bmad-plus 0.9.0 → 0.9.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (192) hide show
  1. package/CHANGELOG.md +36 -0
  2. package/LICENSE +21 -21
  3. package/README.md +106 -86
  4. package/osint-agent-package/README.md +88 -88
  5. package/osint-agent-package/SETUP_KEYS.md +108 -108
  6. package/osint-agent-package/agents/osint-investigator.md +80 -80
  7. package/osint-agent-package/install.ps1 +87 -87
  8. package/osint-agent-package/install.sh +76 -76
  9. package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
  10. package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
  11. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
  12. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
  13. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
  14. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
  15. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
  16. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
  17. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
  18. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
  19. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
  20. package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
  21. package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
  22. package/package.json +30 -3
  23. package/readme-international/README.de.md +8 -3
  24. package/readme-international/README.es.md +8 -3
  25. package/readme-international/README.fr.md +8 -3
  26. package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
  27. package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
  28. package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
  29. package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
  30. package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
  31. package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
  32. package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
  33. package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
  34. package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
  35. package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
  36. package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
  37. package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
  38. package/src/bmad-plus/data/role-triggers.yaml +209 -209
  39. package/src/bmad-plus/module-help.csv +10 -10
  40. package/src/bmad-plus/packs/pack-memory/README.md +106 -106
  41. package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
  42. package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
  43. package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
  44. package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
  45. package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
  46. package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
  47. package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
  48. package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
  49. package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
  50. package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
  51. package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
  52. package/src/bmad-plus/packs/pack-shield/README.md +110 -110
  53. package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
  54. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
  55. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
  56. package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
  57. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
  58. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
  59. package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
  60. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
  61. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
  62. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
  63. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
  64. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
  65. package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
  66. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
  67. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
  68. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
  69. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
  70. package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
  71. package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
  72. package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
  73. package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
  74. package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
  75. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
  76. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
  77. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
  78. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
  79. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
  80. package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
  81. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
  82. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
  83. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
  84. package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
  85. package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
  86. package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
  87. package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
  88. package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
  89. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
  90. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
  91. package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
  92. package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
  93. package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
  94. package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
  95. package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
  96. package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
  97. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
  98. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
  99. package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
  100. package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
  101. package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
  102. package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
  103. package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
  104. package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
  105. package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
  106. package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
  107. package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
  108. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
  109. package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
  110. package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
  111. package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
  112. package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
  113. package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
  114. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
  115. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
  116. package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
  117. package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
  118. package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
  119. package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
  120. package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
  121. package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
  122. package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
  123. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
  124. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
  125. package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
  126. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
  127. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
  128. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
  129. package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
  130. package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
  131. package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
