bmad-plus 0.9.0 → 0.9.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +36 -0
- package/LICENSE +21 -21
- package/README.md +106 -86
- package/osint-agent-package/README.md +88 -88
- package/osint-agent-package/SETUP_KEYS.md +108 -108
- package/osint-agent-package/agents/osint-investigator.md +80 -80
- package/osint-agent-package/install.ps1 +87 -87
- package/osint-agent-package/install.sh +76 -76
- package/osint-agent-package/skills/bmad-osint-investigate/SKILL.md +147 -147
- package/osint-agent-package/skills/bmad-osint-investigate/osint/references/enrichment-databases-fr.md +148 -148
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/_http.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/apify.py +266 -266
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/brightdata.py +101 -101
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/diagnose.py +141 -141
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/exa.py +79 -79
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/jina.py +71 -71
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/parallel.py +85 -85
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/perplexity.py +102 -102
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/tavily.py +72 -72
- package/osint-agent-package/skills/bmad-osint-investigate/osint/scripts/volley.py +208 -208
- package/osint-agent-package/skills/bmad-osint-investigator/SKILL.md +15 -15
- package/package.json +30 -3
- package/readme-international/README.de.md +8 -3
- package/readme-international/README.es.md +8 -3
- package/readme-international/README.fr.md +8 -3
- package/src/bmad-plus/agents/agent-architect-dev/SKILL.md +96 -96
- package/src/bmad-plus/agents/agent-architect-dev/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-maker/SKILL.md +201 -201
- package/src/bmad-plus/agents/agent-maker/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-orchestrator/SKILL.md +137 -137
- package/src/bmad-plus/agents/agent-orchestrator/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-quality/SKILL.md +83 -83
- package/src/bmad-plus/agents/agent-quality/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-shadow/SKILL.md +71 -71
- package/src/bmad-plus/agents/agent-shadow/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/agents/agent-strategist/SKILL.md +80 -80
- package/src/bmad-plus/agents/agent-strategist/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/data/role-triggers.yaml +209 -209
- package/src/bmad-plus/module-help.csv +10 -10
- package/src/bmad-plus/packs/pack-memory/README.md +106 -106
- package/src/bmad-plus/packs/pack-memory/memory-orchestrator.md +79 -79
- package/src/bmad-plus/packs/pack-memory/shared/karpathy-guardrails.md +86 -86
- package/src/bmad-plus/packs/pack-memory/shared/memory-protocol.md +143 -143
- package/src/bmad-plus/packs/pack-memory/templates/context.md +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/decisions.md +25 -25
- package/src/bmad-plus/packs/pack-memory/templates/identity.yaml +39 -39
- package/src/bmad-plus/packs/pack-memory/templates/lessons.md +31 -31
- package/src/bmad-plus/packs/pack-memory/templates/patterns.md +24 -24
- package/src/bmad-plus/packs/pack-memory/templates/session-handoff.md +25 -25
- package/src/bmad-plus/packs/pack-memory/zecher-agent.md +157 -157
- package/src/bmad-plus/packs/pack-seo/bmad-skill-manifest.yaml +13 -13
- package/src/bmad-plus/packs/pack-shield/README.md +110 -110
- package/src/bmad-plus/packs/pack-shield/SKILL.md +82 -82
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/csrd-agent.md +251 -251
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/section508-agent.md +168 -168
- package/src/bmad-plus/packs/pack-shield/categories/accessibility-esg/wcag-agent.md +190 -190
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/eu-ai-act-agent.md +86 -86
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/iso42001-agent.md +240 -240
- package/src/bmad-plus/packs/pack-shield/categories/ai-governance/nist-ai-rmf-agent.md +122 -122
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/cis-controls-agent.md +210 -210
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/ism-agent.md +139 -139
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/iso27001-agent.md +156 -156
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nis2-agent.md +72 -72
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-800-53-agent.md +239 -239
- package/src/bmad-plus/packs/pack-shield/categories/cybersecurity/nist-csf-agent.md +207 -207
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/ccpa-agent.md +94 -94
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/dpdpa-agent.md +136 -136
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/gdpr-agent.md +296 -296
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/iso27701-agent.md +134 -134
- package/src/bmad-plus/packs/pack-shield/categories/data-privacy/lgpd-agent.md +129 -129
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/cmmc-agent.md +116 -116
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/ear-agent.md +261 -261
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/itar-agent.md +191 -191
- package/src/bmad-plus/packs/pack-shield/categories/defense-export/tsa-agent.md +356 -356
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/dora-agent.md +499 -499
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/fedramp-agent.md +236 -236
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/hipaa-agent.md +162 -162
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/pci-dss-agent.md +228 -228
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/soc2-agent.md +255 -255
- package/src/bmad-plus/packs/pack-shield/categories/industry-compliance/swift-csp-agent.md +153 -153
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-classifier.md +131 -131
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-fria.md +155 -155
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-incidents.md +187 -187
