Benjamin_Boenisch/breakpilot-compliance
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ddcd89f26deeea53116ac23e98e16c88f2ca752d
breakpilot-compliance/admin-compliance/lib/sdk/compliance-scope-triggers.ts
Sharang Parnerkar 911d872178 refactor(admin): split compliance-scope-engine.ts (1811 LOC) into focused modules 
Extract data constants and document-scope logic from the monolithic engine:
- compliance-scope-data.ts (133 LOC): score weights + answer multipliers
- compliance-scope-triggers.ts (823 LOC): 50 hard trigger rules (data table)
- compliance-scope-documents.ts (497 LOC): document scope, risk flags, gaps, actions, reasoning
- compliance-scope-engine.ts (406 LOC): core class with scoring + trigger evaluation

All logic files stay under the 500 LOC cap. The triggers file exceeds it
as a pure declarative data table with no logic.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-04-10 13:33:51 +02:00

824 lines
24 KiB
TypeScript
Raw Blame History

/**
* 50 Hard Trigger Rules — data table.
*
* This file legitimately exceeds 500 LOC because it is a pure data
* definition with no logic. Splitting it further would hurt readability.
*/
import type { HardTriggerRule } from './compliance-scope-types'
// ============================================================================
// 50 HARD TRIGGER RULES
// ============================================================================
export const HARD_TRIGGER_RULES: HardTriggerRule[] = [
// ========== A: Art. 9 Besondere Kategorien (9 rules) ==========
{
id: 'HT-A01',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'gesundheit',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung von Gesundheitsdaten',
},
{
id: 'HT-A02',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'biometrie',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung biometrischer Daten zur eindeutigen Identifizierung',
},
{
id: 'HT-A03',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'genetik',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung genetischer Daten',
},
{
id: 'HT-A04',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'politisch',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung politischer Meinungen',
},
{
id: 'HT-A05',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'religion',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung religiöser oder weltanschaulicher Überzeugungen',
},
{
id: 'HT-A06',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'gewerkschaft',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung von Gewerkschaftszugehörigkeit',
},
{
id: 'HT-A07',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'sexualleben',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung von Daten zum Sexualleben oder zur sexuellen Orientierung',
},
{
id: 'HT-A08',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'strafrechtlich',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 10 DSGVO',
description: 'Verarbeitung strafrechtlicher Verurteilungen',
},
{
id: 'HT-A09',
category: 'art9',
questionId: 'data_art9',
condition: 'CONTAINS',
conditionValue: 'ethnisch',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 Abs. 1 DSGVO',
description: 'Verarbeitung der rassischen oder ethnischen Herkunft',
},
// ========== B: Vulnerable Gruppen (3 rules) ==========
{
id: 'HT-B01',
category: 'vulnerable',
questionId: 'data_minors',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
legalReference: 'Art. 8 DSGVO',
description: 'Verarbeitung von Daten Minderjähriger',
},
{
id: 'HT-B02',
category: 'vulnerable',
questionId: 'data_minors',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L4',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'DSE'],
legalReference: 'Art. 8 + Art. 9 DSGVO',
description: 'Verarbeitung besonderer Kategorien von Daten Minderjähriger',
combineWithArt9: true,
},
{
id: 'HT-B03',
category: 'vulnerable',
questionId: 'data_minors',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L4',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