  132. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
  133. package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
  134. package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
  135. package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
  136. package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
  137. package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
  138. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
  139. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
  140. package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
  141. package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
  142. package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
  143. package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
  144. package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
  145. package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
  146. package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
  147. package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
  148. package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
  149. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
  150. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
  151. package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
  152. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
  153. package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
  154. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
  155. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
  156. package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
  157. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
  158. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
  159. package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
  160. package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
  161. package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
  162. package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
  163. package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
  164. package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
  165. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
  166. package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
  167. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
  168. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
  169. package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
  170. package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
  171. package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
  172. package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
  173. package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
  174. package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
  175. package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
  176. package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
  177. package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
  178. package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
  179. package/tools/cli/bmad-plus-cli.js +5 -3
  180. package/tools/cli/commands/autoconfig.js +23 -59
  181. package/tools/cli/commands/doctor.js +14 -0
  182. package/tools/cli/commands/install.js +29 -128
  183. package/tools/cli/commands/memory.js +1 -0
  184. package/tools/cli/commands/scan.js +44 -42
  185. package/tools/cli/commands/uninstall.js +10 -5
  186. package/tools/cli/commands/update.js +21 -3
  187. package/tools/cli/lib/ide-config.js +259 -0
  188. package/tools/cli/lib/memory-init.js +0 -1
  189. package/tools/cli/lib/pack-copy.js +84 -84
  190. package/tools/cli/lib/packs.js +16 -8
  191. package/tools/cli/lib/stack-detect.js +102 -0
  192. package/tools/cli/lib/validate.js +50 -0
@@ -1,182 +1,182 @@
1
- # EU AI Act — Risk Classification Reference
2
-
3
- ## Art. 3 — Key Definitions
4
-
5
- | Term | Definition |
6
- |------|-----------|
7
- | **AI System** (Art. 3(1)) | A machine-based system designed to operate with varying levels of autonomy that, for a given set of objectives, infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content affecting real or virtual environments |
8
- | **GPAI Model** (Art. 3(63)) | An AI model trained with large amounts of data using self-supervision at scale that displays significant generality and competently performs a wide range of distinct tasks, regardless of placement method — excludes pre-release R&D models |
9
- | **GPAI System** (Art. 3(64)) | An AI system based on a GPAI model capable of serving multiple purposes, directly or when integrated into other AI systems |
10
- | **Provider** (Art. 3(3)) | Natural or legal person that develops an AI system or GPAI model and places it on the market or puts it into service under own name/trademark |
11
- | **Deployer** (Art. 3(4)) | Natural or legal person using an AI system under own authority, except for personal non-professional activity |
12
- | **Operator** (Art. 3(8)) | Encompasses provider, product manufacturer, deployer, authorised representative, importer, or distributor |
13
- | **Authorised Representative** (Art. 3(5)) | Person established in EU with written mandate from non-EU provider to act on their behalf |
14
- | **Importer** (Art. 3(6)) | EU-established person placing on market an AI system bearing third-country person's name/trademark |
15
- | **Distributor** (Art. 3(7)) | Supply chain person (other than provider/importer) making AI system available on EU market |
16
- | **Profiling** (Art. 3(52)) | Automated processing of personal data to evaluate natural persons — work performance, economic situation, health, preferences, reliability, behaviour, location |
17
-
18
- ---
19
-
20
- ## Risk Tier Overview
21
-
22
- | Tier | Regulation Path | Key Obligation | Applies From |
23
- |------|----------------|----------------|--------------|
24
- | **Prohibited** | Art. 5 | Complete ban | 2 Feb 2025 |
25
- | **High Risk** | Art. 6 + Annex I/III | Full conformity regime | 2 Aug 2026 (Annex III) / 2027 (Annex I) |
26
- | **Limited Risk** | Art. 50 | Transparency disclosure only | 2 Aug 2026 |
27
- | **Minimal / No Risk** | — | Voluntary codes of conduct | — |
28
-
29
- ---
30
-
31
- ## Art. 5 — Prohibited AI Practices (All 8, applies from 2 February 2025)
32
-
33
- ### 5(1)(a) — Subliminal / Manipulative Techniques
34
- AI systems using subliminal techniques beyond a person's consciousness, or purposefully manipulative/deceptive techniques, that materially distort behavior and impair informed decision-making, causing or likely to cause significant harm to those persons or third parties.
35
-
36
- ### 5(1)(b) — Exploitation of Vulnerabilities
37
- AI systems exploiting vulnerabilities of persons or groups based on age, disability, or socioeconomic circumstances, distorting behavior in a manner that causes or is likely to cause significant harm.
38
-
39
- ### 5(1)(c) — Social Scoring
40
- AI systems that evaluate or classify natural persons or groups based on social behavior over a period of time or inferred personal characteristics, leading to:
41
- - Detrimental or unfavorable treatment of persons or groups in unrelated social contexts; OR
42
- - Treatment that is disproportionate or unjustified relative to the social context in which the behavior occurred
43
-
44
- ### 5(1)(d) — Predictive Criminal Risk Assessment
45
- AI systems assessing the risk of natural persons committing criminal offenses based solely on profiling or personality/character traits assessment. **Exception:** systems supporting human assessment based on objective, verifiable facts directly linked to criminal activity.
46
-
47
- ### 5(1)(e) — Untargeted Facial Recognition Database Creation
48
- Creating or expanding facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
49
-
50
- ### 5(1)(f) — Emotion Inference in Workplace or Educational Institutions
51
- AI systems that infer emotions of natural persons in the workplace or educational institutions. **Exception:** for medical or safety purposes.
52
-
53
- ### 5(1)(g) — Biometric-Based Categorization for Sensitive Attributes
54
- AI systems categorizing natural persons individually based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. **Exception:** labeling/filtering of lawfully acquired biometric datasets in law enforcement.
