bmad-plus 0.8.0 → 0.9.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (213) hide show
  1. package/CHANGELOG.md +45 -1
  2. package/LICENSE +21 -21
  3. package/README.md +107 -85
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +18 -5
  24. package/readme-international/README.es.md +40 -12
  25. package/readme-international/README.fr.md +36 -8
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -0
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -0
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/bmad-plus-npx.js +3 -5
  180. package/tools/cli/bmad-plus-cli.js +5 -3
  181. package/tools/cli/commands/autoconfig.js +18 -61
  182. package/tools/cli/commands/doctor.js +30 -31
  183. package/tools/cli/commands/install.js +33 -343
  184. package/tools/cli/commands/memory.js +1 -0
  185. package/tools/cli/commands/scan.js +61 -74
  186. package/tools/cli/commands/uninstall.js +7 -4
  187. package/tools/cli/commands/update.js +15 -72
  188. package/tools/cli/i18n.js +92 -10
  189. package/tools/cli/lib/ide-config.js +259 -0
  190. package/tools/cli/lib/memory-init.js +113 -0
  191. package/tools/cli/lib/pack-copy.js +84 -0
  192. package/tools/cli/lib/packs.js +114 -0
  193. package/tools/cli/lib/stack-detect.js +102 -0
  194. package/tools/cli/lib/validate.js +45 -0
  195. package/src/bmad-plus/agents/pack-animated/animated-website-agent.md +0 -325
  196. package/src/bmad-plus/agents/pack-animated/templates/animated-website-workflow.md +0 -55
  197. package/src/bmad-plus/agents/pack-backup/backup-agent.md +0 -71
  198. package/src/bmad-plus/agents/pack-backup/templates/backup-workflow.md +0 -51
  199. package/src/bmad-plus/agents/pack-seo/SKILL.md +0 -171
  200. package/src/bmad-plus/agents/pack-seo/checklist.md +0 -140
  201. package/src/bmad-plus/agents/pack-seo/pagespeed-playbook.md +0 -320
  202. package/src/bmad-plus/agents/pack-seo/ref/audit-schema.json +0 -187
  203. package/src/bmad-plus/agents/pack-seo/ref/cwv-thresholds.md +0 -87
  204. package/src/bmad-plus/agents/pack-seo/ref/eeat-criteria.md +0 -123
  205. package/src/bmad-plus/agents/pack-seo/ref/geo-signals.md +0 -167
  206. package/src/bmad-plus/agents/pack-seo/ref/hreflang-rules.md +0 -153
  207. package/src/bmad-plus/agents/pack-seo/ref/quality-gates.md +0 -133
  208. package/src/bmad-plus/agents/pack-seo/ref/schema-catalog.md +0 -91
  209. package/src/bmad-plus/agents/pack-seo/ref/schema-templates.json +0 -356
  210. package/src/bmad-plus/agents/pack-seo/seo-chief.md +0 -294
  211. package/src/bmad-plus/agents/pack-seo/seo-judge.md +0 -241
  212. package/src/bmad-plus/agents/pack-seo/seo-scout.md +0 -171
  213. package/src/bmad-plus/agents/pack-seo/templates/seo-audit-workflow.md +0 -241
@@ -1,287 +1,287 @@
1
- # EU AI Act — High-Risk AI System Obligations Reference
2
-
3
- All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
4
-
5
- ---
6
-
7
- ## Art. 9 — Risk Management System
8
-
9
- **Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
10
-
11
- **Requirements:**
12
- - Continuous, iterative process maintained from development through decommissioning
13
- - Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
14
- - **5-step process:**
15
- 1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
16
- 2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
17
- 3. Evaluate risks emerging from post-market monitoring data
18
- 4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
19
- 5. Assess residual risk acceptability; document reasoning
20
- - **Risk mitigation priority hierarchy (Art. 9(4)):**
21
- 1. Design-based risk elimination first
22
- 2. Adequate mitigation measures if elimination not possible
23
- 3. Information provision to deployers and users
24
- - **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
25
- - **Under-18 impact:** Special attention required for systems likely to adversely impact minors
26
-
27
- **Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
28
-
29
- ---
30
-
31
- ## Art. 10 — Data and Data Governance
32
-
33
- **Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
34
-
35
- **Dataset requirements (Art. 10(2)):**
36
- - Relevant to intended purpose
37
- - Sufficiently representative of the persons/contexts the system will encounter
38
- - Free of errors (where appropriate)
39
- - Complete for the intended purpose
40
- - Statistically appropriate for target geographic, contextual, and behavioral population
41
-
42
- **Data governance practices (Art. 10(3)):**
43
- - Design choices documentation
44
- - Data collection method documentation
45
- - Data origin examination and documentation
46
- - Annotation, labeling, cleaning, enrichment, and aggregation procedures
47
- - Bias examination and identification
48
- - Gap identification in relevant properties
49
-
50
- **Special category data (Art. 10(5)) — bias detection exception:**
51
- Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
52
- 1. No adequate alternative data source exists
53
- 2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
54
- 3. Access controls ensure minimum necessary access
55
- 4. No third-party data transfer
56
- 5. Data deleted upon completion of bias detection
57
- 6. Documented justification maintained
58
-
59
- ---
60
-
61
- ## Art. 11 — Technical Documentation
62
-
63
- **Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
64
-
65
- **Content specified in Annex IV:**
66
