/**
 * Hard Trigger Rules — data table (historically titled "50 Hard Trigger Rules").
 *
 * This file legitimately exceeds 500 LOC because it is a pure data
 * definition with no logic. Splitting it further would hurt readability.
 *
 * NOTE(review): the array below holds 63 entries, not 50. Groups A–I contain
 * 51 entries (group H has 8 because HT-H01 exists as HT-H01a and HT-H01b) and
 * groups J–M add another 12. Anything that relies on the number 50 should be
 * checked against the actual array length.
 *
 * NOTE(review): this table decides compliance level, DSFA obligation and the
 * mandatory document set. A small consistency test (unique ids; `requiresDSFA`
 * agreeing with 'DSFA' in `mandatoryDocuments`; answer values spelled the same
 * way across rules) would catch the drift flagged in the comments below.
 */
import type { HardTriggerRule } from './compliance-scope-types'

// ============================================================================
// HARD TRIGGER RULES (63 entries, groups A–M)
// ============================================================================

/**
 * Ordered table of hard trigger rules.
 *
 * Each entry pairs a condition on one answer (`questionId`, `condition`,
 * `conditionValue`) with its consequences (`minimumLevel`, `requiresDSFA`,
 * `mandatoryDocuments`) and a human-readable `legalReference` / `description`.
 * Conditions used in this table: 'CONTAINS', 'EQUALS', 'GREATER_THAN'.
 * Levels used in this table: 'L1' to 'L4'.
 *
 * Optional qualifiers that appear on some entries: `combineWithArt9`,
 * `combineWithAI`, `combineWithADM`, `combineWithEmployeeMonitoring`,
 * `combineWithMinors`, `combineWithMachineBuilder`, `excludeWhen`,
 * `requireWhen`, and `riskWeight` (only on groups J–M).
 *
 * The code that evaluates this table is not part of this file. How the
 * qualifiers narrow a rule, whether string comparison is case-sensitive and
 * whether array order matters are assumptions to confirm against the
 * evaluator before editing values here.
 */
export const HARD_TRIGGER_RULES: HardTriggerRule[] = [
  // ========== A: Art. 9 special categories (9 rules) ==========
  {
    id: 'HT-A01',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'gesundheit',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung von Gesundheitsdaten',
  },
  {
    id: 'HT-A02',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'biometrie',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung biometrischer Daten zur eindeutigen Identifizierung',
  },
  {
    id: 'HT-A03',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'genetik',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung genetischer Daten',
  },
  {
    id: 'HT-A04',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'politisch',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung politischer Meinungen',
  },
  {
    id: 'HT-A05',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'religion',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung religiöser oder weltanschaulicher Überzeugungen',
  },
  {
    id: 'HT-A06',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'gewerkschaft',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung von Gewerkschaftszugehörigkeit',
  },
  {
    id: 'HT-A07',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'sexualleben',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung von Daten zum Sexualleben oder zur sexuellen Orientierung',
  },
  // This entry cites Art. 10 (criminal convictions) but lives in the 'art9'
  // category and reads the same `data_art9` answer as the Art. 9 entries.
  {
    id: 'HT-A08',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'strafrechtlich',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 10 DSGVO',
    description: 'Verarbeitung strafrechtlicher Verurteilungen',
  },
  {
    id: 'HT-A09',
    category: 'art9',
    questionId: 'data_art9',
    condition: 'CONTAINS',
    conditionValue: 'ethnisch',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 Abs. 1 DSGVO',
    description: 'Verarbeitung der rassischen oder ethnischen Herkunft',
  },

  // ========== B: Vulnerable groups (3 rules) ==========
  {
    id: 'HT-B01',
    category: 'vulnerable',
    questionId: 'data_minors',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
    legalReference: 'Art. 8 DSGVO',
    description: 'Verarbeitung von Daten Minderjähriger',
  },
  // NOTE(review): HT-B02 and HT-B03 repeat HT-B01's condition and differ only
  // by a combineWith* qualifier. Presumably the evaluator treats the qualifier
  // as an additional required condition; if it were ignored, every
  // data_minors = true answer would be raised to L4 — confirm. The same
  // pattern is used by HT-D04, HT-D05, HT-E04, HT-E05 and HT-G05.
  {
    id: 'HT-B02',
    category: 'vulnerable',
    questionId: 'data_minors',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L4',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
    legalReference: 'Art. 8 + Art. 9 DSGVO',
    description: 'Verarbeitung besonderer Kategorien von Daten Minderjähriger',
    combineWithArt9: true,
  },
  {
    id: 'HT-B03',
    category: 'vulnerable',
    questionId: 'data_minors',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L4',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
    legalReference: 'Art. 8 DSGVO + AI Act',
    description: 'KI-gestützte Verarbeitung von Daten Minderjähriger',
    combineWithAI: true,
  },

