MEDIA & TELECOM

Four regulations converge on the same algorithm. Your compliance structure was built for one at a time

Broadcasters, publishers, streaming platforms, telecommunications operators, content distributors. Media and telecom companies operate at the intersection of the AI Act, the Digital Services Act, the Digital Markets Act, and intellectual property regulation, with AI now embedded across content, network operations, and customer experience.

How AI is changing media and telecom

The dominant approach in media and telecom has been to address each regulation in isolation. Privacy and data protection in one team, content moderation under DSA in another, network security under telecom regulations in a third, and AI as an emerging topic still being assigned ownership.

That distribution worked when each regulation addressed a distinct activity. When AI sits at the intersection of all four, no single compliance track covers the full picture.

A recommender system deployed by a streaming platform falls under the AI Act, the DSA, the DMA, and intellectual property law simultaneously, depending on what content it surfaces, to whom, and on which conditions. A generative AI tool used to produce news content touches AI Act provider and deployer obligations, DSA transparency requirements, and intellectual property rights of the training data sources. A network optimization AI in a telecom operator falls under critical infrastructure rules, the AI Act, and sectoral telecommunications regulation. Each of these regulations was written independently, and they all apply at once.

What risks does this create

The risks are structural, and they are amplified by the public-facing nature of media and telecom operations.

Regulatory convergence that single-function teams cannot manage

DSA, DMA, AI Act, and intellectual property obligations are owned by different legal and compliance teams in most organizations. When a recommender algorithm simultaneously triggers all four, no single team has the mandate to govern it. The result is a governance gap that regulators will eventually find, and that litigation will eventually exploit.

Content AI at a new evidentiary standard

Generative AI used in content production, moderation, or recommendation needs to demonstrate provenance, fairness, and transparency at a level that self-attestation does not satisfy. The DSA explicitly requires algorithmic transparency for recommender systems on Very Large Online Platforms. The AI Act adds risk management obligations on top. For companies operating at the scale where these obligations apply, independent certification is the most defensible approach to demonstrating compliance.

Network AI inside critical infrastructure

Telecom operators deploying AI in network management, capacity optimization, fraud detection, or emergency routing are simultaneously subject to AI Act high-risk obligations and to telecommunications-specific oversight under NIS2 and sectoral regulations. Governing these through separate compliance channels produces the fragmentation that regulators penalize.

Intellectual property exposure in generative AI

Media companies deploying AI that generates or synthesizes content from training data carry copyright exposure that data protection frameworks do not address. The EU AI Act's transparency requirements for GPAI models add a further layer. Neither framework alone resolves the problem.

The question that has changed

The question has moved from which regulation applies to this AI deployment, to whether you can demonstrate a governance framework that satisfies all the regulations that apply simultaneously, without creating fragmentation between teams that own different parts of the same problem.

How these risks can be mitigated

The mitigation path runs through coordination, not parallel compliance tracks.

1

AI governance as a coordination structure

ISO/IEC 42001 provides the management system structure that integrates obligations across DSA, DMA, AI Act, and sectoral regulations into a single auditable framework. The legal analysis for each regulation still happens. ISO/IEC 42001 is the operational layer that makes acting on it governable.

2

Separate evidentiary standards for content AI

Generative AI, recommender systems, and content moderation AI each require documented controls specific to their risk profile. A single policy across all three will not hold under the evidentiary standard regulators apply to each.

3

Network AI addressed inside the critical infrastructure framework

For telecom operators, AI in network functions needs to be addressed within the NIS2 and AI Act critical infrastructure obligations simultaneously. ISO/IEC 42001 integrated with ISO/IEC 27001 provides the management system that covers both.

For media and telecom companies, the convergence of regulations requires a governance architecture. Certification provides the independent evidence that the architecture actually operates.

What regulators are asking and what certification answers

Regulatory obligation What it requires How Zertia addresses it
EU AI Act — Art. 26 + Annex III (Deployer obligations, critical infrastructure) Telecom operators using AI in critical network functions carry high-risk deployer obligations. Document AI systems, implement risk management, maintain human oversight, and keep logs ISO/IEC 42001 certification integrated with ISO/IEC 27001 ISMS. Our audit scope covers AI Act Art. 26 requirements within the critical infrastructure context.
Digital Services Act — Art. 38 (Recommender systems transparency) Applies to Very Large Online Platforms (VLOPs) with more than 45 million monthly active users in the EU. VLOPs must offer users at least one recommender option not based on profiling, publish algorithmic transparency reports, and conduct risk assessments for recommender systems that may cause systemic harm. Smaller platforms face less prescriptive obligations under the DSA's tiered framework Multi-Regulatory AI Assessment maps recommender system obligations under DSA against existing governance. Content AI Verification provides independent assessment documentation for DSA compliance files.
EU AI Act — Art. 50 (Transparency for AI-generated content) AI-generated or AI-manipulated content must be labeled. Providers of GPAI models used in content generation must maintain technical documentation and comply with copyright law. Applies to media companies deploying generative AI in production workflows Covered in certification scope. Provenance documentation, labeling controls, and transparency obligations are assessed as part of the AI management system audit.
NIS2 Directive (Essential entities: telecom) Telecom operators as essential entities under NIS2 must implement cybersecurity risk management measures. NIS2 covers cybersecurity incidents, including those arising from compromised or manipulated AI systems in network operations. An AI model failure that is not security-related does not trigger NIS2 reporting, though operational and regulatory consequences may follow under sectoral law ISO/IEC 42001 integrated with ISO/IEC 27001. Single governance framework addressing NIS2 cybersecurity obligations and AI management system requirements in a single audit cycle.
WHERE TO START

From inquiry to certification

If you're earlier in the process

1

Get the Media and Telecom AI Roadmap

Free

A structured assessment for broadcasters, publishers, platforms, and telecom operators. Covers AI inventory, multi-regulatory mapping, and governance gap analysis.

Download the roadmap
2

Readiness Audit

Paid · Fixed fee

Diagnostic of your AI deployments against ISO/IEC 42001 and the convergence of AI Act, DSA, DMA, and sectoral regulations.

Book a readiness audit

If you're ready for certification

ISO/IEC 42001 Certification

ANAB-accredited

Three-year cycle, fixed fees, ANAB-accredited. Designed for the multi-regulatory reality of these sectors.

Talk to us about certification
HOW WE ENGAGE

A model that adapts to your firm

How we work with you depends on your scale and regulatory footprint. A national broadcaster operates on different terms than a multi-jurisdictional streaming platform. Three engagement models.

See how we engage →
  • Startup

    Early-stage AI. Light roadmap, certification when you scale.

  • Scaleup

    Readiness audit and certification timed to your growth.

  • Enterprise

    Full certification with recurring governance and ongoing support.

ACCREDITATION

Zertia is a conformity assessment body accredited by ANAB for ISO/IEC 42001

Our certification activities under ISO/IEC 42001 are conducted under accreditation by ANAB (ANSI National Accreditation Board), a globally recognized accreditation body.

ANAB accreditation confirms that our audit and certification processes meet applicable ISO standards and international requirements for competence, impartiality, and independence. Our methodologies, auditor qualifications, and decision processes are externally assessed against rigorous technical criteria.

For certified organizations, this provides internationally recognized certificates and enhanced credibility with regulators, clients, and investors.

Your fast track to compliance starts here

Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.