@tantainnovative/ndpr-toolkit 5.1.4 → 5.3.0

package/dist/index.d.mts

@@ -123,6 +123,12 @@ export declare interface ApiAdapterSuccessContext<T = unknown> {
  */
 export declare function appendAuditEntry(entry: ConsentAuditEntry, storageKey?: string): void;
 
+/**
+ * Assess a breach report against the NDPA S. 40 / GAID 2025 Article 33
+ * notification requirements.
+ */
+export declare function assessBreachNotification(report: BreachReport, options?: BreachNotificationOptions): BreachNotificationAssessment;
+
 /**
  * Analyzes all processing activities and returns compliance gaps including
  * missing DPO approval, overdue reviews, undocumented justifications,
@@ -259,6 +265,36 @@ export declare interface BreachFormSubmission {
     }>;
 }
 
+export declare interface BreachNotificationAssessment {
+    /** Whether all applicable mandated content items are satisfied. */
+    complete: boolean;
+    /** Completeness of applicable content items, 0–100. */
+    completeness: number;
+    /** GAID 2025 Article 33(5) / NDPA S. 40(2) content of the notification to the Commission. */
+    notificationToCommission: BreachNotificationItem[];
+    /** NDPA S. 40(3) communication to data subjects — populated only when high-risk. */
+    dataSubjectCommunication: BreachNotificationItem[];
+    /** Whether a data-subject communication is owed (high risk). */
+    dataSubjectCommunicationRequired: boolean;
+    timing: BreachNotificationTiming;
+    /** Labels of unsatisfied applicable items. */
+    missing: string[];
+    /** Actionable next steps, including timing warnings. */
+    recommendations: string[];
+    asOf: number;
+}
+
+export declare interface BreachNotificationItem {
+    /** Stable identifier for the requirement. */
+    id: string;
+    /** Human-readable requirement. */
+    label: string;
+    /** Authoritative citation, e.g. `GAID 2025 Art. 33(5)(a)`. */
+    section: string;
+    /** Whether the report satisfies it. */
+    satisfied: boolean;
+}
+
 /**
  * Breach notification management component. Implements NDPA Section 40 requirements for
  * managing breach notifications, tracking 72-hour NDPC reporting deadlines, and coordinating
@@ -346,6 +382,63 @@ export declare interface BreachNotificationManagerProps {
     showDeadlineAlerts?: boolean;
 }
 
+/**
+ * Personal-data-breach notification completeness checker for NDPA 2023
+ * Section 40, as detailed by NDPC General Application and Implementation
+ * Directive (GAID) 2025 Article 33.
+ *
+ * Section 40(2) requires a data controller to notify the Commission within 72
+ * hours of becoming aware of a breach likely to result in a risk to data
+ * subjects' rights and freedoms. GAID 2025 Article 33(5)(a)–(h) enumerates the
+ * content that a notification to the Commission "shall include". Where the
+ * breach is likely to result in a *high* risk, Section 40(3) additionally
+ * requires the controller to communicate the breach to affected data subjects
+ * in plain and clear language.
+ *
+ * This assesses a `BreachReport` against those requirements: which mandated
+ * content items are present, whether the 72-hour window is met, and whether a
+ * data-subject communication is owed. It is a documentation-completeness aid,
+ * not legal advice — verify against current NDPC guidance.
+ *
+ * @see NDPA 2023 Section 40 (Personal data breaches)
+ * @see NDPC GAID 2025 Article 33 (Data Breach Notification)
+ */
+
+export declare interface BreachNotificationOptions {
+    /** Risk assessment for the breach; drives whether data-subject communication is required. */
+    assessment?: RiskAssessment;
+    /** The regulatory notification actually sent, if any — used to judge timeliness. */
+    notification?: RegulatoryNotification;
+    /** Reference "now" in epoch ms. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Notification window in hours. Defaults to 72 (NDPA S. 40(2)). */
+    deadlineHours?: number;
+    /**
+     * Explicit high-risk flag (NDPA S. 40(3)). When omitted, derived from
+     * `assessment.highRisksToRightsAndFreedoms`.
+     */
+    highRisk?: boolean;
+}
+
+export declare interface BreachNotificationTiming {
+    /** `discoveredAt` + the notification window. */
+    deadline: number;
+    /** Whole hours between discovery and `asOf`. */
+    hoursSinceDiscovery: number;
+    /** Whether a regulatory notification has been recorded. */
+    notified: boolean;
+    /** When the regulatory notification was sent, if any. */
+    notifiedAt?: number;
+    /** Whether the notification (or, if none, `asOf`) falls within the deadline. */
+    withinDeadline: boolean;
+    /** Whole hours from `asOf` to the deadline (negative once past). */
+    hoursRemaining: number;
+    /** Whether the deadline has been missed. */
+    overdue: boolean;
+    /** Late filings must state the reasons for the delay (NDPA S. 40(2)). */
+    requiresDelayJustification: boolean;
+}
+
 /**
  * Represents a data breach report
  */
@@ -639,6 +732,74 @@ export declare function calculateBreachSeverity(report: BreachReport, assessment
     justification: string;
 };
 
