0003972
REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)
European Union
Regulations
Free
Artificial Intelligence Act
REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)
2024-06-13
0003972
Free
European Union
Regulations
Artificial Intelligence Act
REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act)
2024-06-13
This Authority Document In Depth Report is copyrighted - © 2024 - Network Frontiers LLC. All rights reserved. Copyright in the Authority Document analyzed herein is held by its authors. Network Frontiers makes no claims of copyright in this Authority Document.
This Authority Document In Depth Report is provided for informational purposes only and does not constitute, and should not be construed as, legal advice. The reader is encouraged to consult with an attorney experienced in these areas for further explanation and advice.
This Authority Document In Depth Report provides analysis and guidance for use and implementation of the Authority Document but it is not a substitute for the original authority document itself. Readers should refer to the original authority document as the definitive resource on obligations and compliance requirements.
This document has been mapped into the Unified Compliance Framework using a patented methodology and patented tools (you can research our patents HERE). The mapping team has taken every effort to ensure the quality of mapping is of the highest degree. To learn more about the process we use to map Authority Documents, or to become involved in that process, click HERE.
When the UCF Mapping Teams tag Citations and their associated mandates within an Authority Document, those Citations and Mandates are tied to Common Controls. In addition, and by virtue of those Citations and mandates being tied to Common Controls, there are three sets of meta data that are associated with each Citation; Controls by Impact Zone, Controls by Type, and Controls by Classification.
The online version of the mapping analysis you see here is just a fraction of the work the UCF Mapping Team has done. The downloadable version of this document, available within the Common Controls Hub (available HERE) contains the following:
Document implementation analysis – statistics about the document’s alignment with Common Controls as compared to other Authority Documents and statistics on usage of key terms and non-standard terms.
Citation and Mandate Tagging and Mapping – A complete listing of each and every Citation we found within REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) that have been tagged with their primary and secondary nouns and primary and secondary verbs in three column format. The first column shows the Citation (the marker within the Authority Document that points to where we found the guidance). The second column shows the Citation guidance per se, along with the tagging for the mandate we found within the Citation. The third column shows the Common Control ID that the mandate is linked to, and the final column gives us the Common Control itself.
Dictionary Terms – The dictionary terms listed for REGULATION (EU) 2024/1689 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) are based upon terms either found within the Authority Document’s defined terms section(which most legal documents have), its glossary, and for the most part, as tagged within each mandate. The terms with links are terms that are the standardized version of the term.
Common Controls andAn Impact Zone is a hierarchical way of organizing our suite of Common Controls — it is a taxonomy. The top levels of the UCF hierarchy are called Impact Zones. Common Controls are mapped within the UCF’s Impact Zones and are maintained in a legal hierarchy within that Impact Zone. Each Impact Zone deals with a separate area of policies, standards, and procedures: technology acquisition, physical security, continuity, records management, etc.
The UCF created its taxonomy by looking at the corpus of standards and regulations through the lens of unification and a view toward how the controls impact the organization. Thus, we created a hierarchical structure for each impact zone that takes into account regulatory and standards bodies, doctrines, and language.