- package/src/bmad-plus/packs/pack-shield/categories/workflows/ai-act-roles.md +113 -113
- package/src/bmad-plus/packs/pack-shield/categories/workflows/breach-sentinel.md +197 -197
- package/src/bmad-plus/packs/pack-shield/categories/workflows/cookie-policy-gen.md +180 -180
- package/src/bmad-plus/packs/pack-shield/categories/workflows/dpia-sentinel.md +235 -235
- package/src/bmad-plus/packs/pack-shield/categories/workflows/legitimate-interest.md +159 -159
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-advisor.md +133 -133
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-notice-gen.md +160 -160
- package/src/bmad-plus/packs/pack-shield/categories/workflows/privacy-policy-gen.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/ccpa/ccpa-gdpr-comparison.md +117 -117
- package/src/bmad-plus/packs/pack-shield/references/ccpa/consumer-rights-workflows.md +177 -177
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/framework-mappings.md +162 -162
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/implementation-guidance.md +235 -235
- package/src/bmad-plus/packs/pack-shield/references/cis-controls/safeguards-detail.md +252 -252
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-assessment.md +170 -170
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-levels.md +113 -113
- package/src/bmad-plus/packs/pack-shield/references/cmmc/cmmc-practices.md +211 -211
- package/src/bmad-plus/packs/pack-shield/references/csrd/compliance-program.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/csrd/double-materiality.md +253 -253
- package/src/bmad-plus/packs/pack-shield/references/csrd/esrs-standards.md +401 -401
- package/src/bmad-plus/packs/pack-shield/references/dora/article-reference.md +441 -441
- package/src/bmad-plus/packs/pack-shield/references/dora/incident-classification.md +297 -297
- package/src/bmad-plus/packs/pack-shield/references/dora/rts-its-guide.md +306 -306
- package/src/bmad-plus/packs/pack-shield/references/dora/third-party-risk.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/gdpr-comparison.md +173 -173
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rights-and-obligations.md +426 -426
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/rules-2025.md +599 -599
- package/src/bmad-plus/packs/pack-shield/references/dpdpa/sections-reference.md +319 -319
- package/src/bmad-plus/packs/pack-shield/references/ear/ccl-eccn-guide.md +250 -250
- package/src/bmad-plus/packs/pack-shield/references/ear/compliance-program.md +280 -280
- package/src/bmad-plus/packs/pack-shield/references/ear/license-exceptions.md +207 -207
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/gpai-governance.md +267 -267
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/obligations-high-risk.md +287 -287
- package/src/bmad-plus/packs/pack-shield/references/eu-ai-act/risk-classification.md +182 -182
- package/src/bmad-plus/packs/pack-shield/references/fedramp/appendices-guide.md +209 -209
- package/src/bmad-plus/packs/pack-shield/references/fedramp/control-families.md +281 -281
- package/src/bmad-plus/packs/pack-shield/references/fedramp/poam-guide.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/fedramp/readiness-checklist.md +134 -134
- package/src/bmad-plus/packs/pack-shield/references/fedramp/sap-sar-guide.md +86 -86
- package/src/bmad-plus/packs/pack-shield/references/fedramp/ssp-guide.md +129 -129
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/documents.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/dpa-template.md +121 -121
- package/src/bmad-plus/packs/pack-shield/references/gdpr-compliance/privacy-notice.md +87 -87
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/breach-notification.md +293 -293
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/privacy-rule.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/security-rule.md +299 -299
- package/src/bmad-plus/packs/pack-shield/references/hipaa-compliance/templates.md +568 -568
- package/src/bmad-plus/packs/pack-shield/references/ism/control-applicability.md +181 -181
- package/src/bmad-plus/packs/pack-shield/references/ism/guidelines-overview.md +183 -183
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2013.md +203 -203
- package/src/bmad-plus/packs/pack-shield/references/iso27001/annex-a-2022.md +132 -132
- package/src/bmad-plus/packs/pack-shield/references/iso27001/control-mapping.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/iso27701/annex-a-controls.md +195 -195
- package/src/bmad-plus/packs/pack-shield/references/iso27701/regulatory-mapping.md +229 -229
- package/src/bmad-plus/packs/pack-shield/references/iso27701/transition-guide.md +219 -219
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-ai-risk-assessment.md +258 -258
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-clauses-requirements.md +279 -279
- package/src/bmad-plus/packs/pack-shield/references/iso42001/iso42001-controls-annex-a.md +155 -155
- package/src/bmad-plus/packs/pack-shield/references/itar/compliance-program.md +174 -174
- package/src/bmad-plus/packs/pack-shield/references/itar/licensing-guide.md +146 -146
- package/src/bmad-plus/packs/pack-shield/references/itar/usml-categories.md +93 -93
- package/src/bmad-plus/packs/pack-shield/references/lgpd/anpd-enforcement.md +147 -147
- package/src/bmad-plus/packs/pack-shield/references/lgpd/compliance-program.md +272 -272
- package/src/bmad-plus/packs/pack-shield/references/lgpd/lgpd-articles.md +271 -271
- package/src/bmad-plus/packs/pack-shield/references/nis2/article-21-measures.md +153 -153
- package/src/bmad-plus/packs/pack-shield/references/nis2/iso27001-nis2-mapping.md +68 -68
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/assessment-rmf.md +349 -349
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/baselines-tailoring.md +277 -277
- package/src/bmad-plus/packs/pack-shield/references/nist-800-53/control-families.md +450 -450