+/**
+ * Compliance Audit Returns (CAR) scheduling under the NDPC General Application
+ * and Implementation Directive (GAID) 2025.
+ *
+ * A Data Controller/Processor of Major Importance (DCPMI) must conduct an
+ * initial compliance audit within 15 months of commencing data processing, and
+ * thereafter file a Compliance Audit Return with the NDPC annually (default
+ * deadline 31 March, filed through the NDPC Information Management Portal/NIMP).
+ *
+ * This computes the schedule (initial-audit due date, the next annual filing
+ * deadline relative to a reference date) and a light status. NDPC deadlines
+ * shift (the 2026 filing was extended to 30 May), so the annual deadline is
+ * configurable and per-year overrides are supported. The audit *content* itself
+ * is the organisation's compliance posture — pair this with `getComplianceScore`.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ */
+
+export declare interface CARInput {
+    /** ISO date (YYYY-MM-DD) the organisation commenced data processing. */
+    commencementDate: string;
+    /** Reference date to evaluate against (YYYY-MM-DD). Defaults to today. */
+    asOf?: string;
+    /** DCPMI tier; CAR applies to DCPMIs only. Omit to assume applicable. */
+    tier?: DCPMITier;
+}
+
+export declare interface CAROptions {
+    /** Default annual filing deadline (month is 1-12). Defaults to 31 March. */
+    annualDeadline?: {
+        month: number;
+        day: number;
+    };
+    /** Per-year overrides for the annual deadline, e.g. `{ 2026: '2026-05-30' }`. */
+    deadlineOverrides?: Record<number, string>;
+    /** Months after commencement the initial audit is due. Defaults to 15. */
+    initialAuditWithinMonths?: number;
+}
+
+/**
+ * Classify an organisation's DCPMI status, registration tier, annual fee, and
+ * Compliance Audit Returns obligations under NDPC GAID 2025.
+ */
+export declare function classifyDCPMI(input: DCPMIInput, options?: DCPMIClassificationOptions): DCPMIClassification;
+
+export declare interface ComplianceAuditReturn {
+    /** Whether CAR applies (false for non-DCPMI organisations). */
+    applicable: boolean;
+    schedule: {
+        commencementDate: string;
+        initialAuditWithinMonths: number;
+        /** Commencement date + the initial-audit window. */
+        initialAuditDueDate: string;
+        /** The next annual filing deadline on or after `asOf`. */
+        nextFilingDeadline: string;
+        /** The year the next filing deadline falls in. */
+        filingYear: number;
+    };
+    status: {
+        /** Whether the initial-audit obligation has arisen (asOf ≥ due date). */
+        initialAuditDue: boolean;
+        /** Whole days from `asOf` to the next filing deadline. */
+        daysUntilNextDeadline: number;
+    };
+    notes: string[];
+    asOf: string;
+}
+
 /** A single gap found during NDPA compliance evaluation. */
 declare interface ComplianceGap {
     /** Machine-readable requirement identifier. */
@@ -1408,6 +1569,90 @@ declare interface DataCategory {
     selected: boolean;
 }
 
