{
  "schema_version": "1.0.0",
  "published": "2026-06-29",
  "framework": {
    "id": "eu_ai_act",
    "title": "EU AI Act 2024/1689",
    "full_title": "Regulation (EU) 2024/1689 on Artificial Intelligence",
    "publisher": "European Union",
    "version": "2024/1689",
    "normative_force": "binding-law",
    "jurisdiction": [
      "eu"
    ],
    "canonical_url": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng",
    "effective_date": "2024-08-01"
  },
  "total_requirements": 65,
  "coverage_summary": {
    "direct": 51,
    "partial": 14,
    "none": 0,
    "out_of_scope": 0
  },
  "mappings": [
    {
      "requirement_id": "EU-AIA-ART05-01a",
      "section": "Art. 5(1)(a)",
      "title": "Prohibited AI \u2014 subliminal manipulation",
      "text": "AI systems that deploy subliminal techniques beyond a person's consciousness or purposefully manipulative or deceptive techniques with the objective to materially distort the behaviour of a person or a group of persons are prohibited.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://ethics/controls/HI-02",
        "apeiris://ethics/controls/HI-06",
        "apeiris://security/controls/GV-07"
      ],
      "primary_domains": [
        "ethics",
        "security"
      ],
      "notes": "EF-05 (EU AI Act Prohibited Practices Governance) directly operationalizes Art. 5 \u2014 it requires a prohibited-practice register, design-time review gate, and documented evidence that no deployed system falls within any Art. 5(1) category. HI-02 (Human Dignity and Autonomy Preservation) requires positive design controls against techniques that bypass rational agency. HI-06 (Consent and Agency Preservation) enforces that AI interactions maintain informed user consent at every point. GV-07 (Protect humans from being deceived by an agent) closes the agentic enforcement gap, requiring output review for deceptive framing or hidden influence channels."
    },
    {
      "requirement_id": "EU-AIA-ART05-01b",
      "section": "Art. 5(1)(b)",
      "title": "Prohibited AI \u2014 exploitation of vulnerabilities",
      "text": "AI systems that exploit any of the vulnerabilities of a natural person or a specific group of persons due to their age, disability or a specific social or economic situation are prohibited.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://ethics/controls/HI-03",
        "apeiris://ethics/controls/HI-07",
        "apeiris://ethics/controls/FA-07"
      ],
      "primary_domains": [
        "ethics"
      ],
      "notes": "EF-05 covers the legal prohibition governance gate. HI-03 (Vulnerable Population Protection) requires explicit identification of vulnerable groups in the AI system's intended population, risk controls, and documented evidence that the system cannot be directed toward exploitation. HI-07 (Child and Minors Safety Controls) extends this specifically to minors, with age-gating and interaction controls. FA-07 (Bias Remediation Governance) ensures that bias toward vulnerable groups discovered in evaluation triggers a mandatory remediation track before deployment approval."
    },
    {
      "requirement_id": "EU-AIA-ART05-01c",
      "section": "Art. 5(1)(c)",
      "title": "Prohibited AI \u2014 social scoring by public authorities",
      "text": "AI systems by or on behalf of public authorities for the evaluation or classification of natural persons based on their social behaviour or predicted personal or personality characteristics leading to detrimental or unfavourable treatment are prohibited.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://ethics/controls/FA-02",
        "apeiris://ethics/controls/FA-06",
        "apeiris://ethics/controls/EG-02"
      ],
      "primary_domains": [
        "ethics"
      ],
      "notes": "EF-05 maintains the prohibited-practice compliance gate. FA-02 (Algorithmic Bias Impact Assessment) would surface any classification scheme that segments populations in ways analogous to social scoring. FA-06 (Disparate Impact Analysis) detects when AI-driven classifications systematically disadvantage specific demographic groups in a manner inconsistent with the system's stated purpose. EG-02 (AI Ethics Policy Framework) requires that organizational policy explicitly prohibit deployment of social scoring mechanisms."
    },
    {
      "requirement_id": "EU-AIA-ART05-01d",
      "section": "Art. 5(1)(d)",
      "title": "Prohibited AI \u2014 real-time remote biometric identification in public spaces",
      "text": "AI systems for real-time remote biometric identification of natural persons in publicly accessible spaces for law enforcement purposes are prohibited, subject to limited enumerated exceptions.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://privacy/controls/PC-06",
        "apeiris://privacy/controls/DC-02",
        "apeiris://identity/controls/IF-05"
      ],
      "primary_domains": [
        "ethics",
        "privacy",
        "identity"
      ],
      "notes": "EF-05 provides the governance gate for Art. 5 prohibited practices. PC-06 (AI Privacy Impact Assessment) and DC-02 (Special Category Data Classification) provide controls for biometric data governance. IF-05 (eIDAS 2.0 Qualified Attestation for EU Operations) covers EU identity infrastructure. Partial: the narrow law-enforcement exception process and judicial/administrative authorization requirements are specific procedural obligations that fall outside Apeiris controls and require dedicated legal and operational workflows."
    },
    {
      "requirement_id": "EU-AIA-ART05-01e",
      "section": "Art. 5(1)(e)",
      "title": "Prohibited AI \u2014 emotion recognition in workplace and education",
      "text": "AI systems used for emotion recognition in the workplace and educational institutions are prohibited.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://ethics/controls/HI-02",
        "apeiris://privacy/controls/PC-06",
        "apeiris://ethics/controls/EG-02"
      ],
      "primary_domains": [
        "ethics",
        "privacy"
      ],
      "notes": "EF-05 directly covers this prohibition in the prohibited-practice register and design-time review gate. HI-02 (Human Dignity and Autonomy Preservation) requires controls against surveillance that infringes dignity or autonomy in institutional contexts. PC-06 (AI Privacy Impact Assessment) flags emotion-inference systems processing personal data without lawful basis. EG-02 requires explicit organizational policy prohibiting deployment of emotion-recognition systems in employment or educational settings."
    },
    {
      "requirement_id": "EU-AIA-ART05-01f",
      "section": "Art. 5(1)(f)",
      "title": "Prohibited AI \u2014 biometric categorization by protected characteristics",
      "text": "Biometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation are prohibited.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://ethics/controls/FA-01",
        "apeiris://privacy/controls/DC-02",
        "apeiris://ethics/controls/FA-02"
      ],
      "primary_domains": [
        "ethics",
        "privacy"
      ],
      "notes": "EF-05 provides the prohibition governance gate. FA-01 (Protected Characteristic Identification and Scope) requires explicit mapping of all protected characteristics in scope and prohibits inference pipelines that derive protected characteristics without lawful authority. DC-02 (Special Category Data Classification) applies strict controls to biometric data inputs. FA-02 (Algorithmic Bias Impact Assessment) would detect if a model architecture is extracting protected-characteristic proxies from biometric inputs."
    },
    {
      "requirement_id": "EU-AIA-ART05-01g",
      "section": "Art. 5(1)(g)",
      "title": "Prohibited AI \u2014 predictive policing based on profiling",
      "text": "AI systems used by or on behalf of law enforcement authorities for making individual risk assessments of natural persons in order to predict the risk of a natural person of offending or reoffending based solely on profiling are prohibited.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://ethics/controls/FA-02",
        "apeiris://ethics/controls/FA-06",
        "apeiris://ethics/controls/HI-01"
      ],
      "primary_domains": [
        "ethics"
      ],
      "notes": "EF-05 maintains the prohibited-practice register covering this category. FA-02 and FA-06 (Disparate Impact Analysis) identify when profiling-based predictive outputs systematically disadvantage protected groups \u2014 a defining feature of prohibited predictive policing. HI-01 (Fundamental Rights Impact Assessment Content Governance) requires assessment of any AI system that could affect liberty or legal rights before deployment."
    },
    {
      "requirement_id": "EU-AIA-ART05-01h",
      "section": "Art. 5(1)(h)",
      "title": "Prohibited AI \u2014 facial recognition scraping",
      "text": "AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage are prohibited.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://ethics/controls/EF-05",
        "apeiris://privacy/controls/DC-01",
        "apeiris://model/controls/TG-03",
        "apeiris://security/controls/RT-05"
      ],
      "primary_domains": [
        "ethics",
        "privacy",
        "model"
      ],
      "notes": "EF-05 covers the prohibition governance gate. DC-01 (Personal Data Inventory) and TG-03 (Data Rights, Lawful Authority and Permitted Use) require that all training data sources are inventoried and have documented lawful authority \u2014 scraping without authority would fail TG-03 gates. RT-05 (Data-loss prevention to agent egress) prevents agents from bulk-extracting biometric data. Partial: operational controls for scraping prevention (network-level blocking, web-facing API policies) are implementation-specific and extend beyond Apeiris's AI governance control plane."
