Four regulations converge on the same algorithm. Your compliance structure was built for one at a time
Broadcasters, publishers, streaming platforms, telecommunications operators, content distributors. Media and telecom companies operate at the intersection of the AI Act, the Digital Services Act, the Digital Markets Act, and intellectual property regulation, with AI now embedded across content, network operations, and customer experience.
How AI is changing media and telecom
The dominant approach in media and telecom has been to address each regulation in isolation. Privacy and data protection in one team, content moderation under DSA in another, network security under telecom regulations in a third, and AI as an emerging topic still being assigned ownership.
That distribution worked when each regulation addressed a distinct activity. When AI sits at the intersection of all four, no single compliance track covers the full picture.
A recommender system deployed by a streaming platform falls under the AI Act, the DSA, the DMA, and intellectual property law simultaneously, depending on what content it surfaces, to whom, and on which conditions. A generative AI tool used to produce news content touches AI Act provider and deployer obligations, DSA transparency requirements, and intellectual property rights of the training data sources. A network optimization AI in a telecom operator falls under critical infrastructure rules, the AI Act, and sectoral telecommunications regulation. Each of these regulations was written independently, and they all apply at once.
What risks does this create
The risks are structural, and they are amplified by the public-facing nature of media and telecom operations.
Regulatory convergence that single-function teams cannot manage
DSA, DMA, AI Act, and intellectual property obligations are owned by different legal and compliance teams in most organizations. When a recommender algorithm simultaneously triggers all four, no single team has the mandate to govern it. The result is a governance gap that regulators will eventually find, and that litigation will eventually exploit.
Content AI at a new evidentiary standard
Generative AI used in content production, moderation, or recommendation needs to demonstrate provenance, fairness, and transparency at a level that self-attestation does not satisfy. The DSA explicitly requires algorithmic transparency for recommender systems on Very Large Online Platforms. The AI Act adds risk management obligations on top. For companies operating at the scale where these obligations apply, independent certification is the most defensible approach to demonstrating compliance.
Network AI inside critical infrastructure
Telecom operators deploying AI in network management, capacity optimization, fraud detection, or emergency routing are simultaneously subject to AI Act high-risk obligations and to telecommunications-specific oversight under NIS2 and sectoral regulations. Governing these through separate compliance channels produces the fragmentation that regulators penalize.
Intellectual property exposure in generative AI
Media companies deploying AI that generates or synthesizes content from training data carry copyright exposure that data protection frameworks do not address. The EU AI Act's transparency requirements for GPAI models add a further layer. Neither framework alone resolves the problem.
The question that has changed
The question has moved from which regulation applies to this AI deployment, to whether you can demonstrate a governance framework that satisfies all the regulations that apply simultaneously, without creating fragmentation between teams that own different parts of the same problem.
How these risks can be mitigated
The mitigation path runs through coordination, not parallel compliance tracks.
AI governance as a coordination structure
ISO/IEC 42001 provides the management system structure that integrates obligations across DSA, DMA, AI Act, and sectoral regulations into a single auditable framework. The legal analysis for each regulation still happens. ISO/IEC 42001 is the operational layer that makes acting on it governable.
Separate evidentiary standards for content AI
Generative AI, recommender systems, and content moderation AI each require documented controls specific to their risk profile. A single policy across all three will not hold under the evidentiary standard regulators apply to each.
Network AI addressed inside the critical infrastructure framework
For telecom operators, AI in network functions needs to be addressed within the NIS2 and AI Act critical infrastructure obligations simultaneously. ISO/IEC 42001 integrated with ISO/IEC 27001 provides the management system that covers both.
For media and telecom companies, the convergence of regulations requires a governance architecture. Certification provides the independent evidence that the architecture actually operates.
How we help media and telecom companies
ISO/IEC 42001 Certification for Media and Telecom
ANAB-accredited certification scoped to the multi-regulatory reality of these sectors. Integrates with existing ISO/IEC 27001 ISMS and with sectoral compliance frameworks.
Multi-Regulatory AI Assessment
Inventory of AI deployments mapped against AI Act, DSA, DMA, and intellectual property obligations. Identifies the convergence points and governance gaps that single-regulation reviews miss.