  // ========== C: ADM/AI (6 rules) ==========
  {
    id: 'HT-C01',
    category: 'adm',
    questionId: 'proc_adm_scoring',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 22 DSGVO',
    description: 'Automatisierte Einzelentscheidung mit Rechtswirkung oder erheblicher Beeinträchtigung',
  },
  {
    id: 'HT-C02',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'autonom',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
    legalReference: 'Art. 22 DSGVO + AI Act',
    description: 'Autonome KI-Systeme mit Entscheidungsbefugnis',
  },
  {
    id: 'HT-C03',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'scoring',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM'],
    legalReference: 'Art. 22 DSGVO',
    description: 'KI-gestütztes Scoring',
  },
  {
    id: 'HT-C04',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'profiling',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 22 DSGVO',
    description: 'KI-gestütztes Profiling mit erheblicher Wirkung',
  },
  {
    id: 'HT-C05',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'generativ',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'AI_ACT_DOKU'],
    legalReference: 'AI Act',
    description: 'Generative KI-Systeme',
  },
  {
    id: 'HT-C06',
    category: 'adm',
    questionId: 'proc_ai_usage',
    condition: 'CONTAINS',
    conditionValue: 'chatbot',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'AI_ACT_DOKU'],
    legalReference: 'AI Act',
    description: 'Chatbots mit Personendatenverarbeitung',
  },

  // ========== D: Surveillance (5 rules) ==========
  {
    id: 'HT-D01',
    category: 'surveillance',
    questionId: 'proc_video_surveillance',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'DSE'],
    legalReference: 'Art. 6 DSGVO',
    description: 'Videoüberwachung',
  },
  // NOTE(review): `requiresDSFA` is false although 'DSFA' is listed in
  // `mandatoryDocuments`. One of the two is presumably wrong — confirm which
  // field the evaluator and the document generator each rely on.
  {
    id: 'HT-D02',
    category: 'surveillance',
    questionId: 'proc_employee_monitoring',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 88 DSGVO + BetrVG',
    description: 'Mitarbeiterüberwachung',
  },
  {
    id: 'HT-D03',
    category: 'surveillance',
    questionId: 'proc_tracking',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'COOKIE_BANNER', 'EINWILLIGUNGEN'],
    legalReference: 'Art. 6 DSGVO + ePrivacy',
    description: 'Online-Tracking',
  },
  // Same base condition as HT-D01; differs only by the combineWith* qualifier.
  {
    id: 'HT-D04',
    category: 'surveillance',
    questionId: 'proc_video_surveillance',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 35 Abs. 3 DSGVO',
    description: 'Videoüberwachung kombiniert mit Mitarbeitermonitoring',
    combineWithEmployeeMonitoring: true,
  },
  // Same base condition as HT-D01; differs only by the combineWith* qualifier.
  {
    id: 'HT-D05',
    category: 'surveillance',
    questionId: 'proc_video_surveillance',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 35 Abs. 3 DSGVO',
    description: 'Videoüberwachung kombiniert mit automatisierter Bewertung',
    combineWithADM: true,
  },