    },
    {
      "requirement_id": "EU-AIA-ART09-01",
      "section": "Art. 9(1)",
      "title": "Risk management system \u2014 establishment and maintenance",
      "text": "A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems throughout their entire lifecycle.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://authority/controls/PV-01",
        "apeiris://agentic/controls/AG-03",
        "apeiris://compliance/controls/RF-01",
        "apeiris://compliance/controls/CG-01"
      ],
      "primary_domains": [
        "authority",
        "agentic",
        "compliance"
      ],
      "notes": "PV-01 (Operating Intent Declaration) establishes the scope and intent boundary as the foundation of any risk management system. AG-03 (Agentic AI Risk Assessment Framework) provides the structured risk assessment methodology covering identification, likelihood, impact, and treatment decisions. RF-01 (EU AI Act High-Risk AI System Classification) maps the system to the high-risk category under Annex III to confirm scope. CG-01 (Compliance Governance Structure) embeds the risk management function within the organizational governance structure, ensuring it is maintained rather than performed once."
    },
    {
      "requirement_id": "EU-AIA-ART09-02",
      "section": "Art. 9(2)",
      "title": "Risk management \u2014 identification and analysis of known and reasonably foreseeable risks",
      "text": "The risk management system shall consist of a continuous iterative process identifying and analysing known and reasonably foreseeable risks to health, safety or fundamental rights associated with each high-risk AI system.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://agentic/controls/AG-03",
        "apeiris://compliance/controls/CA-06",
        "apeiris://authority/controls/PV-02",
        "apeiris://ethics/controls/HI-01"
      ],
      "primary_domains": [
        "agentic",
        "compliance",
        "authority",
        "ethics"
      ],
      "notes": "AG-03 defines the risk identification and analysis methodology as a continuous, structured process updated on each deployment change. CA-06 (Compliance Obligation Gap Analysis) surfaces regulatory and rights-related risk gaps. PV-02 (Operating Intent Boundary Validation) continuously checks that system behavior stays within declared intent boundaries, catching drift-driven risk accumulation. HI-01 (Fundamental Rights Impact Assessment) formalizes the health, safety, and fundamental rights dimensions of risk analysis required by this article."
    },
    {
      "requirement_id": "EU-AIA-ART09-03",
      "section": "Art. 9(3)",
      "title": "Risk management \u2014 residual risk estimation and evaluation",
      "text": "The risk management system shall involve evaluation of known and reasonably foreseeable risks that may emerge when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://agentic/controls/AG-03",
        "apeiris://model/controls/EV-09",
        "apeiris://security/controls/AS-01",
        "apeiris://model/controls/EV-03"
      ],
      "primary_domains": [
        "agentic",
        "model",
        "security"
      ],
      "notes": "AG-03 includes residual risk estimation and misuse scenario analysis as mandatory components of the risk assessment output. EV-09 (Risk and Applicability Classification) produces a structured risk classification covering both intended use and foreseeable misuse vectors. AS-01 (Adversarial red-team and evaluate the agent before launch) specifically tests misuse and abuse scenarios beyond the happy-path intended purpose. EV-03 (Dangerous Capability Threshold Assessment) evaluates whether system capabilities create residual risks above defined thresholds even under normal use."
    },
    {
      "requirement_id": "EU-AIA-ART09-04",
      "section": "Art. 9(4)",
      "title": "Risk management \u2014 adoption of appropriate measures",
      "text": "Appropriate risk management measures shall be adopted, in particular as regards the risks referred to in paragraph 2, considering the effects and possible interactions resulting from the combination of requirements laid down in Articles 10 to 15.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://agentic/controls/AG-03",
        "apeiris://compliance/controls/CA-02",
        "apeiris://authority/controls/PO-01",
        "apeiris://compliance/controls/CI-07"
      ],
      "primary_domains": [
        "agentic",
        "compliance",
        "authority"
      ],
      "notes": "AG-03 requires risk treatment selection (accept, mitigate, transfer, avoid) with documented rationale for each identified risk. CA-02 (Compliance Framework Selection and Mapping) maps treatment measures to applicable regulatory obligations across Arts. 10-15, ensuring cross-requirement interaction effects are considered. PO-01 (Internal Policy Register for AI Deployments) translates risk treatment decisions into enforceable operational policies. CI-07 (Remediation Tracking and Closure) tracks measure implementation to verified completion."
    },
    {
      "requirement_id": "EU-AIA-ART09-05",
      "section": "Art. 9(5)",
      "title": "Risk management \u2014 testing for most appropriate measures",
      "text": "High-risk AI systems shall be tested for the purpose of identifying the most appropriate and targeted risk management measures. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and that they are compliant with the requirements set out in this Section.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/EV-01",
        "apeiris://model/controls/EV-04",
        "apeiris://security/controls/AS-01",
        "apeiris://model/controls/EV-07"
      ],
      "primary_domains": [
        "model",
        "security"
      ],
      "notes": "EV-01 (Pre-Deployment Evaluation Gate) is a mandatory test gate that must be passed before deployment, covering consistency with intended purpose. EV-04 (Adversarial Red-Team Testing) tests that risk management measures hold under adversarial conditions. AS-01 (Red-team and evaluate before launch) provides the agentic variant of this requirement. EV-07 (Regression Testing on Updates) ensures that risk management measure effectiveness is re-verified on every system change."
    },
    {
      "requirement_id": "EU-AIA-ART09-06",
      "section": "Art. 9(6)",
      "title": "Risk management \u2014 testing against prior defined metrics and probabilistic thresholds",
      "text": "Testing of high-risk AI systems shall be performed, as appropriate, at any point in time during the development process, and, in any event, prior to placing on the market or putting into service. Testing shall be performed against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/EV-02",
        "apeiris://model/controls/EV-06",
        "apeiris://model/controls/EV-05",
        "apeiris://model/controls/BH-01"
      ],
      "primary_domains": [
        "model"
      ],
      "notes": "EV-02 (Fitness, Safety, Reliability and Policy-Conformance Evaluation) requires pre-defined performance metrics and pass/fail thresholds declared before evaluation begins. EV-06 (Reproducible Evaluation Design) enforces that metric definitions, test sets, and threshold criteria are fixed prior to evaluation execution \u2014 preventing post-hoc metric selection. EV-05 (Fairness and Bias Evaluation) applies probabilistic fairness thresholds appropriate to the demographic context of the intended purpose. BH-01 (Output Anomaly Detection) provides continuous metric monitoring in production to verify thresholds are maintained over time."
    },
    {
      "requirement_id": "EU-AIA-ART09-07",
      "section": "Art. 9(7)",
      "title": "Risk management \u2014 measures for particularly vulnerable groups",
      "text": "When identifying the most appropriate risk management measures, due consideration shall be given to whether the intended purpose of the high-risk AI system involves natural persons who are particularly vulnerable, in particular children.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/HI-03",
        "apeiris://ethics/controls/HI-07",
        "apeiris://ethics/controls/FA-07",
        "apeiris://agentic/controls/AG-03"
      ],
      "primary_domains": [
        "ethics",
        "agentic"
      ],
      "notes": "HI-03 (Vulnerable Population Protection) requires explicit identification of vulnerable groups in the intended user population and mandates heightened controls for systems affecting those groups. HI-07 (Child and Minors Safety Controls) provides specific control requirements for systems accessible to or intended for minors, including interaction design constraints and parental/guardian notification. FA-07 (Bias Remediation Governance) ensures that disproportionate impact on vulnerable groups identified in testing triggers mandatory remediation before deployment. AG-03 includes vulnerable-group consideration as a mandatory dimension of the risk assessment."
    },
    {
      "requirement_id": "EU-AIA-ART10-01",
      "section": "Art. 10(1)",
      "title": "Data and data governance \u2014 governance practices for training, validation, testing data",
      "text": "High-risk AI systems which make use of techniques involving the training of AI models with data shall be developed on the basis of training, validation and testing data sets that meet the quality criteria referred to in paragraphs 2 to 5.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/TG-01",
        "apeiris://data/controls/DM-05",
        "apeiris://data/controls/DL-02",
        "apeiris://data/controls/DV-02"
      ],
      "primary_domains": [
        "model",
        "data"
      ],
      "notes": "TG-01 (Training Data Quality Gates) establishes quality criteria and enforcement gates specifically for AI training data, operationalizing this article's core requirement. DM-05 (Data Quality Standards and Target Setting) defines organization-wide data quality standards that apply to AI training, validation, and testing sets. DL-02 (Training Data Lineage Documentation) ensures each dataset has traceable provenance to verify quality criteria were applied at source. DV-02 (Data Quality Gate Enforcement) provides the technical gate that rejects datasets below defined quality thresholds before they enter training pipelines."
    },
    {
      "requirement_id": "EU-AIA-ART10-02",
      "section": "Art. 10(2)",
      "title": "Data governance \u2014 training, validation, testing data set requirements",
      "text": "Training, validation and testing data sets shall be subject to data governance and management practices including statistical properties and bias analysis; relevant to the intended purpose; sufficiently representative; free of errors; complete to the extent possible.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/TG-05",
        "apeiris://model/controls/TG-01",
        "apeiris://data/controls/DV-03",
        "apeiris://data/controls/DI-01"
      ],
      "primary_domains": [
        "model",
        "data"
      ],
      "notes": "TG-05 (Train/Evaluation/Test Separation and Contamination Prevention) enforces proper dataset splits and prevents leakage that would compromise representativeness or introduce errors. TG-01 requires documentation of statistical properties for each dataset. DV-03 (Statistical Distribution Validation) validates that dataset distributions are consistent with the intended use population and flags under-representation of relevant subgroups. DI-01 (Data Integrity Baseline and Checksum Monitoring) detects corruption and errors in stored datasets before they are consumed by training pipelines."
