@tantainnovative/ndpr-toolkit 5.1.4 → 5.3.0

package/dist/headless.d.ts

@@ -27,9 +27,183 @@ declare interface BreachCategory {
 declare type BreachCompositeState = {
     reports: BreachReport[];
     assessments: RiskAssessment[];
-    notifications: RegulatoryNotification[];
+    notifications: RegulatoryNotification_2[];
 };
 
+export declare interface BreachNotificationAssessment {
+    /** Whether all applicable mandated content items are satisfied. */
+    complete: boolean;
+    /** Completeness of applicable content items, 0–100. */
+    completeness: number;
+    /** GAID 2025 Article 33(5) / NDPA S. 40(2) content of the notification to the Commission. */
+    notificationToCommission: BreachNotificationItem[];
+    /** NDPA S. 40(3) communication to data subjects — populated only when high-risk. */
+    dataSubjectCommunication: BreachNotificationItem[];
+    /** Whether a data-subject communication is owed (high risk). */
+    dataSubjectCommunicationRequired: boolean;
+    timing: BreachNotificationTiming;
+    /** Labels of unsatisfied applicable items. */
+    missing: string[];
+    /** Actionable next steps, including timing warnings. */
+    recommendations: string[];
+    asOf: number;
+}
+
+declare interface BreachNotificationAssessment_2 {
+    /** Whether all applicable mandated content items are satisfied. */
+    complete: boolean;
+    /** Completeness of applicable content items, 0–100. */
+    completeness: number;
+    /** GAID 2025 Article 33(5) / NDPA S. 40(2) content of the notification to the Commission. */
+    notificationToCommission: BreachNotificationItem_2[];
+    /** NDPA S. 40(3) communication to data subjects — populated only when high-risk. */
+    dataSubjectCommunication: BreachNotificationItem_2[];
+    /** Whether a data-subject communication is owed (high risk). */
+    dataSubjectCommunicationRequired: boolean;
+    timing: BreachNotificationTiming_2;
+    /** Labels of unsatisfied applicable items. */
+    missing: string[];
+    /** Actionable next steps, including timing warnings. */
+    recommendations: string[];
+    asOf: number;
+}
+
+export declare interface BreachNotificationItem {
+    /** Stable identifier for the requirement. */
+    id: string;
+    /** Human-readable requirement. */
+    label: string;
+    /** Authoritative citation, e.g. `GAID 2025 Art. 33(5)(a)`. */
+    section: string;
+    /** Whether the report satisfies it. */
+    satisfied: boolean;
+}
+
+declare interface BreachNotificationItem_2 {
+    /** Stable identifier for the requirement. */
+    id: string;
+    /** Human-readable requirement. */
+    label: string;
+    /** Authoritative citation, e.g. `GAID 2025 Art. 33(5)(a)`. */
+    section: string;
+    /** Whether the report satisfies it. */
+    satisfied: boolean;
+}
+
+/**
+ * Personal-data-breach notification completeness checker for NDPA 2023
+ * Section 40, as detailed by NDPC General Application and Implementation
+ * Directive (GAID) 2025 Article 33.
+ *
+ * Section 40(2) requires a data controller to notify the Commission within 72
+ * hours of becoming aware of a breach likely to result in a risk to data
+ * subjects' rights and freedoms. GAID 2025 Article 33(5)(a)–(h) enumerates the
+ * content that a notification to the Commission "shall include". Where the
+ * breach is likely to result in a *high* risk, Section 40(3) additionally
+ * requires the controller to communicate the breach to affected data subjects
+ * in plain and clear language.
+ *
+ * This assesses a `BreachReport` against those requirements: which mandated
+ * content items are present, whether the 72-hour window is met, and whether a
+ * data-subject communication is owed. It is a documentation-completeness aid,
+ * not legal advice — verify against current NDPC guidance.
+ *
+ * @see NDPA 2023 Section 40 (Personal data breaches)
+ * @see NDPC GAID 2025 Article 33 (Data Breach Notification)
+ */
+
+export declare interface BreachNotificationOptions {
+    /** Risk assessment for the breach; drives whether data-subject communication is required. */
+    assessment?: RiskAssessment;
+    /** The regulatory notification actually sent, if any — used to judge timeliness. */
+    notification?: RegulatoryNotification_2;
+    /** Reference "now" in epoch ms. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Notification window in hours. Defaults to 72 (NDPA S. 40(2)). */
+    deadlineHours?: number;
+    /**
+     * Explicit high-risk flag (NDPA S. 40(3)). When omitted, derived from
+     * `assessment.highRisksToRightsAndFreedoms`.
