Spaces:

inesbedar
/

RegMap

Sleeping

App Files Files Community

inesbedar commited on Feb 13

Commit

e226e94

verified ·

1 Parent(s): 4abe55c

Upload 3 files

Browse files

Files changed (3) hide show

app.py +0 -0
phase2_rkb.py +1124 -0
requirements.txt +2 -0

app.py ADDED Viewed

The diff for this file is too large to render. See raw diff

phase2_rkb.py ADDED Viewed

	@@ -0,0 +1,1124 @@

+# ═══════════════════════════════════════════════════════════════
+# RegMap Phase 2 — Regulatory Knowledge Base
+# Qualification questions, obligations, overlaps, gap analysis
+# ═══════════════════════════════════════════════════════════════
+# ─────────────────────────────────────────────────
+# SECTION 1: QUALIFICATION QUESTIONS
+# For each AI-specific regulation, questions to
+# confirm applicability and determine obligation set
+# ─────────────────────────────────────────────────
+QUALIFICATION_QUESTIONS = {
+    # ── EU AI ACT ──
+    "EU AI Act (Regulation 2024/1689)": {
+        "questions": [
+            {
+                "id": "euaia_exception",
+                "text": "Is your AI system covered by any of the following exceptions to the EU AI Act?",
+                "type": "multi_select",
+                "options": [
+                    "The AI system is used exclusively for military, defence, or national security purposes (Art. 2(3))",
+                    "The AI system is used solely for scientific research and development and has not yet been placed on the market or put into service (Art. 2(6))",
+                    "The AI system is used for purely personal, non-professional purposes by a natural person (Art. 2(7))",
+                    "The AI system is released under a free and open-source licence with publicly available parameters, including weights (Art. 2(12))",
+                    "The AI system is operated by a third-country public authority under international law enforcement or judicial cooperation agreements (Art. 2(4))",
+                    "None of the above",
+                ],
+                "note": "The open-source exception does NOT apply if the system is classified as high-risk (Annex III), performs a prohibited practice (Art. 5), or is a GPAI model with systemic risk.",
+            },
+            {
+                "id": "euaia_prohibited",
+                "text": "Does your AI system perform any of the following practices prohibited under Art. 5 of the EU AI Act?",
+                "type": "multi_select",
+                "options": [
+                    "Subliminal manipulation techniques that cause or are likely to cause harm",
+                    "Exploitation of vulnerabilities of specific groups due to age, disability, or social/economic situation",
+                    "Social scoring by public authorities leading to detrimental treatment",
+                    "Real-time remote biometric identification in publicly accessible spaces for law enforcement (except narrow exceptions)",
+                    "Emotion recognition in the workplace or in education institutions (except for medical or safety reasons)",
+                    "Untargeted scraping of facial images from the internet or CCTV to build facial recognition databases",
+                    "Biometric categorisation to infer race, political opinions, trade union membership, religious beliefs, sex life or sexual orientation",
+                    "Individual predictive policing based solely on profiling or personality traits",
+                    "None of the above",
+                ],
+                "note": "If your system falls under any prohibited practice, it cannot be placed on the EU market. Penalties: up to €35M or 7% of global annual turnover.",
+            },
+            {
+                "id": "euaia_annex3",
+                "text": "Is your AI system used in any of the following high-risk domains listed in Annex III?",
+                "type": "multi_select",
+                "options": [
+                    "Biometric identification and categorisation of natural persons",
+                    "Management and operation of critical infrastructure (energy, transport, water, digital)",
+                    "Education and vocational training (access, admission, assessment)",
+                    "Employment, worker management, and access to self-employment (recruitment, screening, evaluation, monitoring)",
+                    "Access to essential private/public services (credit scoring, insurance, social benefits, emergency services)",
+                    "Law enforcement (risk assessment, polygraph, evidence evaluation, profiling)",
+                    "Migration, asylum, and border control (risk assessment, document verification)",
+                    "Administration of justice and democratic processes",
+                    "None of the above",
+                ],
+            },
+            {
+                "id": "euaia_art6_3",
+                "text": "Even if your system falls within an Annex III category, it may NOT be high-risk if ALL of the following conditions are met (Art. 6(3)). Do all apply?",