- - General description: intended purpose, provider identity, version, interactions with other systems
67
- - Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
68
- - Information about training data (including general description, origin, annotation procedures, design choices)
69
- - Assessment of the measures required to interpret outputs and enable human oversight
70
- - Detailed description of the system design (architecture, source code or training code access if applicable)
71
- - Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
72
- - Risk management system documentation (Art. 9)
73
- - Changes made to system over lifecycle
74
- - List of harmonised standards applied (or description of alternative solutions for conformity)
75
- - EU Declaration of Conformity
76
-
77
- **Retention:** 10 years after market placement or putting into service.
78
-
79
- ---
80
-
81
- ## Art. 12 — Record-Keeping / Automatic Logging
82
-
83
- **Who:** Providers must build in automatic logging capability; deployers must retain logs.
84
-
85
- **Provider obligations:**
86
- - High-risk systems must be capable of automatically generating event logs throughout operation
87
- - Logging capability enables post-deployment reconstruction of circumstances surrounding risks
88
- - For biometric identification: logs must enable identification of persons involved and circumstances
89
-
90
- **Deployer obligations (Art. 26(6)):**
91
- - Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
92
- - Public sector deployers: stricter retention may apply under public records obligations
93
-
94
- ---
95
-
96
- ## Art. 13 — Transparency and Provision of Information to Deployers
97
-
98
- **Purpose:** Enable deployers to understand and correctly use the AI system.
99
-
100
- **System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
101
-
102
- **Instructions for use must include:**
103
- - Provider identity, address, registration data
104
- - System characteristics, capabilities, and intended purpose
105
- - Performance metrics: level of accuracy, robustness, cybersecurity
106
- - Known or foreseeable circumstances that may lead to risks
107
- - System performance for specific persons/groups
108
- - Specifications for input data (data types, formats, dimensions)
109
- - Information on changes made vs prior versions
110
- - Human oversight measures (Art. 14) and technical measures to enable oversight
111
- - Computational resources required; expected system lifetime
112
- - Description of logging mechanisms (Art. 12)
113
- - Any predetermined modifications or updates
114
-
115
- **Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
116
-
117
- ---
118
-
119
- ## Art. 14 — Human Oversight
120
-
121
- **Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
122
-
123
- **System design obligations (providers, Art. 14(3)):**
124
- High-risk AI systems must be designed to allow natural persons to:
125
- - Understand system capabilities and limitations
126
- - Recognize **automation bias** (over-reliance on AI outputs)
127
- - Correctly interpret AI outputs (including interpretability features)
128
- - Decide not to use, or disregard, override, or reverse AI outputs
129
- - Intervene through a **stop button** or similar interrupt mechanism
130
-
131
- **Deployer implementation obligations (Art. 14(4)):**
132
- - Assign human oversight to natural persons with necessary competence, authority, and resources
133
- - Train oversight persons on system capabilities/limitations and automation bias risk
134
-
135
- **Biometric identification specific (Art. 14(5)):**
136
- - Minimum **two separate persons** must independently verify and confirm identification before action is taken
137
-
138
- **Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
139
-
140
- ---
141
-
142
- ## Art. 15 — Accuracy, Robustness, and Cybersecurity
143
-
144
- **Accuracy:**
145
- - System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
146
- - Declared accuracy levels and metrics must be in instructions for use (Art. 13)
147
- - Training, validation, and testing data must be statistically appropriate to achieve declared levels
148
-
149
- **Robustness:**
150
- - Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
151
- - Consistent performance throughout operational lifetime
152
- - Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
153
- - For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
154
-
155
- **Cybersecurity:**
156
- Resilience against attempts to alter use, outputs, or performance, including:
157
- - **Data poisoning attacks** (contaminating training data)
158
- - **Model poisoning attacks** (manipulating model weights)
159
- - **Adversarial examples** (crafted inputs causing misclassification)
160
- - **Confidentiality attacks** (extracting training data or model internals)
161
- - **Model flaws exploitation** (taking advantage of design weaknesses)
162
-
163
- **Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
164
-
165
- ---
166
-
167
- ## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
168
-
169
- Before placing on market or putting into service, providers must:
170
-
171
- 1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
172
- 2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
173
- 3. ☐ Establish and implement quality management system (Art. 17)
174
- 4. ☐ Keep technical documentation (Art. 11, Annex IV)
