@complior/engine 0.9.0

package/data/regulations/eu-ai-act/applicability-tree.json

@@ -0,0 +1,160 @@
+{
+  "applicability_tree": {
+    "regulation_id": "eu-ai-act",
+    "root_question": "Q1",
+    "questions": [
+      {
+        "id": "Q1",
+        "text": "Does your company develop, sell, import, distribute, or USE any AI-powered tools or systems?",
+        "help_text": "This includes using third-party AI tools like ChatGPT, Copilot, AI-powered CRM, AI recruitment tools, AI analytics, etc. — not just building your own AI. 'AI system' under the EU AI Act is broadly defined as any machine-based system that infers outputs (predictions, content, recommendations, decisions) from its inputs.",
+        "answers": [
+          {
+            "text": "Yes, we develop/build AI products or models",
+            "next": "Q2"
+          },
+          {
+            "text": "Yes, we use/deploy AI tools built by others",
+            "next": "Q2"
+          },
+          {
+            "text": "Yes, we both build and use AI",
+            "next": "Q2"
+          },
+          {
+            "text": "No, we don't use any AI",
+            "next": null,
+            "result_if_final": "does-not-apply",
+            "explanation_if_final": "The EU AI Act applies to operators of AI systems. If your company does not develop, deploy, import, distribute, or use AI systems in any capacity, the Act does not apply to you. However, consider whether tools you use may contain AI components (e.g., AI features in Microsoft 365, Salesforce Einstein, etc.)."
+          }
+        ]
+      },
+      {
+        "id": "Q2",
+        "text": "Does your company have any connection to the European Union?",
+        "help_text": "Connection means ANY of: (a) your company is established/located in the EU, (b) you sell/offer AI products or services to customers in the EU, (c) the output of your AI is used by anyone in the EU, (d) your AI system affects people located in the EU. The EU AI Act has extraterritorial reach — similar to GDPR.",
+        "answers": [
+          {
+            "text": "Yes, we are established in the EU or EEA",
+            "next": "Q3"
+          },
+          {
+            "text": "Yes, we serve customers or users in the EU (even though we're based elsewhere)",
+            "next": "Q3"
+          },
+          {
+            "text": "Yes, our AI's output is used by people in the EU",
+            "next": "Q3"
+          },
+          {
+            "text": "No EU connection at all — no EU customers, users, or affected persons",
+            "next": null,
+            "result_if_final": "does-not-apply",
+            "explanation_if_final": "The EU AI Act applies based on market presence and output use in the EU. If your AI system has genuinely zero connection to the EU (no EU customers, no EU users, no outputs used in the EU), the Act does not apply. But verify carefully — even indirect connections (e.g., a US client with EU operations using your tool) may bring you in scope."
+          }
+        ]
+      },
+      {
+        "id": "Q3",
+        "text": "Is your AI use purely for personal, non-professional purposes OR exclusively for scientific research before market placement?",
+        "help_text": "The AI Act exempts: (a) individuals using AI for personal non-professional activities, (b) AI developed solely for scientific R&D before any market placement or deployment. Military/defence/national security AI is also excluded.",
+        "answers": [
+          {
+            "text": "Yes, purely personal use or pre-market R&D only",
+            "next": null,
+            "result_if_final": "does-not-apply",
+            "explanation_if_final": "The EU AI Act exempts purely personal non-professional AI use and pre-market scientific R&D. However, once the system is placed on the market or put into service (even for free), the exemption ends."