legalReference: 'Art. 8 DSGVO + AI Act',
description: 'KI-gestützte Verarbeitung von Daten Minderjähriger',
combineWithAI: true,
},
// ========== C: ADM/KI (6 rules) ==========
{
id: 'HT-C01',
category: 'adm',
questionId: 'proc_adm_scoring',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 22 DSGVO',
description: 'Automatisierte Einzelentscheidung mit Rechtswirkung oder erheblicher Beeinträchtigung',
},
{
id: 'HT-C02',
category: 'adm',
questionId: 'proc_ai_usage',
condition: 'CONTAINS',
conditionValue: 'autonom',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'AI_ACT_DOKU'],
legalReference: 'Art. 22 DSGVO + AI Act',
description: 'Autonome KI-Systeme mit Entscheidungsbefugnis',
},
{
id: 'HT-C03',
category: 'adm',
questionId: 'proc_ai_usage',
condition: 'CONTAINS',
conditionValue: 'scoring',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM'],
legalReference: 'Art. 22 DSGVO',
description: 'KI-gestütztes Scoring',
},
{
id: 'HT-C04',
category: 'adm',
questionId: 'proc_ai_usage',
condition: 'CONTAINS',
conditionValue: 'profiling',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 22 DSGVO',
description: 'KI-gestütztes Profiling mit erheblicher Wirkung',
},
{
id: 'HT-C05',
category: 'adm',
questionId: 'proc_ai_usage',
condition: 'CONTAINS',
conditionValue: 'generativ',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'AI_ACT_DOKU'],
legalReference: 'AI Act',
description: 'Generative KI-Systeme',
},
{
id: 'HT-C06',
category: 'adm',
questionId: 'proc_ai_usage',
condition: 'CONTAINS',
conditionValue: 'chatbot',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'AI_ACT_DOKU'],
legalReference: 'AI Act',
description: 'Chatbots mit Personendatenverarbeitung',
},
// ========== D: Überwachung (5 rules) ==========
{
id: 'HT-D01',
category: 'surveillance',
questionId: 'proc_video_surveillance',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'DSE'],
legalReference: 'Art. 6 DSGVO',
description: 'Videoüberwachung',
},
{
id: 'HT-D02',
category: 'surveillance',
questionId: 'proc_employee_monitoring',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 88 DSGVO + BetrVG',
description: 'Mitarbeiterüberwachung',
},
{
id: 'HT-D03',
category: 'surveillance',
questionId: 'proc_tracking',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'COOKIE_BANNER', 'EINWILLIGUNGEN'],
legalReference: 'Art. 6 DSGVO + ePrivacy',
description: 'Online-Tracking',
},
{
id: 'HT-D04',
category: 'surveillance',
questionId: 'proc_video_surveillance',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 35 Abs. 3 DSGVO',
description: 'Videoüberwachung kombiniert mit Mitarbeitermonitoring',
combineWithEmployeeMonitoring: true,
},
{
id: 'HT-D05',
category: 'surveillance',
questionId: 'proc_video_surveillance',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 35 Abs. 3 DSGVO',
description: 'Videoüberwachung kombiniert mit automatisierter Bewertung',
combineWithADM: true,
},
// ========== E: Drittland (5 rules) ==========
{
id: 'HT-E01',
category: 'third_country',
questionId: 'tech_third_country',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TRANSFER_DOKU'],
legalReference: 'Art. 44 ff. DSGVO',
description: 'Datenübermittlung in Drittland',
},
{
id: 'HT-E02',
category: 'third_country',
questionId: 'tech_hosting_location',
condition: 'EQUALS',
conditionValue: 'drittland',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU'],
legalReference: 'Art. 44 ff. DSGVO',
description: 'Hosting in Drittland',
},
{
id: 'HT-E03',
category: 'third_country',
questionId: 'tech_hosting_location',
condition: 'EQUALS',
conditionValue: 'us_adequacy',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['TRANSFER_DOKU'],
legalReference: 'Art. 45 DSGVO',
description: 'Hosting in USA mit Angemessenheitsbeschluss',
},
{
id: 'HT-E04',
category: 'third_country',
questionId: 'tech_third_country',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
legalReference: 'Art. 44 ff. + Art. 9 DSGVO',