175
- 5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
176
- 6. ☐ Complete required conformity assessment (Art. 43) before market placement
177
- 7. ☐ Draw up EU Declaration of Conformity (Art. 47)
178
- 8. ☐ Affix CE marking (Art. 48)
179
- 9. ☐ Register in EU AI database (Art. 49) before market placement
180
- 10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
181
- 11. ☐ Demonstrate conformity upon request of national competent authority
182
- 12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
183
-
184
- ---
185
-
186
- ## Art. 17 — Quality Management System (13 Required Components)
187
-
188
- Documented policies and procedures covering:
189
-
190
- 1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
191
- 2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
192
- 3. **Development quality control** procedures
193
- 4. **Testing and validation** — before, during, and after development
194
- 5. **Technical standards application** — harmonised standards and common specifications
195
- 6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
196
- 7. **Risk management** per Art. 9
197
- 8. **Post-market monitoring** per Art. 72
198
- 9. **Serious incident reporting** per Art. 73 — communication with national authorities
199
- 10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
200
- 11. **Record-keeping and documentation** — retention periods and access procedures
201
- 12. **Resource management** including supply-chain security measures
202
- 13. **Accountability framework** — clear responsibility assignment for all above components
203
-
204
- **Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
205
-
206
- ---
207
-
208
- ## Art. 26 — Deployer Obligations
209
-
210
- 1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
211
- 2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
212
- 3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
213
- 4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
214
- 5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
215
- 6. **Log retention:** Retain automatically generated logs for **at least 6 months**
216
- 7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
217
- 8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
218
- 9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
219
- 10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
220
-
221
- ---
222
-
223
- ## Arts. 43–49 — Conformity Assessment and CE Marking
224
-
225
- ### Art. 43 — Conformity Assessment Paths
226
-
227
- **Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
228
- - **(A) Self-assessment** — Internal control via Annex VI procedure; OR
229
- - **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
230
-
231
- Notified body (B) is **mandatory** when:
232
- - No harmonised standards covering the system exist
233
- - Standards exist but provider has not applied them (or only partially)
234
- - Common specifications are unavailable or not used
235
- - Standards published with restrictions that limit presumption of conformity
236
-
237
- **Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
238
-
239
- **Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
240
-
241
- **Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
242
-
243
- **Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
244
-
245
- ### Art. 47 — EU Declaration of Conformity
246
- - Drawn up by provider (or authorised representative); provider assumes full responsibility
247
- - Must confirm compliance with all applicable AI Act requirements (Section 2)
248
- - Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
249
- - Machine-readable format; translation required into languages required by national authorities
250
- - Maintained for **10 years** from market placement
251
-
252
- ### Art. 48 — CE Marking
253
- - Visible, legible, indelible affixation on system, packaging, or documentation
254
- - Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
255
- - Subject to general principles of CE marking (Regulation 765/2008)
256
- - Affixed before market placement; re-affixed if system substantially modified
257
-
258
- ### Arts. 49 and 60 — EU AI Database Registration
259
-
260
- **Provider registration (Art. 49):**
261
- - Before market placement (Annex III systems — Art. 6(2))
262
- - Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
263
- - Provider registration covers all deployers and users of that system
264
-
265
- **Public authority deployer registration (Art. 60):**
266
- - Before deployment of registered high-risk systems
267
- - Additional system-specific information for public authority use
268
-
269
- **Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
270
-
271
- **Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
272
-
273
- ---
274
-
275
- ## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
276
-
277
- **Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
278
-
279
- **Content:**
280
- - Description of the deployer's processes in which the system will be used
281
- - Time period, frequency, and number of persons affected
282
- - The specific categories of persons likely to be affected
283
- - Specific risks of harm to categories of affected persons
284
- - Human oversight measures (Art. 14) planned
285
- - Measures to address fundamental rights risks
286
-
287
- **Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.
