cybersecurity Act,
Article 16\]
199. Order the modification or replacement of non-compliant equipment or
infrastructure. \[Directive 2009/125/EC establishing a framework
for the setting of ecodesign requirements for energy-related
products, Article 16\]
200. Order the implementation of enhanced cybersecurity measures,
including regular penetration testing and vulnerability
assessments. \[U.S. Cybersecurity Maturity Model Certification,
Level 3\]
201. Require entities to conduct regular vulnerability assessments. \[US
Federal Information Security Modernization Act, Section 3554; EU
Cybersecurity Act, Article 16\]
202. Order the creation of dedicated cybersecurity incident response
teams. \[U.S. Cybersecurity Information Sharing Act, Section 4\]
203. Require the adoption of specific measures to prevent and detect
digital fraud and identity theft. \[Extrapolated from ML
Corruption, Section 28.II.112; U.S. Federal Trade Commission, Red
Flags Rule, Section 315.100\]
204. Order the implementation of enhanced measures to ensure the
integrity and security of Internet of Things (IoT) devices. \[U.K.
Code of Practice for Consumer IoT Security, Section 3\]
205. Require the implementation of specific measures to ensure the
protection of children's personal data online. \[U.S. Children's
Online Privacy Protection Act, Section 5\]
206. Require the implementation of specific measures to ensure the
protection of children's privacy online. \[Extrapolated from ML
Corruption, Section 28.II.104; U.S. Children's Online Privacy
Protection Act, Section 5\]
207. 11\. Require the implementation of specific measures to prevent
online child sexual exploitation. \[U.S. PROTECT Act, Section 111\]
208. Order the implementation of enhanced measures to ensure the
integrity and security of online voting systems. \[U.S. Help
America Vote Act, Section 301\]
209. Require the implementation of specific measures to prevent online
radicalization and terrorist content. \[EU Regulation on Preventing
the Dissemination of Terrorist Content Online, Article 6\]
210. Require the implementation of specific measures to prevent online
disinformation and fake news. \[EU Code of Practice on
Disinformation, Section 2.2\]
211. Require the implementation of specific measures to prevent online
fraud and scams. \[U.S. Federal Trade Commission Act, Section 5\]
212. Require the implementation of specific measures to prevent online
hate speech and incitement to violence. \[U.K. Malicious
Communications Act, Section 1\]
213. Order the removal of online content that violates intellectual
property rights. \[U.S. Digital Millennium Copyright Act, Section
512\]
214. Impose restrictions on the use of certain types of online tracking
technologies. \[EU GDPR, Article 5\]
215. Mandate the implementation of specific measures to ensure the
ethical use of artificial intelligence in online services. \[EU
Ethics Guidelines for Trustworthy AI, Section 2.1\]
216. Mandate the implementation of specific measures to ensure the
ethical use of facial recognition technologies. \[EU Ethics
Guidelines for Trustworthy AI, Section 2.1\]
217. Require the implementation of specific measures to prevent online
harassment and cyberbullying. \[U.K. Malicious Communications Act,
Section 1\]
218. Order the implementation of enhanced measures to ensure the
integrity and security of online voting systems. \[U.S. Help
America Vote Act, Section 301\]
219. Require the implementation of specific measures to prevent online
radicalisation and terrorist content. \[EU Regulation on Preventing
the Dissemination of Terrorist Content Online, Article 6\]
220. Order the implementation of enhanced measures to ensure the
transparency and fairness of online political advertising. \[U.S.