+     */
+    highRisk?: boolean;
+}
+
+/**
+ * Personal-data-breach notification completeness checker for NDPA 2023
+ * Section 40, as detailed by NDPC General Application and Implementation
+ * Directive (GAID) 2025 Article 33.
+ *
+ * Section 40(2) requires a data controller to notify the Commission within 72
+ * hours of becoming aware of a breach likely to result in a risk to data
+ * subjects' rights and freedoms. GAID 2025 Article 33(5)(a)–(h) enumerates the
+ * content that a notification to the Commission "shall include". Where the
+ * breach is likely to result in a *high* risk, Section 40(3) additionally
+ * requires the controller to communicate the breach to affected data subjects
+ * in plain and clear language.
+ *
+ * This assesses a `BreachReport` against those requirements: which mandated
+ * content items are present, whether the 72-hour window is met, and whether a
+ * data-subject communication is owed. It is a documentation-completeness aid,
+ * not legal advice — verify against current NDPC guidance.
+ *
+ * @see NDPA 2023 Section 40 (Personal data breaches)
+ * @see NDPC GAID 2025 Article 33 (Data Breach Notification)
+ */
+
+declare interface BreachNotificationOptions_2 {
+    /** Risk assessment for the breach; drives whether data-subject communication is required. */
+    assessment?: RiskAssessment_2;
+    /** The regulatory notification actually sent, if any — used to judge timeliness. */
+    notification?: RegulatoryNotification;
+    /** Reference "now" in epoch ms. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Notification window in hours. Defaults to 72 (NDPA S. 40(2)). */
+    deadlineHours?: number;
+    /**
+     * Explicit high-risk flag (NDPA S. 40(3)). When omitted, derived from
+     * `assessment.highRisksToRightsAndFreedoms`.
+     */
+    highRisk?: boolean;
+}
+
+export declare interface BreachNotificationTiming {
+    /** `discoveredAt` + the notification window. */
+    deadline: number;
+    /** Whole hours between discovery and `asOf`. */
+    hoursSinceDiscovery: number;
+    /** Whether a regulatory notification has been recorded. */
+    notified: boolean;
+    /** When the regulatory notification was sent, if any. */
+    notifiedAt?: number;
+    /** Whether the notification (or, if none, `asOf`) falls within the deadline. */
+    withinDeadline: boolean;
+    /** Whole hours from `asOf` to the deadline (negative once past). */
+    hoursRemaining: number;
+    /** Whether the deadline has been missed. */
+    overdue: boolean;
+    /** Late filings must state the reasons for the delay (NDPA S. 40(2)). */
+    requiresDelayJustification: boolean;
+}
+
+declare interface BreachNotificationTiming_2 {
+    /** `discoveredAt` + the notification window. */
+    deadline: number;
+    /** Whole hours between discovery and `asOf`. */
+    hoursSinceDiscovery: number;
+    /** Whether a regulatory notification has been recorded. */
+    notified: boolean;
+    /** When the regulatory notification was sent, if any. */
+    notifiedAt?: number;
+    /** Whether the notification (or, if none, `asOf`) falls within the deadline. */
+    withinDeadline: boolean;
+    /** Whole hours from `asOf` to the deadline (negative once past). */
+    hoursRemaining: number;
+    /** Whether the deadline has been missed. */
+    overdue: boolean;
+    /** Late filings must state the reasons for the delay (NDPA S. 40(2)). */
+    requiresDelayJustification: boolean;
+}
+
 /**
  * Represents a data breach report
  */
@@ -118,6 +292,218 @@ export declare interface BreachReport {
     }>;
 }
 
+/**
+ * Represents a data breach report
+ */
+declare interface BreachReport_2 {
+    /** Unique identifier for the breach report */
+    id: string;
+    /** Title/summary of the breach */
+    title: string;
+    /** Detailed description of the breach */
+    description: string;
+    /** Category of the breach */
+    category: string;
+    /** Timestamp when the breach was discovered */
+    discoveredAt: number;
+    /** Timestamp when the breach occurred (if known) */
+    occurredAt?: number;
+    /** Timestamp when the breach was reported internally */
+    reportedAt: number;
+    /** Person who reported the breach */
+    reporter: {
+        name: string;
+        email: string;
+        department: string;
+        phone?: string;
+    };
+    /** Systems or data affected by the breach */
+    affectedSystems: string[];
+    /** Types of data involved in the breach */
+    dataTypes: string[];
+    /** Whether sensitive personal data is involved (NDPA Section 30) */
+    involvesSensitiveData?: boolean;
+    /** Estimated number of data subjects affected */
+    estimatedAffectedSubjects?: number;
+    /**
+     * Approximate number of personal data RECORDS concerned (distinct from subject count).
