From ce3df9f080d1ff0696fdf2ab3d3c4c549098d19e Mon Sep 17 00:00:00 2001
From: Benjamin Admin
Date: Sun, 12 Apr 2026 16:41:29 +0200
Subject: [PATCH] =?UTF-8?q?feat:=20AI=20Act=20Obligations=20erweitert=20(6?= =?UTF-8?q?0=E2=86=9281)=20+=20Decision=20Tree=20Q8=20fix?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

1. 21 neue AI Act Obligations:
- Art. 9 Risk Management (5 granulare Regeln)
- Art. 10 Data Governance (3: Bias, Qualitaet, Versionierung)
- Art. 12 Logging (3: I/O-Logging, Manipulationsschutz, Aufbewahrung)
- Art. 14 Human Oversight (3: Override, Schulung, Automation Bias)
- Art. 15 Accuracy/Cybersecurity (3: Genauigkeit, Robustheit, Security)
- Art. 51/52/54/56 GPAI Governance (4: Klassifizierung, Kennzeichnung, EU-Rep, CoP)
2. Decision Tree Q8 praezisiert: "Stellst du ein KI-Modell fuer Dritte bereit?" statt generische GPAI-Frage
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 .../internal/ucca/decision_tree_engine.go | 4 +-
 .../policies/obligations/v2/_manifest.json | 4 +-
 .../policies/obligations/v2/ai_act_v2.json | 2656 ++++++++++++++---
 3 files changed, 2301 insertions(+), 363 deletions(-)

diff --git a/ai-compliance-sdk/internal/ucca/decision_tree_engine.go b/ai-compliance-sdk/internal/ucca/decision_tree_engine.go
index a89951f..d8139d1 100644
--- a/ai-compliance-sdk/internal/ucca/decision_tree_engine.go
+++ b/ai-compliance-sdk/internal/ucca/decision_tree_engine.go
@@ -96,8 +96,8 @@ func BuildDecisionTreeDefinition() *DecisionTreeDefinition {
 {
 ID: Q8,
 Axis: "gpai",
- Question: "Handelt es sich um ein Foundation Model oder General-Purpose AI (GPAI)?",
- Description: "Ein GPAI-Modell ist ein KI-Modell mit erheblicher Allgemeinheit, das kompetent eine breite Palette unterschiedlicher Aufgaben erfüllen kann, z.B. GPT, Claude, LLaMA, Gemini, Stable Diffusion.",
+ Question: "Stellst du ein KI-Modell fuer Dritte bereit (API / Plattform / SDK), das fuer viele verschiedene Zwecke einsetzbar ist?",
+ Description: "GPAI-Pflichten (Art. 51-56) gelten fuer den Modellanbieter, nicht den API-Nutzer. Wenn du nur eine API nutzt (z.B. OpenAI, Claude), bist du kein GPAI-Anbieter. GPAI-Anbieter ist, wer ein Modell trainiert/fine-tuned und Dritten zur Verfuegung stellt. Beispiele: GPT, Claude, LLaMA, Gemini, Stable Diffusion.",
 ArticleRef: "Art. 3 Nr. 63 / Art. 51",
 },
 {
diff --git a/ai-compliance-sdk/policies/obligations/v2/_manifest.json b/ai-compliance-sdk/policies/obligations/v2/_manifest.json
index f73eeee..6da9145 100644
--- a/ai-compliance-sdk/policies/obligations/v2/_manifest.json
+++ b/ai-compliance-sdk/policies/obligations/v2/_manifest.json
@@ -11,7 +11,7 @@
 "id": "ai_act",
 "file": "ai_act_v2.json",
 "version": "1.0",
- "count": 60
+ "count": 81
 },
 {
 "id": "nis2",
@@ -63,5 +63,5 @@
 }
 ],
 "tom_mapping_file": "_tom_mapping.json",
- "total_obligations": 337
+ "total_obligations": 358
 }
\ No newline at end of file
diff --git a/ai-compliance-sdk/policies/obligations/v2/ai_act_v2.json b/ai-compliance-sdk/policies/obligations/v2/ai_act_v2.json
index 0e4c8a7..12e0c75 100644
--- a/ai-compliance-sdk/policies/obligations/v2/ai_act_v2.json
+++ b/ai-compliance-sdk/policies/obligations/v2/ai_act_v2.json
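Review bot: The replacement literals at `+ Question:` and `+ Description:` transliterate umlauts (`fuer`, `Verfuegung`) where the removed text used a real `ü` (`erfüllen`), so the wording presumably shown to the person answering Q8 now mixes two conventions unless the rest of this file was converted elsewhere. Either write `für`/`Verfügung` here to match the removed text, or convert the file's other Question/Description strings in the same commit so the display stays uniform. The new question also changes what Q8 measures, from classifying the model to whether the respondent provides one to third parties, which is the condition the GPAI obligations keyed on `is_gpai_provider` in the JSON hunks depend on; the answer-to-field mapping is outside this hunk and should be checked against that intent. BuildDecisionTreeDefinition continues outside the hunk.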
@@ -12,24 +12,40 @@
 "applies_when": "uses_ai",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 5", "title": "Verbotene Praktiken im KI-Bereich"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 5",
+ "title": "Verbotene Praktiken im KI-Bereich"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 5 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 5 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "35 Mio. EUR oder 7% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "35 Mio. EUR oder 7% Jahresumsatz"
+ },
 "evidence": [
 "KI-Inventar mit Risikobewertung",
 "Dokumentierte Pruefung auf verbotene Praktiken"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.01", "TOM.GOV.02"],
+ "tom_control_ids": [
+ "TOM.GOV.01",
+ "TOM.GOV.02"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -41,25 +57,41 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 9", "title": "Risikomanagementsystem"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 9",
+ "title": "Risikomanagementsystem"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 9 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 9 AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Risikomanagement-Dokumentation",
 "Risikobewertungen pro KI-System",
 "Massnahmenplan"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.03", "TOM.GOV.04"],
+ "tom_control_ids": [
+ "TOM.GOV.03",
+ "TOM.GOV.04"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -71,26 +103,47 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 10", "title": "Daten und Daten-Governance"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 10",
+ "title": "Daten und Daten-Governance"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 10 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 10 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Datensatzdokumentation",
 "Bias-Analyse-Berichte",
 "Datenqualitaetsnachweise"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.DATA.01", "TOM.DATA.02", "TOM.DATA.03"],
+ "tom_control_ids": [
+ "TOM.DATA.01",
+ "TOM.DATA.02",
+ "TOM.DATA.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -102,28 +155,55 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 11", "title": "Technische Dokumentation"},
- {"norm": "AI Act", "article": "Anhang IV", "title": "Technische Dokumentation gemaess Art. 11"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 11",
+ "title": "Technische Dokumentation"
+ },
+ {
+ "norm": "AI Act",
+ "article": "Anhang IV",
+ "title": "Technische Dokumentation gemaess Art. 11"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 11 AI Act"},
- {"type": "article", "ref": "Anhang IV AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 11 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Anhang IV AI Act"
+ }
 ],
 "category": "Dokumentation",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Technische Dokumentation nach Anhang IV",
 "Systemarchitektur-Dokumentation",
 "Algorithmus-Beschreibung"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.05", "TOM.SDLC.01"],
+ "tom_control_ids": [
+ "TOM.GOV.05",
+ "TOM.SDLC.01"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -135,25 +215,42 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 12", "title": "Aufzeichnungspflichten"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 12",
+ "title": "Aufzeichnungspflichten"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 12 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 12 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Log-System-Dokumentation",
 "Beispiel-Logs",
 "Aufbewahrungsrichtlinie"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.LOG.01", "TOM.LOG.02", "TOM.LOG.03"],
+ "tom_control_ids": [
+ "TOM.LOG.01",
+ "TOM.LOG.02",
+ "TOM.LOG.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -165,26 +262,46 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 13", "title": "Transparenz und Information fuer Betreiber"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 13",
+ "title": "Transparenz und Information fuer Betreiber"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 13 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 13 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Gebrauchsanweisung",
 "Leistungsdokumentation",
 "Warnhinweise"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.06", "TOM.OPS.01"],
+ "tom_control_ids": [
+ "TOM.GOV.06",
+ "TOM.OPS.01"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -196,25 +313,42 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 14", "title": "Menschliche Aufsicht"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 14",
+ "title": "Menschliche Aufsicht"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 14 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 14 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Aufsichtskonzept",
 "Schulungsnachweise fuer Bediener",
 "Notfall-Abschaltprozedur"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.07", "TOM.HR.01", "TOM.OPS.02"],
+ "tom_control_ids": [
+ "TOM.GOV.07",
+ "TOM.HR.01",
+ "TOM.OPS.02"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -226,18 +360,31 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 15", "title": "Genauigkeit, Robustheit und Cybersicherheit"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 15",
+ "title": "Genauigkeit, Robustheit und Cybersicherheit"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 15 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 15 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Genauigkeits-Metriken und Tests",
 "Robustheitstests",
@@ -245,7 +392,11 @@
 "Penetrationstest-Bericht"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.SDLC.02", "TOM.NET.01", "TOM.CRYPTO.01"],
+ "tom_control_ids": [
+ "TOM.SDLC.02",
+ "TOM.NET.01",
+ "TOM.CRYPTO.01"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -257,26 +408,47 @@
 "applies_when": "high_risk_deployer",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 26", "title": "Pflichten der Betreiber"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 26",
+ "title": "Pflichten der Betreiber"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 26 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 26 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Betriebskonzept",
 "Eingabedaten-Pruefung",
 "Monitoring-Dokumentation"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.OPS.03", "TOM.OPS.04", "TOM.LOG.04"],
+ "tom_control_ids": [
+ "TOM.OPS.03",
+ "TOM.OPS.04",
+ "TOM.LOG.04"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -288,27 +460,51 @@
 "applies_when": "high_risk_deployer_fria",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true},
- {"field": "organization.is_public_authority", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "organization.is_public_authority",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 27", "title": "Grundrechte-Folgenabschaetzung fuer Hochrisiko-KI-Systeme"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 27",
+ "title": "Grundrechte-Folgenabschaetzung fuer Hochrisiko-KI-Systeme"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 27 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 27 AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "FRIA-Dokumentation",
 "Risikobewertung Grundrechte",
 "Abhilfemassnahmen"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.08", "TOM.GOV.09"],
+ "tom_control_ids": [
+ "TOM.GOV.08",
+ "TOM.GOV.09"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -320,25 +516,41 @@
 "applies_when": "limited_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.limited_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.limited_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 50", "title": "Transparenzpflichten fuer bestimmte KI-Systeme"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 50",
+ "title": "Transparenzpflichten fuer bestimmte KI-Systeme"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 50 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 50 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Kennzeichnungskonzept",
 "Nutzerhinweise",
 "Deep-Fake-Kennzeichnung"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.10", "TOM.OPS.05"],
+ "tom_control_ids": [
+ "TOM.GOV.10",
+ "TOM.OPS.05"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -350,25 +562,41 @@
 "applies_when": "gpai_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 53", "title": "Pflichten der Anbieter von KI-Modellen mit allgemeinem Verwendungszweck"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 53",
+ "title": "Pflichten der Anbieter von KI-Modellen mit allgemeinem Verwendungszweck"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 53 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 53 AI Act"
+ }
 ],
 "category": "Dokumentation",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "GPAI-Dokumentation",
 "Trainingsdaten-Summary",
 "Urheberrechts-Policy"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.11", "TOM.DATA.04"],
+ "tom_control_ids": [
+ "TOM.GOV.11",
+ "TOM.DATA.04"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -380,26 +608,47 @@
 "applies_when": "gpai_systemic_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.gpai_systemic_risk", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.gpai_systemic_risk",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 55", "title": "Pflichten der Anbieter von KI-Modellen mit allgemeinem Verwendungszweck mit systemischem Risiko"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 55",
+ "title": "Pflichten der Anbieter von KI-Modellen mit allgemeinem Verwendungszweck mit systemischem Risiko"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 55 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 55 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "35 Mio. EUR oder 7% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "35 Mio. EUR oder 7% Jahresumsatz"
+ },
 "evidence": [
 "Systemische Risikobewertung",
 "Red-Teaming-Berichte",
 "Incident-Dokumentation"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.12", "TOM.NET.02", "TOM.SDLC.03"],
+ "tom_control_ids": [
+ "TOM.GOV.12",
+ "TOM.NET.02",
+ "TOM.SDLC.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -411,26 +660,48 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 49", "title": "Registrierung"},
- {"norm": "AI Act", "article": "Art. 60", "title": "EU-Datenbank fuer Hochrisiko-KI-Systeme"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 49",
+ "title": "Registrierung"
+ },
+ {
+ "norm": "AI Act",
+ "article": "Art. 60",
+ "title": "EU-Datenbank fuer Hochrisiko-KI-Systeme"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 49 AI Act"},
- {"type": "article", "ref": "Art. 60 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 49 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Art. 60 AI Act"
+ }
 ],
 "category": "Meldepflicht",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Registrierungsbestaetigung",
 "EU-Datenbank-Eintrag"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.13"],
+ "tom_control_ids": [
+ "TOM.GOV.13"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -442,25 +713,41 @@
 "applies_when": "uses_ai",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 4", "title": "KI-Kompetenz"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 4",
+ "title": "KI-Kompetenz"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 4 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 4 AI Act"
+ }
 ],
 "category": "Schulung",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "7,5 Mio. EUR oder 1% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "7,5 Mio. EUR oder 1% Jahresumsatz"
+ },
 "evidence": [
 "Schulungsnachweise",
 "Kompetenzmatrix",
 "Awareness-Programm"
 ],
 "priority": "mittel",
- "tom_control_ids": ["TOM.HR.02", "TOM.HR.03"],
+ "tom_control_ids": [
+ "TOM.HR.02",
+ "TOM.HR.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -472,27 +759,50 @@
 "applies_when": "uses_ai",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 6", "title": "Klassifizierungsregeln fuer Hochrisiko-KI-Systeme"},
- {"norm": "AI Act", "article": "Anhang III", "title": "Hochrisiko-KI-Systeme gemaess Art. 6 Abs. 2"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 6",
+ "title": "Klassifizierungsregeln fuer Hochrisiko-KI-Systeme"
+ },
+ {
+ "norm": "AI Act",
+ "article": "Anhang III",
+ "title": "Hochrisiko-KI-Systeme gemaess Art. 6 Abs. 2"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 6 AI Act"},
- {"type": "article", "ref": "Anhang III AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 6 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Anhang III AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Klassifizierungsbericht je KI-System",
 "Anhang-III-Pruefung dokumentiert",
 "Entscheidungsmatrix Risikoeinstufung"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.01", "TOM.GOV.03"],
+ "tom_control_ids": [
+ "TOM.GOV.01",
+ "TOM.GOV.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -504,24 +814,39 @@
 "applies_when": "uses_ai",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 7", "title": "Aenderungen des Anhangs III"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 7",
+ "title": "Aenderungen des Anhangs III"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 7 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 7 AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Monitoring-Prozess fuer regulatorische Aenderungen",
 "Re-Klassifizierungsprotokolle"
 ],
 "priority": "mittel",
- "tom_control_ids": ["TOM.GOV.01"],
+ "tom_control_ids": [
+ "TOM.GOV.01"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -533,26 +858,46 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 8", "title": "Einhaltung der Anforderungen"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 8",
+ "title": "Einhaltung der Anforderungen"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 8 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 8 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Compliance-Checkliste Art. 8-15",
 "Nachweis der Anforderungserfuellung",
 "Gap-Analyse"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.04", "TOM.GOV.05"],
+ "tom_control_ids": [
+ "TOM.GOV.04",
+ "TOM.GOV.05"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -564,26 +909,47 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 16", "title": "Pflichten der Anbieter von Hochrisiko-KI-Systemen"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 16",
+ "title": "Pflichten der Anbieter von Hochrisiko-KI-Systemen"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 16 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 16 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Anbieter-Compliance-Nachweis",
 "QMS-Dokumentation",
 "Konformitaetserklaerung"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.01", "TOM.GOV.05", "TOM.GOV.14"],
+ "tom_control_ids": [
+ "TOM.GOV.01",
+ "TOM.GOV.05",
+ "TOM.GOV.14"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -595,19 +961,36 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 17", "title": "Qualitaetsmanagementsystem"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 17",
+ "title": "Qualitaetsmanagementsystem"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 17 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 17 AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "Qualitaetsmanagement",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "QMS-Handbuch",
 "Prozessbeschreibungen",
@@ -615,7 +998,11 @@
 "Management-Review-Protokolle"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.14", "TOM.GOV.15", "TOM.SDLC.04"],
+ "tom_control_ids": [
+ "TOM.GOV.14",
+ "TOM.GOV.15",
+ "TOM.SDLC.04"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -627,26 +1014,46 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 18", "title": "Dokumentationspflichten"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 18",
+ "title": "Dokumentationspflichten"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 18 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 18 AI Act"
+ }
 ],
 "category": "Dokumentation",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Aufbewahrungsrichtlinie",
 "Archivierungssystem-Nachweis",
 "Zugangsprotokoll fuer Behoerden"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.DATA.05", "TOM.DATA.06"],
+ "tom_control_ids": [
+ "TOM.DATA.05",
+ "TOM.DATA.06"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -658,28 +1065,55 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 19", "title": "Konformitaetsbewertung"},
- {"norm": "AI Act", "article": "Art. 43", "title": "Konformitaetsbewertungsverfahren"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 19",
+ "title": "Konformitaetsbewertung"
+ },
+ {
+ "norm": "AI Act",
+ "article": "Art. 43",
+ "title": "Konformitaetsbewertungsverfahren"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 19 AI Act"},
- {"type": "article", "ref": "Art. 43 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 19 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Art. 43 AI Act"
+ }
 ],
 "category": "Audit",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Konformitaetsbewertungsbericht",
 "Zertifikat notifizierte Stelle (falls zutreffend)",
 "Interne Audit-Dokumentation"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.04", "TOM.GOV.14"],
+ "tom_control_ids": [
+ "TOM.GOV.04",
+ "TOM.GOV.14"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -691,26 +1125,47 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 20", "title": "Automatisch generierte Protokolle"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 20",
+ "title": "Automatisch generierte Protokolle"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 20 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 20 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Log-Export-Funktion",
 "Protokoll-Zugriffskonzept",
 "Behoerden-Schnittstelle"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.LOG.01", "TOM.LOG.05", "TOM.LOG.06"],
+ "tom_control_ids": [
+ "TOM.LOG.01",
+ "TOM.LOG.05",
+ "TOM.LOG.06"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -722,26 +1177,46 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 21", "title": "Korrekturmassnahmen und Informationspflicht"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 21",
+ "title": "Korrekturmassnahmen und Informationspflicht"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 21 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 21 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Korrekturmassnahmen-Prozess",
 "Rueckruf-Verfahren",
 "Behoerden-Meldungen"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.OPS.06", "TOM.BCP.01"],
+ "tom_control_ids": [
+ "TOM.OPS.06",
+ "TOM.BCP.01"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -753,28 +1228,55 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 22", "title": "Informationspflichten"},
- {"norm": "AI Act", "article": "Art. 23", "title": "Zusammenarbeit mit Behoerden"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 22",
+ "title": "Informationspflichten"
+ },
+ {
+ "norm": "AI Act",
+ "article": "Art. 23",
+ "title": "Zusammenarbeit mit Behoerden"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 22 AI Act"},
- {"type": "article", "ref": "Art. 23 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 22 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Art. 23 AI Act"
+ }
 ],
 "category": "Meldepflicht",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Behoerden-Kommunikationsprotokoll",
 "Informationsbereitstellungs-Prozess",
 "Ansprechpartner-Benennung"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.06", "TOM.GOV.13"],
+ "tom_control_ids": [
+ "TOM.GOV.06",
+ "TOM.GOV.13"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -786,26 +1288,46 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 24", "title": "Pflichten der Bevollmaechtigten"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 24",
+ "title": "Pflichten der Bevollmaechtigten"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 24 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 24 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Bevollmaechtigten-Vertrag",
 "Vollmacht-Dokumentation",
 "Kontaktdaten EU-Bevollmaechtigter"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.01", "TOM.VENDOR.01"],
+ "tom_control_ids": [
+ "TOM.GOV.01",
+ "TOM.VENDOR.01"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -817,25 +1339,41 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 25", "title": "Pflichten der Einführer"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 25",
+ "title": "Pflichten der Einführer"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 25 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 25 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Importeur-Pruefprotokoll",
 "Konformitaetserklaerung des Anbieters",
 "CE-Kennzeichnungsnachweis"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.VENDOR.02", "TOM.VENDOR.03"],
+ "tom_control_ids": [
+ "TOM.VENDOR.02",
+ "TOM.VENDOR.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -847,26 +1385,46 @@
 "applies_when": "high_risk_deployer",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 26 Abs. 4", "title": "Eingabedatenkontrolle durch Betreiber"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 26 Abs. 4",
+ "title": "Eingabedatenkontrolle durch Betreiber"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 26 Abs. 4 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 26 Abs. 4 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Eingabedaten-Qualitaetspruefung",
 "Datenvalidierungsprotokolle",
 "Repraesentativitaets-Analyse"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.DATA.07", "TOM.DATA.08"],
+ "tom_control_ids": [
+ "TOM.DATA.07",
+ "TOM.DATA.08"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -878,26 +1436,47 @@
 "applies_when": "high_risk_deployer",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 26 Abs. 5", "title": "Monitoring-Pflicht der Betreiber"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 26 Abs. 5",
+ "title": "Monitoring-Pflicht der Betreiber"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 26 Abs. 5 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 26 Abs. 5 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Monitoring-Dashboard",
 "Log-Aufbewahrungsnachweis",
 "Eskalationsprozess-Dokumentation"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.LOG.04", "TOM.LOG.07", "TOM.OPS.07"],
+ "tom_control_ids": [
+ "TOM.LOG.04",
+ "TOM.LOG.07",
+ "TOM.OPS.07"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -909,27 +1488,51 @@
 "applies_when": "high_risk_deployer",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.ai_makes_decisions", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.ai_makes_decisions",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 26 Abs. 7", "title": "Informationspflicht gegenueber betroffenen Personen"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 26 Abs. 7",
+ "title": "Informationspflicht gegenueber betroffenen Personen"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 26 Abs. 7 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 26 Abs. 7 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Informationsschreiben-Vorlagen",
 "Nachweis der Benachrichtigung",
 "Datenschutzerklaerung mit KI-Hinweis"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.10", "TOM.OPS.05"],
+ "tom_control_ids": [
+ "TOM.GOV.10",
+ "TOM.OPS.05"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -941,28 +1544,55 @@
 "applies_when": "high_risk_deployer",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 26 Abs. 9", "title": "DSFA-Pflicht fuer Betreiber"},
- {"norm": "DSGVO", "article": "Art. 35", "title": "Datenschutz-Folgenabschaetzung"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 26 Abs. 9",
+ "title": "DSFA-Pflicht fuer Betreiber"
+ },
+ {
+ "norm": "DSGVO",
+ "article": "Art. 35",
+ "title": "Datenschutz-Folgenabschaetzung"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 26 Abs. 9 AI Act"},
- {"type": "article", "ref": "Art. 35 DSGVO"}
+ {
+ "type": "article",
+ "ref": "Art. 26 Abs. 9 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Art. 35 DSGVO"
+ }
 ],
 "category": "Governance",
 "responsible": "Datenschutzbeauftragter",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "DSFA-Bericht",
 "FRIA-Integration",
 "Massnahmenplan"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.08", "TOM.GOV.09"],
+ "tom_control_ids": [
+ "TOM.GOV.08",
+ "TOM.GOV.09"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -974,26 +1604,46 @@
 "applies_when": "high_risk_deployer",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 26 Abs. 10", "title": "Betreiber als Anbieter"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 26 Abs. 10",
+ "title": "Betreiber als Anbieter"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 26 Abs. 10 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 26 Abs. 10 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Pruefung Anbieter-Status",
 "Aenderungsprotokoll KI-System",
 "Umklassifizierungsentscheidung"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.01", "TOM.GOV.03"],
+ "tom_control_ids": [
+ "TOM.GOV.01",
+ "TOM.GOV.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1005,25 +1655,41 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 28", "title": "Pflichten der Haendler"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 28",
+ "title": "Pflichten der Haendler"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 28 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 28 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Haendler-Checkliste",
 "Eingangs-Pruefprotokoll",
 "Lieferanten-Dokumentation"
 ],
 "priority": "mittel",
- "tom_control_ids": ["TOM.VENDOR.04", "TOM.VENDOR.05"],
+ "tom_control_ids": [
+ "TOM.VENDOR.04",
+ "TOM.VENDOR.05"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1035,26 +1701,46 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 29", "title": "Pflichten von Dritten in der Wertschoepfungskette"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 29",
+ "title": "Pflichten von Dritten in der Wertschoepfungskette"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 29 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 29 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Lieferantenvertraege",
 "Informationsaustausch-Protokolle",
 "Supply-Chain-Due-Diligence"
 ],
 "priority": "mittel",
- "tom_control_ids": ["TOM.VENDOR.06", "TOM.VENDOR.07"],
+ "tom_control_ids": [
+ "TOM.VENDOR.06",
+ "TOM.VENDOR.07"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1066,27 +1752,51 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.uses_biometric_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.uses_biometric_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 43", "title": "Konformitaetsbewertungsstellen"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 43",
+ "title": "Konformitaetsbewertungsstellen"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 43 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 43 AI Act"
+ }
 ],
 "category": "Audit",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Notifizierte-Stelle-Beauftragung",
 "Akkreditierungsnachweis",
 "Bewertungsbericht der notifizierten Stelle"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.14", "TOM.GOV.15"],
+ "tom_control_ids": [
+ "TOM.GOV.14",
+ "TOM.GOV.15"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1098,28 +1808,55 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 47", "title": "EU-Konformitaetserklaerung"},
- {"norm": "AI Act", "article": "Anhang V", "title": "Inhalt der EU-Konformitaetserklaerung"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 47",
+ "title": "EU-Konformitaetserklaerung"
+ },
+ {
+ "norm": "AI Act",
+ "article": "Anhang V",
+ "title": "Inhalt der EU-Konformitaetserklaerung"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 47 AI Act"},
- {"type": "article", "ref": "Anhang V AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 47 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Anhang V AI Act"
+ }
 ],
 "category": "Dokumentation",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "EU-Konformitaetserklaerung nach Anhang V",
 "Unterschriebene Erklaerung",
 "Verzeichnis der KI-Systeme mit Erklaerungen"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.05", "TOM.GOV.14"],
+ "tom_control_ids": [
+ "TOM.GOV.05",
+ "TOM.GOV.14"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1131,26 +1868,45 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 48", "title": "CE-Kennzeichnung"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 48",
+ "title": "CE-Kennzeichnung"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 48 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 48 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "CE-Kennzeichnungsnachweis",
 "Screenshot digitale Schnittstelle",
 "Produktdokumentation"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.05"],
+ "tom_control_ids": [
+ "TOM.GOV.05"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1162,25 +1918,44 @@
 "applies_when": "high_risk_deployer",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_deployer", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_deployer",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 49 Abs. 3", "title": "Registrierungspflicht der Betreiber"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 49 Abs. 3",
+ "title": "Registrierungspflicht der Betreiber"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 49 Abs. 3 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 49 Abs. 3 AI Act"
+ }
 ],
 "category": "Meldepflicht",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Betreiber-Registrierungsbestaetigung",
 "EU-Datenbank-Eintrag"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.13"],
+ "tom_control_ids": [
+ "TOM.GOV.13"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1192,25 +1967,41 @@
 "applies_when": "limited_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_emotion_recognition", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_emotion_recognition",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 50 Abs. 3", "title": "Transparenz bei Emotionserkennung"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 50 Abs. 3",
+ "title": "Transparenz bei Emotionserkennung"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 50 Abs. 3 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 50 Abs. 3 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Informationshinweis Emotionserkennung",
 "Einwilligungsnachweis",
 "Aushang oder digitaler Hinweis"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.10", "TOM.OPS.05"],
+ "tom_control_ids": [
+ "TOM.GOV.10",
+ "TOM.OPS.05"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1222,25 +2013,41 @@
 "applies_when": "limited_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_deepfakes", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_deepfakes",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 50 Abs. 4", "title": "Kennzeichnung von Deep Fakes"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 50 Abs. 4",
+ "title": "Kennzeichnung von Deep Fakes"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 50 Abs. 4 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 50 Abs. 4 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Deep-Fake-Kennzeichnungssystem",
 "Maschinenlesbare Metadaten",
 "Wasserzeichen-Implementation"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.SDLC.05", "TOM.OPS.08"],
+ "tom_control_ids": [
+ "TOM.SDLC.05",
+ "TOM.OPS.08"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1252,25 +2059,41 @@
 "applies_when": "limited_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_generative_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_generative_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 50 Abs. 2", "title": "Kennzeichnung KI-generierter Inhalte"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 50 Abs. 2",
+ "title": "Kennzeichnung KI-generierter Inhalte"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 50 Abs. 2 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 50 Abs. 2 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Content-Watermarking-System",
 "Metadaten-Standard (C2PA o.ae.)",
 "Kennzeichnungs-Testbericht"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.SDLC.05", "TOM.SDLC.06"],
+ "tom_control_ids": [
+ "TOM.SDLC.05",
+ "TOM.SDLC.06"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1282,25 +2105,41 @@
 "applies_when": "gpai_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 53 Abs. 1 lit. b", "title": "Informationspflicht GPAI-Anbieter"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 53 Abs. 1 lit. b",
+ "title": "Informationspflicht GPAI-Anbieter"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 53 Abs. 1 lit. b AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 53 Abs. 1 lit. b AI Act"
+ }
 ],
 "category": "Dokumentation",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Downstream-Provider-Dokumentation",
 "Modellkarte (Model Card)",
 "API-Dokumentation mit Limitierungen"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.11", "TOM.SDLC.07"],
+ "tom_control_ids": [
+ "TOM.GOV.11",
+ "TOM.SDLC.07"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1312,25 +2151,41 @@
 "applies_when": "gpai_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 53 Abs. 1 lit. c", "title": "Urheberrechtspolitik GPAI"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 53 Abs. 1 lit. c",
+ "title": "Urheberrechtspolitik GPAI"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 53 Abs. 1 lit. c AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 53 Abs. 1 lit. c AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "Rechtsabteilung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Urheberrechts-Policy veroeffentlicht",
 "Opt-out-Mechanismus dokumentiert",
 "Trainingsdaten-Compliance-Bericht"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.11", "TOM.DATA.09"],
+ "tom_control_ids": [
+ "TOM.GOV.11",
+ "TOM.DATA.09"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1342,25 +2197,41 @@
 "applies_when": "gpai_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 53 Abs. 1 lit. d", "title": "Trainingsdaten-Zusammenfassung"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 53 Abs. 1 lit. d",
+ "title": "Trainingsdaten-Zusammenfassung"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 53 Abs. 1 lit. d AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 53 Abs. 1 lit. d AI Act"
+ }
 ],
 "category": "Dokumentation",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Trainingsdaten-Zusammenfassung (AI Office Template)",
 "Veroeffentlichungsnachweis",
 "Datenquellen-Verzeichnis"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.DATA.04", "TOM.DATA.10"],
+ "tom_control_ids": [
+ "TOM.DATA.04",
+ "TOM.DATA.10"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1372,26 +2243,46 @@
 "applies_when": "gpai_systemic_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.gpai_systemic_risk", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.gpai_systemic_risk",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 55 Abs. 1 lit. a", "title": "Modellbewertung bei systemischem Risiko"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 55 Abs. 1 lit. a",
+ "title": "Modellbewertung bei systemischem Risiko"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 55 Abs. 1 lit. a AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 55 Abs. 1 lit. a AI Act"
+ }
 ],
 "category": "Audit",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "35 Mio. EUR oder 7% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "35 Mio. EUR oder 7% Jahresumsatz"
+ },
 "evidence": [
 "Modellbewertungsbericht",
 "Red-Teaming-Protokolle",
 "Benchmark-Ergebnisse"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.SDLC.08", "TOM.SDLC.09"],
+ "tom_control_ids": [
+ "TOM.SDLC.08",
+ "TOM.SDLC.09"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1403,26 +2294,46 @@
 "applies_when": "gpai_systemic_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.gpai_systemic_risk", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.gpai_systemic_risk",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 55 Abs. 1 lit. b", "title": "Bewertung systemischer Risiken"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 55 Abs. 1 lit. b",
+ "title": "Bewertung systemischer Risiken"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 55 Abs. 1 lit. b AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 55 Abs. 1 lit. b AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "35 Mio. EUR oder 7% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "35 Mio. EUR oder 7% Jahresumsatz"
+ },
 "evidence": [
 "Systemische Risikobewertung",
 "Minderungsmassnahmen-Plan",
 "Impact-Assessment EU-Ebene"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.03", "TOM.GOV.12"],
+ "tom_control_ids": [
+ "TOM.GOV.03",
+ "TOM.GOV.12"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1434,26 +2345,47 @@
 "applies_when": "gpai_systemic_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.gpai_systemic_risk", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.gpai_systemic_risk",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 55 Abs. 1 lit. d", "title": "Cybersicherheit GPAI"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 55 Abs. 1 lit. d",
+ "title": "Cybersicherheit GPAI"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 55 Abs. 1 lit. d AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 55 Abs. 1 lit. d AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "35 Mio. EUR oder 7% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "35 Mio. EUR oder 7% Jahresumsatz"
+ },
 "evidence": [
 "Cybersicherheits-Assessment",
 "Penetrationstest-Bericht",
 "Infrastruktur-Security-Audit"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.NET.02", "TOM.NET.03", "TOM.CRYPTO.02"],
+ "tom_control_ids": [
+ "TOM.NET.02",
+ "TOM.NET.03",
+ "TOM.CRYPTO.02"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1465,26 +2397,46 @@
 "applies_when": "gpai_systemic_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.is_gpai_provider", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.gpai_systemic_risk", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.is_gpai_provider",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.gpai_systemic_risk",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 55 Abs. 1 lit. c", "title": "Vorfallmeldung GPAI"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 55 Abs. 1 lit. c",
+ "title": "Vorfallmeldung GPAI"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 55 Abs. 1 lit. c AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 55 Abs. 1 lit. c AI Act"
+ }
 ],
 "category": "Meldepflicht",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "35 Mio. EUR oder 7% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "35 Mio. EUR oder 7% Jahresumsatz"
+ },
 "evidence": [
 "Incident-Response-Plan GPAI",
 "Meldungen an AI Office",
 "Korrekturmassnahmen-Dokumentation"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.BCP.02", "TOM.BCP.03"],
+ "tom_control_ids": [
+ "TOM.BCP.02",
+ "TOM.BCP.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1496,25 +2448,40 @@
 "applies_when": "uses_ai",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 57", "title": "KI-Reallabore (Regulatory Sandboxes)"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 57",
+ "title": "KI-Reallabore (Regulatory Sandboxes)"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 57 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 57 AI Act"
+ }
 ],
 "category": "Governance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "7,5 Mio. EUR oder 1% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "7,5 Mio. EUR oder 1% Jahresumsatz"
+ },
 "evidence": [
 "Sandbox-Antrag (falls zutreffend)",
 "Sandbox-Plan",
 "Abschlussberichte"
 ],
 "priority": "niedrig",
- "tom_control_ids": ["TOM.GOV.01"],
+ "tom_control_ids": [
+ "TOM.GOV.01"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1526,26 +2493,46 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 72", "title": "Post-Market-Monitoring durch Anbieter"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 72",
+ "title": "Post-Market-Monitoring durch Anbieter"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 72 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 72 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Post-Market-Monitoring-Plan",
 "Monitoring-Berichte",
 "Feedback-Erfassungssystem"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.OPS.09", "TOM.OPS.10"],
+ "tom_control_ids": [
+ "TOM.OPS.09",
+ "TOM.OPS.10"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1557,18 +2544,31 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 73", "title": "Meldung schwerwiegender Vorfaelle"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 73",
+ "title": "Meldung schwerwiegender Vorfaelle"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 73 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 73 AI Act"
+ }
 ],
 "category": "Meldepflicht",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Incident-Response-Plan",
 "Meldeprozess dokumentiert",
@@ -1576,7 +2576,11 @@
 "Meldeformulare vorbereitet"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.BCP.01", "TOM.BCP.02", "TOM.BCP.04"],
+ "tom_control_ids": [
+ "TOM.BCP.01",
+ "TOM.BCP.02",
+ "TOM.BCP.04"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1588,25 +2592,42 @@
 "applies_when": "uses_ai",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 78", "title": "Vertraulichkeit"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 78",
+ "title": "Vertraulichkeit"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 78 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 78 AI Act"
+ }
 ],
 "category": "Organisatorisch",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "7,5 Mio. EUR oder 1% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "7,5 Mio. EUR oder 1% Jahresumsatz"
+ },
 "evidence": [
 "Vertraulichkeitsvereinbarungen (NDA)",
 "Informationsklassifizierung",
 "Zugriffskontrollen fuer KI-Dokumentation"
 ],
 "priority": "mittel",
- "tom_control_ids": ["TOM.AC.01", "TOM.IAM.01", "TOM.CRYPTO.03"],
+ "tom_control_ids": [
+ "TOM.AC.01",
+ "TOM.IAM.01",
+ "TOM.CRYPTO.03"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1618,25 +2639,41 @@
 "applies_when": "uses_ai",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.uses_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.uses_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 99", "title": "Inkrafttreten und Geltungsbeginn"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 99",
+ "title": "Inkrafttreten und Geltungsbeginn"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 99 AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 99 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "Geschaeftsfuehrung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Umsetzungs-Roadmap",
 "Meilensteinplan AI Act",
 "Compliance-Fortschrittsbericht"
 ],
 "priority": "hoch",
- "tom_control_ids": ["TOM.GOV.01", "TOM.GOV.02"],
+ "tom_control_ids": [
+ "TOM.GOV.01",
+ "TOM.GOV.02"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1648,28 +2685,55 @@
 "applies_when": "high_risk_provider",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.is_ai_provider", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.is_ai_provider",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Art. 40", "title": "Harmonisierte Normen"},
- {"norm": "AI Act", "article": "Anhang I", "title": "Harmonisierte Rechtsvorschriften der Union"}
+ {
+ "norm": "AI Act",
+ "article": "Art. 40",
+ "title": "Harmonisierte Normen"
+ },
+ {
+ "norm": "AI Act",
+ "article": "Anhang I",
+ "title": "Harmonisierte Rechtsvorschriften der Union"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Art. 40 AI Act"},
- {"type": "article", "ref": "Anhang I AI Act"}
+ {
+ "type": "article",
+ "ref": "Art. 40 AI Act"
+ },
+ {
+ "type": "article",
+ "ref": "Anhang I AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Normen-Anwendungsbericht",
 "Gap-Analyse harmonisierte Normen",
 "Konformitaetsvermutungs-Dokumentation"
 ],
 "priority": "mittel",
- "tom_control_ids": ["TOM.GOV.04", "TOM.GOV.14"],
+ "tom_control_ids": [
+ "TOM.GOV.04",
+ "TOM.GOV.14"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1681,26 +2745,47 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.uses_biometric_ai", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.uses_biometric_ai",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Anhang III Nr. 1", "title": "Biometrie und biometriebasierte Systeme"}
+ {
+ "norm": "AI Act",
+ "article": "Anhang III Nr. 1",
+ "title": "Biometrie und biometriebasierte Systeme"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Anhang III Nr. 1 AI Act"}
+ {
+ "type": "article",
+ "ref": "Anhang III Nr. 1 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Biometrie-Einsatz-Dokumentation",
 "Notifizierte-Stelle-Zertifikat",
 "Datenschutz-Folgenabschaetzung Biometrie"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.08", "TOM.DATA.11", "TOM.IAM.02"],
+ "tom_control_ids": [
+ "TOM.GOV.08",
+ "TOM.DATA.11",
+ "TOM.IAM.02"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1712,26 +2797,47 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.ai_in_critical_infrastructure", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.ai_in_critical_infrastructure",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Anhang III Nr. 2", "title": "Kritische Infrastruktur"}
+ {
+ "norm": "AI Act",
+ "article": "Anhang III Nr. 2",
+ "title": "Kritische Infrastruktur"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Anhang III Nr. 2 AI Act"}
+ {
+ "type": "article",
+ "ref": "Anhang III Nr. 2 AI Act"
+ }
 ],
 "category": "Technisch",
 "responsible": "IT-Leitung",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Kritische-Infrastruktur-Assessment",
 "Redundanz-Nachweis",
 "Ausfallsicherheits-Tests"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.BCP.05", "TOM.BCP.06", "TOM.NET.04"],
+ "tom_control_ids": [
+ "TOM.BCP.05",
+ "TOM.BCP.06",
+ "TOM.NET.04"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1743,26 +2849,47 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.ai_in_education", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.ai_in_education",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Anhang III Nr. 3", "title": "Allgemeine und berufliche Bildung"}
+ {
+ "norm": "AI Act",
+ "article": "Anhang III Nr. 3",
+ "title": "Allgemeine und berufliche Bildung"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Anhang III Nr. 3 AI Act"}
+ {
+ "type": "article",
+ "ref": "Anhang III Nr. 3 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Bildungs-KI-Einsatzkonzept",
 "Minderjaehrigenschutz-Nachweis",
 "Fairness-Analyse Bildungszugang"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.08", "TOM.DATA.12", "TOM.HR.04"],
+ "tom_control_ids": [
+ "TOM.GOV.08",
+ "TOM.DATA.12",
+ "TOM.HR.04"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1774,26 +2901,47 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.ai_in_employment", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.ai_in_employment",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Anhang III Nr. 4", "title": "Beschaeftigung, Personalmanagement"}
+ {
+ "norm": "AI Act",
+ "article": "Anhang III Nr. 4",
+ "title": "Beschaeftigung, Personalmanagement"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Anhang III Nr. 4 AI Act"}
+ {
+ "type": "article",
+ "ref": "Anhang III Nr. 4 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Beschaeftigungs-KI-Assessment",
 "Diskriminierungsfreiheits-Analyse",
 "Betriebsrats-Beteiligung dokumentiert"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.08", "TOM.HR.05", "TOM.DATA.13"],
+ "tom_control_ids": [
+ "TOM.GOV.08",
+ "TOM.HR.05",
+ "TOM.DATA.13"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1805,26 +2953,47 @@
 "applies_when": "high_risk",
 "applies_when_condition": {
 "all_of": [
- {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true},
- {"field": "ai_usage.ai_in_law_enforcement", "operator": "EQUALS", "value": true}
+ {
+ "field": "ai_usage.high_risk_ai",
+ "operator": "EQUALS",
+ "value": true
+ },
+ {
+ "field": "ai_usage.ai_in_law_enforcement",
+ "operator": "EQUALS",
+ "value": true
+ }
 ]
 },
 "legal_basis": [
- {"norm": "AI Act", "article": "Anhang III Nr. 6", "title": "Strafverfolgung"}
+ {
+ "norm": "AI Act",
+ "article": "Anhang III Nr. 6",
+ "title": "Strafverfolgung"
+ }
 ],
 "sources": [
- {"type": "article", "ref": "Anhang III Nr. 6 AI Act"}
+ {
+ "type": "article",
+ "ref": "Anhang III Nr. 6 AI Act"
+ }
 ],
 "category": "Compliance",
 "responsible": "KI-Verantwortlicher",
- "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"},
+ "sanctions": {
+ "max_fine": "15 Mio. EUR oder 3% Jahresumsatz"
+ },
 "evidence": [
 "Grundrechts-Pruefung Strafverfolgung",
 "Verhältnismaessigkeits-Analyse",
 "Datenschutz-Richtlinie-Konformitaet"
 ],
 "priority": "kritisch",
- "tom_control_ids": ["TOM.GOV.08", "TOM.GOV.09", "TOM.AC.02"],
+ "tom_control_ids": [
+ "TOM.GOV.08",
+ "TOM.GOV.09",
+ "TOM.AC.02"
+ ],
 "valid_from": "2024-08-01",
 "valid_until": null,
 "version": "1.0"
@@ -1836,29 +3005,792 @@ "applies_when": "high_risk", "applies_when_condition": { "all_of": [ - {"field": "ai_usage.high_risk_ai", "operator": "EQUALS", "value": true}, - {"field": "ai_usage.ai_in_justice", "operator": "EQUALS", "value": true} + { + "field": "ai_usage.high_risk_ai", + "operator": "EQUALS", + "value": true + }, + { + "field": "ai_usage.ai_in_justice", + "operator": "EQUALS", + "value": true + } ] }, "legal_basis": [ - {"norm": "AI Act", "article": "Anhang III Nr. 8", "title": "Rechtspflege und demokratische Prozesse"} + { + "norm": "AI Act", + "article": "Anhang III Nr. 8", + "title": "Rechtspflege und demokratische Prozesse" + } ], "sources": [ - {"type": "article", "ref": "Anhang III Nr. 8 AI Act"} + { + "type": "article", + "ref": "Anhang III Nr. 8 AI Act" + } ], "category": "Compliance", "responsible": "KI-Verantwortlicher", - "sanctions": {"max_fine": "15 Mio. EUR oder 3% Jahresumsatz"}, + "sanctions": { + "max_fine": "15 Mio. EUR oder 3% Jahresumsatz" + }, "evidence": [ "Justiz-KI-Einsatzkonzept", "Human-Oversight-Nachweis", "Transparenzbericht Justiz-KI" ], "priority": "kritisch", - "tom_control_ids": ["TOM.GOV.07", "TOM.GOV.08", "TOM.GOV.10"], + "tom_control_ids": [ + "TOM.GOV.07", + "TOM.GOV.08", + "TOM.GOV.10" + ], "valid_from": "2024-08-01", "valid_until": null, "version": "1.0" + }, + { + "id": "AIACT-OBL-061", + "title": "Risikomanagementsystem etablieren und dokumentieren", + "description": "Ein Risikomanagementsystem ist einzurichten, umzusetzen, zu dokumentieren und aufrechtzuerhalten. Es muss den gesamten Lebenszyklus des KI-Systems abdecken.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 9 Abs. 1" + } + ], + "sources": [ + { + "type": "regulation", + "ref": "Art. 9 Abs. 
1 AI Act" + } + ], + "category": "Governance", + "responsible": "KI-Verantwortlicher", + "priority": "kritisch", + "deadline": { + "type": "on_event", + "event": "Vor Inverkehrbringen" + }, + "sanctions": { + "max_fine": "15 Mio. EUR oder 3% Jahresumsatz" + }, + "evidence": [ + { + "name": "RMS-Dokumentation", + "required": true + } + ], + "tom_control_ids": [ + "TOM.GOV.01" + ], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-062", + "title": "Bekannte und vorhersehbare Risiken identifizieren und analysieren", + "description": "Identifikation und Analyse bekannter und vernuenftigerweise vorhersehbarer Risiken fuer Gesundheit, Sicherheit und Grundrechte.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 9 Abs. 2 lit. a" + } + ], + "sources": [ + { + "type": "regulation", + "ref": "Art. 9 Abs. 2 AI Act" + } + ], + "category": "Governance", + "responsible": "KI-Verantwortlicher", + "priority": "kritisch", + "evidence": [ + { + "name": "Risikoregister", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-063", + "title": "Vorhersehbare Fehlanwendungen beruecksichtigen", + "description": "Risiken durch vernuenftigerweise vorhersehbare Fehlanwendungen (reasonably foreseeable misuse) muessen im RMS beruecksichtigt werden.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 9 Abs. 2 lit. b" + } + ], + "sources": [ + { + "type": "regulation", + "ref": "Art. 9 Abs. 
2 AI Act" + } + ], + "category": "Governance", + "responsible": "KI-Verantwortlicher", + "priority": "hoch", + "evidence": [ + { + "name": "Misuse-Analyse-Dokument", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-064", + "title": "Restrisiko bewerten und dokumentieren", + "description": "Nach Umsetzung von Risikominderungsmassnahmen ist das verbleibende Restrisiko zu bewerten und zu dokumentieren. Es muss akzeptabel sein.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 9 Abs. 4" + } + ], + "sources": [ + { + "type": "regulation", + "ref": "Art. 9 Abs. 4 AI Act" + } + ], + "category": "Governance", + "responsible": "KI-Verantwortlicher", + "priority": "hoch", + "evidence": [ + { + "name": "Restrisiko-Bewertung", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-065", + "title": "Risikomanagement bei System-Updates wiederholen", + "description": "Bei wesentlichen Aenderungen des KI-Systems muss die Risikoanalyse erneut durchgefuehrt werden.", + "applies_when": "system update", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 9 Abs. 
1" + } + ], + "category": "Governance", + "responsible": "KI-Verantwortlicher", + "priority": "hoch", + "evidence": [ + { + "name": "Update-Risikoanalyse", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-066", + "title": "Trainingsdaten auf Bias pruefen", + "description": "Trainings-, Validierungs- und Testdatensaetze muessen auf moegliche Verzerrungen (Bias) geprueft werden, die zu Diskriminierung fuehren koennten.", + "applies_when": "AI system uses training data", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 10 Abs. 2 lit. f" + } + ], + "category": "Technisch", + "responsible": "Data Science Team", + "priority": "kritisch", + "evidence": [ + { + "name": "Bias-Analyse-Bericht", + "required": true + } + ], + "tom_control_ids": [ + "TOM.FAIR.01" + ], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-067", + "title": "Datenqualitaetskriterien definieren und einhalten", + "description": "Datensaetze muessen relevant, hinreichend repraesentativ, fehlerfrei und vollstaendig sein.", + "applies_when": "AI system uses training data", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 10 Abs. 
3" + } + ], + "category": "Technisch", + "responsible": "Data Science Team", + "priority": "hoch", + "evidence": [ + { + "name": "Datenqualitaets-Dokumentation", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-068", + "title": "Datenversionierung und Rueckverfolgbarkeit", + "description": "Trainings-, Validierungs- und Testdatensaetze muessen versioniert und rueckverfolgbar sein.", + "applies_when": "AI system uses training data", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 10 Abs. 4" + } + ], + "category": "Technisch", + "responsible": "Data Engineering", + "priority": "hoch", + "evidence": [ + { + "name": "Daten-Versionierungskonzept", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-069", + "title": "Automatische Protokollierung von Eingaben und Ausgaben", + "description": "Hochrisiko-KI-Systeme muessen Eingaben, Ausgaben und Entscheidungen automatisch protokollieren, soweit technisch moeglich.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 12 Abs. 
1" + } + ], + "category": "Technisch", + "responsible": "Entwicklung", + "priority": "kritisch", + "evidence": [ + { + "name": "Logging-Architektur-Dokumentation", + "required": true + } + ], + "tom_control_ids": [ + "TOM.LOG.01" + ], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-070", + "title": "Logs manipulationssicher speichern", + "description": "Protokolldaten muessen gegen Manipulation geschuetzt und fuer die vorgeschriebene Dauer aufbewahrt werden.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 12 Abs. 2" + } + ], + "category": "Technisch", + "responsible": "IT-Sicherheit", + "priority": "hoch", + "evidence": [ + { + "name": "Log-Integritaets-Konzept", + "required": true + } + ], + "tom_control_ids": [ + "TOM.LOG.01", + "TOM.CRY.01" + ], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-071", + "title": "Log-Aufbewahrungsfristen definieren", + "description": "Aufbewahrungsfristen fuer Protokolldaten muessen definiert und eingehalten werden. Mindestens 6 Monate, sofern nicht anders vorgeschrieben.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 12 Abs. 
3" + } + ], + "category": "Governance", + "responsible": "Compliance", + "priority": "hoch", + "evidence": [ + { + "name": "Aufbewahrungsrichtlinie", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-072", + "title": "Override-Funktion fuer menschliche Uebersteuering", + "description": "Das System muss eine Funktion bereitstellen, mit der ein Mensch die KI-Entscheidung jederzeit uebersteuern oder das System stoppen kann.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 14 Abs. 4 lit. d" + } + ], + "category": "Technisch", + "responsible": "Entwicklung", + "priority": "kritisch", + "evidence": [ + { + "name": "Override-Funktionsdokumentation", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-073", + "title": "Schulung der Nutzer zu KI-Systemgrenzen", + "description": "Personen, die die menschliche Aufsicht ausueben, muessen ueber die Faehigkeiten und Grenzen des Systems geschult sein.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 14 Abs. 4 lit. 
a" + } + ], + "category": "Organisatorisch", + "responsible": "HR / Training", + "priority": "hoch", + "evidence": [ + { + "name": "Schulungsnachweis KI-Nutzer", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-074", + "title": "Automation Bias verhindern", + "description": "Massnahmen gegen uebermassiges Vertrauen in KI-Ausgaben (Automation Bias) muessen implementiert werden.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 14 Abs. 4 lit. b" + } + ], + "category": "Organisatorisch", + "responsible": "UX / Compliance", + "priority": "hoch", + "evidence": [ + { + "name": "Automation-Bias-Praeventionskonzept", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-075", + "title": "Genauigkeitsziele definieren und messen", + "description": "Fuer Hochrisiko-KI-Systeme muessen Genauigkeitsziele definiert, in der technischen Dokumentation angegeben und den Nutzern mitgeteilt werden.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 15 Abs. 
1" + } + ], + "category": "Technisch", + "responsible": "Data Science Team", + "priority": "hoch", + "evidence": [ + { + "name": "Genauigkeits-Metriken-Dokumentation", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-076", + "title": "Robustheit gegen Fehler und Angriffe sicherstellen", + "description": "Das System muss robust sein gegen Fehler, Stoerungen und Versuche unbefugter Dritter, die Leistung zu manipulieren.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 15 Abs. 4" + } + ], + "category": "Technisch", + "responsible": "IT-Sicherheit", + "priority": "kritisch", + "evidence": [ + { + "name": "Adversarial-Test-Ergebnisse", + "required": true + } + ], + "tom_control_ids": [ + "TOM.SEC.01" + ], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-077", + "title": "Cybersecurity-Massnahmen nach Stand der Technik", + "description": "Angemessene Cybersecurity-Massnahmen muessen implementiert werden, einschliesslich Schutz vor Data Poisoning und Adversarial Attacks.", + "applies_when": "high-risk AI system", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.uses_ai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 15 Abs. 5" + } + ], + "category": "Technisch", + "responsible": "IT-Sicherheit", + "priority": "kritisch", + "evidence": [ + { + "name": "AI-Cybersecurity-Konzept", + "required": true + } + ], + "tom_control_ids": [ + "TOM.SEC.01", + "TOM.CRY.01" + ], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-078", + "title": "GPAI-Modell klassifizieren (normal vs. 
systemisch)", + "description": "Der Anbieter eines GPAI-Modells muss pruefen, ob das Modell als Modell mit systemischem Risiko einzustufen ist (>10^25 FLOP oder EU-Kommissions-Beschluss).", + "applies_when": "GPAI model provider", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.is_gpai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 51 Abs. 2" + } + ], + "category": "Governance", + "responsible": "KI-Verantwortlicher", + "priority": "kritisch", + "evidence": [ + { + "name": "GPAI-Klassifizierungsdokument", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-079", + "title": "KI-generierte Inhalte als solche kennzeichnen (GPAI Transparency)", + "description": "Anbieter von GPAI-Modellen, die synthetische Inhalte erzeugen koennen, muessen sicherstellen, dass Ausgaben maschinenlesbar als KI-generiert gekennzeichnet werden.", + "applies_when": "GPAI model generates content", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.is_gpai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 50 Abs. 2" + }, + { + "norm": "AI Act", + "article": "Art. 
52" + } + ], + "category": "Technisch", + "responsible": "Entwicklung", + "priority": "hoch", + "evidence": [ + { + "name": "Content-Marking-Implementierung", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-080", + "title": "EU-Repraesentant benennen (Non-EU Anbieter)", + "description": "GPAI-Modell-Anbieter mit Sitz ausserhalb der EU muessen einen bevollmaechtigten Vertreter in der EU benennen.", + "applies_when": "GPAI provider outside EU", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.is_gpai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 54" + } + ], + "category": "Governance", + "responsible": "Legal", + "priority": "hoch", + "evidence": [ + { + "name": "Bevollmaechtigungsvertrag EU-Repraesentant", + "required": false + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" + }, + { + "id": "AIACT-OBL-081", + "title": "Codes of Practice einhalten oder alternative Massnahmen dokumentieren", + "description": "GPAI-Anbieter sollen sich an Codes of Practice halten. Wenn sie dies nicht tun, muessen sie alternative angemessene Massnahmen dokumentieren.", + "applies_when": "GPAI model provider", + "applies_when_condition": { + "all_of": [ + { + "field": "ai_usage.is_gpai", + "operator": "EQUALS", + "value": true + } + ] + }, + "legal_basis": [ + { + "norm": "AI Act", + "article": "Art. 56" + } + ], + "category": "Governance", + "responsible": "Compliance", + "priority": "mittel", + "evidence": [ + { + "name": "CoP-Teilnahme oder Alternative-Dokumentation", + "required": true + } + ], + "tom_control_ids": [], + "valid_from": "2025-08-02", + "version": "1.0" } ], "controls": [ 
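Review bot: The new entries AIACT-OBL-061 to AIACT-OBL-077 are labelled `"applies_when": "high-risk AI system"` but their `applies_when_condition` only tests `ai_usage.uses_ai`, so every Art. 9–15 duty (several marked `kritisch`) will be reported to any organisation that uses AI at all, whereas the existing high-risk entries in this file gate on `ai_usage.high_risk_ai` (plus `ai_usage.is_ai_provider` for provider duties); the condition field should read `"field": "ai_usage.high_risk_ai"`, with the provider clause added where the duty sits with the provider. The same entries also change the record shape relative to their siblings — `evidence` becomes an array of `{"name": ..., "required": true}` objects instead of strings, `sources` uses `"type": "regulation"` instead of `"article"`, `sanctions` and `valid_until` are omitted, and `tom_control_ids` reference ids such as `TOM.CRY.01` and `TOM.FAIR.01` that do not follow the `TOM.CRYPTO.*` pattern used elsewhere — so a loader typed against the older shape or the TOM mapping may reject this file; worth confirming against the obligation struct, which is outside this diff. The new `applies_when` values are free text ("system update", "GPAI provider outside EU") rather than the keys used elsewhere, and OBL-080's condition does not test for a non-EU seat despite its title. Two references look misplaced and should be verified: the six-month retention in OBL-071 is stated in Art. 19(1)/Art. 26(6) rather than Art. 12 Abs. 3, and `"valid_from": "2025-08-02"` on the high-risk entries may need the 2026-08-02 application date from Art. 113 (the GPAI entries 078–081 are correct with 2025-08-02). The obligations array this hunk extends starts before the hunk.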
@@ -1868,7 +3800,9 @@
 "description": "Fuehrung eines vollstaendigen Inventars aller KI-Systeme",
 "category": "Governance",
 "what_to_do": "Erfassung aller KI-Systeme mit Risikoeinstufung, Zweck, Anbieter, Betreiber",
- "iso27001_mapping": ["A.8.1"],
+ "iso27001_mapping": [
+ "A.8.1"
+ ],
 "priority": "kritisch"
 },
 {
@@ -1919,7 +3853,9 @@
 "content": "Meldung schwerwiegender Vorfaelle bei Hochrisiko-KI-Systemen: Tod oder schwere Gesundheitsschaeden, schwerwiegende Grundrechtsverletzungen, schwere Schaeden an Eigentum oder Umwelt.",
 "recipient": "Zustaendige Marktaufsichtsbehoerde",
 "legal_basis": [
- {"norm": "Art. 73 AI Act"}
+ {
+ "norm": "Art. 73 AI Act"
+ }
 ]
 },
 {
@@ -1928,7 +3864,9 @@
 "content": "Anbieter von Hochrisiko-KI melden Fehlfunktionen, die einen schwerwiegenden Vorfall darstellen koennten.",
 "recipient": "Marktaufsichtsbehoerde des Herkunftslandes",
 "legal_basis": [
- {"norm": "Art. 73 Abs. 1 AI Act"}
+ {
+ "norm": "Art. 73 Abs. 1 AI Act"
+ }
 ]
 }
 ]