Leadership and high level objectives | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | IT Impact Zone | IT Impact Zone | |
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Monitor and Evaluate Occurrences | Preventive | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Quality Management policy. CC ID 13694 [{put in place} Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects: Article 17 1.] | Establish/Maintain Documentation | Preventive | |
| Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Quality management system shall include at least the following aspects: a strategy for ="background-color:#F0BBBC;" class="term_primary-noun">regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system; Article 17 1.(a)] | Establish/Maintain Documentation | Preventive | |
| Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Establish/Maintain Documentation | Preventive | |
| Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Establish/Maintain Documentation | Preventive | |
| Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [Quality management system shall include at least the following aspects: techniques, procedures and systematic actions to be used for the development, quality control and <span style="background-color:#F0BBBC;" class="term_primary-noun">quality assurance of the high-risk AI system; Article 17 1.(c)] | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 [{put in place} Providers of high-risk AI systems shall: have a quality management system in place which complies with Article 17; Article 16 ¶ 1 (c) {put in place} Providers of high-risk AI systems shall put a or:#F0BBBC;" class="term_primary-noun">quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects: Article 17 1.] | Establish/Maintain Documentation | Preventive | |
| Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 [Each notified body shall inform the other notified bodies of: quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued; Article 45 2.(a)] | Communicate | Preventive | |
| Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 [Each notified body shall inform the other notified bodies of: quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has -color:#B7D8ED;" class="term_primary-verb">issued; Article 45 2.(a)] | Communicate | Preventive | |
| Correct errors and deficiencies in a timely manner. CC ID 13501 | Business Processes | Corrective | |
| Include quality objectives in the Quality Management program. CC ID 13693 | Establish/Maintain Documentation | Preventive | |
| Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Monitor and Evaluate Occurrences | Preventive | |
| Include records management in the quality management system. CC ID 15055 | Establish/Maintain Documentation | Preventive | |
| Include risk management in the quality management system. CC ID 15054 [Quality management system shall include at least the following aspects: the risk management system referred to in Article 9; Article 17 1.(g)] | Establish/Maintain Documentation | Preventive | |
| Include data management procedures in the quality management system. CC ID 15052 | Establish/Maintain Documentation | Preventive | |
| Include a post-market monitoring system in the quality management system. CC ID 15027 | Establish/Maintain Documentation | Preventive | |
| Include operational roles and responsibilities in the quality management system. CC ID 15028 | Establish/Maintain Documentation | Preventive | |
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Systems Design, Build, and Implementation | Preventive | |
| Include resource management in the quality management system. CC ID 15026 | Establish/Maintain Documentation | Preventive | |
| Include communication protocols in the quality management system. CC ID 15025 | Establish/Maintain Documentation | Preventive | |
| Include incident reporting procedures in the quality management system. CC ID 15023 | Establish/Maintain Documentation | Preventive | |
| Include technical specifications in the quality management system. CC ID 15021 | Establish/Maintain Documentation | Preventive | |
| Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Establish/Maintain Documentation | Preventive | |
| Include program documentation standards in the Quality Management program. CC ID 01016 | Establish/Maintain Documentation | Preventive | |
| Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Business Processes | Detective | |
| Include program testing standards in the Quality Management program. CC ID 01017 | Establish/Maintain Documentation | Preventive | |
| Review and analyze any quality improvement goals that were missed. CC ID 07204 | Business Processes | Detective | |
| Include system testing standards in the Quality Management program. CC ID 01018 [Quality management system shall include at least the following aspects: techniques, procedures and systematic actions to be used for the design, design control and tyle="background-color:#F0BBBC;" class="term_primary-noun">design verification of the high-risk AI system; Article 17 1.(b) {test procedure} Quality management system shall include at least the following aspects: examination, test and imary-noun">validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out; Article 17 1.(d)] | Establish/Maintain Documentation | Preventive | |
| Include an issue tracking system in the Quality Management program. CC ID 06824 | Systems Design, Build, and Implementation | Preventive | |
Privacy protection for information and data | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Privacy protection for information and data CC ID 00008 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Establish/Maintain Documentation | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Establish/Maintain Documentation | Preventive | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Establish Roles | Preventive | |
| Notify the supervisory authority. CC ID 00472 [Notified bodies shall inform the notifying authority of the following: any refusal, restriction, suspension or withdrawal of a Union background-color:#F0BBBC;" class="term_primary-noun">technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII; Article 45 1.(b)] | Behavior | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Establish/Maintain Documentation | Preventive | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Business Processes | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Communicate | Preventive | |
| Include required information in the approval application. CC ID 16628 | Establish/Maintain Documentation | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Business Processes | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Process or Activity | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Notified bodies shall inform the notifying authority of the following: any circumstances affecting the scope of or F0BBBC;" class="term_primary-noun">conditions for notification; Article 45 1.(c) Notified bodies shall inform the notifying authority of the following: any request for information which they have received from ound-color:#F0BBBC;" class="term_primary-noun">market surveillance authorities regarding conformity assessment activities; Article 45 1.(d) Notified bodies shall inform the notifying authority of the following: on request, conformity assessment activities performed within the le="background-color:#F0BBBC;" class="term_primary-noun">scope of their | Process or Activity | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Communicate | Preventive | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Communicate | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Communicate | Corrective | |
Records management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | TYPE | CLASS | |
|---|---|---|---|
| Records management CC ID 00902 | IT Impact Zone | IT Impact Zone | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Establish/Maintain Documentation | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Establish/Maintain Documentation | Detective | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Process or Activity | Preventive | |
| Retain records in accordance with applicable requirements. CC ID 00968 [The provider shall, for a period ending 10 years after the AI system has been placed on the market or put into service, #B7D8ED;" class="term_primary-verb">keepan> at the disposal of the national competent authorities: the technical documentation referred to in Article 11; Article 18 1.(a)] | Records Management | Preventive | |
Common Controls andEach Common Control is assigned a meta-data type to help you determine the objective of the Control and associated Authority Document mandates aligned with it. These types include behavioral controls, process controls, records management, technical security, configuration management, etc. They are provided as another tool to dissect the Authority Document’s mandates and assign them effectively within your organization.
