From 83e32dc28913bcb11d6d85541e4c43eda89c9ae6 Mon Sep 17 00:00:00 2001
From: Benjamin Admin <benjaminadmin@MacBookPro.fritz.box>
Date: Mon, 9 Feb 2026 07:23:16 +0100
Subject: [PATCH] feat(sdk): Add DSFA (Art. 35 DSGVO) Editor and API Client
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Implements comprehensive Data Protection Impact Assessment tooling:
- 5-section wizard following Art. 35 DSGVO structure
- Interactive risk matrix with likelihood/impact scoring
- Mitigation management linked to risks
- DPO approval workflow (draft → in_review → approved/rejected)
- UCCA integration for auto-triggering DSFA from assessments
- Full TypeScript types and API client with 42 test cases

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
---
 admin-v2/app/(sdk)/sdk/dsfa/[id]/page.tsx     | 1340 +++++++++++++++++
 admin-v2/app/(sdk)/sdk/dsfa/page.tsx          |  548 +++++++
 admin-v2/lib/sdk/dsfa/__tests__/api.test.ts   |  355 +++++
 admin-v2/lib/sdk/dsfa/__tests__/types.test.ts |  255 ++++
 admin-v2/lib/sdk/dsfa/api.ts                  |  399 +++++
 admin-v2/lib/sdk/dsfa/index.ts                |    8 +
 admin-v2/lib/sdk/dsfa/types.ts                |  365 +++++
 ai-compliance-sdk/docs/DEVELOPER.md           | 1011 +++++++++++++
 8 files changed, 4281 insertions(+)
 create mode 100644 admin-v2/app/(sdk)/sdk/dsfa/[id]/page.tsx
 create mode 100644 admin-v2/app/(sdk)/sdk/dsfa/page.tsx
 create mode 100644 admin-v2/lib/sdk/dsfa/__tests__/api.test.ts
 create mode 100644 admin-v2/lib/sdk/dsfa/__tests__/types.test.ts
 create mode 100644 admin-v2/lib/sdk/dsfa/api.ts
 create mode 100644 admin-v2/lib/sdk/dsfa/index.ts
 create mode 100644 admin-v2/lib/sdk/dsfa/types.ts
 create mode 100644 ai-compliance-sdk/docs/DEVELOPER.md

diff --git a/admin-v2/app/(sdk)/sdk/dsfa/[id]/page.tsx b/admin-v2/app/(sdk)/sdk/dsfa/[id]/page.tsx
new file mode 100644
index 0000000..9f4f18a
--- /dev/null
+++ b/admin-v2/app/(sdk)/sdk/dsfa/[id]/page.tsx
@@ -0,0 +1,1340 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+import Link from 'next/link'
+import { useParams, useRouter } from 'next/navigation'
+import {
+  DSFA,
+  DSFARisk,
+  DSFAMitigation,
+  DSFA_SECTIONS,
+  DSFA_STATUS_LABELS,
+  DSFA_RISK_LEVEL_LABELS,
+  DSFA_LEGAL_BASES,
+  DSFA_AFFECTED_RIGHTS,
+  calculateRiskLevel,
+} from '@/lib/sdk/dsfa/types'
+import {
+  getDSFA,
+  updateDSFASection,
+  addDSFARisk,
+  removeDSFARisk,
+  addDSFAMitigation,
+  updateDSFAMitigationStatus,
+} from '@/lib/sdk/dsfa/api'
+import { RiskMatrix, ApprovalPanel } from '@/components/sdk/dsfa'
+
+// =============================================================================
+// SECTION EDITORS
+// =============================================================================
+
+interface SectionProps {
+  dsfa: DSFA
+  onUpdate: (data: Record<string, unknown>) => Promise<void>
+  isSubmitting: boolean
+}
+
+// Section 1: Systematische Beschreibung (Art. 35 Abs. 7 lit. a)
+function Section1Editor({ dsfa, onUpdate, isSubmitting }: SectionProps) {
+  const [formData, setFormData] = useState({
+    processing_description: dsfa.processing_description || '',
+    processing_purpose: dsfa.processing_purpose || '',
+    data_categories: dsfa.data_categories || [],
+    data_subjects: dsfa.data_subjects || [],
+    recipients: dsfa.recipients || [],
+    legal_basis: dsfa.legal_basis || '',
+    legal_basis_details: dsfa.legal_basis_details || '',
+  })
+  const [newCategory, setNewCategory] = useState('')
+  const [newSubject, setNewSubject] = useState('')
+  const [newRecipient, setNewRecipient] = useState('')
+
+  const handleSave = () => {
+    onUpdate(formData)
+  }
+
+  const addItem = (field: 'data_categories' | 'data_subjects' | 'recipients', value: string, setter: (v: string) => void) => {
+    if (value.trim()) {
+      setFormData(prev => ({
+        ...prev,
+        [field]: [...prev[field], value.trim()]
+      }))
+      setter('')
+    }
+  }
+
+  const removeItem = (field: 'data_categories' | 'data_subjects' | 'recipients', index: number) => {
+    setFormData(prev => ({
+      ...prev,
+      [field]: prev[field].filter((_, i) => i !== index)
+    }))
+  }
+
+  return (
+    <div className="space-y-6">
+      {/* Processing Purpose */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Verarbeitungszweck *
+        </label>
+        <textarea
+          value={formData.processing_purpose}
+          onChange={(e) => setFormData(prev => ({ ...prev, processing_purpose: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={3}
+          placeholder="Beschreiben Sie den Zweck der Datenverarbeitung..."
+        />
+      </div>
+
+      {/* Processing Description */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Beschreibung der Verarbeitung *
+        </label>
+        <textarea
+          value={formData.processing_description}
+          onChange={(e) => setFormData(prev => ({ ...prev, processing_description: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={4}
+          placeholder="Detaillierte Beschreibung der Verarbeitungsvorgaenge..."
+        />
+      </div>
+
+      {/* Data Categories */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Datenkategorien *
+        </label>
+        <div className="flex flex-wrap gap-2 mb-2">
+          {formData.data_categories.map((cat, idx) => (
+            <span key={idx} className="px-3 py-1 bg-blue-100 text-blue-700 rounded-full text-sm flex items-center gap-2">
+              {cat}
+              <button onClick={() => removeItem('data_categories', idx)} className="hover:text-blue-900">
+                <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+                </svg>
+              </button>
+            </span>
+          ))}
+        </div>
+        <div className="flex gap-2">
+          <input
+            type="text"
+            value={newCategory}
+            onChange={(e) => setNewCategory(e.target.value)}
+            onKeyPress={(e) => e.key === 'Enter' && addItem('data_categories', newCategory, setNewCategory)}
+            className="flex-1 px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+            placeholder="Kategorie hinzufuegen..."
+          />
+          <button
+            onClick={() => addItem('data_categories', newCategory, setNewCategory)}
+            className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700"
+          >
+            +
+          </button>
+        </div>
+      </div>
+
+      {/* Data Subjects */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Betroffene Personen *
+        </label>
+        <div className="flex flex-wrap gap-2 mb-2">
+          {formData.data_subjects.map((subj, idx) => (
+            <span key={idx} className="px-3 py-1 bg-green-100 text-green-700 rounded-full text-sm flex items-center gap-2">
+              {subj}
+              <button onClick={() => removeItem('data_subjects', idx)} className="hover:text-green-900">
+                <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+                </svg>
+              </button>
+            </span>
+          ))}
+        </div>
+        <div className="flex gap-2">
+          <input
+            type="text"
+            value={newSubject}
+            onChange={(e) => setNewSubject(e.target.value)}
+            onKeyPress={(e) => e.key === 'Enter' && addItem('data_subjects', newSubject, setNewSubject)}
+            className="flex-1 px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+            placeholder="z.B. Kunden, Mitarbeiter..."
+          />
+          <button
+            onClick={() => addItem('data_subjects', newSubject, setNewSubject)}
+            className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700"
+          >
+            +
+          </button>
+        </div>
+      </div>
+
+      {/* Recipients */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Empfaenger
+        </label>
+        <div className="flex flex-wrap gap-2 mb-2">
+          {formData.recipients.map((rec, idx) => (
+            <span key={idx} className="px-3 py-1 bg-orange-100 text-orange-700 rounded-full text-sm flex items-center gap-2">
+              {rec}
+              <button onClick={() => removeItem('recipients', idx)} className="hover:text-orange-900">
+                <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+                </svg>
+              </button>
+            </span>
+          ))}
+        </div>
+        <div className="flex gap-2">
+          <input
+            type="text"
+            value={newRecipient}
+            onChange={(e) => setNewRecipient(e.target.value)}
+            onKeyPress={(e) => e.key === 'Enter' && addItem('recipients', newRecipient, setNewRecipient)}
+            className="flex-1 px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+            placeholder="Empfaenger hinzufuegen..."
+          />
+          <button
+            onClick={() => addItem('recipients', newRecipient, setNewRecipient)}
+            className="px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700"
+          >
+            +
+          </button>
+        </div>
+      </div>
+
+      {/* Legal Basis */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Rechtsgrundlage *
+        </label>
+        <select
+          value={formData.legal_basis}
+          onChange={(e) => setFormData(prev => ({ ...prev, legal_basis: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+        >
+          <option value="">Bitte waehlen...</option>
+          {Object.entries(DSFA_LEGAL_BASES).map(([key, label]) => (
+            <option key={key} value={key}>{label}</option>
+          ))}
+        </select>
+      </div>
+
+      {/* Legal Basis Details */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Begruendung der Rechtsgrundlage
+        </label>
+        <textarea
+          value={formData.legal_basis_details}
+          onChange={(e) => setFormData(prev => ({ ...prev, legal_basis_details: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={3}
+          placeholder="Erlaeutern Sie, warum diese Rechtsgrundlage anwendbar ist..."
+        />
+      </div>
+
+      {/* Save Button */}
+      <div className="flex justify-end pt-4 border-t border-gray-200">
+        <button
+          onClick={handleSave}
+          disabled={isSubmitting}
+          className="px-6 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 transition-colors"
+        >
+          {isSubmitting ? 'Speichern...' : 'Abschnitt speichern'}
+        </button>
+      </div>
+    </div>
+  )
+}
+
+// Section 2: Notwendigkeit & Verhaeltnismaessigkeit (Art. 35 Abs. 7 lit. b)
+function Section2Editor({ dsfa, onUpdate, isSubmitting }: SectionProps) {
+  const [formData, setFormData] = useState({
+    necessity_assessment: dsfa.necessity_assessment || '',
+    proportionality_assessment: dsfa.proportionality_assessment || '',
+    data_minimization: dsfa.data_minimization || '',
+    alternatives_considered: dsfa.alternatives_considered || '',
+    retention_justification: dsfa.retention_justification || '',
+  })
+
+  const handleSave = () => {
+    onUpdate(formData)
+  }
+
+  return (
+    <div className="space-y-6">
+      {/* Necessity */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Notwendigkeit der Verarbeitung *
+        </label>
+        <p className="text-xs text-gray-500 mb-2">
+          Erklaeren Sie, warum die Verarbeitung fuer den angegebenen Zweck notwendig ist.
+        </p>
+        <textarea
+          value={formData.necessity_assessment}
+          onChange={(e) => setFormData(prev => ({ ...prev, necessity_assessment: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={4}
+          placeholder="Beschreiben Sie die Notwendigkeit..."
+        />
+      </div>
+
+      {/* Proportionality */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Verhaeltnismaessigkeit *
+        </label>
+        <p className="text-xs text-gray-500 mb-2">
+          Begruenden Sie, warum der Eingriff in die Rechte der Betroffenen verhaeltnismaessig ist.
+        </p>
+        <textarea
+          value={formData.proportionality_assessment}
+          onChange={(e) => setFormData(prev => ({ ...prev, proportionality_assessment: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={4}
+          placeholder="Beschreiben Sie die Verhaeltnismaessigkeit..."
+        />
+      </div>
+
+      {/* Data Minimization */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Datenminimierung
+        </label>
+        <p className="text-xs text-gray-500 mb-2">
+          Welche Massnahmen wurden ergriffen, um nur die notwendigen Daten zu erheben?
+        </p>
+        <textarea
+          value={formData.data_minimization}
+          onChange={(e) => setFormData(prev => ({ ...prev, data_minimization: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={3}
+          placeholder="Beschreiben Sie die Datenminimierungsmassnahmen..."
+        />
+      </div>
+
+      {/* Alternatives */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Gepruefe Alternativen
+        </label>
+        <p className="text-xs text-gray-500 mb-2">
+          Welche weniger eingriffsintensiven Alternativen wurden geprueft?
+        </p>
+        <textarea
+          value={formData.alternatives_considered}
+          onChange={(e) => setFormData(prev => ({ ...prev, alternatives_considered: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={3}
+          placeholder="Beschreiben Sie gepruefe Alternativen..."
+        />
+      </div>
+
+      {/* Retention */}
+      <div>
+        <label className="block text-sm font-medium text-gray-700 mb-2">
+          Speicherdauer / Loeschfristen
+        </label>
+        <textarea
+          value={formData.retention_justification}
+          onChange={(e) => setFormData(prev => ({ ...prev, retention_justification: e.target.value }))}
+          className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500 focus:border-transparent"
+          rows={3}
+          placeholder="Begruenden Sie die geplante Speicherdauer..."
+        />
+      </div>
+
+      {/* Save Button */}
+      <div className="flex justify-end pt-4 border-t border-gray-200">
+        <button
+          onClick={handleSave}
+          disabled={isSubmitting}
+          className="px-6 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 transition-colors"
+        >
+          {isSubmitting ? 'Speichern...' : 'Abschnitt speichern'}
+        </button>
+      </div>
+    </div>
+  )
+}
+
+// Section 3: Risikobewertung (Art. 35 Abs. 7 lit. c)
+function Section3Editor({ dsfa, onUpdate, isSubmitting }: SectionProps) {
+  const [selectedRisk, setSelectedRisk] = useState<DSFARisk | null>(null)
+  const [showAddRiskModal, setShowAddRiskModal] = useState(false)
+  const [newRiskLikelihood, setNewRiskLikelihood] = useState<'low' | 'medium' | 'high'>('medium')
+  const [newRiskImpact, setNewRiskImpact] = useState<'low' | 'medium' | 'high'>('medium')
+  const [affectedRights, setAffectedRights] = useState<string[]>(dsfa.affected_rights || [])
+
+  const handleAddRisk = (likelihood: 'low' | 'medium' | 'high', impact: 'low' | 'medium' | 'high') => {
+    setNewRiskLikelihood(likelihood)
+    setNewRiskImpact(impact)
+    setShowAddRiskModal(true)
+  }
+
+  const toggleAffectedRight = (rightId: string) => {
+    setAffectedRights(prev =>
+      prev.includes(rightId)
+        ? prev.filter(r => r !== rightId)
+        : [...prev, rightId]
+    )
+  }
+
+  const handleSaveSection = () => {
+    onUpdate({
+      affected_rights: affectedRights,
+      overall_risk_level: dsfa.overall_risk_level,
+    })
+  }
+
+  return (
+    <div className="space-y-6">
+      {/* Risk Matrix */}
+      <div className="bg-gray-50 rounded-xl p-6">
+        <RiskMatrix
+          risks={dsfa.risks || []}
+          onRiskSelect={(risk) => setSelectedRisk(risk)}
+          onAddRisk={handleAddRisk}
+          selectedRiskId={selectedRisk?.id}
+          readOnly={dsfa.status !== 'draft' && dsfa.status !== 'needs_update'}
+        />
+      </div>
+
+      {/* Triggered Rules from UCCA */}
+      {dsfa.triggered_rule_codes && dsfa.triggered_rule_codes.length > 0 && (
+        <div className="bg-red-50 border border-red-200 rounded-xl p-4">
+          <h4 className="text-sm font-medium text-red-800 mb-2">
+            DSFA-ausloesende Regeln (aus UCCA)
+          </h4>
+          <div className="flex flex-wrap gap-2">
+            {dsfa.triggered_rule_codes.map(code => (
+              <span key={code} className="px-2 py-1 bg-red-100 text-red-700 rounded text-xs">
+                {code}
+              </span>
+            ))}
+          </div>
+        </div>
+      )}
+
+      {/* Risk List */}
+      <div>
+        <h4 className="text-sm font-medium text-gray-700 mb-3">Identifizierte Risiken ({(dsfa.risks || []).length})</h4>
+        {(dsfa.risks || []).length === 0 ? (
+          <div className="text-center py-8 text-gray-500">
+            <svg className="w-12 h-12 mx-auto text-gray-300 mb-3" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+            </svg>
+            <p>Noch keine Risiken erfasst</p>
+            <p className="text-sm mt-1">Klicken Sie in der Matrix auf eine Zelle, um ein Risiko hinzuzufuegen.</p>
+          </div>
+        ) : (
+          <div className="space-y-3">
+            {(dsfa.risks || []).map(risk => {
+              const { level } = calculateRiskLevel(risk.likelihood, risk.impact)
+              const levelColors = {
+                low: 'bg-green-100 text-green-700 border-green-200',
+                medium: 'bg-yellow-100 text-yellow-700 border-yellow-200',
+                high: 'bg-orange-100 text-orange-700 border-orange-200',
+                very_high: 'bg-red-100 text-red-700 border-red-200',
+              }
+              return (
+                <div
+                  key={risk.id}
+                  className={`p-4 rounded-xl border cursor-pointer transition-all ${
+                    selectedRisk?.id === risk.id ? 'ring-2 ring-purple-500' : ''
+                  } ${levelColors[level]}`}
+                  onClick={() => setSelectedRisk(risk)}
+                >
+                  <div className="flex items-start justify-between">
+                    <div className="flex-1">
+                      <div className="font-medium">{risk.description}</div>
+                      <div className="text-sm mt-1 opacity-75">
+                        Kategorie: {risk.category === 'confidentiality' ? 'Vertraulichkeit' :
+                                    risk.category === 'integrity' ? 'Integritaet' :
+                                    risk.category === 'availability' ? 'Verfuegbarkeit' :
+                                    'Rechte & Freiheiten'}
+                      </div>
+                      <div className="text-sm opacity-75">
+                        Eintrittswahrscheinlichkeit: {risk.likelihood === 'low' ? 'Niedrig' : risk.likelihood === 'medium' ? 'Mittel' : 'Hoch'} |
+                        Auswirkung: {risk.impact === 'low' ? 'Niedrig' : risk.impact === 'medium' ? 'Mittel' : 'Hoch'}
+                      </div>
+                    </div>
+                    <span className={`px-2 py-1 rounded text-xs font-medium ${levelColors[level]}`}>
+                      {DSFA_RISK_LEVEL_LABELS[level]}
+                    </span>
+                  </div>
+                </div>
+              )
+            })}
+          </div>
+        )}
+      </div>
+
+      {/* Affected Rights */}
+      <div>
+        <h4 className="text-sm font-medium text-gray-700 mb-3">Betroffene Rechte & Freiheiten</h4>