    },
    {
      "requirement_id": "EU-AIA-ART10-03",
      "section": "Art. 10(3)",
      "title": "Data governance \u2014 relevance, completeness, and appropriateness of data",
      "text": "Training, validation and testing data sets shall take into account, to the extent required by their intended purpose, the relevant characteristics or elements particular to the specific geographical, contextual, behavioural, or functional setting within which the high-risk AI system is intended to be used.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/TG-06",
        "apeiris://model/controls/LI-07",
        "apeiris://authority/controls/PV-01",
        "apeiris://model/controls/TG-02"
      ],
      "primary_domains": [
        "model",
        "authority"
      ],
      "notes": "LI-07 (Capability and Limitation Declaration) requires explicit documentation of the intended deployment context \u2014 geographic, demographic, and behavioural \u2014 as a prerequisite for dataset design. TG-06 (Sensitive-Data Necessity, Minimization and Controlled Use) ensures that training data characteristics are scoped to the deployment context. PV-01 (Operating Intent Declaration) anchors the intended purpose that training data must be relevant to. TG-02 (Bias and Representativeness Assessment) verifies that contextual representation is adequate for the stated deployment setting."
    },
    {
      "requirement_id": "EU-AIA-ART10-04",
      "section": "Art. 10(4)",
      "title": "Data governance \u2014 examination for biases",
      "text": "To the extent that it is strictly necessary for the purposes of ensuring bias detection and correction in the high-risk AI system, providers of such systems may process special categories of personal data, subject to appropriate safeguards for the fundamental rights and freedoms of natural persons.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/TG-02",
        "apeiris://ethics/controls/FA-02",
        "apeiris://ethics/controls/FA-04",
        "apeiris://privacy/controls/PC-06"
      ],
      "primary_domains": [
        "model",
        "ethics",
        "privacy"
      ],
      "notes": "TG-02 (Bias and Representativeness Assessment) is the direct technical control for bias examination in training data, required before training begins. FA-02 (Algorithmic Bias Impact Assessment) covers bias analysis at the model evaluation stage. FA-04 (Independent Bias Testing Methodology) requires structured, repeatable methodology for bias detection that can be disclosed to regulators. PC-06 (AI Privacy Impact Assessment) ensures that where special-category data is used for bias detection, appropriate privacy safeguards and data minimization controls are documented."
    },
    {
      "requirement_id": "EU-AIA-ART10-05",
      "section": "Art. 10(5)",
      "title": "Data governance \u2014 special category data for bias detection",
      "text": "Special categories of personal data referred to in Article 9 of Regulation (EU) 2016/679 may be processed for bias detection provided that appropriate safeguards are in place for the fundamental rights and freedoms of natural persons.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://privacy/controls/DC-02",
        "apeiris://model/controls/TG-02",
        "apeiris://ethics/controls/FA-01",
        "apeiris://privacy/controls/DG-05"
      ],
      "primary_domains": [
        "privacy",
        "model",
        "ethics"
      ],
      "notes": "DC-02 (Special Category Data Classification) identifies and applies access controls to special-category data. TG-02 governs its use in bias detection workflows. FA-01 (Protected Characteristic Identification and Scope) maps which protected attributes are being assessed. DG-05 (DPIA Lifecycle Management) is the GDPR-layer safeguard required for special-category processing. Partial: the specific GDPR Article 9(2) legal basis selection, data processor agreements, and Article 30 record-of-processing entries for this specific processing purpose require legal and DPO involvement that extends beyond Apeiris controls."
    },
    {
      "requirement_id": "EU-AIA-ART11-01",
      "section": "Art. 11(1)",
      "title": "Technical documentation \u2014 establish before placing on market",
      "text": "Before placing on the market or putting into service a high-risk AI system, providers of such systems shall draw up technical documentation in accordance with Annex IV.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/LI-04",
        "apeiris://compliance/controls/RF-03",
        "apeiris://model/controls/LI-07",
        "apeiris://model/controls/LI-02"
      ],
      "primary_domains": [
        "model",
        "compliance"
      ],
      "notes": "RF-03 (EU AI Act Technical Documentation Package \u2014 Art. 11) is the Apeiris control created specifically to manage Annex IV technical documentation production and completeness. LI-04 (Structured Model Documentation \u2014 Complete Model Card) covers the system description, intended purpose, version history, and performance characteristics required by Annex IV \u00a71-2. LI-07 (Capability and Limitation Declaration) covers Annex IV \u00a71(c) requirements for capability description and known limitations. LI-02 (Model Provenance Chain) covers Annex IV training data lineage requirements."
    },
    {
      "requirement_id": "EU-AIA-ART11-02",
      "section": "Art. 11(2)",
      "title": "Technical documentation \u2014 must enable conformity assessment",
      "text": "The technical documentation shall be drawn up in such a way so as to demonstrate that the high-risk AI system complies with the requirements set out in this Section and shall contain, at a minimum, the elements set out in Annex IV.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://compliance/controls/RF-03",
        "apeiris://compliance/controls/RF-02",
        "apeiris://compliance/controls/AU-02",
        "apeiris://compliance/controls/AU-07"
      ],
      "primary_domains": [
        "compliance"
      ],
      "notes": "RF-03 produces the technical documentation package mapped to Annex IV elements. AU-02 (Evidence Collection, Curation, and Validation) curates the evidence artifacts that demonstrate compliance with each Annex IV item. AU-07 (Multi-Framework Evidence Reuse) allows evidence from other Apeiris domains to be reused in the technical documentation package. RF-02 (Conformity Assessment Pathway Selection) determines the correct conformity procedure. Partial: formal CE marking, EU declaration of conformity filing, and registration in the EU AI Act database (Art. 71) are regulatory legal acts outside Apeiris control scope."
    },
    {
      "requirement_id": "EU-AIA-ART12-01",
      "section": "Art. 12(1)",
      "title": "Record-keeping \u2014 logging capabilities",
      "text": "High-risk AI systems shall technically allow for the automatic recording of events ('logs') over the lifetime of the system.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/BH-05",
        "apeiris://security/controls/GV-02",
        "apeiris://agentic/controls/AT-07"
      ],
      "primary_domains": [
        "model",
        "security",
        "agentic"
      ],
      "notes": "BH-05 (Usage Telemetry and Decision Logging) mandates comprehensive event logging capturing inputs, outputs, confidence scores, model version, and user context for every AI decision. GV-02 (Immutable, tamper-evident audit trail) requires that these logs are protected from alteration \u2014 satisfying the 'automatic' and 'technical' logging requirements of Art. 12(1). AT-07 (Tool Usage Audit Trail) extends logging to cover tool calls made by agentic AI systems, which Art. 12 applies to."
    },
    {
      "requirement_id": "EU-AIA-ART12-02",
      "section": "Art. 12(2)",
      "title": "Record-keeping \u2014 automatic logging throughout lifecycle",
      "text": "The logging capabilities shall ensure a level of traceability of the AI system's functioning throughout its lifecycle that is appropriate to the intended purpose of the system, and shall at a minimum allow for the identification of the time period during which the system was used.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/BH-05",
        "apeiris://security/controls/RT-01",
        "apeiris://agentic/controls/AM-01",
        "apeiris://data/controls/DL-03"
      ],
      "primary_domains": [
        "model",
        "security",
        "agentic",
        "data"
      ],
      "notes": "BH-05 captures timestamped event records with session metadata enabling reconstruction of usage periods. RT-01 (Capture OS-level telemetry of what the agent actually does) provides the infrastructure-layer telemetry that complements model-layer logging for full lifecycle traceability. AM-01 (Behavioral Telemetry Collection Baseline) establishes the baseline telemetry collection covering all agentic actions. DL-03 (Inference-Time Data Lineage \u2014 Per-Decision Provenance) provides per-decision lineage linking each output to its input data, model version, and execution timestamp."
    },
    {
      "requirement_id": "EU-AIA-ART12-03",
      "section": "Art. 12(3)",
      "title": "Record-keeping \u2014 deployer retention of logs",
      "text": "For high-risk AI systems referred to in Annex III, point 1, the logging capabilities shall, to the extent technically feasible, meet the requirements set out in Annex XII. Deployers shall retain the logs generated by the high-risk AI system.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://compliance/controls/AU-04",
        "apeiris://model/controls/CR-02",
        "apeiris://security/controls/GV-02"
      ],
      "primary_domains": [
        "compliance",
        "model",
        "security"
      ],
      "notes": "AU-04 (Audit Trail Integrity) governs log retention policies and technical controls ensuring logs remain intact. CR-02 (Model Evidence Archive and Audit Trail) maintains model-layer decision logs as part of the evidence archive. GV-02 enforces tamper-evidence for retained logs. Partial: deployer-specific retention obligations, particularly the specific duration and scope for biometric identification systems (Annex XII), may require jurisdiction-specific configuration beyond standard Apeiris retention controls."