55
-
56
- ### 5(1)(h) — Real-Time Remote Biometric Identification (RBI) in Public Spaces by Law Enforcement
57
- Real-time RBI systems in publicly accessible spaces for law enforcement purposes. **Narrow exceptions:**
58
- - (i) Targeted search for specific missing persons or trafficking victims
59
- - (ii) Preventing specific, substantial, imminent threat to life or terrorist attack
60
- - (iii) Identifying suspects of serious criminal offenses carrying ≥4-year sentences listed in Annex II
61
-
62
- **Procedural requirements for exceptions:** Prior judicial or independent administrative body authorization (post-hoc authorization within 24 hours for urgency); fundamental rights impact assessment; registration in EU AI database; report to market surveillance authority after each use. **Prohibited:** use to identify protected attributes.
63
-
64
- ---
65
-
66
- ## Art. 6 — High-Risk Classification Rules
67
-
68
- ### Path A — Art. 6(1): Safety Component of Sectoral Product
69
- System is high-risk when BOTH conditions are met:
70
- 1. It is a **safety component of a product** covered by Annex I harmonisation legislation (or is itself such a product); **AND**
71
- 2. That product **requires third-party conformity assessment** under the relevant Annex I legislation
72
-
73
- ### Path B — Art. 6(2): Annex III Listed Use Case
74
- System is high-risk when **listed in Annex III**, unless the following non-high-risk exceptions all apply:
75
- - Performs a narrow procedural task
76
- - Improves result of a previously completed human activity
77
- - Detects decision-making patterns/deviations without replacing/influencing human assessment
78
- - Performs preparatory tasks for assessment relevant to Annex III use cases
79
-
80
- **Critical override (Art. 6(3)):** Any Annex III system that **profiles natural persons** is ALWAYS high-risk regardless of the above exceptions.
81
-
82
- **Documentation obligation (Art. 6(3)):** Providers claiming non-high-risk status must document their assessment before market placement and make it available to national authorities on request.
83
-
84
- ---
85
-
86
- ## Annex I — Sectoral Harmonisation Laws (Safety Component Path)
87
-
88
- ### Section A — New Legislative Framework Products
89
- 1. Machinery — Directive 2006/42/EC
90
- 2. Toys — Directive 2009/48/EC
91
- 3. Recreational watercraft — Directive 2013/53/EU
92
- 4. Lifts — Directive 2014/33/EU
93
- 5. ATEX equipment — Directive 2014/34/EU
94
- 6. Radio equipment — Directive 2014/53/EU
95
- 7. Pressure equipment — Directive 2014/68/EU
96
- 8. Cableway installations — Regulation 2016/424
97
- 9. Personal protective equipment — Regulation 2016/425
98
- 10. Gaseous fuel appliances — Regulation 2016/426
99
- 11. Medical devices — Regulation 2017/745
100
- 12. In vitro diagnostic medical devices — Regulation 2017/746
101
-
102
- ### Section B — Other Harmonisation Legislation
103
- 13. Civil aviation security — Regulation 300/2008
104
- 14. Two/three-wheel vehicles — Regulation 168/2013
105
- 15. Agricultural/forestry vehicles — Regulation 167/2013
106
- 16. Marine equipment — Directive 2014/90/EU
107
- 17. Rail interoperability — Directive 2016/797
108
- 18. Motor vehicles and trailers — Regulation 2018/858
109
- 19. Motor vehicle safety standards — Regulation 2019/2144
110
- 20. Civil aviation and drones — Regulation 2018/1139
111
-
112
- ---
113
-
114
- ## Annex III — High-Risk AI Use Case Areas (8 Areas)
115
-
116
- ### Area 1 — Biometrics
117
- - (a) Remote biometric identification systems (excluding personal identity verification)
118
- - (b) Biometric categorization systems inferring sensitive/protected attributes
119
- - (c) Emotion recognition systems
120
-
121
- **Notes:** (b) and (c) are prohibited under Art. 5(1)(g) and 5(1)(f) respectively in many contexts. Area 1(a) biometric categorization/emotion recognition systems that fall under Art. 5 prohibitions cannot qualify as merely high-risk — the prohibition takes precedence.
