bmad-plus 0.7.5 → 0.8.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +450 -425
- package/LICENSE +21 -21
- package/README.md +555 -447
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/SKILL.md +452 -452
- package/osint-agent-package/skills/bmad-osint-investigate/osint/assets/dossier-template.md +116 -116
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/content-extraction.md +100 -100
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/platforms.md +130 -130
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/psychoprofile.md +69 -69
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/tools.md +281 -281
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -260
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/mcp-client.py +136 -136
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +62 -57
- package/readme-international/README.de.md +576 -426
- package/readme-international/README.es.md +578 -518
- package/readme-international/README.fr.md +576 -516
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +325 -325
- package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +55 -55
- package/src/bmad-plus/agents/pack-backup/backup-agent.md +71 -71
- package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +51 -51
- package/src/bmad-plus/agents/pack-seo/SKILL.md +171 -171
- package/src/bmad-plus/agents/pack-seo/checklist.md +140 -140
- package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +320 -320
- package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +187 -187
- package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +87 -87
- package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +123 -123
- package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +167 -167
- package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +153 -153
- package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +133 -133
- package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +91 -91
- package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +356 -356
- package/src/bmad-plus/agents/pack-seo/seo-chief.md +294 -294
- package/src/bmad-plus/agents/pack-seo/seo-judge.md +241 -241
- package/src/bmad-plus/agents/pack-seo/seo-scout.md +171 -171
- package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +241 -241
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/module.yaml +283 -280
- package/src/bmad-plus/packs/pack-animated/animated-website-agent.md +325 -0
- package/src/bmad-plus/packs/pack-animated/templates/animated-website-workflow.md +55 -0
- package/src/bmad-plus/packs/pack-backup/backup-agent.md +71 -0
- package/src/bmad-plus/packs/pack-backup/templates/backup-workflow.md +51 -0
- package/src/bmad-plus/packs/pack-dev-studio/README.md +162 -162
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/analyst-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/document-project.md +61 -61
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/domain-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/market-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/prfaq.md +134 -134
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/product-brief.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/tech-writer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/analysis/technical-research.md +95 -95
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/architect-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-architecture.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/create-epics-stories.md +92 -92
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/generate-project-context.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/implementation-readiness.md +90 -90
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01-init.md +153 -153
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-01b-continue.md +173 -173
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-02-context.md +224 -224
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-03-starter.md +329 -329
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-04-decisions.md +318 -318
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-05-patterns.md +359 -359
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-06-structure.md +379 -379
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-07-validation.md +361 -361
- package/src/bmad-plus/packs/pack-dev-studio/categories/architecture/steps/step-08-complete.md +81 -81
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/checkpoint-preview.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-01-gather-context.md +85 -85
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-02-review.md +35 -35
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-03-triage.md +49 -49
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review-steps/step-04-present.md +131 -131