+export declare interface DCPMIClassification {
+    /** Registration tier (or `'none'` when not a DCPMI). */
+    tier: DCPMITier;
+    /** Whether the organisation is a Data Controller/Processor of Major Importance. */
+    isDCPMI: boolean;
+    /** Annual registration fee in Nigerian Naira (0 when not a volume-tiered DCPMI). */
+    annualFeeNGN: number;
+    registration: {
+        /** Whether NDPC registration is required. */
+        required: boolean;
+        /** OHL renews registration annually; UHL/EHL register once and file CAR annually. */
+        renewsAnnually: boolean;
+    };
+    compliance: {
+        /** Whether the organisation must file annual Compliance Audit Returns (CAR). */
+        auditReturnsAnnual: boolean;
+        /** Initial compliance audit is due within this many months of commencing processing. */
+        initialAuditWithinMonths: number;
+    };
+    /** Human-readable caveats and next steps. */
+    notes: string[];
+    /** The count actually used for classification, after defensive normalisation. */
+    dataSubjectsConsidered: number;
+}
+
+export declare interface DCPMIClassificationOptions {
+    thresholds?: Partial<DCPMIThresholds>;
+    fees?: Partial<DCPMIFees>;
+}
+
+export declare interface DCPMIFees {
+    UHL: number;
+    EHL: number;
+    OHL: number;
+}
+
+export declare interface DCPMIInput {
+    /** Distinct data subjects whose data was processed in the relevant six-month window. */
+    dataSubjectsInSixMonths?: number;
+    /** True if the Commission has separately designated/listed the organisation as a DCPMI. */
+    isDesignated?: boolean;
+}
+
+export declare interface DCPMIThresholds {
+    /** Lower bound (inclusive) for OHL. */
+    ohl: number;
+    /** Lower bound (inclusive) for EHL. */
+    ehl: number;
+    /** A count strictly greater than this is UHL. */
+    uhl: number;
+}
+
+/**
+ * Data Controller/Processor of Major Importance (DCPMI) classification under the
+ * NDPC General Application and Implementation Directive (GAID) 2025.
+ *
+ * Volume-based tiers — data subjects processed within a six-month window:
+ *   - UHL (Ultra High Level):    more than 5,000  → ₦250,000 / year
+ *   - EHL (Extra High Level):    1,000 – 5,000    → ₦100,000 / year
+ *   - OHL (Ordinary High Level): 200 – 999        → ₦10,000  / year
+ *   - below 200:                 not a DCPMI by volume
+ *
+ * Boundaries: the 1,000 mark resolves to EHL (so OHL is 200–999); UHL is
+ * strictly greater than 5,000 (so 5,000 itself is EHL). The NDPC has revised
+ * classification metrics before and shifts filing deadlines, so thresholds and
+ * fees are configurable — treat the defaults as the September 2025 GAID
+ * baseline, not a constant.
+ *
+ * `isDesignated` marks an organisation the Commission has otherwise listed as a
+ * DCPMI; it is then a DCPMI regardless of volume. Below the volume tiers such an
+ * organisation is reported as `'listed'` with the fee left at 0 and a note to
+ * confirm the applicable tier/fee with the NDPC.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ * @see NDPC Guidance Notice on the Registration of Data Controllers and Processors of Major Importance
+ */
+export declare type DCPMITier = 'UHL' | 'EHL' | 'OHL' | 'listed' | 'none';
+
+/** September 2025 GAID baseline annual fees (NGN). */
+export declare const DEFAULT_DCPMI_FEES_NGN: DCPMIFees;
+
+/** September 2025 GAID baseline — override via {@link DCPMIClassificationOptions} as the rules evolve. */
+export declare const DEFAULT_DCPMI_THRESHOLDS: DCPMIThresholds;
+
 /**
  * Default NDPA-compliant privacy policy sections.
  * Each section uses {{variable}} placeholders that are resolved at generation time.
@@ -2231,6 +2476,11 @@ export declare interface FormatDSRRequestStructuredResult {
     data?: DSRRequest;
 }
 
+/**
+ * Derive the CAR schedule and status for a DCPMI under NDPC GAID 2025.
+ */
+export declare function generateComplianceAuditReturn(input: CARInput, options?: CAROptions): ComplianceAuditReturn;
+
 /**
  * Generates a summary of all lawful basis documentation across processing activities.
  *
@@ -4354,6 +4604,14 @@ export declare interface UseAdaptivePolicyWizardReturn {
  */
 export declare function useBreach({ categories, initialReports, adapter, storageKey, useLocalStorage, onReport, onAssessment, onNotification, }: UseBreachOptions): UseBreachReturn;
 