1
+ # EU AI Act — High-Risk AI System Obligations Reference
2
+
3
+ All obligations below apply to **providers** unless stated otherwise. Annex III systems: applies from **2 August 2026**. Annex I safety component systems: applies from **2 August 2027**.
4
+
5
+ ---
6
+
7
+ ## Art. 9 — Risk Management System
8
+
9
+ **Purpose:** Identify and mitigate risks to health, safety, and fundamental rights throughout the AI system lifecycle.
10
+
11
+ **Requirements:**
12
+ - Continuous, iterative process maintained from development through decommissioning
13
+ - Must cover **all phases**: development, testing, pre-deployment assessment, post-market monitoring
14
+ - **5-step process:**
15
+ 1. Identify all known and reasonably foreseeable risks (normal use, reasonably foreseeable misuse)
16
+ 2. Estimate and evaluate risks under all intended and reasonably foreseeable uses
17
+ 3. Evaluate risks emerging from post-market monitoring data
18
+ 4. Adopt appropriate and targeted risk mitigation measures (Art. 9(4))
19
+ 5. Assess residual risk acceptability; document reasoning
20
+ - **Risk mitigation priority hierarchy (Art. 9(4)):**
21
+ 1. Design-based risk elimination first
22
+ 2. Adequate mitigation measures if elimination not possible
23
+ 3. Information provision to deployers and users
24
+ - **Testing (Art. 9(7)):** Before market placement; against pre-defined metrics and probabilistic thresholds; representative test data
25
+ - **Under-18 impact:** Special attention required for systems likely to adversely impact minors
26
+
27
+ **Documentation required:** Risk management system must be documented and form part of technical documentation (Art. 11, Annex IV).
28
+
29
+ ---
30
+
31
+ ## Art. 10 — Data and Data Governance
32
+
33
+ **Purpose:** Ensure training, validation, and testing datasets are appropriate for the intended purpose.
34
+
35
+ **Dataset requirements (Art. 10(2)):**
36
+ - Relevant to intended purpose
37
+ - Sufficiently representative of the persons/contexts the system will encounter
38
+ - Free of errors (where appropriate)
39
+ - Complete for the intended purpose
40
+ - Statistically appropriate for target geographic, contextual, and behavioral population
41
+
42
+ **Data governance practices (Art. 10(3)):**
43
+ - Design choices documentation
44
+ - Data collection method documentation
45
+ - Data origin examination and documentation
46
+ - Annotation, labeling, cleaning, enrichment, and aggregation procedures
47
+ - Bias examination and identification
48
+ - Gap identification in relevant properties
49
+
50
+ **Special category data (Art. 10(5)) — bias detection exception:**
51
+ Processing of special-category personal data (GDPR Art. 9) permitted ONLY when ALL conditions met:
52
+ 1. No adequate alternative data source exists
53
+ 2. Technical and organizational protections are in place (anonymization, pseudonymization where possible)
54
+ 3. Access controls ensure minimum necessary access
55
+ 4. No third-party data transfer
56
+ 5. Data deleted upon completion of bias detection
57
+ 6. Documented justification maintained
58
+
59
+ ---
60
+
61
+ ## Art. 11 — Technical Documentation
62
+
63
+ **Who:** Providers (before market placement), kept up-to-date throughout lifecycle.