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/code-review.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/correct-course.md +300 -300
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/create-story.md +428 -428
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story-checklist.md +80 -80
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/dev-story.md +484 -484
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/investigate.md +193 -193
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/qa-e2e-tests.md +175 -175
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/quick-dev.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/retrospective.md +1511 -1511
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-planning.md +298 -298
- package/src/bmad-plus/packs/pack-dev-studio/categories/implementation/sprint-status.md +296 -296
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/create-ux-design.md +74 -74
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/edit-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/pm-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/prd.md +89 -89
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/ux-designer-agent.md +73 -73
- package/src/bmad-plus/packs/pack-dev-studio/categories/planning/validate-prd.md +29 -29
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/advanced-elicitation.md +141 -141
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/adversarial-review.md +37 -37
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/bmad-help.md +75 -75
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/brainstorming.md +6 -6
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/customize.md +110 -110
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/distillator.md +176 -176
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/edge-case-hunter.md +67 -67
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-prose.md +86 -86
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/editorial-review-structure.md +179 -179
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/index-docs.md +66 -66
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/party-mode.md +127 -127
- package/src/bmad-plus/packs/pack-dev-studio/categories/utilities/shard-doc.md +105 -105
- package/src/bmad-plus/packs/pack-dev-studio/dev-studio-orchestrator.md +120 -120
- package/src/bmad-plus/packs/pack-dev-studio/shared/architecture-decision-template.md +12 -12
- package/src/bmad-plus/packs/pack-dev-studio/shared/bwml-spec.md +328 -328
- package/src/bmad-plus/packs/pack-dev-studio/shared/module-help.csv +32 -32
- package/src/bmad-plus/packs/pack-dev-studio/upstream-sync.yaml +81 -81
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/SKILL.md +171 -0
- package/src/bmad-plus/packs/pack-seo/checklist.md +140 -0
- package/src/bmad-plus/packs/pack-seo/pagespeed-playbook.md +320 -0
- package/src/bmad-plus/packs/pack-seo/ref/audit-schema.json +187 -0
- package/src/bmad-plus/packs/pack-seo/ref/cwv-thresholds.md +87 -0
- package/src/bmad-plus/packs/pack-seo/ref/eeat-criteria.md +123 -0
- package/src/bmad-plus/packs/pack-seo/ref/geo-signals.md +167 -0
- package/src/bmad-plus/packs/pack-seo/ref/hreflang-rules.md +153 -0
- package/src/bmad-plus/packs/pack-seo/ref/quality-gates.md +133 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-catalog.md +91 -0
- package/src/bmad-plus/packs/pack-seo/ref/schema-templates.json +356 -0
- package/src/bmad-plus/packs/pack-seo/seo-chief.md +294 -0
- package/src/bmad-plus/packs/pack-seo/seo-judge.md +241 -0
- package/src/bmad-plus/packs/pack-seo/seo-scout.md +171 -0
- package/src/bmad-plus/packs/pack-seo/templates/seo-audit-workflow.md +241 -0
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +262 -262
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +179 -179
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +201 -201
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +97 -97
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +221 -221
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +150 -150
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +167 -167
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +83 -83
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +250 -250
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +218 -218
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +127 -127
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +272 -272
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +202 -202
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +367 -367
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +510 -510
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +247 -247
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +173 -173
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +266 -266
