{"pack_id":"eu-ai-act-2026","pack_version":"1.1.0","total_phases":10,"phases":[{"phase":1,"title":"Prohibited Practices Screen","articles":["Article 5"],"fine_tier":"Article 99 paragraph 3 · up to 7% of worldwide annual turnover or EUR 35M","intro":"Article 5 prohibits eight specific AI practices, including subliminal manipulation, social scoring, untargeted facial recognition database scraping, real-time biometric identification in public spaces for law enforcement, predictive policing based solely on profiling, and emotion recognition in workplace or education. This phase confirms none are present in your AI footprint.","questions":[{"id":"p1_q1","label":"Does any of your AI use subliminal, manipulative, or deceptive techniques distorting behavior in a way that causes harm?","kind":"yes_no","required":true,"fail_value":"yes"},{"id":"p1_q2","label":"Does any of your AI exploit vulnerabilities tied to age, disability, or socio-economic status to materially distort behavior?","kind":"yes_no","required":true,"fail_value":"yes"},{"id":"p1_q3","label":"Does any of your AI conduct social scoring of natural persons based on behavior or personal traits leading to detrimental treatment?","kind":"yes_no","required":true,"fail_value":"yes"},{"id":"p1_q4","label":"Does any of your AI assess criminal-offense risk based solely on profiling or personality traits?","kind":"yes_no","required":true,"fail_value":"yes"},{"id":"p1_q5","label":"Does any of your AI build or expand facial recognition databases by untargeted scraping from the internet or CCTV?","kind":"yes_no","required":true,"fail_value":"yes"},{"id":"p1_q6","label":"Does any of your AI infer emotion in workplace or educational settings (excluding medical / safety reasons)?","kind":"yes_no","required":true,"fail_value":"yes"},{"id":"p1_q7","label":"Does any of your AI use biometric categorization to deduce race, political opinion, trade union membership, religion, sex life, or sexual orientation?","kind":"yes_no","required":true,"fail_value":"yes"},{"id":"p1_q8","label":"Does any of your AI use real-time remote biometric identification in publicly accessible spaces for law enforcement purposes?","kind":"yes_no","required":true,"fail_value":"yes"}]},{"phase":2,"title":"Role and Classification","articles":["Article 3","Article 6","Annex III"],"fine_tier":"Wrong role declaration is itself an Article 99 paragraph 5 misleading-info offense · up to 1.5% turnover or EUR 7.5M","intro":"EU AI Act applies different obligations to providers, deployers, importers, distributors, and authorized representatives. High-risk classification (Annex III) triggers the full Chapter III stack. This phase locks your role and surfaces your high-risk inventory.","questions":[{"id":"p2_q1","label":"Primary role under the Act for this scope","kind":"select","required":true,"options":["provider","deployer","importer","distributor","authorized_representative","gpai_provider","mixed"]},{"id":"p2_q2","label":"Are you established in the EU?","kind":"yes_no","required":true},{"id":"p2_q3","label":"Does any AI you provide or deploy fall into an Annex III high-risk category?","kind":"multi_select","required":true,"options":["biometrics","critical_infrastructure","education_vocational","employment_workers_management","access_to_essential_services","law_enforcement","migration_asylum_border","administration_of_justice_democratic_processes","none"]},{"id":"p2_q4","label":"How many distinct AI systems do you maintain a registered inventory for?","kind":"number","required":true},{"id":"p2_q5","label":"Do you operate or distribute General Purpose AI models (foundation models) above any compute threshold?","kind":"select","required":true,"options":["no","below_systemic_threshold","at_or_above_systemic_threshold","unclear_monitoring"]}]},{"phase":3,"title":"Risk Management Lifecycle","articles":["Article 9"],"fine_tier":"Article 99 paragraph 4 · up to 3% turnover or EUR 15M","intro":"Article 9 requires a continuous, iterative risk management system across the entire AI lifecycle. Not point-in-time. Not a document. A running process with documented identification, evaluation, mitigation, and post-market review.","questions":[{"id":"p3_q1","label":"Do you maintain a continuous risk management system documented per high-risk system?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p3_q2","label":"How frequently is risk identification re-run per system?","kind":"select","required":true,"options":["continuous","monthly","quarterly","annual","ad_hoc","never"]},{"id":"p3_q3","label":"Do mitigation measures include both technical controls and human oversight measures (Article 9 paragraph 4)?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p3_q4","label":"Have you tested the system on vulnerable subgroups under Article 9 paragraph 9?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p3_q5","label":"Are remaining residual risks judged acceptable and communicated to the deployer?","kind":"yes_no","required":true,"fail_value":"no"}]},{"phase":4,"title":"Data and Data Governance","articles":["Article 10"],"fine_tier":"Article 99 paragraph 4 · up to 3% turnover or EUR 15M","intro":"Article 10 governs training, validation, and testing datasets. Relevance, representativeness, accuracy, bias examination, and lawful processing under data protection law. The provision bites whether or not GDPR also applies.","questions":[{"id":"p4_q1","label":"Are training, validation, and test data subject to data governance practices appropriate to the intended purpose (Article 10 paragraph 2)?