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-core.md +361 -361
- package/src/bmad-plus/packs/pack-shield/references/nist-ai-rmf/rmf-profiles.md +192 -192
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-10-to-20-mapping.md +143 -143
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-20-functions-categories.md +278 -278
- package/src/bmad-plus/packs/pack-shield/references/nist-csf/csf-implementation-tiers.md +135 -135
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-requirements.md +366 -366
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-saq-guide.md +217 -217
- package/src/bmad-plus/packs/pack-shield/references/pci-compliance/pci-dss-v4-changes.md +190 -190
- package/src/bmad-plus/packs/pack-shield/references/section-508/wcag-mapping.md +160 -160
- package/src/bmad-plus/packs/pack-shield/references/soc2/controls.md +241 -241
- package/src/bmad-plus/packs/pack-shield/references/soc2/evidence.md +236 -236
- package/src/bmad-plus/packs/pack-shield/references/soc2/policies.md +254 -254
- package/src/bmad-plus/packs/pack-shield/references/soc2/vendor.md +276 -276
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-assessment.md +202 -202
- package/src/bmad-plus/packs/pack-shield/references/swift-csp/swift-controls.md +545 -545
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-crmp-requirements.md +359 -359
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-directives-overview.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/tsa-compliance/tsa-incident-reporting.md +187 -187
- package/src/bmad-plus/packs/pack-shield/references/wcag/criteria-detail.md +510 -510
- package/src/bmad-plus/packs/pack-shield/shared/audit-report-template.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/cross-framework-mapper.md +103 -103
- package/src/bmad-plus/packs/pack-shield/shared/gap-analysis-template.md +83 -83
- package/src/bmad-plus/packs/pack-shield/shield-orchestrator.md +229 -229
- package/src/bmad-plus/packs/pack-shield/upstream-sync.yaml +68 -68
- package/src/bmad-plus/skills/bmad-plus-autopilot/SKILL.md +99 -99
- package/src/bmad-plus/skills/bmad-plus-parallel/SKILL.md +93 -93
- package/src/bmad-plus/skills/bmad-plus-sync/SKILL.md +69 -69
- package/tools/cli/bmad-plus-cli.js +5 -3
- package/tools/cli/commands/autoconfig.js +23 -59
- package/tools/cli/commands/doctor.js +14 -0
- package/tools/cli/commands/install.js +29 -128
- package/tools/cli/commands/memory.js +1 -0
- package/tools/cli/commands/scan.js +44 -42
- package/tools/cli/commands/uninstall.js +10 -5
- package/tools/cli/commands/update.js +21 -3
- package/tools/cli/lib/ide-config.js +259 -0
- package/tools/cli/lib/memory-init.js +0 -1
- package/tools/cli/lib/pack-copy.js +84 -84
- package/tools/cli/lib/packs.js +16 -8
- package/tools/cli/lib/stack-detect.js +102 -0
- package/tools/cli/lib/validate.js +50 -0
|
@@ -1,182 +1,182 @@
|
|
|
1
|
-
# EU AI Act — Risk Classification Reference
|
|
2
|
-
|
|
3
|
-
## Art. 3 — Key Definitions
|
|
4
|
-
|
|
5
|
-
| Term | Definition |
|
|
6
|
-
|------|-----------|
|
|
7
|
-
| **AI System** (Art. 3(1)) | A machine-based system designed to operate with varying levels of autonomy that, for a given set of objectives, infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content affecting real or virtual environments |
|
|
8
|
-
| **GPAI Model** (Art. 3(63)) | An AI model trained with large amounts of data using self-supervision at scale that displays significant generality and competently performs a wide range of distinct tasks, regardless of placement method — excludes pre-release R&D models |
|
|
9
|
-
| **GPAI System** (Art. 3(64)) | An AI system based on a GPAI model capable of serving multiple purposes, directly or when integrated into other AI systems |
|
|
10
|
-
| **Provider** (Art. 3(3)) | Natural or legal person that develops an AI system or GPAI model and places it on the market or puts it into service under own name/trademark |
|
|
11
|
-
| **Deployer** (Art. 3(4)) | Natural or legal person using an AI system under own authority, except for personal non-professional activity |
|
|
12
|
-
| **Operator** (Art. 3(8)) | Encompasses provider, product manufacturer, deployer, authorised representative, importer, or distributor |
|
|
13
|
-
| **Authorised Representative** (Art. 3(5)) | Person established in EU with written mandate from non-EU provider to act on their behalf |
|
|
14
|
-
| **Importer** (Art. 3(6)) | EU-established person placing on market an AI system bearing third-country person's name/trademark |
|
|
15
|
-
| **Distributor** (Art. 3(7)) | Supply chain person (other than provider/importer) making AI system available on EU market |
|
|
16
|
-
| **Profiling** (Art. 3(52)) | Automated processing of personal data to evaluate natural persons — work performance, economic situation, health, preferences, reliability, behaviour, location |
|
|
17
|
-
|
|
18
|
-
---
|
|
19
|
-
|
|
20
|
-
## Risk Tier Overview
|
|
21
|
-
|
|
22
|
-
| Tier | Regulation Path | Key Obligation | Applies From |
|
|
23
|
-
|------|----------------|----------------|--------------|
|
|
24
|
-
| **Prohibited** | Art. 5 | Complete ban | 2 Feb 2025 |
|
|
25
|
-
| **High Risk** | Art. 6 + Annex I/III | Full conformity regime | 2 Aug 2026 (Annex III) / 2027 (Annex I) |
|
|
26
|
-
| **Limited Risk** | Art. 50 | Transparency disclosure only | 2 Aug 2026 |
|
|
27
|
-
| **Minimal / No Risk** | — | Voluntary codes of conduct | — |
|
|
28
|
-
|
|
29
|
-
---
|
|
30
|
-
|
|
31
|
-
## Art. 5 — Prohibited AI Practices (All 8, applies from 2 February 2025)
|
|
32
|
-
|
|
33
|
-
### 5(1)(a) — Subliminal / Manipulative Techniques
|
|
34
|
-
AI systems using subliminal techniques beyond a person's consciousness, or purposefully manipulative/deceptive techniques, that materially distort behavior and impair informed decision-making, causing or likely to cause significant harm to those persons or third parties.