Behavior | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Notify the supervisory authority. CC ID 00472 [Notified bodies shall inform the notifying authority of the following: any refusal, restriction, suspension or withdrawal of a Union background-color:#F0BBBC;" class="term_primary-noun">technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII; Article 45 1.(b)] | Privacy protection for information and data | Preventive | |
Business Processes | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Corrective | |
| Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Detective | |
| Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Detective | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Preventive | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Preventive | |
Communicate | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 [Each notified body shall inform the other notified bodies of: quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued; Article 45 2.(a)] | Leadership and high level objectives | Preventive | |
| Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 [Each notified body shall inform the other notified bodies of: quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has -color:#B7D8ED;" class="term_primary-verb">issued; Article 45 2.(a)] | Leadership and high level objectives | Preventive | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Preventive | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Preventive | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Preventive | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Corrective | |
Establish Roles | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Preventive | |
Establish/Maintain Documentation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management policy. CC ID 13694 [{put in place} Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects: Article 17 1.] | Leadership and high level objectives | Preventive | |
| Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Quality management system shall include at least the following aspects: a strategy for ="background-color:#F0BBBC;" class="term_primary-noun">regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system; Article 17 1.(a)] | Leadership and high level objectives | Preventive | |
| Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Preventive | |
| Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Preventive | |
| Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [Quality management system shall include at least the following aspects: techniques, procedures and systematic actions to be used for the development, quality control and <span style="background-color:#F0BBBC;" class="term_primary-noun">quality assurance of the high-risk AI system; Article 17 1.(c)] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 [{put in place} Providers of high-risk AI systems shall: have a quality management system in place which complies with Article 17; Article 16 ¶ 1 (c) {put in place} Providers of high-risk AI systems shall put a or:#F0BBBC;" class="term_primary-noun">quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects: Article 17 1.] | Leadership and high level objectives | Preventive | |
| Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Preventive | |
| Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Preventive | |
| Include risk management in the quality management system. CC ID 15054 [Quality management system shall include at least the following aspects: the risk management system referred to in Article 9; Article 17 1.(g)] | Leadership and high level objectives | Preventive | |
| Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Preventive | |
| Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Preventive | |
| Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Preventive | |
| Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Preventive | |
| Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Preventive | |
| Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Preventive | |
| Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Preventive | |
| Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Preventive | |
| Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Preventive | |
| Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Preventive | |
| Include system testing standards in the Quality Management program. CC ID 01018 [Quality management system shall include at least the following aspects: techniques, procedures and systematic actions to be used for the design, design control and tyle="background-color:#F0BBBC;" class="term_primary-noun">design verification of the high-risk AI system; Article 17 1.(b) {test procedure} Quality management system shall include at least the following aspects: examination, test and imary-noun">validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out; Article 17 1.(d)] | Leadership and high level objectives | Preventive | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Preventive | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Detective | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Preventive | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Preventive | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Preventive | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Monitor and Evaluate Occurrences | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Preventive | |
| Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Preventive | |
Process or Activity | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Preventive | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Preventive | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Notified bodies shall inform the notifying authority of the following: any circumstances affecting the scope of or F0BBBC;" class="term_primary-noun">conditions for notification; Article 45 1.(c) Notified bodies shall inform the notifying authority of the following: any request for information which they have received from ound-color:#F0BBBC;" class="term_primary-noun">market surveillance authorities regarding conformity assessment activities; Article 45 1.(d) Notified bodies shall inform the notifying authority of the following: on request, conformity assessment activities performed within the le="background-color:#F0BBBC;" class="term_primary-noun">scope of their | Privacy protection for information and data | Preventive | |
Records Management | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Retain records in accordance with applicable requirements. CC ID 00968 [The provider shall, for a period ending 10 years after the AI system has been placed on the market or put into service, #B7D8ED;" class="term_primary-verb">keepan> at the disposal of the national competent authorities: the technical documentation referred to in Article 11; Article 18 1.(a)] | Records management | Preventive | |
Systems Design, Build, and Implementation | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | CLASS | |
|---|---|---|---|
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Preventive | |
| Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Preventive | |
Common Controls andThere are three types of Common Control classifications; corrective, detective, and preventive. Common Controls at the top level have the default assignment of Impact Zone.
