diff --git a/frontend/src/pages/CompliancePage.tsx b/frontend/src/pages/CompliancePage.tsx
index 721dff9..29ced56 100644
--- a/frontend/src/pages/CompliancePage.tsx
+++ b/frontend/src/pages/CompliancePage.tsx
@@ -1,6 +1,6 @@
 import { useState } from "react";
 import { useQuery, useMutation, useQueryClient } from "@tanstack/react-query";
-import { Loader2, AlertCircle, Download, FileText, Plus, ExternalLink, BookOpen } from "lucide-react";
+import { Loader2, AlertCircle, Download, FileText, Plus, ExternalLink, BookOpen, AlertTriangle, FlaskConical } from "lucide-react";
 import {
 getComplianceFrameworks,
 getFrameworkStatus,
@@ -49,6 +49,48 @@ export default function CompliancePage() {
 const controls = frameworkStatus?.controls || [];
 const activeFramework = frameworks?.find((f) => f.id === activeFrameworkId) ?? null;
+ // Mapping confidence notices for frameworks that lack an official CTID ATT&CK mapping
+ type ConfidenceLevel = "community" | "experimental";
+ const MAPPING_NOTICES: Record = {
+ "DORA": {
+ level: "community",
+ source: "ENISA guidance + TIBER-EU threat-led testing framework",
+ notice:
+ "No official MITRE CTID ATT&CK mapping exists for DORA (EU 2022/2554). " +
+ "The technique mappings in Aegis are based on ENISA ICT risk management guidelines and the TIBER-EU " +
+ "threat-led penetration testing framework — both authoritative sources for this regulation. " +
+ "They reflect regulatory intent and established industry practice, but have not been " +
+ "formally certified. We recommend reviewing coverage with a compliance specialist " +
+ "before submitting to supervisory authorities (EBA / ESMA / EIOPA / ECB).",
+ },
+ "ISO/IEC 27001:2022": {
+ level: "community",
+ source: "ISO/IEC 27002:2022 + industry consensus",
+ notice:
+ "No official MITRE CTID ATT&CK mapping exists for ISO/IEC 27001:2022. " +
+ "ISO charges for its published standards, which prevents the open-source community from " +
+ "producing a formally certified mapping. The technique mappings in Aegis are based on " +
+ "ISO/IEC 27002:2022 implementation guidance (the companion standard) and widely adopted " +
+ "industry practice from the security community. They are directionally correct and " +
+ "representative, but should be validated against your organisation's specific control " +
+ "implementation before use in a formal ISO 27001 audit or certification exercise.",
+ },
+ "ISO/IEC 42001:2023": {
+ level: "experimental",
+ source: "Interpretation — MITRE ATT&CK Enterprise v14 has no AI-specific techniques",
+ notice:
+ "ISO/IEC 42001 was published in December 2023. 
MITRE ATT&CK Enterprise v14 does not yet " +
+ "include adversarial techniques specifically targeting AI systems (model poisoning, " +
+ "adversarial examples, training data exfiltration, etc.). " +
+ "The mappings in Aegis cover threats to the IT INFRASTRUCTURE that supports AI systems — " +
+ "data pipelines, model-serving APIs, ML framework supply chains, and cloud AI services — " +
+ "using the closest available ATT&CK techniques. " +
+ "This is a best-effort directional mapping intended to identify where Red Team coverage " +
+ "of AI infrastructure is lacking. It should NOT be treated as a formal ISO 42001 " +
+ "compliance assessment until MITRE publishes dedicated AI attack techniques.",
+ },
+ };
+
 const handleExportCSV = async () => {
 if (activeFrameworkId) {
 await downloadComplianceCSV(activeFrameworkId);
@@ -197,6 +239,46 @@ export default function CompliancePage() {
 )}
+ {/* Mapping confidence notice — shown for frameworks without official CTID mapping */}
+ {activeFramework && MAPPING_NOTICES[activeFramework.name] && (() => {
+ const notice = MAPPING_NOTICES[activeFramework.name];
+ const isExperimental = notice.level === "experimental";
+ return (
+
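Review bot: `MAPPING_NOTICES` is keyed on the framework's display `name` (`"DORA"`, `"ISO/IEC 27001:2022"`, `"ISO/IEC 42001:2023"`) and looked up through `activeFramework.name` in the render hunk below, so a backend rename or even a whitespace change in that string silently drops the caveat telling users the mapping is uncertified — which is exactly the situation this notice exists to catch. Keying the table on the framework `id` that the component already matches on (`f.id === activeFrameworkId`) would turn a stale key into a visible mismatch instead of a quiet no-op; the `Record` type parameters are not legible in this rendering, so whether the key type is already narrowed cannot be confirmed here. `type ConfidenceLevel` and the table are also declared inside the component body and rebuilt on every render; they are static data and belong at module scope, e.g. `const MAPPING_NOTICES = { … } satisfies Record<string, MappingNotice>;`. Finally, "MITRE ATT&CK Enterprise v14" is hard-coded in two of the strings with nothing to flag it when the backend moves to a newer ATT&CK release; a `// NOTE: keep the ATT&CK version named in these notices in sync with the release the backend pins` comment above the table would at least make that maintenance duty visible.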
+
+ {isExperimental + ? + : + } +
+
+ + {isExperimental ? "Experimental mapping — use with caution" : "Community-based mapping — not officially certified"} + + + {isExperimental ? "Experimental" : "Community"} + +
+

+ {notice.notice} +

+

+ Mapping source: {notice.source} +

+
+
+
+ ); + })()} + {/* Summary cards */} {summary && (