122
-
123
- ### Area 2 — Critical Infrastructure
124
- AI safety components managing or used in safety-critical management of: road traffic, water supply, gas supply, heating supply, electricity supply, and critical digital infrastructure.
125
-
126
- ### Area 3 — Education and Vocational Training
127
- - (a) Determining access/admission to or assignment to educational institutions at any level
128
- - (b) Evaluating learning outcomes that materially influence the learning process
129
- - (c) Assessing appropriate level of education and materially influencing the level of education received
130
- - (d) Monitoring and detecting prohibited student behavior in tests/examinations
131
-
132
- ### Area 4 — Employment, Workers Management, and Self-Employment
133
- - (a) Recruitment and selection: targeted job advertising, application filtering/screening, candidate evaluation and selection
134
- - (b) Making decisions affecting terms of employment/work relationships: promotion, termination, task allocation, monitoring/evaluating performance/behavior of employed persons
135
-
136
- ### Area 5 — Access to and Enjoyment of Essential Private and Public Services
137
- - (a) Public authorities evaluating individual eligibility for public assistance benefits and services (including healthcare)
138
- - (b) Creditworthiness assessment and credit scoring (excluding fraud detection)
139
- - (c) Life insurance and health insurance risk assessment and pricing for natural persons
140
- - (d) Emergency dispatch and emergency call classification and prioritization
141
-
142
- ### Area 6 — Law Enforcement
143
- - (a) Individual risk assessment for becoming victim of criminal offenses
144
- - (b) Polygraphs and similar tools to assess reliability of persons
145
- - (c) Evaluating reliability of evidence in criminal investigations/prosecution
146
- - (d) Assessing risk of offending/reoffending, including recidivism assessment
147
- - (e) Profiling natural persons in course of criminal detection, investigation, or prosecution
148
-
149
- ### Area 7 — Migration, Asylum, and Border Control Management
150
- - (a) Polygraph-like tools and similar for competent authorities in migration/asylum/border control
151
- - (b) Assessing risk (including security/irregular migration risk) of persons intending to enter or having entered EU territory
152
- - (c) Assisting competent authorities in examining applications for asylum, visa, and residence permits
153
- - (d) Detecting, recognizing, or identifying natural persons (excluding verification of travel documents)
154
-
155
- ### Area 8 — Administration of Justice and Democratic Processes
156
- - (a) AI assisting judicial authorities in researching, interpreting, and applying the law
157
- - (b) AI intended to influence the outcome of elections or referenda, or the voting behavior of natural persons
158
-
159
- ---
160
-
161
- ## Art. 50 — Limited Risk Transparency Obligations (applies from 2 August 2026)
162
-
163
- ### Chatbots and AI Interaction Systems (Art. 50(1))
164
- Providers must ensure users are informed they are interacting with an AI system, unless:
165
- - Obvious to a reasonably well-informed user given context and circumstances
166
- - System is authorized by law for detection of criminal offenses
167
-
168
- ### Synthetic Media — Deepfakes (Art. 50(2) and (4))
169
- - Deployers of systems generating synthetic image/video/audio/text resembling real persons/places/events must disclose in machine-readable format that content is artificially generated or manipulated
170
- - Deployer disclosure exceptions: authorized by law for criminal offense detection; artistic, satirical, or fictional works with appropriate disclosure that doesn't impair enjoyment
171
- - All AI-generated text published to inform public on matters of public interest must be disclosed as AI-generated, unless: authorized for criminal investigation; content underwent human editorial review and editorial accountability exists
172
-
173
- ### Emotion Recognition and Biometric Categorization (Art. 50(3))
174
- Deployers must inform natural persons exposed to these systems of:
175
- - The operation of the system
176
- - Must comply with GDPR and data protection law
177
- - Exception: authorized for law enforcement
178
-
179
- ### Format Requirements
180
- - Disclosures must be made at the latest at first interaction/exposure
181
- - Clear and distinguishable manner
182
- - Must meet accessibility standards (Directive 2019/882)
1
