13:["$","$L15",null,{"formats":"$undefined","locale":"en","messages":{"metadata":{"classifierTitle":"AI System Classifier — Witness","classifierDescription":"Free EU AI Act classifier. Answer 10 questions to determine whether your AI system is prohibited, high-risk, limited-risk, or minimal-risk under Regulation 2024/1689.","resultTitle":"Classification Result — Witness","resultDescription":"Your AI system's EU AI Act risk classification, applicable articles, and the provider or deployer obligations you must meet before August 2, 2026.","documentationTitle":"Technical Documentation — Witness","documentationDescription":"Build Annex IV technical documentation for high-risk AI systems — 42 guided fields covering data, risk management, performance, and post-market monitoring.","reviewTitle":"Review Documentation — Witness","reviewDescription":"Review and export your Annex IV technical documentation.","obligationsTitle":"Obligation Tracker — Witness","obligationsDescription":"Track your EU AI Act compliance obligations and progress toward the August 2, 2026 deadline.","literacyTitle":"AI Literacy Compliance — Witness","literacyDescription":"Build your Article 4 AI literacy training program and generate compliance evidence.","literacyReviewTitle":"Review AI Literacy Program — Witness","literacyReviewDescription":"Review and export your AI literacy compliance documentation.","friaTitle":"FRIA Generator — Witness","friaDescription":"Generate your Fundamental Rights Impact Assessment per EU AI Act Article 27 — 8 sections, 37 guided fields, PDF and Word export for public-body deployers.","friaReviewTitle":"Review FRIA — Witness","friaReviewDescription":"Review and export your Fundamental Rights Impact Assessment.","roleClassifierTitle":"Provider vs Deployer — Witness","roleClassifierDescription":"Free role classifier for the EU AI Act. Find out whether your company is a Provider, Deployer, or both under Article 25 — and which obligations apply.","conformityTitle":"Conformity Assessment — Witness","conformityDescription":"Prepare your conformity assessment per Article 43 of the EU AI Act, including QMS review, declaration of conformity, and CE marking.","conformityReviewTitle":"Review Conformity Assessment — Witness","conformityReviewDescription":"Review and export your conformity assessment documentation.","riskManagementTitle":"Risk Management System — Witness","riskManagementDescription":"Build and document your Article 9 Risk Management System for high-risk AI systems under the EU AI Act.","riskManagementReviewTitle":"Review Risk Management System — Witness","riskManagementReviewDescription":"Review and export your Article 9 Risk Management System documentation.","dashboardTitle":"Dashboard — Witness","dashboardDescription":"Your organization's AI compliance overview and management dashboard.","loginTitle":"Sign In — Witness","loginDescription":"Sign in to your Witness account to manage your EU AI Act compliance.","onboardingTitle":"Set Up Your Organization — Witness","onboardingDescription":"Complete your organization profile to get started with EU AI Act compliance.","teamTitle":"Team Management — Witness","teamDescription":"Manage team members and invitations for your organization.","academyTitle":"AI Act Academy — Witness","academyDescription":"Free EU AI Act academy — 13 plain-language modules, 42 quiz questions, and an employee tracker to prove Article 4 AI literacy training for your organisation.","siteTitle":"Witness — EU AI Act Compliance Made Simple","siteDescription":"Self-service EU AI Act compliance for European SMEs. Classify AI systems, generate Annex IV documentation, and track obligations before 2 August 2026.","chatTitle":"AI Act Assistant — Witness","chatDescription":"Ask questions about the EU AI Act and get instant, source-backed answers.","getStartedTitle":"Get Started — Witness","getStartedDescription":"Start your EU AI Act compliance journey in under 5 minutes — a guided conversation classifies your AI system and produces a personalised obligation plan.","workspaceTitle":"Compliance Workspace — Witness","workspaceDescription":"Unified compliance workspace for your AI system under the EU AI Act.","glossaryTitle":"EU AI Act Glossary — Witness","glossaryDescription":"Comprehensive EU AI Act glossary — plain-language definitions for Annex III, FRIA, provider, deployer, high-risk, GPAI, and other key regulatory terms.","impressumTitle":"Impressum — Witness","impressumDescription":"Legal disclosure and company information for Witness by Parallax Technologies GmbH.","privacyTitle":"Privacy Policy — Witness","privacyDescription":"Privacy policy for Witness, the EU AI Act compliance platform by Parallax Technologies GmbH.","termsTitle":"Terms of Service — Witness","termsDescription":"Terms of service for Witness, the EU AI Act compliance platform by Parallax Technologies GmbH.","pricingTitle":"Pricing — Witness","pricingDescription":"Transparent EU AI Act pricing — one-time initial assessment (€0 to €999) plus optional annual maintenance. No subscriptions, no lock-in.","aboutTitle":"About — Witness","aboutDescription":"Witness is the self-service EU AI Act compliance platform for SMEs. Classify your AI system and generate audit-ready Annex IV, Article 9, Article 27, and Article 43 documentation.","featuresTitle":"Features — Witness","featuresDescription":"Every EU AI Act obligation SMEs need: classification, Annex IV, Article 9 risk management, Article 27 FRIA, Article 4 literacy, conformity assessment, tamper-evident audit trail.","trustTitle":"Trust & Security — Witness","trustDescription":"EU-hosted, GDPR by design, article-grounded accuracy, tamper-evident audit trail. How Witness keeps your compliance defensible.","notFoundTitle":"404 — Witness","notFoundDescription":"That page is not here.","ogImageAlt":"Witness — EU AI Act compliance made simple"},"seo":{"breadcrumbHome":"Home","breadcrumbBlog":"Blog","breadcrumbClassifier":"AI System Classifier","breadcrumbFria":"FRIA Generator","breadcrumbDocumentation":"Technical Documentation","breadcrumbRiskManagement":"Risk Management System","breadcrumbConformity":"Conformity Assessment","breadcrumbLiteracy":"AI Literacy","breadcrumbRoleClassifier":"Provider vs Deployer","classifierFaq":{"q1":"Is my AI system high-risk?","a1":"An AI system is high-risk under the EU AI Act if it falls into one of the eight Annex III use cases (e.g., employment, credit scoring, biometric identification, critical infrastructure) or is a safety component regulated under Annex I Union harmonisation law. Article 6(3) offers narrow exceptions when the system only performs procedural tasks, improves prior human work, detects decision patterns, or handles preparatory tasks — but never when it profiles individuals. Use the Witness classifier to confirm.","q2":"What risk categories exist under the EU AI Act?","a2":"The EU AI Act defines four risk tiers: unacceptable risk (prohibited practices under Article 5), high-risk (Article 6 and Annex III), limited risk with transparency obligations (Article 50, e.g., chatbots and deepfakes), and minimal risk (everything else, no obligations beyond voluntary codes).","q3":"Does the EU AI Act apply to my company?","a3":"Yes if you place an AI system on the EU market, put one into service in the EU, or the system's output is used in the EU — regardless of where your company is based. Providers, deployers, importers, and distributors all have obligations under Article 2. Narrow exclusions exist for military, national security, pure research, and free open-source AI outside high-risk use."},"friaFaq":{"q1":"What is a FRIA?","a1":"A Fundamental Rights Impact Assessment (FRIA) is a documented analysis required by Article 27 of the EU AI Act. It maps how a high-risk AI system may affect the fundamental rights of persons or groups, describes mitigation measures, and must be notified to the market surveillance authority before first use.","q2":"Who needs to conduct a FRIA?","a2":"Article 27 requires deployers that are public bodies (or private entities providing public services) and deployers of high-risk AI systems used for creditworthiness assessment of natural persons or for life and health insurance risk assessment and pricing to conduct a FRIA before deploying the system.","q3":"What does Article 27 require?","a3":"The FRIA must describe the deployer's processes in which the AI system will be used, the period and frequency of use, categories of affected persons, specific risks of harm to fundamental rights, human oversight measures, and the governance and complaint arrangements put in place if identified risks materialise."},"documentationFaq":{"q1":"What is Annex IV?","a1":"Annex IV of the EU AI Act lists the technical documentation that providers of high-risk AI systems must prepare before placing the system on the market and keep up to date. It covers system description, design, development process, monitoring, performance, and risk management — nine sections in total.","q2":"What technical documentation is required?","a2":"Article 11 and Annex IV require: a general description of the AI system, detailed design specifications, information on data and data governance, monitoring and control mechanisms, performance metrics, the risk management system, changes made through its lifecycle, standards applied, the EU declaration of conformity, and the post-market monitoring plan.","q3":"How detailed does documentation need to be?","a3":"Documentation must be detailed enough for national competent authorities to assess conformity with the Act. SMEs and start-ups may provide the information in a simplified manner using a template provided by the Commission (Article 11(1)), but all Annex IV elements must still be addressed."},"pricingFaq":{"q1":"How much does EU AI Act compliance cost?","a1":"Witness costs between €0 and €999 depending on your tier, with an optional annual maintenance fee (€0 to €399/year). Your required tier depends on your AI system's risk classification.","q2":"Is there a free EU AI Act compliance tool?","a2":"Yes. Witness offers a free tier that includes the AI system classifier, role classifier, academy essentials, three AI chat messages per day, and a read-only document upload — enough to understand your obligations without paying anything.","q3":"What's included in each tier?","a3":"Free covers classification and education. Starter (€199 + €79/year) adds transparency tools and exports for limited-risk systems. Professional (€499 + €199/year) unlocks the full high-risk compliance suite: FRIA, conformity assessment, risk management, AI prefill, and advanced academy. Team (€999 + €399/year) adds multi-user seats, an employee tracker, and compliance reports.","q4":"Do I need a subscription?","a4":"No. You pay a one-time initial assessment fee and get lifetime access to the tools at your tier. Annual maintenance (optional after year one) keeps AI prefill, monitoring, and regulatory change alerts active. Documents you generated remain yours even if maintenance lapses."}},"home":{"title":"Witness delivers your EU AI Act compliance.","classifyButton":"Classify Your AI System","documentationButton":"Generate Documentation","trackObligationsButton":"Track Your Obligations","signInButton":"Sign In","literacyButton":"AI Literacy (Art. 4)","deadline":"August 2, 2026 — EU AI Act high-risk obligations take effect.","friaButton":"FRIA Generator","tagline":"EU AI Act compliance made simple","heroDescription":"The EU AI Act applies from 2 August 2026. Penalties reach €35 million or 7% of global annual turnover. Witness is self-service compliance: classify your AI systems, generate audit-ready documentation, and stay compliant.","featureClassifierTitle":"AI System Classifier","featureClassifierDesc":"10-question assessment that determines your AI system's risk level under the EU AI Act.","featureObligationsTitle":"Obligation Tracker","featureObligationsDesc":"Track 28 provider and deployer obligations with status tracking and deadline monitoring.","featureDocumentationTitle":"Technical Documentation","featureDocumentationDesc":"Generate Annex IV compliant documentation with 42 guided fields and legal references.","featureFriaTitle":"FRIA Generator","featureFriaDesc":"Fundamental Rights Impact Assessment with risk matrix and DPIA integration.","featureLiteracyTitle":"AI Literacy","featureLiteracyDesc":"Article 4 compliance — training program builder with pre-built modules.","featureRoleClassifierTitle":"Provider vs Deployer","featureRoleClassifierDesc":"Determine your role under the EU AI Act — Provider, Deployer, or both — with role-shifting detection.","featureConformityTitle":"Conformity Assessment","featureConformityDesc":"Article 43 conformity assessment wizard with QMS checklist, declaration builder, and CE marking guidance.","featureRiskManagementTitle":"Risk Management System","featureRiskManagementDesc":"Article 9 compliant risk management — identify, assess, mitigate, and document risks across the AI system lifecycle.","featureAcademyTitle":"AI Act Academy","featureAcademyDesc":"Free 8-module course teaching the EU AI Act in plain language. Interactive exercises, quiz, and completion certificate.","alreadyEnforceable":"Already Enforceable","startFree":"Start Free","learnMore":"Learn More","deadlineBannerTitle":"Compliance Deadline","deadlineBannerText":"EU AI Act high-risk obligations take effect on August 2, 2026.","exploreAcademy":"Explore the Academy","trustBadgeOfficial":"Based on official EU sources","trustBadgeDeadline":"Deadline: August 2, 2026","howItWorksTitle":"How It Works","step1Title":"Classify","step1Desc":"Answer 10 questions about your AI system","step2Title":"Upload","step2Desc":"Drop your existing docs, we extract what matters","step3Title":"Export","step3Desc":"Download your complete compliance package","freeToolsTitle":"Start for free","freeToolsSubtitle":"No account required. Classify your AI system and learn the regulation at no cost.","freeBadge":"Free","earlyAccessBadge":"Early Access","premiumToolsTitle":"Complete compliance toolkit","premiumToolsSubtitle":"Everything you need to go from classification to audit-ready compliance.","trustTitle":"Built on official EU sources","trustDisclaimer":"Witness provides compliance tools based on the official text of Regulation (EU) 2024/1689. It is not legal advice. Always verify with your legal team.","pricingTeaser":"Classify your AI system for free. Compliance tools from €99 (launch pricing). First year included.","ctaTitle":"Get ready for August 2, 2026","ctaSubtitle":"Join the waitlist and be the first to know when new features launch.","heroBadge":"Compliance deadline: August 2, 2026","aiPrefillBadge":"Smart Compliance","aiPrefillTitle":"Already have documentation? You're closer than you think.","aiPrefillSubtitle":"Drop your existing docs — product specs, risk assessments, anything you have. They're automatically analyzed and your compliance forms are pre-filled.","aiPrefillBullet1":"Upload any format — PDF, Word, or plain text","aiPrefillBullet2":"Your docs are automatically mapped to EU AI Act requirements","aiPrefillBullet3":"Most companies are 60–80% done before they start","aiPrefillCta":"Try it free — upload your first document","aiPrefillCtaNote":"No signup required. First upload is free.","aiPrefillMockupTitle":"Technical Documentation","aiPrefillMockupField1":"System Purpose","aiPrefillMockupValue1":"Automated candidate matching and ranking based on skills, experience, and job requirements","aiPrefillMockupField2":"Training Data Description","aiPrefillMockupValue2":"Historical hiring data from 2019–2025, anonymized applicant profiles","aiPrefillMockupField3":"Risk Management","aiPrefillMockupConfidenceHigh":"High confidence","aiPrefillMockupConfidenceMedium":"Medium confidence","aiPrefillMockupNeedsInput":"Needs your input","aiPrefillMockupSummary":"{covered} of {total} fields pre-filled","aiPrefillMockupBadge":"AI Suggested","aiChatTitle":"Got questions? Ask the EU AI Act Expert","aiChatDesc":"Get instant, grounded answers about the EU AI Act. Every article, annex, and recital — with sources cited.","aiChatCta":"Ask a question","countdownSectionTitle":"The deadline is not moving.","countdownSectionBody":"On 2 August 2026 the EU AI Act applies in full. Providers and deployers of high-risk AI systems face penalties up to €15 million or 3% of global annual turnover under Article 99(4). SME caps under Article 99(6) do not eliminate the obligation — they cap the damage.","countdownCta":"Classify my AI system","footerBlog":"Blog","footerAcademy":"Academy","footerPricing":"Pricing","footerGlossary":"Glossary","footerProduct":"Product","footerCompanyHeader":"Company","footerAbout":"About","footerFeatures":"Features","footerTrust":"Trust & Security","footerLegal":"Legal","footerImpressum":"Impressum","footerPrivacy":"Privacy Policy","footerTerms":"Terms of Service","footerDpa":"Data Processing Agreement","footerRefund":"Refund Policy","footerCopyright":"© 2026 Parallax Technologies GmbH. All rights reserved.","footerCompany":"Parallax Technologies GmbH","docShowcase":{"title":"Upload your documents. We do the rest.","subtitle":"Drop your existing documentation — product specs, risk assessments, anything. We extract compliance-relevant information and fill your forms automatically.","cta":"Get Started","windowTitle":"Document Analysis","analyzing":"Analyzing...","complete":"Complete","docField1Label":"System Purpose","docField1Value":"Automated screening and ranking of job applications based on skills, experience, and job requirements.","docField2Label":"Training Data","docField2Value":"50,000 anonymized CVs from 2019-2025, covering 12 industries and 340 job categories.","docField3Label":"Risk Mitigation","docField3Value":"Human oversight required for all final hiring decisions. Automated bias detection on monthly cycles.","fieldsCovered":"{covered}/{total} fields covered"},"chatShowcase":{"title":"Got questions? Ask the expert.","subtitle":"Our compliance assistant knows the EU AI Act inside out. Ask anything — from risk classification to specific article requirements.","cta":"Try it","windowTitle":"EU AI Act Expert","userQuestion":"Is my HR screening tool high-risk under the EU AI Act?","expertParagraph1":"Yes. Under Article 6(2) and Annex III category 4(a), AI systems used for recruitment and screening of job applications are classified as high-risk.","expertParagraph2":"As a provider, you'll need to:","expertBullet1":"Complete technical documentation (Annex IV)","expertBullet2":"Implement a risk management system (Art. 9)","expertBullet3":"Ensure human oversight (Art. 14)","expertBullet4":"Conduct a conformity assessment (Art. 43)","expertDeadline":"The deadline is August 2, 2026.","inputPlaceholder":"Ask your question..."}},"waitlist":{"placeholder":"Enter your email","notify":"Get notified","submitting":"Submitting...","success":"You're on the list! We'll let you know when we launch.","error":"Something went wrong. Please try again.","justWantUpdates":"Just want updates? Join the waitlist instead."},"classifier":{"backToHome":"Back to home","heading":"AI System Classifier","description":"Answer the questions below to determine the risk classification of your AI system under the EU AI Act. This typically takes 3-5 minutes.","backButton":"Back","nextButton":"Next","classifyButton":"Classify","phaseCounter":"Phase {current} of {total}","yesButton":"Yes","noButton":"No","earlyResultNotAI":"Based on your answers, this system does not appear to be an AI system under the EU AI Act. You can still proceed to see the full classification.","earlyResultExcluded":"This system appears to be excluded from the EU AI Act's scope. You can classify to see the detailed reasoning.","upgradeCta":{"highRiskTitle":"{count, plural, =1 {You have # obligation} other {You have # obligations}} to document across {toolCount, plural, =1 {# tool} other {# tools}}.","highRiskDescription":"Unlock Professional to start working through: {tools}.","highRiskButton":"Unlock Professional — €{price}","limitedRiskTitle":"{count, plural, =1 {You have # transparency obligation} other {You have # transparency obligations}} to document.","limitedRiskDescription":"Unlock Starter to produce transparency notices and AI literacy documentation.","limitedRiskButton":"Unlock Starter — €{price}"}},"phases":{"template_selection":"System Type","is_ai_system":"AI System Check","scope_exclusions":"Scope Exclusions","prohibited_practices":"Prohibited Practices","role_determination":"Your Role","annex_iii_check":"High-Risk Areas","article_6_3_exception":"Exception Check","limited_risk_check":"Limited Risk"},"phaseDescriptions":{"is_ai_system":"First, let's determine if your system qualifies as an AI system under Article 3(1) of the EU AI Act.","scope_exclusions":"Some AI systems are excluded from the EU AI Act. Let's check if any exclusions apply.","prohibited_practices":"Certain AI practices are outright banned under Article 5. These have been prohibited since February 2, 2025.","role_determination":"Your obligations depend on whether you're a Provider (developer) or Deployer (user) of the AI system.","annex_iii_check":"Annex III lists specific high-risk use cases. Answer 'No' to any areas that don't apply — most systems only match one or two.","article_6_3_exception":"Your system matches a high-risk category, but Article 6(3) provides exceptions for certain limited-scope systems.","limited_risk_check":"Some AI systems have transparency obligations under Article 50, even if they're not high-risk."},"questions":{"operates_with_autonomy":{"text":"Is the system designed to operate with at least some degree of autonomy, rather than being fully controlled step by step by a human?","helpText":"Article 3(1) covers machine-based systems designed to operate with varying levels of autonomy. Simple software that only executes fully predetermined human instructions is usually not an AI system."},"uses_ml":{"text":"Does your system use machine learning, deep learning, or neural networks?","helpText":"This includes supervised, unsupervised, and reinforcement learning, as well as any system trained on data to make predictions or decisions."},"uses_statistical":{"text":"Does your system use statistical approaches to make predictions, recommendations, or decisions?","helpText":"This includes regression models, Bayesian estimation, search and optimization methods, and other statistical inference techniques."},"uses_logic_knowledge":{"text":"Does your system use logic-based or knowledge-based approaches (expert systems, rule engines with inference capabilities)?","helpText":"Systems that use knowledge representation and automated reasoning to derive conclusions. Simple if/else automation without inference does NOT qualify."},"generates_outputs":{"text":"Does your system infer from inputs how to generate outputs such as predictions, content, recommendations, or decisions?","helpText":"The key word is 'infer' — the system must derive outputs through some form of reasoning or pattern recognition, not just direct mapping."},"international_law_enforcement":{"text":"Is this AI system made available only for international law enforcement cooperation with authorities in a third country or with an international organisation under a qualifying international agreement?","helpText":"Article 2(4) excludes certain AI systems made available only for international law enforcement cooperation, provided equivalent fundamental-rights safeguards apply."},"military_use":{"text":"Is this AI system used exclusively for military or national security purposes?","helpText":"Systems developed or used exclusively for military/defense/national security are outside the AI Act's scope."},"research_only":{"text":"Is this AI system developed or used solely for scientific research and development, or only for research, testing, or development before being placed on the market or put into service?","helpText":"Article 2 excludes certain scientific R&D systems and pre-market research/testing/development activity. Once the system is placed on the market or put into service for non-R&D purposes, this exclusion may no longer apply."},"personal_use":{"text":"Is this AI system used exclusively for personal, non-professional activities?","helpText":"Hobby projects and personal tools used outside any professional context are excluded."},"released_under_open_source_license":{"text":"Is this AI system released under a free and open-source licence?","helpText":"Article 2(12) can exclude free and open-source AI systems, but not where the system is high-risk, prohibited, or subject to Article 50 transparency obligations."},"subliminal_manipulation":{"text":"Does your AI system use subliminal, manipulative, or deceptive techniques to distort people's behavior in ways that cause or are likely to cause significant harm?","helpText":"Techniques that operate below a person's consciousness or exploit psychological vulnerabilities to influence behavior without their awareness."},"exploit_vulnerable":{"text":"Does your AI system exploit vulnerabilities of specific groups (due to age, disability, or social/economic situation) to materially distort their behavior, causing or likely causing significant harm?","helpText":"Targeting children, elderly persons, persons with disabilities, or economically disadvantaged groups."},"social_scoring":{"text":"Is your AI system used by or for a public authority to evaluate or classify people based on social behavior or personal characteristics (social scoring), leading to detrimental treatment?","helpText":"Government-operated systems that rank citizens and restrict access to services based on social behavior data."},"predictive_policing_profiling":{"text":"Does your AI system assess the risk of a person committing criminal offences based solely on profiling or personality traits (without objective, verifiable facts linked to criminal activity)?","helpText":"Predicting criminal behavior purely from demographics, personality, or profile data — not augmented by objective evidence."},"facial_scraping":{"text":"Does your AI system scrape facial images from the internet or CCTV footage in an untargeted manner to build or expand a facial recognition database?","helpText":"Mass collection of facial images without specific, targeted justification (e.g., Clearview AI-style scraping)."},"emotion_recognition_work_school":{"text":"Does your AI system infer emotions of people in the workplace or in educational institutions?","helpText":"Monitoring employee or student emotions via facial expressions, voice, or biometrics. Exception: medical or safety reasons."},"biometric_sensitive_inference":{"text":"Does your AI system categorize people based on biometric data to infer sensitive attributes such as race, political opinions, trade union membership, religious beliefs, or sexual orientation?","helpText":"Using biometric processing to classify people into sensitive categories."},"realtime_biometric_public":{"text":"Does your AI system perform real-time remote biometric identification of people in publicly accessible spaces for law enforcement purposes?","helpText":"Live facial recognition in public areas by or for law enforcement. There are three narrow exceptions (missing persons, terrorism, serious crimes) that require judicial authorization."},"role":{"text":"What is your organization's role regarding this AI system?","helpText":"Provider: You developed it or have it developed and place it on the market under your name. Deployer: You use an AI system provided by someone else in your business operations.","options":{"provider":{"label":"Provider — We developed this AI system (or had it developed) and offer it under our name","helpText":"You are the maker. You developed, trained, or commissioned the system and place it on the market."},"deployer":{"label":"Deployer — We use an AI system built by someone else in our business operations","helpText":"You purchased, licensed, or otherwise obtained the AI system from a provider."},"both":{"label":"Both — We developed the system AND use it in our own operations","helpText":"You built the system and also deploy it internally (not just selling to others)."}}},"modified_system":{"text":"Have you made substantial modifications to this AI system, changed its intended purpose, or put your name/brand on it?","helpText":"Under Article 25, making substantial modifications or changing the intended purpose of an AI system makes you a Provider, even if you originally obtained it from someone else."},"public_body_or_public_service":{"text":"If you deploy this system, are you a body governed by public law or a private entity providing public services?","helpText":"Under Article 27(1), that status can trigger a Fundamental Rights Impact Assessment for Annex III high-risk systems, except point 2 critical infrastructure systems."},"biometric_identification":{"text":"Does your AI system perform remote biometric identification of people (e.g., facial recognition, not in real-time in public spaces)?","helpText":"Identifying people from a distance using biometric data. Real-time public-space use by law enforcement is banned under Article 5."},"biometric_categorization":{"text":"Does your AI system categorize people based on biometric data according to sensitive or protected attributes?","helpText":"Using biometric processing to sort or classify individuals by protected characteristics (where not already banned under Article 5)."},"emotion_recognition_other":{"text":"Does your AI system detect or infer emotions from biometric data (outside workplace/education, which is banned)?","helpText":"Emotion recognition in contexts other than workplace or education — for example, in customer service, security, or entertainment."},"critical_infrastructure":{"text":"Is your AI system a safety component in the management or operation of critical infrastructure (digital infrastructure, road traffic, water, gas, heating, or electricity supply)?","helpText":"The AI must be a safety-critical component, not just any software used by a utility company."},"education_admission":{"text":"Does your AI system determine access to, admission to, or assignment to educational or vocational training institutions?","helpText":"University admissions algorithms, school placement systems, training program selection."},"education_evaluation":{"text":"Does your AI system evaluate learning outcomes or steer the learning process?","helpText":"AI-based grading, adaptive learning systems that determine curriculum or progression."},"education_level_assessment":{"text":"Does your AI system assess the appropriate level of education for an individual or influence their access to education?","helpText":"Determining what educational level or track someone should be placed in."},"exam_proctoring":{"text":"Does your AI system monitor or detect prohibited behavior of students during tests (exam proctoring)?","helpText":"AI-based cheating detection during examinations."},"recruitment":{"text":"Does your AI system screen job applications, filter candidates, evaluate applicants, or place targeted job advertisements?","helpText":"CV screening AI, interview assessment, candidate ranking, targeted recruitment ads."},"employment_decisions":{"text":"Does your AI system make decisions about work relationships (promotion, termination, task allocation) or monitor/evaluate employee performance?","helpText":"Employee monitoring AI, performance evaluation, automated task assignment based on individual behavior or traits."},"public_benefits":{"text":"Is your AI system used by or for public authorities to evaluate eligibility for public assistance, benefits, or services (including healthcare)?","helpText":"Welfare eligibility determination, healthcare access decisions by government bodies."},"credit_scoring":{"text":"Does your AI system evaluate the creditworthiness of individuals or establish credit scores?","helpText":"Loan approval AI, credit scoring models, creditworthiness assessment. EXCEPTION: AI used solely for fraud detection is NOT high-risk."},"credit_scoring_fraud_only":{"text":"Is this credit-related AI system used SOLELY for detecting financial fraud (not for creditworthiness assessment)?","helpText":"If the system's only purpose is fraud detection, it is explicitly exempted from the high-risk classification under Annex III 5(b)."},"insurance_risk":{"text":"Does your AI system assess risk or set pricing for life or health insurance for individuals?","helpText":"AI-based insurance underwriting, risk scoring, or premium calculation for natural persons."},"emergency_services":{"text":"Does your AI system evaluate or classify emergency calls, or triage emergency healthcare patients?","helpText":"911/112 dispatch prioritization, emergency room triage AI."},"law_enforcement_victim_risk":{"text":"Does your AI system assess the risk of a person becoming a victim of criminal offences?","helpText":"Victim risk assessment tools used by law enforcement."},"lie_detection_law":{"text":"Is your AI system used as a polygraph or lie detector in a law enforcement context?","helpText":"AI-based deception detection for law enforcement purposes."},"evidence_reliability":{"text":"Does your AI system evaluate the reliability of evidence in criminal investigations?","helpText":"AI tools that assess evidence quality or authenticity during criminal proceedings."},"reoffending_risk":{"text":"Does your AI system assess the risk of a person offending or re-offending (using factors beyond pure profiling)?","helpText":"Recidivism prediction that uses objective factors. Pure profiling-based prediction is banned under Article 5(1)(d)."},"criminal_profiling":{"text":"Does your AI system profile people during detection, investigation, or prosecution of criminal offences?","helpText":"Criminal profiling AI used by law enforcement."},"lie_detection_migration":{"text":"Is your AI system used as a polygraph or lie detector in the context of migration or border control?","helpText":"Deception detection at borders or during asylum procedures."},"migration_risk":{"text":"Does your AI system assess the risk (irregular migration or health) posed by a person intending to enter the EU?","helpText":"Risk assessment of incoming travelers or migrants."},"asylum_processing":{"text":"Does your AI system examine or assist in processing applications for asylum, visa, or residence permits?","helpText":"AI systems supporting immigration case processing and eligibility determination."},"border_identification":{"text":"Does your AI system detect, recognize, or identify people in the context of migration, asylum, or border control (other than verifying travel documents)?","helpText":"Biometric identification at borders, excluding standard document verification."},"judicial_assistance":{"text":"Does your AI system assist judicial authorities in researching, interpreting, or applying the law, or is it used in alternative dispute resolution?","helpText":"AI legal research tools used by courts, AI-assisted sentencing, AI in arbitration."},"election_influence":{"text":"Does your AI system influence election outcomes, referendum results, or voting behavior of individuals (through direct interaction with voters)?","helpText":"AI targeting voters to influence their vote. Exception: campaign organization tools that don't directly interact with voters."},"narrow_procedural":{"text":"Does your AI system ONLY perform a narrow procedural task (e.g., converting data formats, sorting documents)?","helpText":"Simple, bounded operations that don't involve substantive decision-making about people."},"improves_human_result":{"text":"Does your AI system ONLY improve the result of a previously completed human activity?","helpText":"For example, spell-checking a human-written document or enhancing a human-taken photograph."},"detects_patterns_only":{"text":"Does your AI system ONLY detect decision-making patterns or deviations for human review, without replacing or influencing the human assessment?","helpText":"Anomaly detection or flagging tools that highlight patterns for a human to evaluate and decide upon."},"preparatory_task":{"text":"Does your AI system ONLY perform a preparatory task for an assessment that will be made by a human?","helpText":"Data gathering, summarization, or preliminary analysis where the human makes the final decision."},"profiles_persons":{"text":"Does your AI system profile natural persons (evaluate personal aspects such as work performance, economic situation, health, preferences, reliability, behavior, location, or movements)?","helpText":"IMPORTANT: If your system profiles people, it is ALWAYS high-risk regardless of the answers above. Profiling overrides all exceptions."},"interacts_with_persons":{"text":"Does your AI system interact directly with people (chatbot, voice assistant, virtual agent)?","helpText":"Users must be told they are interacting with an AI system, unless this is obvious from the context."},"generates_synthetic_content":{"text":"Does your AI system generate synthetic text, images, audio, or video that could appear to be human-made?","helpText":"AI-generated content must be marked in a machine-readable format and detectable as artificially generated or manipulated."},"emotion_recognition_limited":{"text":"Does your AI system detect or infer emotions from biometric data (in a non-banned, non-high-risk context)?","helpText":"Exposed persons must be informed of the system's operation."},"biometric_categorization_limited":{"text":"Does your AI system perform biometric categorization (in a non-banned, non-high-risk context)?","helpText":"Exposed persons must be informed of the system's operation."},"deepfake_generation":{"text":"Does your AI system generate or manipulate deepfakes (realistic fake images, audio, or video of real people)?","helpText":"Must be disclosed that the content has been artificially generated or manipulated."}},"obligations":{"Art_9":{"title":"Risk Management System","description":"Establish, implement, document, and maintain a continuous risk management system throughout the AI system's lifecycle. Identify and analyze known and foreseeable risks, adopt mitigation measures, and test the system."},"Art_10":{"title":"Data Governance","description":"Ensure training, validation, and test datasets are subject to appropriate data governance. Data must be relevant, representative, and free of errors to the best extent possible. Implement bias detection and correction."},"Art_11":{"title":"Technical Documentation","description":"Create comprehensive technical documentation per Annex IV before placing the system on the market or putting it into service. Must cover: general description, development process, data requirements, performance metrics, risk management, standards applied, and post-market monitoring plan."},"Art_12":{"title":"Automatic Logging","description":"Design the system to automatically record events (logs) for traceability throughout its lifecycle. Logs must enable monitoring for risk situations and facilitate post-market monitoring."},"Art_13":{"title":"Transparency & Instructions for Use","description":"Provide deployers with clear information about: provider identity, system capabilities and limitations, intended purpose, accuracy levels, human oversight measures, expected lifetime, and maintenance requirements."},"Art_14":{"title":"Human Oversight Design","description":"Design the system so humans can: understand its capabilities and limitations, correctly interpret its output, decide to override or disregard its output, and intervene or halt the system."},"Art_15":{"title":"Accuracy, Robustness & Cybersecurity","description":"Achieve and declare appropriate levels of accuracy, robustness, and cybersecurity. System must be resilient to errors, faults, and adversarial attacks."},"Art_17":{"title":"Quality Management System","description":"Implement a QMS covering: compliance strategy, design/development procedures, testing/validation, data management, risk management, post-market monitoring, incident reporting, and accountability framework."},"Art_18":{"title":"Documentation Retention (10 years)","description":"Retain all documentation for 10 years after the AI system has been placed on the market or put into service."},"Art_19":{"title":"Log Retention (min. 6 months)","description":"Keep automatically generated logs for a period appropriate to the intended purpose, at minimum 6 months."},"Art_20":{"title":"Corrective Actions","description":"If the system is non-compliant: take corrective action, withdraw, disable, or recall. Inform distributors, deployers, and competent authorities."},"Art_21":{"title":"Cooperation with Authorities","description":"Provide information and access to the AI system upon a reasoned request from a national competent authority."},"Art_22":{"title":"Authorized Representative","description":"Non-EU providers must appoint an EU-based authorized representative by written mandate before placing the system on the market."},"Art_43":{"title":"Conformity Assessment","description":"Complete a conformity assessment before placing the system on the market or putting it into service. Self-assessment (Annex VI) for most systems. Third-party assessment (Annex VII) required for biometric identification systems."},"Art_47":{"title":"EU Declaration of Conformity","description":"Draw up an EU declaration of conformity for each high-risk AI system and keep it with the required documentation for 10 years after the system has been placed on the market or put into service."},"Art_48":{"title":"CE Marking","description":"Affix the CE marking visibly, legibly, and indelibly to the high-risk AI system or, where that is not possible, on its packaging or documentation."},"Art_49":{"title":"EU Database Registration","description":"Before placing on the market or putting into service a high-risk AI system listed in Annex III (except Annex III point 2), register yourself and the system in the EU database."},"Art_72":{"title":"Post-Market Monitoring","description":"Establish a documented post-market monitoring system proportionate to risks. Collect and analyze performance data throughout the system's lifetime."},"Art_73":{"title":"Serious Incident Reporting","description":"Report serious incidents to the market surveillance authority within 15 days of establishing a causal link. Serious incidents include death, serious health damage, fundamental rights infringement, or serious property/environmental damage."},"Art_26_1":{"title":"Use According to Instructions","description":"Take appropriate technical and organizational measures to ensure the AI system is used in accordance with the provider's instructions for use."},"Art_26_2":{"title":"Human Oversight Personnel","description":"Assign human oversight to natural persons who have the necessary competence, training, authority, and support."},"Art_26_4":{"title":"Input Data Quality","description":"Ensure that input data fed into the AI system is relevant and sufficiently representative for the intended purpose."},"Art_26_5":{"title":"Monitor Operation","description":"Monitor the AI system's operation based on the instructions for use. When risks are identified, suspend use, inform the provider, and report serious incidents."},"Art_26_6":{"title":"Log Retention (min. 6 months)","description":"Keep the automatically generated logs for a period appropriate to the intended purpose, at minimum 6 months, to the extent under your control."},"Art_26_11":{"title":"Inform Affected Persons","description":"For Annex III high-risk AI systems (except Annex III point 2), inform natural persons that they are subject to the use of the high-risk AI system, unless another Union or national-law exception applies."},"Art_27":{"title":"Fundamental Rights Impact Assessment","description":"Conduct a Fundamental Rights Impact Assessment (FRIA) before first use where Article 27 applies: for bodies governed by public law and private entities providing public services deploying Annex III systems (except point 2), and for deployers of Annex III 5(b) and 5(c) systems."},"Art_26_12":{"title":"Cooperate with Authorities","description":"Cooperate with the relevant competent authorities in any action those authorities take in relation to the high-risk AI system."},"Art_26_7":{"title":"Inform Workers","description":"If the high-risk AI system is put into use or used at the workplace, inform workers' representatives and affected workers before doing so."},"Art_50_3":{"title":"Inform about Emotion Recognition / Biometric Categorization (if applicable)","description":"If deploying emotion recognition or biometric categorization systems, inform the persons exposed to the system about its operation."},"Art_4":{"title":"AI Literacy","description":"Ensure staff dealing with the AI system have sufficient AI literacy, considering their technical knowledge, experience, and the context in which the system is used."}},"reasoning":{"not_ai_system":"Based on the answers provided, this system does not appear to meet the definition of an AI system under Article 3(1) of the EU AI Act.","qualifies_as_ai":"This system qualifies as an AI system under Article 3(1).","excluded_international_law_enforcement":"This AI system is excluded from the EU AI Act scope because it is made available only for qualifying international law enforcement cooperation (Article 2(4)).","excluded_military":"This AI system is excluded from the EU AI Act scope because it is used exclusively for military or national security purposes (Article 2(3)).","excluded_research":"This AI system is excluded from the EU AI Act scope because it is used solely for scientific research and development, or only for research, testing, or development before being placed on the market or put into service (Article 2(6) and Article 2(8)).","excluded_personal":"This AI system is excluded from the EU AI Act scope because it is used exclusively for personal, non-professional activities (Article 2(10)).","excluded_open_source":"This AI system is excluded from most EU AI Act obligations because it is released under a free and open-source licence and does not fall into the high-risk, prohibited, or Article 50 transparency categories (Article 2(12)).","prohibited_count":"This AI system triggers {count} prohibited practice(s) under Article 5. These practices have been BANNED since February 2, 2025.","no_prohibited":"No prohibited practices detected under Article 5.","annex_iii_exception":"This system matches Annex III category/categories but qualifies for the Article 6(3) exception.","annex_iii_exception_note":"IMPORTANT: Even though the exception applies, you must document this assessment and register the system in the EU database under Article 49(2).","high_risk_classified":"This AI system is classified as HIGH-RISK under Annex III ({areas}).","profiling_override":"The system profiles natural persons, which overrides any Article 6(3) exception.","fria_required":"A Fundamental Rights Impact Assessment (FRIA) is required under Article 27 before putting this system into use.","fria_required_public_body":"A Fundamental Rights Impact Assessment (FRIA) is required under Article 27 because the deployer is a body governed by public law or a private entity providing public services and the system falls under Annex III outside point 2.","no_annex_iii":"No Annex III high-risk categories matched.","annex_i_regulated_product":"This AI system is HIGH-RISK under Article 6(1) because it is a safety component of (or itself is) a product covered by {citation} (Annex I Section {section}). Conformity assessment is performed under the sectoral harmonisation legislation (Article 43(3)).","limited_risk_transparency":"This AI system has transparency obligations under Article 50 (limited risk).","minimal_risk":"This AI system is classified as minimal risk. No mandatory obligations apply beyond AI literacy (Article 4). Voluntary codes of conduct are encouraged (Article 95).","exception_narrow_procedural":"performs a narrow procedural task","exception_improves_human":"improves a previously completed human activity","exception_detects_patterns":"detects patterns for human review without influencing decisions","exception_preparatory":"performs a preparatory task for human assessment","exception_combined":"System {reasons} (Article 6(3)).","exception_profiling_override":"The system profiles natural persons, which means Article 6(3) exception cannot apply regardless of other factors.","exception_none":"No Article 6(3) exception conditions met."},"result":{"backToClassifier":"Back to classifier","heading":"Classification Result","description":"Here is the EU AI Act risk classification for your AI system.","classificationResultLabel":"Classification Result","notAISystemLabel":"NOT AN AI SYSTEM","outOfScopeLabel":"OUT OF SCOPE","yourRole":"Your role:","noResultFound":"No classification result found.","startClassification":"Start Classification","reasoningHeading":"Reasoning","highRiskCategoriesHeading":"High-Risk Categories Matched","prohibitedPracticesHeading":"Prohibited Practices Triggered","prohibitedPracticesDescription":"These practices are banned under Article 5 of the EU AI Act since February 2, 2025. Penalties: up to 35 million EUR or 7% of global annual turnover.","obligationsHeading":"Your Obligations ({count})","obligationsDescription":"These are the mandatory requirements for your role under the EU AI Act.","dueLabel":"Due: {date}","applicableArticlesHeading":"Applicable Articles","classifyAnotherButton":"Classify Another System","exportButton":"Export Classification (JSON)","pricingCta":{"title":"Your compliance roadmap","description":"Based on your classification, we can show you exactly what you need.","button":"See your compliance roadmap","starterTitle":"You have {count} obligations to document.","starterDescription":"Unlock Starter to start working across {toolCount} tools: {tools}.","starterButton":"Unlock Starter — €199","professionalTitle":"You have {count} obligations to document.","professionalDescription":"Unlock Professional to start working across {toolCount} tools: {tools}.","professionalButton":"Unlock Professional — €499","tools":{"workspace":"Compliance Workspace","documentation":"Technical Documentation","riskManagement":"Risk Management","conformity":"Conformity Assessment","fria":"FRIA","obligations":"Obligation Tracker","literacy":"AI Literacy Program"}},"prohibitedCta":{"title":"Prohibited AI Practice","description":"This AI system involves prohibited practices under Article 5 of the EU AI Act and cannot be deployed in the EU. No compliance roadmap is available for prohibited systems."},"disclaimer":"This classification is for informational purposes only and does not constitute legal advice. Consult with a qualified legal professional for definitive compliance guidance. Based on Regulation (EU) 2024/1689."},"riskLevels":{"unacceptable":"PROHIBITED","high_risk":"HIGH RISK","limited_risk":"LIMITED RISK","minimal_risk":"MINIMAL RISK"},"roles":{"provider":"Provider","deployer":"Deployer","both":"Provider + Deployer"},"annexAreas":{"1a":"Biometric Identification","1b":"Biometric Categorization","1c":"Emotion Recognition","2a":"Critical Infrastructure","3a":"Education — Admission","3b":"Education — Evaluation","3c":"Education — Level Assessment","3d":"Exam Proctoring","4a":"Recruitment","4b":"Employment Decisions","5a":"Public Benefits","5b":"Credit Scoring","5c":"Insurance Risk","5d":"Emergency Services","6a":"Law Enforcement — Victim Risk","6b":"Lie Detection (Law Enforcement)","6c":"Evidence Reliability","6d":"Reoffending Risk","6e":"Criminal Profiling","7a":"Lie Detection (Migration)","7b":"Migration Risk","7c":"Asylum Processing","7d":"Border Identification","8a":"Judicial Assistance","8b":"Election Influence"},"documentation":{"title":"Technical Documentation Generator","subtitle":"Generate Annex IV compliant technical documentation for your high-risk AI system. Required under Article 11 of the EU AI Act.","backToHome":"Back to home","stepCounter":"Section {current} of {total}","nextButton":"Next Section","backButton":"Previous Section","reviewButton":"Review & Export","saveProgress":"Progress saved automatically","requiredField":"Required","optionalField":"Optional","conditionalField":"Required if applicable","overallProgress":"Overall Completion","progressLabel":"{percentage}%","fieldsFilled":"{filled} of {total} required fields completed","sectionProgress":"{percentage}%","sectionNavLabel":"Documentation sections","articleReference":"Ref: Annex IV {ref}","helpAriaLabel":"Show help for {field}","distributionOptions":{"software_package":"Software package","embedded_hardware":"Embedded in hardware","download":"Download","api":"API","saas":"SaaS (Software as a Service)","other":"Other"},"sections":{"general_description":{"title":"General Description","description":"Provide a general description of your AI system, including its name, version, intended purpose, and how it is distributed and used."},"development_process":{"title":"Development Process","description":"Describe how the AI system was developed, including design choices, algorithms, training methods, and testing procedures."},"monitoring_functioning_control":{"title":"Monitoring, Functioning & Control","description":"Detail the system's capabilities, limitations, human oversight measures, and logging capabilities."},"performance_metrics":{"title":"Performance Metrics","description":"Explain why the chosen performance metrics are appropriate for this system and its intended purpose."},"risk_management":{"title":"Risk Management System","description":"Describe the risk management system established per Article 9 of the EU AI Act."},"lifecycle_changes":{"title":"Lifecycle Changes","description":"Document relevant changes made to the system over its lifecycle."},"standards_applied":{"title":"Standards Applied","description":"List the harmonised standards or other standards and specifications applied to the system."},"eu_declaration_conformity":{"title":"EU Declaration of Conformity","description":"Provide the EU declaration of conformity as required by Article 47."},"post_market_monitoring":{"title":"Post-Market Monitoring","description":"Describe the post-market monitoring system established per Article 72(3)."}},"fields":{"system_name":{"label":"AI System Name","placeholder":"e.g., Customer Scoring Engine v2.1","helpText":"The official name of your AI system as it will appear in the EU database."},"provider_name":{"label":"Provider Name","placeholder":"e.g., Acme AI Solutions GmbH","helpText":"The legal name of the entity responsible for the AI system."},"system_version":{"label":"System Version","placeholder":"e.g., 2.1.0","helpText":"The current version identifier of the AI system."},"intended_purpose":{"label":"Intended Purpose","placeholder":"Describe in detail what the AI system is designed to do, for whom, and in what context...","helpText":"A detailed description of what the system is designed to do. This must be specific enough that a deployer can understand the boundaries of permitted use."},"hardware_software_interaction":{"label":"Hardware/Software Interaction","placeholder":"Describe how the system interacts with external hardware or software components...","helpText":"How the AI system interacts with or can be used to interact with hardware or software that is not part of the AI system itself."},"software_versions":{"label":"Software & Firmware Versions","placeholder":"List relevant software versions, frameworks, dependencies, and any update requirements...","helpText":"Versions of relevant software or firmware, and any requirements for version updates."},"distribution_forms":{"label":"Distribution Form","placeholder":"Select how the system is distributed","helpText":"How the AI system is made available: as a software package, embedded in hardware, via download, as an API, as a SaaS service, or other."},"hardware_requirements":{"label":"Hardware Requirements","placeholder":"Describe the hardware the system is intended to run on, including compute, memory, and storage requirements...","helpText":"Description of the hardware on which the AI system is intended to run."},"product_photos_description":{"label":"Product Photos & Illustrations Description","placeholder":"Describe external features, markings, and internal layout if the AI system is a component of a physical product...","helpText":"Only required if the AI system is a component of a physical product. Describe the external features, markings, and internal layout."},"user_interface_description":{"label":"User Interface Description","placeholder":"Describe the user interface provided to the deployer, including available controls and displays...","helpText":"A basic description of the user interface provided to the deployer."},"instructions_for_use":{"label":"Instructions for Use","placeholder":"Describe the instructions provided to deployers for proper use of the system...","helpText":"The instructions for use provided to the deployer, covering how to operate the system correctly."},"foreseeable_misuse":{"label":"Foreseeable Misuse","placeholder":"Describe foreseeable misuse scenarios and prohibited uses of the AI system...","helpText":"Description of foreseeable misuse scenarios, including ways the system could be used outside its intended purpose, and any explicitly prohibited uses."},"misuse_prevention_measures":{"label":"Misuse Prevention Measures","placeholder":"Describe measures taken to prevent or mitigate foreseeable misuse...","helpText":"Technical and organizational measures implemented to prevent, detect, or mitigate foreseeable misuse of the AI system."},"development_methods":{"label":"Development Methods & Steps","placeholder":"Describe the methods and steps for development, including any use of pre-trained models or third-party tools...","helpText":"Methods and steps performed for development, including use of pre-trained systems or third-party tools and how they were used, integrated, or modified."},"design_specifications":{"label":"Design Specifications (Logic & Algorithms)","placeholder":"Describe the general logic of the AI system and the algorithms used...","helpText":"The general logic of the AI system and the algorithms it uses."},"key_design_choices":{"label":"Key Design Choices & Rationale","placeholder":"Explain the key design decisions, including the rationale behind them and any assumptions made...","helpText":"Key design choices including the rationale and assumptions that were made."},"classification_choices":{"label":"Classification Choices","placeholder":"If applicable, describe what classification decisions the system makes...","helpText":"Only if applicable: describe what classification choices the system makes."},"optimization_target":{"label":"Optimization Target","placeholder":"Describe what the system optimizes for and the relevance of the parameters used...","helpText":"What the system is designed to optimize for and the relevance of the different parameters."},"expected_output":{"label":"Expected Output","placeholder":"Describe the expected output of the AI system, including format, range, and interpretation...","helpText":"A description of the expected output and output format of the AI system."},"design_tradeoffs":{"label":"Design Trade-offs","placeholder":"Describe the trade-offs made regarding technical solutions adopted...","helpText":"Decisions about trade-offs made with regard to the technical solutions adopted."},"system_architecture":{"label":"System Architecture","placeholder":"Describe the system architecture showing how software components build on or feed into each other...","helpText":"Description of the system architecture explaining how software components build on or feed into each other."},"computational_resources":{"label":"Computational Resources","placeholder":"Describe the computational resources used to develop, train, test, and validate the system...","helpText":"The computational resources used in development, training, testing, and validation."},"data_requirements":{"label":"Training Methodologies & Techniques","placeholder":"If ML-based: describe the training methodologies and techniques used...","helpText":"Only for ML-based systems: training methodologies and techniques, and training data requirements."},"training_data_description":{"label":"Training Data Description","placeholder":"If ML-based: provide a general description of the training datasets used...","helpText":"Only for ML-based systems: general description of the training datasets used."},"data_provenance":{"label":"Data Provenance","placeholder":"If ML-based: describe the provenance, scope, and main characteristics of the data...","helpText":"Only for ML-based systems: information on data provenance, scope, and main characteristics."},"data_acquisition":{"label":"Data Acquisition & Selection","placeholder":"If ML-based: describe how data was obtained and selected...","helpText":"Only for ML-based systems: how the data was obtained and selected."},"labeling_procedures":{"label":"Labeling Procedures","placeholder":"If ML-based: describe the labeling procedures and tools used...","helpText":"Only for ML-based systems: labeling procedures (e.g., annotation tools, methodology)."},"data_cleaning":{"label":"Data Cleaning Methodologies","placeholder":"If ML-based: describe data cleaning and preprocessing steps...","helpText":"Only for ML-based systems: data cleaning methodologies used (e.g., outlier detection, handling of missing values)."},"human_oversight_assessment":{"label":"Human Oversight Assessment","placeholder":"Describe the assessment of human oversight measures needed, including how humans can intervene...","helpText":"Assessment of the human oversight measures needed, per Article 14."},"predetermined_changes":{"label":"Pre-determined Changes","placeholder":"If applicable: describe any pre-determined changes to the system and how continuous compliance is ensured...","helpText":"Only if applicable: pre-determined changes to the system and its performance, with information on how continuous compliance is ensured."},"validation_testing":{"label":"Validation & Testing Procedures","placeholder":"Describe the validation and testing procedures used, including what data was used for testing...","helpText":"Validation and testing procedures used, including the data used for validation and testing and its main characteristics."},"metrics_used":{"label":"Metrics Used","placeholder":"List the metrics used to measure accuracy, robustness, compliance, and potential discriminatory impacts...","helpText":"Metrics used to measure accuracy, robustness, cybersecurity compliance, and potentially discriminatory impacts."},"test_logs_description":{"label":"Test Logs Description","placeholder":"Describe the test logs, including dates, responsible persons, and main findings...","helpText":"Description of test logs and all test reports, dated and signed by responsible persons."},"bias_detection_methodology":{"label":"Bias Detection Methodology","placeholder":"Describe how bias is detected and measured in the AI system...","helpText":"Methods and procedures used to detect, identify, and measure bias in the AI system's training data, model outputs, and decision-making processes."},"fairness_metrics":{"label":"Fairness Metrics","placeholder":"Describe which fairness metrics are used and their results...","helpText":"The specific fairness metrics applied to evaluate the system (e.g., demographic parity, equalized odds, disparate impact ratio) and their measured results."},"discriminatory_impact_assessment":{"label":"Discriminatory Impact Assessment","placeholder":"Describe the assessment of potentially discriminatory impacts on persons or groups...","helpText":"A thorough assessment of potentially discriminatory impacts the AI system may have on specific persons or groups, particularly those with protected characteristics."},"bias_mitigation_measures":{"label":"Bias Mitigation Measures","placeholder":"Describe what measures are taken to mitigate identified biases...","helpText":"Technical and organizational measures implemented to mitigate identified biases, including data preprocessing, algorithmic fairness constraints, and post-processing adjustments."},"cybersecurity_overview":{"label":"Cybersecurity Overview","placeholder":"Describe the overall cybersecurity approach and framework used...","helpText":"Overall cybersecurity strategy and framework applied to the AI system, including compliance with relevant cybersecurity standards and the approach to resilience against attacks."},"data_poisoning_protection":{"label":"Data Poisoning Protection","placeholder":"Describe measures against training and input data poisoning...","helpText":"Measures implemented to protect against data poisoning attacks that could compromise training data integrity or manipulate input data to produce incorrect outputs."},"data_leakage_prevention":{"label":"Data Leakage Prevention","placeholder":"Describe measures against data leakage and unauthorized access...","helpText":"Measures to prevent unauthorized access to, exfiltration of, or leakage of training data, model parameters, or system outputs, including encryption, access controls, and data loss prevention mechanisms."},"adversarial_attack_protection":{"label":"Adversarial Attack Protection","placeholder":"Describe measures against adversarial attacks and evasion techniques...","helpText":"Measures to protect against adversarial examples, evasion attacks, and other techniques designed to manipulate the AI system's behavior or exploit its vulnerabilities."},"infrastructure_security":{"label":"Infrastructure Security","placeholder":"Describe network, cloud, and infrastructure security measures...","helpText":"Security measures applied to the underlying infrastructure including network security, cloud security configurations, container security, and physical security of hardware hosting the AI system."},"capabilities_limitations":{"label":"Capabilities & Limitations","placeholder":"Describe the degree of accuracy for specific target groups and the overall expected accuracy level...","helpText":"The degree of accuracy for specific persons or groups the system is intended for, and the overall expected level of accuracy."},"unintended_outcomes":{"label":"Foreseeable Unintended Outcomes","placeholder":"Describe foreseeable unintended outcomes and sources of risk to health, safety, and fundamental rights...","helpText":"Foreseeable unintended outcomes and sources of risks to health and safety, and to fundamental rights."},"human_oversight_specs":{"label":"Human Oversight Specifications","placeholder":"Describe technical measures for human oversight, including the human-machine interface design...","helpText":"Technical measures put in place for human oversight, including the human-machine interface measures."},"input_data_specs":{"label":"Input Data Specifications","placeholder":"Describe the specifications on input data that the system requires...","helpText":"Specifications on input data, including format, source, and quality requirements."},"logging_capabilities":{"label":"Logging Capabilities","placeholder":"Describe the logging capabilities of the system per Article 12, including what events are recorded...","helpText":"Description of the logging capabilities of the AI system, in line with Article 12."},"metrics_appropriateness":{"label":"Performance Metrics Appropriateness","placeholder":"Explain why the chosen performance metrics are appropriate for this specific AI system and its intended purpose...","helpText":"Justification of why the chosen performance metrics are appropriate for this specific system and its intended purpose."},"risk_management_description":{"label":"Risk Management System Description","placeholder":"Describe the risk management system per Article 9, including risk identification, analysis, and mitigation measures...","helpText":"Description of the risk management system per Article 9, covering risk identification, analysis, estimation, evaluation, and mitigation."},"lifecycle_changes":{"label":"Lifecycle Changes","placeholder":"Describe relevant changes made to the system over its lifecycle, including version history and modifications...","helpText":"Description of relevant changes made to the system throughout its lifecycle."},"harmonised_standards":{"label":"Harmonised Standards Applied","placeholder":"List the harmonised standards applied (full or partial). If none, describe alternative solutions and list other standards applied...","helpText":"List of harmonised standards applied (fully or partially). If no harmonised standards were applied, describe the solutions adopted and list other relevant standards and technical specifications."},"declaration_of_conformity":{"label":"EU Declaration of Conformity","placeholder":"Provide or describe the EU declaration of conformity per Article 47...","helpText":"A copy or description of the EU declaration of conformity as required by Article 47."},"post_market_monitoring_plan":{"label":"Post-Market Monitoring Plan","placeholder":"Describe the system for post-market monitoring per Article 72(3), including how performance data will be collected and analyzed...","helpText":"A detailed description of the post-market monitoring system per Article 72(3), including how performance data will be collected and analyzed throughout the system's lifetime."}},"review":{"title":"Review & Export","subtitle":"Review your technical documentation before exporting. All 9 Annex IV sections are shown below.","backToEditor":"Back to editing","exportPdf":"Export as PDF","exportPdfAriaLabel":"Export technical documentation as PDF using browser print dialog","exportPdfDescription":"Generate a print-ready version of your technical documentation.","sectionEmpty":"No content provided for this section.","fieldEmpty":"Not provided","completionWarning":"Your documentation is {percentage}% complete. We recommend filling all required fields before exporting.","documentTitle":"Technical Documentation — Annex IV","documentSubtitle":"EU AI Act (Regulation (EU) 2024/1689)","generatedBy":"Generated by Witness","generatedOn":"Generated on {date}","disclaimer":"This document is generated to assist with EU AI Act compliance. It does not constitute legal advice. Verify all content with a qualified legal professional.","backToDashboard":"Back to Dashboard"},"help":{"system_name":{"legalText":"Annex IV 1(a): A general description of the AI system including its intended purpose, the name and version of the system, and the name and address of the provider.","explanation":"Enter the official product name of your AI system. This is the name that will appear in the EU database and all compliance documentation. Use the exact same name you use in marketing materials and contracts.","example":"SmartScreen HR Candidate Evaluator v3.2"},"provider_name":{"legalText":"Annex IV 1(a): A general description of the AI system including the name and address of the provider.","explanation":"Enter the full legal name of the company or person responsible for developing and placing this AI system on the market. This must match your official business registration.","example":"TalentTech Solutions GmbH, Mariahilfer Strasse 42, 1060 Wien, Austria"},"system_version":{"legalText":"Annex IV 1(a): A general description of the AI system including the version of the system.","explanation":"Enter the current version number or identifier of the AI system. Use semantic versioning if possible. Each major version change may require updated documentation.","example":"3.2.1 (released 2026-01-15)"},"intended_purpose":{"legalText":"Annex IV 1(a): The intended purpose of the AI system, including the specific context and conditions of use.","explanation":"Describe exactly what the AI system is designed to do, who will use it, and in what context. Be specific about the boundaries of permitted use. This defines what deployers are allowed to use the system for.","example":"This system is designed to pre-screen job applications for mid-level software engineering roles at technology companies with 50-500 employees. It analyzes CVs and cover letters to rank candidates based on skill match, experience relevance, and qualification fit. It is NOT intended for final hiring decisions -- a human recruiter must review all shortlisted candidates."