+        <div className="grid grid-cols-2 gap-2">
+          {DSFA_AFFECTED_RIGHTS.map(right => (
+            <label
+              key={right.id}
+              className={`flex items-center gap-2 p-3 rounded-lg border cursor-pointer transition-colors ${
+                affectedRights.includes(right.id)
+                  ? 'bg-purple-50 border-purple-300'
+                  : 'bg-white border-gray-200 hover:bg-gray-50'
+              }`}
+            >
+              <input
+                type="checkbox"
+                checked={affectedRights.includes(right.id)}
+                onChange={() => toggleAffectedRight(right.id)}
+                className="rounded border-gray-300 text-purple-600 focus:ring-purple-500"
+              />
+              <span className="text-sm">{right.label}</span>
+            </label>
+          ))}
+        </div>
+      </div>
+
+      {/* Save Button */}
+      <div className="flex justify-end pt-4 border-t border-gray-200">
+        <button
+          onClick={handleSaveSection}
+          disabled={isSubmitting}
+          className="px-6 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 transition-colors"
+        >
+          {isSubmitting ? 'Speichern...' : 'Abschnitt speichern'}
+        </button>
+      </div>
+
+      {/* Add Risk Modal */}
+      {showAddRiskModal && (
+        <AddRiskModal
+          likelihood={newRiskLikelihood}
+          impact={newRiskImpact}
+          onClose={() => setShowAddRiskModal(false)}
+          onAdd={async (riskData) => {
+            // This would call the API
+            setShowAddRiskModal(false)
+          }}
+        />
+      )}
+    </div>
+  )
+}
+
+// Section 4: Abhilfemassnahmen (Art. 35 Abs. 7 lit. d)
+function Section4Editor({ dsfa, onUpdate, isSubmitting }: SectionProps) {
+  const [showAddMitigation, setShowAddMitigation] = useState(false)
+
+  const mitigationsByType = {
+    technical: (dsfa.mitigations || []).filter(m => m.type === 'technical'),
+    organizational: (dsfa.mitigations || []).filter(m => m.type === 'organizational'),
+    legal: (dsfa.mitigations || []).filter(m => m.type === 'legal'),
+  }
+
+  const getStatusBadge = (status: string) => {
+    const styles = {
+      planned: 'bg-gray-100 text-gray-600',
+      in_progress: 'bg-yellow-100 text-yellow-700',
+      implemented: 'bg-blue-100 text-blue-700',
+      verified: 'bg-green-100 text-green-700',
+    }
+    const labels = {
+      planned: 'Geplant',
+      in_progress: 'In Umsetzung',
+      implemented: 'Umgesetzt',
+      verified: 'Verifiziert',
+    }
+    return (
+      <span className={`px-2 py-1 rounded text-xs font-medium ${styles[status as keyof typeof styles] || styles.planned}`}>
+        {labels[status as keyof typeof labels] || status}
+      </span>
+    )
+  }
+
+  const renderMitigationSection = (
+    title: string,
+    icon: React.ReactNode,
+    mitigations: DSFAMitigation[],
+    bgColor: string
+  ) => (
+    <div>
+      <div className="flex items-center gap-2 mb-3">
+        {icon}
+        <h4 className="text-sm font-medium text-gray-700">{title} ({mitigations.length})</h4>
+      </div>
+      {mitigations.length === 0 ? (
+        <div className={`p-4 rounded-lg ${bgColor} text-center text-sm text-gray-500`}>
+          Keine Massnahmen definiert
+        </div>
+      ) : (
+        <div className="space-y-2">
+          {mitigations.map(m => (
+            <div key={m.id} className={`p-4 rounded-lg ${bgColor} border border-gray-200`}>
+              <div className="flex items-start justify-between">
+                <div className="flex-1">
+                  <div className="font-medium text-gray-900">{m.description}</div>
+                  <div className="text-sm text-gray-500 mt-1">
+                    Verantwortlich: {m.responsible_party || '-'}
+                    {m.tom_reference && ` | TOM: ${m.tom_reference}`}
+                  </div>
+                </div>
+                <div className="flex items-center gap-2">
+                  {getStatusBadge(m.status)}
+                </div>
+              </div>
+            </div>
+          ))}
+        </div>
+      )}
+    </div>
+  )
+
+  return (
+    <div className="space-y-6">
+      {/* Add Mitigation Button */}
+      <div className="flex justify-end">
+        <button
+          onClick={() => setShowAddMitigation(true)}
+          className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
+        >
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 4v16m8-8H4" />
+          </svg>
+          Massnahme hinzufuegen
+        </button>
+      </div>
+
+      {/* Technical Measures */}
+      {renderMitigationSection(
+        'Technische Massnahmen',
+        <svg className="w-5 h-5 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 3v2m6-2v2M9 19v2m6-2v2M5 9H3m2 6H3m18-6h-2m2 6h-2M7 19h10a2 2 0 002-2V7a2 2 0 00-2-2H7a2 2 0 00-2 2v10a2 2 0 002 2zM9 9h6v6H9V9z" />
+        </svg>,
+        mitigationsByType.technical,
+        'bg-blue-50'
+      )}
+
+      {/* Organizational Measures */}
+      {renderMitigationSection(
+        'Organisatorische Massnahmen',
+        <svg className="w-5 h-5 text-green-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M17 20h5v-2a3 3 0 00-5.356-1.857M17 20H7m10 0v-2c0-.656-.126-1.283-.356-1.857M7 20H2v-2a3 3 0 015.356-1.857M7 20v-2c0-.656.126-1.283.356-1.857m0 0a5.002 5.002 0 019.288 0M15 7a3 3 0 11-6 0 3 3 0 016 0zm6 3a2 2 0 11-4 0 2 2 0 014 0zM7 10a2 2 0 11-4 0 2 2 0 014 0z" />
+        </svg>,
+        mitigationsByType.organizational,
+        'bg-green-50'
+      )}
+
+      {/* Legal Measures */}
+      {renderMitigationSection(
+        'Rechtliche Massnahmen',
+        <svg className="w-5 h-5 text-purple-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M3 6l3 1m0 0l-3 9a5.002 5.002 0 006.001 0M6 7l3 9M6 7l6-2m6 2l3-1m-3 1l-3 9a5.002 5.002 0 006.001 0M18 7l3 9m-3-9l-6-2m0-2v2m0 16V5m0 16H9m3 0h3" />
+        </svg>,
+        mitigationsByType.legal,
+        'bg-purple-50'
+      )}
+
+      {/* TOM References */}
+      {dsfa.tom_references && dsfa.tom_references.length > 0 && (
+        <div className="bg-gray-50 rounded-xl p-4">
+          <h4 className="text-sm font-medium text-gray-700 mb-2">Verknuepfte TOM-Eintraege</h4>
+          <div className="flex flex-wrap gap-2">
+            {dsfa.tom_references.map((ref, idx) => (
+              <span key={idx} className="px-3 py-1 bg-white border border-gray-200 rounded-full text-sm text-gray-600">
+                {ref}
+              </span>
+            ))}
+          </div>
+        </div>
+      )}
+
+      {/* Add Mitigation Modal */}
+      {showAddMitigation && (
+        <AddMitigationModal
+          risks={dsfa.risks || []}
+          onClose={() => setShowAddMitigation(false)}
+          onAdd={async (mitigationData) => {
+            // This would call the API
+            setShowAddMitigation(false)
+          }}
+        />
+      )}
+    </div>
+  )
+}
+
+// Section 5: Stellungnahme DSB (Art. 35 Abs. 2 + Art. 36)
+function Section5Editor({ dsfa, onUpdate, isSubmitting }: SectionProps) {
+  const [formData, setFormData] = useState({
+    dpo_consulted: dsfa.dpo_consulted || false,
+    dpo_name: dsfa.dpo_name || '',
+    dpo_opinion: dsfa.dpo_opinion || '',
+    authority_consulted: dsfa.authority_consulted || false,
+    authority_reference: dsfa.authority_reference || '',
+    authority_decision: dsfa.authority_decision || '',
+  })
+
+  const handleSave = () => {
+    onUpdate(formData)
+  }
+
+  return (
+    <div className="space-y-6">
+      {/* DPO Consultation */}
+      <div className="bg-blue-50 border border-blue-200 rounded-xl p-6">
+        <div className="flex items-start gap-4">
+          <div className="w-12 h-12 bg-blue-100 rounded-full flex items-center justify-center flex-shrink-0">
+            <svg className="w-6 h-6 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M16 7a4 4 0 11-8 0 4 4 0 018 0zM12 14a7 7 0 00-7 7h14a7 7 0 00-7-7z" />
+            </svg>
+          </div>
+          <div className="flex-1">
+            <label className="flex items-center gap-3">
+              <input
+                type="checkbox"
+                checked={formData.dpo_consulted}
+                onChange={(e) => setFormData(prev => ({ ...prev, dpo_consulted: e.target.checked }))}
+                className="w-5 h-5 rounded border-gray-300 text-blue-600 focus:ring-blue-500"
+              />
+              <span className="font-medium text-blue-800">
+                Datenschutzbeauftragter wurde konsultiert
+              </span>
+            </label>
+            <p className="text-sm text-blue-600 mt-2">
+              Gemaess Art. 35 Abs. 2 DSGVO muss bei einer DSFA der Rat des DSB eingeholt werden.
+            </p>
+          </div>
+        </div>
+
+        {formData.dpo_consulted && (
+          <div className="mt-4 space-y-4 pt-4 border-t border-blue-200">
+            <div>
+              <label className="block text-sm font-medium text-blue-800 mb-2">
+                Name des DSB
+              </label>
+              <input
+                type="text"
+                value={formData.dpo_name}
+                onChange={(e) => setFormData(prev => ({ ...prev, dpo_name: e.target.value }))}
+                className="w-full px-4 py-2 border border-blue-300 rounded-lg focus:ring-2 focus:ring-blue-500 bg-white"
+                placeholder="Name des Datenschutzbeauftragten"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-blue-800 mb-2">
+                Stellungnahme des DSB
+              </label>
+              <textarea
+                value={formData.dpo_opinion}
+                onChange={(e) => setFormData(prev => ({ ...prev, dpo_opinion: e.target.value }))}
+                className="w-full px-4 py-3 border border-blue-300 rounded-lg focus:ring-2 focus:ring-blue-500 bg-white"
+                rows={4}
+                placeholder="Stellungnahme und Empfehlungen des DSB..."
+              />
+            </div>
+          </div>
+        )}
+      </div>
+
+      {/* Authority Consultation */}
+      <div className="bg-orange-50 border border-orange-200 rounded-xl p-6">
+        <div className="flex items-start gap-4">
+          <div className="w-12 h-12 bg-orange-100 rounded-full flex items-center justify-center flex-shrink-0">
+            <svg className="w-6 h-6 text-orange-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M19 21V5a2 2 0 00-2-2H7a2 2 0 00-2 2v16m14 0h2m-2 0h-5m-9 0H3m2 0h5M9 7h1m-1 4h1m4-4h1m-1 4h1m-5 10v-5a1 1 0 011-1h2a1 1 0 011 1v5m-4 0h4" />
+            </svg>
+          </div>
+          <div className="flex-1">
+            <label className="flex items-center gap-3">
+              <input
+                type="checkbox"
+                checked={formData.authority_consulted}
+                onChange={(e) => setFormData(prev => ({ ...prev, authority_consulted: e.target.checked }))}
+                className="w-5 h-5 rounded border-gray-300 text-orange-600 focus:ring-orange-500"
+              />
+              <span className="font-medium text-orange-800">
+                Aufsichtsbehoerde wurde konsultiert (Art. 36)
+              </span>
+            </label>
+            <p className="text-sm text-orange-600 mt-2">
+              Falls nach Durchfuehrung der Massnahmen weiterhin ein hohes Risiko besteht, ist die Aufsichtsbehoerde zu konsultieren.
+            </p>
+          </div>
+        </div>
+
+        {formData.authority_consulted && (
+          <div className="mt-4 space-y-4 pt-4 border-t border-orange-200">
+            <div>
+              <label className="block text-sm font-medium text-orange-800 mb-2">
+                Aktenzeichen / Referenz
+              </label>
+              <input
+                type="text"
+                value={formData.authority_reference}
+                onChange={(e) => setFormData(prev => ({ ...prev, authority_reference: e.target.value }))}
+                className="w-full px-4 py-2 border border-orange-300 rounded-lg focus:ring-2 focus:ring-orange-500 bg-white"
+                placeholder="Aktenzeichen der Behoerde"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-orange-800 mb-2">
+                Entscheidung der Behoerde
+              </label>
+              <textarea
+                value={formData.authority_decision}
+                onChange={(e) => setFormData(prev => ({ ...prev, authority_decision: e.target.value }))}
+                className="w-full px-4 py-3 border border-orange-300 rounded-lg focus:ring-2 focus:ring-orange-500 bg-white"
+                rows={4}
+                placeholder="Entscheidung und Auflagen der Aufsichtsbehoerde..."
+              />
+            </div>
+          </div>
+        )}
+      </div>
+
+      {/* Info Box */}
+      <div className="bg-gray-50 border border-gray-200 rounded-xl p-4">
+        <div className="flex items-start gap-3">
+          <svg className="w-5 h-5 text-gray-400 mt-0.5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M13 16h-1v-4h-1m1-4h.01M21 12a9 9 0 11-18 0 9 9 0 0118 0z" />
+          </svg>
+          <div className="text-sm text-gray-600">
+            <p className="font-medium text-gray-700 mb-1">Hinweis zur Konsultation</p>
+            <p>
+              Die Konsultation der Aufsichtsbehoerde ist nur erforderlich, wenn nach Umsetzung der
+              geplanten Massnahmen weiterhin ein hohes Risiko fuer die Rechte und Freiheiten der
+              betroffenen Personen besteht.
+            </p>
+          </div>
+        </div>
+      </div>
+
+      {/* Save Button */}
+      <div className="flex justify-end pt-4 border-t border-gray-200">
+        <button
+          onClick={handleSave}
+          disabled={isSubmitting}
+          className="px-6 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 disabled:opacity-50 transition-colors"
+        >
+          {isSubmitting ? 'Speichern...' : 'Abschnitt speichern'}
+        </button>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// MODALS
+// =============================================================================
+
+function AddRiskModal({
+  likelihood,
+  impact,
+  onClose,
+  onAdd,
+}: {
+  likelihood: 'low' | 'medium' | 'high'
+  impact: 'low' | 'medium' | 'high'
+  onClose: () => void
+  onAdd: (data: { category: string; description: string }) => void
+}) {
+  const [category, setCategory] = useState('confidentiality')
+  const [description, setDescription] = useState('')
+
+  const { level } = calculateRiskLevel(likelihood, impact)
+
+  return (
+    <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50">
+      <div className="bg-white rounded-xl p-6 max-w-lg w-full mx-4">
+        <h3 className="text-lg font-semibold text-gray-900 mb-4">Risiko hinzufuegen</h3>
+
+        <div className="mb-4 p-3 rounded-lg bg-gray-50">
+          <div className="text-sm text-gray-500">
+            Eintrittswahrscheinlichkeit: <span className="font-medium text-gray-700">{likelihood === 'low' ? 'Niedrig' : likelihood === 'medium' ? 'Mittel' : 'Hoch'}</span>
+            {' | '}
+            Auswirkung: <span className="font-medium text-gray-700">{impact === 'low' ? 'Niedrig' : impact === 'medium' ? 'Mittel' : 'Hoch'}</span>
+            {' | '}
+            Risikostufe: <span className="font-medium">{DSFA_RISK_LEVEL_LABELS[level]}</span>
+          </div>
+        </div>
+
+        <div className="space-y-4">
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-2">Kategorie</label>
+            <select
+              value={category}
+              onChange={(e) => setCategory(e.target.value)}
+              className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+            >
+              <option value="confidentiality">Vertraulichkeit</option>
+              <option value="integrity">Integritaet</option>
+              <option value="availability">Verfuegbarkeit</option>
+              <option value="rights_freedoms">Rechte & Freiheiten</option>
+            </select>
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-2">Beschreibung</label>
+            <textarea
+              value={description}
+              onChange={(e) => setDescription(e.target.value)}
+              className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+              rows={4}
+              placeholder="Beschreiben Sie das Risiko..."
+            />
+          </div>
+        </div>
+
+        <div className="flex gap-3 mt-6">
+          <button
+            onClick={onClose}
+            className="flex-1 py-2 px-4 border border-gray-300 rounded-lg text-gray-700 hover:bg-gray-50"
+          >
+            Abbrechen
+          </button>
+          <button
+            onClick={() => onAdd({ category, description })}
+            disabled={!description.trim()}
+            className="flex-1 py-2 px-4 bg-purple-600 text-white rounded-lg font-medium hover:bg-purple-700 disabled:opacity-50"
+          >
+            Hinzufuegen
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+function AddMitigationModal({
+  risks,
+  onClose,
+  onAdd,
+}: {
+  risks: DSFARisk[]
+  onClose: () => void
+  onAdd: (data: { risk_id: string; description: string; type: string; responsible_party: string }) => void
+}) {
+  const [riskId, setRiskId] = useState(risks[0]?.id || '')
+  const [type, setType] = useState('technical')
+  const [description, setDescription] = useState('')
+  const [responsibleParty, setResponsibleParty] = useState('')
+
+  return (
+    <div className="fixed inset-0 bg-black/50 flex items-center justify-center z-50">
+      <div className="bg-white rounded-xl p-6 max-w-lg w-full mx-4">
+        <h3 className="text-lg font-semibold text-gray-900 mb-4">Massnahme hinzufuegen</h3>
+
+        <div className="space-y-4">
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-2">Zugehoeriges Risiko</label>
+            <select
+              value={riskId}
+              onChange={(e) => setRiskId(e.target.value)}
+              className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+            >
+              {risks.map(risk => (
+                <option key={risk.id} value={risk.id}>
+                  {risk.description.substring(0, 50)}...
+                </option>
+              ))}
+            </select>
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-2">Typ</label>
+            <select
+              value={type}
+              onChange={(e) => setType(e.target.value)}
+              className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+            >
+              <option value="technical">Technisch</option>
+              <option value="organizational">Organisatorisch</option>
+              <option value="legal">Rechtlich</option>
+            </select>
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-2">Beschreibung</label>
+            <textarea
+              value={description}
+              onChange={(e) => setDescription(e.target.value)}
+              className="w-full px-4 py-3 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+              rows={3}
+              placeholder="Beschreiben Sie die Massnahme..."
+            />
+          </div>
+
+          <div>
+            <label className="block text-sm font-medium text-gray-700 mb-2">Verantwortlich</label>
+            <input
+              type="text"
+              value={responsibleParty}
+              onChange={(e) => setResponsibleParty(e.target.value)}
+              className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+              placeholder="Name oder Rolle..."