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p4_q2","label":"Have you examined the data for possible biases that could affect protected groups or safety?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p4_q3","label":"Are training data sets relevant, sufficiently representative, free of errors, and complete in respect of intended purpose?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p4_q4","label":"Where Article 10 paragraph 5 applies, do you process special-category personal data only under the strict bias-detection exception with documented safeguards?","kind":"select","required":true,"options":["not_applicable","yes_documented","partial","no"]},{"id":"p4_q5","label":"Is data lineage documented and retrievable per system?","kind":"yes_no","required":true,"fail_value":"no"}]},{"phase":5,"title":"Logging, Record-Keeping, and Transparency","articles":["Article 11","Article 12","Annex IV"],"fine_tier":"Article 99 paragraph 4 · up to 3% turnover or EUR 15M","intro":"Article 11 requires technical documentation in Annex IV format before placing on the market. Article 12 requires automated logging across the lifetime of the system. Together they create the audit trail an EU notified body or market surveillance authority can subpoena.","questions":[{"id":"p5_q1","label":"Is Annex IV technical documentation drafted and current per high-risk system?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p5_q2","label":"Are automated logs generated for every operation as required by Article 12 paragraph 1?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p5_q3","label":"Logs retention period per Article 12 paragraph 3","kind":"select","required":true,"options":["under_6_months","6_to_12_months","12_months_plus","longer_than_lifecycle_of_system","none"]},{"id":"p5_q4","label":"Can logs be exported on regulator request without modification?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p5_q5","label":"Is the technical documentation kept for 10 years after placing on the market per Article 18?","kind":"yes_no","required":true,"fail_value":"no"}]},{"phase":6,"title":"Human Oversight and Deployer Information","articles":["Article 13","Article 14"],"fine_tier":"Article 99 paragraph 4 · up to 3% turnover or EUR 15M","intro":"Article 14 requires effective human oversight measures designed into the system. Article 13 requires the provider to ship instructions for use that enable the deployer to understand outputs, intervene, and stop the system. Together they prevent the system from making consequential decisions without a competent human in the loop.","questions":[{"id":"p6_q1","label":"Are human oversight measures designed into the system per Article 14 paragraph 2 (e.g. stop button, override controls, output explainability)?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p6_q2","label":"Is at least one human capable of understanding the system limitations and intervening before consequential decisions?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p6_q3","label":"Do deployer instructions cover intended purpose, performance metrics, foreseeable misuse, and human oversight measures (Article 13 paragraph 3)?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p6_q4","label":"Are deployer instructions available in the language of the EU country where the system is used?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p6_q5","label":"Is over-reliance on the system (automation bias) explicitly addressed in deployer instructions?","kind":"yes_no","required":true,"fail_value":"no"}]},{"phase":7,"title":"Accuracy, Robustness, Cybersecurity, and QMS","articles":["Article 15","Article 16","Article 17"],"fine_tier":"Article 99 paragraph 4 · up to 3% turnover or EUR 15M","intro":"Article 15 requires that high-risk AI achieve an appropriate level of accuracy, robustness, and cybersecurity throughout its lifecycle. Articles 16 and 17 require a quality management system for providers, documented and ratified at the top of the organization.","questions":[{"id":"p7_q1","label":"Are accuracy metrics declared in instructions and measured against in production?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p7_q2","label":"Is the system robust to errors, faults, and inconsistencies (Article 15 paragraph 3)?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p7_q3","label":"Cybersecurity controls in place per Article 15 paragraph 4","kind":"multi_select","required":true,"options":["adversarial_robustness_testing","data_poisoning_protections","model_evasion_protections","confidentiality_attacks","none"]},{"id":"p7_q4","label":"Do you operate a documented quality management system per Article 17?