+/**
+ * React hook that memoises the `assessBreachNotification` utility — checks a
+ * breach report's completeness against the NDPA S. 40 / GAID 2025 Article 33
+ * notification requirements (mandated content, the 72-hour window, and any
+ * data-subject communication owed on high risk).
+ */
+export declare function useBreachNotificationAssessment(report: BreachReport, options?: BreachNotificationOptions): BreachNotificationAssessment;
+
 declare interface UseBreachOptions {
     /**
      * Available breach categories
@@ -4457,6 +4715,13 @@ declare interface UseBreachReturn {
     isLoading: boolean;
 }
 
+/**
+ * React hook that memoises the `generateComplianceAuditReturn` utility — derives
+ * a DCPMI's Compliance Audit Returns schedule (initial-audit due date, next
+ * annual filing deadline) and status under NDPC GAID 2025.
+ */
+export declare function useComplianceAuditReturn(input: CARInput, options?: CAROptions): ComplianceAuditReturn;
+
 /**
  * Computes an NDPA compliance score and returns a structured report
  * (score, rating, per-module breakdown, recommendations).
@@ -4674,6 +4939,13 @@ declare interface UseCrossBorderTransferReturn {
     isLoading: boolean;
 }
 
+/**
+ * React hook that memoises the `classifyDCPMI` utility — derives an organisation's
+ * Data Controller/Processor of Major Importance tier, annual registration fee,
+ * and Compliance Audit Returns obligations under NDPC GAID 2025.
+ */
+export declare function useDCPMI(input: DCPMIInput, options?: DCPMIClassificationOptions): DCPMIClassification;
+
 /**
  * Convenience wrapper around `usePrivacyPolicy`. With `orgInfo` provided
  * and `autoGenerate` enabled (default), `policy` is non-null on the first

package/dist/index.d.ts

@@ -123,6 +123,12 @@ export declare interface ApiAdapterSuccessContext<T = unknown> {
  */
 export declare function appendAuditEntry(entry: ConsentAuditEntry, storageKey?: string): void;
 
+/**
+ * Assess a breach report against the NDPA S. 40 / GAID 2025 Article 33
+ * notification requirements.
+ */
+export declare function assessBreachNotification(report: BreachReport, options?: BreachNotificationOptions): BreachNotificationAssessment;
+
 /**
  * Analyzes all processing activities and returns compliance gaps including
  * missing DPO approval, overdue reviews, undocumented justifications,
@@ -259,6 +265,36 @@ export declare interface BreachFormSubmission {
     }>;
 }
 
+export declare interface BreachNotificationAssessment {
+    /** Whether all applicable mandated content items are satisfied. */
+    complete: boolean;
+    /** Completeness of applicable content items, 0–100. */
+    completeness: number;
+    /** GAID 2025 Article 33(5) / NDPA S. 40(2) content of the notification to the Commission. */
+    notificationToCommission: BreachNotificationItem[];
+    /** NDPA S. 40(3) communication to data subjects — populated only when high-risk. */
+    dataSubjectCommunication: BreachNotificationItem[];
+    /** Whether a data-subject communication is owed (high risk). */
+    dataSubjectCommunicationRequired: boolean;
+    timing: BreachNotificationTiming;
+    /** Labels of unsatisfied applicable items. */
+    missing: string[];
+    /** Actionable next steps, including timing warnings. */
+    recommendations: string[];
+    asOf: number;
+}
+
+export declare interface BreachNotificationItem {
+    /** Stable identifier for the requirement. */
+    id: string;
+    /** Human-readable requirement. */
+    label: string;
+    /** Authoritative citation, e.g. `GAID 2025 Art. 33(5)(a)`. */
+    section: string;
+    /** Whether the report satisfies it. */
+    satisfied: boolean;
+}
+
 /**
  * Breach notification management component. Implements NDPA Section 40 requirements for
  * managing breach notifications, tracking 72-hour NDPC reporting deadlines, and coordinating
@@ -346,6 +382,63 @@ export declare interface BreachNotificationManagerProps {
     showDeadlineAlerts?: boolean;
 }
 