},"hardware_software_interaction":{"legalText":"Annex IV 1(b): A description of how the AI system interacts with or can be used to interact with hardware or software, including other AI systems, that is not part of the AI system itself.","explanation":"Describe what external hardware or software your AI system connects to, sends data to, or receives data from. Include APIs, databases, sensors, or other systems it interacts with.","example":"The system integrates with the company's existing Applicant Tracking System (ATS) via REST API. It receives candidate application data (CV text, cover letter) from the ATS and returns a ranked score (0-100) back to the ATS dashboard. It also connects to the company's LDAP directory to authenticate hiring managers."},"software_versions":{"legalText":"Annex IV 1(c): The versions of the relevant software or firmware and any requirement related to version update.","explanation":"List the key software frameworks, libraries, and firmware versions that the AI system depends on. Include any requirements for keeping these updated.","example":"Python 3.11.4, PyTorch 2.1.0, scikit-learn 1.3.2, FastAPI 0.104.1, PostgreSQL 15.4. The ML model requires re-validation after any PyTorch major version upgrade. Security patches must be applied within 30 days of release."},"distribution_forms":{"legalText":"Annex IV 1(d): The forms in which the AI system is placed on the market or put into service, such as software package, embedded into hardware, etc.","explanation":"Select how the AI system is delivered to its users. This affects which compliance requirements apply and how the CE marking must be displayed.","example":"SaaS -- the system is hosted on our cloud infrastructure and accessed by deployers via a web application and REST API."},"hardware_requirements":{"legalText":"Annex IV 1(e): The description of the hardware on which the AI system is intended to run.","explanation":"Describe the computing hardware needed to run the AI system. Include minimum specifications for servers, GPUs, memory, and storage. If it runs in the cloud, describe the cloud infrastructure.","example":"The system runs on AWS EC2 instances (minimum c5.2xlarge: 8 vCPUs, 16 GB RAM). Model inference requires 1x NVIDIA T4 GPU with 16 GB VRAM. Storage: minimum 500 GB SSD for model artifacts and application data. Network: minimum 1 Gbps connection for API response times under 200ms."},"product_photos_description":{"legalText":"Annex IV 1(f): Where the AI system is a component of a product, photographs or illustrations showing external features, marking and internal layout of that product.","explanation":"Only fill this in if your AI system is built into a physical product (e.g., a robot, medical device, or vehicle). Describe or reference photos showing the product's external appearance, internal layout, and any compliance markings.","example":"The AI system is embedded in the AutoSort X200 industrial sorting machine. See attached: (1) Front view showing the operator panel and CE marking, (2) Rear view showing data connection ports, (3) Internal view showing the camera array and processing unit location."},"user_interface_description":{"legalText":"Annex IV 1(g): A basic description of the user interface provided to the deployer.","explanation":"Describe the screens, dashboards, or controls that the person operating the AI system sees and uses. Focus on how the user interacts with the system and what information is displayed to them.","example":"The deployer accesses the system through a web dashboard showing: (1) a candidate list with AI-generated scores and reasoning summaries, (2) a filter panel to sort by score range, department, or role, (3) a detail view for each candidate showing the AI's assessment breakdown, and (4) override buttons to manually adjust rankings. All AI-generated assessments are clearly labeled."},"instructions_for_use":{"legalText":"Annex IV 1(h): Instructions of use for the deployer, including the information referred to in Article 13(3).","explanation":"Describe the instructions you provide to deployers (the people/companies using your AI system). This must cover how to operate the system correctly, its limitations, and what human oversight is needed.","example":"Deployers receive a 40-page operations manual covering: system setup and configuration, how to interpret scoring results, when human review is mandatory (all candidates scoring 40-60 must be manually reviewed), prohibited uses (must not be sole basis for rejection), data input requirements (CVs must be in PDF or DOCX, max 10 pages), and escalation procedures for suspected errors."},"foreseeable_misuse":{"legalText":"Art. 13(3)(b)(ii): The information referred to in paragraph 2 shall specify, as applicable, foreseeable misuse of the AI system and any known or foreseeable circumstances which may lead to risks to health and safety or fundamental rights.","explanation":"Think about all the ways someone could misuse your AI system -- intentionally or accidentally. Include scenarios where the system is used outside its intended purpose, for prohibited activities, or in contexts where it was not designed to work. Be thorough and realistic.","example":"Foreseeable misuse: (1) Using the candidate scoring system as the sole basis for hiring decisions without human review. (2) Applying the system to roles it was not trained on (e.g., creative roles, executive positions). (3) Using scores to discriminate against specific demographic groups. (4) Feeding the system fake CVs to reverse-engineer scoring criteria. (5) Using the system for purposes other than recruitment (e.g., employee performance evaluation)."},"misuse_prevention_measures":{"legalText":"Art. 13(3)(b)(ii): Instructions for use shall include the foreseeable misuse and measures to prevent or mitigate such misuse.","explanation":"Describe the concrete technical and organizational safeguards you have put in place to prevent or limit the misuse scenarios you identified. Include both automated controls and policy-based measures.","example":"Prevention measures: (1) Mandatory human review workflow -- the system will not produce a final recommendation without a recruiter confirming review. (2) Role-type validation -- the system warns if a job description does not match trained role categories. (3) Rate limiting to prevent bulk score extraction. (4) Audit logging of all system interactions with tamper-proof storage. (5) Contractual terms of use prohibiting use as sole decision-maker. (6) Quarterly audits of deployer usage patterns to detect anomalies."},"development_methods":{"legalText":"Annex IV 2(a): A description of the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how those were used, integrated or modified by the provider.","explanation":"Describe how you built the AI system step by step. Include whether you used any pre-trained models (e.g., from Hugging Face or OpenAI), third-party tools, or open-source components, and how you adapted them.","example":"Development followed an agile process over 8 months. We fine-tuned a pre-trained BERT-base model (Hugging Face) on 50,000 anonymized job applications from 12 partner companies. The model was adapted using domain-specific training on technical role requirements. We used LabelStudio for annotation and MLflow for experiment tracking. No third-party APIs are called at inference time."},"design_specifications":{"legalText":"Annex IV 2(b): The design specifications of the system, namely the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made.","explanation":"Describe the core algorithm or model architecture your AI system uses, and the general logic of how it works. This is about what kind of AI approach you chose and why.","example":"The system uses a fine-tuned transformer model (BERT-base, 110M parameters) for text classification. Input CVs are tokenized and embedded, then passed through 12 attention layers. A classification head outputs scores across 5 dimensions: skill match, experience relevance, qualification fit, communication quality, and role alignment. The final score is a weighted average."},"key_design_choices":{"legalText":"Annex IV 2(b): The key design choices including the rationale and assumptions made, also with regard to the persons or groups of persons on whom the system is intended to be used.","explanation":"Explain the most important decisions you made when designing the system and why. Include any assumptions about the people the system will be used on.","example":"Key decisions: (1) Chose BERT over GPT to keep the model deterministic and auditable. (2) Excluded demographic data (name, age, photo, gender) from input features to reduce bias. (3) Set a minimum human review threshold at 40-60 score range where model confidence is lowest. (4) Assumption: all applicants have at least a B2 level of English, as job ads specify this."},"classification_choices":{"legalText":"Annex IV 2(b): The design specifications of the system, namely the main classification choices.","explanation":"Only fill this in if your AI system makes classification decisions (e.g., sorting people into categories, assigning labels, or making yes/no decisions). Describe what categories it uses.","example":"The system classifies candidates into three tiers: 'Strongly Recommended' (score 80-100), 'Recommended for Review' (score 40-79), and 'Below Threshold' (score 0-39). These thresholds were set based on validation data where human recruiters agreed with the classification 92% of the time."},"optimization_target":{"legalText":"Annex IV 2(b): What, if anything, the system is designed to optimise for and the relevance of the different parameters.","explanation":"Describe what your AI system is trying to maximize or minimize. What is the objective function or goal? Explain which parameters matter most and why.","example":"The system optimizes for precision in the top-20 candidates (P@20) -- meaning the top 20 candidates surfaced by the AI should include as many truly qualified candidates as possible. We prioritize precision over recall because false positives (unqualified candidates ranked high) waste recruiter time, while false negatives (qualified candidates ranked low) are caught by the mandatory human review of the 40-79 score band."},"expected_output":{"legalText":"Annex IV 2(b): The description of the expected output and output format of the AI system.","explanation":"Describe exactly what the AI system produces as output. Include the format (numbers, text, categories, etc.) and how to interpret it.","example":"For each candidate, the system outputs: (1) An overall score from 0 to 100, (2) Sub-scores for 5 dimensions (0-100 each), (3) A text summary (2-3 sentences) explaining the key factors behind the score, (4) A confidence indicator (high/medium/low). Output is returned as JSON via the API and displayed in the dashboard."},"design_tradeoffs":{"legalText":"Annex IV 2(b): The decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Chapter III, Section 2.","explanation":"Describe the trade-offs you made when building the system. Every design choice has trade-offs -- be honest about what you gave up and why.","example":"Trade-offs made: (1) Accuracy vs. explainability: we chose a smaller BERT model over a larger one (GPT-4) because it allows us to provide per-feature importance scores, even though the larger model scored 3% higher on our benchmark. (2) Speed vs. thoroughness: we limit CV analysis to the first 5 pages to keep response time under 2 seconds, which means lengthy academic CVs may lose some signal. (3) Bias mitigation vs. performance: removing demographic proxies (university name, graduation year) reduced accuracy by 2% but improved fairness metrics by 15%."},"system_architecture":{"legalText":"Annex IV 2(c): The description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing.","explanation":"Describe how the different parts of your AI system fit together. Think of it like a blueprint showing which components talk to which, and how data flows through the system.","example":"Architecture: (1) API Gateway (FastAPI) receives candidate data from the ATS. (2) Preprocessing Service extracts text from CVs, normalizes formatting, removes PII. (3) ML Inference Service runs the BERT model and produces raw scores. (4) Post-processing Service applies business rules, generates explanations, and formats output. (5) Results Database (PostgreSQL) stores all predictions with full audit trail. (6) Dashboard (React) displays results to recruiters."},"computational_resources":{"legalText":"Annex IV 2(c): The computational resources used to develop, train, test and validate the AI system.","explanation":"Describe the computing power used during the entire development lifecycle -- not just what the system needs to run, but what was used to train and test it.","example":"Training: 4x NVIDIA A100 GPUs (80 GB each) on AWS p4d.24xlarge instances for 72 hours. Total training compute: approximately 1,152 GPU-hours. Testing and validation: 1x NVIDIA T4 GPU, approximately 24 GPU-hours for full test suite. Development environment: 8-core CPU machines with 32 GB RAM for data preprocessing and analysis. Total cloud cost for development: approximately EUR 4,200."},"data_requirements":{"legalText":"Annex IV 2(d): Where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used.","explanation":"Only for ML-based systems. Describe the methodology used to train your model. How was the training structured? What techniques did you use?","example":"Training methodology: Supervised fine-tuning of BERT-base on a binary classification task (qualified/not-qualified). Training used AdamW optimizer with learning rate 2e-5, batch size 32, for 5 epochs with early stopping based on validation F1. We used 5-fold cross-validation to select hyperparameters. Data augmentation included synonym replacement and back-translation to increase diversity."},"training_data_description":{"legalText":"Annex IV 2(d): A general description of the training data sets used, including information about their provenance, scope and main characteristics.","explanation":"Only for ML-based systems. Give an overview of the data used to train your model. How big is it? What does it contain? Where did it come from?","example":"Training dataset: 50,000 job applications from 12 technology companies in the DACH region (2020-2025). Contains anonymized CV text and cover letters paired with human recruiter decisions (hire/no-hire). Dataset breakdown: 60% software engineering roles, 25% data science roles, 15% DevOps roles. Gender distribution: 35% female, 63% male, 2% non-binary/not specified."},"data_provenance":{"legalText":"Annex IV 2(d): Information about the provenance, scope and main characteristics of the data; how the data was obtained and selected.","explanation":"Only for ML-based systems. Explain where the training data originally came from. Who collected it? What agreements are in place? Is it representative?","example":"Data was obtained through data-sharing agreements with 12 partner companies. Each company provided anonymized historical application records with explicit consent from applicants (GDPR-compliant data processing agreement in place). Data covers applications from 2020-2025 across Austria, Germany, and Switzerland. PII was removed using our automated anonymization pipeline before any model training."},"data_acquisition":{"legalText":"Annex IV 2(d): How the data was obtained and selected.","explanation":"Only for ML-based systems. Describe the practical steps taken to collect and select the training data. How did you decide what data to include or exclude?","example":"Data acquisition process: (1) Partner companies exported anonymized application records from their ATS. (2) We filtered for completed hiring processes only (applications with final decisions). (3) Excluded applications older than 5 years to ensure relevance. (4) Removed duplicate applications. (5) Applied stratified sampling to balance across role types and company sizes. (6) Final selection criteria: complete CV text, clear hiring outcome, no pending legal disputes."},"labeling_procedures":{"legalText":"Annex IV 2(d): The labelling procedures, where relevant.","explanation":"Only for ML-based systems. Describe how the training data was labeled or annotated. Who did the labeling? How did you ensure quality?","example":"Labels were derived from actual hiring outcomes (hired vs. not hired) from partner companies. For the skill-dimension scoring, 3 experienced recruiters independently rated a random 5,000-application subset on the 5 scoring dimensions. Inter-rater reliability (Cohen's kappa) was 0.78. Disagreements were resolved by a senior HR manager. LabelStudio was used for the annotation interface."},"data_cleaning":{"legalText":"Annex IV 2(d): Data cleaning methodologies.","explanation":"Only for ML-based systems. Describe how you cleaned and prepared the data before using it for training. What issues did you find and fix?","example":"Data cleaning steps: (1) Removed 2,341 duplicate records (4.7% of raw data). (2) Fixed encoding issues in 892 CVs with non-Latin characters. (3) Removed 156 records with corrupted text (OCR failures). (4) Standardized date formats across all records. (5) Handled missing fields: cover letter missing in 12% of records (marked as optional input). (6) Outlier detection: removed 43 records with suspiciously short CVs (< 50 words, likely parsing errors)."},"human_oversight_assessment":{"legalText":"Annex IV 2(e): Where relevant, a description of the assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the deployers.","explanation":"Describe what human oversight is built into the system and how you determined what level of oversight is needed. How can humans understand and override the AI's decisions?","example":"Human oversight assessment: The system is designed as a decision-support tool, not a decision-maker. (1) All candidates must be reviewed by a human recruiter before any hiring decision. (2) The dashboard shows per-dimension scores and text explanations to help recruiters understand the AI's reasoning. (3) Recruiters can override any score with a single click and must provide a reason. (4) The 40-60 score band triggers mandatory detailed review. (5) Monthly audits compare AI recommendations with actual hiring outcomes."},"predetermined_changes":{"legalText":"Annex IV 2(f): Where applicable, a description of any pre-determined change to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system.","explanation":"Only fill this in if the AI system is designed to change or update itself after deployment (e.g., through online learning or scheduled retraining). Describe what changes are planned and how compliance is maintained.","example":"The model is retrained quarterly using new application data from the previous quarter. Predetermined changes: (1) Quarterly retraining with updated data (automated pipeline). (2) Performance thresholds: if F1 score drops below 0.85 on the validation set, retraining is triggered automatically. (3) All retrained models undergo the same validation suite before deployment. (4) Fairness metrics must remain within 5% of baseline across all demographic groups. (5) Any model update is logged with full versioning and rollback capability."},"validation_testing":{"legalText":"Annex IV 2(g): The validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness, cybersecurity and compliance with other relevant requirements, as well as potentially discriminatory impacts.","explanation":"Describe how you tested the AI system to make sure it works correctly. What tests did you run? What data did you test with? How did you check for bias and fairness?","example":"Validation: 5-fold cross-validation on training data plus a held-out test set of 5,000 applications from 3 companies not in the training set. Tests include: (1) Accuracy metrics (F1, precision, recall), (2) Fairness testing across gender, age groups, and nationality, (3) Adversarial testing with deliberately misleading CVs, (4) Robustness testing with noisy input (OCR errors, formatting variations), (5) Load testing up to 1,000 concurrent requests."},"metrics_used":{"legalText":"Annex IV 2(g): Metrics used to measure accuracy, robustness, cybersecurity and compliance with other relevant requirements set out in Chapter III, Section 2, as well as potentially discriminatory impacts.","explanation":"List the specific metrics you use to measure how well the AI system performs. Include accuracy metrics, fairness metrics, and security metrics.","example":"Accuracy: F1 score (0.89), Precision@20 (0.92), Recall (0.85), AUC-ROC (0.94). Fairness: Demographic parity difference (<0.05 across gender groups), Equalized odds difference (<0.08). Robustness: Performance degradation <3% under 20% input noise. Cybersecurity: OWASP ML Top 10 assessment completed, penetration test passed. Bias: Disparate impact ratio >0.8 for all protected groups."},"test_logs_description":{"legalText":"Annex IV 2(g): Test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to in point (f).","explanation":"Describe the test documentation you maintain. This should include dated test reports signed by responsible people in your organization.","example":"Test logs maintained in MLflow with full experiment tracking. Latest test report (2026-01-10): signed by Maria Schmidt (Lead ML Engineer) and Thomas Weber (QA Manager). Report includes: full metric dashboard, bias analysis across 6 demographic dimensions, regression test results against previous version, and security scan results. All historical test reports archived for 10 years in compliance with Article 18."},"bias_detection_methodology":{"legalText":"Annex IV 2(g): Metrics used to measure accuracy, robustness, cybersecurity and compliance with other relevant requirements set out in Chapter III, Section 2, as well as potentially discriminatory impacts.","explanation":"Describe the specific methods and tools you use to detect bias in your AI system. This includes statistical tests on training data, model output analysis across demographic groups, and any automated bias detection pipelines.","example":"Bias detection methodology: (1) Pre-training: statistical analysis of training data distribution across gender, age, ethnicity, and nationality using chi-squared tests. (2) During training: monitored loss function convergence across demographic subgroups. (3) Post-training: tested model predictions on a balanced test set stratified by 6 protected characteristics. (4) Used IBM AI Fairness 360 toolkit for automated bias scanning. (5) Manual review of 500 edge cases by a diverse panel of 4 HR professionals."},"fairness_metrics":{"legalText":"Annex IV 2(g): Metrics used to measure potentially discriminatory impacts.","explanation":"List the specific mathematical fairness metrics you apply and their measured values. Common metrics include demographic parity, equalized odds, and disparate impact ratio. Explain what each metric means and what threshold you consider acceptable.","example":"Fairness metrics applied: (1) Demographic parity difference: 0.03 (threshold: <0.05) -- selection rates are nearly equal across gender groups. (2) Equalized odds difference: 0.06 (threshold: <0.10) -- true positive and false positive rates are similar across groups. (3) Disparate impact ratio: 0.87 (threshold: >0.80, per EEOC four-fifths rule). (4) Predictive parity: positive predictive value differs by <4% across age groups. All metrics measured quarterly."},"discriminatory_impact_assessment":{"legalText":"Annex IV 2(g): Metrics used to measure potentially discriminatory impacts.","explanation":"Provide a detailed assessment of how the AI system's outputs could disproportionately affect certain groups. Consider all protected characteristics and intersectional effects. Document both identified risks and areas where no discriminatory impact was found.","example":"Discriminatory impact assessment: (1) Gender: no significant disparate impact detected (DI ratio 0.87). (2) Age: candidates over 50 received scores 4% lower on average -- mitigated by removing graduation year from features. (3) Nationality: non-EU candidates scored 2% lower, traced to language complexity in CVs -- mitigated by adding multilingual text normalization. (4) Disability: no proxy features identified, but accommodations for non-standard CV formats added. (5) Intersectional analysis: female candidates over 50 showed compounded effect (-6%) -- additional rebalancing applied."},"bias_mitigation_measures":{"legalText":"Annex IV 2(g): Metrics used to measure potentially discriminatory impacts.","explanation":"Describe the concrete steps you take to reduce or eliminate identified biases. Cover pre-processing (data), in-processing (algorithm), and post-processing (output) mitigation strategies.","example":"Bias mitigation measures: (1) Pre-processing: removed direct demographic identifiers and known proxy features (university prestige ranking, graduation year). Balanced training data across gender using SMOTE oversampling. (2) In-processing: added fairness constraints to the loss function (equalized odds regularization with lambda=0.1). (3) Post-processing: calibrated score thresholds per demographic group to equalize false positive rates. (4) Organizational: quarterly bias audits, diverse review panel for model updates, deployer training on bias awareness."},"cybersecurity_overview":{"legalText":"Annex IV 2(h): A description of the cybersecurity measures put in place in accordance with Article 15.","explanation":"Provide an overview of the cybersecurity framework and strategy protecting your AI system. Reference any standards or certifications you follow (e.g., ISO 27001, SOC 2, NIST Cybersecurity Framework).","example":"Cybersecurity framework: The system follows ISO 27001:2022 controls adapted for AI workloads. Security architecture includes: defense-in-depth with 4 security layers (network, application, data, model). Annual penetration testing by external security firm. SOC 2 Type II compliance achieved. Dedicated security team performs monthly vulnerability assessments. Incident response plan with 4-hour SLA for critical AI security events. All security measures reviewed quarterly against OWASP ML Top 10 and ENISA AI security guidelines."},"data_poisoning_protection":{"legalText":"Annex IV 2(h): A description of the cybersecurity measures put in place, specifically measures against data poisoning.","explanation":"Describe how you protect the AI system's training data and input data from being deliberately corrupted or manipulated. Data poisoning can compromise model accuracy and introduce backdoors.","example":"Data poisoning protections: (1) Training data: cryptographic integrity verification (SHA-256 checksums) for all training datasets. (2) Input validation: statistical anomaly detection on incoming data using isolation forests -- flags inputs that deviate >3 standard deviations from training distribution. (3) Data pipeline security: all data transfers encrypted in transit (TLS 1.3), access restricted to authorized data engineers via role-based access control. (4) Provenance tracking: complete audit trail from raw data to training set. (5) Regular revalidation: monthly comparison of model behavior against clean holdout set to detect performance degradation from potential poisoning."},"data_leakage_prevention":{"legalText":"Annex IV 2(h): A description of the cybersecurity measures put in place, specifically measures against data leakage and unauthorized access.","explanation":"Describe the measures that prevent training data, model weights, or sensitive outputs from being accessed by unauthorized parties. Include both technical controls and organizational policies.","example":"Data leakage prevention: (1) Encryption at rest (AES-256) for all training data, model weights, and prediction logs. (2) Encryption in transit (TLS 1.3) for all API communications. (3) Role-based access control with principle of least privilege -- only 3 ML engineers have access to training data. (4) DLP (Data Loss Prevention) monitoring on all data egress points. (5) Model outputs sanitized to prevent membership inference attacks. (6) No training data stored on developer machines -- all processing in secure cloud environment. (7) Quarterly access reviews and automated deprovisioning."},"adversarial_attack_protection":{"legalText":"Annex IV 2(h): A description of the cybersecurity measures put in place, specifically measures against adversarial attacks and evasion techniques.","explanation":"Describe how the AI system is protected against adversarial inputs designed to fool the model, bypass its safeguards, or extract sensitive information about the model's internals.","example":"Adversarial attack protections: (1) Input preprocessing: text normalization and sanitization to neutralize adversarial text perturbations. (2) Adversarial training: model fine-tuned on 5,000 adversarial examples (keyword stuffing, invisible text, format manipulation). (3) Ensemble defense: critical predictions verified by a secondary model with different architecture. (4) Rate limiting: maximum 50 API calls per minute per user to prevent model probing. (5) Output confidence monitoring: predictions with confidence <0.6 are flagged for human review. (6) Regular red-team exercises (quarterly) to test for new attack vectors."},"infrastructure_security":{"legalText":"Annex IV 2(h): A description of the cybersecurity measures put in place for the infrastructure hosting the AI system.","explanation":"Describe the security measures applied to the servers, networks, and cloud infrastructure that host and run your AI system. Include network security, access controls, monitoring, and physical security where applicable.","example":"Infrastructure security: (1) Hosted on AWS in eu-central-1 (Frankfurt) -- EU data residency guaranteed. (2) VPC with private subnets for ML inference, public subnet only for API gateway. (3) WAF (Web Application Firewall) with OWASP Core Rule Set. (4) Network security groups restricting traffic to known IP ranges. (5) Container images scanned with Trivy before deployment, base images updated monthly. (6) Kubernetes cluster with pod security policies enforced. (7) CloudTrail logging for all AWS API calls. (8) 24/7 monitoring with PagerDuty alerting for security events. (9) Disaster recovery: automated backups every 6 hours, RTO 4 hours, RPO 6 hours."},"capabilities_limitations":{"legalText":"Annex IV 3(a): The capabilities and limitations of the AI system, including the degree of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose.","explanation":"Be honest about what your AI system can and cannot do. Specify accuracy levels for different user groups. If performance varies across groups, say so clearly.","example":"Capabilities: The system reliably ranks candidates for technical roles with 89% agreement with senior recruiters. Limitations: (1) Performance drops to 76% agreement for roles requiring creative writing skills. (2) CVs in languages other than English or German are not supported. (3) The system cannot assess soft skills or cultural fit. (4) Accuracy for candidates with non-traditional career paths (career changers, freelancers) is lower (81% agreement)."},"unintended_outcomes":{"legalText":"Annex IV 3(a): The foreseeable unintended outcomes and sources of risks to health and safety, and to fundamental rights.","explanation":"Think about what could go wrong. What are the risks if the system makes mistakes? How could it harm people's rights, health, or safety? Be thorough and honest.","example":"Foreseeable risks: (1) Qualified candidates may be unfairly ranked low if their CV format is unusual (risk to equal opportunity). (2) The system may develop proxy bias through features correlated with protected characteristics (e.g., university name correlating with socioeconomic background). (3) Over-reliance by recruiters who may stop reviewing low-scored candidates thoroughly. (4) Privacy risk if application data is not properly anonymized in logs. Mitigation measures are documented in the risk management section."},"human_oversight_specs":{"legalText":"Annex IV 3(a): The technical measures put in place to facilitate the interpretation of the outputs of AI systems by the deployers, including the human-machine interface measures.","explanation":"Describe the specific technical features that help humans understand and control the AI system's outputs. How does the interface help users make informed decisions?","example":"Technical oversight measures: (1) Each score includes a natural-language explanation highlighting the top 3 factors. (2) A 'What-if' panel lets recruiters see how changing specific criteria would affect the ranking. (3) A confidence indicator (high/medium/low) flags uncertain predictions. (4) Dashboard alerts when the system encounters input it was not trained on. (5) An audit log tracks every recruiter interaction (views, overrides, approvals)."},"input_data_specs":{"legalText":"Annex IV 3(a): Specifications on input data, as appropriate.","explanation":"Describe what data the AI system needs as input to work correctly. Include format requirements, quality standards, and any limitations.","example":"Input requirements: (1) CV document in PDF or DOCX format, max 10 pages, max 5 MB. (2) Cover letter text (optional), max 2 pages. (3) Job description text for the target role. (4) Language: English or German only. Quality requirements: text must be extractable (no image-only PDFs). If text extraction quality is below 80% confidence, the system flags the application for manual processing."},"logging_capabilities":{"legalText":"Annex IV 3(b): A description of the logging capabilities of the AI system in accordance with Article 12.","explanation":"Describe what events your AI system automatically records in its logs. Logs must enable traceability and monitoring throughout the system's lifetime.","example":"The system logs: (1) Every inference request with timestamp, input hash, and output scores. (2) Model version used for each prediction. (3) All user interactions (dashboard views, score overrides, exports). (4) System errors and exceptions with full stack traces. (5) Data pipeline events (imports, preprocessing steps). (6) Authentication and authorization events. Logs are stored in Elasticsearch, retained for minimum 6 months, with sensitive data encrypted at rest."},"metrics_appropriateness":{"legalText":"Annex IV, Section 4: Detailed information about the monitoring, functioning and control of the AI system, specifically the appropriateness of the performance metrics.","explanation":"Explain why the specific metrics you chose are the right ones for measuring this AI system's performance. Connect each metric to the system's purpose and the risks it poses.","example":"We chose Precision@20 as the primary metric because the system's purpose is to surface the best candidates, not to evaluate every applicant. Precision@20 directly measures whether the top 20 candidates are genuinely qualified. We track demographic parity difference because the system affects hiring decisions, a fundamental rights area where fairness is legally required. AUC-ROC measures overall discrimination ability. F1 balances precision and recall for the binary qualified/not-qualified classification."},"risk_management_description":{"legalText":"Annex IV, Section 5: A detailed description of the risk management system in accordance with Article 9.","explanation":"Describe your complete risk management process for this AI system. This must be continuous and iterative, not a one-time assessment. Cover risk identification, analysis, mitigation, and monitoring.","example":"Risk management system: (1) Risk identification: quarterly risk workshops with engineering, legal, and HR teams identify new risks. (2) Risk analysis: each risk scored on likelihood (1-5) and impact (1-5). (3) Current top risks: proxy bias through university features (mitigated by feature exclusion), data drift from changing job market (mitigated by quarterly retraining), adversarial manipulation of CVs (mitigated by input validation). (4) Monitoring: automated fairness dashboards with alerts when metrics drift beyond thresholds. (5) Annual third-party audit of the risk management process."},"lifecycle_changes":{"legalText":"Annex IV, Section 6: A description of relevant changes made to the system through its lifecycle.","explanation":"Document all significant changes made to the system since it was first placed on the market. Include version updates, retraining events, and any modifications to the system's behavior.","example":"Version history: v1.0 (2025-06-01): Initial release with basic CV scoring. v2.0 (2025-09-15): Added multi-language support (EN/DE), replaced keyword matching with BERT model. v3.0 (2025-12-01): Added fairness constraints to the training pipeline, removed university name feature. v3.2 (2026-01-15): Quarterly retraining with Q4 2025 data, improved handling of career-change CVs. All changes documented with before/after performance metrics."},"harmonised_standards":{"legalText":"Annex IV, Section 7: A list of the harmonised standards applied in full or in part, the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Chapter III, Section 2, including a list of other relevant standards and technical specifications applied.","explanation":"List any EU harmonised standards you follow. If no harmonised standards exist yet for your type of system (which is likely in 2026), describe which other standards and best practices you follow instead.","example":"No harmonised standards under the AI Act have been published yet for HR AI systems. Alternative standards and specifications applied: (1) ISO/IEC 42001:2023 -- AI Management System, (2) ISO/IEC 23894:2023 -- AI Risk Management, (3) NIST AI RMF 1.0, (4) IEEE 7010-2020 -- Wellbeing Impact Assessment. We also follow the AI HLEG Ethics Guidelines for Trustworthy AI (2019) as a voluntary framework."},"declaration_of_conformity":{"legalText":"Annex IV, Section 8: A copy of the EU declaration of conformity referred to in Article 47.","explanation":"Provide or describe the EU declaration of conformity for this AI system. This is the formal statement that your system meets all requirements of the AI Act. It must be kept for 10 years.","example":"EU Declaration of Conformity per Article 47: We, TalentTech Solutions GmbH, declare under our sole responsibility that the SmartScreen HR Candidate Evaluator v3.2 is in conformity with the requirements of Regulation (EU) 2024/1689 (AI Act), Chapter III, Section 2 (Articles 8-15). Conformity assessment completed per Annex VI (internal control). Signed: Dr. Anna Mueller, CTO, 2026-01-20. Full declaration document reference: DOC-2026-0042."},"post_market_monitoring_plan":{"legalText":"Annex IV, Section 9: A detailed description of the system in place to evaluate the AI system performance in the post-market phase, including the post-market monitoring plan referred to in Article 72(3).","explanation":"Describe how you will monitor the AI system's performance after it goes live. This must be an ongoing, systematic process that collects and analyzes real-world performance data.","example":"Post-market monitoring plan: (1) Continuous metrics dashboard tracking accuracy, fairness, and system health in production. (2) Monthly performance reports comparing predictions with actual hiring outcomes. (3) Quarterly fairness audits across demographic groups. (4) Automated alerts when any metric deviates >5% from baseline. (5) Deployer feedback system for reporting issues. (6) Semi-annual review meetings with deployer companies. (7) Annual comprehensive system review by independent third party. Responsible: Maria Schmidt (ML Lead), reporting to CTO."}}},"obligationTracker":{"backToResult":"Back to classification result","heading":"Obligation Tracker","description":"Track your EU AI Act compliance obligations. Check off items as you complete them.","noTrackerFound":"No obligation tracker found. Please classify your AI system first to generate your obligations.","loadingObligations":"Loading obligations...","startClassification":"Start Classification","deadlineCountdown":"{days} days until deadline","deadlinePassed":"Deadline has passed","deadlineDate":"August 2, 2026","deadlineLabel":"EU AI Act Deadline","urgencyCritical":"Less than 30 days remaining — take immediate action.","urgencyWarning":"Less than 90 days remaining — prioritize compliance.","urgencyPassed":"The EU AI Act deadline has passed. Ensure all obligations are met to avoid penalties.","progressLabel":"Overall Progress","progressPercentage":"{percentage}% complete","completedCount":"{count} completed","inProgressCount":"{count} in progress","notStartedCount":"{count} not started","totalCount":"{count} total obligations","filterAll":"All","filterCompleted":"Completed","filterInProgress":"In Progress","filterNotStarted":"Not Started","statusNotStarted":"Not Started","statusInProgress":"In Progress","statusCompleted":"Completed","statusNotApplicable":"Not Applicable","markNotStarted":"Mark as Not Started","markInProgress":"Mark as In Progress","markCompleted":"Mark as Completed","notesPlaceholder":"Add notes about your progress...","enforcementDate":"Due: {date}","roleLabel":"Your role: {role}","riskLevelLabel":"Risk level: {level}","resetTracker":"Reset Tracker","resetConfirmation":"Are you sure? This will reset all progress.","exportTracker":"Export Progress (JSON)","viewObligationsButton":"Track Your Obligations","noObligationsForSystem":"No obligations have been generated for this system yet. Classify your system first to generate obligations.","backToDashboard":"Back to Dashboard","noFilteredObligations":"No obligations match the selected filter.","disclaimer":"This tracker is for informational purposes only and does not constitute legal advice. Consult with a qualified legal professional for definitive compliance guidance."},"literacy":{"title":"AI Literacy Compliance Module","subtitle":"Build your Article 4 AI literacy training program. Article 4 has been enforceable since February 2, 2025 — this applies to ALL AI systems, not just high-risk.","backToHome":"Back to home","enforcementBanner":"Article 4 is ALREADY ENFORCEABLE since February 2, 2025","enforcementBannerDetail":"AI literacy obligations apply to ALL providers and deployers of AI systems, regardless of risk level. Non-compliance may result in penalties under Article 99.","stepCounter":"Section {current} of {total}","nextButton":"Next","backButton":"Back","reviewButton":"Review Program","saveProgress":"Your progress is automatically saved in this browser session.","lockedPreviewBadge":"Preview only","lockedPreviewTitle":"The AI literacy program is locked on the Free tier","lockedPreviewDescription":"You can review the structure now, but editing this program requires {tier} (€{price} initial assessment).","lockedPreviewCta":"Unlock {tier} — €{price}","lockedPreviewFooter":"Preview mode: editing is locked until you upgrade.","lockedFieldHint":"Upgrade to edit this field","requiredField":"Required","optionalField":"Optional","overallProgress":"Overall Progress","progressLabel":"{percentage}%","fieldsFilled":"{filled} of {total} required fields completed","sectionProgress":"{percentage}%","sectionNavLabel":"AI Literacy sections","helpAriaLabel":"Help for {field}","selectTrainingModules":"Select Training Modules","selectTrainingModulesDescription":"Choose from pre-built training module templates. You can customize each module after selecting it.","additionalFieldsBelow":"Fill in additional details for your training curriculum below.","moduleDuration":"{minutes} min","moduleObjectives":"{count} objectives","toggleModule":"Toggle {module}","selectedTrainingModulesLabel":"Selected Training Modules","sections":{"organization_overview":{"title":"Organization & AI Systems Overview","description":"Provide an overview of your organization and the AI systems in use. This context helps tailor the literacy program to your specific needs per Article 4."},"training_needs_assessment":{"title":"Training Needs Assessment","description":"Assess your staff's current AI literacy levels and identify gaps. Article 4 requires consideration of technical knowledge, experience, education, context of use, and affected persons."},"training_curriculum":{"title":"Training Curriculum","description":"Design your training program by selecting modules and customizing content. The curriculum should address the gaps identified in the assessment phase."},"compliance_documentation":{"title":"Compliance Documentation","description":"Document your AI literacy program for regulatory evidence. Article 4 requires you to demonstrate that sufficient measures have been taken to ensure AI literacy."}},"fields":{"organization_name":{"label":"Organization Name","placeholder":"Enter your organization name","helpText":"The legal name of the organization implementing the AI literacy program."},"industry_sector":{"label":"Industry Sector","placeholder":"Select your industry sector","helpText":"Your primary industry sector, which affects the specific AI literacy requirements."},"number_of_employees":{"label":"Number of Employees","placeholder":"Select the range","helpText":"Total number of employees in the organization."},"ai_systems_in_use":{"label":"AI Systems in Use","placeholder":"List the AI systems your organization uses or develops (e.g., customer service chatbot, credit scoring model, HR screening tool)","helpText":"A comprehensive list of all AI systems used or developed by your organization. Include both internal and third-party systems."},"ai_system_risk_levels":{"label":"AI System Risk Levels","placeholder":"Describe the risk classification of each AI system listed above (minimal, limited, high-risk, or unacceptable)","helpText":"The risk classification for each AI system, as determined by the EU AI Act classifier."},"roles_interacting_with_ai":{"label":"Roles Interacting with AI","placeholder":"List the roles and departments that interact with AI systems (e.g., Customer Service, HR, IT, Management)","helpText":"All staff roles that operate, oversee, or are affected by AI system decisions."},"current_literacy_baseline":{"label":"Current Literacy Baseline","placeholder":"Describe the current level of AI literacy across your organization (e.g., results of an internal survey or assessment)","helpText":"An honest assessment of where your staff currently stands in terms of AI knowledge and competence."},"knowledge_gaps":{"label":"Knowledge Gaps","placeholder":"Identify specific gaps in AI knowledge (e.g., staff unaware of bias risks, management unfamiliar with compliance obligations)","helpText":"Specific areas where staff knowledge falls short of what Article 4 requires."},"role_specific_needs":{"label":"Role-Specific Training Needs","placeholder":"Describe different training needs per role (e.g., developers need technical AI safety training, managers need regulatory overview)","helpText":"Different roles require different levels and types of AI literacy training."},"technical_depth_required":{"label":"Technical Depth Required","placeholder":"Select the overall technical depth","helpText":"The overall level of technical detail needed in the training program."},"affected_persons_awareness":{"label":"Affected Persons Awareness","placeholder":"Describe how staff will be trained to understand the impact of AI decisions on affected individuals and groups","helpText":"Article 4 specifically requires consideration of persons or groups of persons on which AI systems are intended to be used."},"context_specific_requirements":{"label":"Context-Specific Requirements","placeholder":"Describe any industry-specific or context-specific AI literacy requirements (e.g., healthcare AI requires understanding of patient safety implications)","helpText":"Article 4 requires literacy measures to take into account the context in which AI systems are intended to be used."},"selected_modules":{"label":"Selected Training Modules","placeholder":"Select modules from the template cards above","helpText":"The pre-built training modules you have selected for your program."},"custom_modules":{"label":"Custom Training Modules","placeholder":"Describe any additional custom training modules you want to create (e.g., department-specific AI usage guidelines)","helpText":"Additional training modules tailored to your organization's specific needs beyond the pre-built templates."},"target_audience":{"label":"Target Audience","placeholder":"Describe who will receive each type of training (e.g., all employees receive basic module, technical staff receive advanced modules)","helpText":"Define which staff members or groups will participate in which training modules."},"delivery_method":{"label":"Delivery Method","placeholder":"Select the primary delivery method","helpText":"The primary method for delivering the training program."},"training_schedule":{"label":"Training Schedule","placeholder":"Describe the timeline for rolling out the training program (e.g., initial training by Q2 2025, refresher courses quarterly)","helpText":"A concrete timeline for when training will be delivered, including initial rollout and ongoing refresher schedules."},"responsible_person":{"label":"Responsible Person","placeholder":"Name and role of the person responsible for the training program","helpText":"The individual accountable for implementing and maintaining the AI literacy program."},"program_description":{"label":"Program Description","placeholder":"Provide a comprehensive description of the AI literacy program, including its objectives, scope, and methodology","helpText":"A high-level summary of the entire AI literacy program that could be presented to regulators."},"implementation_date":{"label":"Implementation Date","placeholder":"Enter the date the program was or will be implemented (e.g., 2025-03-01)","helpText":"The date the AI literacy program was or will be put into effect."},"review_frequency":{"label":"Review Frequency","placeholder":"Select how often the program will be reviewed","helpText":"How often the literacy program will be reviewed and updated to ensure continued compliance."},"responsible_officer":{"label":"Responsible Compliance Officer","placeholder":"Name and title of the officer responsible for AI literacy compliance","helpText":"The senior officer accountable for ensuring the organization meets its Article 4 obligations."},"documentation_of_measures":{"label":"Documentation of Measures Taken","placeholder":"Describe the specific measures taken to ensure AI literacy (e.g., training sessions conducted, materials developed, assessments performed)","helpText":"Article 4 requires documented evidence of measures taken. This field captures the concrete steps your organization has implemented."},"evidence_of_completion":{"label":"Evidence of Completion","placeholder":"Describe how training completion is tracked and evidenced (e.g., attendance records, certificates, test results, learning management system logs)","helpText":"How you prove that staff have actually completed the required training."},"continuous_improvement_plan":{"label":"Continuous Improvement Plan","placeholder":"Describe how the program will be continuously improved (e.g., feedback mechanisms, periodic assessment updates, tracking regulatory changes)","helpText":"How the literacy program will evolve over time to address new AI systems, regulatory updates, and organizational changes."}},"selectOptions":{"industry_sector":{"technology":"Technology","finance":"Finance & Banking","healthcare":"Healthcare","manufacturing":"Manufacturing","retail":"Retail & E-Commerce","education":"Education","public_sector":"Public Sector","legal":"Legal Services","other":"Other"},"number_of_employees":{"1_10":"1 - 10","11_50":"11 - 50","51_250":"51 - 250","251_1000":"251 - 1,000","1000_plus":"1,000+"},"technical_depth_required":{"basic":"Basic — General awareness only","intermediate":"Intermediate — Understand key concepts and risks","advanced":"Advanced — Technical understanding of AI systems","expert":"Expert — Deep technical and regulatory knowledge"},"delivery_method":{"in_person":"In-Person Training","online_live":"Online Live Sessions","self_paced":"Self-Paced E-Learning","blended":"Blended (In-Person + Online)","workshops":"Interactive Workshops"},"review_frequency":{"monthly":"Monthly","quarterly":"Quarterly","semi_annually":"Semi-Annually","annually":"Annually"}},"trainingModules":{"eu_ai_act_fundamentals":{"title":"Module 1: EU AI Act Fundamentals","description":"Overview of the regulation, key dates, scope, and who it applies to. Covers Articles 1-4 including the AI literacy obligation itself."},"understanding_ai_risk_levels":{"title":"Module 2: Understanding AI Risk Levels","description":"The EU AI Act classification system — unacceptable, high-risk, limited, and minimal risk. Covers Annex III categories and how to determine your system's risk level."},"provider_deployer_obligations":{"title":"Module 3: Provider & Deployer Obligations","description":"What is required per role under the EU AI Act. Covers provider obligations (Art. 16-25), deployer obligations (Art. 26-29), and role-shifting scenarios."},"ai_transparency_communication":{"title":"Module 4: AI Transparency & Communication","description":"Recognizing AI-generated outputs and disclosure obligations. Covers transparency requirements under Article 50 and human oversight under Article 13."},"fundamental_rights_ai":{"title":"Module 5: Fundamental Rights & AI","description":"Understanding the impact of AI on fundamental rights. Covers the Fundamental Rights Impact Assessment (FRIA) under Article 27 and the EU Charter of Fundamental Rights."}},"help":{"organization_name":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.","explanation":"Enter the full legal name of the organization that is subject to the AI literacy obligation. This is the entity that will be responsible for demonstrating compliance with Article 4.","example":"TechSolutions GmbH"},"industry_sector":{"legalText":"Article 4: ...taking into account their technical knowledge, experience, education and training, the context the AI systems are to be used in...","explanation":"Your industry sector determines the specific context in which AI systems are used, which in turn affects the type and depth of AI literacy training required.","example":"A mid-size financial services company would select 'Finance & Banking' as their industry sector, which implies specific requirements around credit scoring AI and anti-money laundering systems."},"number_of_employees":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff...","explanation":"The number of employees helps determine the scale and logistics of the training program. Smaller organizations may need simpler delivery methods, while larger ones need structured rollout plans.","example":"A company with 51-250 employees would typically need a structured training plan with dedicated sessions for different departments."},"ai_systems_in_use":{"legalText":"Article 4: ...the context the AI systems are to be used in, and the persons or groups of persons on which the AI systems are to be used.","explanation":"List every AI system your organization uses, develops, or deploys. Include both obvious AI (like chatbots) and less visible AI (like recommendation engines or automated decision-making tools).","example":"1. Customer service chatbot (GPT-4 based) — handles initial customer inquiries\n2. Internal HR screening tool — filters job applications\n3. Fraud detection system — flags suspicious transactions\n4. Demand forecasting model — predicts inventory needs"},"ai_system_risk_levels":{"legalText":"Article 6 and Annex III: High-risk AI systems are defined based on their use in specific areas listed in Annex III, subject to Article 6(3) exceptions.","explanation":"For each AI system you listed, indicate its risk classification under the EU AI Act. Use the Witness classifier tool if you are unsure about a system's classification.","example":"1. Customer service chatbot — Limited risk (Art. 50 transparency obligations)\n2. HR screening tool — High-risk (Annex III, Category 4a: Employment)\n3. Fraud detection — Minimal risk (fraud-only exception under Annex III 5b)\n4. Demand forecasting — Minimal risk (not in Annex III)"},"roles_interacting_with_ai":{"legalText":"Article 4: ...their staff and other persons dealing with the operation and use of AI systems on their behalf...","explanation":"Identify all roles in your organization that interact with AI systems — not just the technical teams, but also end-users, decision-makers, and those affected by AI outputs.","example":"- Customer Service Representatives (use chatbot daily)\n- HR Team (use screening tool for recruitment)\n- Finance/Compliance Team (review fraud alerts)\n- IT/Engineering (maintain and update AI systems)\n- Management (make decisions based on AI outputs)\n- Data Protection Officer (oversees AI data processing)"},"current_literacy_baseline":{"legalText":"Article 4: ...taking into account their technical knowledge, experience, education and training...","explanation":"Assess where your organization currently stands. This could be based on surveys, interviews, or informal observations. Be honest — the baseline helps you design an effective training program.","example":"Internal survey results (January 2025, 85% response rate):\n- 70% of staff have heard of the EU AI Act but cannot explain its requirements\n- IT team has moderate understanding of AI concepts but limited regulatory knowledge\n- Management is aware of compliance deadlines but lacks understanding of specific obligations\n- Customer service staff use the chatbot daily but do not understand how it generates responses"},"knowledge_gaps":{"legalText":"Article 4: ...taking into account their technical knowledge, experience, education and training...","explanation":"Identify specific areas where your staff's AI knowledge falls short of what Article 4 requires. Focus on gaps that are relevant to your organization's AI systems and use cases.","example":"Key gaps identified:\n1. No staff can explain the difference between high-risk and limited-risk AI systems\n2. HR team is unaware that their screening tool is classified as high-risk under Annex III\n3. Management does not understand the organization's obligations as a deployer\n4. No awareness of the FRIA requirement for the HR screening tool\n5. Staff cannot recognize when AI-generated content should be disclosed"},"role_specific_needs":{"legalText":"Article 4: ...taking into account their technical knowledge, experience, education and training, the context the AI systems are to be used in...","explanation":"Different roles need different training. Technical staff need deeper understanding of how AI works, while managers need to understand regulatory obligations and risk management.","example":"- All staff: Basic AI awareness (Module 1) — what AI is, EU AI Act overview, key dates\n- Customer Service: How the chatbot works, when to escalate, transparency obligations (Modules 1, 4)\n- HR Team: High-risk AI obligations, bias risks, human oversight requirements (Modules 1, 2, 3)\n- IT/Engineering: Technical safety, monitoring, logging requirements (Modules 1, 2, 3)\n- Management: Regulatory overview, compliance obligations, risk management (Modules 1, 2, 3, 5)\n- DPO: Full training on all modules, including FRIA requirements"},"technical_depth_required":{"legalText":"Article 4: ...taking into account their technical knowledge, experience, education and training...","explanation":"Determine the overall level of technical detail your training program needs. This depends on your organization's role (provider vs. deployer) and the complexity of your AI systems.","example":"A mid-size company deploying a customer service chatbot and an HR screening tool would typically need 'Intermediate' depth — staff should understand key AI concepts and risks without needing deep technical knowledge of model architectures."},"affected_persons_awareness":{"legalText":"Article 4: ...and the persons or groups of persons on which the AI systems are to be used.","explanation":"Article 4 explicitly requires consideration of the people affected by AI decisions. Staff must understand the potential impact of AI systems on individuals, especially vulnerable groups.","example":"Training will cover:\n- Job applicants affected by the HR screening tool — staff must understand that automated screening can have discriminatory effects and know how to ensure human oversight\n- Customers interacting with the chatbot — staff must know that customers have the right to know they are interacting with AI\n- Employees subject to AI-based performance monitoring — if applicable, staff must understand the rights of monitored employees"},"context_specific_requirements":{"legalText":"Article 4: ...the context the AI systems are to be used in...","explanation":"Consider industry-specific factors that affect your AI literacy needs. Different sectors have different risks, regulatory overlaps, and use-case sensitivities.","example":"As a financial services company:\n- Credit scoring AI literacy must include understanding of anti-discrimination laws and the specific requirements under Annex III 5(b)\n- Fraud detection AI training must address the fraud-only exception and why it is classified differently\n- Staff handling customer data through AI must understand GDPR-AI Act interaction\n- FMA (Austrian Financial Market Authority) may have additional AI governance expectations"},"custom_modules":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"If the pre-built modules do not fully cover your organization's needs, describe any custom training modules you plan to create. These should address organization-specific AI use cases or industry requirements.","example":"Custom Module: 'AI in Customer Service at TechSolutions'\n- How our specific chatbot works (GPT-4 based, fine-tuned on our FAQ database)\n- When to escalate from chatbot to human agent\n- How to identify and report chatbot errors or hallucinations\n- Our internal process for updating the chatbot's knowledge base\n- Duration: 30 minutes, delivered by the IT team lead"},"target_audience":{"legalText":"Article 4: ...their staff and other persons dealing with the operation and use of AI systems on their behalf...","explanation":"Define which employees or groups will receive each type of training. Not everyone needs the same level of detail — tailor the audience to the training content.","example":"- Modules 1 (Fundamentals): All 150 employees — mandatory, completed within first month\n- Module 2 (Risk Levels): IT, HR, Compliance, Management (approx. 40 people)\n- Module 3 (Obligations): IT, HR, Compliance, Management, Legal (approx. 45 people)\n- Module 4 (Transparency): Customer-facing staff (approx. 60 people)\n- Module 5 (Fundamental Rights): HR, Legal, DPO, Management (approx. 25 people)\n- Custom Module: Customer Service team (approx. 30 people)"},"delivery_method":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Choose how the training will be delivered. Consider your organization's size, location distribution, and the type of content being taught.","example":"A mid-size company with a single office location might choose 'Blended' — initial in-person workshops for management and key roles, followed by self-paced e-learning modules for all staff through the company LMS."},"training_schedule":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Create a concrete timeline for delivering the training. Remember that Article 4 is already enforceable, so training should begin as soon as possible.","example":"Phase 1 (March 2025): Management and Compliance team complete all modules\nPhase 2 (April 2025): IT and HR teams complete role-specific modules\nPhase 3 (May 2025): All remaining staff complete Module 1 (Fundamentals)\nPhase 4 (June 2025): Customer-facing staff complete Module 4 (Transparency)\nOngoing: Quarterly refresher sessions, new employee onboarding includes Module 1"},"responsible_person":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Designate a specific person who is accountable for the training program's implementation and success.","example":"Maria Schmidt, Head of Compliance & Data Protection — responsible for program design, delivery coordination, and tracking completion across all departments."},"program_description":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf, taking into account their technical knowledge, experience, education and training, the context the AI systems are to be used in, and the persons or groups of persons on which the AI systems are to be used.","explanation":"Provide a comprehensive summary of your entire AI literacy program. This should serve as the executive summary that a regulator could review to understand your compliance efforts.","example":"TechSolutions GmbH AI Literacy Program\n\nObjective: Ensure all 150 employees achieve sufficient AI literacy as required by Article 4 of the EU AI Act.\n\nScope: Covers 4 AI systems (customer service chatbot, HR screening tool, fraud detection, demand forecasting) across all departments.\n\nMethodology: Blended learning approach with 5 core modules plus 1 custom module, delivered through a combination of in-person workshops and e-learning. Training is role-specific and tailored to each department's AI interaction patterns.\n\nTimeline: Full rollout March-June 2025 with quarterly refreshers."},"implementation_date":{"legalText":"Article 4 enforcement date: February 2, 2025. This obligation is already in effect.","explanation":"Enter the date your AI literacy program was or will be implemented. Since Article 4 is already enforceable, this should ideally be a date in the past or very near future.","example":"2025-03-01"},"review_frequency":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Choose how often the literacy program will be reviewed and updated. Regular reviews ensure the program stays current with new AI systems, regulatory updates, and organizational changes.","example":"A company deploying high-risk AI systems should review their program at least quarterly to account for regulatory updates, new AI deployments, and staff turnover."},"responsible_officer":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Designate a senior officer who is ultimately accountable for AI literacy compliance. This person should have the authority to allocate resources and enforce training requirements.","example":"Dr. Thomas Weber, Chief Compliance Officer — reports directly to the board on AI compliance matters, including Article 4 literacy obligations."},"documentation_of_measures":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Document the concrete steps your organization has taken. This is your evidence trail — regulators may ask to see proof of your compliance efforts.","example":"Measures taken:\n1. Conducted organization-wide AI literacy survey (January 2025, 128/150 responses)\n2. Developed 5 training modules with external AI law experts (February 2025)\n3. Deployed modules on company LMS (March 2025)\n4. Conducted 3 in-person workshops for management team (March 2025)\n5. Assigned role-specific training tracks to all 150 employees\n6. Established quarterly review cycle with compliance team"},"evidence_of_completion":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Describe how you track and prove that staff have completed their training. This is critical compliance evidence.","example":"Training completion is tracked through:\n1. LMS completion records — automatic tracking per module per employee\n2. Workshop attendance sheets — signed by participants\n3. Knowledge assessment quizzes — minimum 80% pass rate required\n4. Certificates of completion — issued automatically by LMS\n5. Monthly compliance dashboard — shows completion rates by department\n6. All records retained for minimum 5 years per internal compliance policy"},"continuous_improvement_plan":{"legalText":"Article 4: Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy...","explanation":"Describe how the program will evolve over time. AI literacy is not a one-time exercise — your program must adapt to new AI systems, regulatory changes, and lessons learned.","example":"Continuous improvement measures:\n1. Quarterly training content review — update modules for new AI systems and regulatory guidance\n2. Annual full program audit — assess effectiveness and identify new gaps\n3. Employee feedback surveys after each training cycle — incorporate suggestions\n4. Regulatory change monitoring — subscribe to EU AI Office updates, track CJEU interpretations\n5. New AI system onboarding process — trigger training update whenever a new AI system is deployed\n6. Benchmarking — compare program with industry best practices annually"}},"review":{"title":"Review & Export","subtitle":"Review your AI literacy compliance program before exporting. All 4 sections are shown below.","backToEditor":"Back to editing","exportPdf":"Export as PDF","exportPdfAriaLabel":"Export AI literacy program as PDF using browser print dialog","exportPdfDescription":"Generate a print-ready version of your AI literacy compliance documentation.","sectionEmpty":"No content provided yet. Start building your AI literacy program first.","fieldEmpty":"Not provided","completionWarning":"Your program documentation is {percentage}% complete. We recommend filling all required fields before exporting.","documentTitle":"AI Literacy Compliance Program — Article 4","documentSubtitle":"EU AI Act (Regulation (EU) 2024/1689) — Enforceable since February 2, 2025","generatedBy":"Generated by Witness","generatedOn":"Generated on {date}","disclaimer":"This document is generated to assist with EU AI Act Article 4 compliance. It does not constitute legal advice. The AI literacy obligation is already enforceable since February 2, 2025. Verify all content with a qualified legal professional.","backToDashboard":"Back to Dashboard"},"academyLinkTitle":"AI Act Academy Training Modules","academyLinkDescription":"Your employees can complete AI literacy training through the free AI Act Academy. The Academy covers 13 modules across two tracks (Essentials and Advanced), with per-module quizzes and completion tracking for compliance reporting.","openAcademy":"Open AI Act Academy"},"common":{"exampleLabel":"Example","showFieldHelp":"Show field help","fieldHelpDialogLabel":"Field help information","selectAISystem":"Select AI System","selectAISystemHint":"You have multiple AI systems. Please select which one you want to work on.","selectPlaceholder":"Choose a system...","loadingSystems":"Loading your AI systems...","noSystemsMessage":"No AI systems found. Please classify an AI system first using the AI System Classifier.","backToDashboard":"Back to system dashboard","saveAndClose":"Save & Close"},"copyFromSystem":{"buttonLabel":"Copy from other system","noSystems":"No other systems available","noData":"No data available for this field","copied":"Copied from {system}"},"fria":{"title":"FRIA Generator","subtitle":"Generate a Fundamental Rights Impact Assessment (FRIA) as required by Article 27 of the EU AI Act. Required for bodies governed by public law and private entities providing public services deploying Annex III systems (except point 2), and for deployers of Annex III points 5(b) and 5(c).","backToHome":"Back to home","stepCounter":"Section {current} of {total}","nextButton":"Next Section","backButton":"Previous Section","reviewButton":"Review & Export","saveProgress":"Progress saved automatically","requiredField":"Required","optionalField":"Optional","conditionalField":"Required if applicable","overallProgress":"Overall Completion","progressLabel":"{percentage}%","fieldsFilled":"{filled} of {total} required fields completed","sectionProgress":"{percentage}%","sectionNavLabel":"FRIA sections","articleReference":"Ref: {ref}","helpAriaLabel":"Show help for {field}","selectOptions":{"continuous":"Continuous (24/7)","daily":"Daily","weekly":"Weekly","monthly":"Monthly","ad_hoc":"Ad hoc / On demand","low":"Low","medium":"Medium","high":"High","critical":"Critical","real_time":"Real-time","quarterly":"Quarterly","yes":"Yes","no":"No"},"riskMatrix":{"title":"Risk Assessment Matrix","overallRisk":"Overall Risk Level","likelihood":"Likelihood","severity":"Severity","levels":{"low":"Low","medium":"Medium","high":"High","critical":"Critical"}},"sections":{"process_description":{"title":"Process Description","description":"Describe the deployer's processes in which the AI system will be used, in line with its intended purpose (Article 27(1)(a))."