+            />
+          </div>
+        </div>
+
+        <div className="flex gap-3 mt-6">
+          <button
+            onClick={onClose}
+            className="flex-1 py-2 px-4 border border-gray-300 rounded-lg text-gray-700 hover:bg-gray-50"
+          >
+            Abbrechen
+          </button>
+          <button
+            onClick={() => onAdd({ risk_id: riskId, description, type, responsible_party: responsibleParty })}
+            disabled={!description.trim()}
+            className="flex-1 py-2 px-4 bg-purple-600 text-white rounded-lg font-medium hover:bg-purple-700 disabled:opacity-50"
+          >
+            Hinzufuegen
+          </button>
+        </div>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// MAIN PAGE
+// =============================================================================
+
+export default function DSFAEditorPage() {
+  const params = useParams()
+  const router = useRouter()
+  const dsfaId = params.id as string
+
+  const [dsfa, setDSFA] = useState<DSFA | null>(null)
+  const [isLoading, setIsLoading] = useState(true)
+  const [isSaving, setIsSaving] = useState(false)
+  const [activeSection, setActiveSection] = useState(1)
+  const [saveMessage, setSaveMessage] = useState<{ type: 'success' | 'error'; text: string } | null>(null)
+
+  // Load DSFA data
+  useEffect(() => {
+    const loadDSFA = async () => {
+      setIsLoading(true)
+      try {
+        const data = await getDSFA(dsfaId)
+        setDSFA(data)
+      } catch (error) {
+        console.error('Failed to load DSFA:', error)
+      } finally {
+        setIsLoading(false)
+      }
+    }
+    loadDSFA()
+  }, [dsfaId])
+
+  const handleSectionUpdate = useCallback(async (sectionNumber: number, data: Record<string, unknown>) => {
+    if (!dsfa) return
+
+    setIsSaving(true)
+    setSaveMessage(null)
+
+    try {
+      const updated = await updateDSFASection(dsfaId, sectionNumber, data)
+      setDSFA(updated)
+      setSaveMessage({ type: 'success', text: 'Abschnitt gespeichert' })
+      setTimeout(() => setSaveMessage(null), 3000)
+    } catch (error) {
+      console.error('Failed to update section:', error)
+      setSaveMessage({ type: 'error', text: 'Fehler beim Speichern' })
+    } finally {
+      setIsSaving(false)
+    }
+  }, [dsfa, dsfaId])
+
+  const handleSubmitForReview = async () => {
+    // Implementation would call submitDSFAForReview
+    alert('Zur Pruefung einreichen - Coming soon')
+  }
+
+  const handleApprove = async (opinion: string) => {
+    // Implementation would call approveDSFA
+    alert('Genehmigen - Coming soon')
+  }
+
+  const handleReject = async (reason: string) => {
+    // Implementation would call approveDSFA with approved: false
+    alert('Ablehnen - Coming soon')
+  }
+
+  if (isLoading) {
+    return (
+      <div className="flex items-center justify-center py-12">
+        <svg className="animate-spin w-8 h-8 text-purple-600" fill="none" viewBox="0 0 24 24">
+          <circle className="opacity-25" cx="12" cy="12" r="10" stroke="currentColor" strokeWidth="4" />
+          <path className="opacity-75" fill="currentColor" d="M4 12a8 8 0 018-8V0C5.373 0 0 5.373 0 12h4zm2 5.291A7.962 7.962 0 014 12H0c0 3.042 1.135 5.824 3 7.938l3-2.647z" />
+        </svg>
+      </div>
+    )
+  }
+
+  if (!dsfa) {
+    return (
+      <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+        <div className="w-16 h-16 mx-auto bg-red-100 rounded-full flex items-center justify-center mb-4">
+          <svg className="w-8 h-8 text-red-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+          </svg>
+        </div>
+        <h3 className="text-lg font-semibold text-gray-900">DSFA nicht gefunden</h3>
+        <p className="mt-2 text-gray-500">
+          Die angeforderte DSFA existiert nicht oder wurde geloescht.
+        </p>
+        <Link
+          href="/sdk/dsfa"
+          className="mt-4 inline-flex items-center gap-2 px-4 py-2 text-purple-600 hover:bg-purple-50 rounded-lg transition-colors"
+        >
+          <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 19l-7-7m0 0l7-7m-7 7h18" />
+          </svg>
+          Zurueck zur Uebersicht
+        </Link>
+      </div>
+    )
+  }
+
+  const sectionConfig = DSFA_SECTIONS.find(s => s.number === activeSection)
+  const statusColors: Record<string, string> = {
+    draft: 'bg-gray-100 text-gray-600',
+    in_review: 'bg-yellow-100 text-yellow-700',
+    approved: 'bg-green-100 text-green-700',
+    rejected: 'bg-red-100 text-red-700',
+    needs_update: 'bg-orange-100 text-orange-700',
+  }
+
+  return (
+    <div className="space-y-6">
+      {/* Header */}
+      <div className="flex items-center justify-between">
+        <div className="flex items-center gap-4">
+          <Link
+            href="/sdk/dsfa"
+            className="p-2 text-gray-500 hover:text-gray-700 hover:bg-gray-100 rounded-lg transition-colors"
+          >
+            <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M10 19l-7-7m0 0l7-7m-7 7h18" />
+            </svg>
+          </Link>
+          <div>
+            <div className="flex items-center gap-2">
+              <span className={`px-2 py-1 text-xs rounded-full ${statusColors[dsfa.status]}`}>
+                {DSFA_STATUS_LABELS[dsfa.status]}
+              </span>
+              <span className={`px-2 py-1 text-xs rounded-full ${
+                dsfa.overall_risk_level === 'low' ? 'bg-green-100 text-green-700' :
+                dsfa.overall_risk_level === 'medium' ? 'bg-yellow-100 text-yellow-700' :
+                dsfa.overall_risk_level === 'high' ? 'bg-orange-100 text-orange-700' :
+                'bg-red-100 text-red-700'
+              }`}>
+                Risiko: {DSFA_RISK_LEVEL_LABELS[dsfa.overall_risk_level]}
+              </span>
+              {dsfa.assessment_id && (
+                <span className="px-2 py-1 text-xs rounded-full bg-purple-100 text-purple-700">
+                  UCCA-verknuepft
+                </span>
+              )}
+            </div>
+            <h1 className="text-2xl font-bold text-gray-900 mt-1">{dsfa.name}</h1>
+            {dsfa.description && (
+              <p className="text-sm text-gray-500 mt-1">{dsfa.description}</p>
+            )}
+          </div>
+        </div>
+
+        {/* Save Message */}
+        {saveMessage && (
+          <div className={`px-4 py-2 rounded-lg text-sm ${
+            saveMessage.type === 'success'
+              ? 'bg-green-100 text-green-700'
+              : 'bg-red-100 text-red-700'
+          }`}>
+            {saveMessage.text}
+          </div>
+        )}
+      </div>
+
+      {/* Main Content: 2/3 + 1/3 Layout */}
+      <div className="grid grid-cols-1 lg:grid-cols-3 gap-6">
+        {/* Left Column - 2/3 */}
+        <div className="lg:col-span-2 space-y-6">
+          {/* Section Tabs */}
+          <div className="bg-white rounded-xl border border-gray-200">
+            <div className="border-b border-gray-200">
+              <nav className="flex -mb-px overflow-x-auto">
+                {DSFA_SECTIONS.map((section) => {
+                  const progress = dsfa.section_progress
+                  const isComplete = section.number === 1 ? progress.section_1_complete :
+                                     section.number === 2 ? progress.section_2_complete :
+                                     section.number === 3 ? progress.section_3_complete :
+                                     section.number === 4 ? progress.section_4_complete :
+                                     progress.section_5_complete
+
+                  return (
+                    <button
+                      key={section.number}
+                      onClick={() => setActiveSection(section.number)}
+                      className={`
+                        flex items-center gap-2 px-4 py-4 text-sm font-medium border-b-2 transition-colors whitespace-nowrap
+                        ${activeSection === section.number
+                          ? 'border-purple-600 text-purple-600'
+                          : 'border-transparent text-gray-500 hover:text-gray-700 hover:border-gray-300'
+                        }
+                      `}
+                    >
+                      <span className={`
+                        w-6 h-6 rounded-full flex items-center justify-center text-xs
+                        ${isComplete
+                          ? 'bg-green-100 text-green-600'
+                          : activeSection === section.number
+                            ? 'bg-purple-100 text-purple-600'
+                            : 'bg-gray-100 text-gray-500'
+                        }
+                      `}>
+                        {isComplete ? (
+                          <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+                          </svg>
+                        ) : (
+                          section.number
+                        )}
+                      </span>
+                      {section.titleDE}
+                      {!section.required && (
+                        <span className="text-xs text-gray-400">(optional)</span>
+                      )}
+                    </button>
+                  )
+                })}
+              </nav>
+            </div>
+
+            {/* Section Header */}
+            {sectionConfig && (
+              <div className="p-4 bg-gray-50 border-b border-gray-200">
+                <div className="flex items-start justify-between">
+                  <div>
+                    <h2 className="text-lg font-semibold text-gray-900">
+                      {sectionConfig.number}. {sectionConfig.titleDE}
+                    </h2>
+                    <p className="text-sm text-gray-500 mt-1">{sectionConfig.description}</p>
+                  </div>
+                  <span className="px-2 py-1 bg-blue-50 text-blue-600 rounded text-xs">
+                    {sectionConfig.gdprRef}
+                  </span>
+                </div>
+              </div>
+            )}
+
+            {/* Section Content */}
+            <div className="p-6">
+              {activeSection === 1 && (
+                <Section1Editor
+                  dsfa={dsfa}
+                  onUpdate={(data) => handleSectionUpdate(1, data)}
+                  isSubmitting={isSaving}
+                />
+              )}
+              {activeSection === 2 && (
+                <Section2Editor
+                  dsfa={dsfa}
+                  onUpdate={(data) => handleSectionUpdate(2, data)}
+                  isSubmitting={isSaving}
+                />
+              )}
+              {activeSection === 3 && (
+                <Section3Editor
+                  dsfa={dsfa}
+                  onUpdate={(data) => handleSectionUpdate(3, data)}
+                  isSubmitting={isSaving}
+                />
+              )}
+              {activeSection === 4 && (
+                <Section4Editor
+                  dsfa={dsfa}
+                  onUpdate={(data) => handleSectionUpdate(4, data)}
+                  isSubmitting={isSaving}
+                />
+              )}
+              {activeSection === 5 && (
+                <Section5Editor
+                  dsfa={dsfa}
+                  onUpdate={(data) => handleSectionUpdate(5, data)}
+                  isSubmitting={isSaving}
+                />
+              )}
+            </div>
+          </div>
+        </div>
+
+        {/* Right Column - 1/3 Sidebar */}
+        <div className="space-y-6">
+          {/* Approval Panel */}
+          <ApprovalPanel
+            dsfa={dsfa}
+            onSubmitForReview={handleSubmitForReview}
+            onApprove={handleApprove}
+            onReject={handleReject}
+            isSubmitting={isSaving}
+            userRole="editor"
+          />
+
+          {/* Quick Info */}
+          <div className="bg-white rounded-xl border border-gray-200 p-6">
+            <h3 className="text-sm font-medium text-gray-700 mb-4">Informationen</h3>
+            <div className="space-y-3 text-sm">
+              <div className="flex justify-between">
+                <span className="text-gray-500">Erstellt am</span>
+                <span className="text-gray-900">
+                  {new Date(dsfa.created_at).toLocaleDateString('de-DE')}
+                </span>
+              </div>
+              <div className="flex justify-between">
+                <span className="text-gray-500">Zuletzt aktualisiert</span>
+                <span className="text-gray-900">
+                  {new Date(dsfa.updated_at).toLocaleDateString('de-DE')}
+                </span>
+              </div>
+              <div className="flex justify-between">
+                <span className="text-gray-500">Risiken</span>
+                <span className="text-gray-900">{(dsfa.risks || []).length}</span>
+              </div>
+              <div className="flex justify-between">
+                <span className="text-gray-500">Massnahmen</span>
+                <span className="text-gray-900">{(dsfa.mitigations || []).length}</span>
+              </div>
+            </div>
+          </div>
+
+          {/* Export Options */}
+          <div className="bg-white rounded-xl border border-gray-200 p-6">
+            <h3 className="text-sm font-medium text-gray-700 mb-4">Export</h3>
+            <div className="space-y-2">
+              <button className="w-full flex items-center gap-3 px-4 py-2 text-left text-gray-700 hover:bg-gray-50 rounded-lg transition-colors">
+                <svg className="w-5 h-5 text-red-500" fill="currentColor" viewBox="0 0 24 24">
+                  <path d="M14 2H6a2 2 0 00-2 2v16a2 2 0 002 2h12a2 2 0 002-2V8l-6-6z"/>
+                  <path d="M14 2v6h6M16 13H8M16 17H8M10 9H8"/>
+                </svg>
+                Als PDF exportieren
+              </button>
+              <button className="w-full flex items-center gap-3 px-4 py-2 text-left text-gray-700 hover:bg-gray-50 rounded-lg transition-colors">
+                <svg className="w-5 h-5 text-blue-500" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M4 16v1a3 3 0 003 3h10a3 3 0 003-3v-1m-4-4l-4 4m0 0l-4-4m4 4V4" />
+                </svg>
+                Als JSON exportieren
+              </button>
+            </div>
+          </div>
+        </div>
+      </div>
+    </div>
+  )
+}
diff --git a/admin-v2/app/(sdk)/sdk/dsfa/page.tsx b/admin-v2/app/(sdk)/sdk/dsfa/page.tsx
new file mode 100644
index 0000000..20f6bdb
--- /dev/null
+++ b/admin-v2/app/(sdk)/sdk/dsfa/page.tsx
@@ -0,0 +1,548 @@
+'use client'
+
+import React, { useState, useEffect, useCallback } from 'react'
+import { useRouter } from 'next/navigation'
+import Link from 'next/link'
+import { useSDK } from '@/lib/sdk'
+import { StepHeader, STEP_EXPLANATIONS } from '@/components/sdk/StepHeader'
+import { DSFACard } from '@/components/sdk/dsfa'
+import {
+  DSFA,
+  DSFAStatus,
+  DSFA_STATUS_LABELS,
+  DSFA_RISK_LEVEL_LABELS,
+} from '@/lib/sdk/dsfa/types'
+import {
+  listDSFAs,
+  deleteDSFA,
+  exportDSFAAsJSON,
+  getDSFAStats,
+  createDSFAFromAssessment,
+  getDSFAByAssessment,
+} from '@/lib/sdk/dsfa/api'
+
+// =============================================================================
+// UCCA TRIGGER WARNING COMPONENT
+// =============================================================================
+
+interface UCCATriggerWarningProps {
+  assessmentId: string
+  triggeredRules: string[]
+  existingDsfaId?: string
+  onCreateDSFA: () => void
+}
+
+function UCCATriggerWarning({
+  assessmentId,
+  triggeredRules,
+  existingDsfaId,
+  onCreateDSFA,
+}: UCCATriggerWarningProps) {
+  if (existingDsfaId) {
+    return (
+      <div className="bg-blue-50 border border-blue-200 rounded-xl p-4 flex items-start gap-4">
+        <div className="w-10 h-10 bg-blue-100 rounded-full flex items-center justify-center flex-shrink-0">
+          <svg className="w-5 h-5 text-blue-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12l2 2 4-4m6 2a9 9 0 11-18 0 9 9 0 0118 0z" />
+          </svg>
+        </div>
+        <div className="flex-1">
+          <h4 className="font-medium text-blue-800">DSFA bereits erstellt</h4>
+          <p className="text-sm text-blue-600 mt-1">
+            Fuer dieses Assessment wurde bereits eine DSFA angelegt.
+          </p>
+          <Link
+            href={`/sdk/dsfa/${existingDsfaId}`}
+            className="inline-flex items-center gap-1 mt-2 text-sm text-blue-700 hover:text-blue-800 font-medium"
+          >
+            DSFA oeffnen
+            <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5l7 7-7 7" />
+            </svg>
+          </Link>
+        </div>
+      </div>
+    )
+  }
+
+  return (
+    <div className="bg-orange-50 border border-orange-200 rounded-xl p-4 flex items-start gap-4">
+      <div className="w-10 h-10 bg-orange-100 rounded-full flex items-center justify-center flex-shrink-0">
+        <svg className="w-5 h-5 text-orange-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+          <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 9v2m0 4h.01m-6.938 4h13.856c1.54 0 2.502-1.667 1.732-3L13.732 4c-.77-1.333-2.694-1.333-3.464 0L3.34 16c-.77 1.333.192 3 1.732 3z" />
+        </svg>
+      </div>
+      <div className="flex-1">
+        <h4 className="font-medium text-orange-800">DSFA erforderlich</h4>
+        <p className="text-sm text-orange-600 mt-1">
+          Das UCCA-Assessment hat folgende Trigger ausgeloest:
+        </p>
+        <div className="flex flex-wrap gap-1 mt-2">
+          {triggeredRules.map(rule => (
+            <span key={rule} className="px-2 py-0.5 text-xs bg-orange-100 text-orange-700 rounded">
+              {rule}
+            </span>
+          ))}
+        </div>
+        <button
+          onClick={onCreateDSFA}
+          className="inline-flex items-center gap-1 mt-3 px-4 py-2 bg-orange-600 text-white rounded-lg hover:bg-orange-700 transition-colors text-sm font-medium"
+        >
+          DSFA aus Assessment erstellen
+          <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 5l7 7-7 7" />
+          </svg>
+        </button>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// GENERATOR WIZARD COMPONENT
+// =============================================================================
+
+function GeneratorWizard({ onClose, onCreated }: { onClose: () => void; onCreated: (dsfa: DSFA) => void }) {
+  const [step, setStep] = useState(1)
+  const [formData, setFormData] = useState({
+    name: '',
+    description: '',
+    processingPurpose: '',
+    dataCategories: [] as string[],
+    legalBasis: '',
+  })
+  const [isSubmitting, setIsSubmitting] = useState(false)
+
+  const DATA_CATEGORIES = [
+    'Kontaktdaten',
+    'Identifikationsdaten',
+    'Finanzdaten',
+    'Gesundheitsdaten',
+    'Standortdaten',
+    'Nutzungsdaten',
+    'Biometrische Daten',
+    'Daten Minderjaehriger',
+  ]
+
+  const LEGAL_BASES = [
+    { value: 'consent', label: 'Einwilligung (Art. 6 Abs. 1 lit. a)' },
+    { value: 'contract', label: 'Vertrag (Art. 6 Abs. 1 lit. b)' },
+    { value: 'legal_obligation', label: 'Rechtliche Verpflichtung (Art. 6 Abs. 1 lit. c)' },
+    { value: 'legitimate_interest', label: 'Berechtigtes Interesse (Art. 6 Abs. 1 lit. f)' },
+  ]
+
+  const handleCategoryToggle = (cat: string) => {
+    setFormData(prev => ({
+      ...prev,
+      dataCategories: prev.dataCategories.includes(cat)
+        ? prev.dataCategories.filter(c => c !== cat)
+        : [...prev.dataCategories, cat],
+    }))
+  }
+
+  const handleSubmit = async () => {
+    setIsSubmitting(true)
+    try {
+      // For standalone DSFA, we use the regular create endpoint
+      const response = await fetch('/api/sdk/v1/dsgvo/dsfas', {
+        method: 'POST',
+        headers: { 'Content-Type': 'application/json' },
+        body: JSON.stringify({
+          name: formData.name,
+          description: formData.description,
+          processing_purpose: formData.processingPurpose,
+          data_categories: formData.dataCategories,
+          legal_basis: formData.legalBasis,
+          status: 'draft',
+        }),
+      })
+      if (response.ok) {
+        const dsfa = await response.json()
+        onCreated(dsfa)
+        onClose()
+      }
+    } catch (error) {
+      console.error('Failed to create DSFA:', error)
+    } finally {
+      setIsSubmitting(false)
+    }
+  }
+
+  return (
+    <div className="bg-white rounded-xl border border-gray-200 p-6">
+      <div className="flex items-center justify-between mb-6">
+        <h3 className="text-lg font-semibold text-gray-900">Neue Standalone-DSFA erstellen</h3>
+        <button onClick={onClose} className="text-gray-400 hover:text-gray-600">
+          <svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+            <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+          </svg>
+        </button>
+      </div>
+
+      {/* Progress Steps */}
+      <div className="flex items-center gap-2 mb-6">
+        {[1, 2, 3].map(s => (
+          <React.Fragment key={s}>
+            <div className={`w-8 h-8 rounded-full flex items-center justify-center text-sm font-medium ${
+              s < step ? 'bg-green-500 text-white' :
+              s === step ? 'bg-purple-600 text-white' : 'bg-gray-200 text-gray-500'
+            }`}>
+              {s < step ? (
+                <svg className="w-4 h-4" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M5 13l4 4L19 7" />
+                </svg>
+              ) : s}
+            </div>
+            {s < 3 && <div className={`flex-1 h-1 ${s < step ? 'bg-green-500' : 'bg-gray-200'}`} />}
+          </React.Fragment>
+        ))}
+      </div>
+
+      {/* Step Content */}
+      <div className="min-h-48">
+        {step === 1 && (
+          <div className="space-y-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Titel der DSFA *</label>
+              <input
+                type="text"
+                value={formData.name}
+                onChange={(e) => setFormData(prev => ({ ...prev, name: e.target.value }))}
+                placeholder="z.B. DSFA - Mitarbeiter-Monitoring"
+                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Beschreibung der Verarbeitung</label>
+              <textarea
+                value={formData.description}
+                onChange={(e) => setFormData(prev => ({ ...prev, description: e.target.value }))}
+                rows={3}
+                placeholder="Beschreiben Sie die geplante Datenverarbeitung..."