Content AI Verification
Independent assessment of generative AI, recommender systems, and content moderation AI. Provides documented evidence for regulators, advertisers, and audiences.
Network AI Risk Assessment
For telecom operators: independent assessment of AI in critical network functions, integrated with NIS2 and critical infrastructure obligations.
Zertia Academy — Media and Telecom Track
Training for legal, compliance, content operations, and network engineering teams. Builds shared institutional language across regulatory domains.
What regulators are asking and what certification answers
| Regulatory obligation | What it requires | How Zertia addresses it |
|---|---|---|
| EU AI Act — Art. 26 + Annex III (Deployer obligations, critical infrastructure) | Telecom operators using AI in critical network functions carry high-risk deployer obligations. Document AI systems, implement risk management, maintain human oversight, and keep logs | ISO/IEC 42001 certification integrated with ISO/IEC 27001 ISMS. Our audit scope covers AI Act Art. 26 requirements within the critical infrastructure context. |
| Digital Services Act — Art. 38 (Recommender systems transparency) | Applies to Very Large Online Platforms (VLOPs) with more than 45 million monthly active users in the EU. VLOPs must offer users at least one recommender option not based on profiling, publish algorithmic transparency reports, and conduct risk assessments for recommender systems that may cause systemic harm. Smaller platforms face less prescriptive obligations under the DSA's tiered framework | Multi-Regulatory AI Assessment maps recommender system obligations under DSA against existing governance. Content AI Verification provides independent assessment documentation for DSA compliance files. |
| EU AI Act — Art. 50 (Transparency for AI-generated content) | AI-generated or AI-manipulated content must be labeled. Providers of GPAI models used in content generation must maintain technical documentation and comply with copyright law. Applies to media companies deploying generative AI in production workflows | Covered in certification scope. Provenance documentation, labeling controls, and transparency obligations are assessed as part of the AI management system audit. |
| NIS2 Directive (Essential entities: telecom) | Telecom operators as essential entities under NIS2 must implement cybersecurity risk management measures. NIS2 covers cybersecurity incidents, including those arising from compromised or manipulated AI systems in network operations. An AI model failure that is not security-related does not trigger NIS2 reporting, though operational and regulatory consequences may follow under sectoral law | ISO/IEC 42001 integrated with ISO/IEC 27001. Single governance framework addressing NIS2 cybersecurity obligations and AI management system requirements in a single audit cycle. |
From inquiry to certification
If you're earlier in the process
Get the Media and Telecom AI Roadmap
FreeA structured assessment for broadcasters, publishers, platforms, and telecom operators. Covers AI inventory, multi-regulatory mapping, and governance gap analysis.
Download the roadmapReadiness Audit
Paid · Fixed feeDiagnostic of your AI deployments against ISO/IEC 42001 and the convergence of AI Act, DSA, DMA, and sectoral regulations.
Book a readiness auditIf you're ready for certification
ISO/IEC 42001 Certification
ANAB-accreditedThree-year cycle, fixed fees, ANAB-accredited. Designed for the multi-regulatory reality of these sectors.
Talk to us about certificationA model that adapts to your firm
How we work with you depends on your scale and regulatory footprint. A national broadcaster operates on different terms than a multi-jurisdictional streaming platform. Three engagement models.
See how we engage →-
Startup
Early-stage AI. Light roadmap, certification when you scale.
-
Scaleup
Readiness audit and certification timed to your growth.
-
Enterprise
Full certification with recurring governance and ongoing support.
Zertia is a conformity assessment body accredited by ANAB for ISO/IEC 42001
Our certification activities under ISO/IEC 42001 are conducted under accreditation by ANAB (ANSI National Accreditation Board), a globally recognized accreditation body.
ANAB accreditation confirms that our audit and certification processes meet applicable ISO standards and international requirements for competence, impartiality, and independence. Our methodologies, auditor qualifications, and decision processes are externally assessed against rigorous technical criteria.
For certified organizations, this provides internationally recognized certificates and enhanced credibility with regulators, clients, and investors.
Your fast track to compliance starts here
Our team is ready to support your compliance, cybersecurity, and privacy needs. Complete the contact form or reach out to [email protected], and our experts will guide you through the next steps.