+     * Required content under NDPA Section 40(1)(a) and Section 40(2).
+     */
+    approximateRecordCount?: number;
+    /**
+     * Categories of data subjects affected (e.g. customers, employees, minors, patients).
+     * Required content under NDPA Section 40(1)(a) and Section 40(2).
+     */
+    dataSubjectCategories?: string[];
+    /**
+     * Likely consequences of the breach for affected data subjects (e.g. identity theft,
+     * financial loss, reputational damage). Reported to the NDPC and, where applicable,
+     * communicated to data subjects under Section 40(3).
+     */
+    likelyConsequences?: string;
+    /**
+     * Measures taken or proposed to mitigate adverse effects of the breach.
+     * Required content for Section 40(3) communications to data subjects.
+     */
+    mitigationMeasures?: string;
+    /**
+     * Whether this is a phased / interim report submitted before full investigation
+     * is complete. The NDPC permits phased reporting where complete information is
+     * not available within 72 hours.
+     */
+    isPhasedReport?: boolean;
+    /**
+     * ID of the prior phased report this report supplements, if any.
+     */
+    supplementsReportId?: string;
+    /**
+     * Data Protection Officer contact details. The DPO is the named contact point
+     * for the NDPC per NDPA Section 32(3)(c). Required content in the regulatory
+     * report (Section 40(2)).
+     */
+    dpoContact?: {
+        name: string;
+        email: string;
+        phone?: string;
+    };
+    /** Whether the breach is ongoing or contained */
+    status: 'ongoing' | 'contained' | 'resolved';
+    /** Initial actions taken to address the breach */
+    initialActions?: string;
+    /** Attachments related to the breach */
+    attachments?: Array<{
+        id: string;
+        name: string;
+        type: string;
+        url: string;
+        addedAt: number;
+    }>;
+}
+
+/**
+ * Compliance Audit Returns (CAR) scheduling under the NDPC General Application
+ * and Implementation Directive (GAID) 2025.
+ *
+ * A Data Controller/Processor of Major Importance (DCPMI) must conduct an
+ * initial compliance audit within 15 months of commencing data processing, and
+ * thereafter file a Compliance Audit Return with the NDPC annually (default
+ * deadline 31 March, filed through the NDPC Information Management Portal/NIMP).
+ *
+ * This computes the schedule (initial-audit due date, the next annual filing
+ * deadline relative to a reference date) and a light status. NDPC deadlines
+ * shift (the 2026 filing was extended to 30 May), so the annual deadline is
+ * configurable and per-year overrides are supported. The audit *content* itself
+ * is the organisation's compliance posture — pair this with `getComplianceScore`.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ */
+
+export declare interface CARInput {
+    /** ISO date (YYYY-MM-DD) the organisation commenced data processing. */
+    commencementDate: string;
+    /** Reference date to evaluate against (YYYY-MM-DD). Defaults to today. */
+    asOf?: string;
+    /** DCPMI tier; CAR applies to DCPMIs only. Omit to assume applicable. */
+    tier?: DCPMITier_2;
+}
+
+/**
+ * Compliance Audit Returns (CAR) scheduling under the NDPC General Application
+ * and Implementation Directive (GAID) 2025.
+ *
+ * A Data Controller/Processor of Major Importance (DCPMI) must conduct an
+ * initial compliance audit within 15 months of commencing data processing, and
+ * thereafter file a Compliance Audit Return with the NDPC annually (default
+ * deadline 31 March, filed through the NDPC Information Management Portal/NIMP).