  // ========== E: Third country (5 rules) ==========
  {
    id: 'HT-E01',
    category: 'third_country',
    questionId: 'tech_third_country',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TRANSFER_DOKU'],
    legalReference: 'Art. 44 ff. DSGVO',
    description: 'Datenübermittlung in Drittland',
  },
  {
    id: 'HT-E02',
    category: 'third_country',
    questionId: 'tech_hosting_location',
    condition: 'EQUALS',
    conditionValue: 'drittland',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU'],
    legalReference: 'Art. 44 ff. DSGVO',
    description: 'Hosting in Drittland',
  },
  {
    id: 'HT-E03',
    category: 'third_country',
    questionId: 'tech_hosting_location',
    condition: 'EQUALS',
    conditionValue: 'us_adequacy',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TRANSFER_DOKU'],
    legalReference: 'Art. 45 DSGVO',
    description: 'Hosting in USA mit Angemessenheitsbeschluss',
  },
  // NOTE(review): `requiresDSFA` is false although 'DSFA' is listed in
  // `mandatoryDocuments` — confirm which is intended.
  // Same base condition as HT-E01; differs only by the combineWith* qualifier.
  {
    id: 'HT-E04',
    category: 'third_country',
    questionId: 'tech_third_country',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
    legalReference: 'Art. 44 ff. + Art. 9 DSGVO',
    description: 'Drittlandtransfer besonderer Kategorien',
    combineWithArt9: true,
  },
  // NOTE(review): `requiresDSFA` is false although 'DSFA' is listed in
  // `mandatoryDocuments` — confirm which is intended.
  // Same base condition as HT-E01; differs only by the combineWith* qualifier.
  {
    id: 'HT-E05',
    category: 'third_country',
    questionId: 'tech_third_country',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
    legalReference: 'Art. 44 ff. + Art. 8 DSGVO',
    description: 'Drittlandtransfer von Daten Minderjähriger',
    combineWithMinors: true,
  },

  // ========== F: Certification (5 rules) ==========
  {
    id: 'HT-F01',
    category: 'certification',
    questionId: 'org_cert_target',
    condition: 'CONTAINS',
    conditionValue: 'ISO27001',
    minimumLevel: 'L4',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
    legalReference: 'ISO/IEC 27001',
    description: 'Angestrebte ISO 27001 Zertifizierung',
  },
  {
    id: 'HT-F02',
    category: 'certification',
    questionId: 'org_cert_target',
    condition: 'CONTAINS',
    conditionValue: 'ISO27701',
    minimumLevel: 'L4',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM', 'VVT', 'AUDIT_CHECKLIST'],
    legalReference: 'ISO/IEC 27701',
    description: 'Angestrebte ISO 27701 Zertifizierung',
  },
  {
    id: 'HT-F03',
    category: 'certification',
    questionId: 'org_cert_target',
    condition: 'CONTAINS',
    conditionValue: 'SOC2',
    minimumLevel: 'L4',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
    legalReference: 'SOC 2 Type II',
    description: 'Angestrebte SOC 2 Zertifizierung',
  },
  {
    id: 'HT-F04',
    category: 'certification',
    questionId: 'org_cert_target',
    condition: 'CONTAINS',
    conditionValue: 'TISAX',
    minimumLevel: 'L4',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST', 'VENDOR_MANAGEMENT'],
    legalReference: 'TISAX',
    description: 'Angestrebte TISAX Zertifizierung',
  },
  {
    id: 'HT-F05',
    category: 'certification',
    questionId: 'org_cert_target',
    condition: 'CONTAINS',
    conditionValue: 'BSI-Grundschutz',
    minimumLevel: 'L4',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
    legalReference: 'BSI IT-Grundschutz',
    description: 'Angestrebte BSI-Grundschutz Zertifizierung',
  },