},"usage_timeline":{"title":"Usage Timeline & Frequency","description":"Specify how long and how frequently the AI system will be used, including seasonal or periodic patterns (Article 27(1)(b))."},"affected_groups":{"title":"Affected Groups","description":"Identify the categories of natural persons and groups likely to be affected by the use of the AI system (Article 27(1)(c))."},"specific_risks":{"title":"Specific Risks of Harm","description":"Assess the specific risks of harm likely to impact the identified groups, considering information provided by the provider under Article 13 (Article 27(1)(d))."},"human_oversight":{"title":"Human Oversight Measures","description":"Describe the human oversight measures to be implemented, in accordance with the provider's instructions for use (Article 27(1)(e))."},"mitigation_measures":{"title":"Mitigation Measures","description":"Detail the measures to be taken when risks materialise, including internal governance arrangements and complaint mechanisms (Article 27(1)(f))."},"dpia_integration":{"title":"DPIA Integration","description":"If a Data Protection Impact Assessment (DPIA) under GDPR Article 35 has been conducted, the FRIA may supplement it rather than duplicate the analysis (Article 27(4))."},"authority_notification":{"title":"Authority Notification","description":"After performing the FRIA, notify the relevant market surveillance authority of the results and submit the filled-out Article 27(5) template. Document your notification plan (Article 27(3))."}},"fields":{"fria_system_name":{"label":"AI System Name","placeholder":"e.g., Credit Scoring Engine v3.0","helpText":"The name of the AI system being assessed."},"fria_deployment_context":{"label":"Deployment Context","placeholder":"Describe the organizational context and business process where the AI system will be deployed...","helpText":"The specific organizational and operational context in which the AI system will be used."},"fria_intended_purpose":{"label":"Intended Purpose","placeholder":"Describe the intended purpose of the AI system within your processes...","helpText":"How the AI system will be used within the deployer's processes, aligned with the provider's stated intended purpose."},"fria_operational_environment":{"label":"Operational Environment","placeholder":"Describe the technical and organizational environment where the system operates...","helpText":"The technical infrastructure, organizational setting, and conditions under which the system operates."},"fria_decision_types":{"label":"Types of Decisions","placeholder":"Describe the types of decisions the AI system will support or make...","helpText":"The categories of decisions the AI system influences, supports, or makes autonomously."},"fria_start_date":{"label":"Planned Start Date","placeholder":"Select date","helpText":"The planned date when the AI system will first be put into service."},"fria_planned_duration":{"label":"Planned Duration of Use","placeholder":"e.g., 24 months, indefinite with annual review","helpText":"How long the AI system is planned to be in operation."},"fria_usage_frequency":{"label":"Usage Frequency","placeholder":"Select frequency","helpText":"How often the AI system will process decisions or assessments."},"fria_volume_of_decisions":{"label":"Volume of Decisions","placeholder":"e.g., approximately 5,000 credit applications per month","helpText":"The expected number of decisions or assessments the system will process in a given period."},"fria_review_schedule":{"label":"Review Schedule","placeholder":"Describe the planned schedule for reviewing the system's impact and performance...","helpText":"The planned schedule for periodic review of the system's operation and its impact on fundamental rights."},"fria_primary_affected_groups":{"label":"Primary Affected Groups","placeholder":"Describe the main categories of people affected by the AI system's decisions...","helpText":"The primary categories of natural persons whose rights or interests are directly affected by the system's output."},"fria_vulnerable_groups":{"label":"Vulnerable Groups","placeholder":"Identify any vulnerable groups that may be disproportionately affected...","helpText":"Groups that may be particularly vulnerable to the system's impact, such as elderly persons, persons with disabilities, or economically disadvantaged groups."},"fria_geographic_scope":{"label":"Geographic Scope","placeholder":"e.g., Austria, DACH region, European Union","helpText":"The geographic area where the AI system will be deployed and persons will be affected."},"fria_estimated_affected_persons":{"label":"Estimated Number of Affected Persons","placeholder":"e.g., approximately 50,000 persons per year","helpText":"An estimate of the total number of natural persons likely to be affected by the system annually."},"fria_indirect_affected_parties":{"label":"Indirect Affected Parties","placeholder":"Describe any parties indirectly affected by the system's decisions...","helpText":"Parties who may be indirectly affected, such as family members of credit applicants or communities."},"fria_identified_risks":{"label":"Identified Risks to Fundamental Rights","placeholder":"List and describe the specific risks to fundamental rights identified for each affected group...","helpText":"The specific risks to fundamental rights (e.g., non-discrimination, privacy, access to services) for each identified group."},"fria_risk_likelihood":{"label":"Overall Risk Likelihood","placeholder":"Select likelihood","helpText":"The overall likelihood that the identified risks will materialise."},"fria_risk_severity":{"label":"Overall Risk Severity","placeholder":"Select severity","helpText":"The overall severity of impact if the identified risks materialise."},"fria_provider_risk_info":{"label":"Provider Risk Information","placeholder":"Summarise the risk information provided by the AI system provider under Article 13...","helpText":"Information about risks provided by the AI system provider in the instructions for use (per Article 13)."},"fria_cumulative_effects":{"label":"Cumulative Effects","placeholder":"Describe any cumulative effects from combining this system with other systems or processes...","helpText":"Potential cumulative effects when the system is used alongside other AI systems or automated processes."},"fria_discrimination_risks":{"label":"Discrimination Risks","placeholder":"Assess the risk of discriminatory outcomes, including proxy discrimination...","helpText":"Assessment of potential discriminatory outcomes, including direct and indirect discrimination based on protected characteristics."},"fria_privacy_risks":{"label":"Privacy & Data Protection Risks","placeholder":"Assess the risks to privacy and data protection rights...","helpText":"Assessment of risks to the right to privacy and protection of personal data (Articles 7 and 8, EU Charter of Fundamental Rights)."},"fria_oversight_roles":{"label":"Oversight Roles & Responsibilities","placeholder":"Describe the roles and responsibilities of persons responsible for human oversight...","helpText":"The designated roles and their responsibilities for overseeing the AI system's operation."},"fria_intervention_mechanisms":{"label":"Intervention Mechanisms","placeholder":"Describe the mechanisms for human intervention in the system's operation...","helpText":"Technical and procedural mechanisms that allow humans to intervene in or override the system's decisions."},"fria_escalation_procedures":{"label":"Escalation Procedures","placeholder":"Describe the procedures for escalating issues identified during oversight...","helpText":"Procedures for escalating concerns, anomalies, or potential rights violations identified during operation."},"fria_override_capability":{"label":"Override Capability","placeholder":"Describe how and when human operators can override the system's decisions...","helpText":"The capability and procedures for human operators to override, reverse, or modify the system's output."},"fria_monitoring_frequency":{"label":"Monitoring Frequency","placeholder":"Select monitoring frequency","helpText":"How frequently the human oversight monitoring will be conducted."},"fria_preventive_measures":{"label":"Preventive Measures","placeholder":"Describe the preventive measures in place to reduce the likelihood of identified risks...","helpText":"Measures taken before deployment to prevent or reduce the likelihood of fundamental rights impacts."},"fria_corrective_measures":{"label":"Corrective Measures","placeholder":"Describe the corrective measures to be applied when risks materialise...","helpText":"Measures to be taken when risks materialise, including how affected persons will be remedied."},"fria_complaint_mechanism":{"label":"Complaint Mechanism","placeholder":"Describe the complaint mechanism available to affected persons...","helpText":"The mechanism through which affected persons can lodge complaints about the system's decisions."},"fria_governance_structure":{"label":"Internal Governance Structure","placeholder":"Describe the internal governance arrangements for overseeing compliance...","helpText":"The internal governance structure responsible for ensuring ongoing compliance and rights protection."},"fria_review_triggers":{"label":"Review Triggers","placeholder":"Describe the events or conditions that trigger a review of this FRIA...","helpText":"Specific events, thresholds, or conditions that trigger a mandatory review and update of this assessment."},"fria_notification_plan":{"label":"Escalation & Communication Plan","placeholder":"Describe the internal escalation, communication, and remediation steps you will take if identified risks materialise...","helpText":"Describe the practical communication and escalation arrangements that support your mitigation measures under Article 27(1)(f)."},"fria_dpia_conducted":{"label":"GDPR DPIA Conducted?","placeholder":"Select","helpText":"Have you conducted a Data Protection Impact Assessment (DPIA) under GDPR Article 35 for this AI system?"},"fria_dpia_reference":{"label":"DPIA Reference","placeholder":"e.g., DPIA-2026-001, dated 2026-01-15","helpText":"Reference number and date of the existing DPIA, if applicable."},"fria_dpia_supplement":{"label":"FRIA Supplement to DPIA","placeholder":"Describe how this FRIA supplements the existing DPIA with fundamental rights considerations beyond data protection...","helpText":"How this FRIA extends the DPIA analysis to cover fundamental rights beyond data protection (e.g., non-discrimination, access to services)."},"fria_authority_notification":{"label":"Market Surveillance Authority Notification","placeholder":"Describe your plan for notifying the relevant market surveillance authority of the FRIA results and submitting the filled-out Article 27(5) template...","helpText":"Per Article 27(3), you must notify the market surveillance authority of the FRIA results and submit the filled-out template referred to in Article 27(5)."}},"review":{"title":"Review & Export","subtitle":"Review your Fundamental Rights Impact Assessment before exporting. All 8 sections are shown below.","backToEditor":"Back to editing","exportPdf":"Export as PDF","exportPdfAriaLabel":"Export FRIA as PDF using browser print dialog","exportPdfDescription":"Generate a print-ready version of your FRIA.","sectionEmpty":"No content provided. Start filling in the FRIA assessment to see it here.","fieldEmpty":"Not provided","completionWarning":"Your FRIA is {percentage}% complete. We recommend filling all required fields before exporting.","overallRiskLevel":"Overall Assessed Risk Level","documentTitle":"Fundamental Rights Impact Assessment — Article 27","documentSubtitle":"EU AI Act (Regulation (EU) 2024/1689)","generatedBy":"Generated by Witness","generatedOn":"Generated on {date}","authorityReminder":"Notification Requirement: Article 27(3)","authorityReminderDetail":"After performing the FRIA, notify the relevant market surveillance authority of the results and submit the filled-out Article 27(5) template. Ensure you have identified the correct authority for your jurisdiction.","disclaimer":"This document is generated to assist with EU AI Act compliance. It does not constitute legal advice. Verify all content with a qualified legal professional.","backToDashboard":"Back to Dashboard"},"help":{"fria_system_name":{"legalText":"Article 27(1)(a): A description of the deployer's processes in which the high-risk AI system will be used in line with its intended purpose.","explanation":"Enter the official name of the AI system you are deploying. This should match the name used by the provider and in all compliance documentation.","example":"CreditScore Pro v3.0 -- automated credit scoring system provided by FinTech Solutions GmbH"},"fria_deployment_context":{"legalText":"Article 27(1)(a): A description of the deployer's processes in which the high-risk AI system will be used in line with its intended purpose.","explanation":"Describe the specific business process and organizational context where you deploy the AI system. Include which department uses it, what workflow it fits into, and how it connects to your existing processes.","example":"The system is deployed in our Consumer Lending department as part of the loan application workflow. When a customer submits a credit application through our online portal or branch office, the application data is automatically fed to CreditScore Pro, which produces a credit risk score. This score is then reviewed by a credit analyst before any lending decision is made."},"fria_intended_purpose":{"legalText":"Article 27(1)(a): A description of the deployer's processes in which the high-risk AI system will be used in line with its intended purpose.","explanation":"Describe how you intend to use the AI system. This must align with the intended purpose stated by the provider. If you use it differently, this creates additional obligations.","example":"We use CreditScore Pro to generate preliminary credit risk assessments for consumer loan applications between EUR 1,000 and EUR 50,000. The system's output is used as a decision-support tool -- it does not make autonomous lending decisions. Every application still requires human review and approval."},"fria_operational_environment":{"legalText":"Article 27(1)(a): A description of the deployer's processes in which the high-risk AI system will be used in line with its intended purpose.","explanation":"Describe the technical and organizational environment where the AI system runs. Include infrastructure, access controls, and any relevant environmental conditions.","example":"The system runs on our private cloud infrastructure hosted in an EU data center (Frankfurt, Germany). Access is restricted to authorized credit analysts via SSO authentication. The system integrates with our core banking system via encrypted REST API. All data transfers are encrypted in transit (TLS 1.3) and at rest (AES-256)."},"fria_decision_types":{"legalText":"Article 27(1)(a): A description of the deployer's processes in which the high-risk AI system will be used in line with its intended purpose.","explanation":"List the specific types of decisions the AI system helps make or influences. Be clear about whether these are autonomous decisions or decision-support.","example":"The system supports the following decision types: (1) Initial credit risk scoring (0-1000 scale), (2) Risk category assignment (low/medium/high/very high), (3) Recommended interest rate band based on risk, (4) Flagging of applications requiring enhanced due diligence. All are advisory -- final lending decisions are made by human credit analysts."},"fria_start_date":{"legalText":"Article 27(1)(b): A description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used.","explanation":"Enter the date when you plan to start using (or started using) the AI system. If the system is already in use, enter the actual start date.","example":"2026-03-01"},"fria_planned_duration":{"legalText":"Article 27(1)(b): A description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used.","explanation":"Specify how long you plan to use the AI system. Include any planned review points or renewal milestones.","example":"Initial contract period of 36 months (March 2026 -- February 2029), with annual compliance reviews in March. Contract includes automatic renewal for 12-month periods subject to satisfactory performance and continued compliance."},"fria_usage_frequency":{"legalText":"Article 27(1)(b): A description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used.","explanation":"Select how frequently the AI system will process inputs and generate outputs. This helps assess the scale of potential impact.","example":"Daily -- the system processes applications during business hours (Mon-Fri, 8:00-18:00 CET)"},"fria_volume_of_decisions":{"legalText":"Article 27(1)(b): A description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used.","explanation":"Estimate the number of decisions or assessments the system will process. This is critical for understanding the scale of fundamental rights impact.","example":"Approximately 5,000 credit applications per month (60,000 per year). Peak periods occur in January (post-holiday) and September (back-to-school) with volumes up to 7,000 per month."},"fria_review_schedule":{"legalText":"Article 27(1)(b): A description of the period of time within which, and the frequency with which, each high-risk AI system is intended to be used.","explanation":"Describe when and how you will review the system's performance and impact. Regular reviews are essential for ongoing compliance.","example":"Quarterly performance reviews (March, June, September, December) examining: accuracy metrics, fairness indicators, complaint volumes, and override rates. Annual comprehensive review including external audit of fundamental rights impact. Ad-hoc reviews triggered by significant complaint increases (>20% month-over-month) or system updates."},"fria_primary_affected_groups":{"legalText":"Article 27(1)(c): The categories of natural persons and groups of persons likely to be affected by its use.","explanation":"Identify the main groups of people directly affected by the AI system's decisions. Be specific about who they are and how they are affected.","example":"Primary affected groups: (1) Consumer loan applicants -- individuals applying for personal loans, car loans, or home improvement financing (approx. 60,000/year). (2) Existing customers applying for credit limit increases (approx. 15,000/year). (3) Small business owners applying for microloans under EUR 25,000 (approx. 5,000/year)."},"fria_vulnerable_groups":{"legalText":"Article 27(1)(c): The categories of natural persons and groups of persons likely to be affected by its use.","explanation":"Identify groups that may be particularly vulnerable to negative impacts. Consider age, disability, language, digital literacy, economic status, and migration background.","example":"Vulnerable groups identified: (1) Young adults (18-25) with limited credit history -- may be unfairly scored due to sparse data. (2) Elderly applicants (65+) who may have non-traditional income patterns (pensions, investments). (3) Recent migrants with credit histories from non-EU countries that the system cannot process. (4) Persons with disabilities who may have irregular employment patterns."},"fria_geographic_scope":{"legalText":"Article 27(1)(c): The categories of natural persons and groups of persons likely to be affected by its use.","explanation":"Specify the geographic area where the system will be used and where affected persons are located.","example":"Austria nationwide -- all 9 federal states. Applications accepted from Austrian residents and EU citizens with Austrian residence."},"fria_estimated_affected_persons":{"legalText":"Article 27(1)(c): The categories of natural persons and groups of persons likely to be affected by its use.","explanation":"Provide a reasonable estimate of the total number of people affected by the system annually. Include both direct and indirect impacts.","example":"Approximately 80,000 persons directly affected per year (applicants). Indirect effects estimated at 120,000 persons (household members of applicants, co-signers)."},"fria_indirect_affected_parties":{"legalText":"Article 27(1)(c): The categories of natural persons and groups of persons likely to be affected by its use.","explanation":"Consider people who are indirectly affected by the system's decisions, even if they are not the direct subject of the assessment.","example":"Indirect affected parties: (1) Family members and dependents of loan applicants -- a credit denial affects the entire household. (2) Co-applicants and guarantors. (3) Local businesses that may be affected by lending patterns in their area. (4) Credit brokers and intermediaries who rely on fair system outputs."},"fria_identified_risks":{"legalText":"Article 27(1)(d): The specific risks of harm likely to impact the categories of natural persons or groups of persons identified pursuant to point (c), having regard to the information given by the provider pursuant to Article 13.","explanation":"List all specific risks to fundamental rights you have identified. For each risk, describe which right is affected, who is affected, and what the potential harm is.","example":"Identified risks: (1) Right to non-discrimination (Art. 21 EU Charter): The system may systematically disadvantage applicants from certain postal codes that correlate with ethnic minority neighbourhoods. (2) Right to access to services (Art. 36 EU Charter): Unfair credit denials could restrict access to essential financial services. (3) Right to an effective remedy (Art. 47 EU Charter): Applicants may not understand or be able to challenge automated scoring decisions. (4) Right to human dignity (Art. 1 EU Charter): Reducing creditworthiness to an algorithmic score may fail to capture individual circumstances."},"fria_risk_likelihood":{"legalText":"Article 27(1)(d): The specific risks of harm likely to impact the categories of natural persons or groups of persons.","explanation":"Assess the overall likelihood that the identified risks will materialise. Consider the system's track record, the provider's testing data, and your operational context.","example":"Medium -- based on provider testing data showing 2-3% differential impact across demographic groups, and our mitigation measures including mandatory human review."},"fria_risk_severity":{"legalText":"Article 27(1)(d): The specific risks of harm likely to impact the categories of natural persons or groups of persons.","explanation":"Assess the severity of impact if risks materialise. Consider financial harm, access to services, dignity, and whether impacts are reversible.","example":"High -- credit decisions directly affect individuals' ability to access financial services, housing, and economic opportunities. Unfair denial can have lasting effects on financial well-being."},"fria_provider_risk_info":{"legalText":"Article 27(1)(d): Having regard to the information given by the provider pursuant to Article 13.","explanation":"Summarise the risk information the provider gave you in the instructions for use and technical documentation. This is required input for your FRIA.","example":"Per provider's Article 13 documentation: (1) Model accuracy: 91% agreement with human assessors. (2) Known limitations: reduced accuracy for applicants with thin credit files (<3 credit lines). (3) Bias testing: demographic parity difference <0.05 across gender, <0.08 across age groups. (4) Recommended human review for all scores in the 400-600 range (medium confidence zone). (5) System not designed for applicants under 18 or non-resident aliens."},"fria_cumulative_effects":{"legalText":"Article 27(1)(d): The specific risks of harm likely to impact the categories of natural persons or groups of persons.","explanation":"Consider whether the combination of this AI system with other automated systems or processes creates additional risks that would not exist from either system alone.","example":"Cumulative effects identified: (1) Combined with our automated fraud detection system, applicants flagged by both systems face a double barrier -- they may be denied credit AND reported to fraud databases, creating a cascading negative effect. (2) If applicants also use AI-based insurance pricing systems (Annex III 5(c)), unfair credit scoring could compound into higher insurance premiums."},"fria_discrimination_risks":{"legalText":"Article 27(1)(d): The specific risks of harm likely to impact the categories of natural persons or groups of persons.","explanation":"Assess the risk of discriminatory outcomes. Consider both direct discrimination (using protected characteristics) and proxy discrimination (using data that correlates with protected characteristics).","example":"Discrimination risk assessment: (1) Direct discrimination: The system does not use protected characteristics (gender, ethnicity, religion) as input features. (2) Proxy discrimination risk: Postal code correlates with ethnic composition in certain urban areas (correlation coefficient 0.67). (3) Historical bias: Training data reflects past lending patterns that may embed historical discrimination. (4) Mitigation: We exclude postal code from scoring, use fairness-aware algorithms, and conduct quarterly disparate impact analysis."},"fria_privacy_risks":{"legalText":"Article 27(1)(d): The specific risks of harm likely to impact the categories of natural persons or groups of persons.","explanation":"Assess risks to privacy and data protection. Consider data collection, processing, retention, and potential for re-identification or function creep.","example":"Privacy risks: (1) Data minimisation: System processes more data points (142) than strictly necessary for credit assessment -- we restrict input to 38 approved fields. (2) Retention: Score data retained for 10 years per banking regulations, creating long-term privacy exposure. (3) Re-identification: Aggregated scoring data could theoretically be cross-referenced to re-identify individuals. (4) Function creep: Scores must not be used for purposes beyond credit assessment (e.g., marketing targeting). Mitigated by: data access controls, purpose limitation policies, annual privacy audit."},"fria_oversight_roles":{"legalText":"Article 27(1)(e): A description of human oversight measures, according to the instructions for use.","explanation":"Describe who is responsible for overseeing the AI system's operation. Include their roles, qualifications, and authority to intervene.","example":"Oversight roles: (1) Credit Risk Manager (senior level, minimum 5 years experience): Overall accountability for system performance and compliance. Reviews monthly dashboards. Authority to suspend system use. (2) Credit Analysts (team of 12): Review every AI-generated score before lending decisions. Trained on AI literacy and bias awareness. Authority to override any individual score. (3) Compliance Officer: Quarterly compliance review. Escalation point for rights violations. Reports to the board."},"fria_intervention_mechanisms":{"legalText":"Article 27(1)(e): A description of human oversight measures, according to the instructions for use.","explanation":"Describe the specific technical and procedural mechanisms through which humans can intervene in the system's operation.","example":"Intervention mechanisms: (1) Score override: Any credit analyst can override the AI score with a manual assessment by clicking 'Override' and entering justification (mandatory). (2) System pause: Credit Risk Manager can suspend automated scoring via the admin dashboard with immediate effect. (3) Batch review: Any batch of applications can be flagged for 100% manual review if anomalies are detected. (4) Emergency stop: IT operations can disable the API endpoint within 5 minutes via the incident management system."},"fria_escalation_procedures":{"legalText":"Article 27(1)(e): A description of human oversight measures, according to the instructions for use.","explanation":"Describe the procedures for escalating issues discovered during operation. Include who can escalate, to whom, and expected response times.","example":"Escalation procedures: Level 1: Credit analyst identifies anomaly -> reports to team lead within same business day. Level 2: Team lead confirms issue -> escalates to Credit Risk Manager within 4 hours. Level 3: Systemic issue identified -> Credit Risk Manager escalates to Compliance Officer and may suspend system. Level 4: Potential rights violation -> Compliance Officer reports to board and market surveillance authority within 72 hours. All escalations logged in our incident management system with timestamps."},"fria_override_capability":{"legalText":"Article 27(1)(e): A description of human oversight measures, according to the instructions for use.","explanation":"Describe the capability to override the system's decisions. Include when overrides are required, who can perform them, and how they are documented.","example":"Override capability: (1) All AI scores can be overridden by any credit analyst at any time. (2) Mandatory override review for: scores in the 400-600 range (provider recommendation), applications from first-time borrowers under 25, applications where the analyst disagrees with the AI assessment. (3) All overrides logged with: analyst ID, original score, override decision, written justification, timestamp. (4) Override rate monitored monthly -- expected range 8-15%. Rates above 20% trigger system review."},"fria_monitoring_frequency":{"legalText":"Article 27(1)(e): A description of human oversight measures, according to the instructions for use.","explanation":"Select how frequently systematic oversight monitoring will occur. This is separate from individual decision oversight.","example":"Weekly -- automated dashboards reviewed every Monday by the Credit Risk Manager, with monthly deep-dive analysis and quarterly comprehensive reviews."},"fria_preventive_measures":{"legalText":"Article 27(1)(f): The measures to be taken in the case of the materialisation of those risks, including the arrangements for internal governance and complaint mechanisms.","explanation":"Describe measures in place to prevent fundamental rights impacts from occurring in the first place.","example":"Preventive measures: (1) Input data validation: automated checks reject incomplete or corrupted applications before scoring. (2) Fairness constraints: scoring algorithm includes demographic parity constraints (max 5% differential). (3) Mandatory human review for all decisions resulting in credit denial. (4) AI literacy training: all credit analysts complete 16-hour AI Act training program before using the system. (5) Regular bias testing: monthly automated fairness reports across 6 demographic dimensions."},"fria_corrective_measures":{"legalText":"Article 27(1)(f): The measures to be taken in the case of the materialisation of those risks.","explanation":"Describe what happens when risks materialise. How will you correct the situation and remedy affected persons?","example":"Corrective measures: (1) Immediate: Upon discovery of a rights violation, affected applications are flagged for manual reassessment within 48 hours. (2) Individual remedy: Affected applicants receive a new manual assessment, a written explanation, and -- if the original decision was unfair -- expedited processing of their application. (3) Systemic: If a systemic bias is found, all applications processed during the affected period are batch-reviewed. (4) System correction: Provider is notified of the issue and must provide a corrective update. System may be suspended until the fix is deployed."},"fria_complaint_mechanism":{"legalText":"Article 27(1)(f): The arrangements for internal governance and complaint mechanisms.","explanation":"Describe how affected persons can complain about the AI system's decisions. The mechanism must be accessible, transparent, and lead to meaningful review.","example":"Complaint mechanism: (1) Access: Applicants can submit complaints via our website, email (complaints@bank.at), telephone hotline (0800-xxx-xxx), or in person at any branch. (2) Process: All complaints acknowledged within 2 business days. Complaints related to AI decisions are flagged and routed to the Compliance team. (3) Investigation: Each complaint triggers a full review of the AI assessment, including the original data, model output, and any human override decisions. (4) Resolution: Target resolution within 15 business days. Applicant receives a written explanation including whether the AI contributed to the outcome. (5) Appeal: If unsatisfied, the applicant can escalate to our Ombudsman or the relevant financial supervisory authority."},"fria_governance_structure":{"legalText":"Article 27(1)(f): The arrangements for internal governance and complaint mechanisms.","explanation":"Describe the internal governance structure that oversees AI system compliance. Include roles, reporting lines, and decision-making authority.","example":"Governance structure: (1) AI Ethics Committee (meets quarterly): CTO, Chief Risk Officer, Compliance Officer, Data Protection Officer, external ethics advisor. Reviews FRIA findings and approves continued use. (2) Credit Risk Manager: Day-to-day operational oversight. Reports to Chief Risk Officer. (3) Compliance Officer: Regulatory liaison, authority notifications. Reports to the board. (4) Data Protection Officer: Privacy oversight, DPIA alignment. (5) Board: Annual review of all AI systems, approval of risk appetite. Ultimate accountability."},"fria_review_triggers":{"legalText":"Article 27(1)(f): The measures to be taken in the case of the materialisation of those risks.","explanation":"Define the specific events or conditions that require this FRIA to be reviewed and updated. These should be measurable and actionable.","example":"FRIA review triggers: (1) System update: Any model update or version change from the provider. (2) Complaint threshold: More than 5 AI-related complaints in a single month. (3) Override rate anomaly: Override rate exceeds 20% for two consecutive months. (4) Fairness metric drift: Any demographic parity metric exceeds 0.08. (5) Regulatory change: Any relevant regulatory guidance or standard is published. (6) Incident: Any data breach or system failure affecting scoring. (7) Scheduled: Annual mandatory review regardless of triggers."},"fria_notification_plan":{"legalText":"Article 27(1)(f): The measures to be taken in the case of the materialisation of those risks.","explanation":"Describe the internal escalation, communication, and remediation steps you will take if identified risks materialise. Focus on concrete operational measures rather than generic commitments.","example":"Escalation and communication plan: (1) Immediate containment: suspend use of the affected model if override rates or complaint volumes exceed defined thresholds. (2) Internal escalation: compliance lead, legal, and business owner review the issue within one business day. (3) Remediation: apply human review to affected cases and re-run impacted decisions where necessary. (4) External communication: update affected persons and counterparties where required under applicable law and documented internal procedures."},"fria_dpia_conducted":{"legalText":"Article 27(4): If any of the obligations laid down in this Article is already met through the data protection impact assessment conducted pursuant to Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680, the fundamental rights impact assessment referred to in paragraph 1 of this Article shall complement that data protection impact assessment.","explanation":"Indicate whether you have already conducted a Data Protection Impact Assessment (DPIA) under GDPR Article 35 for this AI system. If yes, this FRIA can supplement rather than duplicate that assessment.","example":"Yes -- DPIA conducted in January 2026 (reference: DPIA-2026-001)"},"fria_dpia_reference":{"legalText":"Article 27(4): The fundamental rights impact assessment shall complement that data protection impact assessment.","explanation":"If a DPIA exists, provide its reference number and date so this FRIA can be linked to it.","example":"DPIA-2026-001, dated 2026-01-15, conducted by Data Protection Officer Dr. Maria Weber"},"fria_dpia_supplement":{"legalText":"Article 27(4): The fundamental rights impact assessment shall complement that data protection impact assessment.","explanation":"Explain how this FRIA adds to the DPIA. The DPIA focuses on data protection; the FRIA must cover broader fundamental rights like non-discrimination, access to services, and human dignity.","example":"This FRIA supplements DPIA-2026-001 by extending the rights analysis beyond data protection: (1) Non-discrimination analysis: The DPIA did not assess proxy discrimination risks through postal codes and employment patterns. (2) Access to services: The DPIA did not evaluate how credit denials affect access to essential financial services. (3) Human dignity: This FRIA assesses the impact of algorithmic decision-making on the dignity of applicants reduced to a numerical score. (4) Effective remedy: The FRIA adds a detailed complaint mechanism analysis not covered by the DPIA."},"fria_authority_notification":{"legalText":"Article 27(3): Once the assessment referred to in paragraph 1 of this Article has been performed, the deployer shall notify the market surveillance authority of its results, submitting the filled-out template referred to in paragraph 5 of this Article as part of the notification.","explanation":"Describe your plan for notifying the market surveillance authority of the FRIA results, including which authority is competent, what template will be submitted, and your internal responsibility for the notification.","example":"Authority notification plan: (1) Authority: identify the national market surveillance authority competent for this deployment context. (2) Package: submit the Article 27(5) template together with the FRIA results. (3) Responsibility: the compliance lead prepares the notification and legal reviews it before submission. (4) Timing: the notification is sent promptly once the FRIA has been completed and before the system is put into use."}}},"roleClassifier":{"backToHome":"Back to home","title":"Provider vs Deployer Classifier","subtitle":"Determine whether you are a Provider, Deployer, or both under the EU AI Act. This covers Article 3 definitions and Article 25 role-shifting rules.","yesButton":"Yes","noButton":"No","resetButton":"Start Over","progressLabel":"Progress","questionCount":"{answered} of {total} answered","readyToClassify":"Classification complete","answerAllQuestions":"Answer all questions to see your result"},"roleClassifierQuestions":{"developed_system":{"text":"Did you develop the AI system yourself or have it developed for you?","helpText":"This includes commissioning a third party to build the system on your behalf, as long as it is placed on the market or put into service under your name or trademark."},"own_branding":{"text":"Did you place a pre-existing AI system on the market under your own name or trademark?","helpText":"If you took an AI system already on the market and rebranded it under your company name, you may be considered a provider under the role-shifting rules."},"substantial_modification":{"text":"Did you make a substantial modification to a high-risk AI system already on the market?","helpText":"A substantial modification is a change not foreseen in the initial conformity assessment that affects compliance with the requirements or changes the intended purpose."},"changed_intended_purpose":{"text":"Did you change the intended purpose of an AI system, making it high-risk?","helpText":"If you repurposed an AI system (including a general-purpose AI model) in a way that makes it fall under a high-risk category, you become a provider."},"using_under_authority":{"text":"Are you using an AI system under your authority (not for personal use)?","helpText":"Any business, public authority, or professional use of an AI system qualifies. Personal non-professional use is excluded."},"also_deploys":{"text":"Do you also deploy (use) AI systems that were developed by others?","helpText":"If you both develop your own AI systems and use third-party AI systems, you may have obligations as both a provider and a deployer."},"also_provides":{"text":"Do you also develop or provide AI systems yourself?","helpText":"If you also build AI systems or place them on the market under your name, you have additional provider obligations."}},"roleClassifierHelp":{"developed_system":{"legalText":"Article 3(3): 'provider' means a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge.","explanation":"A provider is the entity responsible for developing and releasing an AI system. This includes cases where you commission development by a third party but market the system under your own brand.","example":"A fintech company that builds a credit-scoring ML model in-house and offers it as a SaaS product to banks is a provider."},"own_branding":{"legalText":"Article 25(1)(a): A distributor, importer, deployer or other third party shall be considered to be a provider of a high-risk AI system and shall be subject to the obligations of the provider if they put their name or trademark on a high-risk AI system already placed on the market.","explanation":"White-labeling or rebranding a high-risk AI system triggers role-shifting. You become the provider even though you did not build the system.","example":"A consulting firm licenses a high-risk HR screening tool from a vendor and offers it to clients under the consulting firm's brand name."},"substantial_modification":{"legalText":"Article 25(1)(b): A distributor, importer, deployer or other third party shall be considered to be a provider if they make a substantial modification to a high-risk AI system already placed on the market or put into service.","explanation":"Making changes to a high-risk AI system that were not anticipated in the original conformity assessment and that affect compliance or intended purpose makes you a provider.","example":"A bank deploys a vendor's fraud detection AI but retrains the model on their own customer data, significantly changing its behavior and performance characteristics."},"changed_intended_purpose":{"legalText":"Article 25(1)(c): A distributor, importer, deployer or other third party shall be considered to be a provider if they modify the intended purpose of an AI system, including a general-purpose AI system, which has already been placed on the market or put into service in such a way that the AI system becomes a high-risk AI system.","explanation":"Repurposing an AI system so that it falls into a high-risk category under the EU AI Act makes you a provider for that system.","example":"A company takes a general-purpose chatbot and deploys it as a tool for making employment decisions about job applicants, which falls under Annex III high-risk category 4."},"using_under_authority":{"legalText":"Article 3(4): 'deployer' means a natural or legal person, public authority, agency or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.","explanation":"If you use an AI system in a business or professional capacity, you are a deployer and subject to deployer obligations.","example":"A hospital that uses an AI diagnostic tool provided by a medical device company to assist doctors in reading X-rays is a deployer of that system."},"also_deploys":{"legalText":"Articles 3(3) and 3(4): An organization can simultaneously be a provider for systems it develops and a deployer for systems it uses from other providers.","explanation":"Many organizations both build their own AI tools and use third-party AI systems. In that case, you have both sets of obligations.","example":"A bank develops its own credit-scoring AI (provider) while also using a third-party AI system for customer service chatbots (deployer)."},"also_provides":{"legalText":"Articles 3(3) and 3(4): An organization can simultaneously be a deployer for systems it uses and a provider for systems it develops and places on the market.","explanation":"If you both use AI systems from others and develop AI systems yourself, you need to comply with obligations for both roles.","example":"A technology company uses a third-party AI tool for internal HR processes (deployer) but also develops and sells AI-powered analytics software to clients (provider)."}},"roleClassifierResult":{"yourRole":"Your Determined Role","roles":{"provider":"Provider","deployer":"Deployer","both":"Provider & Deployer"},"roleDescriptions":{"provider":"You are classified as a Provider under the EU AI Act. Providers bear the primary responsibility for ensuring AI systems comply with the regulation before they are placed on the market or put into service. You must fulfill all provider obligations including technical documentation, conformity assessment, and post-market monitoring.","deployer":"You are classified as a Deployer under the EU AI Act. Deployers must use AI systems in accordance with the provider's instructions, implement human oversight, monitor system operation, and comply with transparency and notification requirements.","both":"You are classified as both a Provider and a Deployer under the EU AI Act. This means you must comply with the full set of obligations for both roles — provider obligations for the systems you develop or place on the market, and deployer obligations for the systems you use from other providers."},"roleShiftWarningTitle":"Role-Shifting Detected (Article 25)","roleShiftWarningDescription":"Based on your answers, you have triggered role-shifting rules. Although you did not originally develop the AI system, certain actions have made you a provider under Article 25, which means you must fulfill all provider obligations.","roleShiftReasons":{"art_25_1_a":"You placed a high-risk AI system on the market under your own name or trademark (Art. 25(1)(a))","art_25_1_b":"You made a substantial modification to a high-risk AI system (Art. 25(1)(b))","art_25_1_c":"You changed the intended purpose of an AI system, making it high-risk (Art. 25(1)(c))"},"roleShiftCooperation":"Under Articles 25(2) and 25(3), the original provider must cooperate with you and provide the necessary information, documentation, and technical access to fulfill your new provider obligations.","applicableArticlesTitle":"Applicable Articles","reasoningTitle":"Classification Reasoning","reasoning":{"developed_system_provider":"You developed the AI system or had it developed for you, making you a provider under Article 3(3).","role_shift_branding":"You placed a high-risk AI system on the market under your own name or trademark, triggering role-shifting under Article 25(1)(a).","role_shift_modification":"You made a substantial modification to a high-risk AI system, triggering role-shifting under Article 25(1)(b).","role_shift_purpose":"You changed the intended purpose of an AI system in a way that makes it high-risk, triggering role-shifting under Article 25(1)(c).","using_under_authority_deployer":"You are using an AI system under your authority for business purposes, making you a deployer under Article 3(4).","also_deploys_both":"You also deploy AI systems developed by others, giving you deployer obligations in addition to your provider obligations.","also_provides_both":"You also develop or provide AI systems, giving you provider obligations in addition to your deployer obligations.","result_both":"Your final classification is both Provider and Deployer. You must comply with obligations for both roles.","result_provider":"Your final classification is Provider. You bear the primary responsibility for AI system compliance.","result_deployer":"Your final classification is Deployer. You must use AI systems in compliance with the regulation.","result_no_role_detected":"Based on your answers, no clear role was detected. You may not fall under the EU AI Act's scope, but we recommend consulting with a legal advisor.","role_shift_cooperation":"The original provider is obligated to cooperate with you and provide necessary information under Articles 25(2) and 25(3)."},"obligationsTitle":"Your Obligations","obligationCount":"{count} obligations","moreObligations":"...and {count} more obligations","viewFullObligations":"View Full Obligation Tracker","goToObligations":"Go to Obligation Tracker"},"riskManagement":{"title":"Risk Management System Builder","subtitle":"Build and document a complete Risk Management System (RMS) as required by Article 9 of the EU AI Act. Required for all providers of high-risk AI systems.","backToHome":"Back to home","stepCounter":"Section {current} of {total}","nextButton":"Next Section","backButton":"Previous Section","reviewButton":"Review & Export","saveProgress":"Progress saved automatically","requiredField":"Required","optionalField":"Optional","conditionalField":"Required if applicable","overallProgress":"Overall Completion","progressLabel":"{percentage}%","fieldsFilled":"{filled} of {total} required fields completed","sectionProgress":"{percentage}%","sectionNavLabel":"RMS sections","articleReference":"Ref: {ref}","helpAriaLabel":"Show help for {field}","integrationTitle":"Integration with Other Compliance Modules","integrationDescription":"Your Risk Management System should connect to and reference other compliance documents you have created.","integrationClassifier":"Classification: Your AI system's risk level determines the scope of the RMS (see Classifier).","integrationDocumentation":"Technical Documentation: Annex IV Section 5 requires a description of the RMS (see Documentation Generator).","integrationFria":"FRIA: If a Fundamental Rights Impact Assessment has been conducted, its findings should feed into your risk analysis (see FRIA Generator).","selectOptions":{"low":"Low","medium":"Medium","high":"High","critical":"Critical","yes":"Yes","no":"No","before_deployment":"Before deployment","quarterly":"Quarterly","semi_annually":"Semi-annually","annually":"Annually","continuous":"Continuous","monthly":"Monthly"},"sections":{"risk_identification":{"title":"Risk Identification & Analysis","description":"Identify and analyse the known and reasonably foreseeable risks that the high-risk AI system can pose to health, safety, or fundamental rights (Article 9(2)(a))."},"risk_estimation":{"title":"Risk Estimation & Evaluation","description":"Estimate and evaluate the risks that may emerge when the system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse (Article 9(2)(b))."},"risk_measures":{"title":"Risk Management Measures","description":"Define measures following the risk hierarchy: elimination, then mitigation, then adequate information and training to deployers (Article 9(8))."},"residual_risk":{"title":"Residual Risk Assessment","description":"Assess and document residual risks that remain after mitigation. Residual risks must be communicated to deployers and judged acceptable (Article 9(4))."},"testing":{"title":"Testing & Verification","description":"Define testing procedures to ensure risk management measures are effective. Testing must use preliminary defined metrics and probabilistic thresholds (Article 9(5))."},"continuous_iteration":{"title":"Continuous Iteration","description":"The RMS must be a continuous, iterative process planned and run throughout the entire lifecycle of the AI system (Article 9(1))."},"specific_considerations":{"title":"Specific Considerations","description":"Address special considerations for AI systems intended for children (Article 9(6)) and systems likely to impact vulnerable groups (Article 9(7))."}},"fields":{"rms_system_name":{"label":"AI System Name","placeholder":"e.g., CreditScore Pro v3.0","helpText":"The name of the AI system this Risk Management System covers."},"rms_system_description":{"label":"System Description","placeholder":"Describe the AI system, its architecture, and its key components...","helpText":"A brief description of the AI system's architecture, key components, and technical approach."},"rms_intended_purpose":{"label":"Intended Purpose","placeholder":"Describe the intended purpose of the AI system...","helpText":"The intended purpose of the AI system, which determines the scope of risk analysis."},"rms_known_risks":{"label":"Known Risks","placeholder":"List all known risks that the AI system can pose to health, safety, or fundamental rights...","helpText":"Risks that have been identified through design analysis, prior testing, literature review, or incident reports."},"rms_foreseeable_risks":{"label":"Reasonably Foreseeable Risks","placeholder":"List risks that could reasonably be foreseen even if not yet observed...","helpText":"Risks that a reasonable person could anticipate, even if they have not yet materialised in practice."},"rms_risk_sources":{"label":"Risk Sources & Categories","placeholder":"Describe the sources and categories of risks identified (e.g., data quality, model bias, operational errors)...","helpText":"Categorise the identified risks by their source: data-related, model-related, operational, integration, or environmental."},"rms_risk_likelihood":{"label":"Overall Risk Likelihood","placeholder":"Select likelihood","helpText":"The overall likelihood that the identified risks will materialise during intended use or foreseeable misuse."},"rms_risk_severity":{"label":"Overall Risk Severity","placeholder":"Select severity","helpText":"The overall severity of impact on health, safety, or fundamental rights if the identified risks materialise."},"rms_intended_use_risks":{"label":"Risks Under Intended Use","placeholder":"Describe risks that may emerge when the system is used as intended...","helpText":"Risks that may emerge when the AI system is used in accordance with its stated intended purpose."},"rms_misuse_risks":{"label":"Risks Under Foreseeable Misuse","placeholder":"Describe risks under conditions of reasonably foreseeable misuse...","helpText":"Risks that may emerge under conditions of reasonably foreseeable misuse, including use beyond the intended purpose."},"rms_evaluation_methodology":{"label":"Risk Evaluation Methodology","placeholder":"Describe the methodology used to estimate and evaluate risks (e.g., risk matrices, quantitative analysis, expert review)...","helpText":"The methodology and criteria used to estimate risk likelihood and severity, and to evaluate overall risk levels."},"rms_elimination_measures":{"label":"Risk Elimination Measures","placeholder":"Describe measures that eliminate identified risks through design and development...","helpText":"Measures that eliminate risks entirely through appropriate design and development choices. This is the highest priority in the risk hierarchy."},"rms_mitigation_measures":{"label":"Risk Mitigation Measures","placeholder":"Describe measures that reduce risks that cannot be fully eliminated...","helpText":"Where risks cannot be eliminated, describe measures to mitigate them to an acceptable level."},"rms_information_measures":{"label":"Information & Training Measures","placeholder":"Describe information, warnings, and training provided to deployers about residual risks...","helpText":"Where risks cannot be fully eliminated or mitigated, provide adequate information and training to the deployer. This is the lowest priority in the risk hierarchy."},"rms_combined_requirements":{"label":"Combined Requirements Consideration","placeholder":"Describe how risk management measures give due consideration to the effects and possible interactions from combined application of requirements...","helpText":"Per Article 9(3), risk management measures shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in Chapter III, Section 2."},"rms_measure_effectiveness":{"label":"Measure Effectiveness Assessment","placeholder":"Describe how the effectiveness of each risk management measure is assessed...","helpText":"How you assess and verify that each risk management measure achieves its intended risk reduction."},"rms_residual_risks_description":{"label":"Residual Risks Description","placeholder":"Describe the residual risks that remain after applying all risk management measures...","helpText":"The risks that remain after all elimination, mitigation, and information measures have been applied."},"rms_residual_risk_acceptability":{"label":"Residual Risk Acceptability","placeholder":"Explain why each residual risk is judged acceptable, considering the overall benefits of the system...","helpText":"Per Article 9(4), the overall residual risk of the high-risk AI system shall be judged acceptable, having regard to the benefits that the system delivers."},"rms_deployer_communication":{"label":"Communication to Deployers","placeholder":"Describe how residual risks are communicated to deployers...","helpText":"Per Article 9(4), residual risks shall be communicated to the deployer. Describe the format, channels, and content of this communication."},"rms_health_safety_considerations":{"label":"Health & Safety Impact Considerations","placeholder":"Describe specific considerations for health and safety impacts of residual risks...","helpText":"Additional considerations for residual risks that may impact health or safety of natural persons."},"rms_testing_procedures":{"label":"Testing Procedures","placeholder":"Describe the testing procedures to verify that risk management measures are effective...","helpText":"Per Article 9(5), testing shall ensure the AI system performs consistently for its intended purpose and complies with the requirements."},"rms_performance_metrics":{"label":"Performance Metrics","placeholder":"List the preliminary defined metrics used to assess system performance and risk levels...","helpText":"The specific metrics defined in advance against which the AI system's performance is measured."},"rms_probabilistic_thresholds":{"label":"Probabilistic Thresholds","placeholder":"Define the probabilistic thresholds that determine acceptable performance...","helpText":"Per Article 9(5), testing shall be made against preliminary defined metrics and probabilistic thresholds that are appropriate to the intended purpose."},"rms_testing_frequency":{"label":"Testing Frequency","placeholder":"Select testing frequency","helpText":"How frequently testing is conducted to verify continued compliance and effectiveness of risk measures."},"rms_testing_results":{"label":"Testing Results Summary","placeholder":"Summarise the results of testing conducted so far...","helpText":"A summary of testing results, including any issues identified and corrective actions taken."},"rms_lifecycle_plan":{"label":"Lifecycle Management Plan","placeholder":"Describe how the RMS is planned and run throughout the AI system's lifecycle...","helpText":"Per Article 9(1), the RMS must be a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system."},"rms_update_triggers":{"label":"RMS Update Triggers","placeholder":"Define the events or conditions that trigger an update of the RMS...","helpText":"Specific events, incidents, or changes that require the Risk Management System to be reviewed and updated."},"rms_review_schedule":{"label":"Regular Review Schedule","placeholder":"Select review frequency","helpText":"The planned frequency for systematic review and update of the Risk Management System."},"rms_documentation_management":{"label":"Documentation & Record Keeping","placeholder":"Describe how RMS documentation is maintained, versioned, and stored...","helpText":"Per Article 9(1), the RMS must be documented and maintained. Describe your documentation management approach."},"rms_post_market_integration":{"label":"Post-Market Monitoring Integration","placeholder":"Describe how post-market monitoring findings feed back into the RMS...","helpText":"How findings from post-market monitoring (Article 72) and incident reports are incorporated into RMS updates."},"rms_children_accessible":{"label":"Accessible by Children?","placeholder":"Select","helpText":"Per Article 9(6), if the system is intended to be used by or accessible to children, specific child-related risks must be considered."},"rms_children_risks":{"label":"Child-Specific Risks","placeholder":"Describe the specific risks for children identified and the measures taken to address them...","helpText":"Per Article 9(6), due account shall be taken of whether the high-risk AI system is likely to be accessed by or have an impact on children."},"rms_vulnerable_groups_impact":{"label":"Impact on Vulnerable Groups?","placeholder":"Select","helpText":"Per Article 9(7), consider whether the system is likely to be accessed by or have an impact on persons belonging to vulnerable groups."},"rms_vulnerable_groups_details":{"label":"Vulnerable Groups Risk Assessment","placeholder":"Describe the vulnerable groups identified, specific risks, and measures taken...","helpText":"Per Article 9(7), due regard shall be given to whether the system is likely to impact vulnerable groups due to age, disability, or social/economic situation."},"rms_integration_notes":{"label":"Integration Notes","placeholder":"Describe how this RMS connects to other compliance modules (classification, technical documentation, FRIA)...","helpText":"Notes on how this Risk Management System integrates with other EU AI Act compliance documents and processes."}},"review":{"title":"Review & Export","subtitle":"Review your Risk Management System documentation before exporting. All 7 sections are shown below.","backToEditor":"Back to editing","exportPdf":"Export as PDF","exportPdfAriaLabel":"Export Risk Management System as PDF using browser print dialog","exportPdfDescription":"Generate a print-ready version of your RMS documentation.","sectionEmpty":"No content provided. Start filling in the Risk Management System to see it here.","fieldEmpty":"Not provided","completionWarning":"Your RMS documentation is {percentage}% complete. We recommend filling all required fields before exporting.","overallRiskLevel":"Overall Assessed Risk Level","documentTitle":"Risk Management System — Article 9","documentSubtitle":"EU AI Act (Regulation (EU) 2024/1689)","generatedBy":"Generated by Witness","generatedOn":"Generated on {date}","integrationReminder":"Documentation Requirement: Article 9(1)","integrationReminderDetail":"The Risk Management System must be established, implemented, documented and maintained throughout the lifecycle of the high-risk AI system. This document should be referenced in your Annex IV technical documentation (Section 5).","disclaimer":"This document is generated to assist with EU AI Act compliance. It does not constitute legal advice. Verify all content with a qualified legal professional.","backToDashboard":"Back to Dashboard"},"help":{"rms_system_name":{"legalText":"Article 9(1): A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.","explanation":"Enter the official name of the AI system covered by this Risk Management System. This should match the name used in your technical documentation and CE declaration of conformity.","example":"CreditScore Pro v3.0 -- automated credit risk assessment system for consumer lending"},"rms_system_description":{"legalText":"Article 9(1): A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.","explanation":"Provide a brief technical description of the AI system. Include its architecture type (e.g., neural network, ensemble model), key components, and how data flows through the system.","example":"CreditScore Pro v3.0 is a gradient-boosted decision tree ensemble trained on 5 years of consumer lending data. It processes 38 input features (financial history, employment, demographics) through a feature engineering pipeline and outputs a credit risk score (0-1000) with confidence intervals."},"rms_intended_purpose":{"legalText":"Article 9(2)(a): Identification and analysis of the known and reasonably foreseeable risks that the high-risk AI system can pose to health, safety or fundamental rights.","explanation":"Describe what the AI system is designed to do. The intended purpose determines the scope of your risk analysis -- risks should be assessed in the context of this purpose.","example":"The system is intended to generate preliminary credit risk scores for consumer loan applications between EUR 1,000 and EUR 50,000 in the Austrian market. Scores serve as decision-support input for human credit analysts, not as autonomous decisions."},"rms_known_risks":{"legalText":"Article 9(2)(a): Identification and analysis of the known and reasonably foreseeable risks that the high-risk AI system can pose to health, safety or fundamental rights when the high-risk AI system is used in accordance with its intended purpose.","explanation":"List all risks you have already identified through design analysis, testing, literature review, or prior incidents. Be specific about what could go wrong and who could be affected.","example":"Known risks: (1) Algorithmic bias -- historical lending data contains patterns that may disadvantage applicants from certain postcodes (proxy discrimination). (2) Data staleness -- model accuracy degrades over time as economic conditions change. (3) Overreliance -- credit analysts may defer excessively to AI scores, reducing effective human oversight. (4) Privacy leakage -- feature importance analysis could reveal sensitive patterns about protected groups."},"rms_foreseeable_risks":{"legalText":"Article 9(2)(a): Identification and analysis of the known and reasonably foreseeable risks.","explanation":"List risks that have not yet materialised but could reasonably be anticipated. Think about edge cases, unusual conditions, and potential changes in the operating environment.","example":"Foreseeable risks: (1) Economic shock -- sudden recession could make the training data distribution unrepresentative of current conditions. (2) Adversarial manipulation -- applicants could game the system by manipulating input features. (3) Regulatory change -- changes to consumer credit regulation could make current risk factors legally inadmissible. (4) Integration failures -- changes to upstream data sources could introduce systematic errors."},"rms_risk_sources":{"legalText":"Article 9(2)(a): Identification and analysis of the known and reasonably foreseeable risks.","explanation":"Categorise risks by their source to ensure comprehensive coverage. Common categories include: data-related, model-related, operational, integration, and environmental risks.","example":"Risk sources: (1) Data risks: training data bias, data quality issues, concept drift. (2) Model risks: underfitting/overfitting, feature instability, lack of explainability. (3) Operational risks: system downtime, human oversight failures, incorrect input data. (4) Integration risks: API failures, data format changes, version incompatibility. (5) Environmental risks: regulatory changes, economic shifts, adversarial attacks."},"rms_risk_likelihood":{"legalText":"Article 9(2)(b): Estimation and evaluation of the risks that may emerge when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse.","explanation":"Assess the overall likelihood that identified risks will materialise. Consider historical data, testing results, and the operating environment.","example":"Medium -- based on provider testing showing 2-3% differential impact, quarterly monitoring data, and our mitigation measures."},"rms_risk_severity":{"legalText":"Article 9(2)(b): Estimation and evaluation of the risks that may emerge.","explanation":"Assess the overall severity of impact if risks materialise. Consider impacts on health, safety, fundamental rights, financial well-being, and whether impacts are reversible.","example":"High -- credit decisions directly affect access to financial services. Discriminatory denials can have lasting effects on economic participation and may violate fundamental rights to non-discrimination."},"rms_intended_use_risks":{"legalText":"Article 9(2)(b): Risks that may emerge when the high-risk AI system is used in accordance with its intended purpose.","explanation":"Even when used correctly, the AI system may generate risks. Describe what can go wrong during normal, intended operation.","example":"Under intended use: (1) Fair lending violations -- the model may systematically assign lower scores to applicants from underrepresented demographic groups. (2) Accuracy limitations -- the system achieves 91% accuracy, meaning roughly 9% of applicants receive incorrect risk assessments. (3) Opacity -- the model's decision-making process may be difficult for credit analysts to interpret and explain to applicants."},"rms_misuse_risks":{"legalText":"Article 9(2)(b): Risks under conditions of reasonably foreseeable misuse.","explanation":"Describe risks that arise when the system is used in ways not intended but that can reasonably be anticipated. This includes use beyond scope, ignoring limitations, or deliberate circumvention.","example":"Foreseeable misuse risks: (1) Scope creep -- using the system for commercial loans above EUR 50,000, beyond its validated range. (2) Autonomous decisions -- credit analysts bypassing human review and automatically applying AI scores. (3) Repurposing -- using credit scores for insurance pricing or employment screening. (4) Gaming -- loan brokers coaching applicants to manipulate input features."},"rms_evaluation_methodology":{"legalText":"Article 9(2)(b): Estimation and evaluation of the risks.","explanation":"Describe the specific methods used to estimate and evaluate risks. This should be systematic and reproducible.","example":"Methodology: (1) Quantitative risk matrix: 4x4 likelihood-severity matrix for each identified risk. (2) Statistical fairness testing: demographic parity, equalised odds, and calibration across 8 protected categories. (3) Expert review panel: quarterly review by Credit Risk Manager, Data Scientist, and Compliance Officer. (4) Stress testing: model performance under 3 economic scenario simulations. (5) Red team testing: semi-annual adversarial testing by external security firm."},"rms_elimination_measures":{"legalText":"Article 9(8): Risk management measures referred to in paragraph 2, point (d), shall be such that the relevant residual risk associated with each hazard, as well as the overall residual risk of the high-risk AI systems, is judged to be acceptable. Priority: eliminate risks through design.","explanation":"Describe measures that completely eliminate identified risks. This is the highest priority in the Article 9(8) risk hierarchy. Elimination means removing the source of the risk entirely.","example":"Elimination measures: (1) Removed postal code as a direct input feature to eliminate geographic proxy discrimination. (2) Excluded age as a model feature to eliminate direct age discrimination risk. (3) Implemented strict data access controls to eliminate unauthorised access to personal data. (4) Designed the system to reject out-of-scope applications (>EUR 50,000) to eliminate misuse risk."