Corrective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Correct errors and deficiencies in a timely manner. CC ID 13501 | Leadership and high level objectives | Business Processes | |
| Include any reasons for delay if notifying the supervisory authority after the time limit. CC ID 12675 | Privacy protection for information and data | Communicate | |
Detective | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Establish and maintain time frames for correcting deficiencies found during Quality Control. CC ID 07206 | Leadership and high level objectives | Business Processes | |
| Review and analyze any quality improvement goals that were missed. CC ID 07204 | Leadership and high level objectives | Business Processes | |
| Define each system's preservation requirements for records and logs. CC ID 00904 | Records management | Establish/Maintain Documentation | |
IT Impact Zone | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Leadership and high level objectives CC ID 00597 | Leadership and high level objectives | IT Impact Zone | |
| Records management CC ID 00902 | Records management | IT Impact Zone | |
| Privacy protection for information and data CC ID 00008 | Privacy protection for information and data | IT Impact Zone | |
Preventive | KEY: Primary Verb Primary Noun Secondary Verb Secondary Noun Limiting Term | |||
| Mandated - bold Implied - italic Implementation - regular | IMPACT ZONE | TYPE | |
|---|---|---|---|
| Analyze organizational objectives, functions, and activities. CC ID 00598 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Establish, implement, and maintain a Quality Management framework. CC ID 07196 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Quality Management policy. CC ID 13694 [{put in place} Providers of high-risk AI systems shall put a quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects: Article 17 1.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a commitment to satisfy applicable requirements in the Quality Management policy. CC ID 13700 [Quality management system shall include at least the following aspects: a strategy for ="background-color:#F0BBBC;" class="term_primary-noun">regulatory compliance, including compliance with conformity assessment procedures and procedures for the management of modifications to the high-risk AI system; Article 17 1.(a)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Tailor the Quality Management policy to support the organization's strategic direction. CC ID 13699 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a commitment to continual improvement of the Quality Management system in the Quality Management policy. CC ID 13698 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Quality Management standard. CC ID 01006 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the measurements used by Quality Assurance and Quality Control testing. CC ID 07200 [Quality management system shall include at least the following aspects: techniques, procedures and systematic actions to be used for the development, quality control and <span style="background-color:#F0BBBC;" class="term_primary-noun">quality assurance of the high-risk AI system; Article 17 1.(c)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Establish, implement, and maintain a Quality Management program. CC ID 07201 [{put in place} Providers of high-risk AI systems shall: have a quality management system in place which complies with Article 17; Article 16 ¶ 1 (c) {put in place} Providers of high-risk AI systems shall put a or:#F0BBBC;" class="term_primary-noun">quality management system in place that ensures compliance with this Regulation. That system shall be documented in a systematic and orderly manner in the form of written policies, procedures and instructions, and shall include at least the following aspects: Article 17 1.] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Notify affected parties and interested personnel of quality management system approvals that have been refused, suspended, or withdrawn. CC ID 15045 [Each notified body shall inform the other notified bodies of: quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has issued; Article 45 2.(a)] | Leadership and high level objectives | Communicate | |
| Notify affected parties and interested personnel of quality management system approvals that have been issued. CC ID 15036 [Each notified body shall inform the other notified bodies of: quality management system approvals which it has refused, suspended or withdrawn, and, upon request, of quality system approvals which it has -color:#B7D8ED;" class="term_primary-verb">issued; Article 45 2.(a)] | Leadership and high level objectives | Communicate | |
| Include quality objectives in the Quality Management program. CC ID 13693 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include monitoring and analysis capabilities in the quality management program. CC ID 17153 | Leadership and high level objectives | Monitor and Evaluate Occurrences | |
| Include records management in the quality management system. CC ID 15055 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include risk management in the quality management system. CC ID 15054 [Quality management system shall include at least the following aspects: the risk management system referred to in Article 9; Article 17 1.(g)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include data management procedures in the quality management system. CC ID 15052 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include a post-market monitoring system in the quality management system. CC ID 15027 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include operational roles and responsibilities in the quality management system. CC ID 15028 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include quality gates and testing milestones in the Quality Management program. CC ID 06825 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