+/**
+ * Personal-data-breach notification completeness checker for NDPA 2023
+ * Section 40, as detailed by NDPC General Application and Implementation
+ * Directive (GAID) 2025 Article 33.
+ *
+ * Section 40(2) requires a data controller to notify the Commission within 72
+ * hours of becoming aware of a breach likely to result in a risk to data
+ * subjects' rights and freedoms. GAID 2025 Article 33(5)(a)–(h) enumerates the
+ * content that a notification to the Commission "shall include". Where the
+ * breach is likely to result in a *high* risk, Section 40(3) additionally
+ * requires the controller to communicate the breach to affected data subjects
+ * in plain and clear language.
+ *
+ * This assesses a `BreachReport` against those requirements: which mandated
+ * content items are present, whether the 72-hour window is met, and whether a
+ * data-subject communication is owed. It is a documentation-completeness aid,
+ * not legal advice — verify against current NDPC guidance.
+ *
+ * @see NDPA 2023 Section 40 (Personal data breaches)
+ * @see NDPC GAID 2025 Article 33 (Data Breach Notification)
+ */
+
+export declare interface BreachNotificationOptions {
+    /** Risk assessment for the breach; drives whether data-subject communication is required. */
+    assessment?: RiskAssessment;
+    /** The regulatory notification actually sent, if any — used to judge timeliness. */
+    notification?: RegulatoryNotification;
+    /** Reference "now" in epoch ms. Defaults to `Date.now()`. */
+    asOf?: number;
+    /** Notification window in hours. Defaults to 72 (NDPA S. 40(2)). */
+    deadlineHours?: number;
+    /**
+     * Explicit high-risk flag (NDPA S. 40(3)). When omitted, derived from
+     * `assessment.highRisksToRightsAndFreedoms`.
+     */
+    highRisk?: boolean;
+}
+
+export declare interface BreachNotificationTiming {
+    /** `discoveredAt` + the notification window. */
+    deadline: number;
+    /** Whole hours between discovery and `asOf`. */
+    hoursSinceDiscovery: number;
+    /** Whether a regulatory notification has been recorded. */
+    notified: boolean;
+    /** When the regulatory notification was sent, if any. */
+    notifiedAt?: number;
+    /** Whether the notification (or, if none, `asOf`) falls within the deadline. */
+    withinDeadline: boolean;
+    /** Whole hours from `asOf` to the deadline (negative once past). */
+    hoursRemaining: number;
+    /** Whether the deadline has been missed. */
+    overdue: boolean;
+    /** Late filings must state the reasons for the delay (NDPA S. 40(2)). */
+    requiresDelayJustification: boolean;
+}
+
 /**
  * Represents a data breach report
  */
@@ -639,6 +732,74 @@ export declare function calculateBreachSeverity(report: BreachReport, assessment
     justification: string;
 };
 