},"rms_mitigation_measures":{"legalText":"Article 9(8): Where elimination is not possible, risk management measures shall mitigate the risks.","explanation":"For risks that cannot be eliminated, describe how you reduce them to an acceptable level. This is the second priority in the risk hierarchy.","example":"Mitigation measures: (1) Fairness-aware training: demographic parity constraints (max 5% differential) built into the model training pipeline. (2) Mandatory human review for all denial decisions and borderline scores (400-600 range). (3) Monthly model retraining to address concept drift. (4) Real-time monitoring dashboard with automated alerts for performance degradation. (5) Redundant data validation pipeline to catch input data quality issues."},"rms_information_measures":{"legalText":"Article 9(8): Where elimination and mitigation are not sufficient, provide adequate information and training to deployers.","explanation":"For risks that remain after elimination and mitigation, describe the information, warnings, and training you provide to deployers so they can manage residual risks.","example":"Information measures: (1) Instructions for use document detailing all known limitations, accuracy metrics, and recommended oversight procedures. (2) 8-hour mandatory training program for credit analysts covering AI decision-making, bias awareness, and override procedures. (3) Quarterly risk bulletins communicating any changes to model performance or risk profile. (4) Clear warnings in the user interface when confidence levels are below threshold."},"rms_combined_requirements":{"legalText":"Article 9(3): The risk management measures referred to in paragraph 2, point (d), shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in this Section.","explanation":"Explain how your risk measures interact with other Chapter III requirements (data governance, transparency, human oversight, accuracy, etc.) and whether combining them creates any unintended effects.","example":"Combined requirements consideration: (1) Data governance (Art. 10) interaction: our bias mitigation in the RMS drives specific data quality requirements in our data governance framework. (2) Transparency (Art. 13) interaction: risk communication measures align with our instructions for use document. (3) Human oversight (Art. 14) interaction: our mandatory human review for borderline scores is designed as both a risk mitigation measure and a human oversight measure. (4) No conflicting interactions identified between accuracy requirements and fairness constraints."},"rms_measure_effectiveness":{"legalText":"Article 9(8): Risk management measures shall be such that the relevant residual risk is judged to be acceptable.","explanation":"Describe how you verify that each risk management measure actually achieves its intended risk reduction. Include metrics, testing, and review processes.","example":"Effectiveness assessment: (1) Fairness constraints: monthly demographic parity testing -- target <5% differential achieved consistently (current: 3.2%). (2) Human review: override rate monitored monthly -- current 12% (within 8-15% expected range). (3) Model retraining: accuracy comparison before/after retraining -- improvement of 1.5% observed in last cycle. (4) Alert system: 100% of simulated anomalies correctly detected in last quarterly test."},"rms_residual_risks_description":{"legalText":"Article 9(4): The risk management measures referred to in paragraph 2, point (d), shall be such that the relevant residual risk associated with each hazard, as well as the overall residual risk of the high-risk AI systems, is judged to be acceptable.","explanation":"Describe the specific risks that remain after all elimination, mitigation, and information measures have been applied. Be honest and precise about what cannot be fully addressed.","example":"Residual risks: (1) Irreducible model uncertainty -- approximately 9% of applications will receive scores that differ from expert human assessment (inherent limitation of statistical modelling). (2) Historical bias residue -- despite fairness constraints, subtle patterns from historical data may still influence scores at the margins. (3) Novel applicant profiles -- applicants with unusual financial profiles not well-represented in training data may receive less accurate scores."},"rms_residual_risk_acceptability":{"legalText":"Article 9(4): The overall residual risk of the high-risk AI systems shall be judged to be acceptable, having regard to the benefits that the system delivers.","explanation":"Explain why you judge each residual risk to be acceptable, weighing the remaining risk against the benefits the AI system provides.","example":"Acceptability justification: (1) 9% uncertainty rate is comparable to inter-rater reliability among human credit analysts (typically 85-90% agreement), and is further mitigated by mandatory human review. (2) Historical bias residue is monitored quarterly with statistical tests, and any statistically significant disparity triggers immediate review. (3) The system processes 60,000 applications per year with consistent, transparent criteria -- without it, decisions would be more subjective and less auditable. Benefits: faster processing (2 min vs 45 min), improved consistency, and better documentation of decision rationale."},"rms_deployer_communication":{"legalText":"Article 9(4): Residual risks shall be communicated to the deployer.","explanation":"Describe how and when you communicate residual risks to deployers. This is a mandatory requirement -- deployers need this information to fulfil their own obligations.","example":"Communication plan: (1) Initial disclosure: full residual risk register included in the Instructions for Use document delivered before deployment. (2) Ongoing updates: quarterly Risk Bulletin email to all registered deployers with updated residual risk metrics. (3) Format: standardised risk communication template including risk description, likelihood, severity, affected groups, and recommended deployer actions. (4) Acknowledgement: deployers must acknowledge receipt and understanding of residual risk communication."},"rms_health_safety_considerations":{"legalText":"Article 9(4): Residual risks associated with each hazard and the overall residual risk.","explanation":"If your AI system's residual risks could impact health or physical safety, describe specific considerations and additional safeguards.","example":"Health/safety considerations: While this credit scoring system does not directly impact physical health, denial of credit can affect access to essential services. We mitigate this through: (1) mandatory human review of all denials, (2) right to request manual reassessment, and (3) clear communication of alternative credit options."},"rms_testing_procedures":{"legalText":"Article 9(5): Testing of high-risk AI systems shall be performed, as appropriate, at any time throughout the development process, and, in any event, prior to their being placed on the market or put into service. Testing shall be made against preliminary defined metrics and probabilistic thresholds that are appropriate to the intended purpose of the high-risk AI system.","explanation":"Describe the specific testing procedures used to verify that risk management measures are effective and the system performs consistently.","example":"Testing procedures: (1) Pre-deployment validation: 5-fold cross-validation on held-out test set (20% of data), stratified by demographic groups. (2) Fairness audit: demographic parity and equalised odds testing across gender, age groups (4 bands), nationality (EU/non-EU), and employment type (6 categories). (3) Stress testing: performance under 3 economic scenarios (baseline, mild recession, severe recession). (4) Adversarial testing: semi-annual penetration testing of input manipulation vectors. (5) A/B testing: comparison of AI-assisted vs. manual-only credit assessments on random sample."},"rms_performance_metrics":{"legalText":"Article 9(5): Testing shall be made against preliminary defined metrics.","explanation":"List the specific, measurable metrics you have defined in advance to assess both system performance and the effectiveness of risk management measures.","example":"Defined metrics: (1) Accuracy: overall concordance with expert human assessment >= 90%. (2) Discrimination: demographic parity difference < 5% across all protected groups. (3) Calibration: predicted probabilities within 3% of observed default rates per risk band. (4) Stability: feature importance ranking shift < 15% between quarterly assessments. (5) Override rate: human override rate between 8% and 15% (too low suggests overreliance, too high suggests poor model quality)."},"rms_probabilistic_thresholds":{"legalText":"Article 9(5): Testing shall be made against probabilistic thresholds that are appropriate to the intended purpose.","explanation":"Define the specific numerical thresholds that determine whether the system passes or fails each metric. These must be defined before testing begins.","example":"Probabilistic thresholds: (1) Pass/fail: AUC-ROC >= 0.85 (critical threshold, system suspended below 0.80). (2) Fairness: Disparate Impact Ratio between 0.80 and 1.25 for all protected groups (below 0.80 triggers immediate review). (3) Calibration: Hosmer-Lemeshow p-value > 0.05 across all risk bands. (4) Confidence: system must output a confidence score; decisions with confidence < 0.65 automatically routed to manual review."},"rms_testing_frequency":{"legalText":"Article 9(5): Testing of high-risk AI systems shall be performed, as appropriate, at any time throughout the development process.","explanation":"Select how frequently you conduct systematic testing of the AI system and its risk management measures.","example":"Quarterly -- comprehensive testing every 3 months, with continuous automated monitoring between scheduled tests."},"rms_testing_results":{"legalText":"Article 9(5): Testing shall ensure consistent performance and compliance.","explanation":"Summarise the results of testing conducted to date. Include pass/fail status for each metric and any corrective actions taken.","example":"Latest results (Q4 2025): (1) Accuracy: AUC-ROC = 0.88 (PASS, threshold 0.85). (2) Fairness: DI ratio range 0.87-1.12 across all groups (PASS, threshold 0.80-1.25). (3) Calibration: H-L p-value = 0.12 (PASS, threshold > 0.05). (4) Stability: max feature shift 11% (PASS, threshold 15%). Action taken: retrained model with Q4 data to address slight accuracy decline from 0.91 to 0.88."},"rms_lifecycle_plan":{"legalText":"Article 9(1): A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems. It shall consist of a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system.","explanation":"Describe how the Risk Management System is maintained as a living document throughout the AI system's lifecycle, from development through deployment, operation, and eventual decommissioning.","example":"Lifecycle plan: (1) Development phase: initial risk assessment during design, updated after each development sprint. (2) Pre-deployment: comprehensive risk assessment and testing before market placement. (3) Operation phase: continuous monitoring with quarterly comprehensive reviews. (4) Update phase: full risk reassessment before any model update or significant change. (5) Decommissioning: final risk assessment including data retention and transition risks."},"rms_update_triggers":{"legalText":"Article 9(1): A continuous iterative process planned and run throughout the entire lifecycle.","explanation":"Define the specific events or conditions that trigger an unscheduled review and update of the Risk Management System.","example":"Update triggers: (1) Model update: any change to the model architecture, training data, or feature set. (2) Incident report: any serious incident per Article 73 or complaint involving AI-related harm. (3) Performance degradation: any metric falling below warning threshold (5% above critical threshold). (4) Regulatory change: new guidance from the AI Office or national authorities. (5) Environmental change: significant change in economic conditions, user population, or deployment context."},"rms_review_schedule":{"legalText":"Article 9(1): A continuous iterative process planned and run throughout the entire lifecycle.","explanation":"Select the frequency for scheduled, systematic reviews of the entire Risk Management System.","example":"Quarterly -- aligned with testing schedule and board reporting cycle."},"rms_documentation_management":{"legalText":"Article 9(1): A risk management system shall be established, implemented, documented and maintained.","explanation":"Describe how RMS documentation is created, versioned, stored, and made available for regulatory inspection.","example":"Documentation management: (1) Version control: all RMS documents stored in compliance document management system with full version history. (2) Retention: minimum 10 years per Article 18. (3) Access: available to market surveillance authorities within 24 hours upon request. (4) Format: structured digital format (PDF/A for archival) plus machine-readable risk register. (5) Review log: all changes tracked with author, date, and change rationale."},"rms_post_market_integration":{"legalText":"Article 9(1): The risk management system shall require regular systematic updating to ensure its continued appropriateness.","explanation":"Describe how findings from post-market monitoring (Article 72) and serious incident reporting (Article 73) feed back into updates to the Risk Management System.","example":"Post-market integration: (1) Automated monitoring feeds: system performance metrics, override rates, and complaint volumes automatically feed into RMS dashboards. (2) Incident integration: any Article 73 serious incident report triggers immediate RMS review and update. (3) Complaint analysis: monthly analysis of AI-related complaints for emerging risk patterns. (4) Provider updates: regular review of provider's post-market monitoring reports for new risk information. (5) Feedback loop: RMS updates drive changes to testing procedures, training materials, and operational procedures."},"rms_children_accessible":{"legalText":"Article 9(6): Testing shall include, as appropriate, testing in real-world conditions in accordance with Article 9a. Due account shall be taken of whether the high-risk AI system is likely to be accessed by or have an impact on children.","explanation":"Indicate whether the AI system is intended for use by children or may be accessed by children. If yes, additional child-specific risk considerations are required.","example":"No -- the credit scoring system is designed for adult applicants only. Minimum applicant age is 18 years."},"rms_children_risks":{"legalText":"Article 9(6): Due account shall be taken of whether the high-risk AI system is likely to be accessed by or have an impact on children.","explanation":"If the system may be accessed by or impact children, describe the specific risks and protective measures. Consider developmental impacts, consent issues, and age-appropriate design.","example":"N/A -- system restricted to adults (18+). Age verification is enforced at the application stage through identity document verification."},"rms_vulnerable_groups_impact":{"legalText":"Article 9(7): Due regard shall be given to whether the high-risk AI system is likely to be accessed by or have an impact on persons belonging to a vulnerable group.","explanation":"Indicate whether the AI system may impact persons from vulnerable groups such as elderly persons, persons with disabilities, or persons in precarious economic situations.","example":"Yes -- the credit scoring system may impact elderly applicants, recent migrants, and persons with limited credit history."},"rms_vulnerable_groups_details":{"legalText":"Article 9(7): Due regard shall be given to whether the high-risk AI system is likely to be accessed by or have an impact on persons belonging to a vulnerable group due to their age, disability or social or economic situation.","explanation":"Describe which vulnerable groups may be affected, the specific risks they face, and the measures you have taken to protect them.","example":"Vulnerable groups assessment: (1) Elderly applicants (65+): May have non-traditional income patterns (pensions, investments) that the model handles less accurately. Mitigation: enhanced human review for all 65+ applicants, specialised training for credit analysts on retirement-age financial profiles. (2) Recent migrants: Limited domestic credit history may lead to unfairly low scores. Mitigation: alternative data pathways for applicants with <2 years credit history, mandatory manual assessment pathway. (3) Economically disadvantaged: System may perpetuate existing financial exclusion. Mitigation: separate affordability assessment pathway for micro-loans under EUR 5,000."},"rms_integration_notes":{"legalText":"Article 9(1): A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.","explanation":"Document how this Risk Management System connects to and references your other EU AI Act compliance documents, including technical documentation, FRIA, and post-market monitoring plan.","example":"Integration notes: (1) Technical Documentation (Annex IV): This RMS is referenced in Section 5 of our Annex IV documentation (doc ref: TD-2026-001-v3). (2) FRIA (Art. 27): FRIA findings (ref: FRIA-2026-001) feed into Section 1 risk identification and Section 4 residual risk assessment. (3) Post-Market Monitoring (Art. 72): PMS plan (ref: PMS-2026-001) defines the monitoring metrics that trigger RMS updates. (4) Conformity Assessment (Art. 43): RMS reviewed as part of self-assessment per Annex VI."}}},"blog":{"title":"Blog","subtitle":"Insights on EU AI Act compliance, AI regulation, and building trustworthy AI systems.","minRead":"min read","ctaTitle":"Check if the EU AI Act applies to you","ctaSubtitle":"Free classification in 3 minutes. No signup required.","ctaButton":"Get Started","backToBlog":"Back to Blog"},"nav":{"academy":"Academy","toggleMenu":"Toggle menu","signIn":"Sign In","signOut":"Sign Out","dashboard":"Dashboard","getStarted":"Get Started","askAI":"Expert Chat","blog":"Blog","pricing":"Pricing","freeTools":"Free Tools","features":"Features","about":"About"},"conformity":{"backToHome":"Back to home","title":"Conformity Assessment Preparation","subtitle":"Prepare your conformity assessment per Article 43 of the EU AI Act. This wizard guides you through the self-assessment (Annex VI) or third-party assessment (Annex VII) process, QMS review, declaration of conformity, and CE marking.","backButton":"Back","nextButton":"Next","reviewButton":"Review & Export","stepCounter":"Step {current} of {total}","overallProgress":"Overall Progress","progressLabel":"{percentage}%","fieldsFilled":"{filled} of {total} required fields completed","sectionNavLabel":"Assessment sections","sectionProgress":"{percentage}%","requiredField":"Required","conditionalField":"Conditional","optionalField":"Optional","articleReference":"{ref}","helpAriaLabel":"Help for {field}","saveProgress":"Your progress is saved automatically in this browser session.","assessmentPath":{"selfAssessmentTitle":"Self-Assessment Path (Annex VI)","selfAssessmentDescription":"Based on your AI system category, you qualify for the internal control procedure under Annex VI. You can complete the conformity assessment yourself without involving a notified body.","thirdPartyTitle":"Third-Party Assessment Required (Annex VII)","thirdPartyDescription":"Your AI system falls under Annex III Area 1 (biometrics) and harmonised standards do not cover all requirements. A notified body must be involved in the conformity assessment per Annex VII."},"sections":{"assessment_path":{"title":"Assessment Path","description":"Determine whether your AI system requires a self-assessment (Annex VI) or a third-party conformity assessment (Annex VII) based on the system category and available harmonised standards."},"qms_checklist":{"title":"QMS Compliance Checklist","description":"Verify compliance with the Quality Management System requirements of Article 17. The QMS must address each of the following areas proportionate to the size of your organisation."},"documentation_review":{"title":"Technical Documentation Review","description":"Review the completeness of your technical documentation against Articles 8-15 and Annex IV requirements. This verifies that all required sections are prepared for the conformity assessment."},"declaration_of_conformity":{"title":"EU Declaration of Conformity","description":"Build your EU Declaration of Conformity per Article 47. This declaration must be issued under the sole responsibility of the provider before placing the AI system on the market."},"ce_marking":{"title":"CE Marking Guidance","description":"Ensure proper CE marking per Article 48. The CE marking must be affixed visibly, legibly, and indelibly to the AI system, its packaging, or accompanying documentation."},"reassessment_triggers":{"title":"Re-Assessment Monitoring","description":"Plan for ongoing conformity. Article 43(4) requires a new conformity assessment after any substantial modification to the AI system."}},"fields":{"conf_system_name":{"label":"AI System Name","placeholder":"Enter the name of your AI system","helpText":"The official name used to identify this AI system."},"conf_system_category":{"label":"High-Risk Category (Annex III Area)","placeholder":"Select the applicable Annex III area","helpText":"The Annex III area determines whether you need self-assessment (Annex VI) or third-party assessment (Annex VII). Only biometrics (Area 1) requires third-party assessment."},"conf_harmonised_standards":{"label":"Harmonised Standards Applied","placeholder":"Select whether harmonised standards cover all requirements","helpText":"If harmonised standards covering all applicable requirements have been applied, even biometrics systems can use self-assessment. Partial coverage is not sufficient."},"conf_system_description":{"label":"System Description","placeholder":"Describe the AI system's architecture and main components","helpText":"A brief technical description of the system for the conformity assessment record."},"conf_intended_purpose":{"label":"Intended Purpose","placeholder":"Describe the intended purpose and use cases","helpText":"The purpose for which the AI system is intended, as defined in the instructions for use."},"conf_qms_strategy_compliance":{"label":"Regulatory Compliance Strategy","placeholder":"Select compliance status","helpText":"Strategy for ensuring compliance with the AI Act, including procedures for conformity assessment and management of changes."},"conf_qms_design_procedures":{"label":"Design & Development Procedures","placeholder":"Select compliance status","helpText":"Techniques, procedures, and systematic actions for design, design control, and design verification."},"conf_qms_development_control":{"label":"Development & Quality Control","placeholder":"Select compliance status","helpText":"Techniques, procedures, and systematic actions for development, quality control, and quality assurance."},"conf_qms_quality_control":{"label":"Examination, Test & Validation","placeholder":"Select compliance status","helpText":"Examination, test, and validation procedures before, during, and after development, and the frequency of these checks."},"conf_qms_standards_specs":{"label":"Technical Standards & Specifications","placeholder":"Select compliance status","helpText":"Technical specifications, including standards, to be applied and, where relevant, means to ensure conformity."},"conf_qms_data_management":{"label":"Data Management Systems","placeholder":"Select compliance status","helpText":"Systems and procedures for data management, including data acquisition, collection, analysis, labelling, storage, filtering, mining, aggregation, retention, and any other data operation."},"conf_qms_risk_management":{"label":"Risk Management System","placeholder":"Select compliance status","helpText":"The risk management system referred to in Article 9, covering identification, analysis, evaluation, and mitigation of risks."},"conf_qms_post_market_monitoring":{"label":"Post-Market Monitoring","placeholder":"Select compliance status","helpText":"Post-market monitoring system as required by Article 72, including procedures and frequency of monitoring activities."},"conf_qms_incident_reporting":{"label":"Serious Incident Reporting","placeholder":"Select compliance status","helpText":"Procedures for reporting serious incidents and malfunctioning in accordance with Article 73."},"conf_qms_communication_authorities":{"label":"Communication with Authorities","placeholder":"Select compliance status","helpText":"Procedures for communication with national competent authorities, notified bodies, and other relevant entities."},"conf_qms_corrective_actions":{"label":"Corrective & Preventive Actions","placeholder":"Select compliance status","helpText":"Systems and procedures for record-keeping of all relevant documents and information, and for handling corrective actions."},"conf_qms_accountability":{"label":"Resource Management & Accountability","placeholder":"Select compliance status","helpText":"Procedures for resource management, including supply-chain related measures, ensuring adequate human resources with appropriate competence."},"conf_doc_system_description":{"label":"General System Description (Annex IV, Section 1)","placeholder":"Select documentation status","helpText":"Overall system description including intended purpose, provider details, system version, and hardware/software requirements."},"conf_doc_risk_management":{"label":"Risk Management Documentation (Art. 9)","placeholder":"Select documentation status","helpText":"Documentation of the risk management system per Article 9, including risk identification, analysis, estimation, evaluation, and treatment."},"conf_doc_data_governance":{"label":"Data Governance Documentation (Art. 10)","placeholder":"Select documentation status","helpText":"Documentation of data governance and management practices including training data, validation data, and testing data descriptions."},"conf_doc_monitoring":{"label":"Logging & Monitoring Capabilities (Art. 12)","placeholder":"Select documentation status","helpText":"Documentation of automatic logging capabilities enabling traceability and monitoring of the AI system's functioning."},"conf_doc_human_oversight":{"label":"Human Oversight Measures (Art. 14)","placeholder":"Select documentation status","helpText":"Documentation of human oversight measures built into the AI system or identified by the provider."},"conf_doc_accuracy_robustness":{"label":"Accuracy, Robustness & Cybersecurity (Art. 15)","placeholder":"Select documentation status","helpText":"Documentation of accuracy and robustness levels, cybersecurity measures, and known limitations."},"conf_doc_instructions_use":{"label":"Instructions for Use (Art. 13)","placeholder":"Select documentation status","helpText":"Documentation of instructions for deployers including contact details, system capabilities, limitations, and foreseeable misuse."},"conf_doc_design_process":{"label":"Design & Development Process Description","placeholder":"Describe how the design and development process is consistent with the technical documentation","helpText":"Describe how the actual design and development process matches what is documented in the technical documentation (Annex VI requirement)."},"conf_doc_post_market_plan":{"label":"Post-Market Monitoring Plan (Art. 72)","placeholder":"Select documentation status","helpText":"A documented plan for post-market monitoring proportionate to the nature of the AI system and the risks involved."},"conf_decl_provider_name":{"label":"Provider Name","placeholder":"Enter the legal name of the provider","helpText":"The full legal name of the provider issuing this declaration of conformity."},"conf_decl_provider_address":{"label":"Provider Address","placeholder":"Enter the registered address of the provider","helpText":"The registered business address of the provider."},"conf_decl_system_name":{"label":"AI System Name","placeholder":"Enter the AI system name as it will appear on the declaration","helpText":"The name of the AI system as used in official documentation and market placement."},"conf_decl_system_type":{"label":"AI System Type","placeholder":"Enter the type or model designation","helpText":"The type, batch, or serial number, or other element allowing unique identification of the AI system."},"conf_decl_system_reference":{"label":"Additional Reference","placeholder":"Enter any additional reference numbers or identifiers","helpText":"Any additional unambiguous reference allowing identification of the AI system."},"conf_decl_conformity_statement":{"label":"Statement of Conformity","placeholder":"Enter the conformity statement, e.g., 'The above-described AI system is in conformity with Regulation (EU) 2024/1689.'","helpText":"A statement that this declaration is issued under the sole responsibility of the provider and that the AI system complies with the AI Act."},"conf_decl_harmonised_standards":{"label":"Harmonised Standards Used","placeholder":"List any harmonised standards applied (e.g., EN ISO 12345:2025)","helpText":"References to relevant harmonised standards used, including date and version. If no harmonised standards were applied, leave blank."},"conf_decl_common_specifications":{"label":"Common Specifications Used","placeholder":"List any common specifications applied","helpText":"References to common specifications adopted by the Commission, if used instead of or in addition to harmonised standards."},"conf_decl_notified_body_name":{"label":"Notified Body Name","placeholder":"Enter the name of the notified body","helpText":"Only required for third-party assessment (Annex VII). The name of the notified body that performed the assessment."},"conf_decl_notified_body_number":{"label":"Notified Body Identification Number","placeholder":"Enter the identification number","helpText":"Only required for third-party assessment. The EU identification number assigned to the notified body."},"conf_decl_certificate_reference":{"label":"Certificate Reference","placeholder":"Enter the certificate number or reference","helpText":"Only required for third-party assessment. The reference number of the certificate issued by the notified body."},"conf_decl_place":{"label":"Place of Issue","placeholder":"Enter the city and country","helpText":"The place where the declaration of conformity is issued."},"conf_decl_date":{"label":"Date of Issue","placeholder":"","helpText":"The date on which the declaration of conformity is first issued or updated."},"conf_decl_signatory_name":{"label":"Signatory Name","placeholder":"Enter the full name of the person signing","helpText":"The name of the natural person signing the declaration on behalf of the provider."},"conf_decl_signatory_function":{"label":"Signatory Function","placeholder":"Enter the function/title, e.g., 'Chief Technology Officer'","helpText":"The function or title of the person signing the declaration."},"conf_ce_placement_method":{"label":"CE Marking Placement","placeholder":"Select where the CE marking will be placed","helpText":"The CE marking must be affixed to the AI system in a visible, legible, and indelible manner. If not possible on the product itself, it can be placed on packaging or documentation."},"conf_ce_visibility_check":{"label":"Visible?","placeholder":"Is the CE marking visible?","helpText":"The CE marking must be visible when the AI system is in its normal operating position or packaging."},"conf_ce_legibility_check":{"label":"Legible?","placeholder":"Is the CE marking legible?","helpText":"The CE marking must be legible — minimum height 5mm unless justified by the nature of the AI system."},"conf_ce_indelibility_check":{"label":"Indelible?","placeholder":"Is the CE marking indelible?","helpText":"The CE marking must be indelible and not easily removed or altered."},"conf_ce_digital_marking":{"label":"Digital CE Marking","placeholder":"Will a digital CE marking be used?","helpText":"For software-only AI systems or where physical marking is impractical, a digital CE marking may be used in the user interface or documentation."},"conf_ce_notes":{"label":"Additional CE Marking Notes","placeholder":"Enter any additional notes about CE marking implementation","helpText":"Any additional information about how CE marking requirements will be met for this AI system."},"conf_reassess_monitoring_plan":{"label":"Substantial Modification Monitoring Plan","placeholder":"Describe how you will monitor for substantial modifications that would trigger re-assessment","helpText":"Article 43(4) requires a new conformity assessment after any substantial modification. Describe your process for monitoring changes."},"conf_reassess_modification_criteria":{"label":"Modification Assessment Criteria","placeholder":"Define criteria for what constitutes a 'substantial modification' for this system","helpText":"Define specific criteria for determining whether a change to the AI system constitutes a substantial modification requiring re-assessment."},"conf_reassess_responsible_person":{"label":"Responsible Person","placeholder":"Enter the name or role responsible for modification assessment","helpText":"The person or role responsible for evaluating whether modifications trigger a new conformity assessment."},"conf_reassess_review_frequency":{"label":"Review Frequency","placeholder":"Select how often modification reviews will occur","helpText":"How frequently the system will be reviewed for potential substantial modifications."}},"help":{"conf_system_name":{"legalText":"Article 43(1): Before placing on the market or putting into service, providers of high-risk AI systems shall ensure that the AI system undergoes the relevant conformity assessment procedure.","explanation":"Enter the official name of the AI system that will undergo conformity assessment. This should match the name used in your technical documentation and market placement materials.","example":"CreditScore AI v2.1 — Automated Credit Risk Assessment System"},"conf_system_category":{"legalText":"Article 43(1) subpara 2: For high-risk AI systems referred to in Annex III, point 1 (biometrics), the provider shall follow the conformity assessment procedure based on Annex VII (third-party). For all other Annex III systems, the provider may follow Annex VI (self-assessment).","explanation":"Select the Annex III high-risk category your system falls into. This determines which assessment path applies — only biometrics requires third-party assessment by default.","example":"If your system performs facial recognition for identity verification, select 'Biometrics'. For an AI-powered recruitment tool, select 'Employment'."},"conf_harmonised_standards":{"legalText":"Article 43(1): Where the provider has applied harmonised standards covering the applicable requirements, and these have been published in the Official Journal, the provider may choose the self-assessment procedure even for biometric systems.","explanation":"Indicate whether you have applied published harmonised standards that cover all applicable requirements. Full coverage allows biometrics providers to use self-assessment.","example":"Select 'Yes' if you have applied EN-standard XYZ that covers all requirements for your biometric system. Select 'No' if no harmonised standards exist or you have not applied them."},"conf_system_description":{"legalText":"Annex VI requires the provider to verify that the quality management system and the examination of the technical documentation are consistent with the AI system as designed and developed.","explanation":"Provide a concise technical description of the AI system including its main components, architecture, and operating principles.","example":"Machine learning-based credit scoring system using gradient boosting on applicant financial data. Deployed as a cloud API service integrated into our loan origination platform."},"conf_intended_purpose":{"legalText":"Article 6(1) and Annex IV require clear documentation of the intended purpose. The intended purpose determines the applicable requirements and risk classification.","explanation":"Describe what the AI system is designed to do, in what context it operates, and what decisions it supports or makes.","example":"Automated assessment of creditworthiness for consumer loan applications up to EUR 50,000. The system provides a risk score and recommendation to human loan officers."},"conf_qms_strategy_compliance":{"legalText":"Article 17(1)(a): A strategy for regulatory compliance, including conformity assessment procedures and management of changes to the high-risk AI system.","explanation":"Assess whether your organization has a documented strategy for ensuring ongoing AI Act compliance, including conformity assessment and change management procedures.","example":"Compliant: We have a documented AI compliance strategy reviewed quarterly, with designated compliance officers and defined processes for conformity assessment and change management."},"conf_qms_design_procedures":{"legalText":"Article 17(1)(b): Techniques, procedures, and systematic actions to be used for the design, design control, and design verification of the high-risk AI system.","explanation":"Assess whether you have documented design and verification procedures specifically for the AI system's development lifecycle.","example":"Compliant: Design reviews at each development milestone, formal verification of model architecture against requirements, documented design decisions."},"conf_qms_development_control":{"legalText":"Article 17(1)(c): Techniques, procedures, and systematic actions to be used for the development, quality control, and quality assurance of the high-risk AI system.","explanation":"Assess whether development follows controlled, documented quality processes with appropriate checks.","example":"Compliant: CI/CD pipeline with automated testing, code reviews for all changes, documented development process with quality gates."},"conf_qms_quality_control":{"legalText":"Article 17(1)(d): Examination, test, and validation procedures to be carried out before, during, and after development, and the frequency with which they have to be carried out.","explanation":"Assess whether testing and validation procedures exist for each development phase with defined frequencies.","example":"Compliant: Unit testing (continuous), integration testing (weekly), validation against production data (monthly), fairness testing (quarterly)."},"conf_qms_standards_specs":{"legalText":"Article 17(1)(e): Technical specifications, including standards, to be applied and, where the relevant harmonised standards are not applied in full, the means to be used to ensure compliance.","explanation":"Assess whether applicable technical standards have been identified and applied to the system.","example":"Compliant: Applied ISO/IEC 42001 for AI management, ISO/IEC 25012 for data quality, with documented mapping of standards to requirements."},"conf_qms_data_management":{"legalText":"Article 17(1)(f): Systems and procedures for data management, including data acquisition, collection, analysis, labelling, storage, filtration, mining, aggregation, retention, and any other operation regarding the data.","explanation":"Assess whether comprehensive data management procedures cover the full data lifecycle used by the AI system.","example":"Compliant: Data governance framework covering data sourcing, quality checks, GDPR-compliant storage, retention policies, and audit trails for all data operations."},"conf_qms_risk_management":{"legalText":"Article 17(1)(g): The risk management system referred to in Article 9.","explanation":"Assess whether a risk management system per Article 9 is in place, covering the full AI system lifecycle.","example":"Compliant: Documented risk management process with risk registry, regular risk assessments, defined risk thresholds, and mitigation measures reviewed quarterly."},"conf_qms_post_market_monitoring":{"legalText":"Article 17(1)(h): The setting-up, implementation, and maintenance of a post-market monitoring system, in accordance with Article 72.","explanation":"Assess whether a post-market monitoring system is established to collect and analyze system performance data after deployment.","example":"Compliant: Automated monitoring of model performance, drift detection, feedback collection from deployers, and documented escalation procedures."},"conf_qms_incident_reporting":{"legalText":"Article 17(1)(i): Procedures related to the reporting of a serious incident in accordance with Article 73.","explanation":"Assess whether procedures exist for identifying, documenting, and reporting serious incidents involving the AI system.","example":"Compliant: Incident classification criteria defined, 72-hour reporting timeline documented, responsible persons designated, reporting templates prepared."},"conf_qms_communication_authorities":{"legalText":"Article 17(1)(j): The handling of communication with national competent authorities, other relevant authorities, including those providing or supporting access to data, notified bodies, and other operators.","explanation":"Assess whether procedures exist for regulatory communication and cooperation with relevant authorities.","example":"Compliant: Designated regulatory liaison, documented procedures for responding to authority requests, templates for mandatory notifications."},"conf_qms_corrective_actions":{"legalText":"Article 17(1)(k): Systems and procedures for record-keeping of all relevant documentation and information.","explanation":"Assess whether record-keeping systems and corrective action procedures are in place for compliance evidence.","example":"Compliant: Central compliance documentation repository, version-controlled records, corrective action tracking system with root cause analysis."},"conf_qms_accountability":{"legalText":"Article 17(1)(l): Resource management, including supply-chain related measures, ensuring adequate human resources with appropriate competence.","explanation":"Assess whether adequate resources (human, technical, financial) are allocated and competencies are maintained.","example":"Compliant: Dedicated compliance team, regular training program, defined competency requirements for AI development and oversight roles."},"conf_doc_system_description":{"legalText":"Annex IV(1): A general description of the AI system including its intended purpose, the provider, the version, how the system interacts with hardware and software.","explanation":"Check whether your technical documentation includes a complete general description as specified in Annex IV Section 1.","example":"Complete: Full system description including architecture diagrams, component list, version history, and integration requirements."},"conf_doc_risk_management":{"legalText":"Article 9, Annex IV(2): A description of the risk management system in accordance with Article 9.","explanation":"Check whether your risk management system documentation is complete per Article 9 requirements.","example":"Complete: Risk register, assessment methodology, risk thresholds, mitigation measures, and ongoing monitoring plan documented."},"conf_doc_data_governance":{"legalText":"Article 10, Annex IV(2)(d): A description of data governance and management practices, including collection, processing, and labelling.","explanation":"Check whether data governance documentation covers all aspects of data used for training, validation, and testing.","example":"Complete: Data sources documented, data quality measures defined, bias assessment completed, data sheets for datasets prepared."},"conf_doc_monitoring":{"legalText":"Article 12, Annex IV(2)(e): A description of the monitoring capabilities built into the AI system, including logging.","explanation":"Check whether automatic logging and monitoring capabilities are documented as required by Article 12.","example":"Complete: Log format specifications, retention periods, monitoring dashboard descriptions, and alert configurations documented."},"conf_doc_human_oversight":{"legalText":"Article 14, Annex IV(3): Detailed information about the human oversight measures, including the technical measures put in place to facilitate interpretation.","explanation":"Check whether human oversight measures are fully documented per Article 14.","example":"Complete: Oversight procedures, intervention mechanisms, override capabilities, and training requirements for human operators documented."},"conf_doc_accuracy_robustness":{"legalText":"Article 15, Annex IV(3): Information about the levels of accuracy, robustness, and cybersecurity, including known limitations.","explanation":"Check whether accuracy, robustness, and cybersecurity documentation is complete per Article 15.","example":"Complete: Performance metrics, test results, known limitations, adversarial testing results, and cybersecurity assessment documented."},"conf_doc_instructions_use":{"legalText":"Article 13, Annex IV(4): A description of information to be provided to deployers, including instructions for use.","explanation":"Check whether instructions for deployers are prepared covering system capabilities, limitations, and proper use.","example":"Complete: User manual with capability description, intended use cases, known limitations, foreseeable misuse warnings, and maintenance requirements."},"conf_doc_design_process":{"legalText":"Annex VI(a): The provider shall verify that the design and development process of the high-risk AI system and its post-market monitoring is consistent with the technical documentation.","explanation":"Describe how you have verified that the actual design and development process matches the technical documentation.","example":"Development followed the documented SDLC. Design reviews confirmed architecture matches documentation. Post-market monitoring system was tested against the documented monitoring plan."},"conf_doc_post_market_plan":{"legalText":"Article 72: Providers shall establish and document a post-market monitoring system proportionate to the nature and risks of the AI system.","explanation":"Check whether a post-market monitoring plan is documented per Article 72 requirements.","example":"Complete: Monitoring plan includes data collection methods, performance metrics, reporting frequency, and escalation procedures."},"conf_decl_provider_name":{"legalText":"Article 47(1)(a): The name and address of the provider.","explanation":"Enter the full legal name of the provider entity that is issuing the declaration of conformity.","example":"Acme AI Solutions GmbH"},"conf_decl_provider_address":{"legalText":"Article 47(1)(a): The name and address of the provider.","explanation":"Enter the registered business address of the provider.","example":"Musterstrasse 42, 1010 Vienna, Austria"},"conf_decl_system_name":{"legalText":"Article 47(1)(b): The name and type of the AI system and any additional unambiguous reference allowing identification of the AI system.","explanation":"Enter the name of the AI system as it appears in market placement and official documentation.","example":"CreditScore AI"},"conf_decl_system_type":{"legalText":"Article 47(1)(b): The name and type of the AI system.","explanation":"Enter the type designation, model number, or version identifier of the AI system.","example":"Type: Credit Risk Assessment System, Model: CS-2000, Version 2.1.0"},"conf_decl_system_reference":{"legalText":"Article 47(1)(b): Any additional unambiguous reference allowing identification of the AI system.","explanation":"Enter any additional reference numbers, serial numbers, or identifiers used to uniquely identify this system.","example":"EU Database Registration ID: EU-AI-2026-00123"},"conf_decl_conformity_statement":{"legalText":"Article 47(1)(c)-(d): A statement that the declaration is issued under the sole responsibility of the provider, and that the AI system is in conformity with this Regulation.","explanation":"Draft the conformity statement. It must declare sole responsibility and confirm compliance with the EU AI Act.","example":"This declaration of conformity is issued under the sole responsibility of the provider. The AI system described above is in conformity with Regulation (EU) 2024/1689 (EU AI Act)."},"conf_decl_harmonised_standards":{"legalText":"Article 47(1)(e): References to any relevant harmonised standards used.","explanation":"List any harmonised standards published in the Official Journal that you have applied in developing the system.","example":"EN ISO/IEC 42001:2025 — AI Management Systems; EN ISO/IEC 23894:2025 — AI Risk Management"},"conf_decl_common_specifications":{"legalText":"Article 47(1)(e): References to other common specifications in relation to which conformity is declared.","explanation":"List any common specifications adopted by the European Commission that you have used.","example":"Common Specification for High-Risk AI Systems in Financial Services (CS-FIN-001)"},"conf_decl_notified_body_name":{"legalText":"Article 47(1)(f): Where applicable, the name and identification number of the notified body, a description of the conformity assessment procedure performed, and identification of the certificate issued.","explanation":"Only required if you underwent third-party assessment (Annex VII). Enter the name of the notified body.","example":"TUV Rheinland AG"},"conf_decl_notified_body_number":{"legalText":"Article 47(1)(f): The identification number of the notified body.","explanation":"The EU identification number assigned to the notified body. Find this in the NANDO database.","example":"NB-0197"},"conf_decl_certificate_reference":{"legalText":"Article 47(1)(f): Identification of the certificate issued.","explanation":"The reference number or identifier of the certificate issued by the notified body after assessment.","example":"Certificate No. AI-CERT-2026-0456"},"conf_decl_place":{"legalText":"Article 47(1)(g): The place and date of issue of the declaration.","explanation":"The city and country where the declaration is issued.","example":"Vienna, Austria"},"conf_decl_date":{"legalText":"Article 47(1)(g): The place and date of issue of the declaration.","explanation":"The date the declaration is first issued or last updated.","example":"2026-06-15"},"conf_decl_signatory_name":{"legalText":"Article 47(1)(g): The name and function of the person signing.","explanation":"The full name of the natural person who signs the declaration on behalf of the provider.","example":"Dr. Maria Schmidt"},"conf_decl_signatory_function":{"legalText":"Article 47(1)(g): The function of the person signing.","explanation":"The title or function of the signatory within the provider organization.","example":"Chief Technology Officer"},"conf_ce_placement_method":{"legalText":"Article 48(1): The CE marking shall be affixed visibly, legibly and indelibly for high-risk AI systems. Where that is not possible or not warranted on account of the nature of the AI system, it shall be affixed to the packaging or to the accompanying documentation.","explanation":"Select where you will affix the CE marking. For software-only systems, documentation or digital marking is typically used.","example":"For a cloud-based AI service: select 'In documentation' and include the CE mark in the system's user interface and technical documentation."},"conf_ce_visibility_check":{"legalText":"Article 48(2): The CE marking shall be visible, legible, and indelible.","explanation":"Confirm that the CE marking will be visible in the chosen placement location.","example":"Yes — CE marking displayed prominently in the system dashboard and on the first page of documentation."},"conf_ce_legibility_check":{"legalText":"Article 48(2): The CE marking shall be at least 5mm in height, unless justified otherwise.","explanation":"Confirm that the CE marking will be legible at the minimum required size.","example":"Yes — CE marking rendered at 8mm height in documentation and proportionally in digital interfaces."},"conf_ce_indelibility_check":{"legalText":"Article 48(2): The CE marking shall be indelible.","explanation":"Confirm that the CE marking cannot be easily removed, altered, or obscured.","example":"Yes — CE marking embedded in PDF documentation with watermark protection and displayed as a non-removable UI element."},"conf_ce_digital_marking":{"legalText":"Article 48(3): Where the AI system is provided as software, the CE marking may be affixed digitally.","explanation":"For software-only AI systems, indicate whether you will use a digital CE marking in addition to or instead of a physical one.","example":"Yes — CE marking displayed in the software's 'About' screen and included in all exported reports."},"conf_ce_notes":{"legalText":"Article 48: Additional requirements for CE marking may apply based on other applicable EU legislation.","explanation":"Note any additional CE marking considerations, such as other EU directives that require CE marking on the same product.","example":"System is also subject to Machinery Directive CE marking. Combined CE marking approach documented in quality manual section 7.3."},"conf_reassess_monitoring_plan":{"legalText":"Article 43(4): A new conformity assessment shall be required for any substantial modification of the high-risk AI system.","explanation":"Describe your process for monitoring the AI system for changes that could be considered substantial modifications requiring re-assessment.","example":"Monthly review of model performance metrics. Any retraining with new data triggers a change assessment. Quarterly review of deployment context for scope changes."},"conf_reassess_modification_criteria":{"legalText":"Article 43(4): The term 'substantial modification' refers to changes that affect compliance with the requirements of this Regulation or change the intended purpose.","explanation":"Define specific criteria your organization will use to determine whether a change constitutes a substantial modification.","example":"Substantial modification triggers: change in intended purpose, model architecture change affecting >10% of parameters, retraining with data from a new domain, change in deployment context."},"conf_reassess_responsible_person":{"legalText":"Article 43(4): The provider is responsible for ensuring ongoing conformity and initiating re-assessment when required.","explanation":"Identify who in your organization is responsible for evaluating modifications and triggering re-assessment.","example":"Head of AI Compliance (Dr. Maria Schmidt) with escalation to CTO for borderline cases."},"conf_reassess_review_frequency":{"legalText":"Article 43(4): Conformity assessment must be repeated after any substantial modification.","explanation":"Set a regular cadence for reviewing the system for potential substantial modifications.","example":"Select 'Quarterly' for systems with frequent updates, or 'Annual' for stable production systems."}},"selectOptions":{"biometrics":"Biometrics (Area 1)","critical_infrastructure":"Critical Infrastructure (Area 2)","education":"Education & Training (Area 3)","employment":"Employment & Workers (Area 4)","essential_services":"Essential Services (Area 5)","law_enforcement":"Law Enforcement (Area 6)","migration":"Migration & Border (Area 7)","justice":"Justice & Democracy (Area 8)","other_high_risk":"Other High-Risk","yes":"Yes","no":"No","partial":"Partial","compliant":"Compliant","not_compliant":"Not Compliant","not_applicable":"Not Applicable","complete":"Complete","missing":"Missing","on_product":"On the product itself","on_packaging":"On the packaging","in_documentation":"In accompanying documentation","monthly":"Monthly","quarterly":"Quarterly","semi_annual":"Semi-Annual","annual":"Annual"},"review":{"title":"Review Conformity Assessment","subtitle":"Review your conformity assessment documentation before printing or exporting.","backToEditor":"Back to Editor","exportPdf":"Print / Export PDF","exportPdfAriaLabel":"Print or export assessment as PDF","exportPdfDescription":"Uses your browser's print dialog. Save as PDF for a permanent record.","sectionEmpty":"No assessment data found. Please complete the conformity assessment wizard first.","fieldEmpty":"Not completed","completionWarning":"Your assessment is {percentage}% complete. Consider filling in all required fields before finalizing.","documentTitle":"EU AI Act — Conformity Assessment Report","documentSubtitle":"Prepared using Witness Conformity Assessment Wizard (Art. 43)","generatedBy":"Generated by Witness — AI Compliance Hub","generatedOn":"Generated on {date}","disclaimer":"This document is generated as a compliance aid and does not constitute legal advice. The provider bears sole responsibility for the accuracy and completeness of the conformity assessment. Consult qualified legal counsel for binding compliance determinations.","assessmentPathLabel":"Assessment Path","selfAssessmentLabel":"Self-Assessment (Annex VI)","thirdPartyLabel":"Third-Party (Annex VII)","qmsSummaryTitle":"QMS Compliance Summary","qmsCompliant":"{count} items compliant","qmsPartial":"{count} items partially compliant","qmsNonCompliant":"{count} items non-compliant","docSummaryTitle":"Documentation Review Summary","docComplete":"{count} sections complete","docPartial":"{count} sections partially complete","docMissing":"{count} sections missing","reassessmentReminder":"Re-Assessment Required for Substantial Modifications","reassessmentReminderDetail":"Per Article 43(4), a new conformity assessment is required whenever a substantial modification is made to the AI system. Review your modification criteria and monitoring plan regularly.","backToDashboard":"Back to Dashboard"}},"auth":{"signInTitle":"Sign in to Witness","signInSubtitle":"Enter your email to receive a magic link","emailLabel":"Email address","emailPlaceholder":"you@company.eu","signInButton":"Send Magic Link","signInLoading":"Sending...","verifyTitle":"Check your email","verifySubtitle":"We sent you a sign-in link","verifyDescription":"Click the link in your email to sign in. The link expires in 15 minutes. If you don't see it, check your spam folder.","inviteNotice":"After signing in, you'll automatically join the organization that invited you.","errors":{"generic":"Something went wrong. Please try again."}},"onboarding":{"title":"Set up your organization","subtitle":"Tell us about your company to personalize your compliance experience.","orgNameLabel":"Organization name","countryLabel":"Country","sectorLabel":"Industry sector","sectorPlaceholder":"Select a sector","employeeCountLabel":"Number of employees","employeeCountPlaceholder":"Select range","turnoverLabel":"Annual turnover","turnoverPlaceholder":"Select range","submitButton":"Create Organization","submitting":"Creating...","sectors":{"financial":"Financial Services","healthcare":"Healthcare","energy":"Energy","transport":"Transport","manufacturing":"Manufacturing","technology":"Technology","retail":"Retail","education":"Education","public_administration":"Public Administration","other":"Other"},"employeeRanges":{"MICRO":"< 10 employees","SMALL":"10–49 employees","MEDIUM":"50–249 employees","LARGE":"250+ employees"},"turnoverRanges":{"UNDER_2M":"< EUR 2M","UNDER_10M":"EUR 2–10M","UNDER_50M":"EUR 10–50M","OVER_50M":"> EUR 50M"},"countries":{"AT":"Austria","BE":"Belgium","BG":"Bulgaria","HR":"Croatia","CY":"Cyprus","CZ":"Czechia","DK":"Denmark","EE":"Estonia","FI":"Finland","FR":"France","DE":"Germany","GR":"Greece","HU":"Hungary","IE":"Ireland","IT":"Italy","LV":"Latvia","LT":"Lithuania","LU":"Luxembourg","MT":"Malta","NL":"Netherlands","PL":"Poland","PT":"Portugal","RO":"Romania","SK":"Slovakia","SI":"Slovenia","ES":"Spain","SE":"Sweden"},"errors":{"generic":"Failed to create organization. Please try again."}},"dashboard":{"title":"Dashboard","subtitle":"Your organization's compliance overview","aiSystemsTitle":"AI Systems","noSystems":"No AI systems registered yet. Classify your first system to get started.","teamTitle":"Team","memberCount":"{count, plural, one {# member} other {# members}}","planLabel":"Tier","quickActions":"Quick Actions","classifyNew":"Classify New System","classifyNewDesc":"Run the 7-phase questionnaire to determine your AI system's risk level.","generateDocs":"Generate Documentation","generateDocsDesc":"Create Annex IV compliant technical documentation.","trackObligations":"Track Obligations","trackObligationsDesc":"Monitor your compliance obligations and deadlines.","lockedModuleCta":"Upgrade to {tier} (€{price}) to unlock this module.","renewalModuleCta":"Renew maintenance (€{price}/year) to unlock this module.","maintenanceBadge":"Renew","toolCards":{"fria":"FRIA","friaDesc":"Run a Fundamental Rights Impact Assessment under Article 27.","riskManagement":"Risk Management","riskManagementDesc":"Document your risk management system per Article 9.","conformity":"Conformity Assessment","conformityDesc":"Complete the Article 43 conformity assessment.","literacy":"AI Literacy Programme","literacyDesc":"Document your Article 4 AI literacy measures."},"systemName":"System","classification":"Classification","status":"Status","planBadge":{"FREE":"Free","STARTER":"Starter","PROFESSIONAL":"Professional","TEAM":"Team"},"classifications":{"UNACCEPTABLE":"Unacceptable","HIGH_RISK":"High Risk","LIMITED_RISK":"Limited Risk","MINIMAL_RISK":"Minimal Risk"},"statuses":{"DRAFT":"Draft","CLASSIFIED":"Classified","IN_COMPLIANCE":"In Compliance","NON_COMPLIANT":"Non Compliant"},"duplicate":"Duplicate","delete":"Delete","deleteUndo":"{name} deleted","undo":"Undo","duplicateSuccess":"Duplicated as ''{name}''","actionsMenu":"Actions menu","euSubmissionNote":"The EU has not yet published where to submit compliance documentation. We'll prepare all the necessary steps for you as soon as this information becomes available.","requirements":{"badges":{"required":"Required","optional":"Optional","not_required":"Not required","not_applicable":"Not applicable"},"banners":{"unacceptable":"This AI system is classified as unacceptable and is prohibited under Article 5 of the EU AI Act. It must not be placed on the market or put into service.","unclassified":"Classify your AI system to see which compliance artifacts are required for your risk level.","notAISystem":"This record was assessed as not meeting the Article 3(1) AI-system definition. EU AI Act compliance artifacts do not apply.","outOfScope":"This record was assessed as outside the EU AI Act scope under Article 2. EU AI Act compliance artifacts do not apply."},"startOptional":"Start (optional)","reasons":{"unacceptable":"This system is prohibited under Art. 5. No compliance artifacts apply.","notAISystem":"This record did not meet the Article 3(1) AI-system definition, so EU AI Act compliance artifacts do not apply.","outOfScope":"This record is outside the EU AI Act scope under Article 2, so EU AI Act compliance artifacts do not apply.","techDocMinimal":"Technical documentation per Annex IV is only required for high-risk AI systems.","techDocLimited":"Technical documentation per Annex IV is only required for high-risk AI systems.","techDocHighProvider":"Providers of high-risk AI systems must draw up technical documentation per Art. 11 and Annex IV.","techDocHighDeployer":"Technical documentation is the provider's obligation. Deployers are not required to create it.","techDocHighBoth":"As provider, you must draw up technical documentation per Art. 11 and Annex IV.","friaMinimal":"FRIA is only required for deployers of specific high-risk AI systems (Art. 27).","friaLimited":"FRIA is only required for deployers of specific high-risk AI systems (Art. 27).","friaHighProvider":"FRIA is a deployer obligation. Providers are not required to conduct one (Art. 27).","friaHighDeployerRequired":"Required for deployers of AI systems used in credit scoring (5b) or insurance risk assessment (5c) per Art. 27.","friaHighDeployerPublicBodyRequired":"Required because the deployer is a body governed by public law or a private entity providing public services using an Annex III high-risk AI system outside point 2, per Art. 27.","friaHighDeployerNotRequired":"FRIA is required for deployers in credit scoring (5b) or insurance (5c) categories per Art. 27. Note: bodies governed by public law or private entities providing public services deploying any high-risk Annex III system (except area 2) also require a FRIA.","friaHighBothRequired":"Required as deployer of AI systems in credit scoring (5b) or insurance risk assessment (5c) per Art. 27.","friaHighBothPublicBodyRequired":"Required because, in your deployer role, you are a body governed by public law or a private entity providing public services using an Annex III high-risk AI system outside point 2, per Art. 27.","friaHighBothNotRequired":"FRIA is required for credit scoring (5b) or insurance (5c) categories per Art. 27. Note: bodies governed by public law or private entities providing public services deploying any high-risk Annex III system (except area 2) also require a FRIA.","obligationsMinimal":"Minimal-risk AI systems have no specific compliance obligations under the EU AI Act.","obligationsLimited":"Limited-risk systems have transparency obligations under Art. 50. Tracking is recommended.","obligationsHighProvider":"Providers of high-risk AI systems must fulfil obligations under Art. 16.","obligationsHighDeployer":"Deployers of high-risk AI systems must fulfil obligations under Art. 26.","obligationsHighBoth":"As both provider and deployer, you must fulfil obligations under Art. 16 and Art. 26.","riskMgmtMinimal":"A risk management system per Art. 9 is only required for high-risk AI systems.","riskMgmtLimited":"A risk management system per Art. 9 is only required for high-risk AI systems.","riskMgmtHighProvider":"Providers must establish and maintain a risk management system per Art. 9.","riskMgmtHighDeployer":"Risk management is the provider's obligation. Deployers are not required to maintain one per Art. 9.","riskMgmtHighBoth":"As provider, you must establish and maintain a risk management system per Art. 9.","conformityMinimal":"Conformity assessment per Art. 43 is only required for high-risk AI systems.","conformityLimited":"Conformity assessment per Art. 43 is only required for high-risk AI systems.","conformityHighProvider":"Providers must ensure conformity assessment per Art. 43 before placing on the market or putting into service.","conformityHighDeployer":"Conformity assessment is the provider's obligation. Deployers are not required to conduct one.","conformityHighBoth":"As provider, you must ensure conformity assessment per Art. 43 before placing on the market or putting into service.","aiLiteracyRequired":"All providers and deployers must ensure sufficient AI literacy for their staff per Art. 4."}}},"aiSystems":{"addSystem":"Add AI System","createTitle":"Create AI System","createDescription":"Register a new AI system to start tracking compliance.","editTitle":"Edit AI System","deleteTitle":"Delete AI System","deleteWarning":"This will permanently delete {name} and all associated compliance documents. This action cannot be undone.","deleteConfirmLabel":"Type \"{name}\" to confirm","name":"Name","namePlaceholder":"e.g. Customer Service Chatbot","description":"Description","descriptionPlaceholder":"Brief description of the AI system","version":"Version","versionPlaceholder":"e.g. 1.0.0","systemDetails":"System Details","complianceArtifacts":"Compliance Artifacts","classification":"Classification","technicalDocumentation":"Technical Documentation","obligations":"Obligations","riskManagement":"Risk Management","conformityAssessment":"Conformity Assessment","fria":"FRIA","aiLiteracy":"AI Literacy","artifactStatus":{"not_started":"Not started","in_progress":"In progress","complete":"Complete"},"roles":{"PROVIDER":"Provider","DEPLOYER":"Deployer","BOTH":"Provider & Deployer"},"open":"Open","start":"Start","reevaluate":"Reevaluate","reevaluateDialogTitle":"Re-evaluate Classification?","reevaluateDialogDescription":"This will re-run the full classification questionnaire. Your current classification will be updated with the new result.","reevaluateDialogContinue":"Continue","edit":"Edit","delete":"Delete","cancel":"Cancel","save":"Save","saving":"Saving...","create":"Create","creating":"Creating...","confirm":"Confirm","deleting":"Deleting...","backToDashboard":"Back to Dashboard","downloadPdf":"Download PDF","noSystems":"No AI systems yet. Add your first system to get started.","viewDetails":"View","actions":"Actions","errors":{"createFailed":"Failed to create AI system. Please try again.","updateFailed":"Failed to update AI system. Please try again.","deleteFailed":"Failed to delete AI system. Please try again."},"openWorkspace":"Open Workspace"},"team":{"title":"Team Management","subtitle":"Manage your organization's team members and invitations.","membersTitle":"Members","inviteTitle":"Invite a Team Member","nameLabel":"Name","emailLabel":"Email","emailPlaceholder":"colleague@company.eu","roleLabel":"Role","sendInvite":"Send Invite","sending":"Sending...","inviteSuccess":"Invitation sent successfully.","pendingTitle":"Pending Invitations","revokeButton":"Revoke","noMembers":"No team members yet.","noPending":"No pending invitations.","sentLabel":"Sent","actionsLabel":"Actions","you":"you","roles":{"OWNER":"Owner","ADMIN":"Admin","MEMBER":"Member"},"errors":{"generic":"Something went wrong. Please try again.","rateLimited":"Too many invites sent. Please try again later."}},"academy":{"title":"AI Act Academy","subtitle":"Everything you need to know about the EU AI Act. 13 modules in 2 tracks, interactive exercises, and a completion certificate.","backToHome":"Back to home","freeBadge":"Free — no account required","progressLabel":"{completed} of {total} modules completed","minutesRead":"{minutes} min read","startModule":"Start","continueModule":"Continue","reviewModule":"Review","viewModule":"View","completed":"Completed","moduleOf":"Module {current} of {total}","markComplete":"Mark as Complete","moduleCompleted":"Module Completed","previousModule":"Previous Module","nextModule":"Next Module","backToOverview":"Back to Overview","legalBasis":"Legal basis","sectionTypes":{"legal_requirement":"Legal rule","implementation_guidance":"Implementation guidance","mixed_content":"Rule + guidance"},"finishCourse":"Back to Overview","clickToReveal":"Click to reveal","quizTitle":"Final Quiz","quizReady":"Test your knowledge with 20 questions covering all 8 modules.","quizLocked":"Complete all 8 modules to unlock the final quiz.","quizPassed":"You passed with {score}/20. Take it again or get your certificate.","takeQuiz":"Take the Quiz","retakeQuiz":"Retake Quiz","certificateTitle":"Completion Certificate","certificateReady":"Your certificate is ready. Add your name and print it.","getCertificate":"Get Certificate","quizPageTitle":"Module Quiz","quizPageDescription":"Answer the questions below. You need 80% to pass.","quizQuestion":"Question {current} of {total}","loadingQuiz":"Loading quiz...","nextQuestion":"Next Question","seeResults":"See Results","quizResultPassed":"Congratulations — You Passed!","quizResultFailed":"Not Quite — Try Again","quizScore":"{score}/{total} correct ({percentage}%)","quizPassThreshold":"Pass threshold: {threshold}%","quizBreakdown":"Score by Module","certificatePageTitle":"Completion Certificate","certificatePageDescription":"Your AI Act Academy completion certificate.","certificateNotReady":"Certificate Not Available","certificateNotReadyDesc":"You need to pass all 7 Essentials module quizzes (80% or higher) to receive your certificate.","certificateNamePlaceholder":"Enter your name","printCertificate":"Print / Save as PDF","certificateHeading":"Certificate of Completion","certificateCourseName":"AI Act Academy — EU AI Act Fundamentals","certificateAwardedTo":"This is awarded to","certificateParticipant":"Participant","certificateScoreLabel":"Quiz Score","certificateDateLabel":"Date Completed","certificateDescription":"This certifies completion of the Essentials track (7 modules) of the AI Act Academy covering the EU Artificial Intelligence Act (Regulation (EU) 2024/1689).","certificateRegulation":"Regulation (EU) 2024/1689 — Artificial Intelligence Act","module":{"1":{"title":"What is AI, Actually?","description":"AI in plain language — what it is, how it differs from regular software, and examples you already use every day.","sections":{"1_1":{"title":"AI in Plain Language","content":"AI stands for Artificial Intelligence. Under the EU AI Act, it does not just mean software that learns from data. The legal definition is broader: an AI system is a machine-based system designed to operate with varying levels of autonomy and that infers from the input it receives how to generate outputs such as predictions, content, recommendations, or decisions (Article 3(1)).