    },
    {
      "requirement_id": "EU-AIA-ART13-01",
      "section": "Art. 13(1)",
      "title": "Transparency \u2014 sufficiently transparent operation",
      "text": "High-risk AI systems shall be designed and developed in such a way as to ensure that their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/XP-01",
        "apeiris://ethics/controls/XP-05",
        "apeiris://model/controls/LI-07",
        "apeiris://ethics/controls/XP-06"
      ],
      "primary_domains": [
        "ethics",
        "model"
      ],
      "notes": "XP-01 (Explainability Method Selection and Justification) requires that appropriate explainability methods are selected and integrated into the system design, enabling deployers to understand outputs. XP-05 (Model Card and System Card Transparency Disclosure) provides the system-level transparency disclosure consumed by deployers. LI-07 (Capability and Limitation Declaration) documents the operational envelope, known limitations, and appropriate use cases. XP-06 (Technical vs. Non-Technical Explanation Tiers) ensures that deployer-facing explanations are calibrated to the deployer's technical level."
    },
    {
      "requirement_id": "EU-AIA-ART13-02",
      "section": "Art. 13(2)",
      "title": "Transparency \u2014 instructions for use",
      "text": "High-risk AI systems shall be accompanied by instructions for use in an appropriate digital format that include concise, complete, correct, and clear information that is relevant, accessible, and comprehensible to deployers.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/LI-04",
        "apeiris://model/controls/LI-07",
        "apeiris://ethics/controls/XP-06"
      ],
      "primary_domains": [
        "model",
        "ethics"
      ],
      "notes": "LI-04 (Structured Model Documentation \u2014 Complete Model Card) requires a complete model card with all required sections including intended use, performance characteristics, and operational guidance, which serves as the primary instructions for use. LI-07 (Capability and Limitation Declaration) provides the capabilities, constraints, and appropriate-use guidance component. XP-06 (Technical vs. Non-Technical Explanation Tiers) ensures documentation is calibrated to deployer comprehension level."
    },
    {
      "requirement_id": "EU-AIA-ART13-03",
      "section": "Art. 13(3)",
      "title": "Transparency \u2014 specific information required in instructions",
      "text": "Instructions for use shall contain information relating to: provider identity, intended purpose, level of accuracy and robustness, any known or foreseeable circumstances that may lead to risks, human oversight measures, expected lifetime and maintenance measures.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://model/controls/LI-04",
        "apeiris://ethics/controls/XP-05",
        "apeiris://compliance/controls/RF-03",
        "apeiris://model/controls/EV-02"
      ],
      "primary_domains": [
        "model",
        "ethics",
        "compliance"
      ],
      "notes": "LI-04 covers identity, intended purpose, and performance characteristics. XP-05 (Model Card and System Card) covers known limitations and risk circumstances. RF-03 (Technical Documentation Package) covers the complete Annex IV information set. EV-02 provides accuracy and robustness metrics. Partial: expected system lifetime and maintenance schedule commitments, and EU-specific provider registration details (EUID), may require legal entity information management beyond Apeiris's technical control scope."
    },
    {
      "requirement_id": "EU-AIA-ART14-01",
      "section": "Art. 14(1)",
      "title": "Human oversight \u2014 design with appropriate measures",
      "text": "High-risk AI systems shall be designed and developed in such a way, including with appropriate human-machine interface tools, that they can be effectively overseen by natural persons during the period in which the AI system is in use.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/OA-02",
        "apeiris://agentic/controls/AO-04",
        "apeiris://security/controls/GV-01",
        "apeiris://ethics/controls/HI-04"
      ],
      "primary_domains": [
        "model",
        "agentic",
        "security",
        "ethics"
      ],
      "notes": "OA-02 (Meaningful Human Oversight for High-Stakes Decisions) requires design-time integration of oversight mechanisms as a mandatory design requirement rather than an optional feature. AO-04 (Human-in-the-Loop Gates for High-Consequence Orchestrations) enforces pause points at which human review and approval is required before consequential actions proceed. GV-01 (Human hard-stop for irreversible actions) provides the system-level capability for humans to halt the AI system at any point. HI-04 (Human Oversight and Override Mechanisms) requires that override mechanisms are accessible and operationally tested."
    },
    {
      "requirement_id": "EU-AIA-ART14-02",
      "section": "Art. 14(2)",
      "title": "Human oversight \u2014 measures proportionate to risks and autonomy level",
      "text": "Human oversight measures shall be commensurate with the risks, level of autonomy and context of use of the high-risk AI system and shall be identified and built into the high-risk AI system by the provider before placing on the market.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/OA-04",
        "apeiris://security/controls/GV-05",
        "apeiris://agentic/controls/AG-03",
        "apeiris://agentic/controls/AG-02"
      ],
      "primary_domains": [
        "model",
        "security",
        "agentic"
      ],
      "notes": "OA-04 (Delegated Autonomy Tier Governance) directly maps autonomy levels to oversight requirements \u2014 the higher the autonomy tier, the stricter the required oversight controls. GV-05 (AI management system \u2014 tier agents by autonomy) provides the tiering framework that links autonomy level to risk-proportionate oversight requirements. AG-03 defines the risk level that drives oversight intensity. AG-02 (Agent Deployment Policy and Pre-Deployment Review Gate) ensures oversight measures are verified at the pre-deployment review gate before the system is placed in service."
    },
    {
      "requirement_id": "EU-AIA-ART14-03",
      "section": "Art. 14(3)",
      "title": "Human oversight \u2014 specific oversight capabilities",
      "text": "The measures referred to in paragraph 1 shall enable individuals designated to oversee to: fully understand the capabilities and limitations; monitor operation for anomalies; be able to disregard, override or interrupt the system; interpret outputs correctly; and intervene effectively.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/OA-02",
        "apeiris://ethics/controls/HI-04",
        "apeiris://security/controls/GV-01",
        "apeiris://ethics/controls/XP-02"
      ],
      "primary_domains": [
        "model",
        "ethics",
        "security"
      ],
      "notes": "OA-02 requires that oversight personnel have documented access to capability/limitation documentation, anomaly alerts, and override mechanisms. HI-04 (Human Oversight and Override Mechanisms) operationalizes the override and interrupt capability requirements. GV-01 (Human hard-stop for irreversible actions) provides the technical interrupt capability. XP-02 (Decision-Level Explanation Requirements) ensures outputs are accompanied by decision-level explanations that enable correct interpretation by oversight personnel."
    },
    {
      "requirement_id": "EU-AIA-ART14-04",
      "section": "Art. 14(4)",
      "title": "Human oversight \u2014 deployer assignment of oversight persons",
      "text": "Deployers shall take appropriate technical and organisational measures to ensure the effective implementation of the human oversight measures as indicated by the provider in the instructions for use. Deployers shall assign oversight to competent natural persons.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/OA-01",
        "apeiris://authority/controls/PA-04",
        "apeiris://agentic/controls/AG-04",
        "apeiris://security/controls/GV-09"
      ],
      "primary_domains": [
        "model",
        "authority",
        "agentic",
        "security"
      ],
      "notes": "OA-01 (Model Ownership Assignment) requires a named accountable owner assigned to every deployed model. PA-04 (Principal Accountability Binding) binds accountability for AI system decisions to a named principal with documented authority and competency requirements. AG-04 (Senior Accountability for Autonomous AI Systems) extends this to agentic systems requiring senior-level accountable owner assignment. GV-09 (Anchor a named business owner to every agent) ensures the oversight assignment is organizationally durable and cannot be left vacant."
    },
    {
      "requirement_id": "EU-AIA-ART14-05",
      "section": "Art. 14(5)",
      "title": "Human oversight \u2014 automation bias prevention",
      "text": "Deployers shall take appropriate measures to ensure that the natural persons to whom human oversight has been assigned are able to properly interpret the AI system's output, taking into account in particular the risks of automation bias.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/HI-04",
        "apeiris://security/controls/GV-10",
        "apeiris://ethics/controls/XP-02",
        "apeiris://ethics/controls/XP-06"
      ],
      "primary_domains": [
        "ethics",
        "security"
      ],
      "notes": "GV-10 (Enable end-user responsibility and guard against automation bias) directly targets automation bias \u2014 it requires systems to present uncertainty information, limitation disclosures, and confidence calibration alongside outputs to prevent uncritical acceptance. HI-04 requires training and procedural safeguards for oversight personnel. XP-02 (Decision-Level Explanation Requirements) ensures outputs are contextualized to support critical evaluation rather than passive acceptance. XP-06 calibrates explanation depth to oversight personnel's technical level."
