Regulatory terms — every clause, every control, across 24 frameworks.
760 terms (438 clauses + 322 controls) and 97 crosswalk edges, generated from the canonical @regunav/frameworks registry. Every entry links to the source authority. Filter by framework, kind, or free-text.
- APPI_JAPAN · clause · Art. 17 · mandatory
Specification of utilisation purpose
A PIHBO shall, when handling personal information, specify the purpose of utilisation as explicitly as possible. The PIHBO shall not change the utilisation purpose beyond the scope reasonably recognised as having relevance to the originally specified purpose.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 171 · mandatory
Extraterritorial application + enforcement
The PPC's reporting + on-site-inspection + recommendation + order powers (Art. 143-148) apply to a PIHBO in a foreign country that handles personal information of an individual in Japan acquired in connection with providing goods or services to that individual. The PPC may share information with foreign authorities to facilitate enforcement (Art. 172).
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 178-179 · mandatory
Penalties + administrative fines
Penalties include: failure to comply with a PPC order (Art. 178) — up to 1 year imprisonment OR a fine up to JPY 1 million for the responsible person; provision or theft of a personal-information database for unjust purposes (Art. 179) — up to 1 year imprisonment OR a fine up to JPY 500,000. Doubled-liability for legal persons: up to JPY 100 million for failure to comply with a PPC order or for unjust provision of a personal-information database (Art. 184). False reports / non-cooperation with PPC inspection: fines up to JPY 500,000.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 18 · mandatory
Restriction by utilisation purpose
A PIHBO shall not handle personal information beyond the scope necessary to achieve the utilisation purpose specified under Art. 17, without obtaining the prior consent of the individual, except where based on laws and regulations, urgent need to protect life/body/property, particularly necessary to improve public health or promote sound nurture of children, or cooperation with State organs, etc.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 19 · mandatory
Inappropriate use prohibition
A PIHBO shall not handle personal information by means that may foster or induce illegal or improper acts.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 2 · mandatory
Definitions — personal information, retained personal data, special-care, pseudonymous, anonymous
Defines: personal information (information about a living individual identifying them, including by combination, and individual-identification codes); retained personal data (personal data the PIHBO has authority to disclose/correct/suspend); special-care-required personal information (race, creed, social status, medical history, criminal record, victim-of-crime status and similar facts requiring particular care); pseudonymously-processed information (information that cannot identify a specific individual without other information); anonymously-processed information (information that cannot identify a specific individual and that cannot be restored).
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 20 · mandatory
Proper acquisition + special-care-required PI consent
A PIHBO shall not acquire personal information by deception or other improper means. A PIHBO shall not acquire special-care-required personal information (Art. 2(3)) without the prior consent of the individual, except for the limited cases prescribed by the Act (laws and regulations, life/body/property urgency, public health, sound-nurture of children, cooperation with State organs, public disclosure by the individual or by State organ / academic-research / press, etc.).
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 21 · mandatory
Notice or public announcement of utilisation purpose
A PIHBO shall, when acquiring personal information, promptly notify the individual of the utilisation purpose or publicly announce it (e.g., on the PIHBO's website). For information acquired directly in writing from the individual, the utilisation purpose shall be expressly indicated in advance — except for the prescribed exemptions (urgency, harm to the individual, harm to the PIHBO's rights, cooperation with State organs, etc.).
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 23 · mandatory
Security control measures
A PIHBO shall take necessary and appropriate measures to prevent the leakage, loss or damage of personal data, and otherwise for security control of personal data. The PPC Guidelines elaborate the four pillars: organisational security (responsibilities, rules, audit), human security (training, NDA), physical security (premises, devices), and technical security (access control, encryption, monitoring, transfer protection).
crosswalks: GDPR · Art. 32
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 24-25 · mandatory
Supervision of employees + entrusted parties
Art. 24: A PIHBO shall exercise necessary and appropriate supervision over its employees handling personal data. Art. 25: Where handling of personal data is entrusted (e.g., to a processor or cloud provider) in whole or in part, the PIHBO shall exercise necessary and appropriate supervision over the entrustee to ensure security control of personal data.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 26 · mandatory
Reporting + notification of leakage etc.
A PIHBO shall, where a leakage, loss, damage or other situation prescribed by the Rules of the PPC occurs in respect of personal data, report the matter to the PPC AND notify the affected individuals (or publicly announce when notification to individuals is difficult and alternative measures are taken). The Rules specify the reportable categories: leakage involving special-care-required PI; leakage that may cause property damage by improper use; leakage by intentional wrongdoing; leakage involving more than 1,000 individuals. A preliminary report within 3-5 days and a final report within 30 days (60 days for intentional wrongdoing) are required.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 27 · mandatory
Restriction on provision of personal data to a third party
A PIHBO shall not provide personal data to a third party without the prior consent of the individual, except for: (i) provision based on laws and regulations; (ii) urgent need to protect life/body/property; (iii) particularly necessary to improve public health or promote sound nurture of children; (iv) cooperation with State organs; (v) academic-research exemptions; and (vi) the opt-out provision regime under Art. 27(2) (subject to advance PPC notification + public announcement — and excluded for special-care-required PI, illegally-acquired PI and personal-related-information-derived PI). Joint-use, entrustment, and business-succession scenarios are not 'third-party provision' (Art. 27(5)).
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 28 · mandatory
Provision to a third party in a foreign country
A PIHBO shall, when providing personal data to a third party in a foreign country (other than a country recognised by PPC Rules as having a personal-information-protection system equivalent to Japan's — currently the EEA and the UK — and other than a recipient with continuous-equivalent-protection measures under PPC Rules), obtain prior consent of the individual to the foreign-transfer AND provide the individual in advance with information on (i) the name of the country, (ii) the personal-information-protection system of that country and (iii) the measures taken by the recipient. Where the recipient has continuous-equivalent-protection measures, the PIHBO shall take measures necessary to ensure their continued implementation and respond to inquiries from the individual.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 29-30 · mandatory
Recording obligation on provider + recipient of third-party provision
Art. 29: A PIHBO providing personal data to a third party shall record the date, the recipient, and the items provided. Art. 30: A PIHBO receiving personal data from a third party shall confirm the provider's identity and the circumstances of acquisition, and record the same. Records are retained for 1-3 years, as specified by the PPC Rules.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 31 · mandatory
Personal-related information — third-party provision
Where a PIHBO provides personal-related information (information that is not 'personal information' to the PIHBO — e.g., cookie identifiers, terminal identifiers, browsing history — but that the recipient is expected to acquire as personal data when combined with its own data) to a third party, the PIHBO shall confirm that the recipient has obtained the individual's consent to receive it as personal data, and shall record the confirmation. The foreign-transfer-disclosure rules of Art. 28 apply.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 32-39 · mandatory
Rights of individuals — disclosure, correction, suspension
Individuals have the right to request, in relation to retained personal data: (Art. 32) disclosure of the utilisation purpose; (Art. 33) disclosure of the retained data itself — including electromagnetic-record disclosure at the individual's choice; (Art. 34) correction, addition or deletion where the data is not correct; (Art. 35) suspension of utilisation or deletion where the data is handled in violation of Art. 18 / 19 / 20 / 27 / 28, OR where the PIHBO no longer needs the data, OR where a leakage situation under Art. 26 has occurred, OR where the handling may infringe the rights or legitimate interests of the individual; (Art. 36) cessation of third-party provision; (Art. 37) procedures for receiving requests; (Art. 38) charges for disclosure (within a reasonable range); (Art. 39) preceding-pursuit court-action requirement.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · clause · Art. 41-42
Pseudonymously-processed information regime
Personal information processed in accordance with PPC-Rule-specified standards such that the individual cannot be identified unless combined with other information. PIHBOs handling pseudonymously-processed information are: relieved from Art. 17(2) purpose-change restriction, Art. 26 reporting/notification, and Art. 32-39 rights — provided the deletion-information + processing-method are not disclosed, the data is not used to identify the individual, and the data is not provided to third parties (except for entrustment / joint-use). Art. 42 governs anonymously-processed information (匿名加工情報): publicly disclose categories + provision method; do not collate with other information to re-identify.