+ *
+ * This computes the schedule (initial-audit due date, the next annual filing
+ * deadline relative to a reference date) and a light status. NDPC deadlines
+ * shift (the 2026 filing was extended to 30 May), so the annual deadline is
+ * configurable and per-year overrides are supported. The audit *content* itself
+ * is the organisation's compliance posture — pair this with `getComplianceScore`.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ */
+
+declare interface CARInput_2 {
+    /** ISO date (YYYY-MM-DD) the organisation commenced data processing. */
+    commencementDate: string;
+    /** Reference date to evaluate against (YYYY-MM-DD). Defaults to today. */
+    asOf?: string;
+    /** DCPMI tier; CAR applies to DCPMIs only. Omit to assume applicable. */
+    tier?: DCPMITier;
+}
+
+export declare interface CAROptions {
+    /** Default annual filing deadline (month is 1-12). Defaults to 31 March. */
+    annualDeadline?: {
+        month: number;
+        day: number;
+    };
+    /** Per-year overrides for the annual deadline, e.g. `{ 2026: '2026-05-30' }`. */
+    deadlineOverrides?: Record<number, string>;
+    /** Months after commencement the initial audit is due. Defaults to 15. */
+    initialAuditWithinMonths?: number;
+}
+
+declare interface CAROptions_2 {
+    /** Default annual filing deadline (month is 1-12). Defaults to 31 March. */
+    annualDeadline?: {
+        month: number;
+        day: number;
+    };
+    /** Per-year overrides for the annual deadline, e.g. `{ 2026: '2026-05-30' }`. */
+    deadlineOverrides?: Record<number, string>;
+    /** Months after commencement the initial audit is due. Defaults to 15. */
+    initialAuditWithinMonths?: number;
+}
+
+export declare interface ComplianceAuditReturn {
+    /** Whether CAR applies (false for non-DCPMI organisations). */
+    applicable: boolean;
+    schedule: {
+        commencementDate: string;
+        initialAuditWithinMonths: number;
+        /** Commencement date + the initial-audit window. */
+        initialAuditDueDate: string;
+        /** The next annual filing deadline on or after `asOf`. */
+        nextFilingDeadline: string;
+        /** The year the next filing deadline falls in. */
+        filingYear: number;
+    };
+    status: {
+        /** Whether the initial-audit obligation has arisen (asOf ≥ due date). */
+        initialAuditDue: boolean;
+        /** Whole days from `asOf` to the next filing deadline. */
+        daysUntilNextDeadline: number;
+    };
+    notes: string[];
+    asOf: string;
+}
+
+declare interface ComplianceAuditReturn_2 {
+    /** Whether CAR applies (false for non-DCPMI organisations). */
+    applicable: boolean;
+    schedule: {
+        commencementDate: string;
+        initialAuditWithinMonths: number;
+        /** Commencement date + the initial-audit window. */
+        initialAuditDueDate: string;
+        /** The next annual filing deadline on or after `asOf`. */
+        nextFilingDeadline: string;
+        /** The year the next filing deadline falls in. */
+        filingYear: number;
+    };
+    status: {
+        /** Whether the initial-audit obligation has arisen (asOf ≥ due date). */
+        initialAuditDue: boolean;
+        /** Whole days from `asOf` to the next filing deadline. */
+        daysUntilNextDeadline: number;
+    };
+    notes: string[];
+    asOf: string;
+}
+
 /** A single gap found during NDPA compliance evaluation. */
 declare interface ComplianceGap {
     /** Machine-readable requirement identifier. */
@@ -519,6 +905,162 @@ declare interface DataCategory {
     selected: boolean;
 }
 
+export declare interface DCPMIClassification {
+    /** Registration tier (or `'none'` when not a DCPMI). */
+    tier: DCPMITier_2;
+    /** Whether the organisation is a Data Controller/Processor of Major Importance. */
+    isDCPMI: boolean;
+    /** Annual registration fee in Nigerian Naira (0 when not a volume-tiered DCPMI). */
+    annualFeeNGN: number;
+    registration: {
+        /** Whether NDPC registration is required. */
+        required: boolean;