    },
    {
      "requirement_id": "EU-AIA-ART15-01",
      "section": "Art. 15(1)",
      "title": "Accuracy, robustness, cybersecurity \u2014 appropriate levels throughout lifecycle",
      "text": "High-risk AI systems shall be designed and developed in such a way that they achieve, in the light of their intended purpose, an appropriate level of accuracy, robustness and cybersecurity, and perform consistently in those respects throughout their lifecycle.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/BH-02",
        "apeiris://model/controls/BH-03",
        "apeiris://model/controls/CR-03",
        "apeiris://model/controls/EV-02"
      ],
      "primary_domains": [
        "model"
      ],
      "notes": "BH-02 (Concept and Data Drift Detection) monitors for accuracy degradation due to distribution shift across the lifecycle. BH-03 (Production Performance Degradation Alerting) triggers alerts when production accuracy metrics fall below defined thresholds, enabling timely remediation. CR-03 (Scheduled Model Re-validation) requires periodic re-evaluation against defined accuracy thresholds to confirm sustained compliance throughout the lifecycle. EV-02 establishes the accuracy and robustness metrics against which lifecycle performance is measured."
    },
    {
      "requirement_id": "EU-AIA-ART15-02",
      "section": "Art. 15(2)",
      "title": "Accuracy \u2014 declared accuracy metrics",
      "text": "The levels of accuracy and the relevant accuracy metrics of high-risk AI systems shall be declared in the accompanying instructions for use.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/EV-02",
        "apeiris://model/controls/EV-06",
        "apeiris://model/controls/BH-01",
        "apeiris://model/controls/LI-04"
      ],
      "primary_domains": [
        "model"
      ],
      "notes": "EV-02 (Fitness, Safety, Reliability and Policy-Conformance Evaluation) produces the accuracy metrics that must be declared. EV-06 (Reproducible Evaluation Design) ensures metrics are defined, reproducible, and suitable for public disclosure. BH-01 (Output Anomaly Detection) monitors that production outputs remain consistent with declared accuracy metrics. LI-04 (Model Card) is the primary vehicle for disclosing accuracy metrics in the instructions for use."
    },
    {
      "requirement_id": "EU-AIA-ART15-03",
      "section": "Art. 15(3)",
      "title": "Robustness \u2014 technical robustness to errors, faults, and inconsistencies",
      "text": "High-risk AI systems shall be resilient to errors, faults or inconsistencies that may occur within the system or in the environment in which the systems operate. Technically redundant solutions shall be considered.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/EV-04",
        "apeiris://model/controls/BH-04",
        "apeiris://resilience/controls/FO-01",
        "apeiris://resilience/controls/FO-04"
      ],
      "primary_domains": [
        "model",
        "resilience"
      ],
      "notes": "EV-04 (Adversarial Red-Team Testing) systematically tests robustness under error injection, adversarial inputs, and edge cases. BH-04 (Behavioral Boundary Performance Testing) validates system behavior at boundary conditions and under inconsistent inputs. FO-01 (Graceful Degradation Design Patterns) requires fallback behaviors when primary system components fail. FO-04 (Input Validation and Malformed Request Handling) prevents system failures from malformed or inconsistent inputs at the infrastructure level."
    },
    {
      "requirement_id": "EU-AIA-ART15-04",
      "section": "Art. 15(4)",
      "title": "Cybersecurity \u2014 protection against adversarial attacks",
      "text": "The technical solutions to address cybersecurity of high-risk AI systems shall be appropriate to the relevant circumstances and shall include measures to prevent, detect, respond to, and protect against attacks attempting to manipulate the training dataset, pre-trained components or the deployment environment.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://security/controls/AS-01",
        "apeiris://model/controls/TG-04",
        "apeiris://security/controls/RT-02",
        "apeiris://security/controls/EC-01",
        "apeiris://security/controls/EC-12"
      ],
      "primary_domains": [
        "security",
        "model"
      ],
      "notes": "AS-01 (Adversarial red-team and evaluate before launch) provides comprehensive cybersecurity testing including adversarial attack simulation against the AI system. TG-04 (Data Poisoning Prevention) directly addresses the training dataset manipulation threat cited in Art. 15(4). RT-02 (Detect direct and indirect prompt injection at every input and output) addresses inference-time manipulation attacks on deployed systems. EC-01 (Sandbox \u2014 process isolation to micro-VMs) secures the deployment environment against compromise."
    },
    {
      "requirement_id": "EU-AIA-ART17-01",
      "section": "Art. 17(1)",
      "title": "Quality management system \u2014 establishment",
      "text": "Providers of high-risk AI systems shall put in place a quality management system that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/CG-01",
        "apeiris://compliance/controls/CG-02",
        "apeiris://authority/controls/PO-01",
        "apeiris://compliance/controls/CI-08"
      ],
      "primary_domains": [
        "compliance",
        "authority"
      ],
      "notes": "CG-01 (Compliance Governance Structure) establishes the organizational governance structure that serves as the foundation of the quality management system. CG-02 (Compliance Policy Framework for AI) produces the documented written policies and procedures required by Art. 17(1). PO-01 (Internal Policy Register for AI Deployments) maintains the authoritative register of all AI-related policies and instructions. CI-08 (Compliance Implementation Evidence Package) produces the systematic documentation of the QMS implementation."
    },
    {
      "requirement_id": "EU-AIA-ART17-01a",
      "section": "Art. 17(1)(a)",
      "title": "Quality management system \u2014 compliance strategy",
      "text": "The quality management system shall address a strategy for regulatory compliance including compliance with conformity assessment procedures and with the management of modifications to the high-risk AI system.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/CA-02",
        "apeiris://compliance/controls/CG-02",
        "apeiris://model/controls/LI-09"
      ],
      "primary_domains": [
        "compliance",
        "model"
      ],
      "notes": "CA-02 (Compliance Framework Selection and Mapping) produces a documented compliance strategy covering applicable regulatory frameworks. CG-02 includes the regulatory compliance dimension as a required section of the AI compliance policy framework. LI-09 (Material-Change Determination and Authorization Gate) operationalizes the modification management component, requiring documented determination of whether changes constitute a substantial modification triggering re-assessment."
    },
    {
      "requirement_id": "EU-AIA-ART17-01b",
      "section": "Art. 17(1)(b)",
      "title": "Quality management system \u2014 design and development examination",
      "text": "The quality management system shall address techniques, procedures and systematic actions to be used for the design and development of the high-risk AI system, including design reviews and verification procedures.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/EV-01",
        "apeiris://compliance/controls/CI-06",
        "apeiris://compliance/controls/RF-03",
        "apeiris://model/controls/EV-08"
      ],
      "primary_domains": [
        "model",
        "compliance"
      ],
      "notes": "EV-01 (Pre-Deployment Evaluation Gate) provides the formal design review and verification gate that must be passed before deployment. CI-06 (Internal Audit of AI Compliance Controls) provides systematic review of design-stage compliance control implementation. RF-03 (EU AI Act Technical Documentation Package) documents the design review outcomes for Annex IV technical documentation. EV-08 (Independent Validation) provides external verification against the design requirements."
    },
    {
      "requirement_id": "EU-AIA-ART17-01c",
      "section": "Art. 17(1)(c)",
      "title": "Quality management system \u2014 quality control and assurance",
      "text": "The quality management system shall address procedures for quality control and quality assurance of high-risk AI systems.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/CI-01",
        "apeiris://model/controls/EV-08",
        "apeiris://compliance/controls/AU-01",
        "apeiris://compliance/controls/CI-02"
      ],
      "primary_domains": [
        "compliance",
        "model"
      ],
      "notes": "CI-01 (Compliance Control Testing Program) defines the quality control testing procedures and schedule. EV-08 (Independent Validation) provides the quality assurance function through independent evaluation of system performance against defined criteria. AU-01 (Audit Readiness Program) maintains the QMS in a continuous state of verifiable compliance readiness. CI-02 (Continuous Compliance Monitoring) automates quality assurance through ongoing monitoring rather than point-in-time testing."
    },
    {
      "requirement_id": "EU-AIA-ART17-01f",
      "section": "Art. 17(1)(f)",
      "title": "Quality management system \u2014 post-market monitoring plan",
      "text": "The quality management system shall address a post-market monitoring plan pursuant to Article 72.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/RF-04",
        "apeiris://model/controls/CR-06",
        "apeiris://model/controls/CR-01",
        "apeiris://model/controls/BH-02"
      ],
      "primary_domains": [
        "compliance",
        "model"
      ],
      "notes": "RF-04 (EU AI Act Post-Market Monitoring Plan \u2014 Art. 72) is the Apeiris control specifically designed to satisfy the post-market monitoring plan requirement. CR-06 (Post-Market Surveillance) implements the ongoing monitoring obligations. CR-01 (Continuous Production Monitoring and Risk Aggregation) provides the technical infrastructure for post-market monitoring. BH-02 (Concept and Data Drift Detection) is the primary technical mechanism for detecting post-market performance degradation."