|
|
35
|
-
|
|
36
|
-
### 5(1)(b) — Exploitation of Vulnerabilities
|
|
37
|
-
AI systems exploiting vulnerabilities of persons or groups based on age, disability, or socioeconomic circumstances, distorting behavior in a manner that causes or is likely to cause significant harm.
|
|
38
|
-
|
|
39
|
-
### 5(1)(c) — Social Scoring
|
|
40
|
-
AI systems that evaluate or classify natural persons or groups based on social behavior over a period of time or inferred personal characteristics, leading to:
|
|
41
|
-
- Detrimental or unfavorable treatment of persons or groups in unrelated social contexts; OR
|
|
42
|
-
- Treatment that is disproportionate or unjustified relative to the social context in which the behavior occurred
|
|
43
|
-
|
|
44
|
-
### 5(1)(d) — Predictive Criminal Risk Assessment
|
|
45
|
-
AI systems assessing the risk of natural persons committing criminal offenses based solely on profiling or personality/character traits assessment. **Exception:** systems supporting human assessment based on objective, verifiable facts directly linked to criminal activity.
|
|
46
|
-
|
|
47
|
-
### 5(1)(e) — Untargeted Facial Recognition Database Creation
|
|
48
|
-
Creating or expanding facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
|
|
49
|
-
|
|
50
|
-
### 5(1)(f) — Emotion Inference in Workplace or Educational Institutions
|
|
51
|
-
AI systems that infer emotions of natural persons in the workplace or educational institutions. **Exception:** for medical or safety purposes.
|
|
52
|
-
|
|
53
|
-
### 5(1)(g) — Biometric-Based Categorization for Sensitive Attributes
|
|
54
|
-
AI systems categorizing natural persons individually based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. **Exception:** labeling/filtering of lawfully acquired biometric datasets in law enforcement.
|
|
55
|
-
|
|
56
|
-
### 5(1)(h) — Real-Time Remote Biometric Identification (RBI) in Public Spaces by Law Enforcement
|
|
57
|
-
Real-time RBI systems in publicly accessible spaces for law enforcement purposes. **Narrow exceptions:**
|
|
58
|
-
- (i) Targeted search for specific missing persons or trafficking victims
|
|
59
|
-
- (ii) Preventing specific, substantial, imminent threat to life or terrorist attack
|
|
60
|
-
- (iii) Identifying suspects of serious criminal offenses carrying ≥4-year sentences listed in Annex II
|
|
61
|
-
|
|
62
|
-
**Procedural requirements for exceptions:** Prior judicial or independent administrative body authorization (post-hoc authorization within 24 hours for urgency); fundamental rights impact assessment; registration in EU AI database; report to market surveillance authority after each use. **Prohibited:** use to identify protected attributes.
|
|
63
|
-
|
|
64
|
-
---
|
|
65
|
-
|
|
66
|
-
## Art. 6 — High-Risk Classification Rules
|
|
67
|
-
|
|
68
|
-
### Path A — Art. 6(1): Safety Component of Sectoral Product
|
|
69
|
-
System is high-risk when BOTH conditions are met:
|
|
70
|
-
1. It is a **safety component of a product** covered by Annex I harmonisation legislation (or is itself such a product); **AND**
|
|
71
|
-
2. That product **requires third-party conformity assessment** under the relevant Annex I legislation
|
|
72
|
-
|
|
73
|
-
### Path B — Art. 6(2): Annex III Listed Use Case
|
|
74
|
-
System is high-risk when **listed in Annex III**, unless the following non-high-risk exceptions all apply:
|
|
75
|
-
- Performs a narrow procedural task
|
|
76
|
-
- Improves result of a previously completed human activity
|
|
77
|
-
- Detects decision-making patterns/deviations without replacing/influencing human assessment
|
|
78
|
-
- Performs preparatory tasks for assessment relevant to Annex III use cases
|
|
79
|
-
|
|
80
|
-
**Critical override (Art. 6(3)):** Any Annex III system that **profiles natural persons** is ALWAYS high-risk regardless of the above exceptions.
|
|
81
|
-
|
|
82
|
-
**Documentation obligation (Art. 6(3)):** Providers claiming non-high-risk status must document their assessment before market placement and make it available to national authorities on request.
