refactor(admin): split lib document generators and data catalogs into domain barrels

obligations-document, tom-document, loeschfristen-document, compliance-scope-triggers, sdk-flow/flow-data, processing-activities, loeschfristen-baseline-catalog, catalog-registry, dsfa mitigation-library + risk-catalog, vvt-baseline-catalog, vendor contract-review checklists + findings, demo-data, tom-compliance. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-18 00:07:03 +02:00
parent b00fe6cb73
commit 91063f09b8
65 changed files with 9514 additions and 9544 deletions
--- a/admin-compliance/lib/sdk/compliance-scope-triggers/triggers-f-m.ts
+++ b/admin-compliance/lib/sdk/compliance-scope-triggers/triggers-f-m.ts
@@ -0,0 +1,467 @@
+/**
+ * Hard Trigger Rules F–M
+ * Groups: Zertifizierung (F), Volumen/Skala (G), Produkt/Business (H),
+ *         Prozessreife (I), IACE AI Act Produkt (J), IACE CRA (K),
+ *         IACE NIS2 indirekt (L), IACE Maschinenverordnung (M)
+ */
+import type { HardTriggerRule } from '../compliance-scope-types'
+
+export const HARD_TRIGGER_RULES_F_M: HardTriggerRule[] = [
+  // ========== F: Zertifizierung (5 rules) ==========
+  {
+    id: 'HT-F01',
+    category: 'certification',
+    questionId: 'org_cert_target',
+    condition: 'CONTAINS',
+    conditionValue: 'ISO27001',
+    minimumLevel: 'L4',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
+    legalReference: 'ISO/IEC 27001',
+    description: 'Angestrebte ISO 27001 Zertifizierung',
+  },
+  {
+    id: 'HT-F02',
+    category: 'certification',
+    questionId: 'org_cert_target',
+    condition: 'CONTAINS',
+    conditionValue: 'ISO27701',
+    minimumLevel: 'L4',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM', 'VVT', 'AUDIT_CHECKLIST'],
+    legalReference: 'ISO/IEC 27701',
+    description: 'Angestrebte ISO 27701 Zertifizierung',
+  },
+  {
+    id: 'HT-F03',
+    category: 'certification',
+    questionId: 'org_cert_target',
+    condition: 'CONTAINS',
+    conditionValue: 'SOC2',
+    minimumLevel: 'L4',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
+    legalReference: 'SOC 2 Type II',
+    description: 'Angestrebte SOC 2 Zertifizierung',
+  },
+  {
+    id: 'HT-F04',
+    category: 'certification',
+    questionId: 'org_cert_target',
+    condition: 'CONTAINS',
+    conditionValue: 'TISAX',
+    minimumLevel: 'L4',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST', 'VENDOR_MANAGEMENT'],
+    legalReference: 'TISAX',
+    description: 'Angestrebte TISAX Zertifizierung',
+  },
+  {
+    id: 'HT-F05',
+    category: 'certification',
+    questionId: 'org_cert_target',
+    condition: 'CONTAINS',
+    conditionValue: 'BSI-Grundschutz',
+    minimumLevel: 'L4',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
+    legalReference: 'BSI IT-Grundschutz',
+    description: 'Angestrebte BSI-Grundschutz Zertifizierung',
+  },
+
+  // ========== G: Volumen/Skala (5 rules) ==========
+  {
+    id: 'HT-G01',
+    category: 'scale',
+    questionId: 'data_volume',
+    condition: 'EQUALS',
+    conditionValue: '>1000000',
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'LOESCHKONZEPT'],
+    legalReference: 'Art. 35 Abs. 3 lit. b DSGVO',
+    description: 'Umfangreiche Verarbeitung personenbezogener Daten (>1 Mio. Datensätze)',
+  },
+  {
+    id: 'HT-G02',
+    category: 'scale',
+    questionId: 'data_volume',
+    condition: 'EQUALS',
+    conditionValue: '100000-1000000',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM'],