  // ========== G: Volume/scale (5 rules) ==========
  // data_volume and org_customer_count are compared with EQUALS against range
  // labels ('>1000000', '100000-1000000', '100000+'), not against numbers.
  {
    id: 'HT-G01',
    category: 'scale',
    questionId: 'data_volume',
    condition: 'EQUALS',
    conditionValue: '>1000000',
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'LOESCHKONZEPT'],
    legalReference: 'Art. 35 Abs. 3 lit. b DSGVO',
    description: 'Umfangreiche Verarbeitung personenbezogener Daten (>1 Mio. Datensätze)',
  },
  {
    id: 'HT-G02',
    category: 'scale',
    questionId: 'data_volume',
    condition: 'EQUALS',
    conditionValue: '100000-1000000',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM'],
    legalReference: 'Art. 35 Abs. 3 lit. b DSGVO',
    description: 'Großvolumige Datenverarbeitung (100k-1M Datensätze)',
  },
  {
    id: 'HT-G03',
    category: 'scale',
    questionId: 'org_customer_count',
    condition: 'EQUALS',
    conditionValue: '100000+',
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'DSR_PROZESS'],
    legalReference: 'Art. 15-22 DSGVO',
    description: 'Großer Kundenstamm (>100k) mit hoher Betroffenenanzahl',
  },
  // NOTE(review): assuming GREATER_THAN is a strict numeric comparison, the
  // threshold 249 matches 250 employees and above, while the description text
  // says '>250' — confirm which boundary is intended.
  {
    id: 'HT-G04',
    category: 'scale',
    questionId: 'org_employee_count',
    condition: 'GREATER_THAN',
    conditionValue: 249,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'LOESCHKONZEPT', 'NOTFALLPLAN'],
    legalReference: 'Art. 37 DSGVO',
    description: 'Große Organisation (>250 Mitarbeiter) mit erhöhten Compliance-Anforderungen',
  },
  // NOTE(review): same boundary question as HT-G04 (999 vs. '>1000' in the
  // description). In addition `requiresDSFA` is false although 'DSFA' is
  // listed in `mandatoryDocuments` — confirm which is intended.
  {
    id: 'HT-G05',
    category: 'scale',
    questionId: 'org_employee_count',
    condition: 'GREATER_THAN',
    conditionValue: 999,
    minimumLevel: 'L4',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'LOESCHKONZEPT'],
    legalReference: 'Art. 35 + Art. 37 DSGVO',
    description: 'Sehr große Organisation (>1000 Mitarbeiter) mit Art. 9 Daten',
    combineWithArt9: true,
  },

  // ========== H: Product/business (8 rules: HT-H01a, HT-H01b, HT-H02 to HT-H07) ==========
  // HT-H01a and HT-H01b split the webshop rule on org_business_model:
  // HT-H01a carries `excludeWhen` 'B2B', HT-H01b carries `requireWhen` 'B2B'.
  {
    id: 'HT-H01a',
    category: 'product',
    questionId: 'prod_webshop',
    condition: 'EQUALS',
    conditionValue: true,
    excludeWhen: { questionId: 'org_business_model', value: 'B2B' },
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['DSE', 'AGB', 'COOKIE_BANNER', 'EINWILLIGUNGEN', 'WIDERRUFSBELEHRUNG', 'PREISANGABEN', 'FERNABSATZ_INFO', 'STREITBEILEGUNG'],
    legalReference: 'Art. 6 DSGVO + Fernabsatzrecht + PAngV + VSBG',
    description: 'E-Commerce / Webshop (B2C) — Verbraucherschutzpflichten',
  },
  {
    id: 'HT-H01b',
    category: 'product',
    questionId: 'prod_webshop',
    condition: 'EQUALS',
    conditionValue: true,
    requireWhen: { questionId: 'org_business_model', value: 'B2B' },
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['DSE', 'AGB', 'COOKIE_BANNER'],
    legalReference: 'Art. 6 DSGVO + eCommerce',
    description: 'E-Commerce / Webshop (B2B) — Basis-Pflichten',
  },
  {
    id: 'HT-H02',
    category: 'product',
    questionId: 'prod_data_broker',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'EINWILLIGUNGEN'],
    legalReference: 'Art. 35 Abs. 3 DSGVO',
    description: 'Datenhandel oder Datenmakler-Tätigkeit',
  },
  {
    id: 'HT-H03',
    category: 'product',
    questionId: 'prod_api_external',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM', 'AVV'],
    legalReference: 'Art. 28 DSGVO',
    description: 'Externe API mit Datenweitergabe',
  },
  // NOTE(review): 'b2c' is lower-case here, while HT-H01a / HT-H01b compare
  // the same question (org_business_model) against upper-case 'B2B'. Unless
  // the evaluator compares case-insensitively, one of the two spellings cannot
  // match the stored answer, and the affected rule would silently never fire
  // (or HT-H01a's exclusion would never apply) — confirm against the
  // questionnaire's answer values.
  {
    id: 'HT-H04',
    category: 'product',
    questionId: 'org_business_model',
    condition: 'EQUALS',
    conditionValue: 'b2c',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['DSE', 'COOKIE_BANNER', 'EINWILLIGUNGEN'],
    legalReference: 'Art. 6 DSGVO',
    description: 'B2C-Geschäftsmodell mit Endkundenkontakt',
  },
  {
    id: 'HT-H05',
    category: 'product',
    questionId: 'org_industry',
    condition: 'EQUALS',
    conditionValue: 'finance',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM'],
    legalReference: 'Art. 6 DSGVO + Finanzaufsicht',
    description: 'Finanzbranche mit erhöhten regulatorischen Anforderungen',
  },
  {
    id: 'HT-H06',
    category: 'product',
    questionId: 'org_industry',
    condition: 'EQUALS',
    conditionValue: 'healthcare',
    minimumLevel: 'L3',
    requiresDSFA: true,
    mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
    legalReference: 'Art. 9 DSGVO + Gesundheitsrecht',
    description: 'Gesundheitsbranche mit sensiblen Daten',
  },
  {
    id: 'HT-H07',
    category: 'product',
    questionId: 'org_industry',
    condition: 'EQUALS',
    conditionValue: 'public',
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM', 'DSR_PROZESS'],
    legalReference: 'Art. 6 Abs. 1 lit. e DSGVO',
    description: 'Öffentlicher Sektor',
  },