\n\nIn everyday language, that means the system does more than execute a fixed list of human-written instructions step by step. It infers patterns or rules from inputs to produce outputs. That can include machine learning, statistical approaches, and some rule-based or knowledge-based systems.\n\nThis matters because not every automated system is AI under the Act. A simple calculator or fixed if/then script is usually not. But the legal definition is broader than \"machine learning only.\""},"1_2":{"title":"AI vs Regular Software — The Key Difference","content":"Here is a practical way to think about it.\n\nRegular software often works like a fixed recipe: IF the temperature is above 30 degrees, THEN turn on the air conditioning. A human defines the rules and the logic is applied in the same way each time.\n\nAI systems work differently because they infer how to produce outputs from the inputs they receive. Sometimes they learn from data, like a model trained on thousands of cat and dog photos. Sometimes they use statistical or knowledge-based methods to reach conclusions.\n\nThat is why AI can be powerful and risky at the same time. The behavior is not always obvious from a simple rule list, and errors or bias in the model, data, or logic can affect real people."},"1_3":{"title":"AI You Already Use Every Day","content":"You probably use AI dozens of times a day without realizing it. Here are some examples:\n\nEmail spam filters learn what spam looks like and automatically sort it out. Netflix and Spotify recommendations analyze what you watched or listened to and suggest things you might enjoy. Google Maps predicts traffic and suggests the fastest route.\n\nYour phone's face unlock recognizes your face among millions of possible faces. Auto-complete when you type messages predicts what word you want to type next. Voice assistants like Siri, Alexa, and Google Assistant understand spoken language and respond.\n\nAll of these are AI systems. They all learn from data and make predictions. But none of them are particularly dangerous — if Netflix recommends a bad movie, nobody gets hurt."},"1_4":{"title":"AI in Business — Where It Gets Serious","content":"Now consider these examples where AI makes decisions that really matter:\n\nBanks use AI to decide who gets a loan. This is called credit scoring. If the AI is biased, some people get unfairly rejected. Companies use AI to screen job applications. If the training data reflects past discrimination, the AI perpetuates it.\n\nHospitals use AI to help diagnose diseases. A wrong diagnosis can be life-threatening. Police use AI to predict where crimes might happen. This can lead to over-policing of certain neighborhoods. Schools use AI to grade exams or flag potential cheating.\n\nThese are the use cases the EU is most worried about — because they affect people's fundamental rights: their access to credit, employment, healthcare, justice, and education. This is why the EU decided to regulate AI."}},"scenario":{"title":"Interactive Exercise","description":"For each example below, decide: Is this AI or not? Click to reveal the answer.","options":{"0":{"label":"A calculator app on your phone","explanation":"NOT AI. A calculator follows fixed mathematical rules. 2 + 2 always equals 4. No learning, no inference, no predictions."},"1":{"label":"Spotify suggesting songs you might like","explanation":"This IS AI. Spotify analyzes your listening patterns and those of similar users to predict what songs you will enjoy. It learns and adapts over time."},"2":{"label":"An Excel spreadsheet formula","explanation":"NOT AI. Spreadsheet formulas follow fixed rules. SUM(A1:A10) always adds those cells. There is no learning or inference involved."},"3":{"label":"A chatbot answering customer questions","explanation":"This IS AI. Modern chatbots use language models that learn from text data to generate responses. They infer meaning and produce answers — they don't follow a simple script."},"4":{"label":"A thermostat set to keep the room at 22 degrees","explanation":"NOT AI. A basic thermostat follows a simple rule: if below 22, heat; if above 22, stop. No learning involved. (Note: some smart thermostats DO use AI to learn your preferences.)"},"5":{"label":"A self-driving car navigating through traffic","explanation":"This IS AI. Self-driving cars process camera images, radar, and sensor data using machine learning to make real-time driving decisions. This is one of the most complex AI applications."}}}},"2":{"title":"Why the EU Made a Law About AI","description":"Real-world AI failures, the EU's track record with tech regulation, and what the EU AI Act actually is.","sections":{"2_1":{"title":"What Can Go Wrong With AI","content":"Before we look at the law itself, let's understand why it exists. Here are real things that have happened:\n\nAmazon built an AI hiring tool that discriminated against women. Why? Because it was trained on 10 years of resumes — and historically, more men had been hired. The AI learned that being male was a positive signal. Amazon scrapped the tool.\n\nChina implemented a social credit scoring system where AI rates citizens based on their behavior — paying bills on time, jaywalking, social media posts — and then restricts freedoms based on the score. Low score? No train tickets.\n\nFacial recognition systems have been shown to misidentify people with darker skin at rates 10 to 100 times higher than people with lighter skin. This has led to wrongful arrests.\n\nDeepfake technology has been used to impersonate politicians and spread misinformation. Predictive policing algorithms have led to over-policing of minority neighborhoods, creating a feedback loop of discrimination."},"2_2":{"title":"The EU's Track Record","content":"The EU has regulated technology before, and the results often set a global standard.\n\nIn 2018, the General Data Protection Regulation (GDPR) became enforceable. It gave people stronger control over their personal data. Initially, many companies complained it was too strict. Today, GDPR has heavily influenced privacy rules around the world.\n\nThe EU is now doing something similar with AI. The AI Act was signed on June 13, 2024 and entered into force on August 1, 2024, but its application is phased. Prohibitions and AI literacy started applying on February 2, 2025. GPAI model rules started applying on August 2, 2025. Most high-risk AI obligations apply from August 2, 2026, and certain Annex I product-safety rules apply from August 2, 2027.\n\nThe broader pattern is the same: protect people, create clearer rules, and back them with meaningful enforcement."},"2_3":{"title":"What Is the EU AI Act?","content":"Here are the basics:\n\nFull name: Regulation (EU) 2024/1689 — commonly called the \"Artificial Intelligence Act\" or \"AI Act\". It was signed on June 13, 2024, published in the Official Journal of the EU on July 12, 2024, and entered into force on August 1, 2024.\n\nThe regulation has 113 articles plus several annexes. It is directly applicable in all 27 EU member states, so no national transposition is needed. Its application is phased rather than tied to a single date: some rules already apply, most high-risk obligations apply from August 2, 2026, and certain product-safety provisions apply from August 2, 2027.\n\nCritically, it applies to operators placing AI on the EU market or putting it into service in the EU, and in some cases also where the output is used in the EU, regardless of where the company is based."},"2_4":{"title":"Who Does This Apply To?","content":"If you are reading this, it probably applies to you. The EU AI Act applies to:\n\nCompanies that develop AI systems or have them developed under their name (providers). Companies that use AI systems in their operations (deployers). Importers and distributors. And in some cases, operators outside the EU if the system is placed on the EU market or its output is used in the EU.\n\nThere are specific exclusions and carve-outs, including personal non-professional use, certain scientific research/testing/development activity, military or national-security uses, and some free and open-source AI in limited situations. Those carve-outs do not cover every case.\n\nThe important point is that both the maker of the AI and the user of the AI can have obligations. Building AI creates responsibilities. Using AI can create responsibilities too."}},"scenario":{"title":"Interactive Exercise","description":"Does the EU AI Act apply in each of these situations? Click to reveal.","options":{"0":{"label":"A German company uses an AI chatbot for customer service","explanation":"YES, the EU AI Act applies. The company is a deployer operating in the EU. They must comply with deployer obligations, including transparency requirements (Article 50) — they must inform users they are interacting with AI."},"1":{"label":"A US company sells AI hiring software to EU companies","explanation":"YES, the EU AI Act applies. The US company is a provider placing an AI system on the EU market. It does not matter that the company is based outside the EU — what matters is that the AI is used in the EU (Article 2(1))."},"2":{"label":"A student uses ChatGPT for homework","explanation":"NO, the EU AI Act does NOT apply to the student. Personal, non-professional use is excluded (Article 2(10)). However, OpenAI as the provider of ChatGPT still has obligations."},"3":{"label":"A French military contractor builds AI for national defense","explanation":"NO, the EU AI Act does NOT apply. AI systems developed or used exclusively for military purposes are excluded from the scope of the regulation (Article 2(3))."}}}},"3":{"title":"The Risk Pyramid — How It All Works","description":"The four risk levels explained: unacceptable, high, limited, and minimal. How to know which level applies to you.","sections":{"3_1":{"title":"The Big Idea: Risk-Based Regulation","content":"The EU AI Act uses a risk-based approach. The higher the risk to people's rights and safety, the stricter the rules. Think of it like food safety:\n\nPoison is banned — you simply cannot sell it. Raw meat is high-risk — it needs strict handling, temperature controls, and proper labeling. Packaged snacks are limited-risk — they need ingredient labels and basic safety checks. Water is minimal risk — there are basically no specific food safety rules for it.\n\nThe same logic applies to AI: the more an AI system can affect people's lives, the more rules apply to it. This is the fundamental principle of the entire regulation."},"3_2":{"title":"The Four Risk Levels","content":"The EU AI Act defines four risk levels, often visualized as a pyramid.\n\nAt the top: UNACCEPTABLE RISK (Red). These AI practices are banned. This is covered by Article 5, and those prohibitions have applied since February 2, 2025.\n\nSecond level: HIGH RISK (Orange). These are AI systems that can seriously affect people's lives — think hiring, creditworthiness assessment, education, law enforcement, or critical infrastructure. They are allowed, but they must meet strict requirements. The main high-risk framework runs from Articles 6 to 49.\n\nThird level: LIMITED RISK (Yellow). These are AI systems that trigger transparency duties, for example because they interact with people or generate certain kinds of content. Article 50 is the key rule here.\n\nAt the bottom: MINIMAL RISK (Green). Everything else. These systems generally do not face the Chapter III high-risk requirements, but cross-cutting obligations such as AI literacy can still apply."},"3_3":{"title":"Why Classification Matters for You","content":"Your very first job in AI Act compliance is figuring out where each of your AI systems falls on this pyramid. That classification determines everything else:\n\nWhat you must do — your specific obligations. What documents you need — technical documentation, risk assessments, fundamental rights impact assessments. What deadlines apply to you. What fines you risk if you do not comply.\n\nA company with only minimal-risk AI systems has very few obligations. A company with high-risk AI systems has extensive documentation, testing, and monitoring requirements. A company using banned AI practices faces the highest penalties.\n\nThis is exactly what the Witness Classifier tool does — it walks you through a series of questions to determine the correct classification for your AI system."}},"scenario":{"title":"Interactive Exercise","description":"Where does each AI system fall on the risk pyramid? Click to reveal.","options":{"0":{"label":"AI that ranks people by 'trustworthiness' to decide their access to public services","explanation":"UNACCEPTABLE RISK — BANNED. This is social scoring by a public authority, which is explicitly prohibited under Article 5(1)(c). Evaluating people based on social behavior and then limiting their access to services they have a right to is forbidden."},"1":{"label":"AI that screens job applications and ranks candidates","explanation":"HIGH RISK. Employment and worker management is one of the 8 high-risk categories in Annex III (area 4). AI that influences hiring decisions can affect people's livelihoods and must meet strict requirements."},"2":{"label":"A chatbot on a website answering customer questions","explanation":"LIMITED RISK. The chatbot interacts with people, so the main obligation is transparency — you must clearly inform users that they are communicating with an AI system, not a human (Article 50)."},"3":{"label":"AI that recommends which movie to watch","explanation":"MINIMAL RISK. A movie recommendation has no meaningful impact on anyone's fundamental rights. No specific obligations under the AI Act — though general AI literacy requirements still apply (Article 4)."},"4":{"label":"AI that decides who gets a bank loan","explanation":"HIGH RISK. Credit scoring and creditworthiness assessment is explicitly listed in Annex III, area 5(b). This directly affects people's financial access and must meet all high-risk requirements."}}}},"4":{"title":"What's Completely Banned","description":"The 8 prohibited AI practices under Article 5 — already in effect since February 2025. Real examples of each.","sections":{"4_1":{"title":"The Red Line — Already in Effect","content":"Article 5 of the EU AI Act lists AI practices that are so dangerous or unethical that they are banned outright. This is the \"poison\" category from our food safety analogy.\n\nImportant: these prohibitions are ALREADY IN EFFECT since February 2, 2025. This is not a future deadline — companies using any of these practices must have already stopped. The fines for violations are the highest in the entire regulation: up to 35 million euros or 7% of global annual turnover, whichever is higher."},"4_2":{"title":"The 8 Prohibited Practices","content":"$16"}},"scenario":{"title":"Interactive Exercise","description":"Banned or allowed under the EU AI Act? Click to reveal.","options":{"0":{"label":"A retail store uses AI to detect whether customers are happy with the service","explanation":"ALLOWED (with conditions). The emotion recognition ban under Article 5(1)(f) specifically covers workplaces and educational institutions. A retail store is neither, so this is not banned — but the deployer still has transparency obligations and must inform people."},"1":{"label":"A government assigns reliability scores to citizens based on tax records and restricts travel for low scores","explanation":"BANNED. This is social scoring under Article 5(1)(c). A public authority is evaluating people based on their social behavior (tax compliance) and then restricting their rights in an unrelated area (travel). This is exactly what the prohibition targets."},"2":{"label":"Police use facial recognition on recorded CCTV footage to identify a robbery suspect","explanation":"NOT BANNED by Article 5(1)(h). That provision targets REAL-TIME remote biometric identification in publicly accessible spaces for law enforcement. Post-event analysis of recorded footage is not banned by that specific provision, but it may still fall under the high-risk framework and other applicable law-enforcement safeguards."},"3":{"label":"An HR tool analyzes candidates' facial expressions during video interviews","explanation":"BANNED. This is emotion recognition in the workplace under Article 5(1)(f). Job interviews are part of the employment context, and analyzing candidates' emotions through their facial expressions is explicitly prohibited."},"4":{"label":"A hospital uses AI to detect whether a patient is in pain from facial expressions","explanation":"ALLOWED. Article 5(1)(f) includes an exception for medical and safety reasons. Detecting pain in patients who may not be able to communicate (such as post-surgery or non-verbal patients) falls under this medical exception."}}}},"5":{"title":"High-Risk AI — The Heavy Rules","description":"The two pathways to high-risk classification, the 8 Annex III categories, exceptions, and what providers must do.","sections":{"5_1":{"title":"Two Ways to Be High-Risk","content":"There are two pathways to being classified as high-risk under the EU AI Act.\n\nPathway 1 (Article 6(1)): Your AI system is used as a safety component of a product that is already covered by existing EU safety legislation — for example, medical devices, cars, machinery, or toys. If that product requires a third-party conformity assessment under its existing EU legislation, then the AI component is automatically high-risk.\n\nPathway 2 (Article 6(2) + Annex III): Your AI system is used in one of the specific sensitive areas listed in Annex III. These are areas where AI decisions can significantly affect people's fundamental rights.\n\nMost companies will encounter Pathway 2. Annex III lists 8 categories of high-risk AI use cases."},"5_2":{"title":"The 8 High-Risk Categories (Annex III)","content":"$17"},"5_3":{"title":"The Exception — When High-Risk Isn't High-Risk","content":"$18"},"5_4":{"title":"What High-Risk Providers Must Do — Overview","content":"$19"}},"scenario":{"title":"Interactive Exercise","description":"Is this AI system high-risk or not? Click to reveal.","options":{"0":{"label":"AI that recommends products on an e-commerce website","explanation":"NOT HIGH-RISK. Product recommendations do not fall into any of the 8 Annex III categories. A bad recommendation has no meaningful impact on fundamental rights. This is minimal-risk AI."},"1":{"label":"AI that decides whether a bank customer qualifies for a mortgage","explanation":"HIGH-RISK. Credit scoring and creditworthiness assessment is explicitly listed in Annex III, area 5(b). Mortgage decisions directly affect people's access to housing and financial services."},"2":{"label":"AI that automatically grades university exams","explanation":"HIGH-RISK. Education is Annex III, area 3. AI that determines educational outcomes — including exam grades — affects students' academic progress and opportunities."},"3":{"label":"AI spell-checker in an email application","explanation":"NOT HIGH-RISK. A spell-checker has no meaningful impact on fundamental rights. It does not fall into any Annex III category. This is minimal-risk AI with no specific obligations."},"4":{"label":"AI that monitors factory workers' productivity and flags underperformers","explanation":"HIGH-RISK. Employment and worker management is Annex III, area 4. Monitoring worker productivity and flagging underperformers directly affects people's employment — it could lead to disciplinary action or termination."}}}},"6":{"title":"Provider, Deployer, or Both?","description":"The two main roles under the AI Act, when a deployer becomes a provider, and why your role determines your obligations.","sections":{"6_1":{"title":"The Two Main Roles","content":"The EU AI Act defines two main roles with different sets of obligations.\n\nProvider (Article 3(3)): The company that develops or builds the AI system and places it on the market or puts it into service. Even if they outsource the actual coding — if the AI system is released under their name or trademark, they are the provider.\n\nDeployer (Article 3(4)): The company that uses an AI system in their operations under their own authority. They did not build it, but they deploy it for a specific purpose.\n\nUnderstanding which role you play is critical because it determines what obligations you must fulfill."},"6_2":{"title":"A Simple Analogy","content":"Think of it like cars.\n\nThe Provider is the car manufacturer. BMW designs and builds the car. They are responsible for making sure it is safe — the brakes work, the airbags deploy, the emissions meet standards. They bear the heaviest safety obligations.\n\nThe Deployer is the taxi company. They buy the car and use it to drive passengers. They did not build the car, but they are responsible for using it properly — maintaining it, following traffic rules, having the right insurance, making sure their drivers are trained.\n\nBoth have responsibilities, but different ones. The manufacturer ensures the product is safe by design. The taxi company ensures it is used safely in practice. Same logic applies to AI systems."},"6_3":{"title":"When a Deployer Becomes a Provider","content":"Here is where it gets interesting. Article 25 describes situations where a deployer gets \"promoted\" to provider status — and inherits all the heavier provider obligations.\n\nThis happens when you: Put your own name or trademark on someone else's AI system. Substantially modify a high-risk AI system. Change the intended purpose of an AI system so that it becomes high-risk. Make a substantial modification to any high-risk AI system.\n\nExample: You buy an off-the-shelf AI chatbot. You use it for customer service — you are a deployer. Then you customize it heavily to screen job applications — you have changed its intended purpose to a high-risk use case. Congratulations, you are now the provider of a high-risk AI system, with all the obligations that come with it.\n\nThis is called \"role-shifting\" and it catches many companies by surprise. The Witness Role Classifier tool helps you determine your exact role."},"6_4":{"title":"Why Your Role Matters","content":"Your role determines the scope and weight of your compliance obligations.\n\nProviders have MORE obligations because they built the system and are responsible for its design. They must ensure the AI system meets the applicable requirements before placing it on the market or putting it into service. They must implement a quality management system, conduct conformity assessments, maintain technical documentation, and monitor the system after deployment.\n\nDeployers have FEWER but still important obligations. They must use the system according to the provider's instructions, ensure human oversight by trained people, monitor the system's operation, keep logs, and in some cases conduct a Fundamental Rights Impact Assessment.\n\nIf you are both — you built the AI system AND you use it yourself — then you have ALL obligations. Both the provider obligations and the deployer obligations apply to you."}},"scenario":{"title":"Interactive Exercise","description":"What role does the company play in each scenario? Click to reveal.","options":{"0":{"label":"Your company buys an AI tool from a vendor to sort customer emails","explanation":"DEPLOYER. You did not build the AI — you bought it from a vendor. You are using it under your own authority for a specific purpose. Your obligations are the deployer obligations under Article 26."},"1":{"label":"Your engineering team builds a custom AI model for internal use","explanation":"PROVIDER (and also deployer). You developed the AI system — that makes you the provider. Since you also use it internally, you are the deployer too. You have BOTH sets of obligations."},"2":{"label":"You buy an AI hiring tool and rebrand it with your company's logo","explanation":"PROVIDER through role-shifting. Under Article 25, putting your own name or trademark on someone else's AI system makes you the provider. You now carry full provider obligations for this high-risk system."},"3":{"label":"You use the ChatGPT API to build a customer-facing product","explanation":"PROVIDER of the product. You are integrating a general-purpose AI model (ChatGPT) into your own system and placing it on the market. That makes you the provider of the resulting AI system, even though you did not build the underlying model."}}}},"7":{"title":"What You Actually Have to Do","description":"Concrete obligations for providers and deployers, the FRIA requirement, and what AI Literacy means in practice.","sections":{"7_1":{"title":"Obligations That Apply to Everyone","content":"$1a"},"7_2":{"title":"Provider Obligations for High-Risk AI","content":"$1b"},"7_3":{"title":"Deployer Obligations for High-Risk AI","content":"$1c"},"7_4":{"title":"The FRIA — Fundamental Rights Impact Assessment","content":"Article 27 requires certain deployers to conduct a Fundamental Rights Impact Assessment before putting a high-risk AI system into use.\n\nThis applies specifically to:\n- Bodies governed by public law deploying Annex III systems, except point 2\n- Private entities providing public services deploying Annex III systems, except point 2\n- Deployers of AI systems referred to in Annex III points 5(b) and 5(c)\n\nThe FRIA must cover the six elements listed in Article 27(1): the deployer's processes, the period and frequency of use, the categories of persons likely to be affected, the specific risks of harm, the human oversight measures, and the measures to be taken if those risks materialize.\n\nIf the deployment context changes or the information no longer remains up to date, the deployer must update the FRIA (Article 27(2)). After performing the FRIA, the deployer must notify the market surveillance authority of the results and submit the Article 27(5) template (Article 27(3))."}},"scenario":{"title":"Interactive Exercise","description":"What obligations apply in each situation? Click to reveal.","options":{"0":{"label":"You are a provider of a high-risk AI system. Do you need technical documentation?","explanation":"YES — mandatory. Article 11 combined with Annex IV requires providers of high-risk AI systems to prepare comprehensive technical documentation BEFORE the system is placed on the market or put into service. This is one of the most detailed obligations."},"1":{"label":"You deploy an AI chatbot for customer service. Do you need to inform users?","explanation":"YES — mandatory. Article 50 requires that when an AI system interacts directly with people, those people must be informed that they are interacting with AI. This is a transparency obligation that applies regardless of risk level."},"2":{"label":"You deploy high-risk AI for creditworthiness assessment. Do you need a FRIA?","explanation":"YES — mandatory. Article 27 specifically requires a Fundamental Rights Impact Assessment for deployers of Annex III point 5(b) creditworthiness-assessment systems. You must assess the impact on affected groups before putting the system into use."},"3":{"label":"You provide a minimal-risk AI recommendation engine. What are your obligations?","explanation":"Minimal: AI Literacy (Article 4) — ensure your staff has sufficient understanding of AI. Transparency (Article 50) — if the system interacts with users, inform them. That is essentially it. No technical documentation, no conformity assessment, no FRIA."}}}},"8":{"title":"AI System Classification Deep Dive","description":"Master the four-tier risk classification system. Learn exactly how to determine if your AI system is unacceptable, high-risk, limited-risk, or minimal-risk.","sections":{"8_1":{"title":"The Four-Tier Risk Pyramid","content":"The EU AI Act classifies AI systems into four risk categories. Understanding this classification is essential because it determines which obligations apply to your organization.\n\nThe four tiers from most to least regulated are:\n\n1. Unacceptable Risk (Article 5) — Banned.\n\n2. High-Risk (Article 6, Annex III and Annex I pathways) — Permitted but heavily regulated.\n\n3. Limited Risk (Article 50) — Subject to transparency obligations.\n\n4. Minimal Risk — Generally outside the high-risk framework, though cross-cutting obligations such as AI literacy may still apply."},"8_2":{"title":"High-Risk Classification: Two Pathways","content":"A system can be classified as high-risk through two distinct pathways defined in Article 6.\n\nPathway 1 — Article 6(1): AI systems that are safety components of products covered by EU harmonisation legislation listed in Annex I. Examples include AI components in medical devices, machinery, toys, lifts, and vehicles. These systems are automatically high-risk if they require third-party conformity assessment under that legislation.\n\nPathway 2 — Article 6(2): AI systems listed in Annex III across 8 categories covering: biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice. These are high-risk because they directly impact people's fundamental rights."},"8_3":{"title":"The Article 6(3) Exception","content":"Article 6(3) provides a crucial exception for Annex III systems. An Annex III system is not high-risk if it does not pose a significant risk of harm to health, safety, or fundamental rights, including by not materially influencing the outcome of decision-making, and it is intended to perform one of the listed limited functions.\n\nThose listed functions are alternatives: a narrow procedural task, improving the result of a previously completed human activity, detecting decision-making patterns or deviations without replacing or influencing human assessment, or performing a preparatory task for a human assessment.\n\nIMPORTANT: The exception does NOT apply if the system performs profiling of natural persons. Providers relying on the exception must document the assessment and register the system in the EU database under Article 49(2)."},"8_4":{"title":"Annex III: The Eight High-Risk Categories","content":"$1d"}},"scenario":{"title":"Classification Exercise","description":"A company builds an AI system that helps HR managers screen CVs by ranking candidates. The system highlights the top 20% of applicants. Is this system high-risk?","options":{"0":{"label":"No, it only helps HR managers and does not make final decisions.","explanation":"Incorrect. CV screening and candidate filtering falls under Annex III category 4 (Employment). Even though it assists rather than replaces the HR manager, automated filtering of candidates is explicitly listed as high-risk in Article 6(2) and Annex III."},"1":{"label":"Yes, it falls under Annex III category 4 (Employment) as it filters candidates.","explanation":"Correct! AI systems used for recruitment and filtering of job applicants are explicitly listed in Annex III point 4. This makes them high-risk under Article 6(2), regardless of whether a human makes the final hiring decision."},"2":{"label":"It depends on whether the company has more than 250 employees.","explanation":"Incorrect. The classification does not depend on company size. The high-risk classification is determined by the AI system's use case, not the deployer's characteristics."},"3":{"label":"Only if the AI system was trained on biased data.","explanation":"Incorrect. The risk classification is based on the system's intended purpose (employment screening), not the quality of its training data. Data quality affects compliance requirements, not the classification itself."}}}},"9":{"title":"Provider Obligations Deep Dive","description":"Complete analysis of all provider obligations under Article 16. Learn what you must do if you develop, place on the market, or put into service a high-risk AI system.","sections":{"9_1":{"title":"Who is a Provider?","content":"Article 3(3) defines a provider as any natural or legal person, public authority, agency, or other body that develops an AI system or has one developed on its behalf, and places it on the market or puts it into service under its own name or trademark.\n\nCritically, you become a provider if you substantially modify an existing AI system, even if someone else originally built it. If you put your name on it, you own the obligations.\n\nThis means: if your company contracts a third party to build an AI system that you then deploy under your brand, your company is the provider. The development contractor may have separate responsibilities, but the full set of Article 16 provider obligations falls on you."},"9_2":{"title":"Core Provider Obligations (Article 16)","content":"$1e"},"9_3":{"title":"Post-Market Obligations","content":"$1f"},"9_4":{"title":"Financial Sector Specifics","content":"For financial institutions regulated under EU financial services legislation, there are important special provisions:\n\nThe AI Act's obligations apply in addition to existing financial sector regulations (like MiFID II, Solvency II, or the DORA regulation). Financial institutions that are already subject to requirements regarding internal governance, processes, risk management, and quality management under financial services legislation can integrate AI Act requirements into their existing compliance frameworks.\n\nThis means banks, insurance companies, and investment firms do not need to build entirely separate compliance structures for AI — they can extend their existing governance frameworks to cover AI-specific requirements.\n\nHowever, the AI Act adds requirements that go beyond what financial sector regulations typically require, particularly around transparency, human oversight, and the specific technical documentation requirements of Annex IV."}},"scenario":{"title":"Provider Obligation Scenario","description":"Your company develops an AI-powered credit scoring system and sells it to multiple banks under your company's brand name. A bank discovers the system has been making biased decisions. What are your primary obligations?","options":{"0":{"label":"Since the bank is deploying it, they are responsible for corrective actions.","explanation":"Incorrect. As the provider (you placed it on the market under your name), you have primary responsibility for conformity and corrective actions under Article 20. The bank has deployer obligations too, but the provider bears the core responsibility."},"1":{"label":"Report the incident, take corrective action, notify deployers and authorities.","explanation":"Correct! Under Articles 20 and 73, providers must take immediate corrective action, report serious incidents to authorities, and inform all affected deployers. This includes potentially recalling or withdrawing the system if it poses a risk to health, safety, or fundamental rights."},"2":{"label":"Wait until the next scheduled conformity assessment to address the issue.","explanation":"Incorrect. Corrective actions must be taken immediately upon discovering non-conformity. Waiting for a scheduled assessment would violate Article 20, which requires prompt action."},"3":{"label":"Fix the bias in the next software update.","explanation":"Partially correct but insufficient. Simply fixing the issue in an update is not enough. You must also report the incident, notify deployers and authorities, and document all corrective actions taken. The response must be comprehensive, not just technical."}}}},"10":{"title":"Deployer Obligations Deep Dive","description":"Complete analysis of deployer obligations under Article 26. Understand your responsibilities when using high-risk AI systems in your operations.","sections":{"10_1":{"title":"Who is a Deployer?","content":"Article 3(4) defines a deployer as any natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.\n\nIn practical terms: if your organization uses an AI system (even one built by someone else) in your business operations, you are a deployer. This includes using commercial AI tools, SaaS products with AI capabilities, or AI systems purchased from a provider.\n\nThe distinction matters because deployers have their own set of obligations, separate from (and sometimes overlapping with) provider obligations."},"10_2":{"title":"Core Deployer Obligations (Article 26)","content":"$20"},"10_3":{"title":"Fundamental Rights Impact Assessment","content":"Article 27 requires certain deployers to carry out a Fundamental Rights Impact Assessment (FRIA) before putting a high-risk AI system into use.\n\nThis obligation applies specifically to:\n- Bodies governed by public law deploying Annex III systems, except point 2\n- Private entities providing public services deploying Annex III systems, except point 2\n- Deployers of AI systems referred to in Annex III points 5(b) and 5(c)\n\nThe FRIA must include:\n1. A description of the deployer's processes where the AI system will be used\n2. The period and frequency of use\n3. The categories of natural persons and groups likely to be affected\n4. The specific risks of harm likely to impact those persons and groups\n5. A description of the human oversight measures implemented\n6. Measures to be taken if the identified risks materialize\n\nAfter the FRIA is performed, the deployer must notify the market surveillance authority of the results and submit the Article 27(5) template (Article 27(3))."},"10_4":{"title":"Practical Compliance for Deployers","content":"$21"}},"scenario":{"title":"Deployer Obligation Scenario","description":"Your bank purchases an AI-powered creditworthiness assessment system from an external provider. The system scores consumer loan applicants, and a loan officer reviews the output before any final decision. What deployer obligations apply?","options":{"0":{"label":"No obligations — the provider is responsible since they built the system.","explanation":"Incorrect. As a deployer using a high-risk AI system, you have your own obligations under Article 26 regardless of what the provider has done. Provider and deployer obligations are separate and both apply simultaneously."},"1":{"label":"Ensure human oversight, monitor the system, keep logs, inform affected persons where required, and complete a FRIA.","explanation":"Correct! For a high-risk creditworthiness system, the bank must ensure competent human oversight, monitor the system per instructions, keep logs to the extent they are under its control, inform natural persons where Article 26(11) applies, and complete a FRIA under Article 27 before putting the system into use."},"2":{"label":"Only keep logs of scoring decisions for audit purposes.","explanation":"Insufficient. Log-keeping is just one of many deployer obligations. You also need human oversight, monitoring, and a FRIA because the system is used for creditworthiness assessment."},"3":{"label":"The loan officer reviewing applications fulfills all compliance requirements.","explanation":"Partially correct. Human review is important, but it does not exhaust the deployer's duties. You also need monitoring processes, logging, documentation, and a FRIA before the system is put into use."}}}},"11":{"title":"Transparency & Communication Requirements","description":"Deep dive into Article 50 transparency obligations and Article 13 system transparency. When and how to inform users they are interacting with AI.","sections":{"11_1":{"title":"Article 50: Transparency for Certain AI Systems","content":"$22"},"11_2":{"title":"Article 13: System Transparency for High-Risk AI","content":"Article 13 sets additional transparency requirements specifically for high-risk AI systems. These go beyond the general Article 50 obligations:\n\nHigh-risk AI systems must be designed and developed in a way that ensures their operation is sufficiently transparent to enable deployers to interpret the system's output and use it appropriately.\n\nThe provider must include in the instructions for use:\n- The characteristics, capabilities, and limitations of the system's performance\n- The intended purpose and foreseeable misuse\n- Changes that have been pre-determined and assessed for conformity\n- Human oversight measures and the technical measures facilitating interpretation of outputs\n- Computation and hardware resources needed\n- The expected lifetime and maintenance requirements\n\nThis means the provider cannot simply deliver a \"black box\" system. They must explain how the system works, what its limitations are, and how to interpret its outputs."},"11_3":{"title":"Practical Transparency Implementation","content":"How to implement transparency in practice:\n\nFor chatbots and virtual assistants: Display a clear notice at the start of any AI interaction. If a handoff between AI and a human agent could otherwise create confusion, make the transition understandable in context.\n\nFor synthetic content: Add machine-readable provenance or metadata labels to AI-generated content. Use established standards like C2PA where available.\n\nFor emotion recognition or biometric categorisation: Display a prominent notice before the system begins operating and make sure the information is understandable in context.\n\nFor deepfakes and public-interest text: Add clear disclosures unless a specific Article 50(4) exception applies, such as sufficiently reviewed text with a responsible editor.\n\nFor high-risk system deployers: Ensure your staff understands how to interpret the AI system's outputs. Provide training on the system's limitations and potential failure modes."}},"scenario":{"title":"Transparency Scenario","description":"Your company runs a customer service chatbot. Sometimes, the conversation is seamlessly transferred from the AI chatbot to a human agent without telling the customer. Does this comply with Article 50?","options":{"0":{"label":"Yes, as long as the chatbot identifies itself as AI at the beginning of the conversation.","explanation":"Partially correct. The initial disclosure is required, but a seamless transfer can create ambiguity about whether the user is still interacting with AI. If the design makes that unclear, the setup is risky under Article 50(1)."},"1":{"label":"No — if the handoff makes it unclear when the user is interacting with AI, Article 50(1) may not be satisfied.","explanation":"Correct. Article 50(1) requires that persons interacting with an AI system are informed that they are doing so, unless that is obvious from the circumstances. A handoff design that obscures whether the AI interaction has ended or resumed creates compliance risk; AI segments should remain clear in context."},"2":{"label":"It does not matter because customer service is not a high-risk use case.","explanation":"Incorrect. Article 50 transparency obligations apply regardless of risk classification. Even minimal-risk AI chatbots must disclose that users are interacting with AI. The risk level only determines additional obligations beyond transparency."},"3":{"label":"Only if the chatbot handles financial or health-related queries.","explanation":"Incorrect. The transparency obligation under Article 50(1) applies to ALL AI systems that interact directly with natural persons, regardless of the subject matter. The obligation is not limited to specific sectors or topics."}}}},"12":{"title":"Fundamental Rights Impact Assessment","description":"Comprehensive guide to Article 27 FRIA requirements. Who must conduct one, what it must contain, and how to do it properly.","sections":{"12_1":{"title":"When is a FRIA Required?","content":"Article 27 mandates a Fundamental Rights Impact Assessment (FRIA) for specific deployers before they put a high-risk AI system into use.\n\nA FRIA is required when:\n1. The deployer is a body governed by public law deploying an Annex III system, except point 2\n2. The deployer is a private entity providing public services deploying an Annex III system, except point 2\n3. The deployer uses AI systems for creditworthiness assessment (Annex III point 5(b))\n4. The deployer uses AI systems for risk assessment and pricing in life and health insurance (Annex III point 5(c))\n\nThe FRIA must be completed BEFORE the system is put into use. It is not a retrospective assessment — it must inform the deployment decision.\n\nNote: This is broader than many organizations initially expect. The public-body and public-service branches of Article 27 cover Annex III systems generally, with the carve-out applying to Annex III point 2."},"12_2":{"title":"Required FRIA Elements","content":"$23"},"12_3":{"title":"Conducting a FRIA: Practical Steps","content":"$24"},"12_4":{"title":"Common FRIA Mistakes","content":"$25"}},"scenario":{"title":"FRIA Requirement Scenario","description":"A private insurance company wants to deploy an AI system that assesses health risks for life insurance applicants. Must they conduct a FRIA?","options":{"0":{"label":"No, FRIAs are only required for government agencies.","explanation":"Incorrect. Article 27 requires FRIAs for private entities too — specifically for deployers using AI for creditworthiness assessment (Annex III 5(b)) and risk assessment for life and health insurance (Annex III 5(c))."},"1":{"label":"Yes, because AI risk assessment for life insurance is explicitly covered by Annex III point 5(c).","explanation":"Correct! Annex III point 5(c) specifically lists AI systems used for risk assessment and pricing in relation to natural persons for life and health insurance. Article 27 requires deployers of such systems to conduct a FRIA before putting the system into use."},"2":{"label":"Only if the insurance company has more than 500 employees.","explanation":"Incorrect. The FRIA requirement is based on the type of AI system used, not the size of the organization. There is no employee threshold for FRIA obligations."},"3":{"label":"Only if the AI system makes fully automated decisions without human review.","explanation":"Incorrect. The FRIA requirement applies regardless of whether human oversight is in place. Having human review does not exempt a deployer from conducting a FRIA — it is one of the elements that must be described IN the FRIA."}}}},"13":{"title":"Prohibited AI Practices Deep Dive","description":"Complete analysis of all 8 prohibited AI practices under Article 5. Understand exactly what is banned and why, with real-world examples.","sections":{"13_1":{"title":"The Eight Prohibited Practices","content":"$26"},"13_2":{"title":"Nuances and Exceptions","content":"$27"},"13_3":{"title":"Penalties for Violations","content":"Violations of Article 5 carry the heaviest penalties in the entire AI Act, reflecting the severity of these prohibitions:\n\nAdministrative fines up to EUR 35 million or up to 7% of worldwide annual turnover (whichever is higher) for companies. For SMEs and startups, the lower of the two amounts applies.\n\nThis is significantly higher than penalties for other AI Act violations:\n- Other AI Act violations: up to EUR 15 million or 3% of turnover\n- Incorrect information to authorities: up to EUR 7.5 million or 1% of turnover\n\nFor comparison, GDPR penalties cap at EUR 20 million or 4% of turnover. The AI Act's penalties for prohibited practices exceed even GDPR maximums.\n\nMember states are required to lay down rules on penalties and enforcement. They must be effective, proportionate, and dissuasive. Member states must also consider the interests of SMEs and startups when applying penalties.\n\nThe enforcement of Article 5 prohibitions began on February 2, 2025 — this is already in effect."}},"scenario":{"title":"Prohibited Practice Scenario","description":"A social media company uses an AI system to detect when users are in vulnerable emotional states (angry, sad, anxious) and then shows them targeted advertisements designed to exploit those emotional states. Is this prohibited?","options":{"0":{"label":"No, because targeted advertising is standard practice.","explanation":"Incorrect. While targeted advertising in general is not prohibited, using AI to specifically exploit emotional vulnerabilities to distort behavior crosses into prohibited territory under Article 5(1)(b) — exploitation of vulnerabilities."},"1":{"label":"Yes, this likely violates both the exploitation of vulnerabilities prohibition and potentially the manipulation prohibition.","explanation":"Correct! This practice could violate Article 5(1)(a) (subliminal/manipulative techniques distorting behavior) and Article 5(1)(b) (exploiting vulnerabilities). Detecting vulnerable emotional states and exploiting them to manipulate purchasing behavior is precisely the type of practice the AI Act seeks to prevent."},"2":{"label":"Only if the users are children or elderly persons.","explanation":"Partially correct. The exploitation of vulnerability prohibition (Article 5(1)(b)) explicitly covers vulnerability due to age, disability, or social/economic situation. However, the manipulation prohibition (Article 5(1)(a)) applies regardless of the person's characteristics — it covers manipulative and deceptive techniques targeting anyone."},"3":{"label":"Only if the company is an EU-based entity.","explanation":"Incorrect. The AI Act applies to all providers and deployers who place AI systems on the EU market or whose output is used in the EU, regardless of where the company is based. This follows the same territorial scope as GDPR."}}}}},"quiz":{"m1":{"1":{"question":"According to Article 3(1) of the EU AI Act, what is the defining characteristic of an AI system?","options":{"0":"It uses the internet","1":"It replaces human workers","2":"It infers from input to generate outputs like predictions or decisions","3":"It processes data faster than humans"},"explanation":"Article 3(1) defines AI as a machine-based system that infers from input how to generate outputs such as predictions, content, recommendations, or decisions. The key word is \"infers\" — it learns from data rather than following hardcoded rules."},"2":{"question":"What is the key difference between AI and regular software?","options":{"0":"AI is always more accurate","1":"AI learns patterns from data rather than following hardcoded rules","2":"AI requires more computing power","3":"AI always needs an internet connection"},"explanation":"The fundamental difference is that regular software follows explicit rules programmed by humans (if X then Y), while AI systems learn patterns from data and make inferences. This learning ability is what makes AI both powerful and potentially risky."},"3":{"question":"True or False: If an AI spam filter incorrectly classifies an email, this is generally a high-risk scenario under the EU AI Act.","options":{"0":"True","1":"False"},"explanation":"False. Email spam filtering is a minimal-risk AI application. While misclassification is annoying, it does not pose significant risks to fundamental rights. The EU AI Act only imposes heavy regulation on systems where errors could cause serious harm."}},"m2":{"1":{"question":"When did the EU AI Act enter into force?","options":{"0":"January 2024","1":"August 1, 2024","2":"February 2, 2025","3":"August 2, 2026"},"explanation":"The EU AI Act (Regulation (EU) 2024/1689) entered into force on August 1, 2024. Different provisions become applicable at different dates, with prohibited practices enforceable from February 2, 2025, and most other requirements from August 2, 2026."},"2":{"question":"True or False: The EU AI Act only applies to companies headquartered in the European Union.","options":{"0":"True","1":"False"},"explanation":"False. Like the GDPR, the AI Act has extraterritorial scope. It applies to any provider placing an AI system on the EU market or any deployer using AI within the EU, regardless of where the company is based. A US company selling AI tools to EU customers must comply."},"3":{"question":"What is the primary purpose of the EU AI Act?","options":{"0":"To ban all AI systems in the EU","1":"To promote EU AI companies over foreign competitors","2":"To ensure AI systems are safe and respect fundamental rights while promoting innovation","3":"To create a tax on AI technologies"},"explanation":"The AI Act aims to ensure AI systems placed on the EU market are safe and respect fundamental rights, while also providing legal certainty and promoting innovation. It takes a risk-based approach rather than banning AI outright."}},"m3":{"1":{"question":"Which risk category has the most AI systems?","options":{"0":"Unacceptable risk","1":"High-risk","2":"Limited risk","3":"Minimal risk"},"explanation":"The vast majority of AI systems fall into the minimal risk category. The EU estimates that most AI applications (like spam filters, game AI, inventory management) pose no significant risk and can be used freely without specific obligations."},"2":{"question":"An AI system used for credit scoring by a bank falls into which risk category?","options":{"0":"Minimal risk","1":"Limited risk","2":"High-risk","3":"Unacceptable risk"},"explanation":"Credit scoring is explicitly listed in Annex III point 5(b) as a high-risk application. AI systems evaluating creditworthiness directly affect people's access to financial resources and essential services, making them high-risk under Article 6(2)."},"3":{"question":"What determines the obligations that apply to an AI system under the EU AI Act?","options":{"0":"The cost of the AI system","1":"The size of the company using it","2":"The risk category it falls into","3":"The programming language it uses"},"explanation":"The EU AI Act follows a risk-based approach. The obligations that apply to an AI system are determined by its risk classification. Higher-risk systems face stricter requirements, while minimal-risk systems have no specific obligations."}},"m4":{"1":{"question":"How many AI practices does Article 5 prohibit?","options":{"0":"Four","1":"Six","2":"Eight","3":"Ten"},"explanation":"Article 5 prohibits exactly eight specific AI practices. These range from subliminal manipulation and exploitation of vulnerabilities to social scoring and real-time biometric identification in public spaces."},"2":{"question":"True or False: Social scoring by private companies is prohibited under the EU AI Act.","options":{"0":"True","1":"False"},"explanation":"False. The prohibition on social scoring under Article 5(1)(c) specifically targets public authorities evaluating or classifying persons based on their social behavior for general purposes. Private companies performing specific scoring (like credit scoring) are not covered by this specific prohibition, though they may face other requirements."},"3":{"question":"When did the Article 5 prohibitions become enforceable?","options":{"0":"August 1, 2024","1":"February 2, 2025","2":"August 2, 2025","3":"August 2, 2026"},"explanation":"The prohibited practices under Article 5 became enforceable on February 2, 2025 — six months after the AI Act entered into force. This is the earliest enforcement date in the regulation, reflecting the urgency of banning the most harmful AI uses."}},"m5":{"1":{"question":"Under the AI Act, who is a \"provider\"?","options":{"0":"Anyone who uses an AI system","1":"Anyone who develops an AI system or has one developed and places it on the market under their name","2":"Only companies with more than 250 employees","3":"Only EU-based companies"},"explanation":"Article 3(3) defines a provider as a person or entity that develops an AI system or has one developed on their behalf, and places it on the market or puts it into service under their own name or trademark. It is independent of company size or location."},"2":{"question":"What happens if a deployer substantially modifies a high-risk AI system?","options":{"0":"Nothing changes","1":"They become a provider with all provider obligations","2":"They only need to update the documentation","3":"The system loses its CE marking but the deployer has no new obligations"},"explanation":"Under the AI Act, if a deployer makes a substantial modification to a high-risk AI system, they are considered a new provider for that modified system. This means they take on the full set of provider obligations, including conformity assessment and technical documentation."},"3":{"question":"True or False: An importer of AI systems has no obligations under the EU AI Act.","options":{"0":"True","1":"False"},"explanation":"False. The AI Act defines specific obligations for importers (Article 23). They must verify that the provider has carried out the conformity assessment, that the system bears the CE marking, and that it is accompanied by the required documentation."}},"m6":{"1":{"question":"Which obligation applies to ALL AI systems (not just high-risk)?","options":{"0":"Technical documentation (Annex IV)","1":"AI literacy training (Article 4)","2":"Conformity assessment","3":"Risk management system"},"explanation":"Article 4 requires providers AND deployers of ALL AI systems (regardless of risk level) to ensure sufficient AI literacy among their staff and other persons dealing with the operation and use of AI systems. This is the only obligation that applies universally."},"2":{"question":"True or False: Deployers must keep system logs for at least 6 months.","options":{"0":"True","1":"False"},"explanation":"True. Article 26(6) requires deployers to keep logs automatically generated by the high-risk AI system for a period appropriate to the intended purpose, and at least six months, unless provided otherwise in applicable EU or national law."},"3":{"question":"How long must providers keep technical documentation after a system is placed on the market?","options":{"0":"1 year","1":"5 years","2":"10 years","3":"25 years"},"explanation":"Providers must keep technical documentation for 10 years after the high-risk AI system has been placed on the market or put into service. This ensures documentation is available for market surveillance and compliance auditing throughout the system's expected operational lifetime."}},"m7":{"1":{"question":"By what date must organizations comply with most high-risk AI system requirements?","options":{"0":"February 2, 2025","1":"August 2, 2025","2":"August 2, 2026","3":"August 2, 2027"},"explanation":"Most obligations for high-risk AI systems become applicable on August 2, 2026 — 24 months after the AI Act entered into force. This gives organizations time to prepare their compliance frameworks."},"2":{"question":"When did General-Purpose AI (GPAI) model obligations become applicable?","options":{"0":"February 2, 2025","1":"August 2, 2025","2":"August 2, 2026","3":"August 2, 2027"},"explanation":"GPAI model obligations under Articles 51-56 became applicable on August 2, 2025 — one year after the AI Act entered into force. This was the second enforcement milestone, after the prohibited practices and AI literacy obligations that took effect on February 2, 2025."},"3":{"question":"True or False: Organizations have until 2027 to comply with general-purpose AI model obligations.","options":{"0":"True","1":"False"},"explanation":"False. General-purpose AI model obligations (Articles 51-56) become applicable on August 2, 2025 — one year after entry into force. Organizations using or providing GPAI models should already be preparing for compliance."}},"m8":{"1":{"question":"How many pathways exist for an AI system to be classified as high-risk?","options":{"0":"One","1":"Two","2":"Three","3":"Four"},"explanation":"Article 6 defines two pathways: (1) AI systems that are safety components of products covered by EU harmonisation legislation (Article 6(1)), and (2) AI systems listed in Annex III covering 8 specific categories (Article 6(2))."},"2":{"question":"Under Article 6(3), an Annex III system is not high-risk only in limited cases. Which of these would STILL make it high-risk regardless?","options":{"0":"Processing large amounts of data","1":"Being used by a company with many employees","2":"Performing profiling of natural persons","3":"Using cloud computing infrastructure"},"explanation":"Even if an Annex III system otherwise falls within the Article 6(3) exception, the exception does NOT apply if the system performs profiling of natural persons. Profiling keeps the system in the high-risk category."},"3":{"question":"How many categories of high-risk AI systems does Annex III define?","options":{"0":"Four","1":"Six","2":"Eight","3":"Twelve"},"explanation":"Annex III defines 8 categories: (1) Biometrics, (2) Critical Infrastructure, (3) Education, (4) Employment, (5) Essential Services, (6) Law Enforcement, (7) Migration and Border Control, (8) Administration of Justice."},"4":{"question":"An AI component in a medical device that requires third-party conformity assessment becomes high-risk through which pathway?","options":{"0":"Annex III (standalone listing)","1":"Article 6(1) (safety component of regulated product)","2":"Article 50 (transparency obligation)","3":"Article 5 (prohibited practices)"},"explanation":"Medical devices are covered by EU harmonisation legislation listed in Annex I. AI components in such devices that require third-party conformity assessment are automatically high-risk under Article 6(1) — the product safety pathway."}},"m9":{"1":{"question":"How many key obligations does Article 16 establish for providers of high-risk AI systems?","options":{"0":"Six","1":"Eight","2":"Twelve","3":"Fifteen"},"explanation":"Article 16 establishes 12 key obligations for providers, covering the full lifecycle from development (risk management, data governance, technical documentation) through market placement (conformity assessment, CE marking, registration) to post-market activities (monitoring, incident reporting)."},"2":{"question":"You contract a third party to build an AI system that you sell under your brand. Who is the provider?","options":{"0":"The third-party developer","1":"You (since you place it on the market under your name)","2":"Both equally","3":"Neither — it depends on the contract"},"explanation":"Under Article 3(3), the provider is the entity that places the system on the market or puts it into service under its own name or trademark. Since you sell it under your brand, you are the provider with all associated obligations, regardless of who built it."},"3":{"question":"True or False: Provider obligations end once the AI system is placed on the market.","options":{"0":"True","1":"False"},"explanation":"False. Providers have significant post-market obligations including post-market monitoring (Article 72), serious incident reporting (Article 73), corrective actions (Article 20), and keeping technical documentation up to date for at least 10 years."}},"m10":{"1":{"question":"For how long must deployers keep AI system logs at minimum?","options":{"0":"30 days","1":"3 months","2":"6 months","3":"2 years"},"explanation":"Article 26(6) requires deployers to keep logs for at least 6 months, unless other EU or national law specifies a different period. The logs must be those automatically generated by the system during operation."},"2":{"question":"When must an employer deploying high-risk AI inform workers about the system?","options":{"0":"After deployment","1":"Before the system is put into use","2":"Only if workers request the information","3":"At the next annual review"},"explanation":"Article 26(7) requires employers to inform worker representatives and affected workers before deploying a high-risk AI system. This is a proactive obligation — employers cannot wait for workers to ask."},"3":{"question":"True or False: Deployers are only responsible for following the provider's instructions for use.","options":{"0":"True","1":"False"},"explanation":"False. While following instructions for use is important (Article 26(1)), deployers have many additional obligations including human oversight, input data quality, monitoring, log-keeping, worker information, DPIA when required, and cooperation with authorities."}},"m11":{"1":{"question":"Article 50 transparency obligations apply to which AI systems?","options":{"0":"Only high-risk systems","1":"Only limited-risk systems","2":"Certain AI systems regardless of risk classification","3":"All AI systems"},"explanation":"Article 50 applies to certain categories of AI systems regardless of their risk classification. Specifically: systems interacting with persons, synthetic content generators, emotion recognition, biometric categorization, and AI-generated public information."},"2":{"question":"When can you omit telling users they are interacting with an AI system?","options":{"0":"When the system is highly accurate","1":"When it is obvious from the circumstances","2":"When the company is an SME","3":"When the system is minimal risk"},"explanation":"Article 50(1) provides an exception: users need not be informed when it is \"obvious from the circumstances and the context of use\" that they are dealing with an AI system. This covers cases like clearly labeled chatbot interfaces."},"3":{"question":"True or False: AI-generated news articles do not need to be labeled as AI-generated if a human editor reviews them.","options":{"0":"True","1":"False"},"explanation":"True. Article 50(4) provides an exception for AI-generated text published to inform the public: labeling is not required if the content has undergone human review and a natural or legal person holds editorial responsibility for the publication."}},"m12":{"1":{"question":"A FRIA must be conducted at which point?","options":{"0":"After deployment, within 6 months","1":"Before putting the AI system into use","2":"During the conformity assessment","3":"Only when an incident occurs"},"explanation":"Article 27 requires the FRIA to be completed BEFORE putting the high-risk AI system into use. It is a prospective assessment that must inform the deployment decision, not a retrospective one."},"2":{"question":"How many mandatory elements must a FRIA contain?","options":{"0":"Three","1":"Four","2":"Six","3":"Eight"},"explanation":"Article 27(1) specifies six mandatory elements: description of processes, period/frequency of use, categories of affected persons, specific risks of harm, human oversight measures, and risk mitigation measures."},"3":{"question":"True or False: A GDPR Data Protection Impact Assessment (DPIA) can replace a FRIA.","options":{"0":"True","1":"False"},"explanation":"False. A DPIA and a FRIA serve different purposes. A DPIA covers personal data processing risks under GDPR. A FRIA covers fundamental rights impacts more broadly under the AI Act. You may need both assessments for the same AI system."}},"m13":{"1":{"question":"What is the maximum penalty for violating Article 5 prohibitions?","options":{"0":"EUR 10 million or 2% of turnover","1":"EUR 20 million or 4% of turnover","2":"EUR 35 million or 7% of turnover","3":"EUR 50 million or 10% of turnover"},"explanation":"Violations of Article 5 carry fines up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. This is the highest penalty tier in the AI Act, exceeding even GDPR maximums (EUR 20 million or 4%)."},"2":{"question":"Which of these is an exception to the prohibition on real-time biometric identification for law enforcement?","options":{"0":"National security purposes","1":"Searching for specific victims of crime","2":"General public safety monitoring","3":"Traffic enforcement"},"explanation":"Article 5(1)(h) allows three narrow exceptions: searching for specific victims of crime (including missing children), preventing specific and imminent threats to life or terrorist attacks, and locating suspects of specific serious crimes. Each requires prior judicial authorization."},"3":{"question":"True or False: Emotion recognition in the workplace is always prohibited under Article 5.","options":{"0":"True","1":"False"},"explanation":"False. Article 5(1)(f) prohibits emotion recognition in workplace and educational settings EXCEPT when used for safety reasons (e.g., detecting driver drowsiness) or medical purposes. These exceptions must be interpreted narrowly."},"4":{"question":"A private company scores its employees based on social behavior outside of work. Is this prohibited under Article 5?","options":{"0":"Yes, social scoring is always prohibited","1":"No, the social scoring prohibition only applies to public authorities","2":"Only if the scoring affects employment decisions","3":"Only in certain EU member states"},"explanation":"The social scoring prohibition in Article 5(1)(c) specifically targets public authorities or those acting on their behalf. However, a private company's behavior may still be prohibited under other provisions (like exploitation of vulnerabilities) or employment law, even though the specific social scoring prohibition does not apply."}}},"essentialsTrack":"Essentials Track","advancedTrack":"Advanced Track","essentialsDescription":"Start here. Learn the basics of the EU AI Act in plain language — what it means for your organization and what you need to do.","advancedDescription":"Go deeper. Legal-technical precision on classification, obligations, and compliance procedures.","minutes":"min","essentialsLabel":"Essentials","advancedLabel":"Advanced","quizPassedLabel":"Quiz passed: {score}%","employeesCompleted":"{count} employee(s) completed","takeModuleQuiz":"Take Module Quiz","complianceReport":"Compliance Report","complianceReportDesc":"View employee completion data and download compliance evidence for Article 4 audits.","viewReport":"View Report","employeeTracker":"Employee Completions","employeeName":"Employee Name","modulesCompleted":"Modules Completed","lastActivity":"Last Activity","avgScore":"Avg. Score","noEmployees":"No employee completions recorded yet. Employees can take module quizzes and their results will appear here.","employeeEmail":"Email (optional)","enterName":"Enter employee name","enterEmail":"Enter email address","recordCompletion":"Record Your Completion","recordCompletionDesc":"Enter your name to record this quiz result for your organization's compliance report.","saveAndContinue":"Save & Continue","skip":"Skip","articleRef":"Article Reference","backToModule":"Back to Module","certificateNeedQuizzes":"Pass all 7 Essentials module quizzes to unlock your certificate.","report":{"title":"Compliance Report","description":"Overview of employee AI literacy training completions for Article 4 compliance.","totalEmployees":"Total Employees","modulesCovered":"Modules Covered","averageScore":"Average Score","noData":"No completion data available yet. Employee quiz results will appear here.","module":"Module","dateCompleted":"Date Completed","quizScore":"Quiz Score","status":"Status","passed":"Passed","failed":"Failed"},"pool":{"m1":{"q1":{"question":"A finance team uses a spreadsheet macro that applies fixed formulas to calculate monthly interest. A colleague argues this is an AI system under the EU AI Act. What is the correct assessment?","options":{"0":"It is an AI system because it processes data automatically","1":"It is an AI system because it makes financial calculations","2":"It is NOT an AI system — it follows fixed rules without inference or learning","3":"It depends on the complexity of the formulas"},"explanation":"Under Article 3(1), an AI system must infer from input to generate outputs. A spreadsheet macro follows hardcoded formulas without any inference, learning, or adaptation. Automation alone does not make something an AI system."