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +164 -164
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/commands/autoconfig.js +498 -489
- package/tools/cli/commands/doctor.js +222 -222
- package/tools/cli/commands/install.js +739 -739
- package/tools/cli/commands/memory.js +194 -194
- package/tools/cli/commands/scan.js +360 -350
- package/tools/cli/commands/uninstall.js +96 -96
- package/tools/cli/commands/update.js +174 -174
- package/tools/cli/i18n.js +763 -763
|
@@ -1,287 +1,287 @@
|
|
|
1
|
-
# EU AI Act — High-Risk AI System Obligations Reference
|
|
2
|
-
|
|
3
|
-
All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
|
|
4
|
-
|
|
5
|
-
---
|
|
6
|
-
|
|
7
|
-
## Art. 9 — Risk Management System
|
|
8
|
-
|
|
9
|
-
**Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
|
|
10
|
-
|
|
11
|
-
**Requirements:**
|
|
12
|
-
- Continuous, iterative process maintained from development through decommissioning
|
|
13
|
-
- Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
|
|
14
|
-
- **5-step process:**
|
|
15
|
-
1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
|
|
16
|
-
2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
|
|
17
|
-
3. Evaluate risks emerging from post-market monitoring data
|
|
18
|
-
4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
|
|
19
|
-
5. Assess residual risk acceptability; document reasoning
|
|
20
|
-
- **Risk mitigation priority hierarchy (Art. 9(4)):**
|
|
21
|
-
1. Design-based risk elimination first
|
|
22
|
-
2. Adequate mitigation measures if elimination not possible
|
|
23
|
-
3. Information provision to deployers and users
|
|
24
|
-
- **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
|
|
25
|
-
- **Under-18 impact:** Special attention required for systems likely to adversely impact minors
|
|
26
|
-
|
|
27
|
-
**Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
|
|
28
|
-
|
|
29
|
-
---
|
|
30
|
-
|
|
31
|
-
## Art. 10 — Data and Data Governance
|
|
32
|
-
|
|
33
|
-
**Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
|
|
34
|
-
|
|
35
|
-
**Dataset requirements (Art. 10(2)):**
|
|
36
|
-
- Relevant to intended purpose
|
|
37
|
-
- Sufficiently representative of the persons/contexts the system will encounter
|
|
38
|
-
- Free of errors (where appropriate)
|
|
39
|
-
- Complete for the intended purpose
|
|
40
|
-
- Statistically appropriate for target geographic, contextual, and behavioral population
|
|
41
|
-
|
|
42
|
-
**Data governance practices (Art. 10(3)):**
|
|
43
|
-
- Design choices documentation
|
|
44
|
-
- Data collection method documentation
|
|
45
|
-
- Data origin examination and documentation
|
|
46
|
-
- Annotation, labeling, cleaning, enrichment, and aggregation procedures
|
|
47
|
-
- Bias examination and identification
|
|
48
|
-
- Gap identification in relevant properties
|
|
49
|
-
|
|
50
|
-
**Special category data (Art. 10(5)) — bias detection exception:**
|
|
51
|
-
Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
|
|
52
|
-
1. No adequate alternative data source exists
|
|
53
|
-
2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
|
|
54
|
-
3. Access controls ensure minimum necessary access
|
|
55
|
-
4. No third-party data transfer
|
|
56
|
-
5. Data deleted upon completion of bias detection
|
|
57
|
-
6. Documented justification maintained
|
|
58
|
-
|
|
59
|
-
---
|
|
60
|
-
|
|
61
|
-
## Art. 11 — Technical Documentation
|
|
62
|
-
|
|
63
|
-
**Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
|
|
64
|
-
|
|
65
|
-
**Content specified in Annex IV:**
|
|
66
|
-
- General description: intended purpose, provider identity, version, interactions with other systems
|
|
67
|
-
- Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
|
|
68
|
-
- Information about training data (including general description, origin, annotation procedures, design choices)
|
|
69
|
-
- Assessment of the measures required to interpret outputs and enable human oversight
|
|
70
|
-
- Detailed description of the system design (architecture, source code or training code access if applicable)
|
|
71
|
-
- Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
|
|
72
|
-
- Risk management system documentation (Art. 9)
|
|
73
|
-
- Changes made to system over lifecycle
|
|
74
|
-
- List of harmonised standards applied (or description of alternative solutions for conformity)
|
|
75
|
-
- EU Declaration of Conformity
|
|
76
|
-
|
|
77
|
-
**Retention:** 10 years after market placement or putting into service.
|
|
78
|
-
|
|
79
|
-
---
|
|
80
|
-
|
|
81
|
-
## Art. 12 — Record-Keeping / Automatic Logging
|
|
82
|
-
|
|
83
|
-
**Who:** Providers must build in automatic logging capability; deployers must retain logs.
|
|
84
|
-
|
|
85
|
-
**Provider obligations:**
|
|
86
|
-