  // ========== I: Process maturity - gap flags (5 rules) ==========
  // These entries match on an answer of `false` (process missing), set the
  // lowest level used in this table ('L1') and list no mandatory documents.
  {
    id: 'HT-I01',
    category: 'process_maturity',
    questionId: 'proc_dsar_process',
    condition: 'EQUALS',
    conditionValue: false,
    minimumLevel: 'L1',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'Art. 15-22 DSGVO',
    description: 'Fehlender Prozess für Betroffenenrechte',
  },
  {
    id: 'HT-I02',
    category: 'process_maturity',
    questionId: 'proc_deletion_concept',
    condition: 'EQUALS',
    conditionValue: false,
    minimumLevel: 'L1',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'Art. 17 DSGVO',
    description: 'Fehlendes Löschkonzept',
  },
  {
    id: 'HT-I03',
    category: 'process_maturity',
    questionId: 'proc_incident_response',
    condition: 'EQUALS',
    conditionValue: false,
    minimumLevel: 'L1',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'Art. 33 DSGVO',
    description: 'Fehlender Incident-Response-Prozess',
  },
  {
    id: 'HT-I04',
    category: 'process_maturity',
    questionId: 'proc_regular_audits',
    condition: 'EQUALS',
    conditionValue: false,
    minimumLevel: 'L1',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'Art. 24 DSGVO',
    description: 'Fehlende regelmäßige Audits',
  },
  {
    id: 'HT-I05',
    category: 'process_maturity',
    questionId: 'comp_training',
    condition: 'EQUALS',
    conditionValue: false,
    minimumLevel: 'L1',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'Art. 39 Abs. 1 lit. b DSGVO',
    description: 'Fehlende Schulungen zum Datenschutz',
  },

  // ========== J: IACE — AI Act product triggers (3 rules) ==========
  // Groups J–M use dotted `machineBuilder.*` question ids, a
  // `combineWithMachineBuilder` qualifier ({ field, value } or
  // { field, includes }) and a numeric `riskWeight`; none of these appear in
  // groups A–I.
  // NOTE(review): HT-J01 to HT-J03 cite the AI Act in `legalReference` but,
  // unlike HT-B03, HT-C02, HT-C05 and HT-C06, do not list 'AI_ACT_DOKU' in
  // `mandatoryDocuments` — confirm this is intended.
  {
    id: 'HT-J01',
    category: 'iace_ai_act_product',
    questionId: 'machineBuilder.containsAI',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM'],
    legalReference: 'EU AI Act Annex I + EU Maschinenverordnung 2023/1230',
    description: 'KI mit Sicherheitsfunktion in Maschine → AI Act High-Risk',
    combineWithMachineBuilder: { field: 'hasSafetyFunction', value: true },
    riskWeight: 9,
  },
  {
    id: 'HT-J02',
    category: 'iace_ai_act_product',
    questionId: 'machineBuilder.containsAI',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM'],
    legalReference: 'EU AI Act + EU Maschinenverordnung 2023/1230',
    description: 'Autonome KI in Maschine → AI Act + Maschinenverordnung',
    combineWithMachineBuilder: { field: 'autonomousBehavior', value: true },
    riskWeight: 8,
  },
  // This entry keys on hasSafetyFunction plus aiIntegrationType including
  // 'vision'; it does not itself test machineBuilder.containsAI.
  {
    id: 'HT-J03',
    category: 'iace_ai_act_product',
    questionId: 'machineBuilder.hasSafetyFunction',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['VVT', 'TOM'],
    legalReference: 'EU AI Act Annex III',
    description: 'KI-Bildverarbeitung mit Sicherheitsbezug',
    combineWithMachineBuilder: { field: 'aiIntegrationType', includes: 'vision' },
    riskWeight: 8,
  },