Honest Ads Act, Section 2\]
221. Require the implementation of specific measures to prevent online
disinformation and fake news. \[EU Code of Practice on
Disinformation, Section 2.2\]
222. Mandate the implementation of specific measures to ensure the
protection of personal data in online services. \[EU GDPR, Article
5\]
223. Order the implementation of enhanced measures to ensure the
protection of intellectual property rights online. \[U.S. Digital
Millennium Copyright Act, Section 512\]
224. Require the implementation of specific measures to prevent online
fraud and scams. \[U.S. Federal Trade Commission Act, Section 5\]
225. Order the implementation of enhanced measures to ensure the
security of online financial transactions. \[U.S. Payment Card
Industry Data Security Standard, Requirement 6\]
226. Require the implementation of specific measures to prevent online
hate speech and incitement to violence. \[U.K. Malicious
Communications Act, Section 1\]
227. Order the implementation of enhanced measures to ensure the
security of online health data. \[U.S. Health Insurance Portability
and Accountability Act, Section 164.308\]
228. Require the implementation of specific measures to prevent online
child sexual exploitation. \[U.S. PROTECT Act, Section 111\]
#### G. Fair Economy
\[The Competent Authority may:\]
229. Require the implementation of specific conflict of interest
policies and procedures. \[ML Corruption, Section 28.II.114; ML
Alcohol-Cannabis-Tobacco, Section 69.I.hhh; U.S. Securities and
Exchange Commission, Rule 17j-1\]
230. Require the implementation of specific anti-money laundering and
counter-terrorist financing measures. \[ML Corruption, Section
28.II.112; ML Alcohol-Cannabis-Tobacco, Section 69.I.ggg; U.S. Bank
Secrecy Act, Section 352\]
231. Require the implementation of specific measures to prevent insider
trading and market manipulation. \[ML Corruption, Section
28.II.124; ML Alcohol-Cannabis-Tobacco, Section 69.I.iii; U.S.
Securities Exchange Act, Section 10(b)\]
232. Require the implementation of specific measures to ensure fair
competition and prevent anti-competitive practices. \[ML
Corruption, Section 28.II.126; ML Alcohol-CannabisTobacco, Section
69.I.kkk\]
233. Require the implementation of specific measures to prevent
discriminatory practices. \[ML Corruption, Section 28.II.123; U.S.
Equal Employment Opportunity Commission, Title VII\]
234. Impose a requirement for the use of specific procurement or
contracting processes. \[Hong Kong: Public Works Ordinance, Cap.
1200, Section 4\]
235. Order the implementation of specific supply chain due diligence
procedures. \[ML Corruption, Section 28.II.107; ML
Alcohol-Cannabis-Tobacco, Section 69.I.fff\]
236. Require the implementation of specific measures to ensure
responsible supply chain management. \[ML Corruption, Section
28.II.138; ML Alcohol-Cannabis-Tobacco, Section 69.I.ooo\]
237. Require the implementation of specific measures to promote social
responsibility or ethical conduct. \[EU: Directive 2014/95/EU on
the disclosure of non-financial and diversity information by
certain large undertakings and groups, Article 2\]
238. Order the establishment of a labor protection or advocacy program
or initiative. \[Canada: Canada Labour Code, R.S.C., 1985, c.
L-2, s. 127.1\]
239. Impose a requirement for the use of specific standards or
guidelines for occupational health and safety. \[Hong Kong:
Occupational Safety and Health Ordinance, Cap. 509, Section 6\]
240. Require public disclosure of gender pay gap information. \[UK
Equality Act 2010, Regulation 2\]
241. Require public reporting on workforce diversity and inclusion
metrics. \[Australia Workplace Gender Equality Act 2012, Section
13\]
242. Require the implementation of specific measures to ensure fair
labor practices and prevent exploitation. \[ML Corruption, Section
28.II.135; International Labour Organization Declaration on
Fundamental Principles and Rights at Work, Article 2\]
243. Order the provision of information or assistance to other
government departments or agencies in relation to labor protection
or occupational health and safety. \[Singapore: Workplace Safety
and Health Act, Chapter 354A, Section 54\]
244. Require the implementation of specific measures to protect the
interests of small and medium-sized enterprises (SMEs) or promote
entrepreneurship. \[Hong Kong: Competition Ordinance, Cap. 619,
Section 3\]
245. Order the establishment of a program or initiative to support the
development and growth of SMEs. \[Singapore: Enterprise Development
Grant Act, Chapter 94A, Section 4\]
246. Impose a requirement for the use of specific standards or
guidelines for the protection of intellectual property rights.