    },
    {
      "requirement_id": "EU-AIA-ART17-01g",
      "section": "Art. 17(1)(g)",
      "title": "Quality management system \u2014 communication to competent authorities",
      "text": "The quality management system shall address accountability provisions, including the designation of roles and responsibilities, and the communication to competent authorities regarding serious incidents.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/AU-05",
        "apeiris://model/controls/CR-05",
        "apeiris://authority/controls/PE-02",
        "apeiris://model/controls/OA-07"
      ],
      "primary_domains": [
        "compliance",
        "model",
        "authority"
      ],
      "notes": "CR-05 (Regulatory Notification and Statutory Reporting) directly addresses the obligation to communicate with competent authorities, including timelines and content requirements for serious incident notifications. AU-05 (Regulatory Examination Response Program) establishes the ongoing relationship and communication protocols with competent authorities. PE-02 (Regulatory Disclosure Readiness) maintains a disclosure-ready evidence package. OA-07 (Incident Escalation Authority Chain) defines the accountability chain for incident reporting decisions."
    },
    {
      "requirement_id": "EU-AIA-ART17-01h",
      "section": "Art. 17(1)(h)",
      "title": "Quality management system \u2014 corrective action system",
      "text": "The quality management system shall address a corrective and preventive action system, including market withdrawal measures where necessary.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/CI-07",
        "apeiris://model/controls/CR-04",
        "apeiris://agentic/controls/AG-05",
        "apeiris://model/controls/LI-06"
      ],
      "primary_domains": [
        "compliance",
        "model",
        "agentic"
      ],
      "notes": "CI-07 (Remediation Tracking and Closure) provides the corrective action tracking system with owner assignment, timeline, and verified closure. CR-04 (AI Incident Response Management) handles the incident-triggered corrective action process. AG-05 (Agent Incident Response Program) extends this to agentic systems. LI-06 (Immutable Version Control with Tested Rollback and Emergency Disable) provides the technical mechanism for market withdrawal \u2014 the emergency disable and rollback to a prior safe version."
    },
    {
      "requirement_id": "EU-AIA-ART18-01",
      "section": "Art. 18(1)",
      "title": "Documentation retention \u2014 10-year retention obligation",
      "text": "Providers of high-risk AI systems shall retain the technical documentation referred to in Article 11, the declaration of conformity, the quality management system documentation, and the post-market monitoring documentation for a period ending 10 years after the AI system has been placed on the market.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://compliance/controls/AU-02",
        "apeiris://model/controls/CR-02",
        "apeiris://authority/controls/PE-01"
      ],
      "primary_domains": [
        "compliance",
        "model",
        "authority"
      ],
      "notes": "AU-02 (Evidence Collection, Curation, and Validation) governs the evidence retention program including retention schedules. CR-02 (Model Evidence Archive and Audit Trail) provides long-term archive of model-layer evidence. PE-01 (Policy Evidence Archive) maintains policy and governance documentation. Partial: the specific 10-year retention period requires explicit configuration in organizational data retention policies; Apeiris provides the governance framework but does not enforce a specific statutory duration \u2014 this must be configured per-organization. Declaration of conformity retention is a legal act outside Apeiris scope."
    },
    {
      "requirement_id": "EU-AIA-ART18-02",
      "section": "Art. 18(2)",
      "title": "Documentation retention \u2014 availability to authorities on request",
      "text": "The documentation referred to in paragraph 1 shall be kept available to the relevant national competent authorities and the AI Office upon request.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/AU-03",
        "apeiris://authority/controls/PE-02",
        "apeiris://compliance/controls/AU-04"
      ],
      "primary_domains": [
        "compliance",
        "authority"
      ],
      "notes": "AU-03 (Auditor Access and Cooperation Protocols) establishes the access control and cooperation procedures for providing documentation to competent authorities on request, including response timelines and access provisioning. PE-02 (Regulatory Disclosure Readiness) maintains a continuously updated regulatory evidence package ready for authority inspection. AU-04 (Audit Trail Integrity) ensures that documentation provided to authorities is cryptographically verifiable as unaltered."
    },
    {
      "requirement_id": "EU-AIA-ART19-01",
      "section": "Art. 19(1)",
      "title": "Conformity assessment \u2014 procedure selection and completion",
      "text": "Providers of high-risk AI systems shall ensure that their systems are subject to a conformity assessment procedure prior to placing on the market or putting into service, in accordance with Articles 43 to 49.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://compliance/controls/RF-02",
        "apeiris://compliance/controls/OB-04",
        "apeiris://compliance/controls/AU-01",
        "apeiris://compliance/controls/RF-03"
      ],
      "primary_domains": [
        "compliance"
      ],
      "notes": "RF-02 (EU AI Act Conformity Assessment Pathway Selection) provides the Apeiris control for selecting and documenting the applicable conformity assessment pathway. OB-04 (EU AI Act Conformity Assessment Obligation Management) tracks the conformity assessment as a managed obligation. AU-01 (Audit Readiness Program) maintains the organization in a state ready for third-party conformity assessment. RF-03 produces the technical documentation required for the assessment. Partial: the actual notified body assessment for Annex III high-risk systems, the EU Declaration of Conformity, CE marking, and EU database registration are formal regulatory acts that occur outside the Apeiris control framework."
    },
    {
      "requirement_id": "EU-AIA-ART19-02",
      "section": "Art. 19(2)",
      "title": "Conformity assessment \u2014 re-assessment on substantial modification",
      "text": "High-risk AI systems which have already been subject to a conformity assessment procedure shall undergo a new conformity assessment procedure whenever they are substantially modified, regardless of whether the modified system is intended to be further distributed or continues to be used by the current deployer.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://model/controls/LI-09",
        "apeiris://compliance/controls/RF-02",
        "apeiris://compliance/controls/OB-04",
        "apeiris://model/controls/OA-05"
      ],
      "primary_domains": [
        "model",
        "compliance"
      ],
      "notes": "LI-09 (Material-Change Determination and Authorization Gate) is the direct gate for determining whether a system change constitutes a substantial modification requiring re-assessment. RF-02 governs the conformity assessment pathway once a substantial modification is confirmed. OB-04 tracks re-assessment as a regulatory obligation triggered by LI-09 findings. OA-05 (Regulatory and Legal Review Sign-Off) requires regulatory counsel sign-off on material change determinations. Partial: the same formal regulatory procedure limitations as Art. 19(1) apply \u2014 the actual re-assessment with notified body or internal procedure, and updated EU database registration, are outside Apeiris scope."
    },
    {
      "requirement_id": "EU-AIA-ART20-01",
      "section": "Art. 20(1)",
      "title": "Post-market monitoring \u2014 proactive system",
      "text": "Providers of high-risk AI systems shall establish and document a post-market monitoring system in a manner that is proportionate to the nature of the AI technologies and the risks of the high-risk AI system.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/CR-06",
        "apeiris://compliance/controls/RF-04",
        "apeiris://model/controls/CR-01",
        "apeiris://model/controls/BH-02"
      ],
      "primary_domains": [
        "model",
        "compliance"
      ],
      "notes": "CR-06 (Post-Market Surveillance) is the Apeiris control that directly establishes and documents the post-market monitoring system with risk-proportionate scope and frequency. RF-04 (EU AI Act Post-Market Monitoring Plan \u2014 Art. 72) provides the formal documented plan required by this article. CR-01 (Continuous Production Monitoring and Risk Aggregation) provides the technical infrastructure. BH-02 (Concept and Data Drift Detection) ensures the monitoring system detects distributional changes that may affect system behavior in post-market conditions."
    },
    {
      "requirement_id": "EU-AIA-ART20-02",
      "section": "Art. 20(2)",
      "title": "Post-market monitoring \u2014 data collection and analysis plan",
      "text": "The post-market monitoring system shall actively collect and analyse data on the performance of high-risk AI systems throughout their lifetime in order to identify necessary updates and potential risks.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://compliance/controls/RF-04",
        "apeiris://model/controls/CR-03",
        "apeiris://model/controls/BH-03",
        "apeiris://model/controls/BH-07"
      ],
      "primary_domains": [
        "compliance",
        "model"
      ],
      "notes": "RF-04 includes an active data collection and analysis plan as a required component of the post-market monitoring plan. CR-03 (Scheduled Model Re-validation) implements the periodic analysis of collected performance data. BH-03 (Production Performance Degradation Alerting) provides the automated detection of performance changes that may require corrective action or system update. BH-07 (Resource and Cost Anomaly Monitoring) extends monitoring to operational risk indicators beyond model accuracy."
    },
    {
      "requirement_id": "EU-AIA-ART21-01",
      "section": "Art. 21(1)",
      "title": "Serious incident reporting \u2014 obligation to report to authorities",
      "text": "Providers of high-risk AI systems placed on the market of the Union shall report any serious incident to the market surveillance authorities of the Member States where that incident occurred.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/CR-04",
        "apeiris://model/controls/CR-05",
        "apeiris://agentic/controls/AG-05",
        "apeiris://compliance/controls/CG-06"
      ],
      "primary_domains": [
        "model",
        "agentic",
        "compliance"
      ],
      "notes": "CR-04 (AI Incident Response Management) is the primary incident management control \u2014 it defines severity classification (including the 'serious incident' threshold under Art. 3(49)), investigation procedures, and documented escalation paths. CR-05 (Regulatory Notification and Statutory Reporting) governs the regulatory reporting obligation triggered by serious incidents, including authority identification, timeline compliance, and report content requirements. AG-05 (Agent Incident Response Program) extends this to agentic AI systems. CG-06 (Compliance Incident Response) ensures organizational compliance with the reporting obligation at the governance level."