+                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+              />
+            </div>
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-1">Verarbeitungszweck</label>
+              <input
+                type="text"
+                value={formData.processingPurpose}
+                onChange={(e) => setFormData(prev => ({ ...prev, processingPurpose: e.target.value }))}
+                placeholder="z.B. Automatisierte Bewerberauswahl"
+                className="w-full px-4 py-2 border border-gray-300 rounded-lg focus:ring-2 focus:ring-purple-500"
+              />
+            </div>
+          </div>
+        )}
+        {step === 2 && (
+          <div className="space-y-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-2">Datenkategorien *</label>
+              <div className="grid grid-cols-2 gap-2">
+                {DATA_CATEGORIES.map(cat => (
+                  <label key={cat} className="flex items-center gap-2 p-2 border rounded-lg hover:bg-gray-50">
+                    <input
+                      type="checkbox"
+                      checked={formData.dataCategories.includes(cat)}
+                      onChange={() => handleCategoryToggle(cat)}
+                      className="w-4 h-4 text-purple-600"
+                    />
+                    <span className="text-sm">{cat}</span>
+                  </label>
+                ))}
+              </div>
+            </div>
+          </div>
+        )}
+        {step === 3 && (
+          <div className="space-y-4">
+            <div>
+              <label className="block text-sm font-medium text-gray-700 mb-2">Rechtsgrundlage *</label>
+              <div className="space-y-2">
+                {LEGAL_BASES.map(basis => (
+                  <label key={basis.value} className="flex items-center gap-3 p-3 border rounded-lg hover:bg-gray-50 cursor-pointer">
+                    <input
+                      type="radio"
+                      name="legalBasis"
+                      value={basis.value}
+                      checked={formData.legalBasis === basis.value}
+                      onChange={(e) => setFormData(prev => ({ ...prev, legalBasis: e.target.value }))}
+                      className="w-4 h-4 text-purple-600"
+                    />
+                    <span className="text-sm font-medium">{basis.label}</span>
+                  </label>
+                ))}
+              </div>
+            </div>
+          </div>
+        )}
+      </div>
+
+      {/* Navigation */}
+      <div className="flex items-center justify-between mt-6 pt-4 border-t border-gray-200">
+        <button
+          onClick={() => step > 1 ? setStep(step - 1) : onClose()}
+          className="px-4 py-2 text-gray-600 hover:bg-gray-100 rounded-lg transition-colors"
+        >
+          {step === 1 ? 'Abbrechen' : 'Zurueck'}
+        </button>
+        <button
+          onClick={() => step < 3 ? setStep(step + 1) : handleSubmit()}
+          disabled={(step === 1 && !formData.name) || (step === 2 && formData.dataCategories.length === 0) || (step === 3 && !formData.legalBasis) || isSubmitting}
+          className="px-6 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors disabled:bg-gray-300 disabled:cursor-not-allowed"
+        >
+          {isSubmitting ? 'Wird erstellt...' : step === 3 ? 'DSFA erstellen' : 'Weiter'}
+        </button>
+      </div>
+    </div>
+  )
+}
+
+// =============================================================================
+// MAIN PAGE
+// =============================================================================
+
+export default function DSFAPage() {
+  const router = useRouter()
+  const { state } = useSDK()
+  const [dsfas, setDsfas] = useState<DSFA[]>([])
+  const [showGenerator, setShowGenerator] = useState(false)
+  const [filter, setFilter] = useState<string>('all')
+  const [isLoading, setIsLoading] = useState(true)
+  const [stats, setStats] = useState({
+    total: 0,
+    draft: 0,
+    in_review: 0,
+    approved: 0,
+  })
+
+  // UCCA trigger info (would come from SDK state)
+  const [uccaTrigger, setUccaTrigger] = useState<{
+    assessmentId: string
+    triggeredRules: string[]
+    existingDsfaId?: string
+  } | null>(null)
+
+  // Load DSFAs
+  const loadDSFAs = useCallback(async () => {
+    setIsLoading(true)
+    try {
+      const [dsfaList, statsData] = await Promise.all([
+        listDSFAs(filter === 'all' ? undefined : filter),
+        getDSFAStats(),
+      ])
+      setDsfas(dsfaList)
+      setStats({
+        total: statsData.total,
+        draft: statsData.status_stats.draft || 0,
+        in_review: statsData.status_stats.in_review || 0,
+        approved: statsData.status_stats.approved || 0,
+      })
+    } catch (error) {
+      console.error('Failed to load DSFAs:', error)
+      // Set empty state on error
+      setDsfas([])
+    } finally {
+      setIsLoading(false)
+    }
+  }, [filter])
+
+  useEffect(() => {
+    loadDSFAs()
+  }, [loadDSFAs])
+
+  // Check for UCCA trigger from SDK state
+  // TODO: Enable when UCCA integration is complete
+  // useEffect(() => {
+  //   if (state?.uccaAssessment?.dsfa_recommended) {
+  //     const assessmentId = state.uccaAssessment.id
+  //     const triggeredRules = state.uccaAssessment.triggered_rules
+  //       ?.filter((r: { severity: string }) => r.severity === 'BLOCK' || r.severity === 'WARN')
+  //       ?.map((r: { code: string }) => r.code) || []
+  //
+  //     // Check if DSFA already exists
+  //     getDSFAByAssessment(assessmentId).then(existingDsfa => {
+  //       setUccaTrigger({
+  //         assessmentId,
+  //         triggeredRules,
+  //         existingDsfaId: existingDsfa?.id,
+  //       })
+  //     })
+  //   }
+  // }, [state?.uccaAssessment])
+
+  // Handle delete
+  const handleDelete = async (id: string) => {
+    if (confirm('Moechten Sie diese DSFA wirklich loeschen?')) {
+      try {
+        await deleteDSFA(id)
+        await loadDSFAs()
+      } catch (error) {
+        console.error('Failed to delete DSFA:', error)
+      }
+    }
+  }
+
+  // Handle export
+  const handleExport = async (id: string) => {
+    try {
+      const blob = await exportDSFAAsJSON(id)
+      const url = URL.createObjectURL(blob)
+      const a = document.createElement('a')
+      a.href = url
+      a.download = `dsfa_${id.slice(0, 8)}.json`
+      a.click()
+      URL.revokeObjectURL(url)
+    } catch (error) {
+      console.error('Failed to export DSFA:', error)
+    }
+  }
+
+  // Handle create from assessment
+  const handleCreateFromAssessment = async () => {
+    if (!uccaTrigger?.assessmentId) return
+
+    try {
+      const response = await createDSFAFromAssessment(uccaTrigger.assessmentId)
+      router.push(`/sdk/dsfa/${response.dsfa.id}`)
+    } catch (error) {
+      console.error('Failed to create DSFA from assessment:', error)
+    }
+  }
+
+  const filteredDSFAs = filter === 'all'
+    ? dsfas
+    : dsfas.filter(d => d.status === filter)
+
+  const stepInfo = STEP_EXPLANATIONS['dsfa']
+
+  return (
+    <div className="space-y-6">
+      {/* Step Header */}
+      <StepHeader
+        stepId="dsfa"
+        title={stepInfo.title}
+        description={stepInfo.description}
+        explanation={stepInfo.explanation}
+        tips={stepInfo.tips}
+      >
+        <div className="flex items-center gap-2">
+          {!showGenerator && (
+            <>
+              <button
+                onClick={() => setShowGenerator(true)}
+                className="flex items-center gap-2 px-4 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
+              >
+                <svg className="w-5 h-5" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+                  <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M12 6v6m0 0v6m0-6h6m-6 0H6" />
+                </svg>
+                Standalone DSFA
+              </button>
+            </>
+          )}
+        </div>
+      </StepHeader>
+
+      {/* UCCA Trigger Warning */}
+      {uccaTrigger && (
+        <UCCATriggerWarning
+          assessmentId={uccaTrigger.assessmentId}
+          triggeredRules={uccaTrigger.triggeredRules}
+          existingDsfaId={uccaTrigger.existingDsfaId}
+          onCreateDSFA={handleCreateFromAssessment}
+        />
+      )}
+
+      {/* Generator */}
+      {showGenerator && (
+        <GeneratorWizard
+          onClose={() => setShowGenerator(false)}
+          onCreated={(dsfa) => {
+            router.push(`/sdk/dsfa/${dsfa.id}`)
+          }}
+        />
+      )}
+
+      {/* Stats */}
+      <div className="grid grid-cols-1 md:grid-cols-4 gap-4">
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <div className="text-sm text-gray-500">Gesamt</div>
+          <div className="text-3xl font-bold text-gray-900">{stats.total}</div>
+        </div>
+        <div className="bg-white rounded-xl border border-gray-200 p-6">
+          <div className="text-sm text-gray-500">Entwuerfe</div>
+          <div className="text-3xl font-bold text-gray-500">{stats.draft}</div>
+        </div>
+        <div className="bg-white rounded-xl border border-yellow-200 p-6">
+          <div className="text-sm text-yellow-600">In Pruefung</div>
+          <div className="text-3xl font-bold text-yellow-600">{stats.in_review}</div>
+        </div>
+        <div className="bg-white rounded-xl border border-green-200 p-6">
+          <div className="text-sm text-green-600">Genehmigt</div>
+          <div className="text-3xl font-bold text-green-600">{stats.approved}</div>
+        </div>
+      </div>
+
+      {/* Filter */}
+      <div className="flex items-center gap-2">
+        <span className="text-sm text-gray-500">Filter:</span>
+        {['all', 'draft', 'in_review', 'approved', 'needs_update'].map(f => (
+          <button
+            key={f}
+            onClick={() => setFilter(f)}
+            className={`px-3 py-1 text-sm rounded-full transition-colors ${
+              filter === f
+                ? 'bg-purple-600 text-white'
+                : 'bg-gray-100 text-gray-600 hover:bg-gray-200'
+            }`}
+          >
+            {f === 'all' ? 'Alle' : DSFA_STATUS_LABELS[f as DSFAStatus] || f}
+          </button>
+        ))}
+      </div>
+
+      {/* DSFA List */}
+      {isLoading ? (
+        <div className="flex items-center justify-center py-12">
+          <div className="w-8 h-8 border-4 border-purple-600 border-t-transparent rounded-full animate-spin" />
+        </div>
+      ) : (
+        <div className="space-y-4">
+          {filteredDSFAs.map(dsfa => (
+            <DSFACard
+              key={dsfa.id}
+              dsfa={dsfa}
+              onDelete={handleDelete}
+              onExport={handleExport}
+            />
+          ))}
+        </div>
+      )}
+
+      {/* Empty State */}
+      {!isLoading && filteredDSFAs.length === 0 && !showGenerator && (
+        <div className="bg-white rounded-xl border border-gray-200 p-12 text-center">
+          <div className="w-16 h-16 mx-auto bg-purple-100 rounded-full flex items-center justify-center mb-4">
+            <svg className="w-8 h-8 text-purple-600" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M9 12h6m-6 4h6m2 5H7a2 2 0 01-2-2V5a2 2 0 012-2h5.586a1 1 0 01.707.293l5.414 5.414a1 1 0 01.293.707V19a2 2 0 01-2 2z" />
+            </svg>
+          </div>
+          <h3 className="text-lg font-semibold text-gray-900">Keine DSFAs gefunden</h3>
+          <p className="mt-2 text-gray-500">
+            {filter !== 'all'
+              ? `Keine DSFAs mit Status "${DSFA_STATUS_LABELS[filter as DSFAStatus]}".`
+              : 'Erstellen Sie eine neue Datenschutz-Folgenabschaetzung.'}
+          </p>
+          {filter === 'all' && (
+            <button
+              onClick={() => setShowGenerator(true)}
+              className="mt-4 px-6 py-2 bg-purple-600 text-white rounded-lg hover:bg-purple-700 transition-colors"
+            >
+              Erste DSFA erstellen
+            </button>
+          )}
+        </div>
+      )}
+    </div>
+  )
+}
diff --git a/admin-v2/lib/sdk/dsfa/__tests__/api.test.ts b/admin-v2/lib/sdk/dsfa/__tests__/api.test.ts
new file mode 100644
index 0000000..bc39234
--- /dev/null
+++ b/admin-v2/lib/sdk/dsfa/__tests__/api.test.ts
@@ -0,0 +1,355 @@
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest'
+
+// Mock fetch globally
+const mockFetch = vi.fn()
+global.fetch = mockFetch
+
+describe('DSFA API Client', () => {
+  beforeEach(() => {
+    mockFetch.mockClear()
+  })
+
+  afterEach(() => {
+    vi.restoreAllMocks()
+  })
+
+  describe('listDSFAs', () => {
+    it('should fetch DSFAs without status filter', async () => {
+      const mockDSFAs = [
+        { id: 'dsfa-1', name: 'Test DSFA 1', status: 'draft' },
+        { id: 'dsfa-2', name: 'Test DSFA 2', status: 'approved' },
+      ]
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ dsfas: mockDSFAs }),
+      })
+
+      const { listDSFAs } = await import('../api')
+      const result = await listDSFAs()
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result).toHaveLength(2)
+      expect(result[0].name).toBe('Test DSFA 1')
+    })
+
+    it('should fetch DSFAs with status filter', async () => {
+      const mockDSFAs = [{ id: 'dsfa-1', name: 'Draft DSFA', status: 'draft' }]
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ dsfas: mockDSFAs }),
+      })
+
+      const { listDSFAs } = await import('../api')
+      const result = await listDSFAs('draft')
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      const calledUrl = mockFetch.mock.calls[0][0]
+      expect(calledUrl).toContain('status=draft')
+    })
+
+    it('should return empty array when no DSFAs', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ dsfas: null }),
+      })
+
+      const { listDSFAs } = await import('../api')
+      const result = await listDSFAs()
+
+      expect(result).toEqual([])
+    })
+  })
+
+  describe('getDSFA', () => {
+    it('should fetch a single DSFA by ID', async () => {
+      const mockDSFA = {
+        id: 'dsfa-123',
+        name: 'Test DSFA',
+        status: 'draft',
+        risks: [],
+        mitigations: [],
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(mockDSFA),
+      })
+
+      const { getDSFA } = await import('../api')
+      const result = await getDSFA('dsfa-123')
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result.id).toBe('dsfa-123')
+      expect(result.name).toBe('Test DSFA')
+    })
+
+    it('should throw error for non-existent DSFA', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+        text: () => Promise.resolve('{"error": "DSFA not found"}'),
+      })
+
+      const { getDSFA } = await import('../api')
+
+      await expect(getDSFA('non-existent')).rejects.toThrow()
+    })
+  })
+
+  describe('createDSFA', () => {
+    it('should create a new DSFA', async () => {
+      const newDSFA = {
+        name: 'New DSFA',
+        description: 'Test description',
+        processing_purpose: 'Testing',