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-3RD-001 · high
Third-party provision + opt-out regime (Art. 27)
Default rule: no third-party provision without prior consent. Where the opt-out regime is used, prior PPC notification + public announcement of the prescribed items; opt-out excluded for special-care PI, illegally-acquired PI and personal-related-information-derived PI. Joint-use / entrustment / business-succession exemption flows documented separately.
policy · procedure · contract · configuration
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-ACQ-001 · high
Proper acquisition + special-care consent (Art. 19-20)
No deceptive or improper acquisition; explicit prior consent captured before acquiring special-care-required PI (race, creed, social status, medical, criminal record, victim status, etc.); exemption analysis recorded where consent is not relied upon.
procedure · log · attestation · screenshot
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-BREACH-001 · high
Leakage reporting + individual notification (Art. 26)
Documented procedure to assess every leakage / loss / damage event against the four PPC reportable categories (special-care PI; property-damage risk; intentional wrongdoing; >1,000 individuals). Preliminary report to the PPC within 3-5 days, final report within 30 days (60 for intentional wrongdoing); individual notification or substitute public announcement.
procedure · incident_record · report · attestation
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-ENF-001 · high
PPC-enforcement + penalty exposure (Art. 171, 178-179, 184)
Risk register reflects: extraterritorial PPC reporting + inspection + recommendation + order powers; criminal-liability schedule (up to 1 year + JPY 1m responsible-person / JPY 100m legal-person for PPC-order violation; up to JPY 500k / 1 year for unjust database provision); cross-border PPC enforcement-cooperation.
report · attestation · policy
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-NOTICE-001 · high
Utilisation-purpose notice / announcement (Art. 21)
Notice or public announcement of the utilisation purpose for all acquired personal information; in-writing acquisitions display the purpose in advance; updates on purpose-change.
policy · screenshot · report
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-PSEUDO-001 · limited
Pseudonymous + anonymous information regimes (Art. 41-42)
Where pseudonymously-processed information is used, the PPC-Rule processing standard is applied; deletion-info + processing-method protected; no third-party provision (except entrustment / joint-use); no re-identification attempts. Where anonymously-processed information is used, categories + provision method publicly disclosed; collation prohibited.
procedure · report · configuration · attestation
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-PURP-001 · high
Utilisation-purpose specification + restriction (Art. 17-18)
Every processing activity has an explicit utilisation purpose recorded; handling outside that purpose requires either an Art. 18(3) exemption OR fresh consent; purpose-change limited to scope reasonably related to the original.
policy · procedure · attestation · configuration
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-REC-001 · high
Provider + recipient recording (Art. 29-30) + personal-related info confirmation (Art. 31)
Records of every third-party provision (date, recipient, items) on the provider side; records of recipient identity + acquisition circumstances on the recipient side; retention for the PPC-Rule-specified period (1-3 years). For personal-related-information transfers, confirm + record that the recipient has obtained the individual's consent to receive as personal data.
log · procedure · report · configuration
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-RIGHTS-001 · high
Individual-rights workflow (Art. 32-39)
Documented intake + identity-verification + fulfilment workflow for disclosure (with electromagnetic-record-format choice), correction, suspension of utilisation, suspension of third-party provision, and utilisation-purpose disclosure; reasonable charges; reasons given on refusal; preceding-pursuit-letter step for litigation.
procedure · log · report · screenshot
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-SEC-001 · high
Four-pillar security control measures (Art. 23)
Organisational (responsibility assignment, rules, audit), human (training, NDA), physical (premises, devices, media), and technical (access control, encryption-at-rest + in-transit, log monitoring) security control measures aligned with the PPC Guidelines; periodic review.
policy · procedure · configuration · attestation
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-SUPER-001 · high
Supervision of employees + entrusted parties (Art. 24-25)
Documented supervision of employees handling personal data (training, monitoring, sanctions); written-contract + due-diligence + audit-right + breach-reporting obligation for every entrusted party (sub-processor cascade addressed).
policy · procedure · contract · training_record
https://www.ppc.go.jp/en/legal/

- APPI_JAPAN · control · APPI-XBORDER-001 · high
Foreign-country transfer + enhanced disclosure (Art. 28)
For every foreign-country provision, classify the destination: (i) PPC-recognised equivalent country (EEA / UK) — no extra consent; (ii) recipient with continuous-equivalent-protection measures — ongoing supervision + inquiry-response; (iii) other countries — prior consent + advance disclosure of country name + protection system + recipient measures.
contract · procedure · screenshot · attestation
https://www.ppc.go.jp/en/legal/

- CCPA · clause · §1798.100 · mandatory
Right to know about personal information collected (general)
A consumer shall have the right to request that a business that collects a consumer's personal information disclose to that consumer the categories and specific pieces of personal information the business has collected, sold or shared about that consumer. The business shall provide the information in a portable and, to the extent technically feasible, readily useable format. The business shall not retain personal information for longer than is reasonably necessary for the disclosed purpose.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.105 · mandatory
Right to delete personal information
A consumer shall have the right to request that a business delete any personal information about the consumer which the business has collected from the consumer. The business shall direct any service providers, contractors or third parties to delete the consumer's personal information from their records, and shall notify all third parties to whom the business has sold or shared the consumer's personal information to delete it.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.106 · mandatory
Right to correct inaccurate personal information
A consumer shall have the right to request a business that maintains inaccurate personal information about the consumer to correct that inaccurate personal information, taking into account the nature of the personal information and the purposes of the processing.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.110 · mandatory
Right to know — categories + specific pieces collected
A consumer shall have the right to request that a business that collects personal information about the consumer disclose: the categories of personal information collected; the categories of sources; the business or commercial purpose for collecting/selling/sharing; the categories of third parties with whom the business shares; the specific pieces of personal information collected.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.115 · mandatory
Right to know — sale + sharing disclosures
A consumer shall have the right to request that a business that sells or shares the consumer's personal information, or that discloses it for a business purpose, disclose to the consumer: the categories of personal information sold/shared/disclosed; the categories of third parties to whom each category was sold/shared/disclosed.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.120 · mandatory
Right to opt-out of sale or sharing
A consumer shall have the right, at any time, to direct a business that sells or shares personal information about the consumer to third parties not to sell or share the consumer's personal information. This right is referred to as the 'right to opt-out of sale or sharing'. Businesses shall honour an opt-out preference signal (Global Privacy Control / GPC).
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.121 · mandatory
Right to limit use + disclosure of sensitive personal information
A consumer shall have the right, at any time, to direct a business that collects sensitive personal information about the consumer to limit its use of the consumer's sensitive personal information to that use which is necessary to perform the services or provide the goods reasonably expected by an average consumer who requests such goods or services.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.125 · mandatory
Right to non-discrimination for exercising rights
A business shall not discriminate against a consumer because the consumer exercised any of the rights conferred by this title — including by denying goods/services, charging different prices, providing a different level of quality, or suggesting that the consumer will receive a different price/quality. Permits financial-incentive programmes that are reasonably related to the value provided to the business by the consumer's data.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.130 · mandatory
Notice + disclosure requirements
A business shall, in a form that is reasonably accessible to consumers: provide two or more designated methods for submitting requests for information; disclose + deliver the required information to a consumer free of charge, correct inaccurate personal information, or delete a consumer's personal information within 45 days of receiving the request (with a one-time 45-day extension allowed when reasonably necessary). Update privacy policy at least once every 12 months.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.135 · mandatory
Methods — 'Do Not Sell or Share' + 'Limit the Use of My Sensitive PI'
Where a business sells or shares consumers' personal information, the business shall provide a clear and conspicuous link on the business's internet homepages, titled 'Do Not Sell or Share My Personal Information'. Where a business uses or discloses sensitive personal information for purposes other than those set forth in §1798.121(a), the business shall provide a clear and conspicuous link, titled 'Limit the Use of My Sensitive Personal Information'.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.140 · mandatory
Definitions
Defines 'personal information', 'sensitive personal information', 'business', 'service provider', 'contractor', 'third party', 'sell', 'share' (for cross-context behavioural advertising), 'business purpose', 'commercial purpose', 'consumer', 'cross-context behavioural advertising', 'deidentified', 'aggregate consumer information', 'verifiable consumer request', 'minor'.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.140(ag) · mandatory
Service provider + contractor contractual requirements
A service provider or contractor is any entity that processes personal information on behalf of a business pursuant to a written contract that prohibits the entity from selling/sharing the personal information; retaining/using/disclosing the personal information for any purpose other than for the business purposes specified; retaining/using/disclosing the information outside of the direct business relationship; combining the personal information with personal information from other sources.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.145 · mandatory
Exemptions + interactions with other laws
Sets out exemptions including: medical information governed by CMIA; protected health information collected by a covered entity or business associate subject to HIPAA; personal information collected, processed, sold or disclosed pursuant to specific federal laws (GLBA, FCRA, Driver's Privacy Protection Act); personal information collected by a business about a natural person in the course of the person acting as an employee, owner, director, officer, medical staff, contractor or agent.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.150 · mandatory
Private right of action for certain data breaches
A consumer whose nonencrypted and nonredacted personal information (as defined in §1798.81.5) is subject to an unauthorised access and exfiltration, theft or disclosure as a result of the business's violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information may institute a civil action for statutory damages in an amount not less than $100 and not greater than $750 per consumer per incident or actual damages, whichever is greater, plus injunctive relief.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.155 · mandatory
Civil penalties (AG + CPPA enforcement)
Any business, service provider, contractor, or other person that violates this title shall be subject to an injunction and liable for an administrative fine of not more than $2,500 for each violation or $7,500 for each intentional violation and violations involving the personal information of consumers known to be less than 16 years of age, which shall be assessed and recovered in a civil action brought in the name of the people of the State of California by the Attorney General or in an administrative enforcement action by the California Privacy Protection Agency.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.185 · mandatory
CPPA rulemaking + automated decision-making + risk assessments + cybersecurity audits
The CPPA shall adopt regulations governing access + opt-out rights for businesses' use of automated decision-making technology (ADMT), mandatory annual cybersecurity audits for businesses whose processing presents significant risk to consumer privacy/security, and risk assessments for processing that presents significant risk to consumer privacy/security. Final CPPA regulations on ADMT, risk assessments + cybersecurity audits are expected to be effective in 2025-2026.