},"q2":{"question":"A customer service department deploys a chatbot powered by a large language model (LLM) that generates contextual responses to customer queries. Is this an AI system under the EU AI Act?","options":{"0":"No, chatbots are explicitly excluded from the Act","1":"Yes — it infers from input to generate outputs, meeting Article 3(1)","2":"Only if it processes personal data","3":"Only if it makes decisions that affect people's rights"},"explanation":"An LLM-powered chatbot clearly meets Article 3(1): it is a machine-based system that infers from input how to generate outputs (natural language responses). The definition is about the technical capability, not about the impact on rights."},"q3":{"question":"Which of the following is a defining characteristic of an AI system according to Article 3(1)?","options":{"0":"It must use neural networks","1":"It must be connected to the internet","2":"It must be more accurate than human decision-making","3":"It may exhibit adaptiveness after deployment"},"explanation":"Article 3(1) states that an AI system 'may exhibit adaptiveness after deployment.' This is one of the key characteristics. The definition does not require neural networks, internet connectivity, or superiority over humans."},"q4":{"question":"A hospital uses a rule-based expert system that applies medical decision trees developed by doctors to suggest preliminary diagnoses. Is this considered an AI system?","options":{"0":"Yes — expert systems that infer diagnoses from symptoms meet the AI system definition","1":"No — rule-based systems are never AI systems","2":"Only if the system updates its rules automatically","3":"Only if the system replaces the doctor entirely"},"explanation":"The EU AI Act definition is broad and includes rule-based expert systems that use inference (reasoning from input data to generate outputs like diagnoses). Even without machine learning, a system that applies complex inference logic qualifies under Article 3(1)."},"q5":{"question":"A meteorological agency uses a machine learning model trained on historical weather data to predict next-week temperatures. A regulator asks if this falls under the EU AI Act. What is the correct response?","options":{"0":"No, weather prediction is excluded from the Act","1":"No, because it does not interact with people directly","2":"Yes, it is an AI system — but likely minimal risk with no mandatory obligations","3":"Yes, and it is high-risk because incorrect predictions could harm people"},"explanation":"A weather prediction ML model meets the Article 3(1) definition (infers from input). However, weather prediction does not fall into any Annex III high-risk category or Art. 50 limited-risk trigger, so it is classified as minimal risk with no mandatory obligations."},"q6":{"question":"An online store uses simple if/else rules to show 'Free shipping on orders over 50 EUR.' Is this an AI system?","options":{"0":"Yes, because it automates a decision","1":"No — simple conditional logic without inference is not an AI system","2":"Yes, because it influences consumer behavior","3":"It depends on how many rules there are"},"explanation":"Simple conditional logic (if order > 50 then free shipping) does not involve inference, learning, or autonomy. Article 3(1) requires that the system 'infers from the input it receives.' Basic rule execution is regular software, not AI."},"q7":{"question":"A streaming platform uses a recommendation engine that learns user preferences from viewing history to suggest content. How should this be classified?","options":{"0":"Not an AI system because it merely suggests, not decides","1":"An AI system only if it uses deep learning","2":"Not covered by the EU AI Act at all","3":"An AI system under Art. 3(1) — it infers preferences from input to generate recommendations"},"explanation":"A recommendation engine that learns from user data and generates personalized suggestions clearly meets Art. 3(1): it infers from input (viewing history) to generate outputs (recommendations). Whether it uses deep learning or collaborative filtering is irrelevant."},"q8":{"question":"A logistics company uses an optimization algorithm that finds the shortest delivery routes by evaluating millions of possible combinations. Is this an AI system under the EU AI Act?","options":{"0":"Yes — search and optimization methods that infer optimal solutions from input data qualify under Art. 3(1)","1":"No, because it only performs mathematical optimization","2":"Only if it uses machine learning to improve over time","3":"No, because logistics is not mentioned in the Act"},"explanation":"The AI system definition under Art. 3(1) explicitly covers systems that use various approaches including optimization methods. A system that evaluates input data and infers optimal solutions qualifies, regardless of whether it uses ML or classical optimization techniques."}},"m2":{"q1":{"question":"A hobbyist builds an AI model at home to sort their personal photo collection by location. They never share it. Does the EU AI Act apply?","options":{"0":"Yes, all AI systems in the EU are covered regardless of use","1":"No — Article 2(10) excludes AI used in personal non-professional activities","2":"Only if the model processes biometric data","3":"Yes, but they qualify for the minimal risk exemption"},"explanation":"Article 2(10) explicitly excludes AI systems 'used in the course of a purely personal non-professional activity.' A hobby project for personal photo sorting is clearly excluded from the scope of the Act."},"q2":{"question":"A defence contractor develops AI for autonomous weapon target identification. They argue the EU AI Act does not apply. Are they correct?","options":{"0":"No, all AI systems are covered by the Act","1":"No, weapons systems are specifically high-risk under Annex III","2":"Yes, but only if the AI is developed under a military contract","3":"Yes — Article 2(3) excludes AI developed or used exclusively for military purposes"},"explanation":"Article 2(3) explicitly excludes AI systems 'developed or used exclusively for military purposes.' Defence applications that are exclusively military in nature fall outside the Act's scope. However, dual-use systems may still be covered."},"q3":{"question":"An open-source developer releases a general-purpose AI model under an Apache 2.0 license. Under the EU AI Act, what obligations apply?","options":{"0":"Open-source GPAI models are exempt from most provider obligations unless they pose systemic risk (Art. 53(2))","1":"All obligations apply identically to open-source and commercial AI","2":"Open-source AI is completely exempt from the Act","3":"Only documentation obligations apply to open-source"},"explanation":"Article 53(2) provides a limited exemption for open-source GPAI models: they only need to comply with copyright/training data transparency and making a summary available. However, this exemption does not apply if the model poses systemic risk."},"q4":{"question":"A US company sells an AI-powered hiring tool to European businesses. The AI is developed, trained, and hosted entirely in the USA. Does the EU AI Act apply?","options":{"0":"No, the Act only applies to AI developed in the EU","1":"Only if the company has an EU subsidiary","2":"Yes — Article 2(1) covers providers placing AI systems on the EU market, regardless of where they are established","3":"Only if the AI processes EU citizens' personal data"},"explanation":"Article 2(1) applies to providers who place on the market or put into service AI systems in the Union, regardless of whether those providers are established in the EU or a third country. The territorial scope is based on market availability, not establishment."},"q5":{"question":"A university's computer science department builds experimental AI models purely for published academic research, with no commercial application. Does the Act apply?","options":{"0":"Yes, universities are not exempt from the Act","1":"No — Article 2(6) excludes AI developed and used exclusively for scientific research and development","2":"Only if the research involves human subjects","3":"Yes, but reduced obligations apply under the research exemption"},"explanation":"Article 2(6) provides an exclusion for AI systems and models 'specifically developed and put into service for the sole purpose of scientific research and development.' However, this only applies if the AI is not subsequently placed on the market or put into service."},"q6":{"question":"What was the primary reason the EU created a dedicated law for AI systems rather than relying on existing regulations?","options":{"0":"To compete with China's AI regulations","1":"To protect data privacy, which was not covered by GDPR","2":"To ban all AI development in the EU","3":"To create a harmonized approach across all member states, preventing 27 different national AI laws"},"explanation":"The EU AI Act's purpose (Art. 1) is to establish uniform rules across all member states. Without it, individual countries would create their own AI regulations, fragmenting the single market and creating legal uncertainty for businesses operating across the EU."},"q7":{"question":"Which fundamental principle underpins the EU AI Act's regulatory approach?","options":{"0":"Risk-based regulation — obligations scale with the level of risk the AI poses","1":"Technology-neutral regulation — all software is treated the same","2":"Precautionary principle — all AI is restricted until proven safe","3":"Self-regulation — industry standards replace legal requirements"},"explanation":"The EU AI Act follows a risk-based approach: minimal-risk systems have no obligations, limited-risk systems have transparency requirements, high-risk systems have comprehensive obligations, and unacceptable-risk systems are banned. Obligations scale with risk."},"q8":{"question":"The EU AI Act entered into force on 1 August 2024. When do the provisions for prohibited AI practices start applying?","options":{"0":"Immediately upon entry into force (1 August 2024)","1":"6 months after entry into force","2":"2 February 2025 — 6 months after entry into force","3":"2 August 2026 — same as high-risk systems"},"explanation":"Article 113 sets a phased timeline. Prohibited practices (Art. 5) apply from 2 February 2025 — six months after entry into force. This was the earliest enforcement date, reflecting the urgency of banning the most harmful AI applications."}},"m3":{"q1":{"question":"A retail bank deploys an AI system that automatically approves or rejects consumer loan applications based on creditworthiness analysis. How should this be classified?","options":{"0":"Limited risk — it only needs transparency about AI use","1":"High-risk under Annex III, area 5(b) — evaluating creditworthiness of natural persons","2":"Minimal risk — financial services are not specifically regulated","3":"Prohibited — automated loan decisions are banned"},"explanation":"Annex III, area 5(b) explicitly lists 'evaluating the creditworthiness of natural persons or establishing their credit score' as high-risk. This applies to the banking use case directly, requiring full compliance with Articles 8-49."},"q2":{"question":"An HR department uses AI to screen CVs and rank job applicants by suitability. A compliance officer asks about the risk classification. What is the correct answer?","options":{"0":"High-risk under Annex III, area 4(a) — recruitment, screening applications, evaluating candidates","1":"Limited risk — the AI only assists, it doesn't decide","2":"Minimal risk — CV screening is a routine administrative task","3":"It depends on whether the applicants are EU citizens"},"explanation":"Annex III, area 4(a) explicitly covers AI systems used for 'recruitment or selection of natural persons, in particular to place targeted job advertisements, to screen or filter applications, or to evaluate candidates.' This is high-risk regardless of whether the AI makes final decisions."},"q3":{"question":"A tech company deploys a customer service chatbot that answers product questions and processes returns. How should this be classified under the EU AI Act?","options":{"0":"High-risk because it makes decisions about returns","1":"Prohibited because it may manipulate customers","2":"Minimal risk with no obligations","3":"Limited risk under Article 50 — must inform users they are interacting with AI"},"explanation":"A customer service chatbot falls under Article 50(1): systems that interact directly with natural persons must inform them that they are interacting with an AI system (unless obvious from context). This is a limited-risk classification with transparency obligations only."},"q4":{"question":"An AI system is embedded as a safety component in a medical diagnostic device that requires CE marking under the Medical Devices Regulation. Which classification pathway applies?","options":{"0":"The AI is not regulated because it's part of a medical device","1":"Limited risk — only transparency is required","2":"High-risk via Annex III, area 1","3":"High-risk via Article 6(1) / Annex I — safety component of a product under EU harmonisation legislation requiring third-party assessment"},"explanation":"When AI is a safety component of a product covered by EU harmonisation legislation listed in Annex I (like the Medical Devices Regulation), it is classified as high-risk via Art. 6(1), with conformity assessment per the sector-specific legislation. Note: the application date is Aug 2, 2027 for these."},"q5":{"question":"A city council uses an AI system to assign social benefit scores to citizens, then uses those scores to determine who gets priority access to social housing. What is the classification?","options":{"0":"High-risk under Annex III, area 5(a)","1":"Prohibited under Article 5(1)(c) — social scoring by a public authority leading to detrimental treatment in unrelated contexts","2":"Limited risk — only needs transparency","3":"Minimal risk — social housing allocation is not in Annex III"},"explanation":"Article 5(1)(c) prohibits AI systems that evaluate or classify natural persons based on social behavior leading to detrimental treatment in contexts unrelated to the original data collection, or disproportionate treatment. A public authority using social scores for housing allocation fits this prohibition."},"q6":{"question":"A company uses an AI-powered spam filter to automatically sort incoming emails. What is the risk classification?","options":{"0":"Minimal risk — email spam filtering has no specific obligations under the Act","1":"Limited risk — must disclose AI use to email senders","2":"High-risk — affects freedom of communication","3":"Prohibited — intercepting communications is banned"},"explanation":"Email spam filtering does not fall into any Annex III high-risk category, nor does it trigger Art. 50 limited-risk transparency obligations (it does not interact with persons or generate content). It is minimal risk with no mandatory obligations."},"q7":{"question":"A school installs an AI system that monitors students' facial expressions during exams to detect signs of cheating via emotion recognition. What is the correct classification?","options":{"0":"Minimal risk — exam monitoring is standard practice","1":"Limited risk — transparency notice is sufficient","2":"Prohibited under Article 5(1)(f) — emotion recognition in educational institutions","3":"High-risk under Annex III, area 3(d)"},"explanation":"Article 5(1)(f) prohibits emotion recognition systems in the workplace and educational institutions. A system detecting emotions of students during exams at school is directly prohibited, with narrow exceptions only for medical or safety reasons."},"q8":{"question":"An insurance company uses AI to pre-sort claims documents by type (e.g., accident reports vs. medical bills) before human adjusters review them. The AI falls under Annex III area 5(c). Can the Article 6(3) exception apply?","options":{"0":"No — exceptions never apply to financial services","1":"No — because the system processes personal data","2":"Yes, but only if the company is an SME","3":"Yes — if the AI only performs a narrow procedural task (document sorting) and does not profile individuals, the Art. 6(3) exception may apply"},"explanation":"Article 6(3) allows Annex III systems to be classified as non-high-risk if they only perform narrow procedural tasks (like document sorting) AND do not profile natural persons. Pre-sorting documents by type without evaluating individuals' personal characteristics could qualify."}},"m4":{"q1":{"question":"A tech startup develops an AI advertising platform that uses subliminal audio patterns imperceptible to conscious hearing to make users more receptive to purchase decisions. Users report increased spending without understanding why. What is the assessment?","options":{"0":"High-risk requiring documentation and conformity assessment","1":"Limited risk requiring transparency disclosure","2":"Prohibited under Article 5(1)(a) — subliminal techniques that materially distort behavior and cause significant harm","3":"Legal as long as users agree to terms of service"},"explanation":"Article 5(1)(a) prohibits AI systems that use subliminal techniques beyond a person's consciousness to materially distort behavior, causing or likely to cause significant harm. Imperceptible audio patterns influencing purchasing decisions clearly meets this prohibition."},"q2":{"question":"A company deploys AI in its call center that monitors employee voice patterns in real-time to assess their emotional state and flag agents who seem 'disengaged.' Is this permitted?","options":{"0":"Yes, employers can monitor employee performance","1":"Prohibited under Article 5(1)(f) — emotion recognition in the workplace","2":"Permitted if employees consent","3":"High-risk but allowed with proper documentation"},"explanation":"Article 5(1)(f) prohibits AI systems that infer emotions of natural persons in the workplace. Monitoring employee emotional states via voice analysis at work is directly banned, with very narrow exceptions only for medical or safety reasons."},"q3":{"question":"A municipal government builds an AI system that collects data on citizens' recycling habits, social media activity, and neighborhood behavior to generate a 'civic responsibility score.' Citizens with low scores face longer wait times at government offices. What is the classification?","options":{"0":"Prohibited under Article 5(1)(c) — social scoring by public authorities leading to detrimental treatment in unrelated contexts","1":"High-risk under Annex III, area 5(a)","2":"Limited risk with transparency obligations","3":"Legal if the scoring criteria are transparent"},"explanation":"Article 5(1)(c) prohibits AI social scoring by or on behalf of public authorities that leads to detrimental treatment in contexts unrelated to the original data collection or that is disproportionate. Using recycling data to affect government service wait times is a textbook example of this prohibition."},"q4":{"question":"A law enforcement agency uses AI to scrape publicly available social media profile pictures and match them against a database for identification purposes. The images are collected without individuals' knowledge. What applies?","options":{"0":"Permitted for law enforcement with judicial authorization","1":"High-risk under Annex III, area 6(e)","2":"Limited risk — only transparency is needed","3":"Prohibited under Article 5(1)(e) — untargeted scraping of facial images from the internet to build facial recognition databases"},"explanation":"Article 5(1)(e) prohibits the creation or expansion of facial recognition databases through untargeted scraping of facial images from the internet or CCTV footage. Collecting social media profile pictures without consent for identification purposes violates this prohibition."},"q5":{"question":"An online marketplace uses AI to identify elderly users (based on browsing patterns and account age) and shows them artificially inflated prices because they are less likely to comparison shop. What is the assessment?","options":{"0":"Legal if disclosed in terms of service","1":"Prohibited under Article 5(1)(b) — exploiting vulnerabilities of specific groups (age) to materially distort behavior and cause significant harm","2":"High-risk under Annex III, area 5","3":"Limited risk requiring price transparency"},"explanation":"Article 5(1)(b) prohibits AI that exploits vulnerabilities of specific groups — including age — to materially distort their behavior in a way that causes or is likely to cause significant harm. Targeting elderly users with inflated prices directly exploits age-related vulnerability."},"q6":{"question":"Police in a European city want to use real-time facial recognition cameras in a public square to identify known criminals during a football match with high hooliganism risk. Under what conditions might this be permitted?","options":{"0":"It is always permitted for public safety at large events","1":"It is always prohibited with no exceptions","2":"Only with prior judicial authorization and if searching for suspects of specific serious crimes listed in Annex II (Article 5(2)(c) and 5(3))","3":"Only if the cameras do not store data permanently"},"explanation":"Article 5(1)(h) prohibits real-time remote biometric identification in publicly accessible spaces for law enforcement, but Art. 5(2) provides three narrow exceptions. For known criminal identification, Art. 5(2)(c) allows it only for suspects of serious crimes listed in Annex II, and Art. 5(3) requires prior judicial authorization."},"q7":{"question":"A political research firm develops AI that scans social media posts to categorize individuals by their likely political affiliation based on facial features analysis. What is the classification?","options":{"0":"Prohibited under Article 5(1)(g) — biometric categorization inferring political opinions from biometric data","1":"High-risk under Annex III, area 8(b)","2":"Limited risk — only needs transparency disclosure","3":"Legal for legitimate research purposes"},"explanation":"Article 5(1)(g) prohibits AI systems that use biometric categorization to individually categorize natural persons to infer their political opinions, among other sensitive attributes. Using facial analysis to predict political affiliation falls squarely within this prohibition."},"q8":{"question":"A police department uses an AI system that predicts which neighborhoods will have the most crime next month based purely on historical crime statistics, with no individual profiling. A different department uses AI to predict which specific individuals are likely to commit crimes based on personality assessments. How do these compare?","options":{"0":"Both are prohibited under Article 5","1":"Both are high-risk but permitted","2":"Both are minimal risk","3":"The area-prediction is high-risk (Annex III 6(d)); the individual profiling is prohibited (Art. 5(1)(d)) — predicting crime risk based solely on profiling or personality assessment is banned"},"explanation":"Article 5(1)(d) prohibits AI that assesses the risk of a natural person committing a criminal offense based solely on profiling or personality traits. However, area-based crime prediction using historical statistics (not targeting individuals) falls under Annex III area 6(d) as high-risk, not prohibited."}},"m5":{"q1":{"question":"Company A develops an AI fraud detection system. Company B licenses it, rebrands it as 'FraudGuard Pro,' and sells it to banks under Company B's name. Under the EU AI Act, who is the provider?","options":{"0":"Company A, because they developed the technology","1":"Company B — they place it on the market under their own name/trademark, making them the provider under Art. 3(3)","2":"Both companies equally share provider obligations","3":"The banks that buy it become the providers"},"explanation":"Article 3(3) defines a provider as someone who 'places it on the market or puts the AI system into service under its own name or trademark.' Company B places the system on the market under 'FraudGuard Pro,' making them the provider with full provider obligations."},"q2":{"question":"A company deploys a high-risk AI system from a vendor. The company's engineers then modify the system's training data and retrain the model to work for a completely different intended purpose than what was specified by the vendor. What happens under the Act?","options":{"0":"Nothing changes — the original vendor remains the provider","1":"The company must notify the vendor of changes","2":"The company loses the right to use the system","3":"The company becomes a provider under Article 25 — substantial modification for a different intended purpose triggers role-shifting from deployer to provider"},"explanation":"Article 25(1)(c) states that a deployer who substantially modifies a high-risk AI system in a way that changes its intended purpose becomes a provider. Retraining for a completely different purpose is a textbook substantial modification triggering role-shifting."},"q3":{"question":"A marketing agency uses a third-party AI-powered analytics tool (SaaS) to segment their customer lists. They do not modify the tool, rebrand it, or change its purpose. What is the agency's role under the EU AI Act?","options":{"0":"Deployer under Article 3(4) — using an AI system under their authority for business purposes","1":"Provider because they control the input data","2":"Neither — SaaS tools are exempt from the Act","3":"Distributor because they distribute insights to their clients"},"explanation":"Article 3(4) defines a deployer as 'a natural or legal person using an AI system under its authority except in personal non-professional activity.' The agency uses the AI tool for business purposes without modification, making them a deployer."},"q4":{"question":"A deployer using a high-risk AI HR system discovers that the system systematically underscores candidates with non-European names. Rather than reporting this, they modify the scoring algorithm's weights to compensate. What are the legal implications?","options":{"0":"This is responsible AI governance with no legal issue","1":"The deployer has violated their duty to monitor and report to the provider","2":"By substantially modifying the system, the deployer has triggered Article 25 role-shifting and now has full provider obligations","3":"The modification is permitted because it reduces bias"},"explanation":"Article 25 states that if a deployer makes a substantial modification to a high-risk AI system, they become a provider with all associated obligations. Modifying the scoring algorithm's weights is a substantial modification that changes the system's functioning, triggering role-shifting."},"q5":{"question":"A person uses a publicly available AI image generator to create artwork for their apartment walls — purely for personal decoration. Does the EU AI Act impose obligations on them?","options":{"0":"Yes, they must label the images as AI-generated","1":"No — Article 2(10) excludes AI used for personal non-professional activities from the Act's scope","2":"Only if they share the images on social media","3":"Yes, but only minimal-risk transparency obligations"},"explanation":"Article 2(10) explicitly excludes AI systems 'used in the course of a purely personal non-professional activity.' Creating personal artwork for home decoration is non-professional personal use, so no obligations apply to this individual."},"q6":{"question":"A German AI startup develops a customer churn prediction system and sells it to telecom companies across the EU. In the EU AI Act framework, what is the startup's role?","options":{"0":"Provider under Article 3(3) — they develop an AI system and place it on the Union market under their name","1":"Deployer because the telecom companies use the system","2":"Distributor because they sell the system to end users","3":"Importer because they bring the system to different EU countries"},"explanation":"Article 3(3) defines a provider as one who 'develops an AI system and places it on the market or puts it into service under its own name or trademark.' The startup develops and sells the system, making them the provider."},"q7":{"question":"A company both develops an AI fraud detection system (which it sells to others) AND uses the same system internally for its own fraud monitoring. What is the company's role?","options":{"0":"Provider only, because they developed it","1":"Deployer only, because they use it","2":"The role depends on which activity generates more revenue","3":"Both provider AND deployer — provider for the systems sold to others, and deployer for their own internal use"},"explanation":"A company can hold both roles simultaneously. They are a provider under Art. 3(3) when they sell the system to others under their name, and a deployer under Art. 3(4) when they use the same system under their own authority for internal purposes."},"q8":{"question":"A non-EU company sells AI systems to EU customers but has no EU presence. What must they do before placing the system on the EU market?","options":{"0":"Nothing — the Act only applies to EU-established entities","1":"Register with the European AI Office directly","2":"Appoint an authorized representative established in the EU by written mandate before placing the system on the market (Art. 22)","3":"Transfer ownership to an EU entity"},"explanation":"Article 22 requires non-EU providers to appoint an authorized representative established in the EU by written mandate before placing their AI system on the market. This representative acts on behalf of the provider for compliance purposes."}},"m6":{"q1":{"question":"A provider of a high-risk AI system asks when they must create their Annex IV technical documentation. Their engineering team suggests doing it after the system has been on the market for a year to incorporate real-world performance data. Is this approach correct?","options":{"0":"Yes, real-world data makes documentation more accurate","1":"No — but documentation can be created anytime before the first compliance audit","2":"No — Article 11 requires technical documentation to be drawn up BEFORE placing the system on the market or putting it into service","3":"Yes, if they document the intention to create it later"},"explanation":"Article 11(1) is explicit: technical documentation must be 'drawn up before that system is placed on the market or put into service.' Waiting until after market placement violates this requirement. Documentation must be prepared during development."},"q2":{"question":"A company deploys a high-risk AI system for employee performance evaluation. The system vendor provided a comprehensive instruction manual. What are the deployer's key obligations?","options":{"0":"Assign competent, trained persons for human oversight (Art. 26(2)), ensure input data quality (Art. 26(4)), and monitor the system's operation (Art. 26(5))","1":"Only read the manual and follow the instructions","2":"Create their own technical documentation","3":"No obligations — the provider handles everything"},"explanation":"Deployers have multiple obligations under Art. 26: assign competent human oversight personnel (26(2)), ensure input data is relevant and representative (26(4)), monitor for risks and report issues to the provider (26(5)), and retain auto-generated logs for at least 6 months (26(6))."},"q3":{"question":"A company has 45 employees and uses AI. Their legal department says Article 4 AI literacy requirements do not apply to them because they are too small. Is the legal department correct?","options":{"0":"No — there is no size-based exemption","1":"Yes, companies under 50 employees are exempt","2":"Only partially — they must comply but with simplified requirements","3":"Article 4 AI literacy applies to ALL providers and deployers regardless of size — the legal department is wrong"},"explanation":"Article 4 requires ALL providers and deployers to ensure sufficient AI literacy among their staff and others dealing with AI systems on their behalf. There is no exemption based on company size. Even micro-enterprises must ensure their personnel have adequate understanding."},"q4":{"question":"How long must a provider of a high-risk AI system keep their technical documentation available for authorities?","options":{"0":"5 years from the date of first sale","1":"10 years after the system is placed on the market or put into service (Art. 18)","2":"As long as the system is in active use","3":"3 years from the last system update"},"explanation":"Article 18 requires providers to keep technical documentation for a minimum of 10 years after the AI system is placed on the market or put into service. This is one of the longest retention periods in EU tech regulation."},"q5":{"question":"A provider creates a high-risk AI system. Which of the following is NOT part of the risk management system required under Article 9?","options":{"0":"Identifying and analyzing known and reasonably foreseeable risks","1":"Eliminating ALL possible risks, including those with extremely low probability","2":"Adopting appropriate risk mitigation measures","3":"Testing to ensure the system meets requirements"},"explanation":"Article 9 requires identifying, analyzing, and mitigating risks, but it does not require eliminating ALL risks. It requires reducing risks 'as far as possible' and communicating residual risks to deployers. A risk management system must be proportionate and practical."},"q6":{"question":"A deployer of a high-risk AI system must retain automatically generated logs. What is the minimum retention period?","options":{"0":"6 months minimum, as specified in Article 26(6)","1":"1 year minimum","2":"3 years minimum","3":"10 years, same as the provider's documentation retention"},"explanation":"Article 26(6) requires deployers to keep auto-generated logs for a period 'appropriate to the intended purpose of the high-risk AI system, of at least six months.' The minimum is 6 months, though the appropriate period may be longer depending on the system's purpose."},"q7":{"question":"A high-risk AI provider is setting up their Quality Management System (QMS) as required by Article 17. Which of the following must be included?","options":{"0":"Only a testing and validation procedure","1":"Only a record-keeping system","2":"Only a compliance strategy document","3":"All of the above plus data management, risk management, post-market monitoring, incident reporting, and accountability framework"},"explanation":"Article 17 requires a comprehensive QMS including: compliance strategy, design/development procedures, testing/validation, data management, risk management integration, post-market monitoring, incident reporting, communication with authorities, record-keeping, resource management, and an accountability framework."},"q8":{"question":"A provider of a high-risk AI system discovers that the system is making incorrect assessments in certain edge cases after deployment. What must they do according to Article 72?","options":{"0":"Nothing, unless a formal complaint is filed","1":"The post-market monitoring system must be used to collect and analyze performance data, and appropriate corrective action must be taken (Art. 72 + Art. 20)","2":"Immediately withdraw the system from the market permanently","3":"Only inform the deployers via an updated FAQ document"},"explanation":"Article 72 requires providers to establish a post-market monitoring system to actively collect and analyze data on performance. When issues are discovered, Art. 20 requires appropriate corrective actions — which could range from software updates to withdrawal, depending on severity."}},"m7":{"q1":{"question":"A company realizes in January 2025 that their AI system performs social scoring. Their CEO says they have until August 2026 to address this. Is the CEO correct?","options":{"0":"Yes, all AI Act provisions apply from August 2026","1":"No — prohibited practices under Article 5 have been enforceable since 2 February 2025","2":"No, but they have until February 2026","3":"Yes, because enforcement depends on national implementation"},"explanation":"Article 113 sets a phased timeline. Prohibited practices (Art. 5) apply from 2 February 2025 — just 6 months after the Act entered into force. This is the earliest enforcement date. The company is already in violation if they are performing social scoring."},"q2":{"question":"A company deploys a high-risk AI system for employee recruitment. When must they comply with all deployer obligations?","options":{"0":"Immediately — the Act is already fully applicable","1":"2 February 2025, same as prohibited practices","2":"1 August 2025, for GPAI provisions","3":"2 August 2026 — Annex III high-risk system obligations apply from this date"},"explanation":"Article 113 specifies that obligations for Annex III high-risk systems (including recruitment AI) apply from 2 August 2026. This gives providers and deployers approximately 2 years from entry into force to achieve compliance."},"q3":{"question":"A large tech company (annual turnover: EUR 10 billion) knowingly deploys a prohibited AI system. What is the maximum fine they face?","options":{"0":"EUR 35 million or 7% of worldwide annual turnover, whichever is higher — so up to EUR 700 million","1":"EUR 15 million or 3% of turnover","2":"EUR 7.5 million maximum","3":"Criminal prosecution only, no fines"},"explanation":"Article 99(3) sets the penalty for prohibited practices at up to EUR 35 million or 7% of total worldwide annual turnover, whichever is higher. For a company with EUR 10 billion turnover, 7% = EUR 700 million, which exceeds the EUR 35 million threshold."},"q4":{"question":"An SME with 30 employees and EUR 5 million turnover violates the AI Act's requirements for high-risk systems. How are their penalties calculated compared to large enterprises?","options":{"0":"Same penalties apply regardless of company size","1":"SMEs are completely exempt from penalties","2":"Article 99(6) requires penalties to be effective, proportionate, and dissuasive, taking into account the interests of SMEs — penalties may be reduced","3":"SMEs only pay 50% of the standard fine"},"explanation":"Article 99(6) explicitly states that when imposing fines, the size and resources of the entity must be considered. While there is no fixed discount for SMEs, penalties must be proportionate to the undertaking's size, meaning SMEs will typically face lower absolute fines."},"q5":{"question":"When do obligations for providers of general-purpose AI (GPAI) models begin to apply?","options":{"0":"2 February 2025, same as prohibited practices","1":"1 August 2025 — 12 months after entry into force","2":"2 August 2026, same as high-risk systems","3":"2 August 2027, same as Annex I systems"},"explanation":"Article 113 specifies that GPAI model obligations apply from 1 August 2025, which is 12 months after the Act entered into force. This is between the prohibited practices date (Feb 2025) and the high-risk systems date (Aug 2026)."},"q6":{"question":"Each EU member state must designate at least one national competent authority to oversee AI Act enforcement. What is the primary role of this authority?","options":{"0":"Market surveillance: monitoring compliance, investigating violations, imposing corrective measures, and handling complaints from the public","1":"Developing AI systems for the government","2":"Certifying all AI systems before they can be sold","3":"Only educating companies about AI regulation"},"explanation":"Under Art. 70, national competent authorities are responsible for market surveillance — they monitor compliance, investigate potential violations, order corrective measures, and serve as the point of contact for complaints. They do not develop AI or pre-certify all systems."},"q7":{"question":"The European AI Office, established within the European Commission, has a specific role under the EU AI Act. What is its primary responsibility?","options":{"0":"Replacing national authorities in all member states","1":"Developing the EU's own AI systems","2":"Only maintaining the EU database of AI systems","3":"Overseeing GPAI model compliance, coordinating cross-border enforcement, and developing guidelines and codes of practice"},"explanation":"The AI Office's primary responsibilities include overseeing compliance of GPAI models (Art. 88), coordinating cross-border enforcement activities, developing implementation guidelines, and facilitating the development of codes of practice for GPAI providers."},"q8":{"question":"AI systems that are safety components of products covered by EU harmonisation legislation in Annex I have a different compliance deadline. When must they comply?","options":{"0":"2 February 2025","1":"1 August 2025","2":"2 August 2027 — 36 months after entry into force, giving one additional year compared to Annex III systems","3":"They are permanently exempt"},"explanation":"Article 113 gives Annex I (product safety pathway) systems until 2 August 2027 — a full year later than Annex III systems. This additional time recognizes the complexity of coordinating with existing product safety legislation and conformity assessment procedures."}},"m8":{"q1":{"question":"A bank uses AI to pre-approve credit applications. The system matches Annex III area 5(b) — creditworthiness evaluation. However, the bank argues the AI only does initial sorting before human review. Does this make it non-high-risk?","options":{"0":"Yes, human review always removes the high-risk classification","1":"No — human review does not automatically remove high-risk status; the AI still influences the assessment","2":"It depends on the percentage of applications reviewed","3":"Yes, if the human can override the AI decision"},"explanation":"Matching an Annex III category makes a system high-risk. Human review may be part of the human oversight requirements (Art. 14), but it does not reclassify the system. The Art. 6(3) exception requires specific conditions (narrow procedural task, no profiling), not merely human review."},"q2":{"question":"An insurance company's AI system is used solely to detect fraudulent claims by flagging anomalous patterns for human review. It falls within Annex III area 5(c) (insurance). Can this be classified as non-high-risk?","options":{"0":"Yes — fraud detection systems are explicitly excepted from the high-risk classification under Annex III area 5(b), and a similar logic applies to insurance fraud detection","1":"No — all insurance AI is automatically high-risk","2":"Only if the company is an SME","3":"It depends on the volume of claims processed"},"explanation":"Annex III area 5(b) explicitly states that credit scoring systems 'for the sole purpose of detecting financial fraud' are not high-risk. For insurance (area 5(c)), if the AI only detects fraud patterns without assessing risk or pricing, the Art. 6(3) exception (pattern detection without replacing human assessment) may apply."},"q3":{"question":"A company's HR AI system falls under Annex III area 4(a) for recruitment. The company argues the Art. 6(3) exception applies because the AI only performs a 'narrow procedural task' — converting CV formats to a standard template. Could this argument succeed?","options":{"0":"No — format conversion never qualifies as a narrow procedural task","1":"Yes, but only for CVs under 2 pages","2":"It depends on whether the system is cloud-based","3":"Yes — if the AI genuinely only performs format conversion (Art. 6(3)(a) narrow procedural task) and does not evaluate, rank, or profile candidates, the exception may apply"},"explanation":"Article 6(3)(a) allows the exception for systems performing a 'narrow procedural task.' Pure format conversion (e.g., turning various CV formats into a standard template) without any evaluation or ranking could qualify. The key question is whether the system truly ONLY does format conversion."},"q4":{"question":"An AI system falls under Annex III area 4(b) for workplace monitoring. The company argues the Art. 6(3) exception applies because the AI only detects anomalies without making decisions. However, the system profiles employees by tracking their work patterns. Does the exception apply?","options":{"0":"Yes, anomaly detection always qualifies for the exception","1":"No — profiling natural persons overrides ALL Art. 6(3) exception criteria; if the system profiles people, it is ALWAYS high-risk","2":"It depends on the type of anomaly detection","3":"Yes, because monitoring is different from profiling"},"explanation":"Article 6(3) is explicit: the exception does NOT apply if the AI system 'performs profiling of natural persons.' Tracking employees' work patterns to evaluate their performance constitutes profiling under GDPR Art. 4(4). Profiling is a hard override — no matter which exception criterion is met."},"q5":{"question":"An AI system is a safety component of a railway signalling system. The railway equipment is listed in Annex I of the EU AI Act. What classification pathway applies?","options":{"0":"Minimal risk — railways are not in Annex III","1":"Limited risk under Article 50","2":"High-risk via Article 6(1) / Annex I — safety component of a product under EU harmonisation legislation requiring third-party conformity assessment","3":"Prohibited — automated control of transport is banned"},"explanation":"Article 6(1) classifies AI as high-risk when it is a safety component of a product covered by EU harmonisation legislation listed in Annex I AND that product requires third-party conformity assessment. Railway signalling is covered by EU harmonisation legislation."},"q6":{"question":"A private company uses AI for remote biometric identification of employees entering their secure facility (non-public space). How is this classified?","options":{"0":"High-risk under Annex III area 1(a) — remote biometric identification systems, even in non-public spaces","1":"Prohibited — all biometric identification is banned","2":"Limited risk — only transparency is required","3":"Minimal risk — workplace access control has no obligations"},"explanation":"Annex III area 1(a) covers remote biometric identification systems. The Art. 5 prohibition only applies to REAL-TIME biometric ID in PUBLICLY ACCESSIBLE spaces for LAW ENFORCEMENT. A private company's secure facility is not a publicly accessible space, so the system is high-risk under Annex III, not prohibited."},"q7":{"question":"An AI system used by a university to evaluate student essays and assign grades falls under which Annex III category?","options":{"0":"Not in Annex III — education AI is minimal risk","1":"High-risk under Annex III area 3(b) — evaluating learning outcomes","2":"Prohibited — AI grading is banned in education","3":"Limited risk — only transparency is required"},"explanation":"Annex III area 3(b) covers AI systems 'intended to be used for evaluating learning outcomes, including when those outcomes are used to steer the learning process.' An automated essay grading system directly falls into this high-risk category."},"q8":{"question":"A police department uses AI to assess the reliability of forensic evidence (e.g., analyzing DNA match probabilities). Which Annex III category applies?","options":{"0":"Not in Annex III — forensic analysis is outside scope","1":"Annex III area 6(a) — assessing crime victim risk","2":"Annex III area 6(d) — assessing re-offending risk","3":"High-risk under Annex III area 6(c) — evaluating the reliability of evidence in criminal investigations"},"explanation":"Annex III area 6(c) specifically covers AI systems 'intended to be used by law enforcement authorities for evaluating the reliability of evidence in the course of investigation or prosecution of criminal offences.' DNA match probability analysis falls directly under this category."}},"m9":{"q1":{"question":"A high-risk AI provider is preparing their Annex IV technical documentation. Their documentation covers the system's architecture but omits training data governance. Is this acceptable?","options":{"0":"Yes, training data details are only needed for deep learning systems","1":"No — Annex IV requires comprehensive documentation of data governance practices, including training, validation, and test datasets","2":"Only if the provider is an SME","3":"Yes, data governance is a separate GDPR requirement"},"explanation":"Annex IV Section 2 explicitly requires documentation of data governance practices, including training/validation/test data description, design choices for data selection, data provenance, labeling procedures, and data cleaning methods. Omitting this is non-compliant."},"q2":{"question":"What specific information about training data must be included in Annex IV technical documentation?","options":{"0":"Only the volume of training data used","1":"Only a description of the data sources","2":"Only evidence that data was legally obtained","3":"Data provenance, acquisition methods, labeling procedures, cleaning methods, data gaps, and measures to detect bias"},"explanation":"Annex IV requires comprehensive training data documentation: description of datasets, design choices, data provenance, how data was acquired, labeling and cleaning procedures, detection of potential gaps and biases, and measures to address them."},"q3":{"question":"A small company (20 employees, EUR 3M turnover) provides a high-risk AI system. Can they benefit from any simplification of Annex IV documentation requirements?","options":{"0":"Yes — Article 11(2) allows SMEs to provide simplified technical documentation with a reduced set of elements defined by the European Commission","1":"No — all providers must meet identical documentation standards","2":"SMEs are exempt from documentation requirements entirely","3":"Only micro-enterprises get simplified requirements"},"explanation":"Article 11(2) explicitly allows 'micro, small and medium-sized enterprises, including start-ups' to comply with simplified elements of Annex IV documentation. The Commission will specify which elements can be simplified in an implementing act."},"q4":{"question":"Annex IV Section 1 requires a 'general description' of the AI system. Which of the following must be included?","options":{"0":"Only the system name and version number","1":"The provider's marketing materials","2":"The system's intended purpose, provider identity, version, how the system interacts with hardware/software, forms of distribution, and hardware requirements","3":"Only what the system does in non-technical language"},"explanation":"Annex IV Section 1 requires a comprehensive general description: system name, provider identity, version, intended purpose, hardware/software interaction, distribution forms, hardware requirements, UI description, and instructions for use."},"q5":{"question":"A provider's technical documentation includes performance metrics showing 95% accuracy in testing. Is this sufficient for the Annex IV Section 4 requirements?","options":{"0":"Yes, a single accuracy figure is sufficient","1":"No — Section 4 requires documented metrics AND an explanation of why those specific metrics are appropriate for the system's intended purpose, plus known limitations","2":"Only if accuracy exceeds 90%","3":"Yes, as long as the testing methodology is documented"},"explanation":"Annex IV Section 4 requires not just performance metrics but also an explanation of the appropriateness of those metrics for the intended purpose. Simply stating '95% accuracy' without explaining what was measured, how, and why that metric is meaningful is insufficient."},"q6":{"question":"After a high-risk AI system is placed on the market, the provider makes significant improvements to the model. What must happen to the technical documentation?","options":{"0":"The original documentation must be updated to reflect changes and kept current throughout the system's lifecycle (Art. 11(1))","1":"A new document must be created from scratch","2":"No updates needed — documentation is only required at market placement","3":"Updates are optional but recommended"},"explanation":"Article 11(1) requires technical documentation to be 'kept up to date.' This means providers must update the documentation when significant changes are made. The documentation must reflect the current state of the system throughout its lifecycle."},"q7":{"question":"Annex IV includes a section on 'lifecycle changes.' What does this section require the provider to document?","options":{"0":"Only the initial development timeline","1":"Only planned future updates","2":"Only the system's expected end-of-life date","3":"Predetermined changes to the system, information on how the system handles updates, and how changes are managed throughout the lifecycle"},"explanation":"Annex IV's lifecycle section requires documenting predetermined changes (changes planned at design time), how the system handles updates and modifications, and the overall change management approach throughout the system's operational life."},"q8":{"question":"A provider's technical documentation must include a post-market monitoring plan. What is the minimum content required?","options":{"0":"A statement of intent to monitor the system","1":"Only contact details for reporting issues","2":"A documented system for collecting and analyzing performance data throughout the system's lifetime, proportionate to the nature and risks of the system (Art. 72)","3":"Only a plan to check for software bugs"},"explanation":"Article 72 requires a 'documented post-market monitoring system' that is proportionate to the nature and risks. It must include methods for actively and systematically collecting, documenting, and analyzing data on the system's performance throughout its lifetime."}},"m10":{"q1":{"question":"A provider's risk management team performs a one-time risk assessment before launching their high-risk AI system and considers their obligation fulfilled. Is this approach compliant with Article 9?","options":{"0":"Yes, a pre-launch assessment satisfies the requirement","1":"No, but annual reviews are sufficient","2":"Article 9 requires a continuous, iterative risk management process throughout the entire lifecycle — a one-time assessment is insufficient","3":"Yes, if the assessment was thorough"},"explanation":"Article 9(1) explicitly requires that the risk management system is 'a continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system.' A one-time assessment fundamentally fails this requirement."},"q2":{"question":"A provider identifies residual risks that cannot be fully eliminated through design or mitigation measures. What does Article 9 require them to do?","options":{"0":"Communicate the residual risks clearly to deployers in the instructions for use, so deployers can implement appropriate measures","1":"Keep the risks confidential to avoid alarming customers","2":"Withdraw the system from the market","3":"Only document them internally without sharing"},"explanation":"Article 9(5) requires that residual risks 'shall be communicated to the deployer.' The provider must clearly inform deployers about remaining risks so they can take appropriate measures during deployment and operation."},"q3":{"question":"Article 9(7) requires that high-risk AI systems be tested to ensure they perform consistently. What does this testing requirement include?","options":{"0":"Only unit tests of individual components","1":"Testing against pre-defined metrics, including testing in real-world conditions where appropriate, and testing for specific risks of discrimination (Art. 9(7))","2":"Only testing during the development phase","3":"Only automated regression tests"},"explanation":"Article 9(7) requires testing to ensure consistent performance with pre-defined metrics. This includes testing in real-world conditions where appropriate and, notably, specific testing for risks of discriminatory outcomes, particularly for the groups listed in Article 10(2)(f)."},"q4":{"question":"A provider's risk management system must consider 'reasonably foreseeable misuse.' A deployer uses a job screening AI to evaluate loan applicants instead. Should the provider have anticipated this?","options":{"0":"No — misuse by deployers is always the deployer's responsibility","1":"Only if the provider knew the specific deployer","2":"Yes, but only if they explicitly warned against it","3":"Article 9(2)(b) requires identifying risks from 'reasonably foreseeable misuse' — using screening AI for loan decisions is a foreseeable cross-domain misuse the provider should consider"},"explanation":"Article 9(2)(b) requires providers to identify risks arising from 'reasonably foreseeable misuse.' Repurposing a screening tool for different types of assessments is a foreseeable misuse pattern. Providers must consider and document these scenarios in their risk management system."},"q5":{"question":"When adopting risk mitigation measures, what standard must a provider meet under Article 9?","options":{"0":"Reduce risks to the lowest level practically achievable, taking into account the state of the art and technical feasibility","1":"Eliminate all risks completely","2":"Reduce risks to a level below the industry average","3":"Only address risks that have been previously observed in practice"},"explanation":"Article 9(4) requires providers to adopt 'appropriate and targeted risk management measures' that reduce risks 'to an acceptable level,' considering the state of the art and available techniques. It is a practical, proportionate standard, not a zero-risk requirement."},"q6":{"question":"When should a high-risk AI system's risk assessment be initiated in relation to its market placement?","options":{"0":"After the first year on the market to incorporate real-world data","1":"Only when a complaint is received","2":"The risk management system must be established and documented BEFORE the system is placed on the market, as part of the pre-market compliance obligations (Art. 9 + Art. 8)","3":"Within 6 months of deployment"},"explanation":"The risk management system is a pre-market requirement. Article 9, read together with the general obligations in Article 8, requires that the risk management system be in place before the system is placed on the market or put into service."},"q7":{"question":"A high-risk AI system used in hiring shows different error rates for male and female applicants. What does the risk management system need to address regarding this?","options":{"0":"Nothing — different error rates are normal","1":"Article 9 requires specific attention to bias risks, including testing for discriminatory impacts on groups defined by characteristics like sex, and implementing measures to minimize such risks","2":"Only if the difference exceeds 10%","3":"Only if someone files a complaint"},"explanation":"Article 9(7) specifically requires testing for risks to 'persons or groups of persons that are likely to be affected,' including with reference to the non-discrimination criteria in Art. 10(2)(f). Disparate error rates between genders must be identified, assessed, and mitigated."},"q8":{"question":"A children's educational AI system is classified as high-risk. What special consideration does Article 9 require in the risk management process?","options":{"0":"No special considerations — all high-risk systems are treated the same","1":"Children are exempt from AI system usage","2":"Only parental consent is needed","3":"Article 9(9) requires specific attention to whether the system is likely to be accessed by or have an impact on children, with proportionate measures to protect their specific vulnerabilities"},"explanation":"Article 9(9) explicitly requires that the risk management process consider 'whether the high-risk AI system is likely to be accessed by or have an impact on children.' Systems interacting with children require proportionate protective measures."}},"m11":{"q1":{"question":"A provider designs a high-risk AI system where the system's recommendations can be overridden by the human operator at any point. However, in practice, the operator must restart the entire process from scratch to override. Does this meet the Article 14 human oversight requirement?","options":{"0":"Yes — Article 14 requires built-in technical measures that allow human operators to effectively override, intervene in, or halt the system's operation without disproportionate barriers","1":"Yes, because technically the override exists","2":"No, because the system should make all decisions autonomously","3":"It depends on how often overrides are needed"},"explanation":"Article 14(4) requires that oversight measures enable operators to 'decide, in any particular situation, not to use the high-risk AI system output or to override it.' If overriding requires restarting from scratch, creating a disproportionate barrier, the practical effect undermines the requirement."},"q2":{"question":"Article 14(4)(a) requires that human oversight enables the operator to 'fully understand the capacities and limitations' of the AI system. A provider delivers the system with a 500-page technical manual that no typical operator would read. Is this sufficient?","options":{"0":"Yes, as long as the information is technically available","1":"No, but a simple disclaimer is enough","2":"Article 14 requires that understanding is practically achievable — information must be presented in a way that is accessible and meaningful to the persons assigned to oversight","3":"Yes, if the manual is available in both paper and digital form"},"explanation":"The requirement for operators to 'fully understand' the system implies practical accessibility. Information buried in an unreadable manual does not enable understanding. The instructions for use (Art. 13) must be clear, comprehensible, and tailored to the oversight personnel."},"q3":{"question":"A deployer assigns a team to oversee a high-risk AI system, but the team receives no training on how the AI works, what its limitations are, or how to interpret its outputs. Is this compliant?","options":{"0":"Yes, if the team members are generally intelligent","1":"Article 14(4) + Art. 26(2) require that human oversight personnel are competent, properly trained, and have the authority to act — untrained oversight is non-compliant","2":"Yes, training is recommended but not required","3":"Only if the AI is fully autonomous"},"explanation":"Article 26(2) requires deployers to assign 'natural persons who have the necessary competence, training and authority' for oversight. Combined with Art. 14's design requirements, this means oversight personnel must be specifically trained on the AI system's capabilities, limitations, and correct interpretation of outputs."},"q4":{"question":"A high-risk AI system for judicial assistance (Annex III 8(a)) generates sentencing recommendations. The judge always follows the AI's recommendation because 'the computer must be right.' What risk does Article 14(4)(b) address?","options":{"0":"The risk of the judge being too slow","1":"The risk of the AI being unpopular","2":"The risk of budget overruns","3":"Automation bias — Article 14(4)(b) specifically requires measures to prevent over-reliance on the system's output, particularly for decisions affecting persons' rights"},"explanation":"Article 14(4)(b) explicitly addresses 'automation bias,' particularly for systems used in Annex III areas. It requires measures ensuring that oversight personnel 'do not automatically or uncritically rely on the output.' This is especially critical for judicial applications."},"q5":{"question":"A provider builds a high-risk AI system without any mechanism to halt its operation during emergencies. They argue that adding a stop function would reduce the system's efficiency. Is this acceptable?","options":{"0":"Yes — Article 14(4)(e) requires a 'stop' button or equivalent mechanism to halt the system; the absence of this capability is a design violation regardless of efficiency concerns","1":"Yes, efficiency is a valid engineering trade-off","2":"Only if the system operates in a non-critical domain","3":"It depends on the probability of emergencies"},"explanation":"Article 14(4)(e) requires that oversight measures include the ability to 'interrupt the activity of the system through a stop button or a similar procedure.' This is a mandatory design requirement. Efficiency concerns do not override the fundamental human oversight requirement."},"q6":{"question":"A deployer assigns oversight of a high-risk AI medical device to a receptionist with no medical or technical background. The receptionist can technically click 'override' on any recommendation. Does this satisfy human oversight requirements?","options":{"0":"Yes, any human oversight is sufficient","1":"Yes, because the override mechanism exists","2":"Article 26(2) requires persons with 'necessary competence, training and authority' — a receptionist without relevant expertise does not satisfy the competence requirement for medical AI oversight","3":"Yes, if a doctor is available by phone"},"explanation":"Article 26(2) requires deployers to assign 'natural persons who have the necessary competence, training and authority.' For a medical AI device, competent oversight requires medical and technical understanding. A receptionist without such background cannot meaningfully oversee the system."},"q7":{"question":"Article 14 requires that human oversight enables the operator to 'correctly interpret the high-risk AI system's output.' A system produces a numerical score of 0.73 with no explanation of what the number means. Is this compliant?","options":{"0":"Yes, the number is the output and interpretation is subjective","1":"The system must provide sufficient context for the operator to correctly interpret outputs — a bare number without explanation of its meaning, scale, and confidence does not enable correct interpretation","2":"Only if the operator has a statistics degree","3":"Yes, as long as the number is accurate"},"explanation":"Article 14(4)(a) requires that oversight measures enable 'correct interpretation' of outputs. A bare score without context (scale, meaning, confidence level, factors) does not enable correct interpretation. The system's design must facilitate meaningful human understanding of its outputs."},"q8":{"question":"For real-time remote biometric identification systems used by law enforcement (under the narrow Art. 5 exceptions), Article 14 imposes an additional oversight requirement. What is it?","options":{"0":"No additional requirements beyond standard oversight","1":"Only annual reviews","2":"Only automated monitoring","3":"Article 14(5) requires that no action or decision is taken based solely on the identification output without independent verification and a separate human confirmation by at least two natural persons"},"explanation":"Article 14(5) imposes enhanced oversight for real-time biometric identification in law enforcement: identification results require independent verification and confirmation by at least two separate natural persons. This double-check mechanism prevents false identification from leading to unwarranted action."}},"m12":{"q1":{"question":"A provider of a high-risk AI system in the healthcare domain (Annex III area 5(d)) needs to perform a conformity assessment. Can they self-assess, or is a third-party notified body required?","options":{"0":"Always third-party for all high-risk systems","1":"Self-assessment (Annex VI) is the default — third-party assessment (Annex VII) is only required for biometric identification systems (Annex III area 1) unless other sector legislation applies","2":"Healthcare always requires third-party assessment","3":"Neither — healthcare AI is exempt from conformity assessment"},"explanation":"Article 43(1) specifies that most Annex III high-risk systems can use self-assessment (internal control, Annex VI). Third-party notified body assessment (Annex VII) is required only for biometric identification systems under Annex III area 1. Sector-specific legislation may impose additional requirements."},"q2":{"question":"An AI system performs real-time biometric identification for access control at a private facility (Annex III area 1(a)). What type of conformity assessment must the provider complete?","options":{"0":"Self-assessment under Annex VI is sufficient","1":"No assessment needed for private facilities","2":"Only a CE marking application","3":"Third-party conformity assessment by a notified body under Annex VII — biometric identification systems (area 1) specifically require this"},"explanation":"Article 43(1) specifically requires third-party assessment for AI systems in Annex III area 1 (biometrics). Unlike other Annex III categories where self-assessment suffices, biometric identification systems must undergo assessment by an independent notified body."},"q3":{"question":"After passing conformity assessment and placing their AI on the market, the provider makes a substantial modification that changes the system's risk profile. What happens to the conformity assessment?","options":{"0":"A new conformity assessment must be performed — Article 43(4) requires reassessment when substantial modifications occur","1":"The original assessment remains valid indefinitely","2":"Only a supplementary document needs to be filed","3":"The deployer, not the provider, must reassess"},"explanation":"Article 43(4) explicitly states that a new conformity assessment is required 'where a substantial modification has been made.' The original assessment only covers the system as it was at the time of assessment. Substantial changes necessitate a fresh evaluation."},"q4":{"question":"After a successful conformity assessment, what marking must the provider affix to the high-risk AI system before placing it on the market?","options":{"0":"An 'AI Act Compliant' sticker","1":"No marking is required","2":"The CE marking — affixed visibly, legibly, and indelibly (Article 48)","3":"A QR code linking to the EU database"},"explanation":"Article 48 requires the CE marking to be affixed 'in a visible, legible and indelible manner' before the system is placed on the market. The CE marking indicates conformity with the EU AI Act requirements and enables free movement within the EU market."},"q5":{"question":"After completing conformity assessment, the provider must draw up a specific document. What is it, and how long must it be retained?","options":{"0":"A compliance report, retained for 5 years","1":"An EU declaration of conformity — retained for 10 years after the system is placed on the market (Article 47)","2":"A safety certificate, retained for 3 years","3":"An impact assessment, retained for 1 year"},"explanation":"Article 47 requires providers to draw up an EU declaration of conformity for each high-risk AI system. This document must be kept for 10 years after the system is placed on the market or put into service, matching the documentation retention period."},"q6":{"question":"What is the role of a 'notified body' in the EU AI Act conformity assessment framework?","options":{"0":"An independent third-party organization designated by EU member states to carry out conformity assessments when third-party assessment is required (Art. 43, Chapter IV)","1":"A government agency that develops AI systems","2":"The European AI Office","3":"Any auditing firm with ISO certification"},"explanation":"Notified bodies are independent organizations designated by member states (under Art. 28ff) to carry out third-party conformity assessments. They must meet specific competence, independence, and impartiality requirements. Not any auditor qualifies — formal designation is required."