+          },
+          {
+            "text": "No, it's used in a professional or commercial context",
+            "next": "Q4"
+          }
+        ]
+      },
+      {
+        "id": "Q4",
+        "text": "What is your company's role with respect to AI systems?",
+        "help_text": "Provider = you build/develop the AI (or have it built) and offer it under your name. Deployer = you use AI tools built by others in your business operations. You can be both if you build some AI and use third-party AI tools.",
+        "answers": [
+          {
+            "text": "We are a PROVIDER — we build/develop AI products",
+            "next": "Q5"
+          },
+          {
+            "text": "We are a DEPLOYER — we use AI tools from other companies",
+            "next": "Q5"
+          },
+          {
+            "text": "We are BOTH — we build some AI and deploy others",
+            "next": "Q5"
+          },
+          {
+            "text": "We import or distribute AI systems into the EU",
+            "next": "Q5"
+          }
+        ]
+      },
+      {
+        "id": "Q5",
+        "text": "Could any of your AI systems fall under a PROHIBITED practice? (social scoring, subliminal manipulation, exploitation of vulnerable groups, untargeted facial scraping, emotion recognition in workplace/school, real-time biometric ID in public spaces)",
+        "help_text": "These are completely banned under Article 5. Think about whether any AI tool you build or use could: manipulate behavior without awareness, exploit children/elderly/disabled, score people's social behavior, scrape faces from internet, detect emotions in office/classroom, or identify people in real-time in public via biometrics.",
+        "answers": [
+          {
+            "text": "Yes, or possibly — need to check",
+            "next": null,
+            "result_if_final": "applies",
+            "explanation_if_final": "CRITICAL: The EU AI Act applies to you, and you may be operating a prohibited AI system. Prohibited practices carry the highest fines (€35M or 7% of global turnover). You should immediately conduct a detailed assessment of each AI system against Article 5 prohibited practices and cease any prohibited use. Prohibition has been in force since February 2, 2025."
+          },
+          {
+            "text": "No, none of our AI does any of these things",
+            "next": "Q6"
+          }
+        ]
+      },
+      {
+        "id": "Q6",
+        "text": "Is any of your AI used in a HIGH-RISK area? (hiring/HR, credit/lending, insurance, education grading, healthcare/medical devices, critical infrastructure, law enforcement, border control, justice system)",
+        "help_text": "High-risk covers AI used in decisions that significantly affect people's lives: getting a job, a loan, insurance, grades, medical treatment, interactions with police, immigration decisions, or court proceedings. Also includes AI as safety component in regulated products (medical devices, machinery, vehicles, etc.).",
+        "answers": [
+          {
+            "text": "Yes, we build or use AI in one or more of these areas",
+            "next": null,
+            "result_if_final": "applies",
+            "explanation_if_final": "The EU AI Act FULLY applies to you with HIGH-RISK obligations. As a provider, you need: risk management system, technical documentation, conformity assessment, CE marking, registration in EU database, post-market monitoring, and more. As a deployer, you need: use per instructions, human oversight, monitoring, log retention, and for public entities a Fundamental Rights Impact Assessment. High-risk rules apply from August 2, 2026 (Annex III) or August 2, 2027 (Annex II product-related). Start preparing NOW."
+          },
+          {
+            "text": "No, our AI is in other areas (marketing, content, customer service, analytics, etc.)",
+            "next": "Q7"
+          }
+        ]
+      },
+      {
+        "id": "Q7",
+        "text": "Does your AI system directly interact with people (chatbot, voice assistant) OR generate synthetic content (text, images, audio, video)?",
+        "help_text": "This covers any AI that 'talks to' users (customer service bots, AI assistants, virtual agents) or creates content that could be mistaken for human-made (AI-generated articles, images, videos, audio, deep fakes).",
+        "answers": [
+          {
+            "text": "Yes, it interacts with people or generates content",
+            "next": null,
+            "result_if_final": "applies",
+            "explanation_if_final": "The EU AI Act applies to you with TRANSPARENCY obligations (Article 50). You must: disclose AI interaction to users ('You are talking to an AI'), mark AI-generated content as AI-generated in machine-readable format, and label deep fakes clearly. These transparency rules apply from August 2, 2026. Additionally, AI literacy obligation (Art. 4) and general obligations already apply."
+          },
+          {
+            "text": "No, it's backend AI with no direct user interaction or content generation",
+            "next": null,
+            "result_if_final": "partially-applies",
+            "explanation_if_final": "The EU AI Act applies with MINIMAL obligations. You must still: (1) ensure AI literacy of your staff (Art. 4 — already in force since Feb 2025), (2) ensure no prohibited practices, and (3) comply with any voluntary codes of conduct you've adopted (Art. 95). While the regulatory burden is light, you should maintain an AI inventory and regularly reassess risk classification, as AI uses may evolve into higher-risk categories."