- High-risk systems must be capable of automatically generating event logs throughout operation
|
|
87
|
-
- Logging capability enables post-deployment reconstruction of circumstances surrounding risks
|
|
88
|
-
- For biometric identification: logs must enable identification of persons involved and circumstances
|
|
89
|
-
|
|
90
|
-
**Deployer obligations (Art. 26(6)):**
|
|
91
|
-
- Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
|
|
92
|
-
- Public sector deployers: stricter retention may apply under public records obligations
|
|
93
|
-
|
|
94
|
-
---
|
|
95
|
-
|
|
96
|
-
## Art. 13 — Transparency and Provision of Information to Deployers
|
|
97
|
-
|
|
98
|
-
**Purpose:** Enable deployers to understand and correctly use the AI system.
|
|
99
|
-
|
|
100
|
-
**System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
|
|
101
|
-
|
|
102
|
-
**Instructions for use must include:**
|
|
103
|
-
- Provider identity, address, registration data
|
|
104
|
-
- System characteristics, capabilities, and intended purpose
|
|
105
|
-
- Performance metrics: level of accuracy, robustness, cybersecurity
|
|
106
|
-
- Known or foreseeable circumstances that may lead to risks
|
|
107
|
-
- System performance for specific persons/groups
|
|
108
|
-
- Specifications for input data (data types, formats, dimensions)
|
|
109
|
-
- Information on changes made vs prior versions
|
|
110
|
-
- Human oversight measures (Art. 14) and technical measures to enable oversight
|
|
111
|
-
- Computational resources required; expected system lifetime
|
|
112
|
-
- Description of logging mechanisms (Art. 12)
|
|
113
|
-
- Any predetermined modifications or updates
|
|
114
|
-
|
|
115
|
-
**Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
|
|
116
|
-
|
|
117
|
-
---
|
|
118
|
-
|
|
119
|
-
## Art. 14 — Human Oversight
|
|
120
|
-
|
|
121
|
-
**Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
|
|
122
|
-
|
|
123
|
-
**System design obligations (providers, Art. 14(3)):**
|
|
124
|
-
High-risk AI systems must be designed to allow natural persons to:
|
|
125
|
-
- Understand system capabilities and limitations
|
|
126
|
-
- Recognize **automation bias** (over-reliance on AI outputs)
|
|
127
|
-
- Correctly interpret AI outputs (including interpretability features)
|
|
128
|
-
- Decide not to use, or disregard, override, or reverse AI outputs
|
|
129
|
-
- Intervene through a **stop button** or similar interrupt mechanism
|
|
130
|
-
|
|
131
|
-
**Deployer implementation obligations (Art. 14(4)):**
|
|
132
|
-
- Assign human oversight to natural persons with necessary competence, authority, and resources
|
|
133
|
-
- Train oversight persons on system capabilities/limitations and automation bias risk
|
|
134
|
-
|
|
135
|
-
**Biometric identification specific (Art. 14(5)):**
|
|
136
|
-
- Minimum **two separate persons** must independently verify and confirm identification before action is taken
|
|
137
|
-
|
|
138
|
-
**Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
|
|
139
|
-
|
|
140
|
-
---
|
|
141
|
-
|
|
142
|
-
## Art. 15 — Accuracy, Robustness, and Cybersecurity
|
|
143
|
-
|
|
144
|
-
**Accuracy:**
|
|
145
|
-
- System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
|
|
146
|
-
- Declared accuracy levels and metrics must be in instructions for use (Art. 13)
|
|
147
|
-
- Training, validation, and testing data must be statistically appropriate to achieve declared levels
|
|
148
|
-
|
|
149
|
-
**Robustness:**
|
|
150
|
-
- Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
|
|
151
|
-
- Consistent performance throughout operational lifetime
|
|
152
|
-
- Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
|
|
153
|
-
- For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
|
|
154
|
-
|
|
155
|
-
**Cybersecurity:**
|
|
156
|
-
Resilience against attempts to alter use, outputs, or performance, including:
|
|
157
|
-
- **Data poisoning attacks** (contaminating training data)
|
|
158
|
-
- **Model poisoning attacks** (manipulating model weights)
|
|
159
|
-
- **Adversarial examples** (crafted inputs causing misclassification)
|
|
160
|
-
- **Confidentiality attacks** (extracting training data or model internals)
|
|
161
|
-
- **Model flaws exploitation** (taking advantage of design weaknesses)
|
|
162
|
-
|
|
163
|
-
**Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
|
|
164
|
-
|
|
165
|
-
---
|
|
166
|
-
|
|
167
|
-
## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
|
|
168
|
-
|
|
169
|
-
Before placing on market or putting into service, providers must:
|
|
170
|
-
|
|
171
|
-
1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
|
|
172
|
-
2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
|
|
173
|
-
3. ☐ Establish and implement quality management system (Art. 17)
|
|
174
|
-
4. ☐ Keep technical documentation (Art. 11, Annex IV)