https://oag.ca.gov/privacy/ccpa

- CCPA · clause · §1798.199 · mandatory
California Privacy Protection Agency (CPPA)
Establishes the California Privacy Protection Agency, an independent state agency, with full administrative power to implement and enforce the title. Includes a five-member board, rule-making authority, investigative and audit powers, and the authority to issue administrative fines.
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-ADMT-001 · high
Automated decision-making transparency + opt-out (CPPA reg.)
Tracking of CPPA's rulemaking on automated decision-making technology (§1798.185(a)(15)-(16)); pre-deployment readiness for the access + opt-out requirements once final regulations take effect (expected 2025-2026).
report · procedure · attestation
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-CHILDREN-001 · high
Minors handling (under-16 opt-in)
Affirmative opt-in for sale/share of personal information of consumers known to be under 16, with parental consent required for those under 13; suppression of opt-in defaults; record retention. Heightened civil penalty exposure for violations involving minors.
procedure · log · screenshot · report
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-DEF-001 · high
PI/SPI classification + scoping
Per-system classification of personal information against the §1798.140 definitions, with attention to sensitive personal information categories (precise geolocation, racial/ethnic origin, religious beliefs, union membership, genetic data, biometric data, health, sex life, citizenship/immigration status, communications contents). Drives applicable consumer-rights workflows.
report · configuration · procedure · attestation
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-ENF-001 · limited
Enforcement-risk awareness (CPPA + AG)
Risk register includes administrative fine exposure ($2,500 / violation; $7,500 / intentional violation or violation involving minors), private right of action statutory damages, injunctive relief. Includes monitoring of CPPA enforcement actions and rulings.
report · attestation · policy
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-EXEMPT-001 · limited
Exemption tracking
Documentation tracking which data sets are exempt under §1798.145 (CMIA, HIPAA, GLBA, FCRA, employee/B2B carve-outs as applicable in the year covered), with the basis + the data flow.
report · attestation · policy
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-NONDISC-001 · limited
Non-discrimination + financial-incentive governance
Operational controls that prevent discriminatory treatment of consumers who exercise CCPA rights; documented basis (reasonably related to the value provided to the business by the consumer's data) for any financial-incentive programme.
policy · procedure · report · attestation
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-NOTICE-001 · high
Notice at Collection + privacy-policy refresh
Notice at collection delivered at or before the point of collection covering categories of PI/SPI collected, purposes, retention period, whether PI is sold or shared, consumer rights. Privacy policy refreshed at least every 12 months. Maps §1798.100 + §1798.130.
screenshot · policy · report
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-OPT-001 · high
Opt-out of sale/sharing + GPC honouring
Clear and conspicuous 'Do Not Sell or Share My Personal Information' link on every homepage; honour Global Privacy Control (GPC) browser/device signal; downstream notification to recipients; record of opt-outs retained.
screenshot · configuration · log · report
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-RIGHTS-001 · high
Consumer-rights intake + 45-day fulfilment workflow
Documented intake + identity-verification + fulfilment workflow for the right to know (§1798.100/§1798.110/§1798.115), right to delete (§1798.105), right to correct (§1798.106), with a 45-day SLA + one 45-day extension. Communicates downstream-deletion requests to service providers/contractors/third parties.
procedure · log · report · attestation
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-RISK-AUDIT-001 · high
Risk assessment + cybersecurity audit (CPPA reg.)
Risk-assessment programme for processing that presents significant risk to consumer privacy/security; annual cybersecurity-audit programme. Both required by CPPA regulations issued under §1798.185(a)(14)-(15), expected effective 2025-2026.
report · procedure · attestation
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-SEC-001 · high
Reasonable security procedures (§1798.150)
Implementation + maintenance of reasonable security procedures and practices appropriate to the nature of the personal information (encryption + access control + monitoring + incident response). Reduces exposure to the private right of action for statutory damages ($100-$750 per consumer per incident).
configuration · report · procedure · attestation
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-SP-001 · high
Service-provider + contractor + third-party contracts
Written contracts with every service provider/contractor that satisfy §1798.140(ag): prohibit sale/share, restrict use to specified business purpose, prohibit cross-context combination, audit + cooperation rights; distinct treatment for third parties + downstream-notification obligations.
contract · report · procedure · attestation
https://oag.ca.gov/privacy/ccpa

- CCPA · control · CCPA-SPI-001 · high
Limit-Use-of-Sensitive-PI mechanism
Clear and conspicuous 'Limit the Use of My Sensitive Personal Information' link on every homepage where SPI is processed beyond reasonably-expected purposes; honour the consumer's preference; record retained.
