Reverse crosswalk
EU AI Act 2024/1689 + GPAI Code of Practice (deployer)
43 entries, 43 mapped to canonical risks. Each entry below is shown with the canonical risk it maps to, or the reason it sits outside the register.
| Framework entry | Description | Disposition | Register mapping | Confidence | Note |
|---|---|---|---|---|---|
| Art. 4 | | Mapped | AI literacy of staff. | Clear | Nearest existing risk: MR-048 AI competence and skills gaps (the capability gap; Art. 4 is the enforceable literacy duty for all deployers). |
| Art. 5 | | Mapped | | Clear | Nearest existing risk: MR-060 Use outside intended scope / MR-040 Regulatory non-compliance (neither names the prohibited-practice categories). |
| Art. 5(a) | | Mapped | Manipulative and exploitative techniques prohibited. | Clear | |
| Art. 5(b) | | Mapped | Manipulative and exploitative techniques prohibited. | Clear | |
| Art. 5(c) | | Mapped | Data-driven bias and social-scoring prohibition. | Clear | |
| Art. 5(e) | | Mapped | Biometric scraping prohibition, law-enforcement biometric authorisation, biometric/emotion disclosure. | Clear | |
| Art. 9 | | Mapped | Risk-management system maintained for the deployed high-risk system. Testing and evaluation of the deployed system. | Clear | |
| Art. 10 | | Mapped | Data-driven bias and social-scoring prohibition. Lawful data processing and DPIA linkage. Input-data relevance and representativeness. | Clear | |
| Art. 12 | | Mapped | Log generation and retention (>= 6 months). | Clear | |
| Art. 13 | | Mapped | Provider instructions and documentation the deployer relies on. Transparency to and disclosure toward affected persons. | Clear | |
| Art. 14 | | Mapped | Human oversight assigned and effective. | Clear | |
| Art. 15 | | Mapped | Cybersecurity of the system and model weights. Testing and evaluation of the deployed system. Accuracy maintained in use. Robustness maintained in use. | Clear | |
| Art. 26(1) | | Mapped | Use within the provider's instructions for use. | Clear | |
| Art. 26(2) | | Mapped | Human oversight assigned and effective. | Clear | |
| Art. 26(4) | | Mapped | Input-data relevance and representativeness. | Clear | |
| Art. 26(5) | | Mapped | Monitoring and serious-incident reporting/suspension. | Clear | Nearest existing risk: MR-068 Inadequate incident response (the organizational capability; Art. 26(5)/72/73 is the mandatory authority-reporting and suspension duty). |
| Art. 26(6) | | Mapped | Log generation and retention (>= 6 months). | Clear | |
| Art. 26(7) | | Mapped | | Clear | Nearest existing risk: MR-040 Regulatory non-compliance (generic; the worker-information duty is not otherwise named). |
| Art. 26(8) | | Mapped | Registration and inventory visibility. | Clear | Nearest existing risk: MR-063 AI inventory blind spots (internal visibility; Art. 26(8)/49 is the external regulatory registration duty). |
| Art. 26(9) | | Mapped | Lawful data processing and DPIA linkage. | Clear | |
| Art. 26(10) | | Mapped | Biometric scraping prohibition, law-enforcement biometric authorisation, biometric/emotion disclosure. | Clear | |
| Art. 26(11) | | Mapped | Transparency to and disclosure toward affected persons. | Clear | Nearest existing risk: MR-055 Lack of explainability (interpretability of the decision, not the duty to notify the affected person). |
| Art. 26(12) | | Mapped | Generic compliance umbrella; Article-specific duties are split into EU-### gaps per the brief. | Clear | |
| Art. 27 | | Mapped | Fundamental-rights impact assessment (specific variant of the impact-assessment process). | Clear | Nearest existing risk: MR-067 Absence of AI impact assessment (the ISO-derived process risk; Art. 27 is the specific fundamental-rights, public-service variant with a notification duty). |
| Art. 49 | | Mapped | Registration and inventory visibility. | Clear | Nearest existing risk: MR-063 AI inventory blind spots (internal visibility; Art. 26(8)/49 is the external regulatory registration duty). |
| Art. 50 | | Mapped | Transparency to and disclosure toward affected persons. | Clear | |
| Art. 50(3) | | Mapped | Biometric scraping prohibition, law-enforcement biometric authorisation, biometric/emotion disclosure. | Clear | Nearest existing risk: MR-055 Lack of explainability / MR-031 Deepfakes (neither names the Art. 50 disclosure duties). |
| Art. 50(4) | | Mapped | Deepfake disclosure duty. | Clear | Nearest existing risk: MR-055 Lack of explainability / MR-031 Deepfakes (neither names the Art. 50 disclosure duties). |
| Art. 53 (provider) | | Mapped | IP/copyright exposure from procured-model training data and outputs. | Clear | |
| Art. 71 | | Mapped | | Clear | Nearest existing risk: MR-063 AI inventory blind spots (internal visibility; Art. 26(8)/49 is the external regulatory registration duty). |
| Art. 72 | | Mapped | Monitoring and serious-incident reporting/suspension. | Clear | Nearest existing risk: MR-068 Inadequate incident response (the organizational capability; Art. 26(5)/72/73 is the mandatory authority-reporting and suspension duty). |
| Art. 73 | | Mapped | Monitoring and serious-incident reporting/suspension. | Clear | Nearest existing risk: MR-068 Inadequate incident response (the organizational capability; Art. 26(5)/72/73 is the mandatory authority-reporting and suspension duty). |
| CoP Copyright Ch. Commitment 1 | | Mapped | IP/copyright exposure from procured-model training data and outputs. | Clear | |
| CoP GPAI Code of Practice, Copyright Chapter, Commitment 1 (Measures 1.1-1.5) | | Mapped | | Clear | Nearest existing risk: MR-039 IP and copyright infringement (the deployer-facing outcome; this adds the upstream provider-compliance dependency). |
| CoP GPAI Code of Practice, Safety and Security Chapter, Commitments 1-10 | | Mapped | | Clear | Nearest existing risk: MR-065 Vendor churn / MR-052 Emergent dangerous capabilities / MR-046 Inadequate evaluation (deployer-side; not the provider safety-assurance dependency). |
| CoP GPAI Code of Practice, Transparency Chapter, Commitment 1 (Measures 1.1-1.3) | | Mapped | | Clear | Nearest existing risk: MR-045 Insufficient documentation / MR-065 Vendor churn (deployer-side and change-side; not the provider documentation-supply dependency). |
| CoP S&S Ch. Commitment 6 | | Mapped | Cybersecurity of the system and model weights. Model/weight security in the supply chain. | Clear | |
| CoP S&S Ch. Commitment 9 | | Mapped | Monitoring and serious-incident reporting/suspension. | Clear | |
| CoP S&S Ch. Commitments 1-10 | | Mapped | Dependency on provider documentation and safety assurance. | Clear | |
| CoP S&S Ch. Commitments 2-5 | | Mapped | Testing and evaluation of the deployed system. Systemic-risk / dangerous-capability assessment by the provider. | Clear | |
| CoP Transparency Ch. Commitment 1 | | Mapped | Dependency on provider documentation and safety assurance. | Clear | |
| CoP Transparency Ch. Measure 1.2 | | Mapped | Provider instructions and documentation the deployer relies on. | Clear | |
| (umbrella for all EU AI Act obligations) | | Mapped | Generic compliance umbrella; Article-specific duties are split into EU-### gaps per the brief. | Clear | |

Descriptions are each source framework's own text, where it provides one; long entries are clipped here.