+    legalReference: 'Art. 35 Abs. 3 lit. b DSGVO',
+    description: 'Großvolumige Datenverarbeitung (100k-1M Datensätze)',
+  },
+  {
+    id: 'HT-G03',
+    category: 'scale',
+    questionId: 'org_customer_count',
+    condition: 'EQUALS',
+    conditionValue: '100000+',
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSR_PROZESS'],
+    legalReference: 'Art. 15-22 DSGVO',
+    description: 'Großer Kundenstamm (>100k) mit hoher Betroffenenanzahl',
+  },
+  {
+    id: 'HT-G04',
+    category: 'scale',
+    questionId: 'org_employee_count',
+    condition: 'GREATER_THAN',
+    conditionValue: 249,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'LOESCHKONZEPT', 'NOTFALLPLAN'],
+    legalReference: 'Art. 37 DSGVO',
+    description: 'Große Organisation (>250 Mitarbeiter) mit erhöhten Compliance-Anforderungen',
+  },
+  {
+    id: 'HT-G05',
+    category: 'scale',
+    questionId: 'org_employee_count',
+    condition: 'GREATER_THAN',
+    conditionValue: 999,
+    minimumLevel: 'L4',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'LOESCHKONZEPT'],
+    legalReference: 'Art. 35 + Art. 37 DSGVO',
+    description: 'Sehr große Organisation (>1000 Mitarbeiter) mit Art. 9 Daten',
+    combineWithArt9: true,
+  },
+
+  // ========== H: Produkt/Business (7 rules) ==========
+  {
+    id: 'HT-H01a',
+    category: 'product',
+    questionId: 'prod_webshop',
+    condition: 'EQUALS',
+    conditionValue: true,
+    excludeWhen: { questionId: 'org_business_model', value: 'B2B' },
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['DSE', 'AGB', 'COOKIE_BANNER', 'EINWILLIGUNGEN',
+      'WIDERRUFSBELEHRUNG', 'PREISANGABEN', 'FERNABSATZ_INFO', 'STREITBEILEGUNG'],
+    legalReference: 'Art. 6 DSGVO + Fernabsatzrecht + PAngV + VSBG',
+    description: 'E-Commerce / Webshop (B2C) — Verbraucherschutzpflichten',
+  },
+  {
+    id: 'HT-H01b',
+    category: 'product',
+    questionId: 'prod_webshop',
+    condition: 'EQUALS',
+    conditionValue: true,
+    requireWhen: { questionId: 'org_business_model', value: 'B2B' },
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['DSE', 'AGB', 'COOKIE_BANNER'],
+    legalReference: 'Art. 6 DSGVO + eCommerce',
+    description: 'E-Commerce / Webshop (B2B) — Basis-Pflichten',
+  },
+  {
+    id: 'HT-H02',
+    category: 'product',
+    questionId: 'prod_data_broker',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'EINWILLIGUNGEN'],
+    legalReference: 'Art. 35 Abs. 3 DSGVO',
+    description: 'Datenhandel oder Datenmakler-Tätigkeit',
+  },
+  {
+    id: 'HT-H03',
+    category: 'product',
+    questionId: 'prod_api_external',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM', 'AVV'],
+    legalReference: 'Art. 28 DSGVO',
+    description: 'Externe API mit Datenweitergabe',
+  },
+  {
+    id: 'HT-H04',
+    category: 'product',
+    questionId: 'org_business_model',
+    condition: 'EQUALS',
+    conditionValue: 'b2c',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['DSE', 'COOKIE_BANNER', 'EINWILLIGUNGEN'],
+    legalReference: 'Art. 6 DSGVO',
+    description: 'B2C-Geschäftsmodell mit Endkundenkontakt',
+  },
+  {
+    id: 'HT-H05',
+    category: 'product',
+    questionId: 'org_industry',
+    condition: 'EQUALS',
+    conditionValue: 'finance',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM'],
+    legalReference: 'Art. 6 DSGVO + Finanzaufsicht',
+    description: 'Finanzbranche mit erhöhten regulatorischen Anforderungen',
+  },
+  {
+    id: 'HT-H06',