screenshot · configuration · log · report
https://oag.ca.gov/privacy/ccpa

- DORA · clause · Art. 10 · mandatory
Detection
Financial entities shall have in place mechanisms to promptly detect anomalous activities, including ICT network performance issues and ICT-related incidents, and identify potential material single points of failure. Detection mechanisms shall be tested on a regular basis.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj

- DORA · clause · Art. 11 · mandatory
Response and recovery
Financial entities shall put in place a comprehensive ICT business continuity policy, response and recovery plans, including arrangements for backup, restoration and recovery, and shall periodically test those plans. Recovery time and recovery point objectives shall be set out per critical or important function.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj

- DORA · clause · Art. 12 · mandatory
Backup policies and procedures, restoration and recovery procedures and methods
Financial entities shall develop, document and implement backup policies and procedures specifying the scope of data subject to backup, the minimum frequency, based on the criticality of the information or the confidentiality level of the data, and recovery procedures including the test of restored data.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj

- DORA · clause · Art. 13 · mandatory
Learning and evolving
Financial entities shall have capabilities and staff to gather information on vulnerabilities, cyber threats and ICT-related incidents, particularly cyber-attacks, and analyse their likely impact on their digital operational resilience. Post-incident reviews shall examine causes of disruption and identify required improvements.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 14 · mandatory
Communication
Financial entities shall have crisis-communication plans enabling responsible disclosure of major ICT-related incidents or vulnerabilities to clients and counterparts as well as to the public, as appropriate, with clear responsibilities and approval procedures.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 17 · mandatory
ICT-related incident management process
Financial entities shall define, establish and implement an ICT-related incident management process to detect, manage and notify ICT-related incidents. The process shall set out indicators for early warning, procedures to identify, track, log, categorise and classify, and define the roles and responsibilities for incident response.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 18 · mandatory
Classification of ICT-related incidents and cyber threats
Financial entities shall classify ICT-related incidents based on impact criteria set out in regulatory technical standards (number/relevance of clients or counterparts affected, geographic spread, data losses, severity of impact on ICT systems, duration, criticality of services affected, economic impact, etc.). Major ICT-related incidents shall be reported.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 19 · mandatory
Reporting of major ICT-related incidents and voluntary notification of significant cyber threats
Financial entities shall report major ICT-related incidents to the relevant competent authority. Initial notification, intermediate report and final report shall be submitted within the time frames set out in the RTS adopted under Article 20.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 2 · mandatory
Scope — financial entities and ICT third-party service providers
DORA applies to financial entities including credit institutions, payment institutions, electronic-money institutions, investment firms, crypto-asset service providers, central securities depositories, central counterparties, trading venues, trade repositories, AIFMs, UCITS management companies, data-reporting service providers, insurance and reinsurance undertakings, insurance and reinsurance intermediaries (with proportionality), institutions for occupational retirement provision, credit rating agencies, administrators of critical benchmarks, crowdfunding service providers, securitisation repositories, and ICT third-party service providers.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 24 · mandatory
General requirements for the performance of digital operational resilience testing
Financial entities other than microenterprises shall establish, maintain and review a sound and comprehensive digital operational resilience testing programme, applying a risk-based approach taking into account the criteria set out in Article 4(2). The testing programme shall include a range of assessments, tests, methodologies, practices and tools.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 26 · mandatory
Advanced testing of ICT tools, systems and processes based on TLPT
Financial entities identified by the competent authority shall perform at least every 3 years advanced testing by means of threat-led penetration testing (TLPT). The TLPT shall cover several critical or important functions and be performed on live production systems supporting such functions.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 28 · mandatory
General principles for sound management of ICT third-party risk
Financial entities shall manage ICT third-party risk as an integral component of ICT risk, in accordance with the principles in Article 5. The management body remains fully responsible for compliance with ICT third-party risk management requirements. Financial entities shall adopt and review a strategy on ICT third-party risk.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 29 · mandatory
Preliminary assessment of ICT concentration risk and further subcontracting arrangements
Financial entities shall assess whether the contractual arrangement covers an ICT service supporting a critical or important function and whether it could lead to ICT concentration risk. The assessment shall take into account other contractual arrangements and the subcontracting chain.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 30 · mandatory
Key contractual provisions
Contractual arrangements with ICT third-party service providers shall include, among others: a complete description of the services, locations where the data is processed, service-level descriptions, provisions on data accessibility, integrity and security, full audit and access rights, exit strategies, cooperation with competent authorities, and termination rights.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 31 · mandatory
Designation of critical ICT third-party service providers
The European Supervisory Authorities (ESAs) shall designate critical ICT third-party service providers based on criteria including systemic impact on stability/continuity/quality of financial services, systemic character or importance of the financial entities, reliance of financial entities, degree of substitutability.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 35 · mandatory
Powers of the Lead Overseer
Each critical ICT third-party service provider shall be subject to oversight by a Lead Overseer designated from among ESAs, with powers including requesting all relevant information and documentation, conducting general investigations and on-site inspections, issuing recommendations on areas covered by the oversight tasks.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 45 · mandatory
Information-sharing arrangements on cyber threat information and intelligence
Financial entities may exchange amongst themselves cyber threat information and intelligence, including indicators of compromise, tactics, techniques and procedures, cyber security alerts and configuration tools, to the extent that the sharing arrangements protect the potentially sensitive nature of the information.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 5 · mandatory
ICT risk management framework — governance and organisation
Financial entities shall have in place an internal governance and control framework that ensures an effective and prudent management of ICT risk. The management body shall define, approve, oversee and be responsible for the implementation of all arrangements related to the ICT risk management framework. Top management has ultimate accountability for managing ICT risk.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 6 · mandatory
ICT risk management framework — full lifecycle
Financial entities shall have a sound, comprehensive and well-documented ICT risk management framework as part of their overall risk management system, which enables them to address ICT risk quickly, efficiently and comprehensively, and to ensure a high level of digital operational resilience.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 7 · mandatory
ICT systems, protocols and tools
Financial entities shall use and maintain updated ICT systems, protocols and tools that are appropriate to the magnitude of operations, support performance of activities and provision of services, resilient and reliable enough to handle peak demand and process data securely.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 8 · mandatory
Identification of ICT-supported business functions, sources of ICT risk and assets
Financial entities shall identify, classify and adequately document all ICT-supported business functions, roles and responsibilities, the information assets and ICT assets supporting those functions, and their interdependencies. They shall identify on a continuous basis all sources of ICT risk, classify them according to criticality and risk level, and review the risk scenarios at least yearly.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · clause · Art. 9 · mandatory
Protection and prevention
Financial entities shall continuously monitor and control the security and functioning of ICT systems and tools, minimise the impact of ICT risk on ICT systems through the deployment of appropriate ICT security tools, policies and procedures, and maintain mechanisms and policies to limit the impact of ICT incidents.
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-3P-001 · high
ICT third-party risk management + Art. 30 contractual terms
ICT third-party risk strategy; preliminary assessment of concentration risk and subcontracting; contractual arrangements satisfying Article 30 (service description, data locations, SLAs, audit rights, exit strategy, cooperation with competent authorities, termination rights). Maps Art. 28-30.
contract · report · attestation · procedure
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-ASSETS-001 · high
ICT-supported business function + asset inventory
Inventory of ICT-supported business functions, information assets, ICT assets and interdependencies; classification by criticality + risk level; annual review of sources of ICT risk and risk scenarios. Maps Art. 7-8.
report · configuration · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-BCM-001 · high
Business continuity, response and recovery
ICT business-continuity policy, response and recovery plans, backup policy with per-asset frequency, RTO/RPO per critical or important function, periodic test of restored data. Maps Art. 11-12.
procedure · report · configuration · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-COMMS-001 · high
Crisis-communication plans
Documented crisis-communication plans covering responsible disclosure to clients, counterparts and the public; roles, approval gates, communication templates. Maps Art. 14.
procedure · report · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-CTPP-001 · high
Critical-TPP awareness + cooperation with Lead Overseer
Identification of contractual arrangements with TPPs designated as critical by the ESAs; preparation for Lead-Overseer oversight including information requests, on-site inspections, recommendations response. Maps Art. 31 + 35.
report · procedure · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-DET-001 · high
Detection + monitoring
Mechanisms to promptly detect anomalous activities and ICT-related incidents, tested on a regular basis. Includes SOC alerting + SPOF identification + threshold-based escalation. Maps Art. 10.
configuration · log · report · procedure
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-GOV-001 · high
ICT risk management governance + board accountability
Documented governance framework with management-body approval of ICT risk policy, defined roles and authority, board-level reporting cadence, and demonstrable management-body accountability for the framework. Maps Art. 5.
policy · attestation · report
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-INC-001 · high
ICT incident management process + classification
Incident-management process with detection indicators, identification, tracking, logging, categorisation, classification per Article 18 criteria. Includes major-incident determination workflow. Maps Art. 17-18.
procedure · incident_record · configuration
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-LEARN-001 · high
Post-incident learning + vulnerability + threat intel
Process for gathering information on vulnerabilities, cyber threats and ICT-related incidents; post-incident reviews documenting root cause and improvements; threat-intel feed into the framework. Maps Art. 13.
procedure · incident_record · report · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-PROT-001 · high
Protection + prevention controls
Continuous monitoring + control of ICT system security, deployment of ICT security tools (encryption, access control, network segmentation, vulnerability mgmt), policy + procedure layer governing them. Maps Art. 9.
configuration · policy · procedure · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-REP-001 · high
Major ICT-related incident reporting workflow
Workflow for the initial notification, intermediate report and final report to the relevant competent authority within the time frames in the Article-20 RTS. Includes evidence preservation + cooperation procedure. Maps Art. 19.
procedure · incident_record · report · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-RM-001 · high
ICT risk management framework — full lifecycle
Comprehensive ICT risk management framework: identify, protect, detect, respond, recover, learn. Documented as a single artefact with annual review and on material change. Maps Art. 6.
policy · procedure · report · attestation
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-TEST-001 · high
Digital operational resilience testing programme
Risk-based testing programme with a documented scope, methodologies (vulnerability assessments, scenario-based tests, performance tests, end-to-end tests, penetration tests), and remediation tracking. Microenterprises out of scope. Maps Art. 24.