description: 'Drittlandtransfer besonderer Kategorien',
combineWithArt9: true,
},
{
id: 'HT-E05',
category: 'third_country',
questionId: 'tech_third_country',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'TRANSFER_DOKU', 'DSFA'],
legalReference: 'Art. 44 ff. + Art. 8 DSGVO',
description: 'Drittlandtransfer von Daten Minderjähriger',
combineWithMinors: true,
},
// ========== F: Zertifizierung (5 rules) ==========
{
id: 'HT-F01',
category: 'certification',
questionId: 'org_cert_target',
condition: 'CONTAINS',
conditionValue: 'ISO27001',
minimumLevel: 'L4',
requiresDSFA: false,
mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
legalReference: 'ISO/IEC 27001',
description: 'Angestrebte ISO 27001 Zertifizierung',
},
{
id: 'HT-F02',
category: 'certification',
questionId: 'org_cert_target',
condition: 'CONTAINS',
conditionValue: 'ISO27701',
minimumLevel: 'L4',
requiresDSFA: false,
mandatoryDocuments: ['TOM', 'VVT', 'AUDIT_CHECKLIST'],
legalReference: 'ISO/IEC 27701',
description: 'Angestrebte ISO 27701 Zertifizierung',
},
{
id: 'HT-F03',
category: 'certification',
questionId: 'org_cert_target',
condition: 'CONTAINS',
conditionValue: 'SOC2',
minimumLevel: 'L4',
requiresDSFA: false,
mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
legalReference: 'SOC 2 Type II',
description: 'Angestrebte SOC 2 Zertifizierung',
},
{
id: 'HT-F04',
category: 'certification',
questionId: 'org_cert_target',
condition: 'CONTAINS',
conditionValue: 'TISAX',
minimumLevel: 'L4',
requiresDSFA: false,
mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST', 'VENDOR_MANAGEMENT'],
legalReference: 'TISAX',
description: 'Angestrebte TISAX Zertifizierung',
},
{
id: 'HT-F05',
category: 'certification',
questionId: 'org_cert_target',
condition: 'CONTAINS',
conditionValue: 'BSI-Grundschutz',
minimumLevel: 'L4',
requiresDSFA: false,
mandatoryDocuments: ['TOM', 'AUDIT_CHECKLIST'],
legalReference: 'BSI IT-Grundschutz',
description: 'Angestrebte BSI-Grundschutz Zertifizierung',
},
// ========== G: Volumen/Skala (5 rules) ==========
{
id: 'HT-G01',
category: 'scale',
questionId: 'data_volume',
condition: 'EQUALS',
conditionValue: '>1000000',
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'LOESCHKONZEPT'],
legalReference: 'Art. 35 Abs. 3 lit. b DSGVO',
description: 'Umfangreiche Verarbeitung personenbezogener Daten (>1 Mio. Datensätze)',
},
{
id: 'HT-G02',
category: 'scale',
questionId: 'data_volume',
condition: 'EQUALS',
conditionValue: '100000-1000000',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM'],
legalReference: 'Art. 35 Abs. 3 lit. b DSGVO',
description: 'Großvolumige Datenverarbeitung (100k-1M Datensätze)',
},
{
id: 'HT-G03',
category: 'scale',
questionId: 'org_customer_count',
condition: 'EQUALS',
conditionValue: '100000+',
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'DSR_PROZESS'],
legalReference: 'Art. 15-22 DSGVO',
description: 'Großer Kundenstamm (>100k) mit hoher Betroffenenanzahl',
},
{
id: 'HT-G04',
category: 'scale',
questionId: 'org_employee_count',
condition: 'GREATER_THAN',
conditionValue: 249,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'LOESCHKONZEPT', 'NOTFALLPLAN'],
legalReference: 'Art. 37 DSGVO',
description: 'Große Organisation (>250 Mitarbeiter) mit erhöhten Compliance-Anforderungen',
},
{
id: 'HT-G05',
category: 'scale',
questionId: 'org_employee_count',
condition: 'GREATER_THAN',
conditionValue: 999,
minimumLevel: 'L4',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'LOESCHKONZEPT'],
legalReference: 'Art. 35 + Art. 37 DSGVO',
description: 'Sehr große Organisation (>1000 Mitarbeiter) mit Art. 9 Daten',
combineWithArt9: true,
},
// ========== H: Produkt/Business (7 rules) ==========
{
id: 'HT-H01a',
category: 'product',
questionId: 'prod_webshop',
condition: 'EQUALS',
conditionValue: true,
excludeWhen: { questionId: 'org_business_model', value: 'B2B' },
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['DSE', 'AGB', 'COOKIE_BANNER', 'EINWILLIGUNGEN',