+ # EU AI Act — Risk Classification Reference
2
+
3
+ ## Art. 3 — Key Definitions
4
+
5
+ | Term | Definition |
6
+ |------|-----------|
7
+ | **AI System** (Art. 3(1)) | A machine-based system designed to operate with varying levels of autonomy that, for a given set of objectives, infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content affecting real or virtual environments |
8
+ | **GPAI Model** (Art. 3(63)) | An AI model trained with large amounts of data using self-supervision at scale that displays significant generality and competently performs a wide range of distinct tasks, regardless of placement method — excludes pre-release R&D models |
9
+ | **GPAI System** (Art. 3(64)) | An AI system based on a GPAI model capable of serving multiple purposes, directly or when integrated into other AI systems |
10
+ | **Provider** (Art. 3(3)) | Natural or legal person that develops an AI system or GPAI model and places it on the market or puts it into service under own name/trademark |
11
+ | **Deployer** (Art. 3(4)) | Natural or legal person using an AI system under own authority, except for personal non-professional activity |
12
+ | **Operator** (Art. 3(8)) | Encompasses provider, product manufacturer, deployer, authorised representative, importer, or distributor |
13
+ | **Authorised Representative** (Art. 3(5)) | Person established in EU with written mandate from non-EU provider to act on their behalf |
14
+ | **Importer** (Art. 3(6)) | EU-established person placing on market an AI system bearing third-country person's name/trademark |
15
+ | **Distributor** (Art. 3(7)) | Supply chain person (other than provider/importer) making AI system available on EU market |
16
+ | **Profiling** (Art. 3(52)) | Automated processing of personal data to evaluate natural persons — work performance, economic situation, health, preferences, reliability, behaviour, location |
17
+
18
+ ---
19
+
20
+ ## Risk Tier Overview
21
+
22
+ | Tier | Regulation Path | Key Obligation | Applies From |
23
+ |------|----------------|----------------|--------------|
24
+ | **Prohibited** | Art. 5 | Complete ban | 2 Feb 2025 |
25
+ | **High Risk** | Art. 6 + Annex I/III | Full conformity regime | 2 Aug 2026 (Annex III) / 2027 (Annex I) |
26
+ | **Limited Risk** | Art. 50 | Transparency disclosure only | 2 Aug 2026 |
27
+ | **Minimal / No Risk** | — | Voluntary codes of conduct | — |
28
+
29
+ ---
30
+
31
+ ## Art. 5 — Prohibited AI Practices (All 8, applies from 2 February 2025)
32
+
33
+ ### 5(1)(a) — Subliminal / Manipulative Techniques
34
+ AI systems using subliminal techniques beyond a person's consciousness, or purposefully manipulative/deceptive techniques, that materially distort behavior and impair informed decision-making, causing or likely to cause significant harm to those persons or third parties.
35
+
36
+ ### 5(1)(b) — Exploitation of Vulnerabilities
37
+ AI systems exploiting vulnerabilities of persons or groups based on age, disability, or socioeconomic circumstances, distorting behavior in a manner that causes or is likely to cause significant harm.
38
+
39
+ ### 5(1)(c) — Social Scoring
40
+ AI systems that evaluate or classify natural persons or groups based on social behavior over a period of time or inferred personal characteristics, leading to:
41
+ - Detrimental or unfavorable treatment of persons or groups in unrelated social contexts; OR
42
+ - Treatment that is disproportionate or unjustified relative to the social context in which the behavior occurred
43
+
44
+ ### 5(1)(d) — Predictive Criminal Risk Assessment
45
+ AI systems assessing the risk of natural persons committing criminal offenses based solely on profiling or personality/character traits assessment. **Exception:** systems supporting human assessment based on objective, verifiable facts directly linked to criminal activity.
46
+
47
+ ### 5(1)(e) — Untargeted Facial Recognition Database Creation
48
+ Creating or expanding facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
49
+
50
+ ### 5(1)(f) — Emotion Inference in Workplace or Educational Institutions
51
+ AI systems that infer emotions of natural persons in the workplace or educational institutions. **Exception:** for medical or safety purposes.
52
+
53
+ ### 5(1)(g) — Biometric-Based Categorization for Sensitive Attributes
54
+ AI systems categorizing natural persons individually based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. **Exception:** labeling/filtering of lawfully acquired biometric datasets in law enforcement.
