The Technical–Regulatory Correspondence Matrix: A Practical Development Framework for Building GDPR- and AI Act-Compliant High-Risk AI Systems

The European Union Artificial Intelligence Act (AI Act) and the General Data Protection Regulation (GDPR) impose stringent and partly overlapping obligations on high-risk AI systems deployed in cybersecurity and critical infrastructure contexts. Yet organisations still lack concrete mechanisms to translate these legal requirements into actionable engineering tasks and auditable evidence along MLOps lifecycles. This paper proposes the Technical--Regulatory Correspondence Matrix (TRCM) as a structured correspondence layer that explicitly links regulatory pillars (derived from the GDPR, the AI Act and emerging AI management system standards) to families of technical dimensions in AI-based security monitoring and incident detection. The TRCM captures the many-to-many relationships between legal obligations and technical activities and is designed to be instantiated for specific high-risk use-case families. We introduce the matrix, define its regulatory and technical dimensions, and apply it to a representative cybersecurity scenario: network anomaly detection operated by essential service operators to protect critical infrastructures. For this use case, we derive a regulatory profile, construct a filtered TRCM and show how obligations on risk management, data governance, robustness, transparency and human oversight can be mapped to concrete controls (for example, data inventories and lineage, stress-testing suites, monitoring and incident response procedures, explainability mechanisms and human--AI interaction patterns) and to associated evidence artefacts embedded as correspondence checkpoints in an MLOps pipeline. We then analyse the operational implications of adopting the TRCM for engineering, compliance, risk and audit functions, arguing that it supports an evidence-by-design posture and observability-driven AI governance in cybersecurity operations. Finally, we discuss the limitations of the current formulation and outline directions for future work on standardisation, automation, handling regulatory tensions between the AI Act and the GDPR, and multi-stakeholder deployments of the TRCM in network security and critical infrastructure ecosystems.