'WIDERRUFSBELEHRUNG', 'PREISANGABEN', 'FERNABSATZ_INFO', 'STREITBEILEGUNG'],
legalReference: 'Art. 6 DSGVO + Fernabsatzrecht + PAngV + VSBG',
description: 'E-Commerce / Webshop (B2C) — Verbraucherschutzpflichten',
},
{
id: 'HT-H01b',
category: 'product',
questionId: 'prod_webshop',
condition: 'EQUALS',
conditionValue: true,
requireWhen: { questionId: 'org_business_model', value: 'B2B' },
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['DSE', 'AGB', 'COOKIE_BANNER'],
legalReference: 'Art. 6 DSGVO + eCommerce',
description: 'E-Commerce / Webshop (B2B) — Basis-Pflichten',
},
{
id: 'HT-H02',
category: 'product',
questionId: 'prod_data_broker',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA', 'EINWILLIGUNGEN'],
legalReference: 'Art. 35 Abs. 3 DSGVO',
description: 'Datenhandel oder Datenmakler-Tätigkeit',
},
{
id: 'HT-H03',
category: 'product',
questionId: 'prod_api_external',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['TOM', 'AVV'],
legalReference: 'Art. 28 DSGVO',
description: 'Externe API mit Datenweitergabe',
},
{
id: 'HT-H04',
category: 'product',
questionId: 'org_business_model',
condition: 'EQUALS',
conditionValue: 'b2c',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['DSE', 'COOKIE_BANNER', 'EINWILLIGUNGEN'],
legalReference: 'Art. 6 DSGVO',
description: 'B2C-Geschäftsmodell mit Endkundenkontakt',
},
{
id: 'HT-H05',
category: 'product',
questionId: 'org_industry',
condition: 'EQUALS',
conditionValue: 'finance',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM'],
legalReference: 'Art. 6 DSGVO + Finanzaufsicht',
description: 'Finanzbranche mit erhöhten regulatorischen Anforderungen',
},
{
id: 'HT-H06',
category: 'product',
questionId: 'org_industry',
condition: 'EQUALS',
conditionValue: 'healthcare',
minimumLevel: 'L3',
requiresDSFA: true,
mandatoryDocuments: ['VVT', 'TOM', 'DSFA'],
legalReference: 'Art. 9 DSGVO + Gesundheitsrecht',
description: 'Gesundheitsbranche mit sensiblen Daten',
},
{
id: 'HT-H07',
category: 'product',
questionId: 'org_industry',
condition: 'EQUALS',
conditionValue: 'public',
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM', 'DSR_PROZESS'],
legalReference: 'Art. 6 Abs. 1 lit. e DSGVO',
description: 'Öffentlicher Sektor',
},
// ========== I: Prozessreife - Gap Flags (5 rules) ==========
{
id: 'HT-I01',
category: 'process_maturity',
questionId: 'proc_dsar_process',
condition: 'EQUALS',
conditionValue: false,
minimumLevel: 'L1',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'Art. 15-22 DSGVO',
description: 'Fehlender Prozess für Betroffenenrechte',
},
{
id: 'HT-I02',
category: 'process_maturity',
questionId: 'proc_deletion_concept',
condition: 'EQUALS',
conditionValue: false,
minimumLevel: 'L1',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'Art. 17 DSGVO',
description: 'Fehlendes Löschkonzept',
},
{
id: 'HT-I03',
category: 'process_maturity',
questionId: 'proc_incident_response',
condition: 'EQUALS',
conditionValue: false,
minimumLevel: 'L1',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'Art. 33 DSGVO',
description: 'Fehlender Incident-Response-Prozess',
},
{
id: 'HT-I04',
category: 'process_maturity',
questionId: 'proc_regular_audits',
condition: 'EQUALS',
conditionValue: false,
minimumLevel: 'L1',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'Art. 24 DSGVO',
description: 'Fehlende regelmäßige Audits',
},
{
id: 'HT-I05',
category: 'process_maturity',
questionId: 'comp_training',
condition: 'EQUALS',
conditionValue: false,
minimumLevel: 'L1',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'Art. 39 Abs. 1 lit. b DSGVO',
description: 'Fehlende Schulungen zum Datenschutz',
},
// ========== J: IACE — AI Act Produkt-Triggers (3 rules) ==========
{
id: 'HT-J01',
category: 'iace_ai_act_product',
questionId: 'machineBuilder.containsAI',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM'],
legalReference: 'EU AI Act Annex I + EU Maschinenverordnung 2023/1230',