  // ========== K: IACE — CRA triggers (3 rules) ==========
  {
    id: 'HT-K01',
    category: 'iace_cra',
    questionId: 'machineBuilder.isNetworked',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM'],
    legalReference: 'EU Cyber Resilience Act (CRA)',
    description: 'Vernetztes Produkt → Cyber Resilience Act',
    riskWeight: 6,
  },
  {
    id: 'HT-K02',
    category: 'iace_cra',
    questionId: 'machineBuilder.hasRemoteAccess',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM'],
    legalReference: 'CRA + NIS2 Art. 21',
    description: 'Remote-Zugriff → CRA + NIS2 Supply Chain',
    riskWeight: 7,
  },
  {
    id: 'HT-K03',
    category: 'iace_cra',
    questionId: 'machineBuilder.hasOTAUpdates',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM'],
    legalReference: 'CRA Art. 10 - Patch Management',
    description: 'OTA-Updates → CRA Patch Management Pflicht',
    riskWeight: 7,
  },

  // ========== L: IACE — NIS2 indirect (2 rules) ==========
  {
    id: 'HT-L01',
    category: 'iace_nis2_indirect',
    questionId: 'machineBuilder.criticalSectorClients',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM'],
    legalReference: 'NIS2 Art. 21 - Supply Chain',
    description: 'Lieferant an KRITIS → NIS2 Supply Chain Anforderungen',
    riskWeight: 7,
  },
  {
    id: 'HT-L02',
    category: 'iace_nis2_indirect',
    questionId: 'machineBuilder.oemClients',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'NIS2 + EU Maschinenverordnung',
    description: 'OEM-Zulieferer → Compliance-Nachweispflicht',
    riskWeight: 5,
  },

  // ========== M: IACE — Machinery Regulation triggers (4 rules) ==========
  {
    id: 'HT-M01',
    category: 'iace_machinery_regulation',
    questionId: 'machineBuilder.containsSoftware',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM'],
    legalReference: 'EU Maschinenverordnung 2023/1230 Anhang III',
    description: 'Software als Sicherheitskomponente → Maschinenverordnung',
    combineWithMachineBuilder: { field: 'hasSafetyFunction', value: true },
    riskWeight: 9,
  },
  {
    id: 'HT-M02',
    category: 'iace_machinery_regulation',
    questionId: 'machineBuilder.ceMarkingRequired',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'EU Maschinenverordnung 2023/1230',
    description: 'CE-Kennzeichnung erforderlich',
    riskWeight: 6,
  },
  // Same base condition as HT-M02; narrowed to the case where
  // hasRiskAssessment is false and raised to L3.
  {
    id: 'HT-M03',
    category: 'iace_machinery_regulation',
    questionId: 'machineBuilder.ceMarkingRequired',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L3',
    requiresDSFA: false,
    mandatoryDocuments: [],
    legalReference: 'EU Maschinenverordnung 2023/1230 Art. 10',
    description: 'CE ohne bestehende Risikobeurteilung → Dringend!',
    combineWithMachineBuilder: { field: 'hasRiskAssessment', value: false },
    riskWeight: 9,
  },
  {
    id: 'HT-M04',
    category: 'iace_machinery_regulation',
    questionId: 'machineBuilder.containsFirmware',
    condition: 'EQUALS',
    conditionValue: true,
    minimumLevel: 'L2',
    requiresDSFA: false,
    mandatoryDocuments: ['TOM'],
    legalReference: 'EU Maschinenverordnung + CRA',
    description: 'Firmware mit Remote-Update → Change Management Pflicht',
    combineWithMachineBuilder: { field: 'hasOTAUpdates', value: true },
    riskWeight: 7,
  },
]