64
+
65
+ **Content specified in Annex IV:**
66
+ - General description: intended purpose, provider identity, version, interactions with other systems
67
+ - Detailed description of elements and development process: training methodologies, design choices, algorithms, data used
68
+ - Information about training data (including general description, origin, annotation procedures, design choices)
69
+ - Assessment of the measures required to interpret outputs and enable human oversight
70
+ - Detailed description of the system design (architecture, source code or training code access if applicable)
71
+ - Validation and testing: procedures, applied metrics, performance benchmarks, testing datasets
72
+ - Risk management system documentation (Art. 9)
73
+ - Changes made to system over lifecycle
74
+ - List of harmonised standards applied (or description of alternative solutions for conformity)
75
+ - EU Declaration of Conformity
76
+
77
+ **Retention:** 10 years after market placement or putting into service.
78
+
79
+ ---
80
+
81
+ ## Art. 12 — Record-Keeping / Automatic Logging
82
+
83
+ **Who:** Providers must build in automatic logging capability; deployers must retain logs.
84
+
85
+ **Provider obligations:**
86
+ - High-risk systems must be capable of automatically generating event logs throughout operation
87
+ - Logging capability enables post-deployment reconstruction of circumstances surrounding risks
88
+ - For biometric identification: logs must enable identification of persons involved and circumstances
89
+
90
+ **Deployer obligations (Art. 26(6)):**
91
+ - Retain automatically generated logs for **minimum 6 months** from use, or as required by applicable Union/national law (whichever longer)
92
+ - Public sector deployers: stricter retention may apply under public records obligations
93
+
94
+ ---
95
+
96
+ ## Art. 13 — Transparency and Provision of Information to Deployers
97
+
98
+ **Purpose:** Enable deployers to understand and correctly use the AI system.
99
+
100
+ **System design requirement:** High-risk AI systems must be designed with sufficient transparency for deployers to interpret outputs and use appropriately.
101
+
102
+ **Instructions for use must include:**
103
+ - Provider identity, address, registration data
104
+ - System characteristics, capabilities, and intended purpose
105
+ - Performance metrics: level of accuracy, robustness, cybersecurity
106
+ - Known or foreseeable circumstances that may lead to risks
107
+ - System performance for specific persons/groups
108
+ - Specifications for input data (data types, formats, dimensions)
109
+ - Information on changes made vs prior versions
110
+ - Human oversight measures (Art. 14) and technical measures to enable oversight
111
+ - Computational resources required; expected system lifetime
112
+ - Description of logging mechanisms (Art. 12)
113
+ - Any predetermined modifications or updates
114
+
115
+ **Format:** Concise, complete, correct, clear, relevant; provided in digital and, where appropriate, physical format; accessible to deployers in appropriate language.
116
+
117
+ ---
118
+
119
+ ## Art. 14 — Human Oversight
120
+
121
+ **Purpose:** Enable effective human monitoring during operation to identify and correct AI errors.
122
+
123
+ **System design obligations (providers, Art. 14(3)):**
124
+ High-risk AI systems must be designed to allow natural persons to:
125
+ - Understand system capabilities and limitations
126
+ - Recognize **automation bias** (over-reliance on AI outputs)
127
+ - Correctly interpret AI outputs (including interpretability features)
128
+ - Decide not to use, or disregard, override, or reverse AI outputs
129
+ - Intervene through a **stop button** or similar interrupt mechanism
130
+
131
+ **Deployer implementation obligations (Art. 14(4)):**
132
+ - Assign human oversight to natural persons with necessary competence, authority, and resources
133
+ - Train oversight persons on system capabilities/limitations and automation bias risk
134
+
135
+ **Biometric identification specific (Art. 14(5)):**
136
+ - Minimum **two separate persons** must independently verify and confirm identification before action is taken
137
+
138
+ **Proportionality:** Oversight measures are built in by providers proportionate to risks and level of autonomy; deployers may need to supplement with organizational measures.