description: 'KI mit Sicherheitsfunktion in Maschine → AI Act High-Risk',
combineWithMachineBuilder: { field: 'hasSafetyFunction', value: true },
riskWeight: 9,
},
{
id: 'HT-J02',
category: 'iace_ai_act_product',
questionId: 'machineBuilder.containsAI',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM'],
legalReference: 'EU AI Act + EU Maschinenverordnung 2023/1230',
description: 'Autonome KI in Maschine → AI Act + Maschinenverordnung',
combineWithMachineBuilder: { field: 'autonomousBehavior', value: true },
riskWeight: 8,
},
{
id: 'HT-J03',
category: 'iace_ai_act_product',
questionId: 'machineBuilder.hasSafetyFunction',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['VVT', 'TOM'],
legalReference: 'EU AI Act Annex III',
description: 'KI-Bildverarbeitung mit Sicherheitsbezug',
combineWithMachineBuilder: { field: 'aiIntegrationType', includes: 'vision' },
riskWeight: 8,
},
// ========== K: IACE — CRA Triggers (3 rules) ==========
{
id: 'HT-K01',
category: 'iace_cra',
questionId: 'machineBuilder.isNetworked',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['TOM'],
legalReference: 'EU Cyber Resilience Act (CRA)',
description: 'Vernetztes Produkt → Cyber Resilience Act',
riskWeight: 6,
},
{
id: 'HT-K02',
category: 'iace_cra',
questionId: 'machineBuilder.hasRemoteAccess',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['TOM'],
legalReference: 'CRA + NIS2 Art. 21',
description: 'Remote-Zugriff → CRA + NIS2 Supply Chain',
riskWeight: 7,
},
{
id: 'HT-K03',
category: 'iace_cra',
questionId: 'machineBuilder.hasOTAUpdates',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['TOM'],
legalReference: 'CRA Art. 10 - Patch Management',
description: 'OTA-Updates → CRA Patch Management Pflicht',
riskWeight: 7,
},
// ========== L: IACE — NIS2 indirekt (2 rules) ==========
{
id: 'HT-L01',
category: 'iace_nis2_indirect',
questionId: 'machineBuilder.criticalSectorClients',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['TOM'],
legalReference: 'NIS2 Art. 21 - Supply Chain',
description: 'Lieferant an KRITIS → NIS2 Supply Chain Anforderungen',
riskWeight: 7,
},
{
id: 'HT-L02',
category: 'iace_nis2_indirect',
questionId: 'machineBuilder.oemClients',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'NIS2 + EU Maschinenverordnung',
description: 'OEM-Zulieferer → Compliance-Nachweispflicht',
riskWeight: 5,
},
// ========== M: IACE — Maschinenverordnung Triggers (4 rules) ==========
{
id: 'HT-M01',
category: 'iace_machinery_regulation',
questionId: 'machineBuilder.containsSoftware',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: ['TOM'],
legalReference: 'EU Maschinenverordnung 2023/1230 Anhang III',
description: 'Software als Sicherheitskomponente → Maschinenverordnung',
combineWithMachineBuilder: { field: 'hasSafetyFunction', value: true },
riskWeight: 9,
},
{
id: 'HT-M02',
category: 'iace_machinery_regulation',
questionId: 'machineBuilder.ceMarkingRequired',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'EU Maschinenverordnung 2023/1230',
description: 'CE-Kennzeichnung erforderlich',
riskWeight: 6,
},
{
id: 'HT-M03',
category: 'iace_machinery_regulation',
questionId: 'machineBuilder.ceMarkingRequired',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L3',
requiresDSFA: false,
mandatoryDocuments: [],
legalReference: 'EU Maschinenverordnung 2023/1230 Art. 10',
description: 'CE ohne bestehende Risikobeurteilung → Dringend!',
combineWithMachineBuilder: { field: 'hasRiskAssessment', value: false },
riskWeight: 9,
},
{
id: 'HT-M04',
category: 'iace_machinery_regulation',
questionId: 'machineBuilder.containsFirmware',
condition: 'EQUALS',
conditionValue: true,
minimumLevel: 'L2',
requiresDSFA: false,
mandatoryDocuments: ['TOM'],
legalReference: 'EU Maschinenverordnung + CRA',
description: 'Firmware mit Remote-Update → Change Management Pflicht',
combineWithMachineBuilder: { field: 'hasOTAUpdates', value: true },
riskWeight: 7,
},
]
Reference in New Issue View Git Blame Copy Permalink