+          }
+        ]
+      }
+    ]
+  },
+  "version": {
+    "framework_version": "3.0-production",
+    "processed_date": "2026-02-17",
+    "source_regulation_version": "Regulation (EU) 2024/1689 as published in OJ L 2024/1689",
+    "processing_prompt_version": "12-stage-v2",
+    "last_regulatory_update_checked": "2025-12-17 (Code of Practice on content marking draft)",
+    "next_review_due": "2026-03-01",
+    "notes": "Production-grade framework with granular obligation decomposition, full what_not_to_do coverage, expanded deployer obligations, and comprehensive tech specs for scanner."
+  }
+}

package/data/regulations/eu-ai-act/cross-mapping.json

@@ -0,0 +1,175 @@
+{
+  "cross_mapping_note": "Since the EU AI Act IS the baseline regulation for Complior, this file maps EU AI Act obligations to other known AI regulations. When additional regulations are processed (US state laws, Korea, Canada, etc.), this file will be enriched with specific obligation-level cross-references. For now, it provides the mapping framework and identifies EU AI Act obligations that have known parallels in other jurisdictions.",
+  "cross_mapping": [
+    {
+      "this_obligation": "eu-ai-act-OBL-001",
+      "this_requirement_summary": "AI literacy training for all staff interacting with AI systems",
+      "known_parallels": {
+        "us-co-sb205": {
+          "overlap": "partial",
+          "note": "Colorado SB 205 requires deployers to implement risk management programs which implicitly include training, but no explicit AI literacy mandate."
+        },
+        "eu-gdpr": {
+          "overlap": "partial",
+          "note": "GDPR Art. 39(1)(b) requires DPO to provide awareness-raising and training for staff involved in processing. AI literacy extends this concept to AI-specific knowledge."
+        }
+      },
+      "conflicts_with": []
+    },
+    {
+      "this_obligation": "eu-ai-act-OBL-002",
+      "this_requirement_summary": "Prohibition of specific AI practices (social scoring, manipulation, etc.)",
+      "known_parallels": {
+        "council-of-europe-ai-convention": {
+          "overlap": "partial",
+          "note": "Council of Europe Framework Convention on AI (2024) requires parties to address risks to human rights but does not provide an explicit prohibited practices list."
+        },
+        "brazil-ai-act-draft": {
+          "overlap": "partial",
+          "note": "Brazil's AI Bill includes prohibitions on social scoring and subliminal manipulation, similar scope but differences in exceptions."
+        }
+      },
+      "conflicts_with": []
+    },
+    {
+      "this_obligation": "eu-ai-act-OBL-013",
+      "this_requirement_summary": "Fundamental Rights Impact Assessment (FRIA) before deploying high-risk AI",
+      "known_parallels": {
+        "us-co-sb205": {
+          "overlap": "partial",
+          "strictness": "eu_stricter",
+          "note": "Colorado requires an impact assessment but calls it 'risk management policy and impact assessment'. EU FRIA is more structured with specific elements required under Art. 27(3)."
+        },
+        "us-nyc-ll144": {
+          "overlap": "partial",
+          "strictness": "equivalent",
+          "note": "NYC Local Law 144 requires bias audits for automated employment decision tools. Narrower scope (employment only) but similar concept."
+        },
+        "canada-aida-draft": {
+          "overlap": "partial",
+          "note": "Canada's proposed AIDA includes impact assessment requirements for high-impact AI systems."
+        }
+      },
+      "conflicts_with": []
+    },
+    {
+      "this_obligation": "eu-ai-act-OBL-015",
+      "this_requirement_summary": "Disclose AI interaction to users (chatbot disclosure)",
+      "known_parallels": {
+        "us-ca-bot-disclosure": {
+          "overlap": "full",
+          "strictness": "equivalent",
+          "note": "California SB 1001 (Bot Disclosure Act) requires bots to disclose non-human identity. Similar requirement, narrower scope (CA only)."
+        },
+        "china-ai-provisions": {
+          "overlap": "full",
+          "note": "China's Provisions on the Management of Algorithmic Recommendations (2022) and Generative AI rules require disclosure of AI-generated content."
+        }
+      },
+      "conflicts_with": []
+    },
+    {
+      "this_obligation": "eu-ai-act-OBL-016",
+      "this_requirement_summary": "Mark AI-generated content as artificially generated (machine-readable)",
+      "known_parallels": {
+        "us-executive-order-14110": {
+          "overlap": "partial",
+          "note": "US EO 14110 on AI Safety (2023) directed NIST to develop content authentication standards. Voluntary, not mandatory."