+/**
+ * Compliance Audit Returns (CAR) scheduling under the NDPC General Application
+ * and Implementation Directive (GAID) 2025.
+ *
+ * A Data Controller/Processor of Major Importance (DCPMI) must conduct an
+ * initial compliance audit within 15 months of commencing data processing, and
+ * thereafter file a Compliance Audit Return with the NDPC annually (default
+ * deadline 31 March, filed through the NDPC Information Management Portal/NIMP).
+ *
+ * This computes the schedule (initial-audit due date, the next annual filing
+ * deadline relative to a reference date) and a light status. NDPC deadlines
+ * shift (the 2026 filing was extended to 30 May), so the annual deadline is
+ * configurable and per-year overrides are supported. The audit *content* itself
+ * is the organisation's compliance posture — pair this with `getComplianceScore`.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ */
+
+export declare interface CARInput {
+    /** ISO date (YYYY-MM-DD) the organisation commenced data processing. */
+    commencementDate: string;
+    /** Reference date to evaluate against (YYYY-MM-DD). Defaults to today. */
+    asOf?: string;
+    /** DCPMI tier; CAR applies to DCPMIs only. Omit to assume applicable. */
+    tier?: DCPMITier;
+}
+
+export declare interface CAROptions {
+    /** Default annual filing deadline (month is 1-12). Defaults to 31 March. */
+    annualDeadline?: {
+        month: number;
+        day: number;
+    };
+    /** Per-year overrides for the annual deadline, e.g. `{ 2026: '2026-05-30' }`. */
+    deadlineOverrides?: Record<number, string>;
+    /** Months after commencement the initial audit is due. Defaults to 15. */
+    initialAuditWithinMonths?: number;
+}
+
+/**
+ * Classify an organisation's DCPMI status, registration tier, annual fee, and
+ * Compliance Audit Returns obligations under NDPC GAID 2025.
+ */
+export declare function classifyDCPMI(input: DCPMIInput, options?: DCPMIClassificationOptions): DCPMIClassification;
+
+export declare interface ComplianceAuditReturn {
+    /** Whether CAR applies (false for non-DCPMI organisations). */
+    applicable: boolean;
+    schedule: {
+        commencementDate: string;
+        initialAuditWithinMonths: number;
+        /** Commencement date + the initial-audit window. */
+        initialAuditDueDate: string;
+        /** The next annual filing deadline on or after `asOf`. */
+        nextFilingDeadline: string;
+        /** The year the next filing deadline falls in. */
+        filingYear: number;
+    };
+    status: {
+        /** Whether the initial-audit obligation has arisen (asOf ≥ due date). */
+        initialAuditDue: boolean;
+        /** Whole days from `asOf` to the next filing deadline. */
+        daysUntilNextDeadline: number;
+    };
+    notes: string[];
+    asOf: string;
+}
+
 /** A single gap found during NDPA compliance evaluation. */
 declare interface ComplianceGap {
     /** Machine-readable requirement identifier. */
@@ -1408,6 +1569,90 @@ declare interface DataCategory {
     selected: boolean;
 }
 
+export declare interface DCPMIClassification {
+    /** Registration tier (or `'none'` when not a DCPMI). */
+    tier: DCPMITier;
+    /** Whether the organisation is a Data Controller/Processor of Major Importance. */
+    isDCPMI: boolean;
+    /** Annual registration fee in Nigerian Naira (0 when not a volume-tiered DCPMI). */
+    annualFeeNGN: number;
+    registration: {
+        /** Whether NDPC registration is required. */
+        required: boolean;
+        /** OHL renews registration annually; UHL/EHL register once and file CAR annually. */
+        renewsAnnually: boolean;
+    };
+    compliance: {
+        /** Whether the organisation must file annual Compliance Audit Returns (CAR). */
+        auditReturnsAnnual: boolean;
+        /** Initial compliance audit is due within this many months of commencing processing. */
+        initialAuditWithinMonths: number;
+    };
+    /** Human-readable caveats and next steps. */
+    notes: string[];
+    /** The count actually used for classification, after defensive normalisation. */
+    dataSubjectsConsidered: number;
+}
+
+export declare interface DCPMIClassificationOptions {
+    thresholds?: Partial<DCPMIThresholds>;
+    fees?: Partial<DCPMIFees>;
+}
+
+export declare interface DCPMIFees {
+    UHL: number;
+    EHL: number;
+    OHL: number;
+}
+
+export declare interface DCPMIInput {
+    /** Distinct data subjects whose data was processed in the relevant six-month window. */
+    dataSubjectsInSixMonths?: number;
+    /** True if the Commission has separately designated/listed the organisation as a DCPMI. */
+    isDesignated?: boolean;
+}
+
+export declare interface DCPMIThresholds {
+    /** Lower bound (inclusive) for OHL. */
+    ohl: number;
+    /** Lower bound (inclusive) for EHL. */
+    ehl: number;
+    /** A count strictly greater than this is UHL. */
+    uhl: number;
+}
+
+/**
+ * Data Controller/Processor of Major Importance (DCPMI) classification under the
+ * NDPC General Application and Implementation Directive (GAID) 2025.
+ *
+ * Volume-based tiers — data subjects processed within a six-month window:
+ *   - UHL (Ultra High Level):    more than 5,000  → ₦250,000 / year
+ *   - EHL (Extra High Level):    1,000 – 5,000    → ₦100,000 / year
+ *   - OHL (Ordinary High Level): 200 – 999        → ₦10,000  / year
+ *   - below 200:                 not a DCPMI by volume
+ *
+ * Boundaries: the 1,000 mark resolves to EHL (so OHL is 200–999); UHL is
+ * strictly greater than 5,000 (so 5,000 itself is EHL). The NDPC has revised
+ * classification metrics before and shifts filing deadlines, so thresholds and
+ * fees are configurable — treat the defaults as the September 2025 GAID
+ * baseline, not a constant.
+ *
+ * `isDesignated` marks an organisation the Commission has otherwise listed as a
+ * DCPMI; it is then a DCPMI regardless of volume. Below the volume tiers such an
+ * organisation is reported as `'listed'` with the fee left at 0 and a note to
+ * confirm the applicable tier/fee with the NDPC.
+ *
+ * @see NDPC General Application and Implementation Directive (GAID) 2025
+ * @see NDPC Guidance Notice on the Registration of Data Controllers and Processors of Major Importance
+ */
+export declare type DCPMITier = 'UHL' | 'EHL' | 'OHL' | 'listed' | 'none';
+
+/** September 2025 GAID baseline annual fees (NGN). */
+export declare const DEFAULT_DCPMI_FEES_NGN: DCPMIFees;
+
+/** September 2025 GAID baseline — override via {@link DCPMIClassificationOptions} as the rules evolve. */
+export declare const DEFAULT_DCPMI_THRESHOLDS: DCPMIThresholds;
+
 /**
  * Default NDPA-compliant privacy policy sections.
  * Each section uses {{variable}} placeholders that are resolved at generation time.
@@ -2231,6 +2476,11 @@ export declare interface FormatDSRRequestStructuredResult {
     data?: DSRRequest;
 }
 