\[New Zealand: Patents Act 2013, Section 15\]
247. Order the establishment of an investor protection or advocacy
program or initiative. \[South Korea: Financial Investment Services
and Capital Markets Act, Article 112\]
248. Impose a requirement for the use of specific standards or
guidelines for financial reporting or disclosure. \[EU: Directive
2013/34/EU on the annual financial statements, consolidated
financial statements and related reports of certain types of
undertakings, Article 30\]
249. Require the implementation of specific measures to promote
transparency or accountability. \[EU: Directive 2013/34/EU on the
annual financial statements, consolidated financial statements and
related reports of certain types of undertakings, Article 29a\]
250. Require the implementation of specific measures to protect the
interests of the public or promote responsible business conduct and
corporate social responsibility. \[New Zealand: Companies Act 1993,
Section 155\]
251. Order the establishment of a responsible business conduct or
corporate social responsibility program or initiative. \[South
Korea: Framework Act on Corporate Social Responsibility, Article
3\]
252. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of responsible business
conduct or corporate social responsibility. \[EU: Directive
2014/95/EU on the disclosure of non-financial and diversity
information by certain large undertakings and groups, Article 2\]
253. Require the implementation of specific measures to protect the
interests of the public or promote financial literacy and consumer
protection. \[Hong Kong: Securities and Futures Ordinance, Cap.
571, Section 393; Singapore: Financial Advisers Act, Chapter 110,
Section 3; New Zealand: Financial Markets Conduct Act 2013, Section
7\]
254. Mandate the implementation of circular economy practices. \[EU
Circular Economy Action Plan, Section 3.1\]
255. Mandate the implementation of diversity and inclusion programs. \[
U.S. Securities and Exchange Commission, Proposed Rule 13h-1\]
256. Mandate the implementation of human rights due diligence. \[UN
Guiding Principles on Business and Human Rights, Principle 17\]
257. Mandate the implementation of fair labor practices. \[International
Labour Organization Declaration on Fundamental Principles and
Rights at Work, Article 2\]
258. Mandate the implementation of sustainable procurement practices.
\[EU Directive on Public Procurement, Article 67\]
259. Order the creation of a dedicated innovation ethics committee to
assess new products and services. \[EU High-Level Expert Group on
Artificial Intelligence, Ethics Guidelines for Trustworthy AI,
Section 2.1\]
260. Mandate the implementation of specific measures to ensure fair and
transparent pricing algorithms. \[EU Platform-to-Business
Regulation, Article 5\]
261. Require the implementation of specific measures to ensure
algorithmic fairness in credit scoring and lending decisions. U.S.
Equal Credit Opportunity Act, Section 701\]
#### H. Products and other Goods
\[The Competent Authority may:\]
262. Require the implementation of specific measures to ensure product
safety and quality control. \[ML Corruption, Section 28.II.129; ML
Alcohol-Cannabis-Tobacco, Section 69.I.lll; U.S. Consumer Product
Safety Act, Section 15\]
263. Impose product recall procedures for non-compliant or dangerous
products. \[ML Corruption, Section 28.II.119; ML
Alcohol-Cannabis-Tobacco, Section 69.I.xxxx\]
264. Impose a temporary ban on the marketing or distribution of a
product. \[Singapore: Sale of Food Act, Chapter 283, Section 16\]
265. Order the recall or disposal of products that pose a risk to public
health or safety. \[South Korea: Food Sanitation Act, Article 50\]
266. Impose restrictions on the import or export of goods related to the
infringement. \[EU: Regulation (EU) No 649/2012 concerning exports
of certain goods and technologies to Iran, Article 11\]
267. Require the labeling or marking of products to indicate compliance
or non-compliance. \[EU: Regulation (EC) No 1272/2008 on
classification, labeling, and packaging of substances and mixtures,
Article 25\]
268. Impose a requirement for the use of specific labeling or packaging
requirements. \[South Korea: Act on the Labeling and Advertisement
of Foods, Article 10\]
269. Impose a requirement for the use of specific standards or
guidelines for product labeling or advertising. \[Hong Kong: Trade
Descriptions Ordinance, Cap. 362, Section 10\]
270. Impose a requirement for the use of specific design or construction
standards. \[Singapore: Building Maintenance and Strata Management
Act, Chapter 30C, Section 96\]
271. Mandate product lifecycle responsibility. \[EU Directive on Waste
Electrical and Electronic Equipment, Article 8\]
#### I. Environment
\[The Competent Authority may:\]
272. Order the establishment of a product stewardship or extended
producer responsibility program. \[New Zealand: Waste Minimisation
Act 2008, Section 15; see also the previous entry\]
273. Mandate the implementation of circular economy principles in
product design and manufacturing. \[EU Circular Economy Action
Plan, Section 3.1\]