+                "type": "single_select",
+                "options": [
+                    "Yes — my system performs a narrow procedural task, improves a previous human activity, detects decision patterns without replacing human assessment, or is purely preparatory",
+                    "No — my system directly influences consequential decisions about individuals",
+                ],
+                "condition": "Show only if any Annex III category selected (not 'None of the above')",
+                "note": "Art. 6(3) exception: even within Annex III, a system is NOT high-risk if it does not pose significant risk of harm and meets specific conditions.",
+            },
+            {
+                "id": "euaia_transparency",
+                "text": "Does your AI system involve any of the following (Art. 50 — Transparency)?",
+                "type": "multi_select",
+                "options": [
+                    "Direct interaction with natural persons (chatbot, virtual assistant)",
+                    "Generation of synthetic audio, image, video or text content (deepfakes, GenAI output)",
+                    "Emotion recognition or biometric categorisation",
+                    "None of the above",
+                ],
+            },
+        ],
+    },
+    # ── EU AI ACT — GPAI ──
+    "EU AI Act — GPAI Framework (Chapter V)": {
+        "questions": [
+            {
+                "id": "gpai_systemic",
+                "text": "Does your general-purpose AI model meet any of the following criteria for systemic risk (Art. 51)?",
+                "type": "single_select",
+                "options": [
+                    "Yes — training compute exceeds 10^25 FLOPs",
+                    "Yes — designated as systemic risk by the European Commission (Art. 51(1)(b))",
+                    "No — standard GPAI model",
+                    "I don't know",
+                ],
+            },
+            {
+                "id": "gpai_open_source",
+                "text": "Is your GPAI model released under a free and open-source licence?",
+                "type": "single_select",
+                "options": [
+                    "Yes — open-source with publicly available model weights",
+                    "No — proprietary or restricted access",
+                ],
+                "note": "Open-source GPAI models have reduced obligations (only technical doc + copyright policy + training data summary). Exception does NOT apply if systemic risk.",
+            },
+        ],
+    },
+    # ── COLORADO AI ACT ──
+    "Colorado AI Act (SB 24-205)": {
+        "questions": [
+            {
+                "id": "co_consequential",
+                "text": "Does your AI system make or substantially influence consequential decisions in any of the following areas?",
+                "type": "multi_select",
+                "options": [
+                    "Education enrollment or opportunity",
+                    "Employment or employment opportunity",
+                    "Financial or lending services",
+                    "Government services or benefits",
+                    "Healthcare services",
+                    "Housing",
+                    "Insurance",
+                    "Legal services",
+                    "None of the above — system does not make consequential decisions",
+                ],
+            },
+            {
+                "id": "co_exception",
+                "text": "Does any of the following exceptions apply?",
+                "type": "multi_select",
+                "options": [
+                    "System is approved/regulated by a federal agency (FDA, FAA, etc.) with equivalent or stricter standards",
+                    "System performs only narrow procedural tasks without influencing consequential decisions",
+                    "System is used solely to detect, prevent, or mitigate discrimination or increase diversity",
+                    "System is used solely to detect decision-making patterns without replacing human judgment",
+                    "AI-powered chatbot (disclosure-only obligation)",
+                    "None of the above",
+                ],
+            },
+        ],
+    },
+    # ── TEXAS TRAIGA ──
+    "Texas TRAIGA (HB 1709)": {
+        "questions": [
+            {
+                "id": "tx_deployer",
+                "text": "Do you deploy a generative AI system that creates synthetic content (text, images, audio, video)?",
+                "type": "single_select",
+                "options": [
+                    "Yes — we deploy generative AI producing synthetic content",
+                    "No — our system does not generate synthetic content",
+                ],
+            },
+        ],
+    },
+    # ── UTAH AI POLICY ACT ──
+    "Utah AI Policy Act (SB 149)": {
+        "questions": [
+            {
+                "id": "ut_regulated",