report · procedure · configuration
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DORA · control · DORA-TLPT-001 · high
Threat-led penetration testing (TLPT)
TLPT every 3 years (or more frequently if required), conducted on live production systems supporting critical or important functions, against a defined threat scenario. Includes red-team + blue-team coordination + attestation. Maps Art. 26.
report · attestation · configuration
https://eur-lex.europa.eu/eli/reg/2022/2554/oj
- DPDP_INDIA · clause · §10 · mandatory
Additional obligations of Significant Data Fiduciary
Where the Central Government has notified a Data Fiduciary or class of Data Fiduciaries as a 'Significant Data Fiduciary' (based on volume + sensitivity, risk to electoral democracy, security of the State, public order, etc.), the SDF shall additionally: appoint a Data Protection Officer based in India; appoint an Independent Data Auditor; undertake periodic Data Protection Impact Assessment + periodic audit; undertake other measures the Government prescribes.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §11 · mandatory
Right of Data Principal to information about personal data
The Data Principal shall have the right to obtain from the Data Fiduciary, upon making a request in such manner as may be prescribed: (a) a summary of personal data being processed and the processing activities; (b) the identities of all other Data Fiduciaries and Data Processors with whom the personal data has been shared; (c) any other information related to the personal data of such Data Principal and its processing as may be prescribed.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §12 · mandatory
Right to correction and erasure
The Data Principal whose personal data has been processed shall have the right to correction, completion, updating and erasure of personal data for processing of which consent was given or processed for a legitimate use under §7, unless the data is required to be retained.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §13 · mandatory
Right of grievance redressal
The Data Principal shall have the right to readily available means of grievance redressal provided by the Data Fiduciary or Consent Manager. The Data Fiduciary / Consent Manager shall respond within the period prescribed. The Data Principal may then approach the Data Protection Board of India.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §14 · mandatory
Right to nominate
The Data Principal shall have the right to nominate, in such manner as may be prescribed, any other individual, who shall, in the event of death or incapacity of the Data Principal, exercise the rights of the Data Principal in accordance with the Act.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §16 · mandatory
Processing of personal data outside India
The Central Government may, by notification, restrict the transfer of personal data by a Data Fiduciary for processing to such country or territory outside India as may be so notified. Where no such notification has been issued, cross-border transfer of personal data is permitted, subject to compliance with other provisions of this Act. (Default-allow regime, distinct from EU GDPR's default-restrict.)
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §17 · mandatory
Exemptions
Provides exemptions for processing necessary for enforcing legal rights or claims; for judicial/quasi-judicial functions; for prevention/detection/investigation of offences; for processing of personal data of Data Principals not within the territory of India by a Data Fiduciary in India that has its operations elsewhere; for research, archiving, or statistical purposes if the data is not used to take any decision specific to a Data Principal; and for start-ups as notified by the Central Government.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §3 · mandatory
Application of the Act
The Act applies to the processing of digital personal data within India, including data that was collected in non-digital form and digitised subsequently. It also applies to the processing of digital personal data outside India where such processing is in connection with any activity related to offering of goods or services to Data Principals within India. The Act does not apply to processing for personal/domestic purposes or to data made public by the Data Principal or by law.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §33 · mandatory
Penalties
The Schedule to the Act prescribes penalties: up to ₹250 crore for failure to take reasonable security safeguards to prevent breach; up to ₹200 crore for failure to give intimation of personal data breach or for failure relating to children; up to ₹150 crore for breach of additional obligations of Significant Data Fiduciary; up to ₹50 crore for breach of duties of Data Principal; up to ₹10,000 + ₹50 crore for other breaches. The Data Protection Board determines and imposes penalties.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §4 · mandatory
Grounds for processing of personal data
A Data Fiduciary may process the personal data of a Data Principal only in accordance with the provisions of this Act, and only for a lawful purpose — meaning either (a) for which the Data Principal has given consent, or (b) for certain legitimate uses (as defined in §7 — e.g. specified purposes for which the Data Principal has voluntarily provided data, performance of state functions, compliance with legal obligations, response to medical emergency, employment-related processing).
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §5 · mandatory
Notice to Data Principal
Every request for consent shall be accompanied by, or preceded by, a notice given by the Data Fiduciary informing the Data Principal of: (i) the personal data to be processed and the specified purpose; (ii) the manner of exercising rights and lodging complaints with the Data Protection Board. Notice shall be in clear and plain language. Where consent was given before the Act's commencement, notice as soon as reasonably practicable.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §6 · mandatory
Consent
Consent shall be free, specific, informed, unconditional, unambiguous, with a clear affirmative action signifying agreement to the processing for the specified purpose. The Data Principal may withdraw consent at any time, with ease comparable to giving it. On withdrawal, the Data Fiduciary shall cease processing (and cause its Data Processors to cease) within a reasonable time, unless required to retain the data under law.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §7 · mandatory
Certain legitimate uses
Personal data may be processed for the following legitimate uses without consent: (a) for which the Data Principal has voluntarily provided personal data + has not indicated non-consent; (b) for the State + its instrumentalities for permitted purposes; (c) compliance with any judgment or decree; (d) responding to a medical emergency involving a threat to life or immediate threat to the health of any Data Principal or any other person; (e) measures to provide medical treatment / health services during an epidemic, outbreak of disease, or any other threat to public health; (f) measures to ensure safety of any person during disaster or breakdown of public order; (g) for the purposes of employment, or those related to safeguarding the employer from loss/liability/threats.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §8 · mandatory
General obligations of Data Fiduciary
The Data Fiduciary shall be responsible for complying with the Act and these Rules in respect of any processing it undertakes (whether on its own or through a Data Processor), including ensuring completeness/accuracy/consistency of personal data used to make any decision affecting the Data Principal; implementing technical + organisational measures to ensure effective observance; taking reasonable security safeguards to prevent personal data breach.
crosswalks: GDPR · Art. 32
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §8(6) · mandatory
Breach notification
In the event of a personal data breach, the Data Fiduciary shall give the Board and each affected Data Principal intimation of such breach, in such form and manner as may be prescribed (DPDP Rules). The notice describes the breach, its likely consequences, and the measures taken or proposed to mitigate.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · clause · §9 · mandatory
Processing of personal data of children
The Data Fiduciary shall, before processing any personal data of a child, obtain verifiable consent of the parent (or lawful guardian) of such child. The Data Fiduciary shall not undertake such processing of personal data of a child that is likely to cause any detrimental effect on the well-being of the child, nor shall it undertake tracking or behavioural monitoring of children or targeted advertising directed at children.
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-BREACH-001 · high
§8(6) Board + Data-Principal breach notification
Breach-detection capability tied to the incident-response runbook; classification + risk assessment; Board notification + Data-Principal notification in the form + manner prescribed by the DPDP Rules; documentation of consequences + mitigation measures.
procedure · incident_record · report · attestation
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-CHILDREN-001 · high
Children + persons-with-disability protections (§9)
Pre-processing verifiable parental consent capture for any data of a child (under 18); no detrimental processing affecting child well-being; no tracking + behavioural monitoring of children; no targeted advertising directed at children. Persons-with-disability protections per DPDP Rules.
procedure · log · screenshot · attestation
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-CONSENT-001 · high
§6 free + specific + informed consent + easy withdrawal
Consent capture meeting §6: free + specific + informed + unconditional + unambiguous + clear affirmative action. Withdrawal mechanism as easy as giving consent; cessation of processing (incl. through Data Processors) within reasonable time on withdrawal.
log · screenshot · procedure · configuration
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-EXEMPT-001 · limited
§17 exemption tracking
Documentation tracking which processing relies on which §17 exemption (legal rights or claims, judicial/quasi-judicial functions, offences prevention/detection/investigation, foreign-origin data without India-data-principal nexus, research/archiving/statistical without individual-targeting, notified start-ups). Basis + data flow retained.
report · attestation · policy
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-FIDUCIARY-001 · high
General Data Fiduciary obligations (§8)
Accuracy + completeness + consistency of personal data used in any Data-Principal-affecting decision; T&O measures for compliance; reasonable security safeguards to prevent breach; downstream control of Data Processors via contract.
policy · procedure · configuration · attestation
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-LAWFUL-001 · high
Lawful-purpose register (consent + legitimate uses)
For every processing activity, document the lawful purpose under §4 (consent or §7 legitimate use). Where §7 is relied on, the specific clause and supporting evidence. Reviewed at material change.