+        },
+        "china-deep-synthesis-rules": {
+          "overlap": "full",
+          "strictness": "this_is_stricter",
+          "note": "China's Deep Synthesis Provisions (2023) require labeling of AI-generated content. EU AI Act adds machine-readable requirement and is more specific on technical implementation."
+        }
+      },
+      "conflicts_with": []
+    },
+    {
+      "this_obligation": "eu-ai-act-OBL-024",
+      "this_requirement_summary": "Provide explanation of AI decisions to affected persons",
+      "known_parallels": {
+        "eu-gdpr-art22": {
+          "overlap": "partial",
+          "strictness": "this_is_stricter",
+          "note": "GDPR Art. 22 provides right not to be subject to solely automated decisions with legal effects, with right to obtain meaningful information. EU AI Act Art. 86 provides broader right to explanation beyond solely automated decisions."
+        },
+        "us-co-sb205": {
+          "overlap": "partial",
+          "note": "Colorado requires notice and ability to appeal when consequential AI decisions are adverse. Similar but different scope and process."
+        }
+      },
+      "conflicts_with": []
+    },
+    {
+      "this_obligation": "eu-ai-act-OBL-003",
+      "this_requirement_summary": "Risk management system for high-risk AI",
+      "known_parallels": {
+        "iso-42001": {
+          "overlap": "partial",
+          "note": "ISO/IEC 42001 (AI Management System) provides a framework for AI risk management that can support EU AI Act compliance but is voluntary and broader in scope."
+        },
+        "nist-ai-rmf": {
+          "overlap": "partial",
+          "note": "NIST AI Risk Management Framework (AI RMF 1.0) provides voluntary risk management guidance. Good complementary framework but not legally required."
+        }
+      },
+      "conflicts_with": []
+    },
+    {
+      "this_obligation": "eu-ai-act-OBL-022",
+      "this_requirement_summary": "GPAI technical documentation and downstream transparency",
+      "known_parallels": {
+        "us-executive-order-14110": {
+          "overlap": "partial",
+          "note": "US EO 14110 required reporting for large AI models (>10^26 FLOPs) but focused on national security. Different threshold and scope."
+        }
+      },
+      "conflicts_with": [
+        {
+          "regulation": "us-executive-order-14110",
+          "conflict_type": "none",
+          "description": "No true conflict. US EO had a higher compute threshold (10^26 FLOPs) vs EU AI Act (10^25 FLOPs). EU AI Act is stricter and broader.",
+          "resolution": "Comply with EU AI Act threshold (10^25 FLOPs) to cover both."
+        }
+      ]
+    }
+  ],
+  "strictest_rule_wins_matrix": {
+    "description": "When a Complior customer operates under multiple jurisdictions, the platform applies the strictest rule. This matrix summarizes which regulation is typically strictest for key obligation categories.",
+    "categories": {
+      "prohibited_practices": {
+        "strictest": "eu-ai-act",
+        "reason": "Most comprehensive list of prohibited AI practices globally. No other jurisdiction has as broad a prohibition list."
+      },
+      "transparency_disclosure": {
+        "strictest": "eu-ai-act",
+        "reason": "Requires both user-facing disclosure AND machine-readable content marking. Most jurisdictions only require one or the other."
+      },
+      "impact_assessment": {
+        "strictest": "eu-ai-act",
+        "reason": "FRIA under Art. 27 is the most structured impact assessment requirement with specific mandatory elements. Colorado SB 205 is close but less prescriptive."
+      },
+      "data_governance": {
+        "strictest": "eu-ai-act + eu-gdpr (combined)",
+        "reason": "EU AI Act Art. 10 data quality requirements combined with GDPR create the strictest data governance regime globally."
+      },
+      "penalties": {
+        "strictest": "eu-ai-act",
+        "reason": "7% of global turnover for prohibited practices violations is the highest AI-specific fine globally."
+      },
+      "worker_notification": {
+        "strictest": "eu-ai-act",
+        "reason": "Explicit worker notification requirement under Art. 26(7) is unique to EU AI Act."