+    category: 'product',
+    questionId: 'org_industry',
+    condition: 'EQUALS',
+    conditionValue: 'healthcare',
+    minimumLevel: 'L3',
+    requiresDSFA: true,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
+    legalReference: 'Art. 9 DSGVO + Gesundheitsrecht',
+    description: 'Gesundheitsbranche mit sensiblen Daten',
+  },
+  {
+    id: 'HT-H07',
+    category: 'product',
+    questionId: 'org_industry',
+    condition: 'EQUALS',
+    conditionValue: 'public',
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM', 'DSR_PROZESS'],
+    legalReference: 'Art. 6 Abs. 1 lit. e DSGVO',
+    description: 'Öffentlicher Sektor',
+  },
+
+  // ========== I: Prozessreife - Gap Flags (5 rules) ==========
+  {
+    id: 'HT-I01',
+    category: 'process_maturity',
+    questionId: 'proc_dsar_process',
+    condition: 'EQUALS',
+    conditionValue: false,
+    minimumLevel: 'L1',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'Art. 15-22 DSGVO',
+    description: 'Fehlender Prozess für Betroffenenrechte',
+  },
+  {
+    id: 'HT-I02',
+    category: 'process_maturity',
+    questionId: 'proc_deletion_concept',
+    condition: 'EQUALS',
+    conditionValue: false,
+    minimumLevel: 'L1',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'Art. 17 DSGVO',
+    description: 'Fehlendes Löschkonzept',
+  },
+  {
+    id: 'HT-I03',
+    category: 'process_maturity',
+    questionId: 'proc_incident_response',
+    condition: 'EQUALS',
+    conditionValue: false,
+    minimumLevel: 'L1',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'Art. 33 DSGVO',
+    description: 'Fehlender Incident-Response-Prozess',
+  },
+  {
+    id: 'HT-I04',
+    category: 'process_maturity',
+    questionId: 'proc_regular_audits',
+    condition: 'EQUALS',
+    conditionValue: false,
+    minimumLevel: 'L1',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'Art. 24 DSGVO',
+    description: 'Fehlende regelmäßige Audits',
+  },
+  {
+    id: 'HT-I05',
+    category: 'process_maturity',
+    questionId: 'comp_training',
+    condition: 'EQUALS',
+    conditionValue: false,
+    minimumLevel: 'L1',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'Art. 39 Abs. 1 lit. b DSGVO',
+    description: 'Fehlende Schulungen zum Datenschutz',
+  },
+
+  // ========== J: IACE — AI Act Produkt-Triggers (3 rules) ==========
+  {
+    id: 'HT-J01',
+    category: 'iace_ai_act_product',
+    questionId: 'machineBuilder.containsAI',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM'],
+    legalReference: 'EU AI Act Annex I + EU Maschinenverordnung 2023/1230',
+    description: 'KI mit Sicherheitsfunktion in Maschine → AI Act High-Risk',
+    combineWithMachineBuilder: { field: 'hasSafetyFunction', value: true },
+    riskWeight: 9,
+  },
+  {
+    id: 'HT-J02',
+    category: 'iace_ai_act_product',
+    questionId: 'machineBuilder.containsAI',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM'],
+    legalReference: 'EU AI Act + EU Maschinenverordnung 2023/1230',
+    description: 'Autonome KI in Maschine → AI Act + Maschinenverordnung',
+    combineWithMachineBuilder: { field: 'autonomousBehavior', value: true },
+    riskWeight: 8,
+  },
+  {
+    id: 'HT-J03',
+    category: 'iace_ai_act_product',
+    questionId: 'machineBuilder.hasSafetyFunction',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['VVT', 'TOM'],
+    legalReference: 'EU AI Act Annex III',
+    description: 'KI-Bildverarbeitung mit Sicherheitsbezug',