139
+
140
+ ---
141
+
142
+ ## Art. 15 — Accuracy, Robustness, and Cybersecurity
143
+
144
+ **Accuracy:**
145
+ - System must achieve appropriate accuracy levels for intended purpose throughout its lifecycle
146
+ - Declared accuracy levels and metrics must be in instructions for use (Art. 13)
147
+ - Training, validation, and testing data must be statistically appropriate to achieve declared levels
148
+
149
+ **Robustness:**
150
+ - Resilience against errors, faults, or inconsistencies during operation and foreseeable misuse
151
+ - Consistent performance throughout operational lifetime
152
+ - Where appropriate: technical redundancy solutions, backup plans, fail-safe mechanisms
153
+ - For continuous learning systems: eliminate/reduce risks of feedback loops amplifying biased outputs
154
+
155
+ **Cybersecurity:**
156
+ Resilience against attempts to alter use, outputs, or performance, including:
157
+ - **Data poisoning attacks** (contaminating training data)
158
+ - **Model poisoning attacks** (manipulating model weights)
159
+ - **Adversarial examples** (crafted inputs causing misclassification)
160
+ - **Confidentiality attacks** (extracting training data or model internals)
161
+ - **Model flaws exploitation** (taking advantage of design weaknesses)
162
+
163
+ **Technical solutions appropriate to context:** Air-gapping sensitive components, adversarial testing, input validation, output monitoring.
164
+
165
+ ---
166
+
167
+ ## Art. 16 — Provider Obligations (Complete 12-Item Checklist)
168
+
169
+ Before placing on market or putting into service, providers must:
170
+
171
+ 1. ☐ Ensure system complies with Section 2 requirements (Arts. 9–15)
172
+ 2. ☐ Display name, trademark, and contact address on system, packaging, or documentation
173
+ 3. ☐ Establish and implement quality management system (Art. 17)
174
+ 4. ☐ Keep technical documentation (Art. 11, Annex IV)
175
+ 5. ☐ Retain automatically generated logs (Art. 12) where under provider's control
176
+ 6. ☐ Complete required conformity assessment (Art. 43) before market placement
177
+ 7. ☐ Draw up EU Declaration of Conformity (Art. 47)
178
+ 8. ☐ Affix CE marking (Art. 48)
179
+ 9. ☐ Register in EU AI database (Art. 49) before market placement
180
+ 10. ☐ Take immediate corrective action for non-conforming systems; notify authorities and deployers (Art. 20)
181
+ 11. ☐ Demonstrate conformity upon request of national competent authority
182
+ 12. ☐ Ensure accessible design where required (Directives 2016/2102, 2019/882)
183
+
184
+ ---
185
+
186
+ ## Art. 17 — Quality Management System (13 Required Components)
187
+
188
+ Documented policies and procedures covering:
189
+
190
+ 1. **Regulatory compliance strategy** including conformity assessment procedures and modifications management
191
+ 2. **Design techniques** — procedures for designing, controlling, and verifying the AI system
192
+ 3. **Development quality control** procedures
193
+ 4. **Testing and validation** — before, during, and after development
194
+ 5. **Technical standards application** — harmonised standards and common specifications
195
+ 6. **Data management** — acquisition, labeling, storage, filtering, retention, cleaning procedures
196
+ 7. **Risk management** per Art. 9
197
+ 8. **Post-market monitoring** per Art. 72
198
+ 9. **Serious incident reporting** per Art. 73 — communication with national authorities
199
+ 10. **Authority communication** procedures for corrective actions and recalls (Art. 20)
200
+ 11. **Record-keeping and documentation** — retention periods and access procedures
201
+ 12. **Resource management** including supply-chain security measures
202
+ 13. **Accountability framework** — clear responsibility assignment for all above components
203
+
204
+ **Proportionality:** QMS must be proportionate to provider organization size. Existing sectoral QMS may be adapted/integrated.