+        /** OHL renews registration annually; UHL/EHL register once and file CAR annually. */
+        renewsAnnually: boolean;
+    };
+    compliance: {
+        /** Whether the organisation must file annual Compliance Audit Returns (CAR). */
+        auditReturnsAnnual: boolean;
+        /** Initial compliance audit is due within this many months of commencing processing. */
+        initialAuditWithinMonths: number;
+    };
+    /** Human-readable caveats and next steps. */
+    notes: string[];
+    /** The count actually used for classification, after defensive normalisation. */
+    dataSubjectsConsidered: number;
+}
+
+declare interface DCPMIClassification_2 {
+    /** Registration tier (or `'none'` when not a DCPMI). */
+    tier: DCPMITier;
+    /** Whether the organisation is a Data Controller/Processor of Major Importance. */
+    isDCPMI: boolean;
+    /** Annual registration fee in Nigerian Naira (0 when not a volume-tiered DCPMI). */
+    annualFeeNGN: number;
+    registration: {
+        /** Whether NDPC registration is required. */
+        required: boolean;
+        /** OHL renews registration annually; UHL/EHL register once and file CAR annually. */
+        renewsAnnually: boolean;
+    };
+    compliance: {
+        /** Whether the organisation must file annual Compliance Audit Returns (CAR). */
+        auditReturnsAnnual: boolean;
+        /** Initial compliance audit is due within this many months of commencing processing. */
+        initialAuditWithinMonths: number;
+    };
+    /** Human-readable caveats and next steps. */
+    notes: string[];
+    /** The count actually used for classification, after defensive normalisation. */
+    dataSubjectsConsidered: number;
+}
+
+export declare interface DCPMIClassificationOptions {
+    thresholds?: Partial<DCPMIThresholds_2>;
+    fees?: Partial<DCPMIFees_2>;
+}
+
+declare interface DCPMIClassificationOptions_2 {
+    thresholds?: Partial<DCPMIThresholds>;
+    fees?: Partial<DCPMIFees>;
+}
+
+declare interface DCPMIFees {
+    UHL: number;
+    EHL: number;
+    OHL: number;
+}
+
+declare interface DCPMIFees_2 {
+    UHL: number;
+    EHL: number;
+    OHL: number;
+}
+
+export declare interface DCPMIInput {
+    /** Distinct data subjects whose data was processed in the relevant six-month window. */
+    dataSubjectsInSixMonths?: number;
+    /** True if the Commission has separately designated/listed the organisation as a DCPMI. */
+    isDesignated?: boolean;
+}
+
+declare interface DCPMIInput_2 {
+    /** Distinct data subjects whose data was processed in the relevant six-month window. */
+    dataSubjectsInSixMonths?: number;
+    /** True if the Commission has separately designated/listed the organisation as a DCPMI. */
+    isDesignated?: boolean;
+}
+
+declare interface DCPMIThresholds {
+    /** Lower bound (inclusive) for OHL. */
+    ohl: number;
+    /** Lower bound (inclusive) for EHL. */
+    ehl: number;
+    /** A count strictly greater than this is UHL. */
+    uhl: number;
+}
+
+declare interface DCPMIThresholds_2 {
+    /** Lower bound (inclusive) for OHL. */
+    ohl: number;
+    /** Lower bound (inclusive) for EHL. */
+    ehl: number;
+    /** A count strictly greater than this is UHL. */
+    uhl: number;
+}
+
+/**
+ * Data Controller/Processor of Major Importance (DCPMI) classification under the
+ * NDPC General Application and Implementation Directive (GAID) 2025.
+ *
+ * Volume-based tiers — data subjects processed within a six-month window:
+ *   - UHL (Ultra High Level):    more than 5,000  → ₦250,000 / year
+ *   - EHL (Extra High Level):    1,000 – 5,000    → ₦100,000 / year
+ *   - OHL (Ordinary High Level): 200 – 999        → ₦10,000  / year
+ *   - below 200:                 not a DCPMI by volume
+ *
+ * Boundaries: the 1,000 mark resolves to EHL (so OHL is 200–999); UHL is
+ * strictly greater than 5,000 (so 5,000 itself is EHL). The NDPC has revised
+ * classification metrics before and shifts filing deadlines, so thresholds and
+ * fees are configurable — treat the defaults as the September 2025 GAID
+ * baseline, not a constant.