+      }
+
+      const createdDSFA = {
+        id: 'dsfa-new',
+        ...newDSFA,
+        status: 'draft',
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(createdDSFA),
+      })
+
+      const { createDSFA } = await import('../api')
+      const result = await createDSFA(newDSFA)
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result.id).toBe('dsfa-new')
+      expect(result.name).toBe('New DSFA')
+    })
+  })
+
+  describe('updateDSFA', () => {
+    it('should update an existing DSFA', async () => {
+      const updates = {
+        name: 'Updated DSFA Name',
+        processing_purpose: 'Updated purpose',
+      }
+
+      const updatedDSFA = {
+        id: 'dsfa-123',
+        ...updates,
+        status: 'draft',
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(updatedDSFA),
+      })
+
+      const { updateDSFA } = await import('../api')
+      const result = await updateDSFA('dsfa-123', updates)
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result.name).toBe('Updated DSFA Name')
+    })
+  })
+
+  describe('deleteDSFA', () => {
+    it('should delete a DSFA', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+      })
+
+      const { deleteDSFA } = await import('../api')
+      await deleteDSFA('dsfa-123')
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      const calledConfig = mockFetch.mock.calls[0][1]
+      expect(calledConfig.method).toBe('DELETE')
+    })
+
+    it('should throw error when deletion fails', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        statusText: 'Not Found',
+      })
+
+      const { deleteDSFA } = await import('../api')
+
+      await expect(deleteDSFA('non-existent')).rejects.toThrow()
+    })
+  })
+
+  describe('updateDSFASection', () => {
+    it('should update a specific section', async () => {
+      const sectionData = {
+        processing_purpose: 'Updated purpose',
+        data_categories: ['personal_data', 'contact_data'],
+      }
+
+      const updatedDSFA = {
+        id: 'dsfa-123',
+        section_progress: {
+          section_1_complete: true,
+        },
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(updatedDSFA),
+      })
+
+      const { updateDSFASection } = await import('../api')
+      const result = await updateDSFASection('dsfa-123', 1, sectionData)
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      const calledUrl = mockFetch.mock.calls[0][0]
+      expect(calledUrl).toContain('/sections/1')
+    })
+  })
+
+  describe('submitDSFAForReview', () => {
+    it('should submit DSFA for review', async () => {
+      const response = {
+        message: 'DSFA submitted for review',
+        dsfa: {
+          id: 'dsfa-123',
+          status: 'in_review',
+        },
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(response),
+      })
+
+      const { submitDSFAForReview } = await import('../api')
+      const result = await submitDSFAForReview('dsfa-123')
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result.dsfa.status).toBe('in_review')
+    })
+  })
+
+  describe('approveDSFA', () => {
+    it('should approve a DSFA', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ message: 'DSFA approved' }),
+      })
+
+      const { approveDSFA } = await import('../api')
+      const result = await approveDSFA('dsfa-123', {
+        dpo_opinion: 'Approved after review',
+        approved: true,
+      })
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result.message).toBe('DSFA approved')
+    })
+
+    it('should reject a DSFA', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve({ message: 'DSFA rejected' }),
+      })
+
+      const { approveDSFA } = await import('../api')
+      const result = await approveDSFA('dsfa-123', {
+        dpo_opinion: 'Needs more details',
+        approved: false,
+      })
+
+      expect(result.message).toBe('DSFA rejected')
+    })
+  })
+
+  describe('getDSFAStats', () => {
+    it('should fetch DSFA statistics', async () => {
+      const stats = {
+        total: 10,
+        status_stats: {
+          draft: 4,
+          in_review: 2,
+          approved: 3,
+          rejected: 1,
+        },
+        risk_stats: {
+          low: 3,
+          medium: 4,
+          high: 2,
+          very_high: 1,
+        },
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(stats),
+      })
+
+      const { getDSFAStats } = await import('../api')
+      const result = await getDSFAStats()
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result.total).toBe(10)
+      expect(result.status_stats.approved).toBe(3)
+    })
+  })
+
+  describe('createDSFAFromAssessment', () => {
+    it('should create DSFA from UCCA assessment', async () => {
+      const response = {
+        dsfa: {
+          id: 'dsfa-new',
+          name: 'AI Chatbot DSFA',
+          status: 'draft',
+        },
+        prefilled: true,
+        message: 'DSFA created from assessment',
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(response),
+      })
+
+      const { createDSFAFromAssessment } = await import('../api')
+      const result = await createDSFAFromAssessment('assessment-123')
+
+      expect(mockFetch).toHaveBeenCalledTimes(1)
+      expect(result.prefilled).toBe(true)
+      expect(result.dsfa.id).toBe('dsfa-new')
+    })
+  })
+
+  describe('getDSFAByAssessment', () => {
+    it('should return DSFA linked to assessment', async () => {
+      const dsfa = {
+        id: 'dsfa-123',
+        assessment_id: 'assessment-123',
+        name: 'Linked DSFA',
+      }
+
+      mockFetch.mockResolvedValueOnce({
+        ok: true,
+        json: () => Promise.resolve(dsfa),
+      })
+
+      const { getDSFAByAssessment } = await import('../api')
+      const result = await getDSFAByAssessment('assessment-123')
+
+      expect(result?.id).toBe('dsfa-123')
+    })
+
+    it('should return null when no DSFA exists for assessment', async () => {
+      mockFetch.mockResolvedValueOnce({
+        ok: false,
+        status: 404,
+        text: () => Promise.resolve('Not found'),
+      })
+
+      const { getDSFAByAssessment } = await import('../api')
+      const result = await getDSFAByAssessment('no-dsfa-assessment')
+
+      expect(result).toBeNull()
+    })
+  })
+})
diff --git a/admin-v2/lib/sdk/dsfa/__tests__/types.test.ts b/admin-v2/lib/sdk/dsfa/__tests__/types.test.ts
new file mode 100644
index 0000000..8b66249
--- /dev/null
+++ b/admin-v2/lib/sdk/dsfa/__tests__/types.test.ts
@@ -0,0 +1,255 @@
+import { describe, it, expect } from 'vitest'
+import {
+  calculateRiskLevel,
+  DSFA_SECTIONS,
+  DSFA_STATUS_LABELS,
+  DSFA_RISK_LEVEL_LABELS,
+  DSFA_LEGAL_BASES,
+  DSFA_AFFECTED_RIGHTS,
+  RISK_MATRIX,
+  type DSFARisk,
+  type DSFAMitigation,
+  type DSFASectionProgress,
+  type DSFA,
+} from '../types'
+
+describe('DSFA_SECTIONS', () => {
+  it('should have 5 sections defined', () => {
+    expect(DSFA_SECTIONS.length).toBe(5)
+  })
+
+  it('should have sections numbered 1-5', () => {
+    const numbers = DSFA_SECTIONS.map(s => s.number)
+    expect(numbers).toEqual([1, 2, 3, 4, 5])
+  })
+
+  it('should have GDPR references for all sections', () => {
+    DSFA_SECTIONS.forEach(section => {
+      expect(section.gdprRef).toBeDefined()
+      expect(section.gdprRef).toContain('Art. 35')
+    })
+  })
+
+  it('should mark first 4 sections as required', () => {
+    const requiredSections = DSFA_SECTIONS.filter(s => s.required)
+    expect(requiredSections.length).toBe(4)
+    expect(requiredSections.map(s => s.number)).toEqual([1, 2, 3, 4])
+  })
+
+  it('should mark section 5 as optional', () => {
+    const section5 = DSFA_SECTIONS.find(s => s.number === 5)
+    expect(section5?.required).toBe(false)
+  })
+
+  it('should have German titles for all sections', () => {
+    DSFA_SECTIONS.forEach(section => {
+      expect(section.titleDE).toBeDefined()
+      expect(section.titleDE.length).toBeGreaterThan(0)
+    })
+  })
+})
+
+describe('DSFA_STATUS_LABELS', () => {
+  it('should have all status labels defined', () => {
+    expect(DSFA_STATUS_LABELS.draft).toBe('Entwurf')
+    expect(DSFA_STATUS_LABELS.in_review).toBe('In Prüfung')
+    expect(DSFA_STATUS_LABELS.approved).toBe('Genehmigt')
+    expect(DSFA_STATUS_LABELS.rejected).toBe('Abgelehnt')
+    expect(DSFA_STATUS_LABELS.needs_update).toBe('Überarbeitung erforderlich')
+  })
+})
+
+describe('DSFA_RISK_LEVEL_LABELS', () => {
+  it('should have all risk level labels defined', () => {
+    expect(DSFA_RISK_LEVEL_LABELS.low).toBe('Niedrig')
+    expect(DSFA_RISK_LEVEL_LABELS.medium).toBe('Mittel')
+    expect(DSFA_RISK_LEVEL_LABELS.high).toBe('Hoch')
+    expect(DSFA_RISK_LEVEL_LABELS.very_high).toBe('Sehr Hoch')
+  })
+})
+
+describe('DSFA_LEGAL_BASES', () => {
+  it('should have 6 legal bases defined', () => {
+    expect(Object.keys(DSFA_LEGAL_BASES).length).toBe(6)
+  })
+
+  it('should reference GDPR Article 6', () => {
+    Object.values(DSFA_LEGAL_BASES).forEach(label => {
+      expect(label).toContain('Art. 6')
+    })
+  })
+})
+
+describe('DSFA_AFFECTED_RIGHTS', () => {
+  it('should have multiple affected rights defined', () => {
+    expect(DSFA_AFFECTED_RIGHTS.length).toBeGreaterThan(5)
+  })
+
+  it('should have id and label for each right', () => {
+    DSFA_AFFECTED_RIGHTS.forEach(right => {
+      expect(right.id).toBeDefined()
+      expect(right.label).toBeDefined()
+    })
+  })
+
+  it('should include GDPR data subject rights', () => {
+    const ids = DSFA_AFFECTED_RIGHTS.map(r => r.id)
+    expect(ids).toContain('right_of_access')
+    expect(ids).toContain('right_to_erasure')
+    expect(ids).toContain('right_to_data_portability')
+  })
+})
+
+describe('RISK_MATRIX', () => {
+  it('should have 9 cells defined (3x3 matrix)', () => {
+    expect(RISK_MATRIX.length).toBe(9)
+  })
+
+  it('should cover all combinations of likelihood and impact', () => {
+    const likelihoodValues = ['low', 'medium', 'high']
+    const impactValues = ['low', 'medium', 'high']
+
+    likelihoodValues.forEach(likelihood => {
+      impactValues.forEach(impact => {
+        const cell = RISK_MATRIX.find(
+          c => c.likelihood === likelihood && c.impact === impact
+        )
+        expect(cell).toBeDefined()
+      })
+    })
+  })
+
+  it('should have increasing scores for higher risks', () => {
+    const lowLow = RISK_MATRIX.find(c => c.likelihood === 'low' && c.impact === 'low')
+    const highHigh = RISK_MATRIX.find(c => c.likelihood === 'high' && c.impact === 'high')
+
+    expect(lowLow?.score).toBeLessThan(highHigh?.score || 0)
+  })
+})
+
+describe('calculateRiskLevel', () => {
+  it('should return low for low likelihood and low impact', () => {
+    const result = calculateRiskLevel('low', 'low')
+    expect(result.level).toBe('low')
+    expect(result.score).toBe(10)
+  })
+
+  it('should return very_high for high likelihood and high impact', () => {
+    const result = calculateRiskLevel('high', 'high')
+    expect(result.level).toBe('very_high')
+    expect(result.score).toBe(90)
+  })
+
+  it('should return medium for medium likelihood and medium impact', () => {
+    const result = calculateRiskLevel('medium', 'medium')
+    expect(result.level).toBe('medium')
+    expect(result.score).toBe(50)
+  })
+
+  it('should return high for high likelihood and medium impact', () => {
+    const result = calculateRiskLevel('high', 'medium')
+    expect(result.level).toBe('high')
+    expect(result.score).toBe(70)
+  })
+
+  it('should return medium for low likelihood and high impact', () => {
+    const result = calculateRiskLevel('low', 'high')
+    expect(result.level).toBe('medium')
+    expect(result.score).toBe(40)
+  })
+})
+
+describe('DSFARisk type', () => {
+  it('should accept valid risk data', () => {
+    const risk: DSFARisk = {
+      id: 'risk-001',
+      category: 'confidentiality',
+      description: 'Unauthorized access to personal data',
+      likelihood: 'medium',
+      impact: 'high',
+      risk_level: 'high',
+      affected_data: ['customer_data', 'financial_data'],
+    }
+
+    expect(risk.id).toBe('risk-001')
+    expect(risk.category).toBe('confidentiality')
+    expect(risk.likelihood).toBe('medium')
+    expect(risk.impact).toBe('high')
+  })
+})
+
+describe('DSFAMitigation type', () => {
+  it('should accept valid mitigation data', () => {
+    const mitigation: DSFAMitigation = {
+      id: 'mit-001',
+      risk_id: 'risk-001',
+      description: 'Implement encryption at rest',
+      type: 'technical',
+      status: 'implemented',
+      residual_risk: 'low',
+      responsible_party: 'IT Security Team',
+    }
+
+    expect(mitigation.id).toBe('mit-001')
+    expect(mitigation.type).toBe('technical')
+    expect(mitigation.status).toBe('implemented')
+  })
+})
+
+describe('DSFASectionProgress type', () => {
+  it('should track completion for all 5 sections', () => {
+    const progress: DSFASectionProgress = {
+      section_1_complete: true,
+      section_2_complete: true,
+      section_3_complete: false,
+      section_4_complete: false,
+      section_5_complete: false,
+    }
+
+    expect(progress.section_1_complete).toBe(true)
+    expect(progress.section_2_complete).toBe(true)
+    expect(progress.section_3_complete).toBe(false)
+  })
+})
+
+describe('DSFA type', () => {
+  it('should accept a complete DSFA object', () => {
+    const dsfa: DSFA = {
+      id: 'dsfa-001',
+      tenant_id: 'tenant-001',
+      name: 'AI Chatbot DSFA',
+      description: 'Data Protection Impact Assessment for AI Chatbot',
+      processing_description: 'Automated customer service using AI',
+      processing_purpose: 'Customer support automation',
+      data_categories: ['contact_data', 'inquiry_content'],
+      data_subjects: ['customers'],
+      recipients: ['internal_staff'],
+      legal_basis: 'legitimate_interest',
+      necessity_assessment: 'Required for efficient customer service',
+      proportionality_assessment: 'Minimal data processing for the purpose',
+      risks: [],
+      overall_risk_level: 'medium',
+      risk_score: 50,
+      mitigations: [],
+      dpo_consulted: false,
+      authority_consulted: false,
+      status: 'draft',
+      section_progress: {
+        section_1_complete: true,
+        section_2_complete: true,
+        section_3_complete: false,
+        section_4_complete: false,
+        section_5_complete: false,
+      },
+      conclusion: '',
+      created_at: new Date().toISOString(),
+      updated_at: new Date().toISOString(),
+      created_by: 'user-001',
+    }
+
+    expect(dsfa.id).toBe('dsfa-001')
+    expect(dsfa.name).toBe('AI Chatbot DSFA')
+    expect(dsfa.status).toBe('draft')
+    expect(dsfa.data_categories).toHaveLength(2)
+  })
+})
diff --git a/admin-v2/lib/sdk/dsfa/api.ts b/admin-v2/lib/sdk/dsfa/api.ts
new file mode 100644
index 0000000..9b0dfec
--- /dev/null
+++ b/admin-v2/lib/sdk/dsfa/api.ts
@@ -0,0 +1,399 @@
+/**
+ * DSFA API Client
+ *
+ * API client functions for DSFA (Data Protection Impact Assessment) endpoints.