|
|
83
|
-
|
|
84
|
-
---
|
|
85
|
-
|
|
86
|
-
## Annex I — Sectoral Harmonisation Laws (Safety Component Path)
|
|
87
|
-
|
|
88
|
-
### Section A — New Legislative Framework Products
|
|
89
|
-
1. Machinery — Directive 2006/42/EC
|
|
90
|
-
2. Toys — Directive 2009/48/EC
|
|
91
|
-
3. Recreational watercraft — Directive 2013/53/EU
|
|
92
|
-
4. Lifts — Directive 2014/33/EU
|
|
93
|
-
5. ATEX equipment — Directive 2014/34/EU
|
|
94
|
-
6. Radio equipment — Directive 2014/53/EU
|
|
95
|
-
7. Pressure equipment — Directive 2014/68/EU
|
|
96
|
-
8. Cableway installations — Regulation 2016/424
|
|
97
|
-
9. Personal protective equipment — Regulation 2016/425
|
|
98
|
-
10. Gaseous fuel appliances — Regulation 2016/426
|
|
99
|
-
11. Medical devices — Regulation 2017/745
|
|
100
|
-
12. In vitro diagnostic medical devices — Regulation 2017/746
|
|
101
|
-
|
|
102
|
-
### Section B — Other Harmonisation Legislation
|
|
103
|
-
13. Civil aviation security — Regulation 300/2008
|
|
104
|
-
14. Two/three-wheel vehicles — Regulation 168/2013
|
|
105
|
-
15. Agricultural/forestry vehicles — Regulation 167/2013
|
|
106
|
-
16. Marine equipment — Directive 2014/90/EU
|
|
107
|
-
17. Rail interoperability — Directive 2016/797
|
|
108
|
-
18. Motor vehicles and trailers — Regulation 2018/858
|
|
109
|
-
19. Motor vehicle safety standards — Regulation 2019/2144
|
|
110
|
-
20. Civil aviation and drones — Regulation 2018/1139
|
|
111
|
-
|
|
112
|
-
---
|
|
113
|
-
|
|
114
|
-
## Annex III — High-Risk AI Use Case Areas (8 Areas)
|
|
115
|
-
|
|
116
|
-
### Area 1 — Biometrics
|
|
117
|
-
- (a) Remote biometric identification systems (excluding personal identity verification)
|
|
118
|
-
- (b) Biometric categorization systems inferring sensitive/protected attributes
|
|
119
|
-
- (c) Emotion recognition systems
|
|
120
|
-
|
|
121
|
-
**Notes:** (b) and (c) are prohibited under Art. 5(1)(g) and 5(1)(f) respectively in many contexts. Area 1(a) biometric categorization/emotion recognition systems that fall under Art. 5 prohibitions cannot qualify as merely high-risk — the prohibition takes precedence.
|
|
122
|
-
|
|
123
|
-
### Area 2 — Critical Infrastructure
|
|
124
|
-
AI safety components managing or used in safety-critical management of: road traffic, water supply, gas supply, heating supply, electricity supply, and critical digital infrastructure.
|
|
125
|
-
|
|
126
|
-
### Area 3 — Education and Vocational Training
|
|
127
|
-
- (a) Determining access/admission to or assignment to educational institutions at any level
|
|
128
|
-
- (b) Evaluating learning outcomes that materially influence the learning process
|
|
129
|
-
- (c) Assessing appropriate level of education and materially influencing the level of education received
|
|
130
|
-
- (d) Monitoring and detecting prohibited student behavior in tests/examinations
|
|
131
|
-
|
|
132
|
-
### Area 4 — Employment, Workers Management, and Self-Employment
|
|
133
|
-
- (a) Recruitment and selection: targeted job advertising, application filtering/screening, candidate evaluation and selection
|
|
134
|
-
- (b) Making decisions affecting terms of employment/work relationships: promotion, termination, task allocation, monitoring/evaluating performance/behavior of employed persons
|
|
135
|
-
|
|
136
|
-
### Area 5 — Access to and Enjoyment of Essential Private and Public Services
|
|
137
|
-
- (a) Public authorities evaluating individual eligibility for public assistance benefits and services (including healthcare)
|
|
138
|
-
- (b) Creditworthiness assessment and credit scoring (excluding fraud detection)
|
|
139
|
-
- (c) Life insurance and health insurance risk assessment and pricing for natural persons
|
|
140
|
-
- (d) Emergency dispatch and emergency call classification and prioritization
|
|
141
|
-
|
|
142
|
-
### Area 6 — Law Enforcement
|
|
143
|
-
- (a) Individual risk assessment for becoming victim of criminal offenses
|
|
144
|
-
- (b) Polygraphs and similar tools to assess reliability of persons
|
|
145
|
-
- (c) Evaluating reliability of evidence in criminal investigations/prosecution
|
|
146
|
-
- (d) Assessing risk of offending/reoffending, including recidivism assessment
|
|
147
|
-
- (e) Profiling natural persons in course of criminal detection, investigation, or prosecution
|
|
148
|
-
|
|
149
|
-
### Area 7 — Migration, Asylum, and Border Control Management
|
|
150
|
-
- (a) Polygraph-like tools and similar for competent authorities in migration/asylum/border control
|
|
151
|
-
- (b) Assessing risk (including security/irregular migration risk) of persons intending to enter or having entered EU territory
|
|
152
|
-
- (c) Assisting competent authorities in examining applications for asylum, visa, and residence permits
|
|
153
|
-
- (d) Detecting, recognizing, or identifying natural persons (excluding verification of travel documents)
|
|
154
|
-
|
|
155
|
-
### Area 8 — Administration of Justice and Democratic Processes
|
|
156
|
-
- (a) AI assisting judicial authorities in researching, interpreting, and applying the law
|
|
157
|
-
- (b) AI intended to influence the outcome of elections or referenda, or the voting behavior of natural persons
|
|
158
|
-
|
|
159
|
-
---
|
|
160
|
-
|
|
161
|
-
## Art. 50 — Limited Risk Transparency Obligations (applies from 2 August 2026)
|
|
162
|
-
|
|
163
|
-
### Chatbots and AI Interaction Systems (Art. 50(1))
|
|
164
|
-
Providers must ensure users are informed they are interacting with an AI system, unless:
|
|
165
|
-
- Obvious to a reasonably well-informed user given context and circumstances