|
|
175
|
-
5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
|
|
176
|
-
6. ☐ Complete required conformity assessment (Art. 43) before market placement
|
|
177
|
-
7. ☐ Draw up EU Declaration of Conformity (Art. 47)
|
|
178
|
-
8. ☐ Affix CE marking (Art. 48)
|
|
179
|
-
9. ☐ Register in EU AI database (Art. 49) before market placement
|
|
180
|
-
10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
|
|
181
|
-
11. ☐ Demonstrate conformity upon request of national competent authority
|
|
182
|
-
12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
|
|
183
|
-
|
|
184
|
-
---
|
|
185
|
-
|
|
186
|
-
## Art. 17 — Quality Management System (13 Required Components)
|
|
187
|
-
|
|
188
|
-
Documented policies and procedures covering:
|
|
189
|
-
|
|
190
|
-
1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
|
|
191
|
-
2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
|
|
192
|
-
3. **Development quality control** procedures
|
|
193
|
-
4. **Testing and validation** — before, during, and after development
|
|
194
|
-
5. **Technical standards application** — harmonised standards and common specifications
|
|
195
|
-
6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
|
|
196
|
-
7. **Risk management** per Art. 9
|
|
197
|
-
8. **Post-market monitoring** per Art. 72
|
|
198
|
-
9. **Serious incident reporting** per Art. 73 — communication with national authorities
|
|
199
|
-
10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
|
|
200
|
-
11. **Record-keeping and documentation** — retention periods and access procedures
|
|
201
|
-
12. **Resource management** including supply-chain security measures
|
|
202
|
-
13. **Accountability framework** — clear responsibility assignment for all above components
|
|
203
|
-
|
|
204
|
-
**Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
|
|
205
|
-
|
|
206
|
-
---
|
|
207
|
-
|
|
208
|
-
## Art. 26 — Deployer Obligations
|
|
209
|
-
|
|
210
|
-
1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
|
|
211
|
-
2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
|
|
212
|
-
3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
|
|
213
|
-
4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
|
|
214
|
-
5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
|
|
215
|
-
6. **Log retention:** Retain automatically generated logs for **at least 6 months**
|
|
216
|
-
7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
|
|
217
|
-
8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
|
|
218
|
-
9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
|
|
219
|
-
10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
|
|
220
|
-
|
|
221
|
-
---
|
|
222
|
-
|
|
223
|
-
## Arts. 43–49 — Conformity Assessment and CE Marking
|
|
224
|
-
|
|
225
|
-
### Art. 43 — Conformity Assessment Paths
|
|
226
|
-
|
|
227
|
-
**Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
|
|
228
|
-
- **(A) Self-assessment** — Internal control via Annex VI procedure; OR
|
|
229
|
-
- **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
|
|
230
|
-
|
|
231
|
-
Notified body (B) is **mandatory** when:
|
|
232
|
-
- No harmonised standards covering the system exist
|
|
233
|
-
- Standards exist but provider has not applied them (or only partially)
|
|
234
|
-
- Common specifications are unavailable or not used
|
|
235
|
-
- Standards published with restrictions that limit presumption of conformity
|
|
236
|
-
|
|
237
|
-
**Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
|
|
238
|
-
|
|
239
|
-
**Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
|
|
240
|
-
|
|
241
|
-
**Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
|
|
242
|
-
|
|
243
|
-
**Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
|
|
244
|
-
|
|
245
|
-
### Art. 47 — EU Declaration of Conformity
|
|
246
|
-
- Drawn up by provider (or authorised representative); provider assumes full responsibility
|
|
247
|
-
- Must confirm compliance with all applicable AI Act requirements (Section 2)
|
|
248
|
-
- Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
|
|
249
|
-
- Machine-readable format; translation required into languages required by national authorities
|
|
250
|
-
- Maintained for **10 years** from market placement
|
|
251
|
-
|
|
252
|
-
### Art. 48 — CE Marking
|
|
253
|
-
- Visible, legible, indelible affixation on system, packaging, or documentation
|
|
254
|
-
- Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
|
|
255
|
-
- Subject to general principles of CE marking (Regulation 765/2008)
|
|
256
|
-
- Affixed before market placement; re-affixed if system substantially modified
|
|
257
|
-
|
|
258
|
-
### Arts. 49 and 60 — EU AI Database Registration
|
|
259
|
-
|
|
260
|
-
**Provider registration (Art. 49):**
|
|
261
|
-
- Before market placement (Annex III systems — Art. 6(2))