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p7_q5","label":"Is top management formally accountable for the QMS and reviewing it periodically?","kind":"yes_no","required":true,"fail_value":"no"}]},{"phase":8,"title":"Authorized Representative, Value Chain, Deployer, and FRIA","articles":["Article 22","Article 25","Article 26","Article 27"],"fine_tier":"Article 99 paragraph 4 · up to 3% turnover or EUR 15M","intro":"Non-EU providers must appoint an authorized representative (Article 22). Article 25 surfaces value-chain provider-flip scenarios where a distributor or downstream party becomes a provider. Article 26 stacks separate obligations on deployers. Article 27 requires a Fundamental Rights Impact Assessment for public-sector deployers and other defined categories.","questions":[{"id":"p8_q1","label":"If non-EU provider, do you have a written mandate with an EU-established authorized representative?","kind":"select","required":true,"options":["not_applicable_eu_provider","yes_mandate_in_force","in_progress","no"]},{"id":"p8_q2","label":"Have you assessed Article 25 value-chain scenarios that could flip you to provider role (rebranding, modification, substantial change)?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p8_q3","label":"For deployers, do you operate the system in accordance with the provider instructions and ensure human oversight (Article 26)?","kind":"select","required":true,"options":["not_applicable_pure_provider","yes_documented","partial","no"]},{"id":"p8_q4","label":"Is a Fundamental Rights Impact Assessment performed and renewed where Article 27 applies?","kind":"select","required":true,"options":["not_applicable","completed_current","in_progress","not_done"]},{"id":"p8_q5","label":"Are FRIA outcomes communicated to the relevant market surveillance authority before first use where required?","kind":"select","required":true,"options":["not_applicable","yes","partial","no"]}]},{"phase":9,"title":"EU Declaration of Conformity, Database Registration, and Transparency","articles":["Article 47","Article 49","Article 50","Annex V"],"fine_tier":"Article 99 paragraph 4 · up to 3% turnover or EUR 15M","intro":"Before placing on the market the provider draws up an EU Declaration of Conformity (Article 47) and registers the system in the EU database (Article 49). Article 50 layers limited-risk transparency for AI interacting with humans, generative AI, deepfakes, and biometric categorization.","questions":[{"id":"p9_q1","label":"Is an EU Declaration of Conformity drawn up per Annex V and signed before market placement?","kind":"select","required":true,"options":["yes_signed_current","in_progress","not_done","not_applicable_not_high_risk"]},{"id":"p9_q2","label":"Has the system been registered in the EU database per Article 49 (or registration prepared for not-yet-placed systems)?","kind":"select","required":true,"options":["yes_registered","in_progress","not_done","not_applicable"]},{"id":"p9_q3","label":"For AI that interacts with humans, are users informed they are interacting with an AI system per Article 50 paragraph 1?","kind":"select","required":true,"options":["not_applicable","yes","partial","no"]},{"id":"p9_q4","label":"For generative AI, are outputs marked as AI-generated in a machine-readable manner per Article 50 paragraph 2?","kind":"select","required":true,"options":["not_applicable","yes","partial","no"]},{"id":"p9_q5","label":"For deepfakes, is content labelled as artificially generated per Article 50 paragraph 4?","kind":"select","required":true,"options":["not_applicable","yes","partial","no"]}]},{"phase":10,"title":"Post-Market Monitoring, Incidents, and Sign-Off","articles":["Article 72","Article 73","Article 99 paragraph 5","Articles 51 to 55 GPAI"],"fine_tier":"Article 99 paragraph 5 · misleading information up to 1.5% turnover or EUR 7.5M","intro":"Article 72 requires a documented post-market monitoring system. Article 73 requires reporting of serious incidents and malfunctions to market surveillance. GPAI providers track separate obligations under Articles 51 to 55. Article 99 paragraph 5 penalizes incorrect, incomplete, or misleading information to authorities. Final sign-off attests that responses across all 10 phases are accurate to the best of the signer knowledge.","questions":[{"id":"p10_q1","label":"Do you operate a documented post-market monitoring system per Article 72?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p10_q2","label":"Are serious incidents reported to market surveillance within Article 73 timelines (15 days general, 2 days for widespread harm)?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p10_q3","label":"GPAI provider status: do you currently provide GPAI models on the EU market?","kind":"select","required":true,"options":["not_gpai_provider","gpai_below_systemic","gpai_at_or_above_systemic","gpai_open_weights_release"]},{"id":"p10_q4","label":"If GPAI provider, do you publish a sufficiently detailed summary of training content per Article 53 paragraph 1d?","kind":"select","required":true,"options":["not_applicable","yes_current","partial","no"]},{"id":"p10_q5","label":"Final sign-off: do you attest that all responses in this wizard are accurate to the best of your knowledge per Article 99 paragraph 5?","kind":"yes_no","required":true,"fail_value":"no"},{"id":"p10_q6","label":"Sign-off principal full name","kind":"text","required":true},{"id":"p10_q7","label":"Sign-off principal role or title","kind":"text","required":true}]}]}