+      }
+    }
+  },
+  "version": {
+    "framework_version": "3.0-production",
+    "processed_date": "2026-02-17",
+    "source_regulation_version": "Regulation (EU) 2024/1689 as published in OJ L 2024/1689",
+    "processing_prompt_version": "12-stage-v2",
+    "last_regulatory_update_checked": "2025-12-17 (Code of Practice on content marking draft)",
+    "next_review_due": "2026-03-01",
+    "notes": "Production-grade framework with granular obligation decomposition, full what_not_to_do coverage, expanded deployer obligations, and comprehensive tech specs for scanner."
+  }
+}

package/data/regulations/eu-ai-act/localization.json

@@ -0,0 +1,186 @@
+{
+  "localization": {
+    "regulation_id": "eu-ai-act",
+    "primary_language": "English (reference text), plus all 24 official EU languages",
+    "ui_language_needed": [
+      "en",
+      "de",
+      "fr",
+      "es",
+      "it",
+      "nl",
+      "pt",
+      "pl",
+      "sv",
+      "da",
+      "fi",
+      "el",
+      "cs",
+      "ro",
+      "hu",
+      "bg",
+      "hr",
+      "sk",
+      "sl",
+      "lt",
+      "lv",
+      "et",
+      "ga",
+      "mt"
+    ],
+    "priority_ui_languages": [
+      "en",
+      "de",
+      "fr",
+      "es",
+      "it",
+      "nl"
+    ],
+    "document_languages": [
+      "English (universal — all templates must be available in EN)",
+      "German (largest EU economy, strong AI ecosystem)",
+      "French (co-official EU language, France has significant AI activity)",
+      "Spanish (large market, Latin America bridge)",
+      "Italian (major economy)",
+      "Dutch (Netherlands is major tech hub)",
+      "Polish (large Eastern EU market)",
+      "Swedish (strong Nordic AI ecosystem)"
+    ],
+    "terminology": [
+      {
+        "english_term": "AI system",
+        "local_terms": {
+          "de": "KI-System",
+          "fr": "système d'IA",
+          "es": "sistema de IA",
+          "it": "sistema di IA",
+          "nl": "AI-systeem",
+          "pt": "sistema de IA",
+          "pl": "system sztucznej inteligencji"
+        },
+        "definition": "A machine-based system designed to operate with varying levels of autonomy that infers from input how to generate outputs (Art. 3(1))",
+        "usage_context": "Core term used throughout all UI screens, documents, and compliance workflows"
+      },
+      {
+        "english_term": "Provider",
+        "local_terms": {
+          "de": "Anbieter",
+          "fr": "fournisseur",
+          "es": "proveedor",
+          "it": "fornitore",
+          "nl": "aanbieder",
+          "pt": "prestador",
+          "pl": "dostawca"
+        },
+        "definition": "Entity that develops an AI system or GPAI model and places it on market under its own name (Art. 3(3))",
+        "usage_context": "Role selector in onboarding, obligation filtering, dashboard labels"
+      },
+      {
+        "english_term": "Deployer",
+        "local_terms": {
+          "de": "Betreiber",
+          "fr": "déployeur",
+          "es": "responsable del despliegue",
+          "it": "deployer (utilizzatore)",
+          "nl": "gebruiksverantwoordelijke",
+          "pt": "responsável pela implantação",
+          "pl": "podmiot stosujący"
+        },
+        "definition": "Entity using an AI system under its authority, except for personal non-professional use (Art. 3(4))",
+        "usage_context": "Role selector in onboarding, obligation filtering, dashboard labels"
+      },
+      {
+        "english_term": "High-risk AI system",
+        "local_terms": {
+          "de": "Hochrisiko-KI-System",
+          "fr": "système d'IA à haut risque",
+          "es": "sistema de IA de alto riesgo",
+          "it": "sistema di IA ad alto rischio",
+          "nl": "AI-systeem met een hoog risico",
+          "pt": "sistema de IA de alto risco",
+          "pl": "system sztucznej inteligencji wysokiego ryzyka"
+        },
+        "definition": "AI system falling under Article 6 criteria (Annex II product safety or Annex III use cases)",
+        "usage_context": "Risk classification results, obligation cards, compliance score breakdown"
+      },
+      {
+        "english_term": "Conformity assessment",
+        "local_terms": {
+          "de": "Konformitätsbewertung",
+          "fr": "évaluation de la conformité",
+          "es": "evaluación de la conformidad",
+          "it": "valutazione della conformità",