+ */
+
+import type {
+  DSFA,
+  DSFAListResponse,
+  DSFAStatsResponse,
+  CreateDSFARequest,
+  CreateDSFAFromAssessmentRequest,
+  CreateDSFAFromAssessmentResponse,
+  UpdateDSFASectionRequest,
+  SubmitForReviewResponse,
+  ApproveDSFARequest,
+  DSFATriggerInfo,
+} from './types'
+
+// =============================================================================
+// CONFIGURATION
+// =============================================================================
+
+const getBaseUrl = () => {
+  if (typeof window !== 'undefined') {
+    // Browser environment
+    return process.env.NEXT_PUBLIC_SDK_API_URL || '/api/sdk/v1'
+  }
+  // Server environment
+  return process.env.SDK_API_URL || 'http://localhost:8080/api/sdk/v1'
+}
+
+// =============================================================================
+// HELPER FUNCTIONS
+// =============================================================================
+
+async function handleResponse<T>(response: Response): Promise<T> {
+  if (!response.ok) {
+    const errorBody = await response.text()
+    let errorMessage = `HTTP ${response.status}`
+    try {
+      const errorJson = JSON.parse(errorBody)
+      errorMessage = errorJson.error || errorJson.message || errorMessage
+    } catch {
+      // Keep HTTP status message
+    }
+    throw new Error(errorMessage)
+  }
+  return response.json()
+}
+
+function getHeaders(): HeadersInit {
+  return {
+    'Content-Type': 'application/json',
+  }
+}
+
+// =============================================================================
+// DSFA CRUD OPERATIONS
+// =============================================================================
+
+/**
+ * List all DSFAs for the current tenant
+ */
+export async function listDSFAs(status?: string): Promise<DSFA[]> {
+  const url = new URL(`${getBaseUrl()}/dsgvo/dsfas`, window.location.origin)
+  if (status) {
+    url.searchParams.set('status', status)
+  }
+
+  const response = await fetch(url.toString(), {
+    method: 'GET',
+    headers: getHeaders(),
+    credentials: 'include',
+  })
+
+  const data = await handleResponse<DSFAListResponse>(response)
+  return data.dsfas || []
+}
+
+/**
+ * Get a single DSFA by ID
+ */
+export async function getDSFA(id: string): Promise<DSFA> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}`, {
+    method: 'GET',
+    headers: getHeaders(),
+    credentials: 'include',
+  })
+
+  return handleResponse<DSFA>(response)
+}
+
+/**
+ * Create a new DSFA
+ */
+export async function createDSFA(data: CreateDSFARequest): Promise<DSFA> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas`, {
+    method: 'POST',
+    headers: getHeaders(),
+    credentials: 'include',
+    body: JSON.stringify(data),
+  })
+
+  return handleResponse<DSFA>(response)
+}
+
+/**
+ * Update an existing DSFA
+ */
+export async function updateDSFA(id: string, data: Partial<DSFA>): Promise<DSFA> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}`, {
+    method: 'PUT',
+    headers: getHeaders(),
+    credentials: 'include',
+    body: JSON.stringify(data),
+  })
+
+  return handleResponse<DSFA>(response)
+}
+
+/**
+ * Delete a DSFA
+ */
+export async function deleteDSFA(id: string): Promise<void> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}`, {
+    method: 'DELETE',
+    headers: getHeaders(),
+    credentials: 'include',
+  })
+
+  if (!response.ok) {
+    throw new Error(`Failed to delete DSFA: ${response.statusText}`)
+  }
+}
+
+// =============================================================================
+// DSFA SECTION OPERATIONS
+// =============================================================================
+
+/**
+ * Update a specific section of a DSFA
+ */
+export async function updateDSFASection(
+  id: string,
+  sectionNumber: number,
+  data: UpdateDSFASectionRequest
+): Promise<DSFA> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}/sections/${sectionNumber}`, {
+    method: 'PUT',
+    headers: getHeaders(),
+    credentials: 'include',
+    body: JSON.stringify(data),
+  })
+
+  return handleResponse<DSFA>(response)
+}
+
+// =============================================================================
+// DSFA WORKFLOW OPERATIONS
+// =============================================================================
+
+/**
+ * Submit a DSFA for DPO review
+ */
+export async function submitDSFAForReview(id: string): Promise<SubmitForReviewResponse> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}/submit-for-review`, {
+    method: 'POST',
+    headers: getHeaders(),
+    credentials: 'include',
+  })
+
+  return handleResponse<SubmitForReviewResponse>(response)
+}
+
+/**
+ * Approve or reject a DSFA (DPO/CISO/GF action)
+ */
+export async function approveDSFA(id: string, data: ApproveDSFARequest): Promise<{ message: string }> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}/approve`, {
+    method: 'POST',
+    headers: getHeaders(),
+    credentials: 'include',
+    body: JSON.stringify(data),
+  })
+
+  return handleResponse<{ message: string }>(response)
+}
+
+// =============================================================================
+// DSFA STATISTICS
+// =============================================================================
+
+/**
+ * Get DSFA statistics for the dashboard
+ */
+export async function getDSFAStats(): Promise<DSFAStatsResponse> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/stats`, {
+    method: 'GET',
+    headers: getHeaders(),
+    credentials: 'include',
+  })
+
+  return handleResponse<DSFAStatsResponse>(response)
+}
+
+// =============================================================================
+// UCCA INTEGRATION
+// =============================================================================
+
+/**
+ * Create a DSFA from a UCCA assessment (pre-filled)
+ */
+export async function createDSFAFromAssessment(
+  assessmentId: string,
+  data?: CreateDSFAFromAssessmentRequest
+): Promise<CreateDSFAFromAssessmentResponse> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/from-assessment/${assessmentId}`, {
+    method: 'POST',
+    headers: getHeaders(),
+    credentials: 'include',
+    body: JSON.stringify(data || {}),
+  })
+
+  return handleResponse<CreateDSFAFromAssessmentResponse>(response)
+}
+
+/**
+ * Get a DSFA by its linked UCCA assessment ID
+ */
+export async function getDSFAByAssessment(assessmentId: string): Promise<DSFA | null> {
+  try {
+    const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/by-assessment/${assessmentId}`, {
+      method: 'GET',
+      headers: getHeaders(),
+      credentials: 'include',
+    })
+
+    if (response.status === 404) {
+      return null
+    }
+
+    return handleResponse<DSFA>(response)
+  } catch (error) {
+    // Return null if DSFA not found
+    return null
+  }
+}
+
+/**
+ * Check if a DSFA is required for a UCCA assessment
+ */
+export async function checkDSFARequired(assessmentId: string): Promise<DSFATriggerInfo> {
+  const response = await fetch(`${getBaseUrl()}/ucca/assessments/${assessmentId}/dsfa-required`, {
+    method: 'GET',
+    headers: getHeaders(),
+    credentials: 'include',
+  })
+
+  return handleResponse<DSFATriggerInfo>(response)
+}
+
+// =============================================================================
+// EXPORT
+// =============================================================================
+
+/**
+ * Export a DSFA as JSON
+ */
+export async function exportDSFAAsJSON(id: string): Promise<Blob> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}/export?format=json`, {
+    method: 'GET',
+    headers: {
+      'Accept': 'application/json',
+    },
+    credentials: 'include',
+  })
+
+  if (!response.ok) {
+    throw new Error(`Export failed: ${response.statusText}`)
+  }
+
+  return response.blob()
+}
+
+/**
+ * Export a DSFA as PDF
+ */
+export async function exportDSFAAsPDF(id: string): Promise<Blob> {
+  const response = await fetch(`${getBaseUrl()}/dsgvo/dsfas/${id}/export/pdf`, {
+    method: 'GET',
+    headers: {
+      'Accept': 'application/pdf',
+    },
+    credentials: 'include',
+  })
+
+  if (!response.ok) {
+    throw new Error(`PDF export failed: ${response.statusText}`)
+  }
+
+  return response.blob()
+}
+
+// =============================================================================
+// RISK & MITIGATION OPERATIONS
+// =============================================================================
+
+/**
+ * Add a risk to a DSFA
+ */
+export async function addDSFARisk(dsfaId: string, risk: {
+  category: string
+  description: string
+  likelihood: 'low' | 'medium' | 'high'
+  impact: 'low' | 'medium' | 'high'
+  affected_data?: string[]
+}): Promise<DSFA> {
+  const dsfa = await getDSFA(dsfaId)
+  const newRisk = {
+    id: crypto.randomUUID(),
+    ...risk,
+    risk_level: calculateRiskLevelString(risk.likelihood, risk.impact),
+    affected_data: risk.affected_data || [],
+  }
+
+  const updatedRisks = [...(dsfa.risks || []), newRisk]
+  return updateDSFA(dsfaId, { risks: updatedRisks } as Partial<DSFA>)
+}
+
+/**
+ * Remove a risk from a DSFA
+ */
+export async function removeDSFARisk(dsfaId: string, riskId: string): Promise<DSFA> {
+  const dsfa = await getDSFA(dsfaId)
+  const updatedRisks = (dsfa.risks || []).filter(r => r.id !== riskId)
+  return updateDSFA(dsfaId, { risks: updatedRisks } as Partial<DSFA>)
+}
+
+/**
+ * Add a mitigation to a DSFA
+ */
+export async function addDSFAMitigation(dsfaId: string, mitigation: {
+  risk_id: string
+  description: string
+  type: 'technical' | 'organizational' | 'legal'
+  responsible_party: string
+}): Promise<DSFA> {
+  const dsfa = await getDSFA(dsfaId)
+  const newMitigation = {
+    id: crypto.randomUUID(),
+    ...mitigation,
+    status: 'planned' as const,
+    residual_risk: 'medium' as const,
+  }
+
+  const updatedMitigations = [...(dsfa.mitigations || []), newMitigation]
+  return updateDSFA(dsfaId, { mitigations: updatedMitigations } as Partial<DSFA>)
+}
+
+/**
+ * Update mitigation status
+ */
+export async function updateDSFAMitigationStatus(
+  dsfaId: string,
+  mitigationId: string,
+  status: 'planned' | 'in_progress' | 'implemented' | 'verified'
+): Promise<DSFA> {
+  const dsfa = await getDSFA(dsfaId)
+  const updatedMitigations = (dsfa.mitigations || []).map(m => {
+    if (m.id === mitigationId) {
+      return {
+        ...m,
+        status,
+        ...(status === 'implemented' && { implemented_at: new Date().toISOString() }),
+        ...(status === 'verified' && { verified_at: new Date().toISOString() }),
+      }
+    }
+    return m
+  })
+
+  return updateDSFA(dsfaId, { mitigations: updatedMitigations } as Partial<DSFA>)
+}
+
+// =============================================================================
+// HELPER FUNCTIONS
+// =============================================================================
+
+function calculateRiskLevelString(
+  likelihood: 'low' | 'medium' | 'high',
+  impact: 'low' | 'medium' | 'high'
+): string {
+  const matrix: Record<string, Record<string, string>> = {
+    low: { low: 'low', medium: 'low', high: 'medium' },
+    medium: { low: 'low', medium: 'medium', high: 'high' },
+    high: { low: 'medium', medium: 'high', high: 'very_high' },
+  }
+  return matrix[likelihood]?.[impact] || 'medium'
+}
diff --git a/admin-v2/lib/sdk/dsfa/index.ts b/admin-v2/lib/sdk/dsfa/index.ts
new file mode 100644
index 0000000..774d2d5
--- /dev/null
+++ b/admin-v2/lib/sdk/dsfa/index.ts
@@ -0,0 +1,8 @@
+/**
+ * DSFA Module
+ *
+ * Exports for DSFA (Data Protection Impact Assessment) functionality.
+ */
+
+export * from './types'
+export * from './api'
diff --git a/admin-v2/lib/sdk/dsfa/types.ts b/admin-v2/lib/sdk/dsfa/types.ts
new file mode 100644
index 0000000..0976ea2
--- /dev/null
+++ b/admin-v2/lib/sdk/dsfa/types.ts
@@ -0,0 +1,365 @@
+/**
+ * DSFA Types - Datenschutz-Folgenabschätzung (Art. 35 DSGVO)
+ *
+ * TypeScript type definitions for DSFA (Data Protection Impact Assessment)
+ * aligned with the backend Go models.
+ */
+
+// =============================================================================
+// ENUMS & CONSTANTS
+// =============================================================================
+
+export type DSFAStatus = 'draft' | 'in_review' | 'approved' | 'rejected' | 'needs_update'
+
+export type DSFARiskLevel = 'low' | 'medium' | 'high' | 'very_high'
+
+export type DSFARiskCategory = 'confidentiality' | 'integrity' | 'availability' | 'rights_freedoms'
+
+export type DSFAMitigationType = 'technical' | 'organizational' | 'legal'
+
+export type DSFAMitigationStatus = 'planned' | 'in_progress' | 'implemented' | 'verified'
+
+export const DSFA_STATUS_LABELS: Record<DSFAStatus, string> = {
+  draft: 'Entwurf',
+  in_review: 'In Prüfung',
+  approved: 'Genehmigt',
+  rejected: 'Abgelehnt',
+  needs_update: 'Überarbeitung erforderlich',
+}
+
+export const DSFA_RISK_LEVEL_LABELS: Record<DSFARiskLevel, string> = {
+  low: 'Niedrig',
+  medium: 'Mittel',
+  high: 'Hoch',
+  very_high: 'Sehr Hoch',
+}
+
+export const DSFA_LEGAL_BASES = {
+  consent: 'Art. 6 Abs. 1 lit. a DSGVO - Einwilligung',
+  contract: 'Art. 6 Abs. 1 lit. b DSGVO - Vertrag',
+  legal_obligation: 'Art. 6 Abs. 1 lit. c DSGVO - Rechtliche Verpflichtung',
+  vital_interests: 'Art. 6 Abs. 1 lit. d DSGVO - Lebenswichtige Interessen',
+  public_interest: 'Art. 6 Abs. 1 lit. e DSGVO - Öffentliches Interesse',
+  legitimate_interest: 'Art. 6 Abs. 1 lit. f DSGVO - Berechtigtes Interesse',
+}
+
+export const DSFA_AFFECTED_RIGHTS = [
+  { id: 'right_to_information', label: 'Recht auf Information (Art. 13/14)' },
+  { id: 'right_of_access', label: 'Auskunftsrecht (Art. 15)' },
+  { id: 'right_to_rectification', label: 'Recht auf Berichtigung (Art. 16)' },
+  { id: 'right_to_erasure', label: 'Recht auf Löschung (Art. 17)' },
+  { id: 'right_to_restriction', label: 'Recht auf Einschränkung (Art. 18)' },
+  { id: 'right_to_data_portability', label: 'Recht auf Datenübertragbarkeit (Art. 20)' },
+  { id: 'right_to_object', label: 'Widerspruchsrecht (Art. 21)' },
+  { id: 'right_not_to_be_profiled', label: 'Recht bzgl. Profiling (Art. 22)' },
+  { id: 'freedom_of_expression', label: 'Meinungsfreiheit' },
+  { id: 'freedom_of_association', label: 'Versammlungsfreiheit' },
+  { id: 'non_discrimination', label: 'Nichtdiskriminierung' },
+  { id: 'data_security', label: 'Datensicherheit' },
+]
+
+// =============================================================================
+// SUB-TYPES
+// =============================================================================
+
+export interface DSFARisk {
+  id: string
+  category: DSFARiskCategory
+  description: string
+  likelihood: 'low' | 'medium' | 'high'
+  impact: 'low' | 'medium' | 'high'
+  risk_level: string
+  affected_data: string[]
+}
+
+export interface DSFAMitigation {
+  id: string
+  risk_id: string
+  description: string
+  type: DSFAMitigationType
+  status: DSFAMitigationStatus
+  implemented_at?: string
+  verified_at?: string
+  residual_risk: 'low' | 'medium' | 'high'
+  tom_reference?: string
+  responsible_party: string
+}
+
+export interface DSFAReviewComment {
+  id: string
+  section: number
+  comment: string
+  created_by: string
+  created_at: string
+  resolved: boolean
+}
+
+export interface DSFASectionProgress {
+  section_1_complete: boolean
+  section_2_complete: boolean
+  section_3_complete: boolean
+  section_4_complete: boolean
+  section_5_complete: boolean
+}
+
+// =============================================================================
+// MAIN DSFA TYPE
+// =============================================================================
+
+export interface DSFA {
+  id: string
+  tenant_id: string
+  namespace_id?: string
+  processing_activity_id?: string
+  assessment_id?: string
+  name: string
+  description: string
+
+  // Section 1: Systematische Beschreibung (Art. 35 Abs. 7 lit. a)
+  processing_description: string
+  processing_purpose: string
+  data_categories: string[]
+  data_subjects: string[]
+  recipients: string[]
+  legal_basis: string
+  legal_basis_details?: string
+
+  // Section 2: Notwendigkeit & Verhältnismäßigkeit (Art. 35 Abs. 7 lit. b)
+  necessity_assessment: string
+  proportionality_assessment: string
+  data_minimization?: string
+  alternatives_considered?: string
+  retention_justification?: string
+
+  // Section 3: Risikobewertung (Art. 35 Abs. 7 lit. c)
+  risks: DSFARisk[]
+  overall_risk_level: DSFARiskLevel
+  risk_score: number
+  affected_rights?: string[]
+  triggered_rule_codes?: string[]
+
+  // Section 4: Abhilfemaßnahmen (Art. 35 Abs. 7 lit. d)
+  mitigations: DSFAMitigation[]
+  tom_references?: string[]
+
+  // Section 5: Stellungnahme DSB (Art. 35 Abs. 2 + Art. 36)
+  dpo_consulted: boolean
+  dpo_consulted_at?: string
+  dpo_name?: string
+  dpo_opinion?: string
+  dpo_approved?: boolean
+  authority_consulted: boolean
+  authority_consulted_at?: string
+  authority_reference?: string
+  authority_decision?: string
+
+  // Workflow & Approval
+  status: DSFAStatus
+  submitted_for_review_at?: string
+  submitted_by?: string
+  conclusion: string
+  review_comments?: DSFAReviewComment[]
+
+  // Section Progress Tracking
+  section_progress: DSFASectionProgress
+
+  // Metadata & Audit
+  metadata?: Record<string, unknown>
+  created_at: string
+  updated_at: string
+  created_by: string
+  approved_by?: string
+  approved_at?: string
+}
+
+// =============================================================================
+// API REQUEST/RESPONSE TYPES
+// =============================================================================
+
+export interface DSFAListResponse {
+  dsfas: DSFA[]
+}
+
+export interface DSFAStatsResponse {
+  status_stats: Record<DSFAStatus | 'total', number>
+  risk_stats: Record<DSFARiskLevel, number>
+  total: number
+}
+
+export interface CreateDSFARequest {
+  name: string
+  description?: string
+  processing_description?: string
+  processing_purpose?: string
+  data_categories?: string[]
+  legal_basis?: string
+}
+
+export interface CreateDSFAFromAssessmentRequest {
+  name?: string
+  description?: string
+}
+
+export interface CreateDSFAFromAssessmentResponse {
+  dsfa: DSFA
+  prefilled: boolean
+  assessment: unknown // UCCA Assessment
+  message: string
+}
+
+export interface UpdateDSFASectionRequest {
+  // Section 1
+  processing_description?: string
+  processing_purpose?: string
+  data_categories?: string[]
+  data_subjects?: string[]
+  recipients?: string[]
+  legal_basis?: string
+  legal_basis_details?: string
+
+  // Section 2
+  necessity_assessment?: string
+  proportionality_assessment?: string
+  data_minimization?: string
+  alternatives_considered?: string
+  retention_justification?: string
+
+  // Section 3
+  overall_risk_level?: DSFARiskLevel
+  risk_score?: number
+  affected_rights?: string[]
+
+  // Section 5
+  dpo_consulted?: boolean
+  dpo_name?: string
+  dpo_opinion?: string
+  authority_consulted?: boolean
+  authority_reference?: string
+  authority_decision?: string
+}
+
+export interface SubmitForReviewResponse {
+  message: string
+  dsfa: DSFA
+}
+
+export interface ApproveDSFARequest {
+  dpo_opinion: string
+  approved: boolean
+}
+
+// =============================================================================
+// UCCA INTEGRATION TYPES
+// =============================================================================
+
+export interface DSFATriggerInfo {
+  required: boolean
+  reason: string
+  triggered_rules: string[]
+  assessment_id?: string
+  existing_dsfa_id?: string
+}
+
+export interface UCCATriggeredRule {
+  code: string
+  title: string
+  description: string
+  severity: 'INFO' | 'WARN' | 'BLOCK'
+  gdpr_ref?: string
+}
+
+// =============================================================================
+// HELPER TYPES FOR UI
+// =============================================================================
+
+export interface DSFASectionConfig {
+  number: number
+  title: string
+  titleDE: string
+  description: string
+  gdprRef: string
+  fields: string[]
+  required: boolean
+}
+
+export const DSFA_SECTIONS: DSFASectionConfig[] = [
+  {
+    number: 1,
+    title: 'Processing Description',
+    titleDE: 'Systematische Beschreibung',
+    description: 'Beschreiben Sie die geplante Verarbeitung, ihren Zweck, die Datenkategorien und Rechtsgrundlage.',
+    gdprRef: 'Art. 35 Abs. 7 lit. a DSGVO',
+    fields: ['processing_description', 'processing_purpose', 'data_categories', 'data_subjects', 'recipients', 'legal_basis'],
+    required: true,
+  },
+  {
+    number: 2,
+    title: 'Necessity & Proportionality',
+    titleDE: 'Notwendigkeit & Verhältnismäßigkeit',
+    description: 'Begründen Sie, warum die Verarbeitung notwendig ist und welche Alternativen geprüft wurden.',
+    gdprRef: 'Art. 35 Abs. 7 lit. b DSGVO',
+    fields: ['necessity_assessment', 'proportionality_assessment', 'data_minimization', 'alternatives_considered'],
+    required: true,
+  },
+  {
+    number: 3,
+    title: 'Risk Assessment',
+    titleDE: 'Risikobewertung',
+    description: 'Identifizieren und bewerten Sie die Risiken für die Rechte und Freiheiten der Betroffenen.',
+    gdprRef: 'Art. 35 Abs. 7 lit. c DSGVO',
+    fields: ['risks', 'overall_risk_level', 'risk_score', 'affected_rights'],
+    required: true,
+  },
+  {
+    number: 4,
+    title: 'Mitigation Measures',
+    titleDE: 'Abhilfemaßnahmen',
+    description: 'Definieren Sie technische und organisatorische Maßnahmen zur Risikominimierung.',
+    gdprRef: 'Art. 35 Abs. 7 lit. d DSGVO',
+    fields: ['mitigations', 'tom_references'],
+    required: true,
+  },
+  {
+    number: 5,
+    title: 'DPO Opinion',
+    titleDE: 'Stellungnahme DSB',
+    description: 'Dokumentieren Sie die Konsultation des Datenschutzbeauftragten und ggf. der Aufsichtsbehörde.',
+    gdprRef: 'Art. 35 Abs. 2 + Art. 36 DSGVO',
+    fields: ['dpo_consulted', 'dpo_opinion', 'authority_consulted', 'authority_reference'],
+    required: false,
+  },
+]
+
+// =============================================================================
+// RISK MATRIX HELPERS
+// =============================================================================
+
+export interface RiskMatrixCell {
+  likelihood: 'low' | 'medium' | 'high'
+  impact: 'low' | 'medium' | 'high'
+  level: DSFARiskLevel
+  score: number
+}
+
+export const RISK_MATRIX: RiskMatrixCell[] = [
+  // Low likelihood
+  { likelihood: 'low', impact: 'low', level: 'low', score: 10 },
+  { likelihood: 'low', impact: 'medium', level: 'low', score: 20 },
+  { likelihood: 'low', impact: 'high', level: 'medium', score: 40 },
+  // Medium likelihood
+  { likelihood: 'medium', impact: 'low', level: 'low', score: 20 },
+  { likelihood: 'medium', impact: 'medium', level: 'medium', score: 50 },
+  { likelihood: 'medium', impact: 'high', level: 'high', score: 70 },
+  // High likelihood
+  { likelihood: 'high', impact: 'low', level: 'medium', score: 40 },
+  { likelihood: 'high', impact: 'medium', level: 'high', score: 70 },
+  { likelihood: 'high', impact: 'high', level: 'very_high', score: 90 },
+]
+
+export function calculateRiskLevel(
+  likelihood: 'low' | 'medium' | 'high',
+  impact: 'low' | 'medium' | 'high'
+): { level: DSFARiskLevel; score: number } {
+  const cell = RISK_MATRIX.find(c => c.likelihood === likelihood && c.impact === impact)
+  return cell ? { level: cell.level, score: cell.score } : { level: 'medium', score: 50 }
+}
diff --git a/ai-compliance-sdk/docs/DEVELOPER.md b/ai-compliance-sdk/docs/DEVELOPER.md
new file mode 100644
index 0000000..f894d8e
--- /dev/null
+++ b/ai-compliance-sdk/docs/DEVELOPER.md
@@ -0,0 +1,1011 @@
+# AI Compliance SDK - Entwickler-Dokumentation
+
+## Inhaltsverzeichnis
+
+1. [Schnellstart](#1-schnellstart)
+2. [Architektur-Übersicht](#2-architektur-übersicht)
+3. [Policy Engine](#3-policy-engine)
+4. [License Policy Engine](#4-license-policy-engine)
+5. [Legal RAG Integration](#5-legal-rag-integration)
+6. [Wizard & Legal Assistant](#6-wizard--legal-assistant)
+7. [Eskalations-System](#7-eskalations-system)
+8. [API-Endpoints](#8-api-endpoints)
+9. [Policy-Dateien](#9-policy-dateien)
+10. [Tests ausführen](#10-tests-ausführen)
+11. [Generic Obligations Framework](#11-generic-obligations-framework)
+12. [Tests für Obligations Framework](#12-tests-für-obligations-framework)
+13. [DSFA (Datenschutz-Folgenabschätzung)](#13-dsfa-datenschutz-folgenabschätzung-nach-art-35-dsgvo)
+
+---
+
+## 1. Schnellstart
+
+### Voraussetzungen
+
+- Go 1.21+
+- PostgreSQL (für Eskalations-Store)
+- Qdrant (für Legal RAG)
+- Ollama oder Anthropic API Key (für LLM)
+
+### Build & Run
+
+```bash
+# Build
+cd ai-compliance-sdk
+go build -o server ./cmd/server
+
+# Run
+./server --config config.yaml
+
+# Alternativ: mit Docker
+docker compose up -d
+```
+
+### Erste Anfrage
+
+```bash
+# UCCA Assessment erstellen
+curl -X POST http://localhost:8080/sdk/v1/ucca/assess \
+  -H "Content-Type: application/json" \
+  -d '{
+    "use_case_text": "Chatbot für Kundenservice mit FAQ-Suche",
+    "domain": "utilities",
+    "data_types": {
+      "personal_data": false,
+      "public_data": true
+    },
+    "automation": "assistive",
+    "model_usage": {
+      "rag": true
+    },
+    "hosting": {
+      "region": "eu"
+    }
+  }'
+```
+
+---
+
+## 2. Architektur-Übersicht
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                        API Layer (Gin)                           │
+│                    internal/api/handlers/                        │
+├─────────────────────────────────────────────────────────────────┤
+│                                                                   │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
+│  │   UCCA      │  │   License   │  │      Eskalation         │  │
+│  │   Handler   │  │   Handler   │  │      Handler            │  │
+│  └──────┬──────┘  └──────┬──────┘  └───────────┬─────────────┘  │
+│         │                │                      │                │
+├─────────┼────────────────┼──────────────────────┼────────────────┤
+│         ▼                ▼                      ▼                │
+│  ┌─────────────┐  ┌─────────────┐  ┌─────────────────────────┐  │
+│  │   Policy    │  │   License   │  │   Escalation            │  │
+│  │   Engine    │  │   Policy    │  │   Store                 │  │
+│  │             │  │   Engine    │  │                         │  │
+│  └──────┬──────┘  └──────┬──────┘  └───────────┬─────────────┘  │
+│         │                │                      │                │
+│         └────────┬───────┴──────────────────────┘                │
+│                  ▼                                               │
+│         ┌─────────────────────────────────────────────────┐     │
+│         │              Legal RAG System                    │     │
+│         │         (Qdrant + LLM Integration)              │     │
+│         └─────────────────────────────────────────────────┘     │
+│                                                                   │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### Kernprinzip
+
+**LLM ist NICHT die Quelle der Wahrheit!**
+
+| Komponente | Entscheidet | LLM-Nutzung |
+|------------|-------------|-------------|
+| Policy Engine | Feasibility, Risk Level | Nein |
+| License Engine | Operation Mode, Stop-Lines | Nein |
+| Gap Mapping | Facts → Gaps → Controls | Nein |
+| Legal RAG | Erklärung generieren | Ja (nur Output) |
+
+---
+
+## 3. Policy Engine
+
+### Übersicht
+
+Die Policy Engine (`internal/ucca/policy_engine.go`) evaluiert Use Cases gegen deterministische Regeln.