274. Mandate the use of sustainable materials in regulated industries.
\[EU Timber Regulation, Article 4\]
275. Require the implementation of specific environmental impact
assessment procedures. \[ML Environmental Liability, Section 3;
U.S. National Environmental Policy Act, Section 102\]
276. Impose mandatory sustainability reporting related to compliance
matters. \[ML Corruption, Section 28.II.106; ML
Alcohol-Cannabis-Tobacco, Section 69.I.sss\]
277. Impose a moratorium on specific activities or developments. \[New
Zealand: Resource Management Act 1991, Section 108\]
278. Order the restoration of damaged or degraded natural resources.
\[Singapore: Parks and Trees Act, Chapter 216, Section 32\]
279. Order the removal or remediation of environmental hazards or
contamination. \[Canada: Fisheries Act, R.S.C., 1985, c. F-14, s.
36\]
280. Order the establishment of an energy efficiency or renewable energy
program or initiative. \[South Korea: Renewable Energy Act, Article
4\]
281. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of energy efficiency or
renewable energy. \[EU: Directive 2012/27/EU on energy efficiency,
Article 7\]
282. Require the implementation of specific measures to protect the
interests of the public or promote climate change mitigation and
adaptation. \[Hong Kong: Air Pollution Control Ordinance, Cap. 311,
Section 2B; Singapore: Climate Change Act, Chapter 40A, Section 3;
New Zealand: Climate Change Response (Zero Carbon) Amendment Act
2019, Section 5ZC\]
283. Require the implementation of specific measures to protect the
interests of the public or promote biodiversity conservation and
ecosystem restoration. \[EU: Directive 2014/89/EU establishing a
framework for marine spatial planning, Article 8\]
284. Order the establishment of a biodiversity conservation or ecosystem
restoration program or initiative. \[Canada: Species at Risk Act,
S.C. 2002, c. 29, s. 5\]
285. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of biodiversity
conservation or ecosystem restoration. \[Hong Kong: Country Parks
Ordinance, Cap. 208, Section 3\]
286. Mandate the use of renewable energy sources for energy-intensive
regulated activities. \[EU Renewable Energy Directive, Article 3\]
287. Require companies to disclose information about their supply chains
and sourcing practices. \[UK Modern Slavery Act, Section 54\]
288. Require the implementation of human rights due diligence procedures
in global supply chains. \[UN Guiding Principles on Business and
Human Rights, Principle 17\]
289. Mandate the implementation of specific supply chain transparency
measures, including the use of blockchain technology. \[U.S.
Customs and Border Protection, Informed Compliance Publication on
Reasonable Care, Section 4.3\]
#### J. Equality, Vulnerable Persons, Well-being and Health
\[The Competent Authority may:\]
290. Require the implementation of specific measures to protect the
interests of children or vulnerable persons. \[New Zealand:
Children, Young Persons, and Their Families Act 1989, Section 13\]
291. Order the establishment of a child protection or advocacy program
or initiative. \[South Korea: Act on the Protection of Children and
Juveniles from Sexual Abuse, Article 17\]
292. Impose a requirement for the use of specific standards or
guidelines for the care or protection of children or vulnerable
persons. \[EU: Directive 2011/98/EU on a single application
procedure for a single permit for third-country nationals to reside
and work in the territory of a Member State and on a common set of
rights for third-country workers legally residing in a Member
State, Article 12\]
293. Order the provision of information or assistance to other
government departments or agencies in relation to child protection
or the protection of vulnerable persons. \[Canada: Immigration and
Refugee Protection Act, S.C. 2001, c. 27, s. 161\]
294. Require the implementation of specific measures to protect the
interests of indigenous peoples or promote reconciliation. \[New
Zealand: Treaty of Waitangi Act 1975, Section 5\]
295. Order the establishment of a program or initiative to support the
social and economic development of indigenous peoples. \[South
Korea: Framework Act on Indigenous Peoples, Article 14\]
296. Impose a requirement for the use of specific standards or
guidelines for the protection of indigenous rights or cultural
heritage. \[EU: Directive 2001/18/EC on the deliberate release into
the environment of genetically modified organisms, Article 26\]
297. Order the establishment of a sports or recreation program or
initiative. \[Canada: Department of Canadian Heritage Act, S.C.