|
|
166
|
-
- System is authorized by law for detection of criminal offenses
|
|
167
|
-
|
|
168
|
-
### Synthetic Media — Deepfakes (Art. 50(2) and (4))
|
|
169
|
-
- Deployers of systems generating synthetic image/video/audio/text resembling real persons/places/events must disclose in machine-readable format that content is artificially generated or manipulated
|
|
170
|
-
- Deployer disclosure exceptions: authorized by law for criminal offense detection; artistic, satirical, or fictional works with appropriate disclosure that doesn't impair enjoyment
|
|
171
|
-
- All AI-generated text published to inform public on matters of public interest must be disclosed as AI-generated, unless: authorized for criminal investigation; content underwent human editorial review and editorial accountability exists
|
|
172
|
-
|
|
173
|
-
### Emotion Recognition and Biometric Categorization (Art. 50(3))
|
|
174
|
-
Deployers must inform natural persons exposed to these systems of:
|
|
175
|
-
- The operation of the system
|
|
176
|
-
- Must comply with GDPR and data protection law
|
|
177
|
-
- Exception: authorized for law enforcement
|
|
178
|
-
|
|
179
|
-
### Format Requirements
|
|
180
|
-
- Disclosures must be made at the latest at first interaction/exposure
|
|
181
|
-
- Clear and distinguishable manner
|
|
182
|
-
- Must meet accessibility standards (Directive 2019/882)
|
|
1
|
+
# EU AI Act — Risk Classification Reference
|
|
2
|
+
|
|
3
|
+
## Art. 3 — Key Definitions
|
|
4
|
+
|
|
5
|
+
| Term | Definition |
|
|
6
|
+
|------|-----------|
|
|
7
|
+
| **AI System** (Art. 3(1)) | A machine-based system designed to operate with varying levels of autonomy that, for a given set of objectives, infers from inputs how to generate outputs such as predictions, recommendations, decisions, or content affecting real or virtual environments |
|
|
8
|
+
| **GPAI Model** (Art. 3(63)) | An AI model trained with large amounts of data using self-supervision at scale that displays significant generality and competently performs a wide range of distinct tasks, regardless of placement method — excludes pre-release R&D models |
|
|
9
|
+
| **GPAI System** (Art. 3(64)) | An AI system based on a GPAI model capable of serving multiple purposes, directly or when integrated into other AI systems |
|
|
10
|
+
| **Provider** (Art. 3(3)) | Natural or legal person that develops an AI system or GPAI model and places it on the market or puts it into service under own name/trademark |
|
|
11
|
+
| **Deployer** (Art. 3(4)) | Natural or legal person using an AI system under own authority, except for personal non-professional activity |
|
|
12
|
+
| **Operator** (Art. 3(8)) | Encompasses provider, product manufacturer, deployer, authorised representative, importer, or distributor |
|
|
13
|
+
| **Authorised Representative** (Art. 3(5)) | Person established in EU with written mandate from non-EU provider to act on their behalf |
|
|
14
|
+
| **Importer** (Art. 3(6)) | EU-established person placing on market an AI system bearing third-country person's name/trademark |
|
|
15
|
+
| **Distributor** (Art. 3(7)) | Supply chain person (other than provider/importer) making AI system available on EU market |
|
|
16
|
+
| **Profiling** (Art. 3(52)) | Automated processing of personal data to evaluate natural persons — work performance, economic situation, health, preferences, reliability, behaviour, location |
|
|
17
|
+
|
|
18
|
+
---
|
|
19
|
+
|
|
20
|
+
## Risk Tier Overview
|
|
21
|
+
|
|
22
|
+
| Tier | Regulation Path | Key Obligation | Applies From |
|
|
23
|
+
|------|----------------|----------------|--------------|
|
|
24
|
+
| **Prohibited** | Art. 5 | Complete ban | 2 Feb 2025 |
|
|
25
|
+
| **High Risk** | Art. 6 + Annex I/III | Full conformity regime | 2 Aug 2026 (Annex III) / 2027 (Annex I) |
|
|
26
|
+
| **Limited Risk** | Art. 50 | Transparency disclosure only | 2 Aug 2026 |
|
|
27
|
+
| **Minimal / No Risk** | — | Voluntary codes of conduct | — |
|
|
28
|
+
|
|
29
|
+
---
|
|
30
|
+
|
|
31
|
+
## Art. 5 — Prohibited AI Practices (All 8, applies from 2 February 2025)
|
|
32
|
+
|
|
33
|
+
### 5(1)(a) — Subliminal / Manipulative Techniques
|
|
34
|
+
AI systems using subliminal techniques beyond a person's consciousness, or purposefully manipulative/deceptive techniques, that materially distort behavior and impair informed decision-making, causing or likely to cause significant harm to those persons or third parties.
|
|
35
|
+
|
|
36
|
+
### 5(1)(b) — Exploitation of Vulnerabilities
|
|
37
|
+
AI systems exploiting vulnerabilities of persons or groups based on age, disability, or socioeconomic circumstances, distorting behavior in a manner that causes or is likely to cause significant harm.
|
|
38
|
+
|
|
39
|
+
### 5(1)(c) — Social Scoring
|
|
40
|
+
AI systems that evaluate or classify natural persons or groups based on social behavior over a period of time or inferred personal characteristics, leading to:
|
|
41
|
+
- Detrimental or unfavorable treatment of persons or groups in unrelated social contexts; OR
|
|
42
|
+
- Treatment that is disproportionate or unjustified relative to the social context in which the behavior occurred
|
|
43
|
+
|
|
44
|
+
### 5(1)(d) — Predictive Criminal Risk Assessment
|
|
45
|
+
AI systems assessing the risk of natural persons committing criminal offenses based solely on profiling or personality/character traits assessment. **Exception:** systems supporting human assessment based on objective, verifiable facts directly linked to criminal activity.
