DARR
Reverse crosswalk

EU AI Act 2024/1689 + GPAI Code of Practice (deployer)

43 entries, 43 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.

| Framework entry | Description | Disposition | Register mapping | Confidence | Note |
| --- | --- | --- | --- | --- | --- |
| Art. 4 |  | Mapped |  | Clear | AI literacy of staff. \| Nearest existing risk: MR-048 AI competence and skills gaps (the capability gap; Art. 4 is the enforceable literacy duty for all deployers). |
| Art. 5 |  | Mapped |  | Clear | Nearest existing risk: MR-060 Use outside intended scope / MR-040 Regulatory non-compliance (neither names the prohibited-practice categories). |
| Art. 5(a) |  | Mapped |  | Clear | Manipulative and exploitative techniques prohibited. |
| Art. 5(b) |  | Mapped |  | Clear | Manipulative and exploitative techniques prohibited. |
| Art. 5(c) |  | Mapped |  | Clear | Data-driven bias and social-scoring prohibition. |
| Art. 5(e) |  | Mapped |  | Clear | Biometric scraping prohibition, law-enforcement biometric authorisation, biometric/emotion disclosure. |
| Art. 9 |  | Mapped |  | Clear | Risk-management system maintained for the deployed high-risk system. \| Testing and evaluation of the deployed system. |
| Art. 10 |  | Mapped |  | Clear | Data-driven bias and social-scoring prohibition. \| Lawful data processing and DPIA linkage. \| Input-data relevance and representativeness. |
| Art. 12 |  | Mapped |  | Clear | Log generation and retention (>= 6 months). |
| Art. 13 |  | Mapped |  | Clear | Provider instructions and documentation the deployer relies on. \| Transparency to and disclosure toward affected persons. |
| Art. 14 |  | Mapped |  | Clear | Human oversight assigned and effective. |
| Art. 15 |  | Mapped |  | Clear | Cybersecurity of the system and model weights. \| Testing and evaluation of the deployed system. \| Accuracy maintained in use. \| Robustness maintained in use. |
| Art. 26(1) |  | Mapped |  | Clear | Use within the provider's instructions for use. |
| Art. 26(2) |  | Mapped |  | Clear | Human oversight assigned and effective. |
| Art. 26(4) |  | Mapped |  | Clear | Input-data relevance and representativeness. |
| Art. 26(5) |  | Mapped |  | Clear | Monitoring and serious-incident reporting/suspension. \| Nearest existing risk: MR-068 Inadequate incident response (the organizational capability; Art. 26(5)/72/73 is the mandatory authority-reporting and suspension duty). |
| Art. 26(6) |  | Mapped |  | Clear | Log generation and retention (>= 6 months). |
| Art. 26(7) |  | Mapped |  | Clear | Nearest existing risk: MR-040 Regulatory non-compliance (generic; the worker-information duty is not otherwise named). |
| Art. 26(8) |  | Mapped |  | Clear | Registration and inventory visibility. \| Nearest existing risk: MR-063 AI inventory blind spots (internal visibility; Art. 26(8)/49 is the external regulatory registration duty). |
| Art. 26(9) |  | Mapped |  | Clear | Lawful data processing and DPIA linkage. |
| Art. 26(10) |  | Mapped |  | Clear | Biometric scraping prohibition, law-enforcement biometric authorisation, biometric/emotion disclosure. |
| Art. 26(11) |  | Mapped |  | Clear | Transparency to and disclosure toward affected persons. \| Nearest existing risk: MR-055 Lack of explainability (interpretability of the decision, not the duty to notify the affected person). |
| Art. 26(12) |  | Mapped |  | Clear | Generic compliance umbrella; Article-specific duties are split into EU-### gaps per the brief. |
| Art. 27 |  | Mapped |  | Clear | Fundamental-rights impact assessment (specific variant of the impact-assessment process). \| Nearest existing risk: MR-067 Absence of AI impact assessment (the ISO-derived process risk; Art. 27 is the specific fundamental-rights, public-service variant with a notification duty). |