|
|
262
|
-
- Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
|
|
263
|
-
- Provider registration covers all deployers and users of that system
|
|
264
|
-
|
|
265
|
-
**Public authority deployer registration (Art. 60):**
|
|
266
|
-
- Before deployment of registered high-risk systems
|
|
267
|
-
- Additional system-specific information for public authority use
|
|
268
|
-
|
|
269
|
-
**Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
|
|
270
|
-
|
|
271
|
-
**Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
|
|
272
|
-
|
|
273
|
-
---
|
|
274
|
-
|
|
275
|
-
## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
|
|
276
|
-
|
|
277
|
-
**Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
|
|
278
|
-
|
|
279
|
-
**Content:**
|
|
280
|
-
- Description of the deployer's processes in which the system will be used
|
|
281
|
-
- Time period, frequency, and number of persons affected
|
|
282
|
-
- The specific categories of persons likely to be affected
|
|
283
|
-
- Specific risks of harm to categories of affected persons
|
|
284
|
-
- Human oversight measures (Art. 14) planned
|
|
285
|
-
- Measures to address fundamental rights risks
|
|
286
|
-
|
|
287
|
-
**Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.
|
|
1
|
+
# EU AI Act — High-Risk AI System Obligations Reference
|
|
2
|
+
|
|
3
|
+
All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
|
|
4
|
+
|
|
5
|
+
---
|
|
6
|
+
|
|
7
|
+
## Art. 9 — Risk Management System
|
|
8
|
+
|
|
9
|
+
**Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
|
|
10
|
+
|
|
11
|
+
**Requirements:**
|
|
12
|
+
- Continuous, iterative process maintained from development through decommissioning
|
|
13
|
+
- Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
|
|
14
|
+
- **5-step process:**
|
|
15
|
+
1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
|
|
16
|
+
2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
|
|
17
|
+
3. Evaluate risks emerging from post-market monitoring data
|
|
18
|
+
4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
|
|
19
|
+
5. Assess residual risk acceptability; document reasoning
|
|
20
|
+
- **Risk mitigation priority hierarchy (Art. 9(4)):**
|
|
21
|
+
1. Design-based risk elimination first
|
|
22
|
+
2. Adequate mitigation measures if elimination not possible
|
|
23
|
+
3. Information provision to deployers and users
|
|
24
|
+
- **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
|
|
25
|
+
- **Under-18 impact:** Special attention required for systems likely to adversely impact minors
|
|
26
|
+
|
|
27
|
+
**Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
|
|
28
|
+
|
|
29
|
+
---
|
|
30
|
+
|
|
31
|
+
## Art. 10 — Data and Data Governance
|
|
32
|
+
|
|
33
|
+
**Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
|
|
34
|
+
|
|
35
|
+
**Dataset requirements (Art. 10(2)):**
|
|
36
|
+
- Relevant to intended purpose
|
|
37
|
+
- Sufficiently representative of the persons/contexts the system will encounter
|
|
38
|
+
- Free of errors (where appropriate)
|
|
39
|
+
- Complete for the intended purpose
|
|
40
|
+
- Statistically appropriate for target geographic, contextual, and behavioral population
|
|
41
|
+
|
|
42
|
+
**Data governance practices (Art. 10(3)):**
|
|
43
|
+
- Design choices documentation
|
|
44
|
+
- Data collection method documentation
|
|
45
|
+
- Data origin examination and documentation
|
|
46
|
+
- Annotation, labeling, cleaning, enrichment, and aggregation procedures
|
|
47
|
+
- Bias examination and identification
|
|
48
|
+
- Gap identification in relevant properties
|
|
49
|
+
|
|
50
|
+
**Special category data (Art. 10(5)) — bias detection exception:**
|
|
51
|
+
Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
|
|
52
|
+
1. No adequate alternative data source exists
|
|
53
|
+
2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
|
|
54
|
+
3. Access controls ensure minimum necessary access
|
|
55
|
+
4. No third-party data transfer
|
|
56
|
+
5. Data deleted upon completion of bias detection
|
|
57
|
+
6. Documented justification maintained
|
|
58
|
+
|
|
59
|
+
---
|
|
60
|
+
|
|
61
|
+
## Art. 11 — Technical Documentation
|
|
62
|
+
|
|
63
|
+
**Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
|
|
64
|
+
|
|
65
|
+
**Content specified in Annex IV:**
|
|
66
|
+
- General description: intended purpose, provider identity, version, interactions with other systems
|
|
67
|
+
- Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
|
|
68
|
+
- Information about training data (including general description, origin, annotation procedures, design choices)
|
|
69
|
+
- Assessment of the measures required to interpret outputs and enable human oversight
|
|
70
|
+
- Detailed description of the system design (architecture, source code or training code access if applicable)
|
|
71
|
+
- Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
|
|
72
|
+
- Risk management system documentation (Art. 9)
|
|
73
|
+
- Changes made to system over lifecycle
|
|
74
|
+
- List of harmonised standards applied (or description of alternative solutions for conformity)
|
|
75
|
+
- EU Declaration of Conformity
|
|
76
|
+
|
|
77
|
+
**Retention:** 10 years after market placement or putting into service.
|
|
78
|
+
|
|
79
|
+
---
|
|
80
|
+
|
|
81
|
+
## Art. 12 — Record-Keeping / Automatic Logging
|
|
82
|
+
|
|
83
|
+
**Who:** Providers must build in automatic logging capability; deployers must retain logs.
|
|
84
|
+
|
|
85
|
+
**Provider obligations:**
|
|
86
|
+
- High-risk systems must be capable of automatically generating event logs throughout operation
|
|
87
|
+
- Logging capability enables post-deployment reconstruction of circumstances surrounding risks
|
|
88
|
+
- For biometric identification: logs must enable identification of persons involved and circumstances
|
|
89
|
+
|
|
90
|
+
**Deployer obligations (Art. 26(6)):**
|
|
91
|
+
- Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
|
|
92
|
+
- Public sector deployers: stricter retention may apply under public records obligations