},"q7":{"question":"Before placing a high-risk AI system on the EU market, the provider must register it in a public database. What information must be included?","options":{"0":"Only the provider's name and the system's name","1":"Only technical specifications","2":"The system's source code","3":"Provider identity, system description, intended purpose, risk classification, conformity assessment status, and related documentation — registered in the EU database under Article 49"},"explanation":"Article 49 requires registration in the EU database before market placement. The registration includes: provider identity and contact details, system name and description, intended purpose, status of conformity assessment, member states where the system is placed on the market, and CE declaration reference."},"q8":{"question":"A high-risk AI provider successfully self-assesses under Annex VI. What are the two main procedural options within Annex VI (internal control)?","options":{"0":"Interview-based assessment and document review","1":"On-site inspection and lab testing","2":"The provider verifies compliance of the QMS (quality management system) AND examines the technical documentation to verify the system meets requirements — both must be documented","3":"Only a checklist submission to the national authority"},"explanation":"Annex VI (internal control) requires the provider to (1) verify the quality management system complies with Art. 17 requirements, and (2) examine the technical documentation to verify the system meets all applicable requirements in Chapter III, Section 2. Both steps must be thoroughly documented."}},"m13":{"q1":{"question":"A provider's high-risk AI system malfunctions, causing a patient to receive an incorrect medication dosage that results in hospitalization. The provider learns of this three days later. What are the reporting obligations?","options":{"0":"No reporting needed unless the patient dies","1":"Report within 30 days to the national health authority","2":"The provider must report to the market surveillance authority of the affected member state within 15 days of establishing a causal link between the AI system and the serious incident (Art. 73)","3":"Only the deployer (hospital) has reporting obligations"},"explanation":"Article 73 requires providers to report serious incidents (which include serious health damage, Art. 3(49)(a)) to the market surveillance authority. The 15-day deadline runs from when the provider establishes or reasonably should have established the causal link."},"q2":{"question":"What qualifies as a 'serious incident' under Article 3(49) of the EU AI Act?","options":{"0":"An incident causing death or serious health damage, serious infrastructure disruption, infringement of fundamental rights obligations, or serious property/environmental damage","1":"Any malfunction, even minor glitches","2":"Only incidents involving personal data breaches","3":"Only incidents resulting in financial losses"},"explanation":"Article 3(49) defines serious incidents as those leading to: (a) death or serious health damage, (b) serious irreversible disruption of critical infrastructure, (c) infringement of fundamental rights obligations, or (d) serious property or environmental damage."},"q3":{"question":"A high-risk AI system used for border control (Annex III area 7) has a serious incident in France affecting individuals from multiple EU countries. To which market surveillance authority must the provider report?","options":{"0":"All 27 member state authorities","1":"Only the authority of the provider's home country","2":"Only the European AI Office","3":"The market surveillance authority of the member state(s) where the incident occurred — in this case, France (Art. 73)"},"explanation":"Article 73 requires reporting to the market surveillance authority of the member state where the serious incident occurred. If the incident occurred in France, the French authority must be notified. Cross-border implications may require additional notifications under cooperation mechanisms."},"q4":{"question":"Article 72 requires providers to establish a post-market monitoring system. What is the key purpose of this system?","options":{"0":"Only to collect customer feedback for product improvement","1":"To actively and systematically collect, document, and analyze data relevant to the performance of the AI system throughout its lifetime, proportionate to its nature and risks","2":"Only to track sales and market share","3":"Only to comply with GDPR requirements"},"explanation":"Article 72 requires a 'documented post-market monitoring system' that 'actively and systematically collects, documents and analyses relevant data' on performance throughout the system's lifetime. It must be proportionate to the nature and risks, and include a monitoring plan as part of Annex IV documentation."},"q5":{"question":"A provider discovers through post-market monitoring that their AI system has a systematic bias issue. What must they do under Article 20?","options":{"0":"Take immediate corrective action — which may include updating, withdrawing, or recalling the system, and informing deployers, distributors, and relevant authorities","1":"Schedule a fix for the next software release cycle","2":"Only inform deployers if they specifically ask","3":"Nothing, unless the bias causes a serious incident"},"explanation":"Article 20 requires providers of non-compliant systems to immediately take necessary corrective actions: fix, withdraw, disable, or recall. They must also inform distributors, deployers, and authorities. Waiting for the next release cycle when a known bias issue exists violates the immediate corrective action requirement."},"q6":{"question":"A deployer discovers that a high-risk AI system they operate is producing unreliable outputs that could endanger people. What are the deployer's obligations?","options":{"0":"No obligations — only providers have post-market duties","1":"Only stop using the system","2":"Suspend use of the system, inform the provider or distributor, and report the issue to the relevant market surveillance authority (Art. 26(5))","3":"Continue using the system and document the issues"},"explanation":"Article 26(5) requires deployers to monitor the system and, if a risk arises: (1) suspend use of the system, (2) inform the provider or distributor, and (3) inform the relevant market surveillance authority. Deployers have active monitoring and reporting obligations."},"q7":{"question":"A market surveillance authority orders a provider to withdraw a non-compliant high-risk AI system from the market. What is the difference between 'withdrawal' and 'recall' under the Act?","options":{"0":"They are the same thing","1":"Withdrawal means removing from the market (preventing new sales); recall means retrieving systems already in use by deployers — both may be ordered depending on severity","2":"Withdrawal is voluntary; recall is mandatory","3":"Withdrawal applies to software; recall applies to hardware"},"explanation":"Under EU product safety terminology used in the Act: withdrawal means preventing further making available on the market (no new sales), while recall means retrieving systems already in the hands of deployers. The authority can order either or both depending on the severity of non-compliance."},"q8":{"question":"A serious incident with a high-risk AI system occurs in one member state but the provider is established in another member state. What cross-border notification mechanism applies?","options":{"0":"No cross-border mechanism exists","1":"Only bilateral communication between the two countries","2":"Only the AI Office is involved","3":"Article 73 + the market surveillance cooperation framework requires the authority of the member state where the incident occurred to be notified, and cooperation mechanisms ensure the provider's home state authority is also informed"},"explanation":"Under Art. 73, the provider reports to the authority where the incident occurred. The EU market surveillance cooperation framework (from the Market Surveillance Regulation, integrated with the AI Act) ensures cross-border communication between relevant national authorities."}}},"journeyLocked":"Locked","journeyCompleteFirst":"Complete the previous module quiz with 80%+ to unlock","journeyStart":"Start Module","journeyContinue":"Continue","journeyLockedTitle":"Module Locked","journeyLockedDesc":"You need to pass the previous module's quiz with at least 80% to unlock this module.","slideOf":"Slide {current} of {total}","slidePrevious":"Previous","slideContinue":"Continue","slideToScenario":"Practice Scenario","slideToQuiz":"Take Quiz","quizUnlockedNext":"Next module unlocked!","verifyCertificate":"Verify Certificate","verifyCertificateDesc":"Verify the authenticity of a Witness Academy completion certificate.","verifyNotFound":"Certificate Not Found","verifyNotFoundDesc":"This verification ID does not match any certificate in our system. Please check the ID and try again.","verifyValid":"Certificate Verified","verifyValidDesc":"This certificate is valid and was issued by Witness AI Compliance Hub.","verifyRecipient":"Recipient","verifyOrganization":"Organization","verifyModules":"Modules","verifyScore":"Score","verifyDate":"Issued","verifyId":"Verification ID","certificateNotReadyDescAll":"You need to pass all 13 module quizzes with at least 80% to earn your certificate.","certificateProgressAll":"{passed} of {total} modules passed","certificateModulesLabel":"Modules Completed","certificateVerifyAt":"Verify this certificate at witness-compliance.eu","certificateSaving":"Saving...","certificateSaveAndPrint":"Save & Print","gate":{"freeBadge":"Free","professionalBadge":"Professional","lockedTooltip":"Upgrade to Professional to unlock Advanced modules","essentialsTrackBadge":"Free — no account required","advancedTrackBadge":"Professional tier required","directUrlRedirect":"This module is part of the Advanced track and requires the Professional tier.","unlockWithProfessional":"Unlock with Professional","quizLockedTitle":"Quiz locked","quizLockedDescription":"The quiz for this Advanced module requires the Professional tier.","quizQuestionCount":"{count, plural, =1 {# question} other {# questions}}"}},"saveStatus":{"saving":"Saving...","allChangesSaved":"All changes saved at {time}","saveFailed":"Save failed","saveToDashboard":"Save to Dashboard","loading":"Loading...","signInToSave":"Save this classification to your dashboard for tracking and compliance documentation.","goToDashboard":"Go to Dashboard","autoSaving":"Saving to your dashboard...","autoSaved":"Saved to dashboard","retry":"Retry","signUpToSave":"Sign up to save your classification results and track compliance.","autoUpdating":"Updating classification...","autoUpdated":"Classification updated","updateClassification":"Update Classification"},"export":{"downloadPdf":"Download PDF","downloadWord":"Download Word","print":"Print","generatingPdf":"Generating PDF...","generatingDocx":"Generating Word document...","exportFailed":"Export failed","tableOfContents":"Table of Contents","generatedBy":"Generated by Witness","platform":"EU AI Act Compliance Platform","confidential":"Confidential","notProvided":"Not provided","page":"Page","of":"of","technicalDocumentation":"Technical Documentation","fundamentalRightsImpactAssessment":"Fundamental Rights Impact Assessment","conformityAssessment":"Conformity Assessment","riskManagementSystem":"Risk Management System","aiLiteracyProgram":"AI Literacy Program","export":"Export","exportLocked":"Exports available soon","exportLockedDescription":"Your compliance work is saved. We'll email you when document exports become available."},"excel":{"downloadTemplate":"Download Template","uploadExcel":"Upload Excel","dropZone":"Drop your Excel file here or click to browse","uploading":"Uploading...","processing":"Processing...","downloading":"Downloading...","fieldsPopulated":"{count} fields populated","errorsFound":"{count} errors found","warnings":"{count} warnings","applyData":"Apply Data","cancel":"Cancel","rowError":"Row {row}: {field} — {message}","requiredFieldEmpty":"Required field is empty","invalidSelectValue":"Invalid value for select field","template":"Template","instructions":"Instructions","fillInColumnD":"Fill in your data in column D","doNotModifyColumns":"Do not modify columns A-C or the hidden column G","invalidFileType":"Invalid file type. Please upload an .xlsx file.","downloadTemplateAria":"Download Excel template for {feature}","uploadExcelAria":"Upload Excel file for {feature}","closeModal":"Close","downloadError":"Failed to download template","featureNames":{"documentation":"Technical Documentation","fria":"Fundamental Rights Impact Assessment","risk-management":"Risk Management System","conformity":"Conformity Assessment","literacy":"AI Literacy Compliance"}},"classifierTemplates":{"heading":"What type of AI system are you classifying?","description":"Select a template to pre-fill answers based on your AI system type. You can change any answer during the questionnaire.","chatbot":{"name":"Customer Service Chatbot","description":"Conversational AI for customer support. Typically limited risk due to Art. 50 transparency requirements."},"recommendation":{"name":"Recommendation Engine","description":"Content, product, or service recommendations based on user data. Typically minimal risk."},"hrRecruitment":{"name":"HR / Recruitment Screening","description":"CV screening, candidate filtering, or interview assessment. High risk under Annex III, 4(a)."},"creditScoring":{"name":"Credit Scoring / Lending","description":"Creditworthiness assessment or credit score calculation. High risk under Annex III, 5(b)."},"contentModeration":{"name":"Content Moderation","description":"Automated review of user-generated content for policy violations. Typically minimal risk."},"medicalDecisionSupport":{"name":"Emergency Triage / Dispatch AI","description":"AI for evaluating emergency calls or triaging emergency patients (e.g., 112/911 dispatch prioritization, ER triage)."},"fraudDetection":{"name":"Fraud Detection","description":"Financial fraud detection and prevention. Explicitly exempt from Annex III, 5(b) high-risk when used solely for fraud detection."},"documentProcessing":{"name":"Document Processing / OCR","description":"Automated document scanning, text extraction, and data entry. Typically minimal risk."},"imageGeneration":{"name":"Image / Video Generation","description":"Generative AI creating synthetic images, video, or audio. Limited risk with Art. 50 transparency obligations."},"predictiveMaintenance":{"name":"Predictive Maintenance","description":"Equipment monitoring and failure prediction for industrial systems. Typically minimal risk."},"custom":{"name":"Custom / Not Sure","description":"Start with a blank questionnaire and answer each question manually."}},"sources":{"officialSource":"Official source","officialResources":"Verified against official EU sources","verifiedAgainst":"All content verified against Regulation (EU) 2024/1689 — the EU AI Act","viewOnEurLex":"View on EUR-Lex (Official Journal)","viewOnServiceDesk":"View on AI Act Service Desk","eurLexDescription":"Official Journal of the European Union","serviceDeskDescription":"European Commission AI Act Portal","complianceCheckerDescription":"Official EU compliance self-assessment","disclaimer":"Witness references official EU sources for transparency. Always consult your legal advisor for binding interpretations.","verifyIndependently":"Verify this article independently"},"chat":{"title":"AI Act Assistant","placeholder":"Ask a question about the EU AI Act...","disclaimer":"AI-generated guidance — not legal advice. Always verify with official sources.","emptyState":"Ask me anything about the EU AI Act","emptyStateDescription":"Get instant answers about classification, obligations, timelines, and more.","exampleQuestionsLabel":"Example questions","exampleQ1":"What are the prohibited AI practices under Article 5?","exampleQ2":"When do high-risk AI system obligations take effect?","exampleQ3":"What is the difference between a provider and a deployer?","exampleQ4":"What documentation does Annex IV require?","upgradeTitle":"Expert Chat is a Professional feature","upgradeDescription":"Upgrade to Professional to get instant, source-backed answers about the EU AI Act regulation.","upgradeCta":"Upgrade to Professional (€499) to unlock the Expert Chat.","rateLimit":"Daily question limit reached. Resets tomorrow.","errorGeneric":"Something went wrong. Please try again.","sending":"Thinking...","newChat":"New conversation","history":"Chat history","sources":"Sources","noSessions":"No conversations yet","untitledChat":"Untitled conversation","deleteChat":"Delete conversation","deleteChatConfirm":"Delete this conversation? This cannot be undone.","deleted":"Conversation deleted"},"prefill":{"uploadTitle":"Import from Document","uploadDescription":"Upload your existing AI system documentation to auto-fill form fields","dropzone":"Drag & drop or click to upload","supportedFormats":"Supported: PDF, DOCX, TXT (max 10MB)","analyzing":"Analyzing your document...","suggestionsReady":"{count} fields can be pre-filled","acceptAll":"Accept All Suggestions","acceptAllConfirm":"This will fill {count} fields with AI-suggested values. You can edit them afterwards.","accept":"Accept","dismiss":"Dismiss","confidence":{"high":"High confidence","medium":"Medium confidence","low":"Low confidence"},"sourceQuote":"Source from your document","aiSuggested":"AI suggested","rateLimit":"Monthly prefill limit reached ({used}/{max})","error":{"tooLarge":"File is too large (max 10MB)","unsupportedFormat":"Unsupported file format","parseFailed":"Could not read document","processingFailed":"Analysis failed. Please try again."},"readOnly":{"upgrade":"Upgrade","unlockEditing":"Upgrade to unlock editing","bannerDescription":"Upgrade to accept suggestions — Starter from €199 for limited risk, Professional from €499 for high risk"},"upgrade":{"title":"Document Import is a Professional feature","description":"Upgrade to Professional to upload documents and auto-fill compliance forms"},"uploadDescriptionMulti":"Just dump everything you have — we'll figure out what matters.","addMoreFiles":"Add more files","analyzeAll":"Analyze all files","analyzingProgressMulti":"Analyzing {fileCount} documents across {totalSteps} compliance areas...","analyzingProgressSingle":"Analyzing document across {totalSteps} compliance areas...","analyzingProgressMultiSingleArea":"Analyzing {fileCount} documents...","analyzingProgressSingleSingleArea":"Analyzing document...","stepComplete":"Complete","stepSkipped":"Skipped","stepAnalyzing":"Analyzing...","stepPending":"Pending","toolLabels":{"documentation":"Technical Documentation","riskManagement":"Risk Management","conformity":"Conformity Assessment","fria":"Fundamental Rights Impact","literacy":"AI Literacy"},"ui":{"sourced":"Sourced","aiSuggestion":"AI suggestion","aiGuidance":"AI guidance","sourcedAria":"Sourced value from your document","aiSuggestionAria":"AI suggestion — not backed by your document","aiGuidanceAria":"AI guidance hint","accept":"Accept","edit":"Edit","reject":"Reject","accepted":"Accepted","rejected":"Rejected","close":"Close","shortcuts":"Shortcuts: {accept} accept · {edit} edit · {reject} reject","shortcutsNoEdit":"Shortcuts: {accept} accept · {reject} reject","fromLabel":"from {source}","fromLabelFallback":"your document","reasoningLabel":"Why this value","guidanceHintLabel":"What to write","guidanceSourcesLabel":"Sources","noPopoverContent":"No additional context available.","bannerTitle":"Your document was analyzed","summaryExtracted":"{count, plural, =0 {0 sourced} one {# sourced} other {# sourced}}","summaryGapFilled":"{count, plural, =0 {0 AI-suggested} one {# AI-suggested} other {# AI-suggested}}","summaryGuidance":"{count, plural, =0 {0 with guidance} one {# with guidance} other {# with guidance}}","acceptAllExtracted":"Accept {count} sourced","acceptAll":"Accept all {count}","reviewOneByOne":"Review one by one","sectionsFailedLabel":"{count, plural, one {# section failed} other {# sections failed}}","retryFailed":"Retry","upgradeToAccept":"Upgrade to accept","dismissBanner":"Dismiss banner","streaming":{"analyzing":"Analyzing: {sections}","sectionsComplete":"{done} of {total} sections analyzed","retryChip":"Retry","fatalError":"Analysis was interrupted. Please try again."},"emptyTitle":"Drop any document — we'll extract what matters","emptyHint":"We look for evidence across the entire EU AI Act. Works best with documents like these:","emptyCards":{"technicalDoc":{"title":"Technical documentation","description":"Architecture notes, data flow diagrams, model cards"},"riskPlan":{"title":"Risk management plan","description":"Risk registers, mitigation strategies, incident response"},"dataGovernance":{"title":"Data governance policy","description":"Data quality controls, bias checks, training data records"}}}},"pricing":{"title":"Pay once. Audit-ready forever. Monitoring optional.","subtitle":"Start free. Upgrade only if your AI systems are limited-risk or high-risk. Annual maintenance keeps you audit-ready.","heroTagline":"EU AI Act compliance made simple","initialAssessment":"Initial Assessment","annualMaintenance":"Annual Compliance Maintenance","firstYearIncluded":"First year included","thenPerYear":"then {price}/year","launchPricing":"Launch Pricing","foundingMember":"Founding Member","offerEnds":"Offer ends {date}","regularPrice":"Regular price","comingSoon":"Coming Soon","availableAtLaunch":"Available at launch","availableAtLaunchNote":"Checkout will be available shortly. Sign up to be notified.","free":{"name":"Free","initialPrice":"€0","priceNote":"Free forever","description":"Classify your AI system and understand your obligations","features":["AI System Classifier","Role Classifier (Provider/Deployer)","Academy Essentials","3 AI chat messages/day","1 document upload (read-only gap analysis)"],"cta":"Get started"},"starter":{"name":"Starter","initialPrice":"€199","launchPrice":"€99","annualPrice":"€79","priceNote":"Initial Assessment","description":"For limited-risk AI systems needing transparency compliance","features":["Everything in Free","Full compliance documentation","Technical Documentation Generator","Transparency obligation templates","PDF/Word/Excel export","20 AI chat messages/day","Academy Essentials"],"cta":"Get Starter"},"professional":{"name":"Professional","initialPrice":"€499","launchPrice":"€249","annualPrice":"€199","priceNote":"Initial Assessment","description":"Full compliance suite for high-risk AI systems","features":["Everything in Starter","FRIA Generator (Art. 27)","Conformity Assessment (Art. 43)","Risk Management System (Art. 9)","AI-powered document prefill","Unlimited document uploads","50 AI chat messages/day","Academy Advanced","EU Source Reference System","AI Literacy Compliance Module (Art. 4)"],"cta":"Get Professional"},"team":{"name":"Team","initialPrice":"€999","launchPrice":"€499","annualPrice":"€399","priceNote":"Initial Assessment","description":"For teams managing AI compliance across the organization","features":["Everything in Professional","Multi-user access (up to 10 seats)","Employee AI Literacy tracker","Compliance reports (board-ready)","Unlimited AI chat"],"cta":"Get Team"},"currentTier":"Current Plan","mostPopular":"Most Popular","launchDeal":"Launch Pricing","oneTimeNote":"One-time assessment + annual maintenance. First year included in all paid tiers.","minimalRisk":{"title":"Good news — you're compliant!","description":"Your AI system is minimal risk. No obligations under the EU AI Act. You're free to go!"},"limitedRisk":{"title":"Almost there","description":"Your AI system needs transparency compliance under Article 50. Starter has everything you need."},"highRisk":{"title":"Full compliance required","description":"Your high-risk AI system needs comprehensive documentation and compliance. Professional covers it all."},"recommended":"Recommended for you","launchBanner":{"title":"Launch Pricing","description":"Get up to 50% off the initial assessment. Annual maintenance stays the same. Be a Founding Member.","badge":"Limited time"},"faq":{"title":"Frequently Asked Questions","q1":{"question":"What if I don't renew?","answer":"You keep all documents you've generated. You lose access to compliance monitoring, freshness alerts, new document generation, and AI features. You can re-activate anytime by paying the annual fee — you won't need to pay the initial assessment again."},"q2":{"question":"What's included in the initial assessment?","answer":"Full compliance documentation package for your AI systems. Classification, required documentation generation, and your first year of compliance monitoring — all included."},"q3":{"question":"How does annual maintenance work?","answer":"After your first year, annual maintenance keeps your compliance current: regulatory update notifications, documentation freshness alerts, re-assessment triggers, and continued access to all features in your tier."},"q4":{"question":"Is VAT included?","answer":"Paddle, our payment provider, is a Merchant of Record and handles all EU VAT calculations automatically. Prices shown exclude VAT — your final price will include the VAT rate for your country."},"q5":{"question":"Can I upgrade later?","answer":"Yes. You can upgrade from Starter to Professional or Team at any time. You'll pay the difference in initial assessment price."}},"trustBanner":"Built on the official text of Regulation (EU) 2024/1689. Every field maps to a specific article.","vatNote":"All prices exclude VAT. Paddle handles EU VAT automatically as Merchant of Record.","trustBadges":{"euBased":"EU-based data processing","officialSources":"Based on official EU sources"}},"intake":{"back":"Back","next":"Next","finish":"See my results","yes":"Yes","no":"No","stepCounter":"{current} of {total}","q1":{"title":"What does your AI system do?","subtitle":"Describe it in 1-2 sentences. Don't worry about legal terms — plain language is perfect.","placeholder":"e.g., Screens job applications and ranks candidates by fit","notSure":"Not sure how to describe it? We'll help you refine later.","nameLabel":"Give it a short name","namePlaceholder":"e.g., TalentScreen AI, CV Ranker"},"q2":{"title":"What technology powers it?","subtitle":"Select all that apply. This helps us determine if your system falls under the AI Act's definition.","notSure":"Not sure? We'll assume machine learning to be safe.","options":{"ml":"Machine learning / Deep learning / Neural networks","statistical":"Statistical models (regression, Bayesian, etc.)","ruleBased":"Rule-based / Expert systems","search":"Search and optimization algorithms","notSure":"Not sure"}},"q3":{"title":"What does your system do with its outputs?","subtitle":"How does it process information and deliver results?","notSure":"Not sure? We'll mark this for review.","options":{"predictions":"Makes predictions","content":"Generates content (text, images, audio)","recommendations":"Recommends actions","decisions":"Makes or supports decisions","other":"Other"}},"q4":{"title":"Are you the one who built it, or do you use someone else's?","subtitle":"Your role determines which compliance obligations apply to you.","notSure":"Not sure? We'll assume deployer (most common).","followUp":"Did you significantly modify it or put your name/brand on it?","options":{"provider":"We built or developed it (Provider)","deployer":"We use a system built by someone else (Deployer)","both":"We modified someone else's system and sell it under our name (Both)"}},"q5":{"title":"What area does your system operate in?","subtitle":"Select all that apply. Some areas trigger higher compliance requirements.","notSure":"Not sure? Select 'None of the above' and we'll classify conservatively.","options":{"hiring":"Hiring and recruitment","credit":"Credit scoring or insurance","education":"Education and student assessment","healthcare":"Healthcare and medical devices","lawEnforcement":"Law enforcement or border control","infrastructure":"Critical infrastructure (energy, water, transport)","biometric":"Biometric identification","customerService":"Customer service / Chatbot","contentGeneration":"Content generation (text, images, video)","none":"None of the above / Other"},"annexIFollowUp":"Is your AI a safety component of (or itself) a product regulated under EU harmonisation legislation (Annex I, Article 6(1))?","annexI":{"medicalDevice":"Medical device (MDR 2017/745)","inVitroDiagnostic":"In-vitro diagnostic medical device (IVDR 2017/746)","machinery":"Machinery (Directive 2006/42/EC / Regulation 2023/1230)","toy":"Toy (Directive 2009/48/EC)","lift":"Lift or lift safety component (Directive 2014/33/EU)","radioEquipment":"Radio equipment (Directive 2014/53/EU)","pressureEquipment":"Pressure equipment (Directive 2014/68/EU)","automotive":"Motor vehicle or component (Regulation 2018/858)","aviation":"Civil aviation equipment (Regulation 2018/1139)","maritimeEquipment":"Marine equipment (Directive 2014/90/EU)","rail":"Rail system (Directive (EU) 2016/797)","agriculturalVehicle":"Agricultural or forestry vehicle (Regulation (EU) 167/2013)","otherAnnexI":"Other Annex I regulated product","none":"No — not embedded in a regulated product"}},"q6":{"title":"Does your system process any of the following?","subtitle":"These data types have specific requirements under the AI Act.","notSure":"Not sure? Select 'None of these' to continue.","options":{"biometric":"Biometric data (fingerprints, face, voice)","location":"Real-time location tracking","emotion":"Emotion recognition","none":"None of these"}},"q7":{"title":"Who is affected by your system's outputs?","subtitle":"Select all groups whose lives or decisions are impacted.","notSure":"Not sure? Select 'Other' to continue.","options":{"jobApplicants":"Job applicants","students":"Students","patients":"Patients","consumers":"Consumers / Customers","citizens":"Citizens (public services)","employees":"Employees","generalPublic":"General public","other":"Other"}},"q8":{"title":"Is your system used for any of these purposes?","subtitle":"Be honest — these practices are banned or heavily restricted under the AI Act.","notSure":"Not sure? Select 'None of these' to continue safely.","options":{"scoring":"Scoring or ranking people based on social behavior","predicting":"Predicting criminal behavior","manipulating":"Manipulating behavior without awareness","exploiting":"Exploiting vulnerabilities of specific groups","facialScraping":"Untargeted scraping of facial images from the internet or CCTV to build facial-recognition databases","biometricSensitive":"Biometric categorisation inferring race, political opinions, trade union membership, religious or philosophical beliefs, sex life, or sexual orientation","emotionWorkSchool":"Emotion inference in the workplace or in educational institutions","realtimeBiometric":"Real-time remote biometric identification in publicly accessible spaces for law enforcement","none":"None of these"},"scoringFollowUp":"Is this scoring performed by (or on behalf of) a public authority AND does it produce detrimental treatment that is unrelated to the original context or disproportionate to the behaviour?"},"q9":{"title":"Where are your users or affected people based?","subtitle":"The AI Act applies to systems that affect people in the EU.","notSure":"Not sure? We'll assume both EU and non-EU.","options":{"euOnly":"EU only","outsideEu":"Outside EU only","both":"Both EU and non-EU"}},"q10":{"title":"Is this system used exclusively for any of these?","subtitle":"These uses may exempt your system from the AI Act entirely.","notSure":"Not sure? Select 'None of these' to be safe.","options":{"military":"Military / Defense","research":"Scientific research only","personal":"Personal / Non-professional use","none":"None of these"}},"upload":{"title":"Great — now drop any existing documentation you have.","subtitle":"Product specs, risk assessments, internal docs, anything. We'll extract compliance-relevant information and pre-fill your forms automatically.","subtitlePreview":"We'll analyze your documents and show you how many compliance fields we can pre-fill. Create a free account to access the full results.","skip":"Just show me my classification results","laterNote":"You can always upload documents later from your dashboard.","processing":"Analyzing your documents...","processingSubtitle":"We're extracting compliance-relevant information.","processingProgress":"Processing: {tool} ({current} of {total})","uploading":"Uploading","analyzing":"Analyzing","of":"of","toolNames":{"documentation":"Documentation","fria":"Rights Impact Assessment","riskManagement":"Risk Assessment","conformity":"Conformity Assessment"}},"result":{"readiness":"Compliance readiness","fieldsCovered":"fields covered","monthsLeft":"months until deadline","remainingFields":"{count} fields still need your attention","complianceAreas":"Compliance areas","deadline":"EU AI Act enforcement deadline: August 2, 2026 — {months} months away","systemLabel":"System","editName":"Click to edit name","roleLabel":"Your role","continueCta":"Continue to your compliance dashboard","pricingCta":"Get started with Professional — €499","goToDashboard":"Go to dashboard","minimalTitle":"Good news! Your system is minimal risk.","minimalDescription":"No compliance obligations under the EU AI Act. You can use your system freely, though voluntary compliance with AI literacy (Article 4) is recommended.","limitedTitle":"Almost there! You need transparency compliance.","limitedDescription":"Your system triggers limited risk transparency obligations under Article 50. Users must be informed they are interacting with AI.","limitedCta":"Get started with Starter — €199","unacceptableTitle":"This system includes prohibited practices.","unacceptableDescription":"Based on your answers, this AI system falls under prohibited practices (Article 5). These systems cannot be placed on the EU market or used in the EU.","toolDocumentation":"Technical Documentation","toolRiskManagement":"Risk Management","toolConformity":"Conformity Assessment","toolFria":"Rights Impact Assessment","toolObligations":"Obligation Tracker","obligationsCount":"{count} obligations to track","previewSignupCta":"Create free account","previewDocsReceived":"{count, plural, one {# document received} other {# documents received}}. Create an account to see your pre-filled results.","previewDocsSignup":"Up to 80% of fields can be pre-filled from your documents.","previewPrefillTeaser":"Up to 80% of fields can be pre-filled from your documents. Sign up to upload and analyze.","whatThisMeans":"What this means for you","highRiskProviderIntro":"As a provider of a high-risk AI system under Annex III, you are required to complete:","highRiskDeployerIntro":"As a deployer of a high-risk AI system, you are required to complete:","fieldsRequired":"fields required","uploadPrompt":"Upload your documents and we'll pre-fill up to 80% of these fields automatically.","uploadButton":"Upload Documents","createAccount":"Create Free Account","minimalAccountNote":"Create an account to save your classification and access the Academy.","limitedObligation":"Your system requires transparency compliance under Article 50.","limitedObligationDetail":"You need to clearly inform users they are interacting with an AI system.","transparencyTitle":"Transparency Requirements","transparencyDescription":"User notification obligations, AI-generated content labeling, and disclosure requirements under Article 50.","toolDescription":{"documentation":"System description, training data documentation, risk analysis, and technical specifications.","riskManagement":"Risk identification, mitigation measures, residual risk assessment, and monitoring plan.","conformity":"Compliance verification, quality management system, EU declaration of conformity.","fria":"Fundamental rights impact assessment, data protection analysis, affected groups."},"pricingTransparency":"Based on your classification, you'll need {tier} (€{price} initial assessment, first year of maintenance included).","pricingFree":"Your system is minimal risk — no paid access needed.","pricingPrelaunchNote":"Commercial plans unlock at launch. You can complete classification and onboarding now, and upgrade once billing opens.","euSubmissionNote":"The EU has not yet published where to submit compliance documentation. We'll prepare all the necessary steps for you as soon as this information becomes available."}},"workspace":{"sidebarNavLabel":"Workspace sections","complianceReadiness":"Compliance Readiness","fieldsCompleted":"{filled}/{total} fields","exportComplianceDocs":"Export Compliance Docs","downloadAll":"Download All (PDF)","saveAndClose":"Save & Close","backToDashboard":"Back to dashboard","previousSection":"Previous Section","nextSection":"Next Section","sectionCounter":"Section {current} of {total}","loadingData":"Loading compliance data...","noWorkspaceNeeded":"No Compliance Workspace Needed","noWorkspaceDescription":"Your AI system is classified as minimal risk or prohibited. No compliance documentation is required.","exportItems":{"documentation":"Technical Documentation (PDF)","riskManagement":"Risk Management System (PDF)","conformity":"Conformity Assessment (PDF)","fria":"FRIA (PDF)"},"sections":{"about_system":{"title":"About Your System","description":"General information about your AI system, including its name, purpose, how it is distributed, and instructions for use."},"how_it_works":{"title":"How It Works","description":"Technical details about your system's development process, architecture, data handling, and cybersecurity measures."},"data_privacy":{"title":"Data & Privacy","description":"Information about affected groups, geographic scope, data protection impact assessments, and privacy considerations."},"risks_safeguards":{"title":"Risks & Safeguards","description":"Risk identification, estimation, mitigation measures, and residual risk assessment for your AI system."},"human_oversight":{"title":"Human Oversight","description":"How humans monitor and control the AI system, including intervention mechanisms and oversight responsibilities."},"testing_performance":{"title":"Testing & Performance","description":"Performance metrics, testing procedures, and documentation review for compliance verification."},"monitoring_updates":{"title":"Monitoring & Updates","description":"Post-market monitoring, lifecycle changes, standards applied, and ongoing compliance maintenance."},"conformity_compliance":{"title":"Conformity & Compliance","description":"Conformity assessment path, quality management system review, declaration of conformity, and CE marking."}},"fieldRequired":"Required","fieldOptional":"Optional","selectPlaceholder":"Select...","booleanYes":"Yes","booleanNo":"No","compliancePackage":"Compliance Package (ZIP)","uploadDocuments":"Upload Documents","uploadDescription":"Upload documentation to auto-fill compliance fields","docAnalysisTitle":"Witness Document Analysis","docAnalysisDescription":"Upload your existing documentation — product specs, risk assessments, internal docs, meeting notes, whatever you have. We will analyze them for you and pre-fill up to 80% of your compliance fields.","docAnalysisDragDrop":"Or drag and drop files here","docAnalysisLockedTooltip":"Document upload is available on the Professional tier","docAnalysisLockedButton":"Unlock Document Upload","docAnalysisLockedLabel":"Professional feature","docAnalysisComplete":"{count} fields pre-filled from your documents","uploadMore":"Upload more documents","exportLocked":"Exports available soon","exportLockedDescription":"Your compliance documents are being prepared. We'll email you when exports become available.","lockedPreviewBadge":"Preview only","lockedPreviewTitle":"This workspace is locked on the Free tier","lockedPreviewDescription":"You can review the structure now, but filling these {toolCount} compliance tools requires {tier} (€{price} initial assessment).","lockedPreviewDocUploadHint":"Document upload and AI prefill are unlocked on Professional (€{price} initial assessment).","lockedPreviewCta":"Unlock {tier} — €{price}","lockedPreviewFooter":"Preview mode: field editing is locked until you upgrade.","lockedFieldHint":"Upgrade to edit this field"},"guidance":{"title":"AI Analysis Note","whereToFind":"Where to find this"},"submissionGuidance":{"title":"Submission Guidance","subtitle":"Find your national AI authority and understand what to submit for compliance.","selectCountry":"Select your country","selectPlaceholder":"Select a country...","noAuthorityDesignated":"No authority designated yet","whatToPrepare":"What to Prepare","keyDeadlines":"Key Deadlines","omnibusTitle":"Digital Omnibus Act — Extended Deadline","omnibusBody":"The European Commission's Digital Omnibus proposal may extend certain high-risk AI deadlines. Dates shown are based on the original Regulation (EU) 2024/1689. Monitor your national authority for updates.","status":{"operational":"Operational","designated":"Designated","advisory":"Advisory","not_designated":"Not Yet Designated"},"at":{"notes":"Austria's RTR KI-Servicestelle provides advisory services and guidance on AI Act compliance. Formal submission processes are being developed. Contact ki@rtr.at for current guidance.","notesDe":"Die RTR KI-Servicestelle bietet Beratungsdienste und Orientierungshilfen zur Einhaltung des AI Acts. Formelle Einreichungsverfahren werden derzeit entwickelt. Kontaktieren Sie ki@rtr.at für aktuelle Informationen."},"de":{"notes":"Germany's Bundesnetzagentur (BNetzA) has been designated as the national AI authority. Submission processes and portals are being established.","notesDe":"Die Bundesnetzagentur (BNetzA) wurde als nationale KI-Behörde benannt. Einreichungsverfahren und -portale werden derzeit aufgebaut."},"fr":{"notes":"France's DGCCRF is providing advisory guidance. The formal AI authority designation and submission processes are being finalized.","notesDe":"Die französische DGCCRF bietet beratende Orientierungshilfe. Die formelle Benennung der KI-Behörde und Einreichungsverfahren werden finalisiert."},"nl":{"notes":"The Netherlands has not yet formally designated a national AI authority. The Autoriteit Persoonsgegevens (AP) may take this role.","notesDe":"Die Niederlande haben noch keine nationale KI-Behörde formal benannt. Die Autoriteit Persoonsgegevens (AP) könnte diese Rolle übernehmen."},"fi":{"notes":"Finland's Traficom is operational as a national AI authority and actively providing guidance on compliance requirements.","notesDe":"Finnlands Traficom ist als nationale KI-Behörde operativ und bietet aktiv Orientierungshilfe zu Compliance-Anforderungen."},"es":{"notes":"Spain's AESIA has been designated as the national AI authority. Compliance guidance and submission infrastructure are being developed.","notesDe":"Spaniens AESIA wurde als nationale KI-Behörde benannt. Compliance-Orientierungshilfen und Einreichungsinfrastruktur werden entwickelt."},"it":{"notes":"Italy has designated AgID and ACN jointly as national AI authorities. Processes for compliance submissions are under development.","notesDe":"Italien hat AgID und ACN gemeinsam als nationale KI-Behörden benannt. Verfahren für Compliance-Einreichungen werden entwickelt."},"prepare":{"techDoc":"Technical Documentation (Annex IV) — Required for high-risk systems","riskManagement":"Risk Management System (Article 9) — Continuous lifecycle approach","conformity":"Conformity Assessment (Article 43) — Internal control or notified body","euDatabase":"EU AI Database registration (Article 71) — Before placing on market","transparency":"Transparency obligations (Article 50) — Disclosure to users","userNotification":"User notification requirements — Inform users of AI interaction","voluntaryCode":"Consider voluntary codes of conduct (Article 95)"},"deadline":{"prohibitions":"Feb 2, 2025 — Prohibited AI practices enforcement","highRisk":"Aug 2, 2026 — High-risk AI system obligations","transparency":"Aug 2, 2026 — Transparency obligations for all risk levels"}},"glossary":{"title":"EU AI Act Glossary","subtitle":"Key terms and definitions from Regulation (EU) 2024/1689, explained in plain language.","searchPlaceholder":"Search terms...","noResults":"No terms found matching your search.","jumpTo":"Jump to","articleBadge":"Article Reference","relatedTool":"Related Tool","terms":{"aiSystem":{"term":"AI System","definition":"A machine-based system designed to operate with varying levels of autonomy, that may exhibit adaptiveness after deployment, and that infers from input how to generate outputs such as predictions, content, recommendations, or decisions that can influence physical or virtual environments.","article":"Art. 3(1)","toolLink":"/get-started","toolLabel":"AI System Classifier"},"provider":{"term":"Provider","definition":"A natural or legal person, public authority, agency, or other body that develops an AI system or a general-purpose AI model, or that has an AI system or model developed, and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.","article":"Art. 3(3)","toolLink":"/get-started","toolLabel":"Role Classifier"},"deployer":{"term":"Deployer","definition":"A natural or legal person, public authority, agency, or other body using an AI system under its authority, except where the AI system is used in the course of a personal non-professional activity.","article":"Art. 3(4)","toolLink":"/get-started","toolLabel":"Role Classifier"},"highRiskAiSystem":{"term":"High-Risk AI System","definition":"An AI system that falls under one of the use cases listed in Annex III or is a safety component of a product covered by existing EU harmonisation legislation listed in Annex I. High-risk systems face the most comprehensive obligations under the AI Act.","article":"Art. 6","toolLink":"/get-started","toolLabel":"AI System Classifier"},"minimalRisk":{"term":"Minimal Risk","definition":"AI systems that do not fall into prohibited, high-risk, or limited risk categories. These systems face no specific obligations under the AI Act, though voluntary codes of conduct are encouraged.","article":"Recital 28"},"limitedRisk":{"term":"Limited Risk","definition":"AI systems subject to transparency obligations under Article 50. Users must be informed they are interacting with AI. Includes chatbots, emotion recognition systems, and AI-generated content (deepfakes).","article":"Art. 50"},"unacceptableRisk":{"term":"Unacceptable Risk","definition":"AI practices that are outright prohibited because they pose a clear threat to people's safety, livelihoods, and fundamental rights. Includes social scoring, manipulative AI, real-time biometric identification in public spaces (with narrow exceptions), and emotion recognition in workplaces/education.","article":"Art. 5"},"annexIII":{"term":"Annex III","definition":"The annex listing 8 high-risk areas with specific use cases that automatically classify an AI system as high-risk. Areas include biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and justice/democracy.","article":"Annex III"},"annexIV":{"term":"Annex IV","definition":"The annex specifying the required contents of the technical documentation that providers of high-risk AI systems must draw up and maintain. Covers 9 sections from general system description to post-market monitoring.","article":"Annex IV","toolLink":"/documentation","toolLabel":"Documentation Generator"},"technicalDocumentation":{"term":"Technical Documentation","definition":"Comprehensive documentation that providers of high-risk AI systems must prepare before placing their system on the market. Must be kept up to date and made available to national competent authorities upon request.","article":"Art. 11","toolLink":"/documentation","toolLabel":"Documentation Generator"},"riskManagementSystem":{"term":"Risk Management System","definition":"A continuous iterative process planned and run throughout the entire lifecycle of a high-risk AI system. It involves identifying risks, estimating and evaluating them, adopting risk management measures, and testing those measures.","article":"Art. 9","toolLink":"/risk-management","toolLabel":"Risk Management Tool"},"conformityAssessment":{"term":"Conformity Assessment","definition":"The process of verifying whether a high-risk AI system meets the requirements of the AI Act before it can be placed on the market. Most systems use self-assessment (Annex VI), while biometric identification systems require third-party assessment by a notified body.","article":"Art. 43","toolLink":"/conformity","toolLabel":"Conformity Assessment Tool"},"fria":{"term":"Fundamental Rights Impact Assessment (FRIA)","definition":"An assessment that deployers of high-risk AI systems in certain sectors must conduct before putting the system into use. Required for public bodies and private entities providing essential services like healthcare, education, and insurance.","article":"Art. 27","toolLink":"/fria","toolLabel":"FRIA Generator"},"aiLiteracy":{"term":"AI Literacy","definition":"The obligation for providers and deployers to ensure their staff and other persons dealing with AI systems have a sufficient level of AI literacy. This applies to ALL AI systems regardless of risk level and is one of the first provisions to take effect (February 2, 2025).","article":"Art. 4","toolLink":"/academy","toolLabel":"Academy"},"ceMarking":{"term":"CE Marking","definition":"The marking that must be affixed to high-risk AI systems to indicate conformity with the AI Act. The CE marking must be visible, legible, and indelible, and is affixed before the system is placed on the market.","article":"Art. 48"},"euDeclarationOfConformity":{"term":"EU Declaration of Conformity","definition":"A document drawn up by the provider for each high-risk AI system, stating that the system meets the requirements of the AI Act. Must be kept up to date and made available to national competent authorities for 10 years after the system is placed on the market.","article":"Art. 47"},"euDatabase":{"term":"EU Database","definition":"A public EU database where high-risk AI systems must be registered before being placed on the market or put into service. Managed by the European Commission and accessible to the general public free of charge.","article":"Art. 71"},"postMarketMonitoring":{"term":"Post-Market Monitoring","definition":"A system that providers of high-risk AI systems must establish and document to actively and systematically collect, analyse, and evaluate data on the performance of their AI systems throughout their lifetime.","article":"Art. 72"},"seriousIncident":{"term":"Serious Incident","definition":"An incident or malfunction of an AI system that directly or indirectly leads to death, serious harm to health or fundamental rights, serious property damage, or serious environmental damage. Must be reported to market surveillance authorities.","article":"Art. 73"},"notifiedBody":{"term":"Notified Body","definition":"An independent organization designated by an EU Member State to carry out third-party conformity assessments for certain high-risk AI systems, particularly those involving biometric identification.","article":"Art. 28"},"marketSurveillanceAuthority":{"term":"Market Surveillance Authority","definition":"The national authority responsible for carrying out market surveillance of AI systems. Each Member State must designate at least one authority to supervise the application of the AI Act in their territory.","article":"Art. 70"},"harmonisedStandards":{"term":"Harmonised Standards","definition":"Technical standards adopted by European standardisation bodies (CEN, CENELEC, ETSI) at the request of the Commission. AI systems that comply with harmonised standards enjoy a presumption of conformity with the AI Act requirements those standards cover.","article":"Art. 40"},"gpai":{"term":"General-Purpose AI (GPAI)","definition":"An AI model that is trained with a large amount of data using self-supervision at scale, displays significant generality, can competently perform a wide range of distinct tasks, and can be integrated into downstream AI systems or applications. Subject to specific transparency and documentation obligations.","article":"Art. 51"},"systemicRisk":{"term":"Systemic Risk","definition":"A risk that is specific to the high-impact capabilities of general-purpose AI models. A GPAI model is classified as having systemic risk if it has high-impact capabilities or is designated as such by the Commission based on specific criteria.","article":"Art. 51"},"placingOnMarket":{"term":"Placing on the Market","definition":"The first making available of an AI system or a general-purpose AI model on the Union market. This triggers key compliance obligations for providers.","article":"Art. 3(9)"},"puttingIntoService":{"term":"Putting into Service","definition":"The supply of an AI system for first use directly to the deployer or for own use in the Union for its intended purpose. Distinct from placing on the market, as it refers to the actual deployment rather than making available.","article":"Art. 3(11)"},"intendedPurpose":{"term":"Intended Purpose","definition":"The use for which an AI system is intended by the provider, including the specific context and conditions of use as specified in the information supplied by the provider in the instructions for use, promotional materials, and technical documentation.","article":"Art. 3(12)"},"reasonablyForeseeableMisuse":{"term":"Reasonably Foreseeable Misuse","definition":"The use of an AI system in a way that is not in accordance with its intended purpose, but which may result from reasonably foreseeable human behaviour or interaction with other systems. Providers must account for this in their risk management.","article":"Art. 3(13)"},"biometricIdentification":{"term":"Biometric Identification","definition":"The automated recognition of physical, physiological, or behavioural human features for the purpose of establishing the identity of a natural person by comparing biometric data to stored reference data. One-to-many comparison.","article":"Art. 3(35)"},"emotionRecognition":{"term":"Emotion Recognition System","definition":"An AI system for the purpose of identifying or inferring emotions or intentions of natural persons on the basis of their biometric data. Use in workplaces and educational institutions is prohibited under Article 5.","article":"Art. 3(39)"},"realTimeBiometric":{"term":"Real-Time Remote Biometric Identification","definition":"A biometric identification system where the capturing of biometric data, comparison, and identification occur without significant delay. Strictly prohibited in publicly accessible spaces for law enforcement, with narrow exceptions requiring prior judicial authorisation.","article":"Art. 3(41)"},"regulatorySandbox":{"term":"Regulatory Sandbox","definition":"A controlled framework set up by a competent authority to allow the development, testing, and validation of innovative AI systems for a limited time under regulatory oversight. At least one sandbox must be operational in each Member State by August 2, 2026.","article":"Art. 57"}}},"legal":{"backToHome":"Back to home","impressum":{"title":"Impressum","companyTitle":"Company Information (pursuant to § 5 ECG)","companyName":"Parallax Technologies GmbH in Gründung","companyNote":"The company is currently in formation (in Gründung). Registered seat: Vienna, Austria. The full business address and commercial register details will be published here upon completion of GmbH registration.","managementTitle":"Management","managementName":"Managing Director: Kevin Miller","purposeTitle":"Business Purpose (Unternehmensgegenstand)","purposeText":"Development and operation of a software platform for EU AI Act compliance.","contactTitle":"Contact","contactEmail":"E-Mail: support@witness-compliance.eu","registrationTitle":"Commercial Register","registrationFirmenbuch":"Firmenbuch number: pending registration (Firmenbuchgericht: Handelsgericht Wien)","registrationUid":"UID number: pending registration","applicableLawTitle":"Applicable Law","applicableLawText":"Austrian E-Commerce-Gesetz (ECG), Mediengesetz, Unternehmensgesetzbuch (UGB).","odrTitle":"EU Online Dispute Resolution","odrText":"The European Commission provides a platform for online dispute resolution (ODR):","odrLink":"https://ec.europa.eu/consumers/odr/","odrDisclaimer":"We are neither obligated nor willing to participate in dispute resolution proceedings before a consumer arbitration board."},"privacy":{"title":"Privacy Policy","lastUpdated":"Effective: April 20, 2026","introTitle":"1. Introduction","introText":"This privacy policy explains how Parallax Technologies GmbH in Gründung (\"we\", \"us\", \"our\"), operating the platform witness-compliance.eu (\"Witness\", \"the Service\"), collects, uses, and protects your personal data. We are committed to protecting your privacy in accordance with the General Data Protection Regulation (GDPR) and applicable Austrian data protection law.","controllerTitle":"2. Data Controller","controllerText":"The data controller responsible for processing your personal data is:","controllerName":"Parallax Technologies GmbH in Gründung","controllerEmail":"E-Mail: support@witness-compliance.eu","controllerNote":"Full address and registration details will be published upon GmbH formation.","dataCollectedTitle":"3. Data We Collect","dataCollectedIntro":"We collect and process the following categories of personal data:","dataAccountTitle":"Account Data","dataAccountText":"Email address and name, collected during registration for authentication via magic link.","dataOrgTitle":"Organization Data","dataOrgText":"Company name, country, industry, and organization size, provided by you to establish your compliance context.","dataComplianceTitle":"Compliance Documentation","dataComplianceText":"Form field data you enter when using our compliance tools (classifier, technical documentation, risk management, FRIA, etc.). This is the core service of Witness and constitutes your compliance work product.","dataUploadsTitle":"Uploaded Documents","dataUploadsText":"If you upload documents for AI-assisted analysis, the extracted text is sent to our AI provider for processing. Documents are processed in memory only and are not stored as files on our servers.","dataChatTitle":"Chat Conversations","dataChatText":"Messages you send through the expert chat feature are stored in our database and sent to our AI provider to generate responses.","dataPaymentTitle":"Payment Information","dataPaymentText":"Payment processing is handled entirely by Paddle. We only store your Paddle customer ID and access tier. We do not have access to your credit card details or bank information.","dataAnalyticsTitle":"Analytics Data","dataAnalyticsText":"We collect anonymous page-level analytics via Umami. This is a privacy-friendly, cookieless analytics tool that does not collect personal data, does not use cookies, and does not track individual users.","dataTechnicalTitle":"Technical Data","dataTechnicalText":"Authentication session tokens stored in an httpOnly cookie for maintaining your logged-in session.","legalBasisTitle":"4. Legal Basis for Processing","legalBasisIntro":"We process your data on the following legal bases under GDPR Article 6:","legalBasisContractTitle":"Contract Performance (Art. 6(1)(b))","legalBasisContractText":"Processing of account data, organization data, compliance documentation, and chat conversations is necessary for the performance of our contract with you — providing the Witness compliance platform.","legalBasisInterestTitle":"Legitimate Interest (Art. 6(1)(f))","legalBasisInterestText":"Anonymous analytics data is processed based on our legitimate interest in understanding how the platform is used and improving our service. Security logging is based on our legitimate interest in protecting the service.","legalBasisConsentTitle":"Consent (Art. 6(1)(a))","legalBasisConsentText":"Document uploads for AI-assisted analysis are processed based on your explicit consent. You actively choose to upload each document. You can withdraw consent at any time by simply not uploading further documents.","processorsTitle":"5. Third-Party Processors","processorsIntro":"We use the following third-party service providers to operate Witness:","processorAnthropicName":"Anthropic (USA)","processorAnthropicPurpose":"AI-powered document analysis and chat responses. Receives: extracted document text from uploads and chat messages.","processorOpenaiName":"OpenAI (USA)","processorOpenaiPurpose":"Embedding generation for semantic search over public EU AI Act regulatory text. No user data is sent to OpenAI — only publicly available EU regulation text.","processorResendName":"Resend (USA)","processorResendPurpose":"Email delivery for magic link authentication and team invitations. Receives: email addresses only.","processorSentryName":"Sentry (EU/USA)","processorSentryPurpose":"Application error monitoring and incident diagnostics. Receives: technical error metadata, request identifiers, and stack traces when failures occur.","processorCloudflareName":"Cloudflare (Global)","processorCloudflarePurpose":"DNS, proxying, bot protection, and Turnstile verification. Receives: IP addresses, browser metadata, and anti-abuse telemetry needed to protect the service.","processorPaddleName":"Paddle (UK/EU)","processorPaddlePurpose":"Payment processing and merchant of record. Receives: standard payment data as entered by you during checkout. Paddle acts as the merchant of record and handles VAT compliance. We do not store payment details.","processorRailwayName":"Railway (EU West)","processorRailwayPurpose":"Database and application hosting in the EU. All persistent user data is stored here.","processorUmamiName":"Umami (cloud.umami.is)","processorUmamiPurpose":"Anonymous, cookieless website analytics. No personal data is collected or transmitted.","transfersTitle":"6. International Data Transfers","transfersText":"Some of our processors are based in or may process data from outside the European Union (Anthropic, OpenAI, Resend, Sentry, Cloudflare). Data transfers are conducted on the basis of the EU-US Data Privacy Framework and/or Standard Contractual Clauses (SCCs) in accordance with GDPR Article 46 where required. Our database hosting (Railway) is located in the EU West region — no international transfer applies to your stored data at rest. Payment processing by Paddle is conducted within the UK/EU.","retentionTitle":"7. Data Retention","retentionIntro":"We retain your data for the following periods:","retentionAccount":"Account data: Retained while your account is active. Deleted upon account deletion.","retentionCompliance":"Compliance data: Retained while your account is active. Deleted upon account deletion.","retentionChat":"Chat messages: Retained while your account is active. Deleted upon account deletion.","retentionUploads":"Uploaded documents: Not retained. Processed in memory and discarded immediately after analysis.","retentionAnalytics":"Analytics: Anonymized at collection. No personal data is retained.","retentionPayment":"Payment records: Retained as required by Austrian tax law (Bundesabgabenordnung, § 132) for a period of 7 years.","rightsTitle":"8. Your Rights Under GDPR","rightsIntro":"You have the following rights regarding your personal data:","rightsAccess":"Right of access (Art. 15) — You can request a copy of all personal data we hold about you.","rightsRectification":"Right to rectification (Art. 16) — You can request correction of inaccurate data.","rightsErasure":"Right to erasure (Art. 17) — You can request deletion of your data, subject to legal retention obligations.","rightsRestriction":"Right to restrict processing (Art. 18) — You can request that we limit how we use your data.","rightsPortability":"Right to data portability (Art. 20) — You can request your data in a structured, machine-readable format.","rightsObject":"Right to object (Art. 21) — You can object to processing based on legitimate interest.","rightsWithdraw":"Right to withdraw consent (Art. 7(3)) — Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing.","rightsExercise":"To exercise any of these rights, please contact us at support@witness-compliance.eu. We will respond within 30 days.","authorityTitle":"9. Supervisory Authority","authorityText":"You have the right to lodge a complaint with the competent data protection supervisory authority:","authorityName":"Österreichische Datenschutzbehörde","authorityAddress":"Barichgasse 40-42, 1030 Wien, Austria","authorityEmail":"dsb@dsb.gv.at","authorityWebsite":"https://www.dsb.gv.at","cookiesTitle":"10. Cookies","cookiesText":"Witness uses only one cookie, which is essential for the operation of the service:","cookieSession":"authjs.session-token — An httpOnly, secure session cookie used for authentication. This is a strictly necessary cookie and does not require consent under ePrivacy rules.","cookieNone":"We do not use tracking cookies, advertising cookies, or any third-party cookies. Our analytics tool (Umami) is completely cookieless.","childrenTitle":"11. Children","childrenText":"Witness is a business-to-business compliance platform and is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.","changesTitle":"12. Changes to This Policy","changesText":"We may update this privacy policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated via email or through an in-app notice. Continued use of the Service after changes become effective constitutes acceptance of the updated policy."},"terms":{"title":"Terms of Service","lastUpdated":"Effective: April 20, 2026","scopeTitle":"1. Scope","scopeText":"These Terms of Service (\"Terms\") govern your access to and use of witness-compliance.eu (\"Witness\", \"the Service\"), operated by Parallax Technologies GmbH in Gründung (\"we\", \"us\", \"our\"). By accessing or using the Service, you agree to be bound by these Terms.","serviceTitle":"2. Service Description","serviceText":"Witness is a self-service EU AI Act compliance platform. The Service provides tools for AI system classification, compliance documentation generation, risk assessments, a compliance academy, and an AI-assisted expert chat. The Service is designed to assist organizations in understanding and meeting their obligations under Regulation (EU) 2024/1689 (the EU AI Act).","accountTitle":"3. Account Registration","accountIntro":"To use certain features of the Service, you must create an account. By creating an account you agree that:","accountEmail":"You will provide a valid email address for authentication.","accountOne":"Each account is for a single individual. Shared accounts are not permitted.","accountSecurity":"You are responsible for maintaining the security of your account and for all activities that occur under your account.","accountAge":"You must be at least 18 years of age or authorized by your organization to use the Service.","paymentTitle":"4. Pricing & Payment","paymentIntro":"Witness offers the following access tiers:","paymentFree":"Free — Limited features including the AI system classifier, role classifier, and academy essentials. No payment required.","paymentPaid":"Paid tiers (Starter, Professional, Team) — Unlocked via a one-time initial assessment payment that includes 12 months of compliance maintenance. After the first year, annual maintenance renews automatically via Paddle at the published rate. You may cancel renewal at any time; you retain access to previously generated documents but lose access to monitoring features and new document generation.","paymentPaddle":"All payments are processed in EUR by Paddle, who acts as our merchant of record. We do not store your payment details.","paymentWithdrawalTitle":"Right of Withdrawal","paymentWithdrawalText":"Under the Austrian Fern- und Auswärtsgeschäfte-Gesetz (FAGG), you have a 14-day right of withdrawal from the date of purchase. However, by using the Service immediately after purchase, you consent to the immediate provision of digital content and acknowledge that you thereby waive your right of withdrawal in accordance with § 18(1)(11) FAGG.","aiDisclaimerTitle":"5. AI-Generated Content Disclaimer","aiDisclaimerIntro":"Witness uses artificial intelligence (including Anthropic Claude) to assist with compliance analysis and documentation. By using the Service, you understand and agree that:","aiDisclaimerNotLegal":"AI-generated suggestions, analysis, and content are informational only and do not constitute legal advice.","aiDisclaimerVerify":"You are solely responsible for verifying the accuracy and completeness of all output generated by the Service.","aiDisclaimerNoGuarantee":"Witness does not guarantee compliance with the EU AI Act or any other regulation. The Service is a tool to assist your compliance efforts, not a replacement for professional legal judgment.","aiDisclaimerThirdParty":"AI analysis is performed using third-party services (Anthropic Claude) and results may contain errors, omissions, or inaccuracies.","aiDisclaimerResponsibility":"You remain fully responsible for your organization's regulatory compliance.","ipTitle":"6. Intellectual Property","ipPlatform":"The Witness platform, including its code, design, legal mappings, and educational content, is the intellectual property of Parallax Technologies GmbH in Gründung and is protected by applicable copyright and intellectual property laws.","ipUserContent":"Content you create using the Service (your compliance documentation, assessment results, etc.) remains your intellectual property. We claim no ownership over your work product.","ipEuText":"EU AI Act regulatory text referenced within the Service is sourced from official EU publications and is in the public domain.","useTitle":"7. Acceptable Use","useIntro":"You agree not to:","useIllegal":"Use the Service for any purpose that is illegal or prohibited by these Terms.","useCircumvent":"Attempt to circumvent access controls, authentication mechanisms, or usage limits.","useScrape":"Use automated tools, bots, or scrapers to access or extract data from the Service.","useMalicious":"Upload malicious content, malware, or any content intended to harm the Service or other users.","useInterfere":"Interfere with or disrupt the integrity or performance of the Service.","dataTitle":"8. Data Processing","dataText":"Your use of the Service involves the processing of personal data as described in our Privacy Policy. By using the Service, you acknowledge and agree to the data processing practices outlined therein.","dataLink":"Please refer to our Privacy Policy for full details.","liabilityTitle":"9. Limitation of Liability","liabilityIntro":"To the maximum extent permitted by Austrian law:","liabilityAi":"We are not liable for decisions made based on AI-generated content, analysis, or suggestions provided by the Service.","liabilityCompliance":"We are not liable for any compliance outcomes, regulatory penalties, or damages arising from your use or inability to use the Service.","liabilityCap":"Our total aggregate liability to you for all claims arising from or relating to the Service is limited to the amount you paid to us in the 12 months preceding the claim.","liabilityMandatory":"Nothing in these Terms limits or excludes our liability for intent (Vorsatz) or gross negligence (grobe Fahrlässigkeit), as such limitations are not permitted under Austrian consumer protection law (Konsumentenschutzgesetz, KSchG).","warrantyTitle":"10. Warranty Disclaimer","warrantyText":"To the extent permitted by applicable law, the Service is provided \"as is\" and \"as available\" without warranties of any kind, whether express or implied, including but not limited to implied warranties of merchantability or fitness for a particular purpose. We make reasonable efforts to maintain availability and accuracy but do not guarantee uninterrupted or error-free operation.","terminationTitle":"11. Termination","terminationUser":"You may delete your account at any time through the Service. Upon deletion, your data will be removed in accordance with our Privacy Policy retention schedule.","terminationUs":"We may suspend or terminate your access to the Service if you violate these Terms, with reasonable notice where practicable. In cases of severe or repeated violations, immediate suspension may occur.","terminationEffect":"Upon termination, your right to use the Service ceases immediately. Data deletion follows the retention periods described in our Privacy Policy.","lawTitle":"12. Governing Law & Jurisdiction","lawText":"These Terms are governed by and construed in accordance with the laws of the Republic of Austria, excluding its conflict of law provisions.","lawJurisdiction":"The exclusive jurisdiction for any disputes arising from or in connection with these Terms is the competent court in Vienna, Austria.","lawConsumer":"If you are a consumer within the meaning of the Austrian Konsumentenschutzgesetz (KSchG), mandatory consumer protection provisions of the law of your habitual residence shall apply to the extent they provide greater protection (in accordance with the Rome I Regulation).","odrTitle":"13. EU Online Dispute Resolution","odrText":"The European Commission provides a platform for online dispute resolution (ODR):","odrLink":"https://ec.europa.eu/consumers/odr/","odrDisclaimer":"We are neither obligated nor willing to participate in dispute resolution proceedings before a consumer arbitration board.","severabilityTitle":"14. Severability","severabilityText":"If any provision of these Terms is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid provision shall be replaced by a valid provision that comes closest to the economic purpose of the invalid provision.","changesToTermsTitle":"15. Changes to These Terms","changesToTermsText":"We may update these Terms from time to time. We will provide at least 30 days' notice of material changes via email or in-app notification. Continued use of the Service after the effective date of updated Terms constitutes acceptance. If you do not agree to updated Terms, you may delete your account before they take effect."