55
+
56
+ ### 5(1)(h) — Real-Time Remote Biometric Identification (RBI) in Public Spaces by Law Enforcement
57
+ Real-time RBI systems in publicly accessible spaces for law enforcement purposes. **Narrow exceptions:**
58
+ - (i) Targeted search for specific missing persons or trafficking victims
59
+ - (ii) Preventing specific, substantial, imminent threat to life or terrorist attack
60
+ - (iii) Identifying suspects of serious criminal offenses carrying ≥4-year sentences listed in Annex II
61
+
62
+ **Procedural requirements for exceptions:** Prior judicial or independent administrative body authorization (post-hoc authorization within 24 hours for urgency); fundamental rights impact assessment; registration in EU AI database; report to market surveillance authority after each use. **Prohibited:** use to identify protected attributes.
63
+
64
+ ---
65
+
66
+ ## Art. 6 — High-Risk Classification Rules
67
+
68
+ ### Path A — Art. 6(1): Safety Component of Sectoral Product
69
+ System is high-risk when BOTH conditions are met:
70
+ 1. It is a **safety component of a product** covered by Annex I harmonisation legislation (or is itself such a product); **AND**
71
+ 2. That product **requires third-party conformity assessment** under the relevant Annex I legislation
72
+
73
+ ### Path B — Art. 6(2): Annex III Listed Use Case
74
+ System is high-risk when **listed in Annex III**, unless the following non-high-risk exceptions all apply:
75
+ - Performs a narrow procedural task
76
+ - Improves result of a previously completed human activity
77
+ - Detects decision-making patterns/deviations without replacing/influencing human assessment
78
+ - Performs preparatory tasks for assessment relevant to Annex III use cases
79
+
80
+ **Critical override (Art. 6(3)):** Any Annex III system that **profiles natural persons** is ALWAYS high-risk regardless of the above exceptions.
81
+
82
+ **Documentation obligation (Art. 6(3)):** Providers claiming non-high-risk status must document their assessment before market placement and make it available to national authorities on request.
83
+
84
+ ---
85
+
86
+ ## Annex I — Sectoral Harmonisation Laws (Safety Component Path)
87
+
88
+ ### Section A — New Legislative Framework Products
89
+ 1. Machinery — Directive 2006/42/EC
90
+ 2. Toys — Directive 2009/48/EC
91
+ 3. Recreational watercraft — Directive 2013/53/EU
92
+ 4. Lifts — Directive 2014/33/EU
93
+ 5. ATEX equipment — Directive 2014/34/EU
94
+ 6. Radio equipment — Directive 2014/53/EU
95
+ 7. Pressure equipment — Directive 2014/68/EU
96
+ 8. Cableway installations — Regulation 2016/424
97
+ 9. Personal protective equipment — Regulation 2016/425
98
+ 10. Gaseous fuel appliances — Regulation 2016/426
99
+ 11. Medical devices — Regulation 2017/745
100
+ 12. In vitro diagnostic medical devices — Regulation 2017/746
101
+
102
+ ### Section B — Other Harmonisation Legislation
103
+ 13. Civil aviation security — Regulation 300/2008
104
+ 14. Two/three-wheel vehicles — Regulation 168/2013
105
+ 15. Agricultural/forestry vehicles — Regulation 167/2013
106
+ 16. Marine equipment — Directive 2014/90/EU
107
+ 17. Rail interoperability — Directive 2016/797
108
+ 18. Motor vehicles and trailers — Regulation 2018/858
109
+ 19. Motor vehicle safety standards — Regulation 2019/2144
110
+ 20. Civil aviation and drones — Regulation 2018/1139
111
+
112
+ ---
113
+
114
+ ## Annex III — High-Risk AI Use Case Areas (8 Areas)
115
+
116
+ ### Area 1 — Biometrics
117
+ - (a) Remote biometric identification systems (excluding personal identity verification)
118
+ - (b) Biometric categorization systems inferring sensitive/protected attributes
119
+ - (c) Emotion recognition systems
120
+
121
+ **Notes:** (b) and (c) are prohibited under Art. 5(1)(g) and 5(1)(f) respectively in many contexts. Area 1(a) biometric categorization/emotion recognition systems that fall under Art. 5 prohibitions cannot qualify as merely high-risk — the prohibition takes precedence.