|
|
93
|
+
|
|
94
|
+
---
|
|
95
|
+
|
|
96
|
+
## Art. 13 — Transparency and Provision of Information to Deployers
|
|
97
|
+
|
|
98
|
+
**Purpose:** Enable deployers to understand and correctly use the AI system.
|
|
99
|
+
|
|
100
|
+
**System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
|
|
101
|
+
|
|
102
|
+
**Instructions for use must include:**
|
|
103
|
+
- Provider identity, address, registration data
|
|
104
|
+
- System characteristics, capabilities, and intended purpose
|
|
105
|
+
- Performance metrics: level of accuracy, robustness, cybersecurity
|
|
106
|
+
- Known or foreseeable circumstances that may lead to risks
|
|
107
|
+
- System performance for specific persons/groups
|
|
108
|
+
- Specifications for input data (data types, formats, dimensions)
|
|
109
|
+
- Information on changes made vs prior versions
|
|
110
|
+
- Human oversight measures (Art. 14) and technical measures to enable oversight
|
|
111
|
+
- Computational resources required; expected system lifetime
|
|
112
|
+
- Description of logging mechanisms (Art. 12)
|
|
113
|
+
- Any predetermined modifications or updates
|
|
114
|
+
|
|
115
|
+
**Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
|
|
116
|
+
|
|
117
|
+
---
|
|
118
|
+
|
|
119
|
+
## Art. 14 — Human Oversight
|
|
120
|
+
|
|
121
|
+
**Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
|
|
122
|
+
|
|
123
|
+
**System design obligations (providers, Art. 14(3)):**
|
|
124
|
+
High-risk AI systems must be designed to allow natural persons to:
|
|
125
|
+
- Understand system capabilities and limitations
|
|
126
|
+
- Recognize **automation bias** (over-reliance on AI outputs)
|
|
127
|
+
- Correctly interpret AI outputs (including interpretability features)
|
|
128
|
+
- Decide not to use, or disregard, override, or reverse AI outputs
|
|
129
|
+
- Intervene through a **stop button** or similar interrupt mechanism
|
|
130
|
+
|
|
131
|
+
**Deployer implementation obligations (Art. 14(4)):**
|
|
132
|
+
- Assign human oversight to natural persons with necessary competence, authority, and resources
|
|
133
|
+
- Train oversight persons on system capabilities/limitations and automation bias risk
|
|
134
|
+
|
|
135
|
+
**Biometric identification specific (Art. 14(5)):**
|
|
136
|
+
- Minimum **two separate persons** must independently verify and confirm identification before action is taken
|
|
137
|
+
|
|
138
|
+
**Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
|
|
139
|
+
|
|
140
|
+
---
|
|
141
|
+
|
|
142
|
+
## Art. 15 — Accuracy, Robustness, and Cybersecurity
|
|
143
|
+
|
|
144
|
+
**Accuracy:**
|
|
145
|
+
- System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
|
|
146
|
+
- Declared accuracy levels and metrics must be in instructions for use (Art. 13)
|
|
147
|
+
- Training, validation, and testing data must be statistically appropriate to achieve declared levels
|
|
148
|
+
|
|
149
|
+
**Robustness:**
|
|
150
|
+
- Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
|
|
151
|
+
- Consistent performance throughout operational lifetime
|
|
152
|
+
- Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
|
|
153
|
+
- For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
|
|
154
|
+
|
|
155
|
+
**Cybersecurity:**
|
|
156
|
+
Resilience against attempts to alter use, outputs, or performance, including:
|
|
157
|
+
- **Data poisoning attacks** (contaminating training data)
|
|
158
|
+
- **Model poisoning attacks** (manipulating model weights)
|
|
159
|
+
- **Adversarial examples** (crafted inputs causing misclassification)
|
|
160
|
+
- **Confidentiality attacks** (extracting training data or model internals)
|
|
161
|
+
- **Model flaws exploitation** (taking advantage of design weaknesses)
|
|
162
|
+
|
|
163
|
+
**Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
|
|
164
|
+
|
|
165
|
+
---
|
|
166
|
+
|
|
167
|
+
## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
|
|
168
|
+
|
|
169
|
+
Before placing on market or putting into service, providers must:
|
|
170
|
+
|
|
171
|
+
1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
|
|
172
|
+
2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
|
|
173
|
+
3. ☐ Establish and implement quality management system (Art. 17)
|
|
174
|
+
4. ☐ Keep technical documentation (Art. 11, Annex IV)
|
|
175
|
+
5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
|
|
176
|
+
6. ☐ Complete required conformity assessment (Art. 43) before market placement
|
|
177
|
+
7. ☐ Draw up EU Declaration of Conformity (Art. 47)
|
|
178
|
+
8. ☐ Affix CE marking (Art. 48)
|
|
179
|
+
9. ☐ Register in EU AI database (Art. 49) before market placement
|
|
180
|
+
10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
|
|
181
|
+
11. ☐ Demonstrate conformity upon request of national competent authority
|
|
182
|
+
12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
|
|
183
|
+
|
|
184
|
+
---
|
|
185
|
+
|
|
186
|
+
## Art. 17 — Quality Management System (13 Required Components)
|
|
187
|
+
|
|
188
|
+
Documented policies and procedures covering:
|
|
189
|
+
|
|
190
|
+
1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
|
|
191
|
+
2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