report · procedure · attestation
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-NOTICE-001 · high
§5 notice + consent capture
Notice in clear + plain language accompanying or preceding every consent request, describing the personal data, the specified purpose, the manner of exercising rights and lodging complaints with the Board. Notice for pre-commencement consent provided as soon as reasonably practicable.
policy · screenshot · procedure · report
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-PEN-001 · high
§33 penalty-exposure awareness + Board cooperation
Risk register reflects the DPDP penalty schedule (up to ₹250 crore for security-safeguards failure leading to breach; ₹200 crore for breach-intimation or children-related failures; ₹150 crore for SDF additional-obligations failures; etc.). Board-cooperation register tracking ongoing inquiries.
report · attestation · policy
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-RIGHTS-001 · high
Data Principal rights workflow (§11-14)
Documented intake + identity-verification + fulfilment workflow for the right to information (§11), correction/erasure (§12), grievance redressal (§13) and nomination (§14). Timeframes per DPDP Rules; appeal-route to the Data Protection Board.
procedure · log · report · attestation
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-SDF-001 · high
Significant Data Fiduciary additional obligations (§10)
Where notified as a Significant Data Fiduciary: India-based DPO; Independent Data Auditor; periodic DPIA; periodic data-protection audit; other measures the Central Government prescribes.
report · attestation · procedure
https://www.meity.gov.in/data-protection-framework
- DPDP_INDIA · control · DPDP-XBORDER-001 · high
§16 cross-border-transfer awareness
Tracking of Central Government notifications restricting transfer of personal data to specified countries / territories; maintenance of the list of restricted destinations in the routing controls; safeguards-equivalent measures where transfers go to destinations of higher risk.
report · configuration · attestation · procedure
https://www.meity.gov.in/data-protection-framework
- EU_AI_ACT · clause · Annex III · mandatory
High-risk AI systems referred to in Article 6(2)
Eight enumerated areas: (1) biometrics, (2) critical infrastructure, (3) education and vocational training, (4) employment and worker management, (5) access to essential private and public services and benefits, (6) law enforcement, (7) migration/asylum/border control, (8) administration of justice and democratic processes. Dual-dating note: high-risk obligations for Annex III systems are baselined at 2 August 2026 per Art. 113 of Regulation (EU) 2024/1689; the Digital Omnibus proposal would shift the Annex III applicability date to 2 December 2027 (and 2 August 2028 for Annex I product-related high-risk systems), conditional on the availability of supporting tools — subject to formal adoption / support-tool availability.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Annex IV · mandatory
Technical documentation referred to in Article 11(1)
Required content includes the general description of the AI system, detailed description of elements and processes, performance metrics and their appropriateness, risk-management system detail, relevant changes over the lifecycle, harmonised standards applied, EU declaration of conformity, and post-market performance evaluation system.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 10 · mandatory
Data and data governance
Training, validation and testing data sets shall be subject to appropriate data governance and management practices, including data origin and lineage, bias examination, representativeness, completeness, and gap remediation in view of the intended purpose.
crosswalks: ISO_42001 · Cl. 7.3
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 11 · mandatory
Technical documentation
Technical documentation of a high-risk AI system shall be drawn up before placing on the market or putting into service and kept up-to-date. Content is set out in Annex IV.
crosswalks: ISO_42001 · Cl. 7.2
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 113 · mandatory
Entry into force and application
Sets the staggered entry-into-application schedule: 2 February 2025 for the Art. 5 prohibitions, 2 August 2025 for GPAI provisions, 2 August 2026 as the general applicability date (baseline for high-risk obligations), and 2 August 2027 for high-risk AI systems referred to in Article 6(1) (Annex I product-linked). Subject to the Digital Omnibus proposal, which would link the high-risk application dates to the availability of supporting tools — proposed revised baselines of 2 December 2027 for Annex III high-risk systems and 2 August 2028 for Annex I product-related high-risk systems, conditional on support-tool availability. The Digital Omnibus revision is subject to formal adoption / support-tool availability; until then the published Art. 113 dates apply.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 12 · mandatory
Record-keeping (logs)
High-risk AI systems shall technically allow for the automatic recording of events ('logs') over the duration of the system's lifetime, sufficient for traceability appropriate to the intended purpose.
crosswalks: ISO_42001 · Cl. 9.1
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 13 · mandatory
Transparency and provision of information to deployers
High-risk AI systems shall be sufficiently transparent for deployers to interpret a system's output and use it appropriately, with concise, complete, correct and clear instructions for use provided in an appropriate digital format.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 14 · mandatory
Human oversight
High-risk AI systems shall be designed to be effectively overseen by natural persons during use. Oversight measures shall enable the assigned individual to intervene on operation or interrupt the system through a 'stop' control.
crosswalks: ISO_42001 · Cl. 8.1; NIST_AI_RMF · GOVERN-2
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 15 · mandatory
Accuracy, robustness and cybersecurity
High-risk AI systems shall achieve appropriate levels of accuracy, robustness and cybersecurity, consistent throughout their lifecycle. Accuracy levels and metrics shall be declared in the instructions for use.
crosswalks: NIST_AI_RMF · MEASURE-2
https://eur-lex.europa.eu/eli/reg/2024/1689/oj
- EU_AI_ACT · clause · Art. 17 · mandatory
Quality management system
Providers of high-risk AI systems shall put a QMS in place that ensures compliance with this Regulation, documented as written policies, procedures and instructions.
crosswalks: ISO_42001·Cl. 4.1
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 18 · mandatory
Documentation keeping
Providers shall keep technical documentation, QMS documentation, notified-body change approvals (where applicable) and the EU declaration of conformity for at least 10 years after the system is placed on the market or put into service.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 19 · mandatory
Automatically generated logs
Providers shall keep logs automatically generated by their high-risk AI systems for at least six months, where the logs are under their control, unless otherwise required.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 26 · mandatory
Obligations of deployers of high-risk AI systems
Deployers shall use high-risk AI systems per the instructions for use, assign human oversight to a competent person, ensure input-data appropriateness, monitor operation, retain logs, and inform workers' representatives and affected workers of use.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 27 · mandatory
Fundamental rights impact assessment (FRIA)
Deployers that are bodies governed by public law, private operators providing public services, and deployers using Annex III(5)(b) and (5)(c) high-risk AI systems shall assess the impact on fundamental rights before deployment.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 3 · mandatory
Definitions
Defines 'AI system', 'general-purpose AI model', 'provider', 'deployer', 'importer', 'distributor', 'authorised representative', 'serious incident', 'making available on the market', 'placing on the market', 'putting into service'.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 4 · mandatory
AI literacy
Providers and deployers of AI systems shall take measures to ensure, to their best extent, a sufficient level of AI literacy of their staff and other persons dealing with the operation and use of AI systems on their behalf.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 5(1)(a) · mandatory
Prohibited — subliminal techniques distorting behaviour
Prohibits the placing on the market, putting into service, or use of an AI system that deploys subliminal techniques beyond a person's consciousness, or purposefully manipulative or deceptive techniques, with the objective or effect of materially distorting the behaviour of a person or a group, causing significant harm.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 5(1)(b) · mandatory
Prohibited — exploitation of vulnerabilities
Prohibits AI systems that exploit any of the vulnerabilities of a natural person or specific group due to age, disability, or social/economic situation, with the objective or effect of materially distorting their behaviour and causing significant harm.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 5(1)(c) · mandatory
Prohibited — social scoring by public authorities
Prohibits AI systems for the evaluation or classification of natural persons over time based on social behaviour or personality characteristics where the social score leads to detrimental or unfavourable treatment in contexts unrelated to those in which the data was originally generated, or that is unjustified or disproportionate.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 5(1)(d) · mandatory
Prohibited — predictive policing based solely on profiling
Prohibits AI systems making risk assessments of natural persons in order to assess or predict the risk of committing a criminal offence, based solely on profiling or on assessing personality traits.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 5(1)(e) · mandatory
Prohibited — untargeted scraping of facial images
Prohibits AI systems that create or expand facial recognition databases through the untargeted scraping of facial images from the internet or CCTV footage.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 5(1)(f) · mandatory
Prohibited — emotion inference in workplaces and educational institutions
Prohibits AI systems that infer emotions of a natural person in the areas of workplace and educational institutions, except where the use of the AI system is intended to be put in place or into the market for medical or safety reasons.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 5(1)(g) · mandatory
Prohibited — biometric categorisation by sensitive attributes
Prohibits biometric categorisation systems that categorise individually natural persons based on their biometric data to deduce or infer their race, political opinions, trade union membership, religious or philosophical beliefs, sex life or sexual orientation.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 50 · mandatory
Transparency obligations for certain AI systems (limited-risk)
Providers shall ensure that AI systems interacting directly with natural persons disclose their AI nature unless this is obvious. Deployers of AI systems generating deep fakes shall disclose that the content has been artificially generated or manipulated.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 53 · mandatory
Obligations for providers of general-purpose AI models
GPAI providers shall maintain technical documentation, provide downstream-integrator documentation, implement an EU copyright-compliance policy, and publish a sufficiently detailed summary of training-content.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 55 · mandatory
Obligations for providers of GPAI models with systemic risk
GPAI providers classified as systemic-risk shall perform model evaluation including adversarial testing, assess and mitigate systemic risks, track and report serious incidents, and ensure cybersecurity protection of model and infrastructure.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 6 · mandatory
Classification rules for high-risk AI systems
An AI system is high-risk if it is intended to be used as a safety component of a product, or is itself a product, covered by the Union harmonisation legislation listed in Annex I AND required to undergo third-party conformity assessment. AI systems referred to in Annex III are also high-risk, subject to the Art. 6(3) carve-outs (narrow procedural task, improving a previously completed human activity, detecting decision-making patterns, or preparatory tasks).