+
+### Verwendung
+
+```go
+import "ai-compliance-sdk/internal/ucca"
+
+// Engine erstellen
+engine, err := ucca.NewPolicyEngineFromPath("policies/ucca_policy_v1.yaml")
+if err != nil {
+    log.Fatal(err)
+}
+
+// Intake erstellen
+intake := &ucca.UseCaseIntake{
+    UseCaseText: "Chatbot für Kundenservice",
+    Domain:      ucca.DomainUtilities,
+    DataTypes: ucca.DataTypes{
+        PersonalData: false,
+        PublicData:   true,
+    },
+    Automation: ucca.AutomationAssistive,
+    ModelUsage: ucca.ModelUsage{
+        RAG: true,
+    },
+    Hosting: ucca.Hosting{
+        Region: "eu",
+    },
+}
+
+// Evaluieren
+result := engine.Evaluate(intake)
+
+// Ergebnis auswerten
+fmt.Println("Feasibility:", result.Feasibility)   // YES, NO, CONDITIONAL
+fmt.Println("Risk Level:", result.RiskLevel)      // MINIMAL, LOW, MEDIUM, HIGH
+fmt.Println("Risk Score:", result.RiskScore)      // 0-100
+```
+
+### Ergebnis-Struktur
+
+```go
+type EvaluationResult struct {
+    Feasibility           Feasibility            // YES, NO, CONDITIONAL
+    RiskLevel             RiskLevel              // MINIMAL, LOW, MEDIUM, HIGH
+    RiskScore             int                    // 0-100
+    TriggeredRules        []TriggeredRule        // Ausgelöste Regeln
+    RequiredControls      []Control              // Erforderliche Maßnahmen
+    RecommendedArchitecture []Pattern            // Empfohlene Patterns
+    DSFARecommended       bool                   // DSFA erforderlich?
+    Art22Risk             bool                   // Art. 22 Risiko?
+    TrainingAllowed       TrainingAllowed        // YES, NO, CONDITIONAL
+    PolicyVersion         string                 // Version der Policy
+}
+```
+
+### Regeln hinzufügen
+
+Neue Regeln werden in `policies/ucca_policy_v1.yaml` definiert:
+
+```yaml
+rules:
+  - id: R-CUSTOM-001
+    code: R-CUSTOM-001
+    category: custom
+    title: Custom Rule
+    title_de: Benutzerdefinierte Regel
+    description: Custom rule description
+    severity: WARN  # INFO, WARN, BLOCK
+    gdpr_ref: "Art. 6 DSGVO"
+    condition:
+      all_of:
+        - field: domain
+          equals: custom_domain
+        - field: data_types.personal_data
+          equals: true
+    controls:
+      - C_CUSTOM_CONTROL
+```
+
+---
+
+## 4. License Policy Engine
+
+### Übersicht
+
+Die License Policy Engine (`internal/ucca/license_policy.go`) prüft die Lizenz-Compliance für Standards und Normen.
+
+### Operationsmodi
+
+| Modus | Beschreibung | Lizenzanforderung |
+|-------|--------------|-------------------|
+| `LINK_ONLY` | Nur Verweise | Keine |
+| `NOTES_ONLY` | Eigene Notizen | Keine |
+| `EXCERPT_ONLY` | Kurzzitate (<150 Zeichen) | Standard-Lizenz |
+| `FULLTEXT_RAG` | Volltext-Embedding | Explizite KI-Lizenz |
+| `TRAINING` | Modell-Training | Enterprise + Vertrag |
+
+### Verwendung
+
+```go
+import "ai-compliance-sdk/internal/ucca"
+
+engine := ucca.NewLicensePolicyEngine()
+
+facts := &ucca.LicensedContentFacts{
+    Present:       true,
+    Publisher:     "DIN_MEDIA",
+    LicenseType:   "SINGLE_WORKSTATION",
+    AIUsePermitted: "NO",
+    ProofUploaded: false,
+    OperationMode: "FULLTEXT_RAG",
+}
+
+result := engine.Evaluate(facts)
+
+if !result.Allowed {
+    fmt.Println("Blockiert:", result.StopLine.Message)
+    fmt.Println("Effektiver Modus:", result.EffectiveMode)
+}
+```
+
+### Ingest-Entscheidung
+
+```go
+// Prüfen ob Volltext-Ingest erlaubt ist
+canIngest := engine.CanIngestFulltext(facts)
+
+// Oder detaillierte Entscheidung
+decision := engine.DecideIngest(facts)
+fmt.Println("Fulltext:", decision.AllowFulltext)
+fmt.Println("Notes:", decision.AllowNotes)
+fmt.Println("Metadata:", decision.AllowMetadata)
+```
+
+### Audit-Logging
+
+```go
+// Audit-Entry erstellen
+entry := engine.FormatAuditEntry("tenant-123", "doc-456", facts, result)
+
+// Human-readable Summary
+summary := engine.FormatHumanReadableSummary(result)
+fmt.Println(summary)
+```
+
+### Publisher-spezifische Regeln
+
+DIN Media hat explizite Restriktionen:
+
+```go
+// DIN Media blockiert FULLTEXT_RAG ohne AI-Lizenz
+if facts.Publisher == "DIN_MEDIA" && facts.AIUsePermitted != "YES" {
+    // → STOP_DIN_FULLTEXT_AI_NOT_ALLOWED
+    // → Downgrade auf LINK_ONLY
+}
+```
+
+---
+
+## 5. Legal RAG Integration
+
+### Übersicht
+
+Das Legal RAG System (`internal/ucca/legal_rag.go`) generiert Erklärungen mit rechtlichem Kontext.
+
+### Verwendung
+
+```go
+import "ai-compliance-sdk/internal/ucca"
+
+rag := ucca.NewLegalRAGService(qdrantClient, llmClient, "bp_legal_corpus")
+
+// Erklärung generieren
+explanation, err := rag.Explain(ctx, result, intake)
+if err != nil {
+    log.Error(err)
+}
+
+fmt.Println("Erklärung:", explanation.Text)
+fmt.Println("Rechtsquellen:", explanation.Sources)
+```
+
+### Rechtsquellen im RAG
+
+| Quelle | Chunks | Beschreibung |
+|--------|--------|--------------|
+| DSGVO | 128 | EU Datenschutz-Grundverordnung |
+| AI Act | 96 | EU AI-Verordnung |
+| NIS2 | 128 | Netzwerk-Informationssicherheit |
+| SCC | 32 | Standardvertragsklauseln |
+| DPF | 714 | Data Privacy Framework |
+
+---
+
+## 6. Wizard & Legal Assistant
+
+### Wizard-Schema
+
+Das Wizard-Schema (`policies/wizard_schema_v1.yaml`) definiert die Fragen für das Frontend.
+
+### Legal Assistant verwenden
+
+```go
+// Wizard-Frage an Legal Assistant stellen
+type WizardAskRequest struct {
+    Question    string                 `json:"question"`
+    StepNumber  int                    `json:"step_number"`
+    FieldID     string                 `json:"field_id,omitempty"`
+    CurrentData map[string]interface{} `json:"current_data,omitempty"`
+}
+
+// POST /sdk/v1/ucca/wizard/ask
+```
+
+### Beispiel API-Call
+
+```bash
+curl -X POST http://localhost:8080/sdk/v1/ucca/wizard/ask \
+  -H "Content-Type: application/json" \
+  -d '{
+    "question": "Was sind personenbezogene Daten?",
+    "step_number": 2,
+    "field_id": "data_types.personal_data"
+  }'
+```
+
+---
+
+## 7. Eskalations-System
+
+### Eskalationsstufen
+
+| Level | Auslöser | Prüfer | SLA |
+|-------|----------|--------|-----|
+| E0 | Nur INFO | Automatisch | - |
+| E1 | WARN, geringes Risiko | Team-Lead | 24h |
+| E2 | Art. 9, DSFA empfohlen | DSB | 8h |
+| E3 | BLOCK, hohes Risiko | DSB + Legal | 4h |
+
+### Eskalation erstellen
+
+```go
+import "ai-compliance-sdk/internal/ucca"
+
+store := ucca.NewEscalationStore(db)
+
+escalation := &ucca.Escalation{
+    AssessmentID:    "assess-123",
+    Level:           ucca.EscalationE2,
+    TriggerReason:   "Art. 9 Daten betroffen",
+    RequiredReviews: 1,
+}
+
+err := store.CreateEscalation(ctx, escalation)
+```
+
+### SLA-Monitor
+
+```go
+monitor := ucca.NewSLAMonitor(store, notificationService)
+
+// Im Hintergrund starten
+go monitor.Start(ctx)
+```
+
+---
+
+## 8. API-Endpoints
+
+### UCCA Endpoints
+
+| Method | Endpoint | Beschreibung |
+|--------|----------|--------------|
+| POST | `/sdk/v1/ucca/assess` | Assessment erstellen |
+| GET | `/sdk/v1/ucca/assess/:id` | Assessment abrufen |
+| POST | `/sdk/v1/ucca/explain` | Erklärung generieren |
+| GET | `/sdk/v1/ucca/wizard/schema` | Wizard-Schema abrufen |
+| POST | `/sdk/v1/ucca/wizard/ask` | Legal Assistant fragen |
+
+### License Endpoints
+
+| Method | Endpoint | Beschreibung |
+|--------|----------|--------------|
+| POST | `/sdk/v1/license/evaluate` | Lizenz-Prüfung |
+| POST | `/sdk/v1/license/decide-ingest` | Ingest-Entscheidung |
+
+### Eskalations-Endpoints
+
+| Method | Endpoint | Beschreibung |
+|--------|----------|--------------|
+| GET | `/sdk/v1/escalations` | Offene Eskalationen |
+| GET | `/sdk/v1/escalations/:id` | Eskalation abrufen |
+| POST | `/sdk/v1/escalations/:id/decide` | Entscheidung treffen |
+
+---
+
+## 9. Policy-Dateien
+
+### Dateistruktur
+
+```
+policies/
+├── ucca_policy_v1.yaml        # Haupt-Policy (Regeln, Controls, Patterns)
+├── wizard_schema_v1.yaml      # Wizard-Fragen und Legal Assistant
+├── controls_catalog.yaml      # Detaillierte Control-Beschreibungen
+├── gap_mapping.yaml           # Facts → Gaps → Controls
+├── licensed_content_policy.yaml # Standards/Normen Compliance
+└── scc_legal_corpus.yaml      # SCC Rechtsquellen
+```
+
+### Policy-Version
+
+Jede Policy hat eine Version:
+
+```yaml
+metadata:
+  version: "1.0.0"
+  effective_date: "2025-01-01"
+  author: "Compliance Team"
+```
+
+---
+
+## 10. Tests ausführen
+
+### Alle Tests
+
+```bash
+cd ai-compliance-sdk
+go test -v ./...
+```
+
+### Spezifische Tests
+
+```bash
+# Policy Engine Tests
+go test -v ./internal/ucca/policy_engine_test.go
+
+# License Policy Tests
+go test -v ./internal/ucca/license_policy_test.go
+
+# Eskalation Tests
+go test -v ./internal/ucca/escalation_test.go
+```
+
+### Test-Coverage
+
+```bash
+go test -cover ./...
+
+# HTML-Report
+go test -coverprofile=coverage.out ./...
+go tool cover -html=coverage.out
+```
+
+### Beispiel: Neuen Test hinzufügen
+
+```go
+func TestMyNewFeature(t *testing.T) {
+    engine := NewLicensePolicyEngine()
+
+    facts := &LicensedContentFacts{
+        Present:       true,
+        Publisher:     "DIN_MEDIA",
+        OperationMode: "FULLTEXT_RAG",
+    }
+
+    result := engine.Evaluate(facts)
+
+    if result.Allowed {
+        t.Error("Expected blocked for DIN_MEDIA FULLTEXT_RAG")
+    }
+}
+```
+
+---
+
+## Anhang: Wichtige Dateien
+
+| Datei | Beschreibung |
+|-------|--------------|
+| `internal/ucca/policy_engine.go` | Haupt-Policy-Engine |
+| `internal/ucca/license_policy.go` | License Policy Engine |
+| `internal/ucca/legal_rag.go` | Legal RAG Integration |
+| `internal/ucca/escalation_store.go` | Eskalations-Verwaltung |
+| `internal/ucca/sla_monitor.go` | SLA-Überwachung |
+| `internal/api/handlers/ucca_handlers.go` | API-Handler |
+| `cmd/server/main.go` | Server-Einstiegspunkt |
+
+---
+
+---
+
+## 11. Generic Obligations Framework
+
+### Übersicht
+
+Das Obligations Framework ermöglicht die automatische Ableitung regulatorischer Pflichten aus NIS2, DSGVO und AI Act.