+/**
+ * Derive the CAR schedule and status for a DCPMI under NDPC GAID 2025.
+ */
+export declare function generateComplianceAuditReturn(input: CARInput, options?: CAROptions): ComplianceAuditReturn;
+
 /**
  * Generates a summary of all lawful basis documentation across processing activities.
  *
@@ -4354,6 +4604,14 @@ export declare interface UseAdaptivePolicyWizardReturn {
  */
 export declare function useBreach({ categories, initialReports, adapter, storageKey, useLocalStorage, onReport, onAssessment, onNotification, }: UseBreachOptions): UseBreachReturn;
 
+/**
+ * React hook that memoises the `assessBreachNotification` utility — checks a
+ * breach report's completeness against the NDPA S. 40 / GAID 2025 Article 33
+ * notification requirements (mandated content, the 72-hour window, and any
+ * data-subject communication owed on high risk).
+ */
+export declare function useBreachNotificationAssessment(report: BreachReport, options?: BreachNotificationOptions): BreachNotificationAssessment;
+
 declare interface UseBreachOptions {
     /**
      * Available breach categories
@@ -4457,6 +4715,13 @@ declare interface UseBreachReturn {
     isLoading: boolean;
 }
 
+/**
+ * React hook that memoises the `generateComplianceAuditReturn` utility — derives
+ * a DCPMI's Compliance Audit Returns schedule (initial-audit due date, next
+ * annual filing deadline) and status under NDPC GAID 2025.
+ */
+export declare function useComplianceAuditReturn(input: CARInput, options?: CAROptions): ComplianceAuditReturn;
+
 /**
  * Computes an NDPA compliance score and returns a structured report
  * (score, rating, per-module breakdown, recommendations).
@@ -4674,6 +4939,13 @@ declare interface UseCrossBorderTransferReturn {
     isLoading: boolean;
 }
 
+/**
+ * React hook that memoises the `classifyDCPMI` utility — derives an organisation's
+ * Data Controller/Processor of Major Importance tier, annual registration fee,
+ * and Compliance Audit Returns obligations under NDPC GAID 2025.
+ */
+export declare function useDCPMI(input: DCPMIInput, options?: DCPMIClassificationOptions): DCPMIClassification;
+
 /**
  * Convenience wrapper around `usePrivacyPolicy`. With `orgInfo` provided
  * and `autoGenerate` enabled (default), `policy` is non-null on the first