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 72 · mandatory
Post-market monitoring by providers
Providers shall establish and document a post-market monitoring system proportionate to the nature of the AI technologies and the risks of the high-risk AI system, feeding back into the Art. 9 risk-management cycle.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 73 · mandatory
Reporting of serious incidents
Providers shall report any serious incident to the market surveillance authorities of the affected Member States within 15 days of becoming aware of a causal link or reasonable likelihood of one.
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · clause · Art. 9 · mandatory
Risk management system
A risk management system shall be established, implemented, documented and maintained for high-risk AI systems. It shall be a continuous iterative process planned and run throughout the entire lifecycle of the system.
crosswalks: ISO_42001·Cl. 6.1; NIST_AI_RMF·MAP-1; NIST_AI_RMF·MEASURE-1; NIST_AI_RMF·MANAGE-1
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-AR-001 · high
Accuracy, robustness and cybersecurity metrics
Pre-release evaluation of accuracy / robustness / cybersecurity against declared thresholds. Adversarial-robustness testing for systems exposed to untrusted input. Metrics published in the instructions for use.
report · configuration · report
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-DEP-001 · high
Deployer obligation compliance
For each deployed high-risk AI system: human-oversight assignment with documented competence, input-data appropriateness checks, monitoring of operation against instructions for use, log retention, and worker/affected-person notification.
policy · procedure · training_record · log
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-DG-001 · high
Data governance for training, validation and testing
Documented design choices, lineage, bias examination and data-gap remediation across the training/validation/test sets. Captures origin, representativeness, error rate and bias mitigations.
policy · procedure · report · report
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-DOC-001 · high
Annex IV technical documentation pack
Versioned, change-tracked Annex IV technical-documentation bundle covering system description, risk management, performance metrics, changes through lifecycle, harmonised standards, EU declaration of conformity and post-market plan. Maintained up to date.
report · configuration · attestation
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-FRIA-001 · high
Fundamental Rights Impact Assessment
Pre-deployment FRIA covering processes in which the high-risk AI system will be used, time period of use, categories of natural persons likely to be affected, specific risks of harm likely to impact those persons, human-oversight measures, and risk-mitigation steps.
fria · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-GPAI-001 · high
GPAI provider documentation pack
For every GPAI model placed on the EU market: model technical documentation, downstream-integrator documentation, EU copyright-compliance policy and a publicly-available training-content summary.
report · report · policy · configuration
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-GPAI-002 · high
GPAI systemic-risk evaluation and incident reporting
For GPAI models classified as systemic-risk: model evaluation including adversarial testing, systemic-risk assessment + mitigation plan, tracking and prompt reporting of serious incidents, and cybersecurity protection of model + infrastructure.
report · report · incident_record
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-HO-001 · high
Effective human oversight
Named oversight role with the competence, authority and tooling to intervene, interrupt or override the AI system's output. Includes a documented escalation path and a 'stop' control.
policy · procedure · training_record · screenshot
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-INC-001 · high
Serious-incident reporting (15-day window)
Serious-incident notification to the market-surveillance authorities of the affected Member States within 15 days of provider/deployer becoming aware of the incident — immediately upon establishing a causal link or reasonable likelihood of one.
incident_record · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-LOG-001 · high
Automated event logging
Tamper-evident automatic logging of inputs, decisions, model identifier and model version. Logs retained for at least six months unless a longer retention is required, integrated with the platform's hash-chained audit trail.
log · log · configuration
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-PMM-001 · high
Post-market monitoring system
Active, systematic collection of performance and incident signals across the deployed fleet. Drives the iterative risk-management cycle in EUAI-RM-001. Documented in the QMS.
procedure · report · log · report
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-QMS-001 · high
AI quality management system
Documented QMS covering design, development, testing, deployment and post-market processes for high-risk AI systems. Compatible with ISO/IEC 42001 AIMS so the same QMS satisfies both regimes.
policy · procedure · attestation · report
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-RET-001 · high
10-year documentation retention
Retention of technical documentation, QMS documentation, notified-body change approvals (where applicable) and EU declaration of conformity for at least 10 years after the system is placed on the market or put into service.
policy · attestation · configuration
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-RM-001 · high
Continuous risk-management lifecycle
Iterative risk-identification, analysis, evaluation and treatment process run throughout the AI system's lifecycle. Outputs include a risk register, treatment plan, and residual-risk acceptance record signed by the AI governance owner.
policy · procedure · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-TR-001 · limited
Limited-risk transparency disclosure
Front-of-experience disclosure for AI systems interacting directly with natural persons. Deep-fake content carries a machine-readable label disclosing artificial generation/manipulation.
screenshot · configuration · procedure
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_AI_ACT · control · EUAI-TRANS-001 · high
Deployer-facing transparency information
Instructions for use covering intended purpose, level of accuracy/robustness/cybersecurity, foreseeable risks, performance metrics, validation/test data characteristics, and human-oversight measures. Provided in a digital format that survives downstream redistribution.
policy · procedure · report
https://eur-lex.europa.eu/eli/reg/2024/1689/oj ↗
- EU_CRA · clause · Annex I · mandatory
Essential cybersecurity requirements
Section 1 — Security properties of products with digital elements: appropriate level of cybersecurity, no known exploitable vulnerabilities, secure default configuration, security updates, protection from unauthorised access (e.g. authentication + identity + access management), confidentiality + integrity + availability of stored/transmitted/processed data, processing only of minimum amount of data, resilience against DoS, minimised attack surface, vulnerability detection + mitigation. Section 2 — Vulnerability handling requirements: identify + document, address + remediate, regular tests + reviews, public information, policy on coordinated vulnerability disclosure, mechanism to securely distribute updates.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Annex II · mandatory
Information and instructions to the user
Information that manufacturers must provide with the product: identity + contact details of the manufacturer, name/type/identification of the product, intended purpose, type of data the product is designed to process, support period during which security updates will be provided, technical security characteristics, instructions on how to make secure use of the product, automatic security-update mechanism + how to disable, point of contact to report vulnerabilities.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Annex IV · mandatory
Technical documentation
Required content for the technical documentation: general description (intended purpose, software versions, hardware specifications), description of the design + development + production of the product, assessment of the cybersecurity risks against which the product is designed + developed + produced, list of applied harmonised standards, copy of the EU declaration of conformity, security-update policy, support-period definition + rationale.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 1 · mandatory
Subject matter
This Regulation lays down rules for the placing on the market of products with digital elements to ensure their cybersecurity, essential requirements for the design/development/production of products with digital elements, essential requirements for vulnerability-handling processes, and rules on market surveillance + enforcement.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 13 · mandatory
Obligations of manufacturers
Manufacturers shall ensure that products with digital elements placed on the market have been designed/developed/produced in accordance with the essential cybersecurity requirements set out in Annex I. They shall perform a cybersecurity risk assessment; address all categories of risk; provide a support period (≥5 years by default, or the lifecycle if shorter); maintain technical documentation; and undergo conformity assessment.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 14 · mandatory
Reporting obligations of manufacturers
Manufacturers shall notify ENISA + the relevant CSIRT designated under NIS2 of any actively exploited vulnerability contained in the product with digital elements that they become aware of, and any severe incident having impact on the security of the product. Cadence: 24-hour early warning, 72-hour incident notification, 14-day final report.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 19 · mandatory
Obligations of importers
Importers shall place on the Union market only products with digital elements that comply with the essential requirements. They shall verify that the manufacturer has carried out the conformity-assessment procedure, drawn up the technical documentation, affixed the CE marking, and complied with documentation + reporting obligations.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 2 · mandatory
Scope
Applies to products with digital elements made available on the Union market the intended purpose or reasonably foreseeable use of which includes a direct or indirect data connection to a device or network. Exclusions: products covered by specific EU regulation (medical devices under MDR/IVDR, motor vehicles, civil aviation, certain marine equipment, certifications under defence + national security).