| Include resource management in the quality management system. CC ID 15026 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include communication protocols in the quality management system. CC ID 15025 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include incident reporting procedures in the quality management system. CC ID 15023 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include technical specifications in the quality management system. CC ID 15021 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Document the deficiencies in a deficiency report that were found during Quality Control and corrected during Quality Improvement. CC ID 07203 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include program documentation standards in the Quality Management program. CC ID 01016 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include program testing standards in the Quality Management program. CC ID 01017 | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include system testing standards in the Quality Management program. CC ID 01018 [Quality management system shall include at least the following aspects: techniques, procedures and systematic actions to be used for the design, design control and tyle="background-color:#F0BBBC;" class="term_primary-noun">design verification of the high-risk AI system; Article 17 1.(b) {test procedure} Quality management system shall include at least the following aspects: examination, test and imary-noun">validation procedures to be carried out before, during and after the development of the high-risk AI system, and the frequency with which they have to be carried out; Article 17 1.(d)] | Leadership and high level objectives | Establish/Maintain Documentation | |
| Include an issue tracking system in the Quality Management program. CC ID 06824 | Leadership and high level objectives | Systems Design, Build, and Implementation | |
| Establish, implement, and maintain records management policies. CC ID 00903 | Records management | Establish/Maintain Documentation | |
| Determine how long to keep records and logs before disposing them. CC ID 11661 | Records management | Process or Activity | |
| Retain records in accordance with applicable requirements. CC ID 00968 [The provider shall, for a period ending 10 years after the AI system has been placed on the market or put into service, #B7D8ED;" class="term_primary-verb">keepan> at the disposal of the national competent authorities: the technical documentation referred to in Article 11; Article 18 1.(a)] | Records management | Records Management | |
| Establish, implement, and maintain a privacy framework that protects restricted data. CC ID 11850 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Establish, implement, and maintain a personal data accountability program. CC ID 13432 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Require data controllers to be accountable for their actions. CC ID 00470 | Privacy protection for information and data | Establish Roles | |
| Notify the supervisory authority. CC ID 00472 [Notified bodies shall inform the notifying authority of the following: any refusal, restriction, suspension or withdrawal of a Union background-color:#F0BBBC;" class="term_primary-noun">technical documentation assessment certificate or a quality management system approval issued in accordance with the requirements of Annex VII; Article 45 1.(b)] | Privacy protection for information and data | Behavior | |
| Establish, implement, and maintain approval applications. CC ID 16778 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Define the requirements for approving or denying approval applications. CC ID 16780 | Privacy protection for information and data | Business Processes | |
| Submit approval applications to the supervisory authority. CC ID 16627 | Privacy protection for information and data | Communicate | |
| Include required information in the approval application. CC ID 16628 | Privacy protection for information and data | Establish/Maintain Documentation | |
| Extend the time limit for approving or denying approval applications. CC ID 16779 | Privacy protection for information and data | Business Processes | |
| Approve the approval application unless applicant has been convicted. CC ID 16603 | Privacy protection for information and data | Process or Activity | |
| Provide the supervisory authority with any information requested by the supervisory authority. CC ID 12606 [Notified bodies shall inform the notifying authority of the following: any circumstances affecting the scope of or F0BBBC;" class="term_primary-noun">conditions for notification; Article 45 1.(c) Notified bodies shall inform the notifying authority of the following: any request for information which they have received from ound-color:#F0BBBC;" class="term_primary-noun">market surveillance authorities regarding conformity assessment activities; Article 45 1.(d) Notified bodies shall inform the notifying authority of the following: on request, conformity assessment activities performed within the le="background-color:#F0BBBC;" class="term_primary-noun">scope of their | Privacy protection for information and data | Process or Activity | |
| Notify the supervisory authority of the safeguards employed to protect the data subject's rights. CC ID 12605 | Privacy protection for information and data | Communicate | |
| Respond to questions about submissions in a timely manner. CC ID 16930 | Privacy protection for information and data | Communicate | |