205
+
206
+ ---
207
+
208
+ ## Art. 26 — Deployer Obligations
209
+
210
+ 1. **Instructions compliance:** Use system in accordance with provider's instructions for use (Art. 13)
211
+ 2. **Staff assignment:** Assign human oversight to persons with necessary competence, training, authority, and resources
212
+ 3. **Input data control:** Where deployer controls input data — ensure it is relevant and sufficiently representative
213
+ 4. **Continuous monitoring:** Monitor operations; if risk identified — notify provider/importer/distributor AND market surveillance authority; suspend use where appropriate
214
+ 5. **Serious incidents:** Immediately notify provider, then importer/distributor and market surveillance authority
215
+ 6. **Log retention:** Retain automatically generated logs for **at least 6 months**
216
+ 7. **Worker notification:** In employment/worker management contexts — inform workers and representatives before deployment
217
+ 8. **Public authority registration:** Public authorities must register use in EU AI database (Art. 60) before deployment; cannot use unregistered high-risk systems
218
+ 9. **GDPR:** Conduct data protection impact assessments where required under GDPR Art. 35
219
+ 10. **Fundamental Rights Impact Assessment:** Required for public authorities before deploying certain high-risk systems under Art. 27
220
+
221
+ ---
222
+
223
+ ## Arts. 43–49 — Conformity Assessment and CE Marking
224
+
225
+ ### Art. 43 — Conformity Assessment Paths
226
+
227
+ **Annex III — Point 1 Systems (Biometrics):** Provider chooses between:
228
+ - **(A) Self-assessment** — Internal control via Annex VI procedure; OR
229
+ - **(B) Notified body** — Third-party assessment under Annex VII (QMS review + technical documentation assessment)
230
+
231
+ Notified body (B) is **mandatory** when:
232
+ - No harmonised standards covering the system exist
233
+ - Standards exist but provider has not applied them (or only partially)
234
+ - Common specifications are unavailable or not used
235
+ - Standards published with restrictions that limit presumption of conformity
236
+
237
+ **Annex III — Points 2–8 Systems (Areas 2–8):** Self-assessment only — no notified body assessment available.
238
+
239
+ **Annex I Products (safety components):** Conformity assessment integrated into the existing conformity procedure for the product under Annex I legislation.
240
+
241
+ **Law enforcement / immigration / EU institutions:** Market surveillance authority acts as notified body.
242
+
243
+ **Substantial modifications:** Require full reassessment; except predetermined learning modifications documented in original technical file and declared in conformity declaration.
244
+
245
+ ### Art. 47 — EU Declaration of Conformity
246
+ - Drawn up by provider (or authorised representative); provider assumes full responsibility
247
+ - Must confirm compliance with all applicable AI Act requirements (Section 2)
248
+ - Must identify: system name, provider, version, intended purpose, conformity assessment procedure followed, standards applied
249
+ - Machine-readable format; translation required into languages required by national authorities
250
+ - Maintained for **10 years** from market placement
251
+
252
+ ### Art. 48 — CE Marking
253
+ - Visible, legible, indelible affixation on system, packaging, or documentation
254
+ - Only affixed after successful conformity assessment and drawing up of EU Declaration of Conformity
255
+ - Subject to general principles of CE marking (Regulation 765/2008)
256
+ - Affixed before market placement; re-affixed if system substantially modified
257
+
258
+ ### Arts. 49 and 60 — EU AI Database Registration
259
+
260
+ **Provider registration (Art. 49):**
261
+ - Before market placement (Annex III systems — Art. 6(2))
262
+ - Information includes: provider/representative identity; system description, intended purpose, accuracy; conformity assessment procedure; CE marking notified body (if applicable)
263
+ - Provider registration covers all deployers and users of that system
264
+
265
+ **Public authority deployer registration (Art. 60):**
266
+ - Before deployment of registered high-risk systems
267
+ - Additional system-specific information for public authority use
268
+
269
+ **Database operation:** Operational from 2 August 2026 (Commission responsibility, Art. 71).
270
+
271
+ **Publicly accessible information vs. restricted:** Most information public; some law enforcement/immigration information accessible only to competent authorities.
272
+
273
+ ---
274
+
275
+ ## Art. 27 — Fundamental Rights Impact Assessment (FRIA)
276
+
277
+ **Who:** Public authorities and bodies deploying high-risk AI systems in Annex III Areas 1, 2, 4, 5(b–d), 6, 7, and 8.
278
+
279
+ **Content:**
280
+ - Description of the deployer's processes in which the system will be used
281
+ - Time period, frequency, and number of persons affected
282
+ - The specific categories of persons likely to be affected
283
+ - Specific risks of harm to categories of affected persons
284
+ - Human oversight measures (Art. 14) planned
285
+ - Measures to address fundamental rights risks
286
+
287
+ **Relationship to GDPR DPIA:** Where GDPR DPIA is also required, the FRIA may be conducted alongside or integrated into the DPIA.