}},"upgrade":{"tierRequired":"Upgrade to {tier} to access this feature","tierDescription":"The {tier} tier starts at €{price} and unlocks this feature.","maintenanceRequired":"Renew your compliance maintenance to continue using this feature","maintenanceDescription":"Your first year of access has ended. Renew annual maintenance to keep using premium features.","maintenanceBadge":"Maintenance Required","upgradeButton":"View Plans","renewButton":"Renew Maintenance","featureNames":{"doc_generation":"Document Generation","export":"Document Export","templates":"Compliance Templates","monitoring":"Compliance Monitoring","freshness_alerts":"Freshness Alerts","audit_readiness":"Audit Readiness","fria":"FRIA Generator","conformity_assessment":"Conformity Assessment","risk_management":"Risk Management","ai_prefill":"AI Document Prefill","doc_upload":"Document Upload","academy_advanced":"Academy Advanced","multi_user":"Multi-User Access","employee_tracker":"Employee Training Tracker","compliance_reports":"Compliance Reports"}},"penaltyCalculator":{"meta":{"title":"EU AI Act Penalty Calculator — Free Tool | Witness","description":"Calculate your maximum EU AI Act fine exposure under Article 99. Free calculator covering all three tiers, including reduced caps for SMEs and startups.","keywords":"EU AI Act penalty calculator, EU AI Act fines, AI Act fine calculator, Article 99 EU AI Act, AI regulation fines, SME AI Act penalties"},"hero":{"eyebrow":"Free tool","heading":"EU AI Act Penalty Calculator","subheading":"Estimate your maximum exposure under Article 99 of the EU AI Act. Enter your annual worldwide turnover and see what the three tiers of fines could look like for your business — including the reduced caps for SMEs and startups.","legalBasis":"Based on Article 99 of Regulation (EU) 2024/1689."},"inputs":{"heading":"Your company","subheading":"Two inputs. We calculate the rest live.","revenueLabel":"Annual worldwide turnover (EUR)","revenuePlaceholder":"10,000,000","revenueHelp":"Use your total global annual turnover for the preceding financial year. Fines are capped on a per-infringement basis.","smeLabel":"Company type","smeOn":"SME or startup","smeOff":"Standard company","smeHelp":"SMEs and startups get the lower of fixed or percentage — not the higher."},"smeToggle":{"ariaLabel":"Apply SME/startup reduced penalty caps (Article 99(6))"},"results":{"heading":"Your maximum fine per violation tier","subheadingStandard":"Standard rule: the higher of the fixed cap or the turnover percentage applies.","subheadingSme":"SME / startup rule: the lower of the fixed cap or the turnover percentage applies.","maxLabel":"Maximum fine","fixedCap":"Fixed cap","percentCap":"Turnover cap","standardRule":"The higher of the two applies.","smeRule":"The lower of the two applies (Art. 99(6))."},"tiers":{"prohibited":{"title":"Prohibited practices","description":"Use of a banned practice under Article 5 (e.g. social scoring, real-time biometric categorisation, emotion recognition in the workplace). Highest tier: up to EUR 35M or 7% of worldwide turnover."},"highRisk":{"title":"High-risk violations","description":"Breach of obligations for high-risk AI systems (Articles 8–27, 43, 49), notified body duties, or GPAI provider obligations (Articles 51–56). Up to EUR 15M or 3% of worldwide turnover."},"misleadingInfo":{"title":"Misleading information","description":"Supplying incorrect, incomplete or misleading information to notified bodies or national competent authorities. Up to EUR 7.5M or 1% of worldwide turnover."}},"cta":{"heading":"Find out whether any of this actually applies to you","body":"These figures are the ceiling — the regulator looks at intent, duration, cooperation and dozens of other factors when setting an actual fine. Start with our free classifier to see what risk level your AI system falls into, then work through the compliance checklist.","primary":"Find out your risk level","secondary":"Start your compliance journey"},"faq":{"heading":"Frequently asked questions","q1":{"question":"What are the penalties for EU AI Act non-compliance?","answer":"Article 99 of the EU AI Act defines three tiers. Use of a prohibited practice under Article 5 is punishable by up to EUR 35 million or 7% of worldwide annual turnover, whichever is higher. Breach of most other obligations (high-risk AI, notified body duties, GPAI obligations) can cost up to EUR 15 million or 3% of worldwide turnover. Supplying misleading information to regulators is capped at EUR 7.5 million or 1% of turnover. The higher of the two applies for standard companies."},"q2":{"question":"How are AI Act fines calculated?","answer":"For each tier the regulator compares a fixed EUR cap with a percentage of your worldwide annual turnover from the preceding financial year and applies the higher of the two. Turnover is counted group-wide. The actual fine within that ceiling depends on the nature, gravity and duration of the infringement, whether the violation was intentional or negligent, how the company cooperated with authorities, the size of the operator and the extent of any financial benefit gained."},"q3":{"question":"Are there reduced penalties for SMEs and startups?","answer":"Yes. Article 99(6) flips the rule for SMEs, including startups: the lower of the fixed cap or the turnover percentage applies instead of the higher. In practice this caps a small company's exposure to the percentage-based figure, which can be a fraction of the headline numbers. SME status is defined by the EU recommendation 2003/361/EC (fewer than 250 employees and either turnover ≤ EUR 50M or balance sheet ≤ EUR 43M)."}},"disclaimer":"This calculator provides non-binding estimates of maximum statutory fines under Article 99 of Regulation (EU) 2024/1689. It is not legal advice. Actual fines depend on the specific circumstances of an infringement and the decision of the competent national authority."},"freeTools":{"meta":{"title":"Free EU AI Act Compliance Tools & Templates — Witness","description":"Free EU AI Act tools: AI classifier, provider-vs-deployer role check, Article 99 penalty calculator, plus FRIA, Annex IV, risk and AI literacy templates.","keywords":"free EU AI Act compliance tools, EU AI Act free templates, AI Act classifier, FRIA template, Annex IV template, risk management template, AI literacy template, penalty calculator"},"breadcrumbCurrent":"Free Tools","hero":{"eyebrow":"Free resources","heading":"Free EU AI Act compliance tools","subheading":"Interactive checks and ready-to-use templates for providers and deployers — no sign-up, no credit card.","intro":"We open-source the questionnaires and templates we built for Witness customers so every European SME can start preparing for the 2 August 2026 deadline. Each tool cites the exact EU AI Act article it implements — verify, download, and adapt."},"sections":{"interactive":{"title":"Interactive tools","description":"Answer a few guided questions and get an instant, article-level result."},"templates":{"title":"Downloadable templates","description":"Word and PDF templates for the core high-risk compliance artefacts. Launching soon — full interactive generators are already available inside Witness."}},"cards":{"aiClassifier":{"name":"AI System Classifier","description":"Determine whether your system is prohibited, high-risk, limited-risk, or minimal-risk under Articles 5, 6 and Annex III."},"roleClassifier":{"name":"Role Classifier","description":"Provider or deployer? Clarify your role under Article 25 and see which obligations actually apply to your company."},"penaltyCalculator":{"name":"Penalty Calculator","description":"Estimate your maximum fine exposure under Article 99 based on infringement type, turnover and SME status."},"friaTemplate":{"name":"FRIA Template","description":"Article 27 Fundamental Rights Impact Assessment template for public-body deployers of high-risk AI systems."},"annexIvTemplate":{"name":"Annex IV Documentation Template","description":"Nine-section technical documentation template covering Article 11 and Annex IV requirements for high-risk providers."},"riskManagementTemplate":{"name":"Risk Management System Template","description":"Article 9 risk management template — identify, estimate, evaluate and mitigate risks across the full AI lifecycle."},"aiLiteracyTemplate":{"name":"AI Literacy Plan Template","description":"Article 4 AI literacy plan template — document the training your staff needs to deploy AI responsibly."}},"cta":{"useTool":"Use tool","comingSoon":"Coming soon","footerHeading":"Ready for the full compliance suite?","footerDescription":"Free tools get you started. Witness takes you all the way to audit-ready documentation with guided generators, obligation tracking and continuous monitoring.","footerButton":"Start with Witness"}},"friaTemplate":{"meta":{"title":"Free FRIA Template — EU AI Act Article 27 | Witness","description":"Free Fundamental Rights Impact Assessment (FRIA) template for EU AI Act Article 27. Download the editable 8-section template or use the guided online generator.","keywords":"FRIA template, fundamental rights impact assessment, EU AI Act Article 27, FRIA template download, FRIA template free, AI Act FRIA"},"breadcrumbCurrent":"FRIA Template","hero":{"eyebrow":"Free template — Article 27","heading":"Free FRIA Template","subheading":"An editable Fundamental Rights Impact Assessment covering every section required by Article 27 of the EU AI Act — no sign-up, no guesswork, audit-ready in one evening.","legalBasis":"Aligned with","valueProp":"The template covers all eight mandatory sections and cites the relevant Article 27 subparagraphs inline, so every field traces back to the regulation.","ctaGenerate":"Generate FRIA online","ctaDownload":"Download template"},"whoNeeds":{"title":"Who must complete a FRIA?","description":"Article 27(1) limits the FRIA obligation to specific deployer categories — you only need one to apply.","items":{"publicAuthority":"Deployers that are public authorities or bodies governed by public law","publicServices":"Deployers that are private entities providing public services","annexIII5b":"Deployers of high-risk AI systems listed in Annex III point 5(b) — creditworthiness evaluation or credit scoring","annexIII5c":"Deployers of high-risk AI systems listed in Annex III point 5(c) — life and health insurance risk assessment and pricing"},"note":"If none of these apply, a FRIA is not mandatory — but you may still be subject to other Article 26 deployer obligations."},"contents":{"title":"What the template includes","description":"Eight structured sections, one-to-one with the subparagraphs of Article 27(1)(a)–(f) plus the DPIA and authority-notification requirements in Article 27(3) and (4).","sections":{"processDescription":{"title":"Process description","articleRef":"Art. 27(1)(a)","description":"Deployment context, intended purpose, operational environment and the types of decisions the system supports."},"usageTimeline":{"title":"Usage timeline and frequency","articleRef":"Art. 27(1)(b)","description":"Start date, planned duration, usage cadence, expected decision volume and review schedule."},"affectedGroups":{"title":"Affected categories of persons","articleRef":"Art. 27(1)(c)","description":"Primary affected groups, vulnerable groups, geographic scope and indirectly affected parties."},"specificRisks":{"title":"Specific risks of harm","articleRef":"Art. 27(1)(d)","description":"Likelihood, severity, discrimination and privacy risks — incorporating the provider's Article 13 information."},"humanOversight":{"title":"Human oversight measures","articleRef":"Art. 27(1)(e)","description":"Oversight roles, intervention mechanisms, escalation procedures, override capability and monitoring frequency."},"mitigationMeasures":{"title":"Mitigation measures and governance","articleRef":"Art. 27(1)(f)","description":"Preventive and corrective measures, complaint mechanism, governance structure and review triggers."},"dpiaIntegration":{"title":"DPIA integration","articleRef":"Art. 27(4)","description":"How the FRIA complements an existing GDPR Article 35 Data Protection Impact Assessment."},"authorityNotification":{"title":"Authority notification","articleRef":"Art. 27(3)","description":"Procedure for notifying the market surveillance authority when a risk cannot be mitigated."}}},"download":{"title":"Download or preview","description":"Open the template in your browser to preview it, print it straight to PDF from the browser menu, or save it locally to edit offline.","previewLabel":"Preview","previewAlt":"FRIA template preview showing the Article 27 section headings and answer boxes.","downloadCta":"Download FRIA template","openInBrowser":"Open in browser","fileNote":"HTML template, approximately 12 kB. Prints cleanly to PDF via your browser."},"online":{"eyebrow":"Upgrade path","title":"The online generator beats a static template","description":"The downloadable template gets you started. The guided FRIA generator inside Witness takes you the rest of the way.","benefits":{"aiPrefill":{"title":"AI prefill from your classifier answers","description":"Answers from the AI System Classifier flow into the FRIA sections so you start from an 80 percent draft, not a blank page."},"citations":{"title":"Legal citations on every field","description":"Each question links to the exact Article 27 subparagraph it implements, with EUR-Lex references available inline."},"exports":{"title":"Word and PDF export after completion","description":"Submit the completed FRIA and download a formatted deliverable ready to share with auditors or the market surveillance authority."}},"ctaLabel":"Open the online FRIA generator","ctaNote":"Requires a Witness account with Professional access and active annual maintenance."},"faq":{"title":"Frequently asked questions","q1":{"question":"Who must complete a FRIA?","answer":"Per Article 27(1), deployers must complete a FRIA before first use of the high-risk AI system if they are a public authority or body governed by public law, a private entity providing public services, or a deployer of high-risk AI systems listed in Annex III point 5(b) (creditworthiness and credit scoring) or point 5(c) (life and health insurance risk assessment and pricing)."},"q2":{"question":"When must the FRIA be completed?","answer":"Article 27(1) requires the assessment to be conducted before the high-risk AI system is put into use for the first time. It must be updated when any of its elements change materially — for example, a new deployment context, new affected groups, or substantive new risks."},"q3":{"question":"What happens if we skip the FRIA?","answer":"Failure to conduct a required FRIA is non-compliance with Article 27 and may trigger administrative fines under Article 99. Fines for non-compliance with obligations other than prohibited practices can reach up to 15,000,000 EUR or 3 percent of worldwide annual turnover, whichever is higher."},"q4":{"question":"Is this template legally binding?","answer":"No. The template is a structured starting point aligned with Article 27. The legal obligation is to produce a complete assessment covering Article 27(1)(a) to (f); using this particular template is not required by law. Witness does not warrant that filling in this template alone is sufficient to discharge the FRIA obligation."},"q5":{"question":"Can I edit the template?","answer":"Yes. The template is a plain HTML file — you can edit it in any browser, word processor or text editor and save it as PDF or DOCX. If you want guided completion with AI prefill, inline legal citations and a formatted export, use the online FRIA generator instead."},"q6":{"question":"How is the FRIA different from a DPIA?","answer":"A DPIA is a Data Protection Impact Assessment required by Article 35 of the GDPR and focuses on data-protection risks to personal data. A FRIA is required by Article 27 of the EU AI Act and addresses fundamental-rights impacts from a high-risk AI system. Article 27(4) says the two can complement each other: if a DPIA already exists, the FRIA should build on it rather than duplicate it."}},"schema":{"templateName":"Free FRIA Template — EU AI Act Article 27","templateDescription":"Editable Fundamental Rights Impact Assessment template covering all eight sections required by Article 27 of Regulation (EU) 2024/1689."}},"annexIvTemplate":{"meta":{"title":"Free Annex IV Template — EU AI Act Article 11 | Witness","description":"Free Annex IV technical documentation template for EU AI Act Article 11. Download the editable nine-section template or use the guided online generator.","keywords":"Annex IV template, technical documentation template, EU AI Act Article 11, Annex IV documentation, AI Act technical documentation, Annex IV free download"},"breadcrumbCurrent":"Annex IV Template","hero":{"eyebrow":"Free template — Article 11 / Annex IV","heading":"Free Annex IV Template","subheading":"An editable technical documentation template covering every section required by Annex IV of the EU AI Act — no sign-up, no guesswork, downloadable in PDF, Word and Excel.","legalBasis":"Aligned with Annex IV, referenced from","valueProp":"The template covers all nine mandatory Annex IV sections and cites the relevant subparagraphs inline so you can trace every field back to the regulation.","ctaGenerate":"Generate documentation online","ctaDownload":"Download template"},"whoNeeds":{"title":"Who needs Annex IV documentation?","description":"Article 11(1) makes technical documentation a provider obligation — the duty belongs to whoever places the high-risk AI system on the EU market or puts it into service under their own name.","items":{"highRiskProvider":"Providers of high-risk AI systems listed in Annex III or regulated as safety components under Annex I","beforeMarket":"Documentation must be drawn up before the system is placed on the market or put into service","keepUpdated":"Must be kept up to date throughout the system's lifecycle and retained for 10 years after market placement (Art. 18)","sme":"SMEs and start-ups may provide Annex IV in a simplified manner — the simplified template is to be established by the Commission (Art. 11(1) final subparagraph)"},"note":"Deployers do not draw up Annex IV documentation themselves, but may become providers under Article 25 if they substantially modify the system or put their own name on it."},"contents":{"title":"What the template includes","description":"Nine structured sections, one-to-one with the Annex IV requirements of Regulation (EU) 2024/1689 — the same sections used by the Witness online generator.","sections":{"generalDescription":{"title":"General description of the AI system","articleRef":"Annex IV(1)","description":"Intended purpose, provider, version, hardware/software interaction, distribution forms, user interface, instructions for use and foreseeable misuse."},"developmentProcess":{"title":"Detailed description of elements and development process","articleRef":"Annex IV(2)","description":"Development methods, design choices, architecture, training data, validation and testing, metrics, bias detection and cybersecurity per Art. 15."},"monitoringControl":{"title":"Monitoring, functioning and control","articleRef":"Annex IV(3)","description":"Capabilities and limitations, expected accuracy, human oversight specifications, input data and logging capabilities per Art. 12."},"performanceMetrics":{"title":"Appropriateness of performance metrics","articleRef":"Annex IV(4)","description":"Justification of why the chosen accuracy, robustness and fairness metrics are appropriate for this specific system and intended purpose."},"riskManagement":{"title":"Risk management system","articleRef":"Annex IV(5) / Art. 9","description":"Detailed description of the risk management system — identification, estimation, evaluation and mitigation across the full AI lifecycle."},"lifecycleChanges":{"title":"Changes through lifecycle","articleRef":"Annex IV(6)","description":"Relevant changes made by the provider over the system's lifecycle — model updates, retraining, configuration changes and substantial modifications."},"standardsApplied":{"title":"Standards and specifications applied","articleRef":"Annex IV(7)","description":"Harmonised standards applied, common specifications under Art. 41 or alternative technical solutions adopted to meet Chapter III, Section 2."},"declarationConformity":{"title":"EU declaration of conformity","articleRef":"Annex IV(8) / Art. 47","description":"Copy of the EU declaration of conformity identifying the provider, the system, the regulation and confirming conformity with Chapter III, Section 2."},"postMarketMonitoring":{"title":"Post-market monitoring system","articleRef":"Annex IV(9) / Art. 72(3)","description":"System for evaluating post-market performance, incident reporting under Art. 73 and feedback into the risk management system."}}},"download":{"title":"Download or preview","description":"Open the template in your browser to preview it, print it straight to PDF from the browser menu, or save it locally to edit offline.","previewLabel":"Preview","previewAlt":"Annex IV template preview showing the nine technical documentation section headings and answer boxes.","downloadCta":"Download Annex IV template","openInBrowser":"Open in browser","fileNote":"HTML template, approximately 14 kB. Prints cleanly to PDF via your browser."},"online":{"eyebrow":"Upgrade path","title":"The online generator beats a static template","description":"The downloadable template gets you started. The guided Technical Documentation generator inside Witness takes you the rest of the way.","benefits":{"aiPrefill":{"title":"AI prefill from your classifier answers","description":"Answers from the AI System Classifier flow into the Annex IV sections so you start from a substantial draft, not a blank page."},"citations":{"title":"Legal citations on every field","description":"Each of the 50+ fields links to the exact Annex IV subparagraph it implements, with EUR-Lex references available inline."},"exports":{"title":"Word and PDF export after completion","description":"Submit the completed documentation and download a formatted deliverable ready to share with auditors or notified bodies."},"versionHistory":{"title":"Version history for the 10-year retention","description":"Article 18 requires keeping the documentation for 10 years. The generator tracks versions so every change is auditable."}},"ctaLabel":"Open the online Technical Documentation generator","ctaNote":"Requires a Witness account with Professional access and active annual maintenance."},"faq":{"title":"Frequently asked questions","q1":{"question":"Who must complete Annex IV documentation?","answer":"Providers of high-risk AI systems must draw up the technical documentation set out in Annex IV. This obligation is set by Article 11(1) and applies to anyone who develops a high-risk AI system and places it on the EU market or puts it into service under their own name or trademark. Deployers do not draw up Annex IV themselves, but can become providers under Article 25 if they substantially modify the system or put their own name on it."},"q2":{"question":"When must the Annex IV documentation be completed?","answer":"Article 11(1) requires the technical documentation to be drawn up before the high-risk AI system is placed on the market or put into service. It must be kept up to date throughout the system's lifecycle — any substantial modification, retraining or material change in intended purpose triggers an update."},"q3":{"question":"Must I keep it on file after the system is on the market?","answer":"Yes. Article 18 requires providers to keep the technical documentation, the quality management system documentation, approvals of changes, decisions of notified bodies, the EU declaration of conformity and automatically generated logs at the disposal of national competent authorities for 10 years after the AI system has been placed on the market or put into service."},"q4":{"question":"What happens if we skip it?","answer":"Not drawing up or maintaining Annex IV documentation is non-compliance with Article 16 (provider obligations) and Article 11 (technical documentation). Under Article 99, non-compliance with obligations other than prohibited practices can trigger administrative fines of up to 15,000,000 EUR or 3 percent of worldwide annual turnover, whichever is higher."},"q5":{"question":"Is this template legally binding?","answer":"No. The template is a structured starting point aligned with Annex IV. The legal obligation is to produce complete Annex IV documentation covering all nine sections; using this particular template is not required by law. Witness does not warrant that filling in this template alone is sufficient to discharge the technical documentation obligation."},"q6":{"question":"What about the SME simplified form?","answer":"Article 11(1), final subparagraph allows SMEs and start-up providers to provide the Annex IV elements in a simplified manner. The Commission is mandated to establish a simplified technical documentation template adapted to SME and start-up needs. Until that template is published you can use this template as a starting point; the underlying obligation to cover the Annex IV elements still applies."}},"schema":{"templateName":"Free Annex IV Technical Documentation Template — EU AI Act Article 11","templateDescription":"Editable technical documentation template covering all nine sections required by Annex IV of Regulation (EU) 2024/1689."}},"riskManagementTemplate":{"meta":{"title":"Free Risk Management Template — EU AI Act Article 9 | Witness","description":"Free Article 9 Risk Management System template for EU AI Act high-risk providers. Editable 7-section template or guided online generator — no sign-up.","keywords":"risk management template, EU AI Act Article 9, risk management system template, AI Act risk management, risk management template download, risk management template free"},"breadcrumbCurrent":"Risk Management Template","hero":{"eyebrow":"Free template — Article 9","heading":"Free Risk Management System Template","subheading":"An editable Risk Management System aligned with every requirement of Article 9 of the EU AI Act — no sign-up, no guesswork, audit-ready documentation.","legalBasis":"Aligned with","valueProp":"For providers of high-risk AI systems, the template covers all seven Article 9 obligations and cites the relevant sub-paragraphs inline so auditors can trace each section back to the regulation.","ctaGenerate":"Generate online","ctaDownload":"Download template"},"whoNeeds":{"title":"Who must establish a Risk Management System?","description":"Article 9(1) requires every provider of a high-risk AI system to establish, implement, document and maintain a risk management system. Article 9(2) adds that it must run as a continuous iterative process across the entire lifecycle.","items":{"highRiskProviders":"Providers of high-risk AI systems under Article 6(1) or Article 6(2) — including systems listed in Annex III","lifecycle":"All such providers, throughout the entire lifecycle of the system — not a one-off deliverable (Article 9(2))","annexIII":"Systems in Annex III areas (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice)","annexI":"Safety components of products in scope of the Annex I Union harmonisation legislation"},"note":"A Risk Management System is not required for non-high-risk systems, but deployers of high-risk systems still have their own obligations under Article 26 and, where applicable, Article 27 (FRIA)."},"contents":{"title":"What the template includes","description":"Seven structured sections aligned one-to-one with the Risk Management generator inside Witness, so you can start on paper and migrate to the online tool without losing work.","sections":{"riskIdentification":{"title":"Risk identification","articleRef":"Art. 9(2)(a)","description":"Known and reasonably foreseeable risks to health, safety and fundamental rights when the system is used in accordance with its intended purpose."},"riskEstimation":{"title":"Risk estimation and evaluation","articleRef":"Art. 9(2)(b)","description":"Likelihood and severity for intended use and reasonably foreseeable misuse, plus the evaluation methodology."},"riskMeasures":{"title":"Risk management measures","articleRef":"Art. 9(3), 9(5)","description":"Elimination, reduction, mitigation and information measures — considering the effect of their combined application."},"residualRisk":{"title":"Residual risk and deployer communication","articleRef":"Art. 9(5)","description":"Residual risks judged acceptable and communicated to deployers, including the relevant overall residual risk."},"testing":{"title":"Testing","articleRef":"Art. 9(6)–(8)","description":"Testing procedures, performance metrics, prior defined probabilistic thresholds and testing cadence — including real-world testing where appropriate."},"continuousIteration":{"title":"Continuous iteration and review","articleRef":"Art. 9(2)","description":"Lifecycle plan, update triggers, review schedule, documentation control and integration with Article 72 post-market monitoring."},"specificConsiderations":{"title":"Children and vulnerable groups","articleRef":"Art. 9(9)","description":"Specific consideration for children and other vulnerable groups where the system is likely to affect them."}}},"download":{"title":"Download or preview","description":"Open the template in your browser to preview it, print it straight to PDF from the browser menu, or save it locally to edit offline.","previewLabel":"Preview","previewAlt":"Risk Management template preview showing the Article 9 section headings and answer boxes.","downloadCta":"Download Risk Management template","openInBrowser":"Open in browser","fileNote":"HTML template, approximately 12 kB. Prints cleanly to PDF via your browser."},"online":{"eyebrow":"Upgrade path","title":"The online generator beats a static template","description":"The downloadable template gets you started. The guided Risk Management generator inside Witness takes you the rest of the way.","benefits":{"aiPrefill":{"title":"AI prefill from your classifier answers","description":"Answers from the AI System Classifier flow into the Risk Management sections so you start from an 80 percent draft, not a blank page."},"citations":{"title":"Legal citations on every field","description":"Each field links to the exact Article 9 sub-paragraph it implements, with EUR-Lex references available inline."},"exports":{"title":"Word and PDF export, plus version history","description":"Submit the completed RMS and download a formatted deliverable. Version history captures every iteration — mandatory under Article 9(2)."}},"ctaLabel":"Open the online Risk Management generator","ctaNote":"Requires a Witness account with Professional access and active annual maintenance."},"faq":{"title":"Frequently asked questions","q1":{"question":"Who must establish a Risk Management System?","answer":"Article 9(1) requires every provider of a high-risk AI system to establish, implement, document and maintain a risk management system. This applies to high-risk systems classified under Article 6(1) (safety components of products regulated under Annex I harmonisation legislation) and Article 6(2) (systems listed in Annex III). Deployers of high-risk systems have their own obligations under Article 26 but are not themselves required to run an Article 9 RMS for systems they only use."},"q2":{"question":"When must the Risk Management System be in place?","answer":"Article 9(2) requires the risk management system to run throughout the entire lifecycle of the high-risk AI system. It is not a one-off deliverable. Providers must establish the RMS before placing the system on the market or putting it into service and must continue to operate it as a continuous iterative process while the system remains available — including during the design, development, deployment and post-market phases."},"q3":{"question":"How often must the Risk Management System be reviewed?","answer":"Article 9(2)(e) requires the risk management system to be regularly and systematically reviewed and updated based on new testing results, changes in the state of the art, and data gathered through the Article 72 post-market monitoring system. There is no fixed minimum frequency in the regulation, but a documented review cadence — typically quarterly or at least annually — combined with event-driven updates (new incident, substantial modification, new deployment context) is the expected standard."},"q4":{"question":"Must we include reasonably foreseeable misuse?","answer":"Yes. Article 9(2)(b) explicitly requires providers to estimate and evaluate the risks that may emerge both when the system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse. Ignoring misuse scenarios is a common cause of non-compliance findings — providers should document the misuse scenarios considered, why they are considered reasonably foreseeable, and the measures addressing them."},"q5":{"question":"What happens if we skip the Risk Management System?","answer":"Failing to establish a compliant risk management system is a breach of Article 9 and of the broader provider obligations under Article 16. Under Article 99(4), non-compliance with provider obligations can attract administrative fines of up to 15,000,000 EUR or, if higher, up to 3 percent of total worldwide annual turnover for the preceding financial year. SMEs are capped at the lower of the two amounts under Article 99(6)."},"q6":{"question":"Is this template legally binding?","answer":"No. The template is a structured starting point aligned with Article 9. The legal obligation is to establish, maintain and operate a compliant continuous risk management system covering Article 9(1) to (9) throughout the entire lifecycle of the high-risk AI system; using this particular template is not required by law. Witness does not warrant that filling in this template alone is sufficient to discharge the Article 9 obligation."}},"schema":{"templateName":"Free Risk Management System Template — EU AI Act Article 9","templateDescription":"Editable Risk Management System template covering all seven sections required by Article 9 of Regulation (EU) 2024/1689."}},"aiLiteracyTemplate":{"meta":{"title":"Free AI Literacy Plan Template — EU AI Act Article 4 | Witness","description":"Free AI literacy plan template for EU AI Act Article 4. Download the editable 4-section template or use the guided online generator. Art. 4 is enforced.","keywords":"AI literacy template, AI literacy plan, EU AI Act Article 4, AI literacy plan template, AI literacy plan free download, AI Act Article 4 training"},"breadcrumbCurrent":"AI Literacy Template","hero":{"eyebrow":"Free template — Article 4","heading":"Free AI Literacy Plan Template","subheading":"An editable AI literacy plan covering the four sections Article 4 of the EU AI Act asks you to document — no sign-up, no guesswork, already enforceable since February 2025.","legalBasis":"Aligned with","enforcementBadge":"In force since 2 February 2025.","enforcementNote":"Article 4 is already enforceable — unlike most high-risk obligations, which kick in on 2 August 2026. Providers and deployers are expected to have literacy measures in place now.","valueProp":"For providers and deployers, the template covers the four sections used by the Witness online generator and cites Article 4 inline so every field traces back to the regulation.","ctaGenerate":"Generate plan online","ctaDownload":"Download template"},"whoNeeds":{"title":"Who needs an AI literacy plan?","description":"Article 4 is one of the broadest obligations in the AI Act — it applies to providers and deployers, across all risk levels, and covers staff plus any other persons using AI systems on their behalf.","items":{"providers":"Providers of AI systems — anyone who develops an AI system and places it on the EU market or puts it into service under their own name","deployers":"Deployers of AI systems — any natural or legal person using an AI system under their authority in a professional context","allRiskLevels":"Applies to all AI systems, irrespective of risk classification — not only high-risk or general-purpose AI models","ownStaffAndContractors":"Covers the organisation's own staff and other persons dealing with the operation and use of AI systems on its behalf (e.g. contractors, outsourced operators)"},"note":"Article 4 does not prescribe a specific curriculum — measures must be proportionate to technical knowledge, experience, education, training, context of use and the persons or groups on whom AI systems are used."},"contents":{"title":"What the template includes","description":"Four structured sections that map one-to-one to the sections used by the Witness online AI literacy generator, each anchored in Article 4 of Regulation (EU) 2024/1689.","sections":{"organizationOverview":{"title":"Organisation overview","articleRef":"Art. 4","description":"Organisation, sector, headcount, AI systems in use, their risk levels and the internal roles interacting with them."},"trainingNeedsAssessment":{"title":"Training needs assessment","articleRef":"Art. 4","description":"Current literacy baseline, role-specific knowledge gaps, required technical depth, awareness for affected persons and context-specific requirements."},"trainingCurriculum":{"title":"Training curriculum","articleRef":"Art. 4","description":"Target audience, delivery method, training schedule and the person responsible for delivery."},"complianceDocumentation":{"title":"Compliance documentation","articleRef":"Art. 4","description":"Programme description, implementation date, review frequency, responsible officer, documentation of measures, evidence of completion and continuous improvement plan."}}},"download":{"title":"Download or preview","description":"Open the template in your browser to preview it, print it straight to PDF from the browser menu, or save it locally to edit offline.","previewLabel":"Preview","previewAlt":"AI literacy plan template preview showing the four Article 4 section headings and answer boxes.","downloadCta":"Download AI literacy template","openInBrowser":"Open in browser","fileNote":"HTML template, approximately 8 kB. Prints cleanly to PDF via your browser."},"online":{"eyebrow":"Upgrade path","title":"The online generator beats a static template","description":"The downloadable template gets you started. The guided AI literacy generator inside Witness takes you the rest of the way.","benefits":{"aiPrefill":{"title":"AI prefill from your classifier answers","description":"Answers from the AI System Classifier flow into the literacy sections so you start from a drafted plan, not a blank page."},"citations":{"title":"Legal citations on every field","description":"Each of the 25 fields links to Article 4 and its related recitals, with EUR-Lex references available inline."},"exports":{"title":"Word and PDF export after completion","description":"Submit the completed plan and download a formatted deliverable ready to share with auditors or national competent authorities."},"versionHistory":{"title":"Version history and review cadence","description":"Article 4 measures must be kept appropriate over time. The generator tracks revisions so every update is auditable."}},"ctaLabel":"Open the online AI literacy generator","ctaNote":"Requires a Witness account with Professional access and active annual maintenance."},"faq":{"title":"Frequently asked questions","q1":{"question":"Who must have an AI literacy plan?","answer":"Article 4 applies to both providers and deployers of AI systems. Providers develop AI systems and place them on the EU market or put them into service under their own name. Deployers use AI systems under their authority in a professional context. Both must take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf."},"q2":{"question":"Does this apply to all AI systems or just high-risk ones?","answer":"Article 4 applies to all AI systems, irrespective of their risk classification under Article 6. That means the obligation covers minimal-risk, limited-risk and high-risk systems, as well as general-purpose AI models when deployed in your organisation. It is one of the broadest obligations in the AI Act."},"q3":{"question":"Since when has Article 4 been in force?","answer":"Article 4 has applied since 2 February 2025, per Article 113 of Regulation (EU) 2024/1689. That is earlier than most high-risk provider and deployer obligations, which apply from 2 August 2026. In practice this means providers and deployers are already expected to have AI literacy measures in place."},"q4":{"question":"Who must be covered by the plan?","answer":"Article 4 requires you to ensure a sufficient level of AI literacy for your own staff and for other persons dealing with the operation and use of AI systems on your behalf. That includes employees, but also contractors, outsourced operators and any third parties acting on the provider's or deployer's behalf in relation to the AI system."},"q5":{"question":"What happens if we skip it?","answer":"Non-compliance with Article 4 can be pursued by national competent authorities. Article 99(7) lets Member States lay down rules on penalties for infringements of the Regulation by operators, and the general administrative fine tier under Article 99(4) — up to 15,000,000 EUR or 3 percent of worldwide annual turnover, whichever is higher — can apply to non-compliance with obligations that are not specifically listed in Article 99(3) or (5). In addition, missing AI literacy weakens compliance with related obligations (e.g. human oversight under Article 14, deployer duties under Article 26)."},"q6":{"question":"Is this template legally binding?","answer":"No. The template is a structured starting point aligned with Article 4. The legal obligation is to ensure, to your best extent, a sufficient level of AI literacy — using this particular template is not required by law. Witness does not warrant that filling in this template alone is sufficient to discharge the Article 4 obligation."}},"schema":{"templateName":"Free AI Literacy Plan Template — EU AI Act Article 4","templateDescription":"Editable AI literacy plan template covering the four sections used by the Witness online generator, aligned with Article 4 of Regulation (EU) 2024/1689."}},"questionnaire":{"lockedPreview":{"badge":"Preview only","bannerTitle":"Unlock {tool} with {tier}","bannerDescription":"Upgrade to {tier} (€{price} initial assessment) to fill out and save this questionnaire.","ctaButton":"Upgrade to {tier}","fieldLocked":"Locked — upgrade to edit","footerTitle":"Ready to complete your {tool}?","footerDescription":"Unlock {tier} (€{price} initial assessment) to fill, save and export this questionnaire."}},"docUpload":{"gate":{"badge":"Professional required","title":"Document upload is locked","description":"Upload your existing docs to prefill this tool — available on the Professional tier (€{price} initial assessment).","tooltip":"Document upload is available on the Professional tier","ctaButton":"Upgrade to Professional"}},"toolNames":{"documentation":"Technical Documentation","fria":"Fundamental Rights Impact Assessment","risk_management":"Risk Management System","conformity":"Conformity Assessment","literacy":"AI Literacy Programme","obligation_tracker":"Obligation Tracker"},"obligationTrackerLocked":{"providerTitle":"Provider obligations","deployerTitle":"Deployer obligations"},"countdown":{"label":"Until the EU AI Act applies in full","footnote":"Article 113, Regulation (EU) 2024/1689 — full application from 2 August 2026.","heroPassed":"The EU AI Act is now in full force.","inlineActive":"{days} days until 2 August 2026","inlinePassed":"EU AI Act now in force","inlineLoading":"Loading countdown…","units":{"days":"Days","hours":"Hours","minutes":"Min","seconds":"Sec"}},"getStartedHero":{"eyebrow":"Free classifier · no registration","title":"In 5 minutes, know exactly what the EU AI Act requires of your AI system.","subtitle":"Witness delivers your risk classification, your role (provider or deployer), and the specific articles that apply — with EUR-Lex citations. Free. No email gate.","trust1":"No registration required","trust2":"Every answer cites a specific article","trust3":"Used by SMEs across the EU","trust4":"Deterministic — same inputs, same output"},"about":{"meta":{"title":"About Witness — Self-service EU AI Act compliance","description":"Witness is a self-service platform that classifies your AI system under the EU AI Act and generates audit-ready Annex IV, Article 9, Article 27, and Article 43 documentation."},"heroTitle":"Self-service EU AI Act compliance for European SMEs.","heroSubtitle":"The EU AI Act is in force. Penalties reach €35 million or 7% of global annual turnover under Article 99. Witness is the software that gets you audit-ready.","problemTitle":"The deadline the regulation set.","problemBody":"The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024. Obligations phase in through 2 August 2026, when the full high-risk regime applies. Non-compliance penalties reach €35 million or 7% of worldwide annual turnover under Article 99. For a single SME, preparing Annex IV technical documentation, Article 9 risk management, Article 27 FRIA, and an Article 43 conformity assessment is a substantial body of work — and the regulation was written to protect SMEs, not to price them out.","solutionTitle":"What Witness does.","solutionBody":"Witness is a self-service platform. The classifier determines whether the EU AI Act applies to your system and at what risk tier (prohibited, high-risk, limited-risk, minimal-risk). From the classification, Witness produces audit-ready documentation: Annex IV technical documentation (Art. 11), Risk Management System (Art. 9), Fundamental Rights Impact Assessment (Art. 27), Conformity Assessment (Art. 43), and AI Literacy programme (Art. 4). Every field cites the exact article it is grounded in. Outputs export as PDF, Word, and Excel. One-time initial assessment plus annual maintenance.","ctaPrimary":"Run the classifier","ctaSecondary":"See pricing"},"features":{"meta":{"title":"Features — EU AI Act Compliance Suite","description":"Witness covers every high-risk AI Act obligation an SME needs: classification, Annex IV, Article 9 risk management, Article 27 FRIA, Article 4 literacy, conformity assessment, and a tamper-evident audit trail."},"heroTitle":"Everything the regulation requires. Nothing you don't need.","heroSubtitle":"Nine Annex IV sections. Seven Article 9 risk management sections. Eight Article 27 FRIA sections. Four Article 4 literacy sections. Every field cites the exact article it's grounded in.","modulesTitle":"Compliance modules","module1Title":"AI System Classifier","module1Body":"12 questions. 5 minutes. Returns your risk tier (prohibited, high-risk, limited-risk, minimal-risk), your role (provider or deployer), and the articles that apply — with EUR-Lex citations. Free, no registration.","module1Ref":"Art. 5, 6, Annex III","module2Title":"Annex IV Technical Documentation","module2Body":"Nine sections, generated. Provider-ready. AI prefill from your existing docs. PDF, Word, Excel export. Tamper-evident audit trail on every section.","module2Ref":"Art. 11 + Annex IV","module3Title":"Risk Management System","module3Body":"Seven sections: identification, estimation, mitigation, residual risk, testing, post-market monitoring, vulnerable-group assessment. Full lifecycle documentation.","module3Ref":"Art. 9","module4Title":"Fundamental Rights Impact Assessment","module4Body":"Eight sections. Required for Annex III 5(b) deployers, public authorities, and public-service providers. Governance arrangements and complaint mechanisms included.","module4Ref":"Art. 27","module5Title":"AI Literacy Programme","module5Body":"Enforceable since 2 February 2025. Four sections: organisation overview, training needs, curriculum, compliance documentation. Employee tracker on Team tier.","module5Ref":"Art. 4","module6Title":"Conformity Assessment","module6Body":"Six sections, 51 fields. Self-assessment where permitted (the common case for Annex III systems). Declaration of conformity and CE marking guidance included.","module6Ref":"Art. 43","module7Title":"Role Classifier","module7Body":"Provider or deployer? Or both? Role-shifting detection included — critical when you modify a third-party model or rebrand an AI system.","module7Ref":"Art. 25","module8Title":"Audit Trail","module8Body":"Every classification, every edit, every export. Timestamped, versioned, tamper-evident. Regulators and customers can verify grounds for every claim.","module8Ref":"Art. 12","module9Title":"Academy","module9Body":"Thirteen modules in plain language. 42 quiz questions. Completion certificate. Advanced track gated behind Professional. Employee literacy tracker on Team tier.","module9Ref":"Art. 4","platformTitle":"Platform guarantees","platform1":"Every field maps to a specific Article, Annex entry, or recital","platform2":"Deterministic classifier — same inputs produce the same output","platform3":"EU-hosted (Railway EU-West), EU payment processor (Paddle MoR)","platform4":"Bilingual EN + DE from day one. Every public page has a localised sibling.","platform5":"PDF, Word, and Excel export across every compliance tool","ctaTitle":"Ready to see it in action?","ctaPrimary":"Classify my AI system","ctaSecondary":"See pricing"},"trust":{"meta":{"title":"Trust & Security — Witness","description":"EU-hosted (Railway EU-West), Paddle as Merchant of Record, GDPR-compliant, article-grounded accuracy, tamper-evident audit trail. How Witness keeps your compliance defensible."},"heroTitle":"Defensible answers. Every time.","heroSubtitle":"Witness is the tool your regulator, your auditor, and your customer's procurement team can verify line-by-line.","accuracyTitle":"Legal accuracy is the IP.","accuracyBody":"Every classification question, every compliance field, every obligation maps to a specific Article, Annex entry, or recital of Regulation (EU) 2024/1689. The mapping lives in a single legal knowledge base that is reviewed before any change ships. Witness's classifier is deterministic — two runs with the same inputs produce the same output. No prompt-sampling randomness in the classification logic.","residencyTitle":"Data residency: EU.","residencyBody":"The application and database run on Railway EU-West (Amsterdam). No data crosses the Atlantic. Paddle, our payment processor, is EU-native and handles VAT as Merchant of Record across all 27 Member States.","gdprTitle":"GDPR by design.","gdprBody":"You control your data. Export or delete any record from your account settings. Our Data Processing Agreement is standard-form and available on request. Anonymous classifier runs are session-only with no personal data stored. Authenticated runs are stored under our DPA.","auditTitle":"Tamper-evident audit trail.","auditBody":"Every classification, every edit, every export is timestamped, versioned, and preserved. Confidence scores and article citations travel with every artifact. If a regulator or an auditor challenges a claim, you can reproduce the reasoning chain that produced it.","securityTitle":"Security roadmap.","security1":"SOC 2 Type I: on the roadmap, target completion Q4 2026","security2":"Full-disk encryption at rest, TLS 1.3 in transit","security3":"Magic-link authentication; OTP fallback on the roadmap","security4":"Sentry for runtime error tracking (EU region)","security5":"No third-party trackers. First-party analytics (Umami, EU-hosted) only.","legalTitle":"Legal disclosures.","legalBody":"Full company disclosure is in the Impressum. Payment processor: Paddle (Paddle.com Market Ltd, London) acting as Merchant of Record. Subprocessors listed in the DPA.","notLegalTitle":"What Witness is not.","notLegalBody":"Witness is not legal advice. Witness does not make legal decisions for you — it drafts the work product that a lawyer or compliance officer would otherwise produce by hand, at 1/40th the cost and 1/50th the time. For novel edge cases, litigation, or negotiated exemptions, consult our partner law firms.","linksTitle":"Useful links","linkImpressum":"Impressum","linkPrivacy":"Privacy Policy","linkTerms":"Terms of Service","linkEurLex":"Regulation (EU) 2024/1689 (EUR-Lex)","linkServiceDesk":"EU AI Act Service Desk"},"dpa":{"meta":{"title":"Data Processing Agreement — Witness","description":"Witness Data Processing Agreement (DPA) under GDPR Article 28(3). Controller–processor terms, sub-processor list, security measures, and data-subject-rights assistance."},"version":"Version 1.0 — Effective 2026-04-21","heroTitle":"Data Processing Agreement.","heroSubtitle":"This Data Processing Agreement (\"DPA\") governs the processing of personal data by Parallax Technologies GmbH in Gründung (\"Witness\", \"Processor\") on behalf of the customer (\"Controller\") in connection with the Witness services. It is drafted to satisfy Article 28(3) of Regulation (EU) 2016/679 (\"GDPR\").","incorporationBanner":"This DPA is effective from the date you accept the Witness Terms of Service. It is incorporated by reference into the main agreement between you and Witness. Where the DPA conflicts with the Terms of Service in relation to the processing of personal data, the DPA prevails.","section1":{"title":"Parties","body":"Controller: the customer organisation that opens a Witness account and determines the purposes and means of processing personal data through the service.\n\nProcessor: Parallax Technologies GmbH in Gründung, a company in formation under Austrian law, with its registered seat in Vienna, Austria, operating the Witness platform at witness-compliance.eu. Contact: legal@witness-compliance.eu.\n\nThe Controller and the Processor are individually a \"Party\" and collectively the \"Parties\"."},"section2":{"title":"Subject matter, duration, nature and purpose of processing","body":"Subject matter: processing of personal data necessary to provide the Witness service, including classification of AI systems, generation and storage of compliance artifacts (Annex IV technical documentation, Article 9 risk management records, Article 27 fundamental rights impact assessments, Article 4 AI literacy records), obligation tracking, audit trail maintenance, and account administration.\n\nDuration: for the term of the Controller's subscription to the Witness service and, where expressly requested in writing by the Controller, during a wind-down period of up to thirty (30) days thereafter to permit export.\n\nNature and purpose: the Processor processes personal data solely on documented instructions from the Controller in order to deliver the contractually agreed Witness service and to comply with its obligations under the Terms of Service and this DPA."},"section3":{"title":"Categories of personal data and data subjects","body":"Categories of personal data processed on behalf of the Controller may include: account identifiers (name, business email address, job role); authentication data (hashed credentials, session tokens); organisation data (company name, legal entity information); content submitted by the Controller's users into compliance artifacts (which may reference employees, customers, or third parties named by the Controller); usage metadata (log entries, timestamps, IP addresses); and support communications.\n\nCategories of data subjects: the Controller's employees, contractors, and authorised users of the Witness platform; any natural persons referenced by the Controller in the content of compliance artifacts (e.g. named affected persons in a fundamental rights impact assessment).\n\nThe Controller shall not submit special categories of personal data within the meaning of Article 9 GDPR into free-text fields unless strictly necessary and lawful under the Controller's own legal basis."},"section4":{"title":"Processor obligations","body":"$28"},"section5":{"title":"Sub-processors","body":"The Controller provides general written authorisation for the engagement of the sub-processors listed in the sub-processor section of this DPA. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors by updating the published list at least fourteen (14) days before the change takes effect, thereby giving the Controller the opportunity to object on reasonable data-protection grounds.\n\nWhere the Processor engages a sub-processor, it shall impose the same data protection obligations as set out in this DPA by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Where that sub-processor fails to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of that sub-processor's obligations."},"section6":{"title":"International transfers","body":"$29"},"section7":{"title":"Audit rights","body":"The Processor shall make available to the Controller, upon reasonable written request and no more than once per calendar year (save in the event of a documented suspected breach), information reasonably necessary to demonstrate compliance with this DPA and with Article 28 GDPR. Where the Controller requires further evidence, the Parties shall cooperate in good faith to arrange an audit, which may take the form of: (a) an audit report (e.g. ISO 27001, SOC 2) where available; or (b) a written questionnaire; or (c) an on-site inspection by the Controller or an independent auditor bound by confidentiality, conducted during regular business hours with at least thirty (30) days' prior written notice and in a manner that does not disrupt the Processor's operations or security obligations to other customers. The Controller shall bear the costs of any such audit."},"section8":{"title":"Liability and termination","body":"The liability of each Party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Witness Terms of Service, except that nothing in the Terms of Service or this DPA shall limit either Party's liability to data subjects under Article 82 GDPR or where liability cannot be limited under applicable mandatory law.\n\nThis DPA shall automatically terminate upon termination or expiry of the Terms of Service. Upon termination, the Processor shall, at the Controller's choice, delete or return all personal data processed on behalf of the Controller, and delete existing copies, unless Union or Member State law requires continued storage."},"section9":{"title":"Entry into force and governing law","body":"This DPA enters into force on 21 April 2026 and supersedes any prior data processing terms between the Parties for the Witness service.\n\nThis DPA is governed by the laws of the Republic of Austria, excluding its conflict-of-laws rules and the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for any dispute arising out of or in connection with this DPA is the competent court in Vienna, Austria, to the extent permitted by mandatory consumer protection law."},"subprocessorsTitle":"Sub-processors","subprocessorsIntro":"The following sub-processors are authorised to process personal data on behalf of the Controller in connection with the Witness service. The Processor will update this list at least fourteen (14) days before any material change.","subprocessor1":{"name":"Railway Corp.","role":"Application hosting and managed PostgreSQL — EU-West (Amsterdam)","purpose":"Serves the Witness web application and stores production data inside the EEA. Covered by Standard Contractual Clauses where any residual transfer outside the EEA occurs."},"subprocessor2":{"name":"Paddle.com Market Ltd.","role":"Merchant of Record, billing, VAT and tax administration — United Kingdom (Commission adequacy decision (EU) 2021/1772)","purpose":"Processes payment data, invoicing, and tax for subscriptions and one-time purchases. Paddle acts as independent controller for tax-law purposes and as processor for other billing data. Transfers to the United Kingdom are covered by the European Commission adequacy decision for the United Kingdom (Commission Implementing Decision (EU) 2021/1772 of 28 June 2021)."},"subprocessor3":{"name":"Resend, Inc.","role":"Transactional email delivery","purpose":"Sends transactional emails (magic-link sign-in, account notifications, receipts). Processes recipient email address and message metadata only."},"subprocessor4":{"name":"Anthropic PBC","role":"AI-assisted form guidance and prefill — EU data-residency configuration","purpose":"Processes user-submitted text when the Controller invokes the AI assistant. Configured to use Anthropic's EU data-residency option. Inputs are not used to train Anthropic models."},"subprocessor5":{"name":"Functional Software, Inc. (Sentry)","role":"Error and performance monitoring — EU ingest","purpose":"Receives runtime error reports and performance traces from the Witness application. Configured to use the EU ingest endpoint. Personally identifiable fields are scrubbed at source where technically feasible."},"subprocessor6":{"name":"Umami (self-hosted)","role":"Privacy-friendly product analytics","purpose":"Self-hosted by the Processor on EU infrastructure. Captures aggregated product usage without cookies and without storing IP addresses in plain form."},"downloadTitle":"Download and signed copies","downloadBody":"A downloadable PDF version of this DPA will be published at /legal/witness-dpa-v1.pdf shortly after launch. Customers requiring a counter-signed copy on company letterhead or with negotiated terms may contact legal@witness-compliance.eu — Team-tier and enterprise customers receive a signed version on request."},"refund":{"meta":{"title":"Refund Policy — Witness","description":"Witness refund policy: 14-day right of withdrawal for consumers under the EU Distance Selling Directive, 14-day goodwill refund window for business purchases, and pro-rated refunds on annual maintenance."},"version":"Version 1.0 — Effective 2026-04-21","heroTitle":"Refund Policy.","heroSubtitle":"This policy sets out the terms under which Witness refunds payments for its services. It applies to all purchases made through Paddle, our Merchant of Record, and incorporates the consumer rights granted under the EU Distance Selling Directive (Directive 2011/83/EU).","section1":{"title":"Scope","body":"This policy applies to all Witness tiers — Starter, Professional, and Team — and to the associated annual compliance maintenance fees, purchased through the Witness website via Paddle as Merchant of Record. It does not apply to services rendered by third parties outside the Witness platform (for example, notified-body assessments or independent legal counsel)."},"section2":{"title":"14-day right of withdrawal for consumers","body":"If you purchased Witness as a consumer (a natural person acting outside their trade, business, or profession), you have the right to withdraw from the contract within fourteen (14) days of the purchase date without giving any reason, in accordance with Article 9 of Directive 2011/83/EU. Upon valid withdrawal, Witness will refund all payments received from you, including standard delivery costs, within fourteen (14) days using the same payment method used for the original transaction.\n\nTo exercise your right of withdrawal, email support@witness-compliance.eu with your order ID and a clear statement that you wish to withdraw. You may use the model withdrawal form contained in Annex I(B) of Directive 2011/83/EU, but this is not mandatory.","waiverTitle":"Immediate performance and loss of the right of withdrawal (Art. 16(m) Directive 2011/83/EU)","waiverBody":"Witness supplies digital content that is not delivered on a tangible medium. By clicking \"Start compliance\" or completing checkout for a paid tier, you expressly consent to Witness beginning performance immediately and you expressly acknowledge that you thereby lose your right of withdrawal under Article 16(m) of Directive 2011/83/EU as soon as performance has begun.\n\nPerformance is deemed to have begun at the earlier of: (i) the moment the first compliance document (e.g. Annex IV technical file, Article 9 risk management record, Article 27 fundamental rights impact assessment, or AI literacy record) is generated using your account; or (ii) the moment you first use your account to access any paid feature that is not available on the free tier. Until that point, the 14-day consumer right of withdrawal described above remains available."},"section3":{"title":"14-day goodwill refund for business purchases","body":"If you purchased Witness as a business (legal entity, sole trader, or other organisation acting within its trade or profession), the statutory right of withdrawal does not apply. As a goodwill gesture, Witness offers a refund of the initial tier fee within fourteen (14) days of purchase, provided the service has not been \"substantially used\".\n\n\"Substantially used\" means: more than three (3) compliance documents (e.g. Annex IV technical file, Article 9 risk management record, Article 27 FRIA, AI literacy record) have been generated, exported, or shared; or a certificate or conformity attestation has been issued on the basis of the subscription. After the fourteen-day window, or where the service has been substantially used, business purchases are non-refundable."},"section4":{"title":"Annual compliance maintenance — pro-rated refund","body":"Annual compliance maintenance is charged once per year to keep your account in monitoring mode, to generate updated compliance artifacts when the underlying regulation changes, and to retain access to AI-assisted features and alerting.\n\nIf you cancel within thirty (30) days of a renewal of your annual maintenance, Witness will issue a pro-rated refund for the unused portion of the twelve-month period, calculated on a daily basis. Cancellations after the first thirty days of a renewal period do not qualify for a refund, but the annual maintenance will simply not renew the following year. First-year maintenance is included in the initial tier fee and is not separately refundable."},"section5":{"title":"How to request a refund","body":"Send an email to support@witness-compliance.eu from the email address associated with your account, including: (a) your order ID (visible in the Paddle receipt you received by email); (b) a brief indication of which refund ground you are invoking (14-day consumer withdrawal, 14-day business goodwill, or annual-maintenance pro-rated); and (c) for business purchases, a statement that the service has not been substantially used. No justification is required for consumer withdrawals within the 14-day window."},"section6":{"title":"Processing time","body":"Approved refunds are processed within ten (10) business days through Paddle back to the original payment method. The time it then takes for the refund to appear on your statement depends on your card issuer or bank and is outside Witness's control."},"section7":{"title":"Exceptions and non-refundable items","body":"The following are non-refundable regardless of the above: (a) compliance certificates, conformity attestations, or other work product that has already been issued and delivered to you on the basis of the subscription — these represent performed work that cannot be reclaimed; (b) any third-party costs passed through to you (for example, notified-body fees or external assessor fees) where those amounts have already been paid to the third party; (c) amounts that Witness is required by applicable tax or financial law to retain. These exceptions apply equally to consumers and business customers."},"section8":{"title":"Contact and complaints","body":"Refund requests, questions about this policy, and complaints about its application should be sent to support@witness-compliance.eu. Witness is not obligated to participate in out-of-court dispute resolution but will consider such requests in good faith.","odrIntro":"If we cannot resolve your complaint to your satisfaction, consumers resident in the EU may also make use of the European Commission's Online Dispute Resolution platform at","odrOutro":"."},"contactTitle":"Questions","contactBody":"Questions about this refund policy or a pending request can always be sent to support@witness-compliance.eu. We reply within one business day."},"notFound":{"title":"404 — Page not found.","subtitle":"The page you were looking for isn't here. It may have moved, or the link may be stale. The classifier, the academy, and everything audit-ready is still one click away.","homeCta":"Back to home","classifierCta":"Start the classifier","supportNote":"Still stuck? Email support@witness-compliance.eu and we will get you where you need to go."},"unsubscribe":{"meta":{"title":"Unsubscribe — Witness","description":"Unsubscribe from non-transactional emails from Witness."},"title":"Unsubscribe","subtitle":"You're about to unsubscribe {email} from {category} emails from Witness.","confirmCta":"Confirm unsubscribe","confirmedTitle":"You've been unsubscribed","confirmedBody":"You won't receive {category} emails anymore. You will still receive transactional emails (login links, account notifications).","invalidTitle":"Invalid or expired link","invalidBody":"This unsubscribe link is invalid or has already been used. If you keep receiving unwanted emails, contact support@witness-compliance.eu.","backToHome":"Back to homepage","category":{"invite":"invite","marketing":"marketing","generic":"non-transactional"}}},"now":"$undefined","timeZone":"UTC","children":"$L2a"}]