+          "nl": "conformiteitsbeoordeling",
+          "pt": "avaliação da conformidade",
+          "pl": "ocena zgodności"
+        },
+        "definition": "Process of verifying that a high-risk AI system meets all AI Act requirements (Art. 43)",
+        "usage_context": "Provider compliance workflow, assessment status tracking"
+      },
+      {
+        "english_term": "Fundamental rights impact assessment",
+        "local_terms": {
+          "de": "Grundrechte-Folgenabschätzung",
+          "fr": "analyse d'impact sur les droits fondamentaux",
+          "es": "evaluación de impacto en derechos fundamentales",
+          "it": "valutazione d'impatto sui diritti fondamentali",
+          "nl": "effectbeoordeling op grondrechten",
+          "pt": "avaliação de impacto nos direitos fundamentais",
+          "pl": "ocena wpływu na prawa podstawowe"
+        },
+        "definition": "Assessment public/certain private deployers must conduct before deploying high-risk AI (Art. 27)",
+        "usage_context": "FRIA workflow, deployer compliance dashboard, document templates"
+      },
+      {
+        "english_term": "General-purpose AI model",
+        "local_terms": {
+          "de": "KI-Modell mit allgemeinem Verwendungszweck",
+          "fr": "modèle d'IA à usage général",
+          "es": "modelo de IA de uso general",
+          "it": "modello di IA per finalità generali",
+          "nl": "AI-model voor algemene doeleinden",
+          "pt": "modelo de IA de finalidade geral",
+          "pl": "model sztucznej inteligencji ogólnego przeznaczenia"
+        },
+        "definition": "AI model displaying significant generality, capable of performing wide range of distinct tasks (Art. 3(63))",
+        "usage_context": "Classification workflow, GPAI provider obligations section"
+      },
+      {
+        "english_term": "AI literacy",
+        "local_terms": {
+          "de": "KI-Kompetenz",
+          "fr": "maîtrise de l'IA",
+          "es": "alfabetización en materia de IA",
+          "it": "alfabetizzazione in materia di IA",
+          "nl": "AI-geletterdheid",
+          "pt": "literacia em matéria de IA",
+          "pl": "umiejętność korzystania z AI"
+        },
+        "definition": "Skills, knowledge and understanding allowing informed deployment and use of AI systems (Art. 3(56))",
+        "usage_context": "Training module, AI literacy obligation card, compliance checklist"
+      }
+    ],
+    "date_format": "DD/MM/YYYY (EU standard) or YYYY-MM-DD (ISO 8601 for technical/API use)",
+    "currency": "EUR (€) — all fines and financial references in euros",
+    "cultural_notes": [
+      "EU is not a monolithic market — compliance culture, enforcement intensity, and AI adoption vary significantly across Member States",
+      "Germany has the strongest compliance culture and is likely to be among the first/strictest enforcers. Prioritize DE localization.",
+      "France has a strong AI industry (Mistral, etc.) and active regulatory engagement. FR localization is high priority.",
+      "Netherlands is a major tech hub with relatively pragmatic regulatory approach.",
+      "Nordic countries (SE, DK, FI) have high AI adoption and value transparency — green/sustainability positioning resonates.",
+      "Southern/Eastern EU markets may have longer adoption curves but are catching up rapidly.",
+      "Works councils (Betriebsräte in Germany) are a major factor in worker notification obligations — strong cultural and legal importance.",
+      "Data protection culture is deeply ingrained in EU — GDPR compliance is baseline expectation. AI Act compliance should be positioned as GDPR's natural extension.",
+      "Many EU companies already have ISO 27001 or similar certifications — position AI Act compliance as complementary to existing frameworks."
+    ]
+  },
+  "version": {
+    "framework_version": "3.0-production",
+    "processed_date": "2026-02-17",
+    "source_regulation_version": "Regulation (EU) 2024/1689 as published in OJ L 2024/1689",
+    "processing_prompt_version": "12-stage-v2",
+    "last_regulatory_update_checked": "2025-12-17 (Code of Practice on content marking draft)",
+    "next_review_due": "2026-03-01",
+    "notes": "Production-grade framework with granular obligation decomposition, full what_not_to_do coverage, expanded deployer obligations, and comprehensive tech specs for scanner."
+  }
+}