1995, c. 11, s. 4\]
298. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of sports or recreation.
\[Hong Kong: Sports Development Council Ordinance, Cap. 446,
Section 4\]
299. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of gender equality or
women's empowerment. \[EU: Directive 2006/54/EC on the
implementation of the principle of equal opportunities and equal
treatment of men and women in matters of employment and occupation,
Article 3\]
300. Mandate the implementation of age (other legitimacy factors)
verification systems. \[UK Online Safety Act 2023, Section 12(4)\]
301. Require the implementation of specific measures to protect the
interests of the public or promote child welfare and protection.
\[Hong Kong: Protection of Children and Juveniles Ordinance, Cap.
213, Section 3\]
302. Order the establishment of a child welfare or protection program or
initiative. \[Singapore: Children and Young Persons Act, Chapter
38, Section 3\]
303. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of child welfare or
protection. \[New Zealand: Children, Young Persons, and Their
Families Act 1989, Section 13\]
304. Order the provision of information or assistance to other
government departments or agencies in relation to child welfare and
protection. \[South Korea: Child Welfare Act, Article 4\]
305. Require the implementation of specific measures to prevent online
child sexual exploitation. \[U.S. PROTECT Act, Section 111\]
306. Require the implementation of specific measures to protect the
interests of the public or promote elder care and support. \[EU:
Directive 2011/98/EU, Article 14\]
307. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of elder care or
support. \[Hong Kong: Elderly Persons Ordinance, Cap. 419, Section
3\]
308. Order the establishment of a substance abuse prevention or
treatment program or initiative. \[Singapore: Misuse of Drugs Act,
Chapter 185, Section 3\]
309. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of substance abuse
prevention or treatment. \[New Zealand: Misuse of Drugs Act 1975,
Section 4\]
310. Require the implementation of specific measures to protect the
interests of the public or promote tobacco control and smoking
cessation. \[EU: Directive 2014/40/EU on the approximation of the
laws, regulations, and administrative provisions of the Member
States concerning the manufacture, presentation, and sale of
tobacco and related products, Article 20\]
311. Impose a requirement for the use of specific standards or
guidelines for the promotion or regulation of tobacco control or
smoking cessation. \[Hong Kong: Smoking (Public Health) Ordinance,
Cap. 371, Section 3\]
312. Require the implementation of specific measures to prevent online
gambling addiction. \[U.K. Gambling Act, Section 4\]
313. Require the implementation of specific measures to prevent
discriminatory practices. \[Extrapolated from ML Corruption,
Section 28.II.123\]
314. Require the implementation of enhanced measures to protect
children's privacy online. \[Extrapolated from ML Corruption,
Section 28.II.104\]
[^1]: By far the best performing LLM for extracting elements from the
Regulatory Institute's model laws was Claude Sonnet 3.5 (Anthropic).
By far the best performing LLM for completing the list with examples
from the internet was Perplexity. However, some contributions were
made by Chat GPT 4o, Deepai and Mistral.
[^2]: Strictly speaking, Perplexity is not an independent LLM, but an
interface that builds on various LLMs.
[^3]: In theory, any kind of obligation can be imposed to sanction a
person.
[^4]: In exceptional cases, those who have to abide by the law or an
authority order are public actors not falling under the term of
“authority”, e.g. public foundations.
[^5]: To be specified.
[^6]: To be specified.
[^7]: To be specified.