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 20 · mandatory
Obligations of distributors
Distributors shall act with due care in relation to the requirements of this Regulation. Before making a product with digital elements available on the market, they shall verify the CE marking, the documentation, the instructions and information for the user are accessible, and the manufacturer + importer have complied with their respective obligations.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 21 · mandatory
Cases in which obligations of manufacturers apply to importers and distributors
An importer or distributor shall be considered a manufacturer for the purposes of this Regulation and shall be subject to the obligations of the manufacturer where they place a product with digital elements on the market under their own name or trademark, or carry out a substantial modification of the product with digital elements.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 27 · mandatory
Presumption of conformity
Products with digital elements that are in conformity with harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, shall be presumed to be in conformity with the essential requirements covered by those standards or parts thereof.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 28 · mandatory
European cybersecurity certification schemes
Member States shall presume conformity with the essential requirements where a European cybersecurity certification scheme adopted pursuant to the Cybersecurity Act and applicable to the product covers those requirements at an assurance level corresponding to the relevant risks.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 3 · mandatory
Definitions
Defines 'product with digital elements', 'remote data processing solution', 'critical product with digital elements', 'important product with digital elements', 'cybersecurity risk', 'significant cybersecurity risk', 'actively exploited vulnerability', 'manufacturer', 'importer', 'distributor', 'placing on the market', 'making available on the market', 'support period'.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 30 · mandatory
CE marking
Products with digital elements that comply with this Regulation shall bear the CE marking before being placed on the market. The CE marking shall be affixed visibly, legibly and indelibly to the product. Where this is not possible or warranted because of the nature of the product, it shall be affixed to the packaging and to the documents accompanying the product.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 31 · mandatory
Conformity assessment procedures
Manufacturers shall demonstrate conformity with the essential requirements by carrying out an appropriate conformity-assessment procedure set out in Annex VIII (module A internal control, module B+C type-examination + conformity-to-type, module H full quality assurance, full-quality-assurance procedure for important class II, mandatory European cybersecurity certification for critical products).
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 32 · mandatory
EU declaration of conformity
The EU declaration of conformity shall state that the fulfilment of the essential cybersecurity requirements has been demonstrated. It shall be drawn up in accordance with the model set out in Annex V and shall be translated into the language or languages required by the Member State in which the product is placed on the market.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 6 · mandatory
Important products with digital elements
Important products with digital elements (Annex III) — class I (e.g. identity-management systems, password managers, smart-home with security functions, network management systems) and class II (e.g. hypervisors + container runtimes, firewalls, tamper-resistant microprocessors). Subject to stricter conformity-assessment routes than ordinary products.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · clause · Art. 7 · mandatory
Critical products with digital elements
Critical products with digital elements (Annex IV) — products that warrant the highest level of cybersecurity scrutiny (e.g. hardware devices with security boxes, smart meter gateways, smartcards or similar). Mandatory European cybersecurity certification by an accredited conformity-assessment body.
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-CE-001 · limited
CE marking
CE marking affixed visibly + legibly + indelibly to the product (or packaging + accompanying documents where the product is too small / nature does not warrant). Marking applied only after successful conformity assessment.
screenshot · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-CONF-001 · high
Conformity-assessment route selection
Determination of whether the product is ordinary / important class I / important class II / critical; selection of the corresponding Annex VIII module (A internal control, B+C type-examination + conformity-to-type, H full quality assurance, mandatory European cybersecurity certification for critical). Maps Art. 6 + 7 + 31.
report · procedure · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-DD-001 · high
Secure design + development + production
Engineering practices that satisfy Annex I Section 1 security properties: appropriate level of cybersecurity, no known exploitable vulns at release, secure-by-default configuration, IAM, confidentiality + integrity + availability, data minimisation, DoS resilience, minimised attack surface. Maps Annex I Section 1.
procedure · configuration · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-DOC-001 · high
Annex IV technical documentation pack
Versioned + change-tracked Annex IV technical documentation: general description, design/development/production, risk assessment, harmonised standards applied, EU declaration of conformity, security-update policy, support-period rationale. Maintained up to date for at least 10 years after the product is placed on the market. Maps Art. 13 + Annex IV.
report · configuration · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-DOC-002 · high
EU declaration of conformity (Annex V)
EU declaration of conformity drawn up using the Annex V template; translated into Member-State languages where required; signed by the manufacturer or authorised representative.
attestation · report · contract
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-IMP-001 · high
Importer + distributor due-diligence
Where acting as importer: verify manufacturer has performed conformity assessment, drawn up technical documentation, affixed CE marking, complied with Annex II + reporting obligations. Where acting as distributor: verify CE marking, accessibility of documentation + instructions, manufacturer/importer compliance with their obligations. Maps Art. 19 + 20.
procedure · report · attestation · contract
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-INFO-001 · high
User information + instructions (Annex II)
Documentation provided with the product covering manufacturer identity + contact, product identification, intended purpose, data types processed, support period, technical security characteristics, secure-use instructions, automatic-update mechanism + opt-out, vulnerability-reporting contact. Maps Annex II.
screenshot · report · procedure
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-MOD-001 · high
Substantial-modification + own-brand awareness
Process to determine whether importer/distributor activity constitutes placing under own name/trademark or substantial modification, which would trigger manufacturer obligations under Art. 21.
procedure · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-REP-001 · high
Vulnerability + serious-incident reporting (24h/72h/14d)
Workflow that delivers an early warning to ENISA + relevant CSIRT within 24 hours of awareness of an actively exploited vulnerability or severe incident, an incident notification within 72 hours, and a final report within 14 days. Tracks vulnerability identifier + CVE + affected versions + mitigation. Maps Art. 14.
procedure · incident_record · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-RM-001 · high
Cybersecurity risk assessment for the product
Documented cybersecurity risk assessment carried out before placing the product on the market. Assessment shall identify all categories of risk, the intended purpose + reasonably foreseeable use, the support period, and the relevant essential requirements. Maps Art. 13 + Annex I Section 1.
report · procedure · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-STD-001 · limited
Use of harmonised standards + European cybersecurity certification
Use of harmonised standards referenced in the OJ to claim presumption of conformity under Art. 27, OR European cybersecurity certification under Art. 28. Inventory + currency-tracking of selected standards/certifications.
report · configuration · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-UPD-001 · high
Security update distribution + support period
Mechanism to securely distribute security updates throughout the support period (≥5 years by default, or product lifecycle if shorter); automatic-update default + opt-out; documented support-period rationale. Maps Art. 13 + Annex I Section 2.
configuration · procedure · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- EU_CRA · control · CRA-VH-001 · high
Vulnerability handling process
Vulnerability identification + documentation, remediation procedures, regular testing + reviews, coordinated-disclosure policy, secure update distribution. Maps Annex I Section 2.
policy · procedure · report · attestation
https://eur-lex.europa.eu/eli/reg/2024/2847/oj ↗
- FEDRAMP · clause · AC · mandatory
Access Control (AC family)
NIST 800-53 Rev. 5 Access Control family.
crosswalks: NIST_CSF·PR.AA; ISO_27001·Annex A.5; SOC_2·CC6
https://www.fedramp.gov/ ↗