|
|
46
|
+
|
|
47
|
+
### 5(1)(e) — Untargeted Facial Recognition Database Creation
|
|
48
|
+
Creating or expanding facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage.
|
|
49
|
+
|
|
50
|
+
### 5(1)(f) — Emotion Inference in Workplace or Educational Institutions
|
|
51
|
+
AI systems that infer emotions of natural persons in the workplace or educational institutions. **Exception:** for medical or safety purposes.
|
|
52
|
+
|
|
53
|
+
### 5(1)(g) — Biometric-Based Categorization for Sensitive Attributes
|
|
54
|
+
AI systems categorizing natural persons individually based on biometric data to deduce or infer race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation. **Exception:** labeling/filtering of lawfully acquired biometric datasets in law enforcement.
|
|
55
|
+
|
|
56
|
+
### 5(1)(h) — Real-Time Remote Biometric Identification (RBI) in Public Spaces by Law Enforcement
|
|
57
|
+
Real-time RBI systems in publicly accessible spaces for law enforcement purposes. **Narrow exceptions:**
|
|
58
|
+
- (i) Targeted search for specific missing persons or trafficking victims
|
|
59
|
+
- (ii) Preventing specific, substantial, imminent threat to life or terrorist attack
|
|
60
|
+
- (iii) Identifying suspects of serious criminal offenses carrying ≥4-year sentences listed in Annex II
|
|
61
|
+
|
|
62
|
+
**Procedural requirements for exceptions:** Prior judicial or independent administrative body authorization (post-hoc authorization within 24 hours for urgency); fundamental rights impact assessment; registration in EU AI database; report to market surveillance authority after each use. **Prohibited:** use to identify protected attributes.
|
|
63
|
+
|
|
64
|
+
---
|
|
65
|
+
|
|
66
|
+
## Art. 6 — High-Risk Classification Rules
|
|
67
|
+
|
|
68
|
+
### Path A — Art. 6(1): Safety Component of Sectoral Product
|
|
69
|
+
System is high-risk when BOTH conditions are met:
|
|
70
|
+
1. It is a **safety component of a product** covered by Annex I harmonisation legislation (or is itself such a product); **AND**
|
|
71
|
+
2. That product **requires third-party conformity assessment** under the relevant Annex I legislation
|
|
72
|
+
|
|
73
|
+
### Path B — Art. 6(2): Annex III Listed Use Case
|
|
74
|
+
System is high-risk when **listed in Annex III**, unless the following non-high-risk exceptions all apply:
|
|
75
|
+
- Performs a narrow procedural task
|
|
76
|
+
- Improves result of a previously completed human activity
|
|
77
|
+
- Detects decision-making patterns/deviations without replacing/influencing human assessment
|
|
78
|
+
- Performs preparatory tasks for assessment relevant to Annex III use cases
|
|
79
|
+
|
|
80
|
+
**Critical override (Art. 6(3)):** Any Annex III system that **profiles natural persons** is ALWAYS high-risk regardless of the above exceptions.
|
|
81
|
+
|
|
82
|
+
**Documentation obligation (Art. 6(3)):** Providers claiming non-high-risk status must document their assessment before market placement and make it available to national authorities on request.
|
|
83
|
+
|
|
84
|
+
---
|
|
85
|
+
|
|
86
|
+
## Annex I — Sectoral Harmonisation Laws (Safety Component Path)
|
|
87
|
+
|
|
88
|
+
### Section A — New Legislative Framework Products
|
|
89
|
+
1. Machinery — Directive 2006/42/EC
|
|
90
|
+
2. Toys — Directive 2009/48/EC
|
|
91
|
+
3. Recreational watercraft — Directive 2013/53/EU
|
|
92
|
+
4. Lifts — Directive 2014/33/EU
|
|
93
|
+
5. ATEX equipment — Directive 2014/34/EU
|
|
94
|
+
6. Radio equipment — Directive 2014/53/EU
|
|
95
|
+
7. Pressure equipment — Directive 2014/68/EU
|
|
96
|
+
8. Cableway installations — Regulation 2016/424
|
|
97
|
+
9. Personal protective equipment — Regulation 2016/425
|
|
98
|
+
10. Gaseous fuel appliances — Regulation 2016/426
|
|
99
|
+
11. Medical devices — Regulation 2017/745
|
|
100
|
+
12. In vitro diagnostic medical devices — Regulation 2017/746
|
|
101
|
+
|
|
102
|
+
### Section B — Other Harmonisation Legislation
|
|
103
|
+
13. Civil aviation security — Regulation 300/2008
|
|
104
|
+
14. Two/three-wheel vehicles — Regulation 168/2013
|
|
105
|
+
15. Agricultural/forestry vehicles — Regulation 167/2013
|
|
106
|
+
16. Marine equipment — Directive 2014/90/EU
|
|
107
|
+
17. Rail interoperability — Directive 2016/797
|
|
108
|
+
18. Motor vehicles and trailers — Regulation 2018/858
|
|
109
|
+
19. Motor vehicle safety standards — Regulation 2019/2144
|
|
110
|
+
20. Civil aviation and drones — Regulation 2018/1139
|
|
111
|
+
|
|
112
|
+
---
|
|
113
|
+
|
|
114
|
+
## Annex III — High-Risk AI Use Case Areas (8 Areas)
|
|
115
|
+
|
|
116
|
+
### Area 1 — Biometrics
|
|
117
|
+
- (a) Remote biometric identification systems (excluding personal identity verification)
|
|
118
|
+
- (b) Biometric categorization systems inferring sensitive/protected attributes
|
|
119
|
+
- (c) Emotion recognition systems
|
|
120
|
+
|
|
121
|
+
**Notes:** (b) and (c) are prohibited under Art. 5(1)(g) and 5(1)(f) respectively in many contexts. Area 1(a) biometric categorization/emotion recognition systems that fall under Art. 5 prohibitions cannot qualify as merely high-risk — the prohibition takes precedence.