    },
    {
      "requirement_id": "EU-AIA-ART25-02",
      "section": "Art. 25(2)",
      "title": "Value chain obligations \u2014 deployer obligations for high-risk AI",
      "text": "Deployers of high-risk AI systems shall: use systems in accordance with instructions for use; assign human oversight to natural persons with competence; take appropriate measures to monitor AI systems; notify providers of serious incidents; inform workers' representatives and affected workers.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/OA-01",
        "apeiris://authority/controls/PA-04",
        "apeiris://compliance/controls/CA-07",
        "apeiris://model/controls/OA-02"
      ],
      "primary_domains": [
        "model",
        "authority",
        "compliance"
      ],
      "notes": "OA-01 (Model Ownership Assignment) and PA-04 (Principal Accountability Binding) establish named accountable persons with competency requirements, satisfying the human oversight assignment obligation. CA-07 (Third-Party and Supply Chain Compliance Obligations) manages the deployer's compliance obligations toward the provider. OA-02 (Meaningful Human Oversight for High-Stakes Decisions) provides the monitoring framework. CR-04 and CR-05 (via the provider domain) cover serious incident notification back to providers and authorities."
    },
    {
      "requirement_id": "EU-AIA-ART25-03",
      "section": "Art. 25(3)",
      "title": "Value chain obligations \u2014 substantial modification obligations",
      "text": "Any provider who places on the market or puts into service a high-risk AI system that has been substantially modified by a third party, or who substantially modifies a high-risk AI system for their own use, shall be considered a provider and shall comply with all provider obligations.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://model/controls/LI-09",
        "apeiris://compliance/controls/RF-02",
        "apeiris://model/controls/OA-05",
        "apeiris://compliance/controls/CA-07"
      ],
      "primary_domains": [
        "model",
        "compliance"
      ],
      "notes": "LI-09 (Material-Change Determination and Authorization Gate) detects substantial modifications and triggers the appropriate regulatory pathway. RF-02 (EU AI Act Conformity Assessment Pathway Selection) governs the provider obligation triggered by substantial modification. OA-05 (Regulatory and Legal Review Sign-Off) ensures legal determination of provider status is formally made. CA-07 maps the full chain of provider obligations triggered. Partial: the legal determination of who becomes a 'provider' in complex distribution chains, and the transfer of documentation and obligations along the supply chain, involves legal and contractual dimensions beyond technical controls."
    },
    {
      "requirement_id": "EU-AIA-ART50-01",
      "section": "Art. 50(1)",
      "title": "Transparency \u2014 notification that users interact with AI",
      "text": "Providers shall ensure that AI systems intended to interact directly with natural persons are designed and developed in such a way that the natural persons concerned are informed that they are interacting with an AI system.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://ethics/controls/XP-05",
        "apeiris://security/controls/GV-07",
        "apeiris://model/controls/BH-09",
        "apeiris://ethics/controls/HI-06"
      ],
      "primary_domains": [
        "ethics",
        "security",
        "model"
      ],
      "notes": "XP-05 (Model Card and System Card Transparency Disclosure) requires disclosure of AI nature as a mandatory transparency element. GV-07 (Protect humans from being deceived by an agent) specifically prohibits design patterns that conceal an AI system's nature \u2014 directly implementing Art. 50(1)'s anti-deception requirement. BH-09 (Synthetic-Content Provenance, Disclosure and Traceability) extends this to AI-generated content disclosure. HI-06 (Consent and Agency Preservation for AI Interactions) requires that users have clear, informed understanding of the nature of their interaction before commencing."
    },
    {
      "requirement_id": "EU-AIA-ART50-02",
      "section": "Art. 50(2)",
      "title": "Transparency \u2014 deepfake and synthetic media notification",
      "text": "Providers of AI systems generating synthetic audio, image, video or text content shall ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated or manipulated.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/BH-09",
        "apeiris://ethics/controls/XP-05",
        "apeiris://security/controls/GV-07"
      ],
      "primary_domains": [
        "model",
        "ethics",
        "security"
      ],
      "notes": "BH-09 (Synthetic-Content Provenance, Disclosure and Traceability) is the primary control \u2014 it requires that all AI-generated content is marked with provenance metadata, source model identification, and generation timestamp, in a format compatible with C2PA or equivalent machine-readable marking standards. XP-05 provides the system-level disclosure framework. GV-07 enforces that deceptive presentation of synthetic content as genuine is prohibited."
    },
    {
      "requirement_id": "EU-AIA-ART50-03",
      "section": "Art. 50(3)",
      "title": "Transparency \u2014 AI-generated text disclosure for matters of public interest",
      "text": "Deployers of AI systems that generate or manipulate text that constitutes an AIGS publication on matters of public interest shall disclose that the text has been artificially generated or manipulated.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://model/controls/BH-09",
        "apeiris://ethics/controls/XP-05",
        "apeiris://authority/controls/PO-06"
      ],
      "primary_domains": [
        "model",
        "ethics",
        "authority"
      ],
      "notes": "BH-09 provides the technical content marking and provenance tracking. XP-05 covers system-level disclosure policies. PO-06 (Communication and Commitment Policy) governs AI use in external communications that may constitute matters of public interest. Partial: the 'matters of public interest' determination and the specific disclosure format requirements (which depend on the publication medium and jurisdiction-specific guidance from the AI Office) require legal interpretation and operational workflow design that extends beyond Apeiris controls."
    },
    {
      "requirement_id": "EU-AIA-ART50-04",
      "section": "Art. 50(4)",
      "title": "Transparency \u2014 machine-readable content marking",
      "text": "AI-generated or manipulated content shall be marked in a machine-readable format and shall be detectable as artificially generated or manipulated in a technically feasible and reliable way.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://model/controls/BH-09",
        "apeiris://model/controls/LI-06"
      ],
      "primary_domains": [
        "model"
      ],
      "notes": "BH-09 (Synthetic-Content Provenance, Disclosure and Traceability) covers the machine-readable marking requirement with C2PA-compatible metadata. LI-06 (Immutable Version Control with Tested Rollback and Emergency Disable) provides tamper-evident version tracking that underpins content authenticity claims. Partial: reliable machine-detectable marking for all media types (particularly audio and video) requires integration with C2PA coalition tooling, watermarking infrastructure, and output pipeline configuration that is implementation-specific and depends on third-party marking technology not within Apeiris's direct control."
    },
    {
      "requirement_id": "EU-AIA-ART53-01a",
      "section": "Art. 53(1)(a)",
      "title": "GPAI model obligations \u2014 technical documentation",
      "text": "Providers of general-purpose AI models shall draw up and keep up-to-date technical documentation of the model, including the training process and the evaluation results.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/LI-04",
        "apeiris://model/controls/LI-02",
        "apeiris://model/controls/LI-07",
        "apeiris://model/controls/EV-10"
      ],
      "primary_domains": [
        "model"
      ],
      "notes": "LI-04 (Structured Model Documentation \u2014 Complete Model Card) provides the primary technical documentation artifact for GPAI models including architecture description, training methodology, and capability documentation. LI-02 (Model Provenance Chain) documents the base model, pre-training, fine-tuning, and adapter lineage. EV-10 (Evaluation Result Provenance) documents evaluation methodology and results with full traceability. LI-07 (Capability and Limitation Declaration) captures the intended use, known capabilities, and limitations that Annex XI (GPAI technical documentation) requires."
    },
    {
      "requirement_id": "EU-AIA-ART53-01b",
      "section": "Art. 53(1)(b)",
      "title": "GPAI model obligations \u2014 information and documentation for downstream providers",
      "text": "Providers of general-purpose AI models shall make available information and documentation to providers of AI systems who intend to integrate the general-purpose AI model into their AI systems.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/LI-04",
        "apeiris://model/controls/LI-07",
        "apeiris://compliance/controls/CA-07",
        "apeiris://model/controls/LI-08"
      ],
      "primary_domains": [
        "model",
        "compliance"
      ],
      "notes": "LI-04 and LI-07 together produce the model card and capability documentation required by Annex XII for downstream provider disclosure. CA-07 (Third-Party and Supply Chain Compliance Obligations) governs the compliance disclosure obligations toward downstream system integrators. LI-08 (License and IP Governance) covers the license and permitted-use information that downstream providers need to assess their own compliance obligations when integrating a GPAI model."