|
|
192
|
+
3. **Development quality control** procedures
|
|
193
|
+
4. **Testing and validation** — before, during, and after development
|
|
194
|
+
5. **Technical standards application** — harmonised standards and common specifications
|
|
195
|
+
6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
|
|
196
|
+
7. **Risk management** per Art. 9
|
|
197
|
+
8. **Post-market monitoring** per Art. 72
|
|
198
|
+
9. **Serious incident reporting** per Art. 73 — communication with national authorities
|
|
199
|
+
10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
|
|
200
|
+
11. **Record-keeping and documentation** — retention periods and access procedures
|
|
201
|
+
12. **Resource management** including supply-chain security measures
|
|
202
|
+
13. **Accountability framework** — clear responsibility assignment for all above components
|
|
203
|
+
|
|
204
|
+
**Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
|
|
205
|
+
|
|
206
|
+
---
|
|
207
|
+
|
|
208
|
+
## Art. 26 — Deployer Obligations
|
|
209
|
+
|
|
210
|
+
1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
|
|
211
|
+
2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
|
|
212
|
+
3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
|
|
213
|
+
4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
|
|
214
|
+
5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
|
|
215
|
+
6. **Log retention:** Retain automatically generated logs for **at least 6 months**
|
|
216
|
+
7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
|
|
217
|
+
8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
|
|
218
|
+
9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
|
|
219
|
+
10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
|
|
220
|
+
|
|
221
|
+
---
|
|
222
|
+
|
|
223
|
+
## Arts. 43–49 — Conformity Assessment and CE Marking
|
|
224
|
+
|
|
225
|
+
### Art. 43 — Conformity Assessment Paths
|
|
226
|
+
|
|
227
|
+
**Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
|
|
228
|
+
- **(A) Self-assessment** — Internal control via Annex VI procedure; OR
|
|
229
|
+
- **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
|
|
230
|
+
|
|
231
|
+
Notified body (B) is **mandatory** when:
|
|
232
|
+
- No harmonised standards covering the system exist
|
|
233
|
+
- Standards exist but provider has not applied them (or only partially)
|
|
234
|
+
- Common specifications are unavailable or not used
|
|
235
|
+
- Standards published with restrictions that limit presumption of conformity
|
|
236
|
+
|
|
237
|
+
**Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
|
|
238
|
+
|
|
239
|
+
**Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
|
|
240
|
+
|
|
241
|
+
**Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
|
|
242
|
+
|
|
243
|
+
**Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
|
|
244
|
+
|
|
245
|
+
### Art. 47 — EU Declaration of Conformity
|
|
246
|
+
- Drawn up by provider (or authorised representative); provider assumes full responsibility
|
|
247
|
+
- Must confirm compliance with all applicable AI Act requirements (Section 2)
|
|
248
|
+
- Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
|
|
249
|
+
- Machine-readable format; translation required into languages required by national authorities
|
|
250
|
+
- Maintained for **10 years** from market placement
|
|
251
|
+
|
|
252
|
+
### Art. 48 — CE Marking
|
|
253
|
+
- Visible, legible, indelible affixation on system, packaging, or documentation
|
|
254
|
+
- Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
|
|
255
|
+
- Subject to general principles of CE marking (Regulation 765/2008)
|
|
256
|
+
- Affixed before market placement; re-affixed if system substantially modified
|
|
257
|
+
|
|
258
|
+
### Arts. 49 and 60 — EU AI Database Registration
|
|
259
|
+
|
|
260
|
+
**Provider registration (Art. 49):**
|
|
261
|
+
- Before market placement (Annex III systems — Art. 6(2))
|
|
262
|
+
- Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
|
|
263
|
+
- Provider registration covers all deployers and users of that system
|
|
264
|
+
|
|
265
|
+
**Public authority deployer registration (Art. 60):**
|
|
266
|
+
- Before deployment of registered high-risk systems
|
|
267
|
+
- Additional system-specific information for public authority use
|
|
268
|
+
|
|
269
|
+
**Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
|
|
270
|
+
|
|
271
|
+
**Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
|
|
272
|
+
|
|
273
|
+
---
|
|
274
|
+
|
|
275
|
+
## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
|
|
276
|
+
|
|
277
|
+
**Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
|
|
278
|
+
|
|
279
|
+
**Content:**
|
|
280
|
+
- Description of the deployer's processes in which the system will be used
|
|
281
|
+
- Time period, frequency, and number of persons affected
|
|
282
|
+
- The specific categories of persons likely to be affected
|
|
283
|
+
- Specific risks of harm to categories of affected persons
|
|
284
|
+
- Human oversight measures (Art. 14) planned
|
|
285
|
+
- Measures to address fundamental rights risks
|
|
286
|
+
|
|
287
|
+
**Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.
|