|
|
122
|
+
|
|
123
|
+
### Area 2 — Critical Infrastructure
|
|
124
|
+
AI safety components managing or used in safety-critical management of: road traffic, water supply, gas supply, heating supply, electricity supply, and critical digital infrastructure.
|
|
125
|
+
|
|
126
|
+
### Area 3 — Education and Vocational Training
|
|
127
|
+
- (a) Determining access/admission to or assignment to educational institutions at any level
|
|
128
|
+
- (b) Evaluating learning outcomes that materially influence the learning process
|
|
129
|
+
- (c) Assessing appropriate level of education and materially influencing the level of education received
|
|
130
|
+
- (d) Monitoring and detecting prohibited student behavior in tests/examinations
|
|
131
|
+
|
|
132
|
+
### Area 4 — Employment, Workers Management, and Self-Employment
|
|
133
|
+
- (a) Recruitment and selection: targeted job advertising, application filtering/screening, candidate evaluation and selection
|
|
134
|
+
- (b) Making decisions affecting terms of employment/work relationships: promotion, termination, task allocation, monitoring/evaluating performance/behavior of employed persons
|
|
135
|
+
|
|
136
|
+
### Area 5 — Access to and Enjoyment of Essential Private and Public Services
|
|
137
|
+
- (a) Public authorities evaluating individual eligibility for public assistance benefits and services (including healthcare)
|
|
138
|
+
- (b) Creditworthiness assessment and credit scoring (excluding fraud detection)
|
|
139
|
+
- (c) Life insurance and health insurance risk assessment and pricing for natural persons
|
|
140
|
+
- (d) Emergency dispatch and emergency call classification and prioritization
|
|
141
|
+
|
|
142
|
+
### Area 6 — Law Enforcement
|
|
143
|
+
- (a) Individual risk assessment for becoming victim of criminal offenses
|
|
144
|
+
- (b) Polygraphs and similar tools to assess reliability of persons
|
|
145
|
+
- (c) Evaluating reliability of evidence in criminal investigations/prosecution
|
|
146
|
+
- (d) Assessing risk of offending/reoffending, including recidivism assessment
|
|
147
|
+
- (e) Profiling natural persons in course of criminal detection, investigation, or prosecution
|
|
148
|
+
|
|
149
|
+
### Area 7 — Migration, Asylum, and Border Control Management
|
|
150
|
+
- (a) Polygraph-like tools and similar for competent authorities in migration/asylum/border control
|
|
151
|
+
- (b) Assessing risk (including security/irregular migration risk) of persons intending to enter or having entered EU territory
|
|
152
|
+
- (c) Assisting competent authorities in examining applications for asylum, visa, and residence permits
|
|
153
|
+
- (d) Detecting, recognizing, or identifying natural persons (excluding verification of travel documents)
|
|
154
|
+
|
|
155
|
+
### Area 8 — Administration of Justice and Democratic Processes
|
|
156
|
+
- (a) AI assisting judicial authorities in researching, interpreting, and applying the law
|
|
157
|
+
- (b) AI intended to influence the outcome of elections or referenda, or the voting behavior of natural persons
|
|
158
|
+
|
|
159
|
+
---
|
|
160
|
+
|
|
161
|
+
## Art. 50 — Limited Risk Transparency Obligations (applies from 2 August 2026)
|
|
162
|
+
|
|
163
|
+
### Chatbots and AI Interaction Systems (Art. 50(1))
|
|
164
|
+
Providers must ensure users are informed they are interacting with an AI system, unless:
|
|
165
|
+
- Obvious to a reasonably well-informed user given context and circumstances
|
|
166
|
+
- System is authorized by law for detection of criminal offenses
|
|
167
|
+
|
|
168
|
+
### Synthetic Media — Deepfakes (Art. 50(2) and (4))
|
|
169
|
+
- Deployers of systems generating synthetic image/video/audio/text resembling real persons/places/events must disclose in machine-readable format that content is artificially generated or manipulated
|
|
170
|
+
- Deployer disclosure exceptions: authorized by law for criminal offense detection; artistic, satirical, or fictional works with appropriate disclosure that doesn't impair enjoyment
|
|
171
|
+
- All AI-generated text published to inform public on matters of public interest must be disclosed as AI-generated, unless: authorized for criminal investigation; content underwent human editorial review and editorial accountability exists
|
|
172
|
+
|
|
173
|
+
### Emotion Recognition and Biometric Categorization (Art. 50(3))
|
|
174
|
+
Deployers must inform natural persons exposed to these systems of:
|
|
175
|
+
- The operation of the system
|
|
176
|
+
- Must comply with GDPR and data protection law
|
|
177
|
+
- Exception: authorized for law enforcement
|
|
178
|
+
|
|
179
|
+
### Format Requirements
|
|
180
|
+
- Disclosures must be made at the latest at first interaction/exposure
|
|
181
|
+
- Clear and distinguishable manner
|
|
182
|
+
- Must meet accessibility standards (Directive 2019/882)
|