    },
    {
      "requirement_id": "EU-AIA-ART53-01c",
      "section": "Art. 53(1)(c)",
      "title": "GPAI model obligations \u2014 copyright compliance policy",
      "text": "Providers of general-purpose AI models shall put in place a policy to comply with Union law on copyright and related rights, in particular to identify and comply with a reservation of rights expressed pursuant to Article 4(3) of Directive 2019/790.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/TG-03",
        "apeiris://model/controls/LI-08",
        "apeiris://model/controls/TG-07"
      ],
      "primary_domains": [
        "model"
      ],
      "notes": "TG-03 (Data Rights, Lawful Authority and Permitted Use) requires documented legal basis for all training data sources, including identification and compliance with opt-out signals under Article 4(3) TDM exceptions. LI-08 (License and IP Governance \u2014 Dataset License Tracking, Derivative Work Authority) provides the license tracking system that identifies rights reservations in training datasets. TG-07 (Third-Party Dataset Governance) extends this to datasets acquired from third parties, requiring contractual representations of rights clearance."
    },
    {
      "requirement_id": "EU-AIA-ART53-01d",
      "section": "Art. 53(1)(d)",
      "title": "GPAI model obligations \u2014 AI-generated content marking support",
      "text": "Providers of general-purpose AI models shall publish a summary about the content used for training of the general-purpose AI model and support technical solutions for AI-generated content marking.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://model/controls/BH-09",
        "apeiris://model/controls/LI-07",
        "apeiris://model/controls/TG-03"
      ],
      "primary_domains": [
        "model"
      ],
      "notes": "BH-09 (Synthetic-Content Provenance, Disclosure and Traceability) covers the technical AI-generated content marking support obligation. LI-07 and TG-03 together support the training data summary disclosure. Partial: the public training data summary is a publishing obligation \u2014 requiring a structured summary document published in the EU AI Office's designated format \u2014 that goes beyond technical controls into legal disclosure obligations. The specific format and publication mechanism are defined by implementing acts not yet fully in force."
    },
    {
      "requirement_id": "EU-AIA-ART55-01a",
      "section": "Art. 55(1)(a)",
      "title": "GPAI systemic risk \u2014 adversarial testing",
      "text": "Providers of GPAI models with systemic risk shall perform model evaluations in accordance with standardised protocols and tools reflecting the state of the art, including adversarial testing of the model to identify and mitigate systemic risks.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/EV-04",
        "apeiris://security/controls/AS-01",
        "apeiris://model/controls/EV-03",
        "apeiris://security/controls/AS-05"
      ],
      "primary_domains": [
        "model",
        "security"
      ],
      "notes": "EV-04 (Adversarial Red-Team Testing) provides the structured adversarial testing methodology required by this article, including capability elicitation, jailbreak testing, and dangerous-use scenario evaluation. AS-01 (Adversarially red-team and evaluate before launch) provides the agentic deployment variant of red-team evaluation. EV-03 (Dangerous Capability Threshold Assessment) specifically addresses systemic risks from frontier capabilities \u2014 evaluating whether the model crosses capability thresholds that trigger enhanced risk management. AS-05 (Study frontier offensive capability before public release) aligns with the 'state of the art' evaluation requirement."
    },
    {
      "requirement_id": "EU-AIA-ART55-01b",
      "section": "Art. 55(1)(b)",
      "title": "GPAI systemic risk \u2014 serious incident notification",
      "text": "Providers of GPAI models with systemic risk shall assess and mitigate possible systemic risks, including their sources, which may stem from the development, the placing on the market, or the use of GPAI models with systemic risk.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://model/controls/CR-04",
        "apeiris://model/controls/CR-05",
        "apeiris://agentic/controls/AG-05",
        "apeiris://model/controls/CR-01"
      ],
      "primary_domains": [
        "model",
        "agentic"
      ],
      "notes": "CR-04 (AI Incident Response Management) provides the structured process for identifying, investigating, and mitigating serious incidents arising from GPAI model deployments. CR-05 (Regulatory Notification and Statutory Reporting) governs the notification obligation to the AI Office when systemic risks or serious incidents are identified. AG-05 extends incident response to agentic deployment contexts. CR-01 (Continuous Production Monitoring and Risk Aggregation) provides ongoing systemic risk signal aggregation across all deployment instances."
    },
    {
      "requirement_id": "EU-AIA-ART55-01c",
      "section": "Art. 55(1)(c)",
      "title": "GPAI systemic risk \u2014 cybersecurity protection",
      "text": "Providers of GPAI models with systemic risk shall ensure an adequate level of cybersecurity protection for the GPAI model with systemic risk and the physical infrastructure of the model.",
      "coverage": "direct",
      "apeiris_controls": [
        "apeiris://security/controls/AS-01",
        "apeiris://security/controls/EC-01",
        "apeiris://security/controls/GV-04",
        "apeiris://model/controls/TG-04"
      ],
      "primary_domains": [
        "security",
        "model"
      ],
      "notes": "AS-01 (Adversarial red-team and evaluate before launch) provides comprehensive cybersecurity testing for the model and its infrastructure. EC-01 (Run the agent in a sandbox, from process isolation up to micro-VMs) secures the physical and virtual infrastructure running GPAI models. GV-04 (Enforce policy as code at run time, in the request path) provides the runtime enforcement layer for cybersecurity controls on model access. TG-04 (Data Poisoning Prevention) protects the training pipeline \u2014 a key attack surface for GPAI models \u2014 from adversarial manipulation."
    },
    {
      "requirement_id": "EU-AIA-ART55-01d",
      "section": "Art. 55(1)(d)",
      "title": "GPAI systemic risk \u2014 energy efficiency reporting",
      "text": "Providers of GPAI models with systemic risk shall report without undue delay to the AI Office information about serious incidents and possible corrective measures taken to address them, as well as information related to energy consumption.",
      "coverage": "partial",
      "apeiris_controls": [
        "apeiris://model/controls/CR-05",
        "apeiris://compliance/controls/CI-03",
        "apeiris://model/controls/BH-07"
      ],
      "primary_domains": [
        "model",
        "compliance"
      ],
      "notes": "CR-05 (Regulatory Notification and Statutory Reporting) covers the serious incident reporting and corrective measures communication obligation to the AI Office. CI-03 (AI-Specific Compliance KPIs) can be configured to track and report energy-consumption metrics as a regulatory KPI. BH-07 (Resource and Cost Anomaly Monitoring) monitors computational resource consumption, which correlates with energy use. Partial: energy consumption reporting for GPAI models requires dedicated energy metering infrastructure and standardised reporting metrics (defined by AI Office codes of practice) that are technical infrastructure obligations substantially outside the Apeiris AI governance control plane."
    }
  ],
  "meta": {
    "generated_at": "2026-06-29T00:00:00.000Z",
    "endpoint": "https://apeiris.ai/integration/coverage/eu_ai_act_coverage.json",
    "description": "Maps EU AI Act (Regulation 2024/1689) obligations for high-risk AI systems, prohibited AI practices, GPAI model obligations, and transparency requirements to Apeiris controls. Covers Chapter II Art. 5 (prohibited practices), Chapter III Section 2 Arts. 9-15 and 17-21 (high-risk AI system obligations), Chapter IV Art. 50 (transparency for certain AI systems), Chapter V Arts. 53 and 55 (GPAI model obligations), and Art. 25 (value chain obligations). CE marking, EU Declaration of Conformity filing, notified body assessments, and EU AI Act database registration (Art. 71) are formal regulatory legal acts outside Apeiris evidence control scope.",
    "coverage_notes": {
      "out_of_scope_items": [
        "CE marking and affixing (Art. 48)",
        "EU Declaration of Conformity (Art. 47)",
        "Notified body selection and engagement (Arts. 43-46)",
        "EU AI Act database registration (Art. 71)",
        "Market surveillance authority designation (Art. 70)",
        "Energy metering infrastructure for GPAI energy reporting"
      ],
      "primary_domains_covered": [
        "model",
        "compliance",
        "agentic",
        "ethics",
        "security",
        "authority",
        "privacy",
        "identity",
        "resilience",
        "data"
      ],
      "law_reference": "Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on laying down harmonised rules on artificial intelligence",
      "application_date_notes": {
        "prohibited_ai_art5": "2025-02-02",
        "gpai_model_obligations_art53_55": "2025-08-02",
        "high_risk_ai_system_obligations": "2026-08-02",
        "full_application": "2027-08-02"
      },
      "enforcement_gating": {
        "date_basis": "EU AI Act Regulation (EU) 2024/1689 as originally enacted, without Digital Omnibus amendments",
        "legal_status": "enacted",
        "omnibus_status": "pending-final-adoption",
        "omnibus_note": "The European Commission proposed Digital Omnibus amendments (Feb 2025) that may reduce compliance obligations for certain Annex III high-risk AI system categories. This mapping reflects the original 2024/1689 text. Verify obligations against final Omnibus adoption status before relying on this mapping for compliance purposes.",
        "last_verified_on": "2026-06-29",
        "affected_provisions": [
          "Annex III high-risk AI classifications \u2014 scope may narrow under Omnibus",
          "Art. 9 risk management obligations \u2014 burden reduction proposed for some categories",
          "Art. 10 data governance obligations \u2014 simplifications proposed",
          "Art. 53 GPAI model obligations \u2014 transparency obligation adjustments proposed"
        ]
      }
    }
  }
}