122
+
123
+ ### Area 2 — Critical Infrastructure
124
+ AI safety components managing or used in safety-critical management of: road traffic, water supply, gas supply, heating supply, electricity supply, and critical digital infrastructure.
125
+
126
+ ### Area 3 — Education and Vocational Training
127
+ - (a) Determining access/admission to or assignment to educational institutions at any level
128
+ - (b) Evaluating learning outcomes that materially influence the learning process
129
+ - (c) Assessing appropriate level of education and materially influencing the level of education received
130
+ - (d) Monitoring and detecting prohibited student behavior in tests/examinations
131
+
132
+ ### Area 4 — Employment, Workers Management, and Self-Employment
133
+ - (a) Recruitment and selection: targeted job advertising, application filtering/screening, candidate evaluation and selection
134
+ - (b) Making decisions affecting terms of employment/work relationships: promotion, termination, task allocation, monitoring/evaluating performance/behavior of employed persons
135
+
136
+ ### Area 5 — Access to and Enjoyment of Essential Private and Public Services
137
+ - (a) Public authorities evaluating individual eligibility for public assistance benefits and services (including healthcare)
138
+ - (b) Creditworthiness assessment and credit scoring (excluding fraud detection)
139
+ - (c) Life insurance and health insurance risk assessment and pricing for natural persons
140
+ - (d) Emergency dispatch and emergency call classification and prioritization
141
+
142
+ ### Area 6 — Law Enforcement
143
+ - (a) Individual risk assessment for becoming victim of criminal offenses
144
+ - (b) Polygraphs and similar tools to assess reliability of persons
145
+ - (c) Evaluating reliability of evidence in criminal investigations/prosecution
146
+ - (d) Assessing risk of offending/reoffending, including recidivism assessment
147
+ - (e) Profiling natural persons in course of criminal detection, investigation, or prosecution
148
+
149
+ ### Area 7 — Migration, Asylum, and Border Control Management
150
+ - (a) Polygraph-like tools and similar for competent authorities in migration/asylum/border control
151
+ - (b) Assessing risk (including security/irregular migration risk) of persons intending to enter or having entered EU territory
152
+ - (c) Assisting competent authorities in examining applications for asylum, visa, and residence permits
153
+ - (d) Detecting, recognizing, or identifying natural persons (excluding verification of travel documents)
154
+
155
+ ### Area 8 — Administration of Justice and Democratic Processes
156
+ - (a) AI assisting judicial authorities in researching, interpreting, and applying the law
157
+ - (b) AI intended to influence the outcome of elections or referenda, or the voting behavior of natural persons
158
+
159
+ ---
160
+
161
+ ## Art. 50 — Limited Risk Transparency Obligations (applies from 2 August 2026)
162
+
163
+ ### Chatbots and AI Interaction Systems (Art. 50(1))
164
+ Providers must ensure users are informed they are interacting with an AI system, unless:
165
+ - Obvious to a reasonably well-informed user given context and circumstances
166
+ - System is authorized by law for detection of criminal offenses
167
+
168
+ ### Synthetic Media — Deepfakes (Art. 50(2) and (4))
169
+ - Deployers of systems generating synthetic image/video/audio/text resembling real persons/places/events must disclose in machine-readable format that content is artificially generated or manipulated
170
+ - Deployer disclosure exceptions: authorized by law for criminal offense detection; artistic, satirical, or fictional works with appropriate disclosure that doesn't impair enjoyment
171
+ - All AI-generated text published to inform public on matters of public interest must be disclosed as AI-generated, unless: authorized for criminal investigation; content underwent human editorial review and editorial accountability exists
172
+
173
+ ### Emotion Recognition and Biometric Categorization (Art. 50(3))
174
+ Deployers must inform natural persons exposed to these systems of:
175
+ - The operation of the system
176
+ - Must comply with GDPR and data protection law
177
+ - Exception: authorized for law enforcement
178
+
179
+ ### Format Requirements
180
+ - Disclosures must be made at the latest at first interaction/exposure
181
+ - Clear and distinguishable manner
182
+ - Must meet accessibility standards (Directive 2019/882)