+ *
+ * `isDesignated` marks an organisation the Commission has otherwise listed as a
+ * DCPMI; it is then a DCPMI regardless of volume. Below the volume tiers such an
+ * organisation is reported as `'listed'` with the fee left at 0 and a note to
+ * confirm the applicable tier/fee with the NDPC.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ * @see NDPC Guidance Notice on the Registration of Data Controllers and Processors of Major Importance
+ */
+declare type DCPMITier = 'UHL' | 'EHL' | 'OHL' | 'listed' | 'none';
+
+/**
+ * Data Controller/Processor of Major Importance (DCPMI) classification under the
+ * NDPC General Application and Implementation Directive (GAID) 2025.
+ *
+ * Volume-based tiers — data subjects processed within a six-month window:
+ *   - UHL (Ultra High Level):    more than 5,000  → ₦250,000 / year
+ *   - EHL (Extra High Level):    1,000 – 5,000    → ₦100,000 / year
+ *   - OHL (Ordinary High Level): 200 – 999        → ₦10,000  / year
+ *   - below 200:                 not a DCPMI by volume
+ *
+ * Boundaries: the 1,000 mark resolves to EHL (so OHL is 200–999); UHL is
+ * strictly greater than 5,000 (so 5,000 itself is EHL). The NDPC has revised
+ * classification metrics before and shifts filing deadlines, so thresholds and
+ * fees are configurable — treat the defaults as the September 2025 GAID
+ * baseline, not a constant.
+ *
+ * `isDesignated` marks an organisation the Commission has otherwise listed as a
+ * DCPMI; it is then a DCPMI regardless of volume. Below the volume tiers such an
+ * organisation is reported as `'listed'` with the fee left at 0 and a note to
+ * confirm the applicable tier/fee with the NDPC.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ * @see NDPC Guidance Notice on the Registration of Data Controllers and Processors of Major Importance
+ */
+declare type DCPMITier_2 = 'UHL' | 'EHL' | 'OHL' | 'listed' | 'none';
+
 /** Options for DOCX export of the finalised policy. */
 declare interface DOCXExportOptions {
     includeTOC?: boolean;
@@ -1314,6 +1856,57 @@ declare interface RegulatoryNotification {
     };
 }
 
+/**
+ * Represents a notification sent to the NDPC (Nigeria Data Protection Commission)
+ */
+declare interface RegulatoryNotification_2 {
+    /** Unique identifier for the notification */
+    id: string;
+    /** ID of the breach this notification is for */
+    breachId: string;
+    /** Timestamp when the notification was sent */
+    sentAt: number;
+    /** Method used to send the notification */
+    method: 'email' | 'portal' | 'letter' | 'other';
+    /** Reference number assigned by the NDPC (if available) */
+    referenceNumber?: string;
+    /** Contact person at the NDPC */
+    ndpcContact?: {
+        name: string;
+        email: string;
+        phone?: string;
+    };
+    /** Content of the notification */
+    content: string;
+    /** Attachments included with the notification */
+    attachments?: Array<{
+        id: string;
+        name: string;
+        type: string;
+        url: string;
+    }>;
+    /** Follow-up communications with the NDPC */
+    followUps?: Array<{
+        timestamp: number;
+        direction: 'sent' | 'received';
+        content: string;
+        attachments?: Array<{
+            id: string;
+            name: string;
+            type: string;
+            url: string;
+        }>;
+    }>;
+    /**
+     * @deprecated Use ndpcContact instead. Kept for backward compatibility.