| Art. 49 |  | Mapped |  | Clear | Registration and inventory visibility. \| Nearest existing risk: MR-063 AI inventory blind spots (internal visibility; Art. 26(8)/49 is the external regulatory registration duty). |
| Art. 50 |  | Mapped |  | Clear | Transparency to and disclosure toward affected persons. |
| Art. 50(3) |  | Mapped |  | Clear | Biometric scraping prohibition, law-enforcement biometric authorisation, biometric/emotion disclosure. \| Nearest existing risk: MR-055 Lack of explainability / MR-031 Deepfakes (neither names the Art. 50 disclosure duties). |
| Art. 50(4) |  | Mapped |  | Clear | Deepfake disclosure duty. \| Nearest existing risk: MR-055 Lack of explainability / MR-031 Deepfakes (neither names the Art. 50 disclosure duties). |
| Art. 53 (provider) |  | Mapped |  | Clear | IP/copyright exposure from procured-model training data and outputs. |
| Art. 71 |  | Mapped |  | Clear | Nearest existing risk: MR-063 AI inventory blind spots (internal visibility; Art. 26(8)/49 is the external regulatory registration duty). |
| Art. 72 |  | Mapped |  | Clear | Monitoring and serious-incident reporting/suspension. \| Nearest existing risk: MR-068 Inadequate incident response (the organizational capability; Art. 26(5)/72/73 is the mandatory authority-reporting and suspension duty). |
| Art. 73 |  | Mapped |  | Clear | Monitoring and serious-incident reporting/suspension. \| Nearest existing risk: MR-068 Inadequate incident response (the organizational capability; Art. 26(5)/72/73 is the mandatory authority-reporting and suspension duty). |
| CoP Copyright Ch. Commitment 1 |  | Mapped |  | Clear | IP/copyright exposure from procured-model training data and outputs. |
| CoP GPAI Code of Practice, Copyright Chapter, Commitment 1 (Measures 1.1-1.5) |  | Mapped |  | Clear | Nearest existing risk: MR-039 IP and copyright infringement (the deployer-facing outcome; this adds the upstream provider-compliance dependency). |
| CoP GPAI Code of Practice, Safety and Security Chapter, Commitments 1-10 |  | Mapped |  | Clear | Nearest existing risk: MR-065 Vendor churn / MR-052 Emergent dangerous capabilities / MR-046 Inadequate evaluation (deployer-side; not the provider safety-assurance dependency). |
| CoP GPAI Code of Practice, Transparency Chapter, Commitment 1 (Measures 1.1-1.3) |  | Mapped |  | Clear | Nearest existing risk: MR-045 Insufficient documentation / MR-065 Vendor churn (deployer-side and change-side; not the provider documentation-supply dependency). |
| CoP S&S Ch. Commitment 6 |  | Mapped |  | Clear | Cybersecurity of the system and model weights. \| Model/weight security in the supply chain. |
| CoP S&S Ch. Commitment 9 |  | Mapped |  | Clear | Monitoring and serious-incident reporting/suspension. |
| CoP S&S Ch. Commitments 1-10 |  | Mapped |  | Clear | Dependency on provider documentation and safety assurance. |
| CoP S&S Ch. Commitments 2-5 |  | Mapped |  | Clear | Testing and evaluation of the deployed system. \| Systemic-risk / dangerous-capability assessment by the provider. |
| CoP Transparency Ch. Commitment 1 |  | Mapped |  | Clear | Dependency on provider documentation and safety assurance. |
| CoP Transparency Ch. Measure 1.2 |  | Mapped |  | Clear | Provider instructions and documentation the deployer relies on. |
| (umbrella for all EU AI Act obligations) |  | Mapped |  | Clear | Generic compliance umbrella; Article-specific duties are split into EU-### gaps per the brief. |

Descriptions are each source framework's own text, where it provides one; long entries are clipped here.