+
+### Verwendung
+
+```go
+import "ai-compliance-sdk/internal/ucca"
+
+// Registry erstellen (lädt alle Module)
+registry := ucca.NewObligationsRegistry()
+
+// UnifiedFacts aufbauen
+facts := &ucca.UnifiedFacts{
+    Organization: ucca.OrganizationFacts{
+        EmployeeCount:  150,
+        AnnualRevenue:  30000000,
+        Country:        "DE",
+        EUMember:       true,
+    },
+    Sector: ucca.SectorFacts{
+        PrimarySector:    "digital_infrastructure",
+        SpecialServices:  []string{"cloud", "msp"},
+        IsKRITIS:         false,
+    },
+    DataProtection: ucca.DataProtectionFacts{
+        ProcessesPersonalData: true,
+    },
+    AIUsage: ucca.AIUsageFacts{
+        UsesAI:             true,
+        HighRiskCategories: []string{"employment"},
+        IsGPAIProvider:     false,
+    },
+}
+
+// Alle anwendbaren Pflichten evaluieren
+overview := registry.EvaluateAll(facts, "Muster GmbH")
+
+// Ergebnis auswerten
+fmt.Println("Anwendbare Regulierungen:", len(overview.ApplicableRegulations))
+fmt.Println("Gesamtzahl Pflichten:", len(overview.Obligations))
+fmt.Println("Kritische Pflichten:", overview.ExecutiveSummary.CriticalObligations)
+```
+
+### Neues Regulierungsmodul erstellen
+
+```go
+// 1. Module-Interface implementieren
+type MyRegulationModule struct {
+    obligations       []ucca.Obligation
+    controls          []ucca.ObligationControl
+    incidentDeadlines []ucca.IncidentDeadline
+}
+
+func (m *MyRegulationModule) ID() string { return "my_regulation" }
+func (m *MyRegulationModule) Name() string { return "My Regulation" }
+
+func (m *MyRegulationModule) IsApplicable(facts *ucca.UnifiedFacts) bool {
+    // Prüflogik implementieren
+    return facts.Organization.Country == "DE"
+}
+
+func (m *MyRegulationModule) DeriveObligations(facts *ucca.UnifiedFacts) []ucca.Obligation {
+    // Pflichten basierend auf Facts ableiten
+    return m.obligations
+}
+
+// 2. In Registry registrieren
+func NewMyRegulationModule() (*MyRegulationModule, error) {
+    m := &MyRegulationModule{}
+    // YAML laden oder hardcoded Pflichten definieren
+    return m, nil
+}
+
+// In obligations_registry.go:
+// r.Register(NewMyRegulationModule())
+```
+
+### YAML-basierte Pflichten
+
+```yaml
+# policies/obligations/my_regulation_obligations.yaml
+regulation: my_regulation
+name: "My Regulation"
+
+obligations:
+  - id: "MYREG-OBL-001"
+    title: "Compliance-Pflicht"
+    description: "Beschreibung der Pflicht"
+    applies_when: "classification != 'nicht_betroffen'"
+    legal_basis:
+      - norm: "§ 1 MyReg"
+    category: "Governance"
+    responsible: "Geschäftsführung"
+    deadline:
+      type: "relative"
+      duration: "12 Monate"
+    sanctions:
+      max_fine: "1 Mio. EUR"
+    priority: "high"
+
+controls:
+  - id: "MYREG-CTRL-001"
+    name: "Kontrollmaßnahme"
+    category: "Technical"
+    when_applicable: "immer"
+    what_to_do: "Maßnahme implementieren"
+    evidence_needed:
+      - "Dokumentation"
+```
+
+### PDF Export
+
+```go
+import "ai-compliance-sdk/internal/ucca"
+
+// Exporter erstellen
+exporter := ucca.NewPDFExporter("de")
+
+// PDF generieren
+response, err := exporter.ExportManagementMemo(overview)
+if err != nil {
+    log.Fatal(err)
+}
+
+// base64-kodierter PDF-Inhalt
+fmt.Println("Content-Type:", response.ContentType)  // application/pdf
+fmt.Println("Filename:", response.Filename)
+
+// PDF speichern
+decoded, _ := base64.StdEncoding.DecodeString(response.Content)
+os.WriteFile("memo.pdf", decoded, 0644)
+
+// Alternativ: Markdown
+mdResponse, err := exporter.ExportMarkdown(overview)
+fmt.Println(mdResponse.Content)  // Markdown-Text
+```
+
+### API-Endpoints
+
+```bash
+# Assessment erstellen
+curl -X POST http://localhost:8090/sdk/v1/ucca/obligations/assess \
+  -H "Content-Type: application/json" \
+  -d '{
+    "facts": {
+      "organization": {"employee_count": 150, "country": "DE"},
+      "sector": {"primary_sector": "healthcare"},
+      "data_protection": {"processes_personal_data": true},
+      "ai_usage": {"uses_ai": false}
+    },
+    "organization_name": "Test GmbH"
+  }'
+
+# PDF Export (direkt)
+curl -X POST http://localhost:8090/sdk/v1/ucca/obligations/export/direct \
+  -H "Content-Type: application/json" \
+  -d '{
+    "overview": { ... },
+    "format": "pdf",
+    "language": "de"
+  }'
+```
+
+---
+
+## 12. Tests für Obligations Framework
+
+```bash
+# Alle Obligations-Tests
+go test -v ./internal/ucca/..._module_test.go
+
+# NIS2 Module Tests
+go test -v ./internal/ucca/nis2_module_test.go
+
+# DSGVO Module Tests
+go test -v ./internal/ucca/dsgvo_module_test.go
+
+# AI Act Module Tests
+go test -v ./internal/ucca/ai_act_module_test.go
+
+# PDF Export Tests
+go test -v ./internal/ucca/pdf_export_test.go
+```
+
+### Beispiel-Tests
+
+```go
+func TestNIS2Module_LargeCompanyInAnnexISector(t *testing.T) {
+    module, _ := ucca.NewNIS2Module()
+
+    facts := &ucca.UnifiedFacts{
+        Organization: ucca.OrganizationFacts{
+            EmployeeCount: 500,
+            AnnualRevenue: 100000000,
+            Country:       "DE",
+        },
+        Sector: ucca.SectorFacts{
+            PrimarySector: "energy",
+        },
+    }
+
+    if !module.IsApplicable(facts) {
+        t.Error("Expected NIS2 to apply to large energy company")
+    }
+
+    classification := module.Classify(facts)
+    if classification != "besonders_wichtige_einrichtung" {
+        t.Errorf("Expected 'besonders_wichtige_einrichtung', got '%s'", classification)
+    }
+}
+
+func TestAIActModule_HighRiskEmploymentAI(t *testing.T) {
+    module, _ := ucca.NewAIActModule()
+
+    facts := &ucca.UnifiedFacts{
+        AIUsage: ucca.AIUsageFacts{
+            UsesAI:             true,
+            HighRiskCategories: []string{"employment"},
+        },
+    }
+
+    if !module.IsApplicable(facts) {
+        t.Error("Expected AI Act to apply")
+    }
+
+    riskLevel := module.ClassifyRisk(facts)
+    if riskLevel != ucca.AIActHighRisk {
+        t.Errorf("Expected 'high_risk', got '%s'", riskLevel)
+    }
+}
+```
+
+---
+
+## Anhang: Wichtige Dateien (erweitert)
+
+| Datei | Beschreibung |
+|-------|--------------|
+| `internal/ucca/policy_engine.go` | Haupt-Policy-Engine |
+| `internal/ucca/license_policy.go` | License Policy Engine |
+| `internal/ucca/obligations_framework.go` | Obligations Interfaces & Typen |
+| `internal/ucca/obligations_registry.go` | Modul-Registry |
+| `internal/ucca/nis2_module.go` | NIS2 Decision Tree |
+| `internal/ucca/dsgvo_module.go` | DSGVO Pflichten |
+| `internal/ucca/ai_act_module.go` | AI Act Risk Classification |
+| `internal/ucca/pdf_export.go` | PDF/Markdown Export |
+| `internal/api/handlers/obligations_handlers.go` | Obligations API |
+| `policies/obligations/*.yaml` | Pflichten-Kataloge |
+
+---
+
+---
+
+## 13. DSFA (Datenschutz-Folgenabschätzung nach Art. 35 DSGVO)
+
+### Übersicht
+
+Das DSFA-Modul implementiert die Datenschutz-Folgenabschätzung gemäß Art. 35 DSGVO als generisches Compliance-Tool für jeden KI-Anwendungsfall.
+
+### Architektur
+
+```
+┌─────────────────────────────────────────────────────────────────┐
+│                     Frontend (admin-v2)                          │
+│    app/(sdk)/sdk/dsfa/                                          │
+│    ├── page.tsx (Dashboard)                                     │
+│    └── [id]/page.tsx (5-Abschnitt-Editor)                       │
+├─────────────────────────────────────────────────────────────────┤
+│                     Components                                   │
+│    components/sdk/dsfa/                                          │
+│    ├── DSFACard.tsx (Listenansicht)                             │
+│    ├── RiskMatrix.tsx (Interaktive Risiko-Matrix)               │
+│    └── ApprovalPanel.tsx (Genehmigungs-Workflow)                │
+├─────────────────────────────────────────────────────────────────┤
+│                     API Client                                   │
+│    lib/sdk/dsfa/                                                 │
+│    ├── types.ts (TypeScript-Typen)                              │
+│    └── api.ts (API-Funktionen)                                  │
+├─────────────────────────────────────────────────────────────────┤
+│                     Backend (Go)                                 │
+│    internal/dsgvo/                                               │
+│    ├── models.go (DSFA-Datenmodell)                             │
+│    ├── store.go (PostgreSQL-Persistierung)                      │
+│    └── handlers.go (API-Endpoints)                              │
+└─────────────────────────────────────────────────────────────────┘
+```
+
+### Zwei Einstiegswege
+
+| Weg | Beschreibung | Vorausgefüllt |
+|-----|--------------|---------------|
+| **UCCA-getriggert** | Automatisch bei Trigger-Regeln (R-A002, R-A003, etc.) | Ja |
+| **Standalone** | Manuell für Verarbeitungen ohne UCCA | Nein |
+
+### Die 5 Abschnitte nach Art. 35 DSGVO
+
+| # | Abschnitt | Art. 35 Ref | Inhalt |
+|---|-----------|-------------|--------|
+| 1 | Systematische Beschreibung | Abs. 7 lit. a | Zweck, Datenkategorien, Betroffene, Empfänger, Rechtsgrundlage |
+| 2 | Notwendigkeit & Verhältnismäßigkeit | Abs. 7 lit. b | Warum notwendig? Alternativen? Datenminimierung? |
+| 3 | Risikobewertung | Abs. 7 lit. c | Risiko-Matrix (Eintrittswahrscheinlichkeit × Schwere) |
+| 4 | Abhilfemaßnahmen | Abs. 7 lit. d | Technische + Organisatorische Maßnahmen |
+| 5 | Stellungnahme DSB | Abs. 2 + Art. 36 | DSB-Konsultation, ggf. Behörden-Konsultation |
+
+### Datenmodell
+
+```go
+type DSFA struct {
+    ID                     uuid.UUID              `json:"id"`
+    TenantID               uuid.UUID              `json:"tenant_id"`
+    AssessmentID           *uuid.UUID             `json:"assessment_id,omitempty"` // UCCA-Verknüpfung
+    Name                   string                 `json:"name"`
+    Description            string                 `json:"description"`
+
+    // Abschnitt 1: Systematische Beschreibung
+    ProcessingDescription  string                 `json:"processing_description"`
+    ProcessingPurpose      string                 `json:"processing_purpose"`
+    DataCategories         []string               `json:"data_categories"`
+    DataSubjects           []string               `json:"data_subjects"`
+    Recipients             []string               `json:"recipients"`
+    LegalBasis             string                 `json:"legal_basis"`
+
+    // Abschnitt 2: Notwendigkeit
+    NecessityAssessment      string               `json:"necessity_assessment"`
+    ProportionalityAssessment string              `json:"proportionality_assessment"`
+    DataMinimization         string               `json:"data_minimization"`
+    AlternativesConsidered   string               `json:"alternatives_considered"`
+
+    // Abschnitt 3: Risikobewertung
+    Risks                  []DSFARisk             `json:"risks"`
+    OverallRiskLevel       string                 `json:"overall_risk_level"`
+    RiskScore              int                    `json:"risk_score"`
+    AffectedRights         []string               `json:"affected_rights"`
+    TriggeredRuleCodes     []string               `json:"triggered_rule_codes"`
+
+    // Abschnitt 4: Maßnahmen
+    Mitigations            []DSFAMitigation       `json:"mitigations"`
+    TOMReferences          []string               `json:"tom_references"`
+
+    // Abschnitt 5: DSB-Stellungnahme
+    DPOConsulted           bool                   `json:"dpo_consulted"`
+    DPOName                string                 `json:"dpo_name"`
+    DPOOpinion             string                 `json:"dpo_opinion"`
+    AuthorityConsulted     bool                   `json:"authority_consulted"`
+    AuthorityReference     string                 `json:"authority_reference"`
+
+    // Workflow
+    Status                 string                 `json:"status"` // draft, in_review, approved, rejected
+    SectionProgress        DSFASectionProgress    `json:"section_progress"`
+    ReviewComments         []DSFAReviewComment    `json:"review_comments"`
+}
+
+type DSFARisk struct {
+    ID          string   `json:"id"`
+    Category    string   `json:"category"` // confidentiality, integrity, availability, rights_freedoms
+    Description string   `json:"description"`
+    Likelihood  string   `json:"likelihood"` // low, medium, high
+    Impact      string   `json:"impact"`     // low, medium, high
+    RiskLevel   string   `json:"risk_level"` // low, medium, high, very_high
+}
+
+type DSFAMitigation struct {
+    ID               string  `json:"id"`
+    RiskID           string  `json:"risk_id"`
+    Description      string  `json:"description"`
+    Type             string  `json:"type"` // technical, organizational, legal
+    Status           string  `json:"status"` // planned, in_progress, implemented, verified
+    ResponsibleParty string  `json:"responsible_party"`
+    TOMReference     string  `json:"tom_reference,omitempty"`
+}
+```
+
+### API-Endpoints
+
+| Method | Endpoint | Beschreibung |
+|--------|----------|--------------|
+| GET | `/sdk/v1/dsgvo/dsfas` | Alle DSFAs auflisten |
+| POST | `/sdk/v1/dsgvo/dsfas` | Neue DSFA erstellen |
+| GET | `/sdk/v1/dsgvo/dsfas/:id` | DSFA abrufen |
+| PUT | `/sdk/v1/dsgvo/dsfas/:id` | DSFA aktualisieren |
+| DELETE | `/sdk/v1/dsgvo/dsfas/:id` | DSFA löschen |
+| PUT | `/sdk/v1/dsgvo/dsfas/:id/sections/:num` | Abschnitt aktualisieren |
+| POST | `/sdk/v1/dsgvo/dsfas/:id/submit-for-review` | Zur Prüfung einreichen |
+| POST | `/sdk/v1/dsgvo/dsfas/:id/approve` | Genehmigen/Ablehnen |
+| GET | `/sdk/v1/dsgvo/dsfas/stats` | Statistiken abrufen |
+| POST | `/sdk/v1/dsgvo/dsfas/from-assessment/:id` | DSFA aus UCCA erstellen |
+| GET | `/sdk/v1/dsgvo/dsfas/by-assessment/:id` | DSFA zu Assessment finden |
+
+### Verwendung (Backend)
+
+```go
+import "ai-compliance-sdk/internal/dsgvo"
+
+// Store erstellen
+store := dsgvo.NewStore(db)
+
+// DSFA erstellen
+dsfa := &dsgvo.DSFA{
+    Name:              "KI-Chatbot Kundenservice",
+    ProcessingPurpose: "Automatisierte Kundenanfragen-Bearbeitung",
+    DataCategories:    []string{"Kontaktdaten", "Anfrageinhalte"},
+    DataSubjects:      []string{"Kunden"},
+    LegalBasis:        "legitimate_interest",
+    Status:            "draft",
+}
+
+id, err := store.CreateDSFA(ctx, tenantID, dsfa)
+
+// Abschnitt aktualisieren
+err = store.UpdateDSFASection(ctx, id, 1, map[string]interface{}{
+    "processing_description": "Detaillierte Beschreibung...",
+})
+
+// Zur Prüfung einreichen
+err = store.SubmitDSFAForReview(ctx, id, userID)
+
+// Genehmigen
+err = store.ApproveDSFA(ctx, id, approverID, true, "Genehmigt nach Prüfung")
+```
+
+### Verwendung (Frontend)
+
+```typescript
+import { listDSFAs, getDSFA, updateDSFASection, submitDSFAForReview } from '@/lib/sdk/dsfa/api'
+
+// DSFAs laden
+const dsfas = await listDSFAs()
+
+// Einzelne DSFA laden
+const dsfa = await getDSFA(id)
+
+// Abschnitt aktualisieren
+await updateDSFASection(id, 1, {
+  processing_purpose: 'Neuer Zweck',
+  data_categories: ['Kontaktdaten', 'Nutzungsdaten'],
+})
+
+// Zur Prüfung einreichen
+await submitDSFAForReview(id)
+```
+
+### Risiko-Matrix
+
+Die Risiko-Matrix berechnet die Risikostufe aus Eintrittswahrscheinlichkeit und Auswirkung:
+
+```typescript
+import { calculateRiskLevel } from '@/lib/sdk/dsfa/types'
+
+const { level, score } = calculateRiskLevel('high', 'high')
+// level: 'very_high', score: 90
+```
+
+| Eintritt \ Auswirkung | Niedrig | Mittel | Hoch |
+|-----------------------|---------|--------|------|
+| **Hoch** | Mittel (40) | Hoch (70) | Sehr Hoch (90) |
+| **Mittel** | Niedrig (20) | Mittel (50) | Hoch (70) |
+| **Niedrig** | Niedrig (10) | Niedrig (20) | Mittel (40) |
+
+### UCCA-Integration (Trigger-Regeln)
+
+Folgende UCCA-Regeln lösen eine DSFA-Empfehlung aus:
+
+| Code | Beschreibung |
+|------|--------------|
+| R-A002 | Art. 9 Daten (besondere Kategorien) |
+| R-A003 | Daten von Minderjährigen |
+| R-A005 | Biometrische Daten |
+| R-B002 | Scoring (systematische Bewertung) |
+| R-B003 | Profiling |
+| R-B004 | Marketing mit personenbezogenen Daten |
+| R-D003 | Training mit Gesundheitsdaten |
+| R-G002 | Risiko-Score ≥ 60 |
+
+### Tests
+
+```bash
+# Backend-Tests
+go test -v ./internal/dsgvo/...
+
+# Frontend-Tests
+cd admin-v2 && npm test -- --testPathPattern=dsfa
+```
+
+### Wichtige Dateien
+
+| Datei | Beschreibung |
+|-------|--------------|
+| `internal/dsgvo/models.go` | DSFA-Datenmodell |
+| `internal/dsgvo/store.go` | PostgreSQL-Store |
+| `internal/api/handlers/dsgvo_handlers.go` | API-Handler |
+| `admin-v2/lib/sdk/dsfa/types.ts` | TypeScript-Typen |
+| `admin-v2/lib/sdk/dsfa/api.ts` | API-Client |
+| `admin-v2/components/sdk/dsfa/` | UI-Komponenten |
+| `admin-v2/app/(sdk)/sdk/dsfa/` | Dashboard & Editor |
+
+---
+
+*Dokumentationsstand: 2026-02-09*