+     */
+    nitdaContact?: {
+        name: string;
+        email: string;
+        phone?: string;
+    };
+}
+
 declare interface RegulatoryReference {
     section: string;
     title: string;
@@ -1404,6 +1997,44 @@ export declare interface RiskAssessment {
     justification: string;
 }
 
+/**
+ * Represents a risk assessment for a data breach
+ */
+declare interface RiskAssessment_2 {
+    /** Unique identifier for the risk assessment */
+    id: string;
+    /** ID of the breach this assessment is for */
+    breachId: string;
+    /** Timestamp when the assessment was conducted */
+    assessedAt: number;
+    /** Person who conducted the assessment */
+    assessor: {
+        name: string;
+        role: string;
+        email: string;
+    };
+    /** Confidentiality impact (1-5) */
+    confidentialityImpact: number;
+    /** Integrity impact (1-5) */
+    integrityImpact: number;
+    /** Availability impact (1-5) */
+    availabilityImpact: number;
+    /** Likelihood of harm to data subjects (1-5) */
+    harmLikelihood: number;
+    /** Severity of potential harm to data subjects (1-5) */
+    harmSeverity: number;
+    /** Overall risk score */
+    overallRiskScore: number;
+    /** Risk level based on the overall score */
+    riskLevel: 'low' | 'medium' | 'high' | 'critical';
+    /** Whether the breach is likely to result in a risk to rights and freedoms */
+    risksToRightsAndFreedoms: boolean;
+    /** Whether the breach is likely to result in a high risk to rights and freedoms */
+    highRisksToRightsAndFreedoms: boolean;
+    /** Justification for the risk assessment */
+    justification: string;
+}
+
 /**
  * Compliance gap found in a processing record
  */
@@ -1625,6 +2256,14 @@ export declare interface UseAdaptivePolicyWizardReturn {
  */
 export declare function useBreach({ categories, initialReports, adapter, storageKey, useLocalStorage, onReport, onAssessment, onNotification, }: UseBreachOptions): UseBreachReturn;
 
+/**
+ * React hook that memoises the `assessBreachNotification` utility — checks a
+ * breach report's completeness against the NDPA S. 40 / GAID 2025 Article 33
+ * notification requirements (mandated content, the 72-hour window, and any
+ * data-subject communication owed on high risk).
+ */
+export declare function useBreachNotificationAssessment(report: BreachReport_2, options?: BreachNotificationOptions_2): BreachNotificationAssessment_2;
+
 export declare interface UseBreachOptions {
     /**
      * Available breach categories
@@ -1661,7 +2300,7 @@ export declare interface UseBreachOptions {
     /**
      * Callback function called when a notification is sent
      */
-    onNotification?: (notification: RegulatoryNotification) => void;
+    onNotification?: (notification: RegulatoryNotification_2) => void;
 }
 
 export declare interface UseBreachReturn {
@@ -1676,7 +2315,7 @@ export declare interface UseBreachReturn {
     /**
      * All regulatory notifications
      */
-    notifications: RegulatoryNotification[];
+    notifications: RegulatoryNotification_2[];
     /**
      * Submit a new breach report
      */
@@ -1704,11 +2343,11 @@ export declare interface UseBreachReturn {
     /**
      * Send a regulatory notification
      */
-    sendNotification: (breachId: string, notificationData: Omit<RegulatoryNotification, 'id' | 'breachId' | 'sentAt'>) => RegulatoryNotification;
+    sendNotification: (breachId: string, notificationData: Omit<RegulatoryNotification_2, 'id' | 'breachId' | 'sentAt'>) => RegulatoryNotification_2;
     /**
      * Get a regulatory notification for a breach
      */
-    getNotification: (breachId: string) => RegulatoryNotification | null;
+    getNotification: (breachId: string) => RegulatoryNotification_2 | null;
     /**
      * Get breaches that require notification within the next X hours
      */
@@ -1728,6 +2367,13 @@ export declare interface UseBreachReturn {
     isLoading: boolean;
 }
 
+/**
+ * React hook that memoises the `generateComplianceAuditReturn` utility — derives
+ * a DCPMI's Compliance Audit Returns schedule (initial-audit due date, next
+ * annual filing deadline) and status under NDPC GAID 2025.
+ */
+export declare function useComplianceAuditReturn(input: CARInput_2, options?: CAROptions_2): ComplianceAuditReturn_2;
+
 /**
  * Computes an NDPA compliance score and returns a structured report
  * (score, rating, per-module breakdown, recommendations).
@@ -1945,6 +2591,13 @@ export declare interface UseCrossBorderTransferReturn {
     isLoading: boolean;
 }
 
+/**
+ * React hook that memoises the `classifyDCPMI` utility — derives an organisation's
+ * Data Controller/Processor of Major Importance tier, annual registration fee,
+ * and Compliance Audit Returns obligations under NDPC GAID 2025.
+ */
+export declare function useDCPMI(input: DCPMIInput_2, options?: DCPMIClassificationOptions_2): DCPMIClassification_2;
+
 /**
  * Convenience wrapper around `usePrivacyPolicy`. With `orgInfo` provided
  * and `autoGenerate` enabled (default), `policy` is non-null on the first