+    combineWithMachineBuilder: { field: 'aiIntegrationType', includes: 'vision' },
+    riskWeight: 8,
+  },
+
+  // ========== K: IACE — CRA Triggers (3 rules) ==========
+  {
+    id: 'HT-K01',
+    category: 'iace_cra',
+    questionId: 'machineBuilder.isNetworked',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM'],
+    legalReference: 'EU Cyber Resilience Act (CRA)',
+    description: 'Vernetztes Produkt → Cyber Resilience Act',
+    riskWeight: 6,
+  },
+  {
+    id: 'HT-K02',
+    category: 'iace_cra',
+    questionId: 'machineBuilder.hasRemoteAccess',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM'],
+    legalReference: 'CRA + NIS2 Art. 21',
+    description: 'Remote-Zugriff → CRA + NIS2 Supply Chain',
+    riskWeight: 7,
+  },
+  {
+    id: 'HT-K03',
+    category: 'iace_cra',
+    questionId: 'machineBuilder.hasOTAUpdates',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM'],
+    legalReference: 'CRA Art. 10 - Patch Management',
+    description: 'OTA-Updates → CRA Patch Management Pflicht',
+    riskWeight: 7,
+  },
+
+  // ========== L: IACE — NIS2 indirekt (2 rules) ==========
+  {
+    id: 'HT-L01',
+    category: 'iace_nis2_indirect',
+    questionId: 'machineBuilder.criticalSectorClients',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM'],
+    legalReference: 'NIS2 Art. 21 - Supply Chain',
+    description: 'Lieferant an KRITIS → NIS2 Supply Chain Anforderungen',
+    riskWeight: 7,
+  },
+  {
+    id: 'HT-L02',
+    category: 'iace_nis2_indirect',
+    questionId: 'machineBuilder.oemClients',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'NIS2 + EU Maschinenverordnung',
+    description: 'OEM-Zulieferer → Compliance-Nachweispflicht',
+    riskWeight: 5,
+  },
+
+  // ========== M: IACE — Maschinenverordnung Triggers (4 rules) ==========
+  {
+    id: 'HT-M01',
+    category: 'iace_machinery_regulation',
+    questionId: 'machineBuilder.containsSoftware',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM'],
+    legalReference: 'EU Maschinenverordnung 2023/1230 Anhang III',
+    description: 'Software als Sicherheitskomponente → Maschinenverordnung',
+    combineWithMachineBuilder: { field: 'hasSafetyFunction', value: true },
+    riskWeight: 9,
+  },
+  {
+    id: 'HT-M02',
+    category: 'iace_machinery_regulation',
+    questionId: 'machineBuilder.ceMarkingRequired',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'EU Maschinenverordnung 2023/1230',
+    description: 'CE-Kennzeichnung erforderlich',
+    riskWeight: 6,
+  },
+  {
+    id: 'HT-M03',
+    category: 'iace_machinery_regulation',
+    questionId: 'machineBuilder.ceMarkingRequired',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L3',
+    requiresDSFA: false,
+    mandatoryDocuments: [],
+    legalReference: 'EU Maschinenverordnung 2023/1230 Art. 10',
+    description: 'CE ohne bestehende Risikobeurteilung → Dringend!',
+    combineWithMachineBuilder: { field: 'hasRiskAssessment', value: false },
+    riskWeight: 9,
+  },
+  {
+    id: 'HT-M04',
+    category: 'iace_machinery_regulation',
+    questionId: 'machineBuilder.containsFirmware',
+    condition: 'EQUALS',
+    conditionValue: true,
+    minimumLevel: 'L2',
+    requiresDSFA: false,
+    mandatoryDocuments: ['TOM'],
+    legalReference: 'EU Maschinenverordnung + CRA',
+    description: 'Firmware mit Remote-Update → Change Management Pflicht',
+    combineWithMachineBuilder: { field: 'hasOTAUpdates', value: true },
+    riskWeight: 7,
+  },
+]