+                "text": "Is your AI system used in a regulated occupation or industry in Utah (e.g. licensed professionals, insurance, financial services)?",
+                "type": "single_select",
+                "options": [
+                    "Yes — used in a regulated occupation/industry",
+                    "No — not used in regulated contexts",
+                ],
+            },
+            {
+                "id": "ut_interaction",
+                "text": "Does your AI system interact directly with consumers?",
+                "type": "single_select",
+                "options": [
+                    "Yes — direct consumer interaction",
+                    "No — no direct consumer interaction",
+                ],
+            },
+        ],
+    },
+    # ── CALIFORNIA ADMT ──
+    "California CCPA / ADMT Regulations": {
+        "questions": [
+            {
+                "id": "ca_threshold",
+                "text": "Does your organization meet the CCPA applicability thresholds?",
+                "type": "multi_select",
+                "options": [
+                    "Annual gross revenue exceeding $25 million",
+                    "Buys, sells, or shares personal information of 100,000+ California consumers/households/devices",
+                    "Derives 50%+ of annual revenue from selling/sharing personal information",
+                    "None of the above",
+                ],
+            },
+            {
+                "id": "ca_admt",
+                "text": "Does your AI system qualify as automated decision-making technology (ADMT) under the CPPA regulations?",
+                "type": "single_select",
+                "options": [
+                    "Yes — makes or assists decisions on employment, housing, education, health, insurance, financial, or legal matters",
+                    "Yes — processes personal information to profile consumers",
+                    "No — does not qualify as ADMT",
+                ],
+            },
+        ],
+    },
+    # ── ILLINOIS AI VIDEO INTERVIEW ──
+    "Illinois AI Video Interview Act (HB 3773)": {
+        "questions": [
+            {
+                "id": "il_video",
+                "text": "Does your AI system analyze video interviews of job applicants?",
+                "type": "single_select",
+                "options": [
+                    "Yes — AI analyzes applicant video interviews",
+                    "No",
+                ],
+            },
+        ],
+    },
+    # ── DIFC REGULATION 10 ──
+    "DIFC Regulation 10 (AI Processing)": {
+        "questions": [
+            {
+                "id": "difc_autonomous",
+                "text": "Does your AI system process personal data in an autonomous or semi-autonomous manner within the DIFC?",
+                "type": "single_select",
+                "options": [
+                    "Yes — autonomous/semi-autonomous processing of personal data in DIFC",
+                    "No",
+                ],
+            },
+            {
+                "id": "difc_commercial_high_risk",
+                "text": "Is the AI system used for commercial purposes and does it involve high-risk processing activities?",
+                "type": "single_select",
+                "options": [
+                    "Yes — commercial use with high-risk processing (e.g. profiling, automated decisions with legal effects, special category data, systematic monitoring)",
+                    "No — either non-commercial or no high-risk processing",
+                ],
+                "note": "High-risk commercial use triggers mandatory AI system certification and appointment of an Autonomous Systems Officer (ASO). Full enforcement from January 2026.",
+            },
+            {
+                "id": "difc_profiling",
+                "text": "Does the system involve any of the following?",
+                "type": "multi_select",
+                "options": [
+                    "Profiling of individuals",
+                    "Automated decision-making with legal or significant effects",
+                    "Processing of special categories of personal data (health, biometric, etc.)",
+                    "Systematic monitoring of individuals",
+                    "None of the above",
+                ],
+            },
+        ],
+    },
+}
+# ─────────────────────────────────────────────────
+# SECTION 2: OBLIGATIONS
+# Per regulation, per role, per risk level
+# ─────────────────────────────────────────────────
+OBLIGATIONS = {
+    # ════════════════════════════════════════════
+    # AI-SPECIFIC — FULL DEEP DIVE
+    # ═════════════════════════════════════════���══
+    "EU AI Act (Regulation 2024/1689)": {
+        "prohibited": {
+            "label": "Prohibited AI Practice (Art. 5)",
+            "obligations": [
+                "Immediately cease and remove the AI system from the EU market",
+                "Penalties: up to €35M or 7% of global annual turnover",
+            ],
+        },
+        "high_risk_provider": {
+            "label": "High-Risk AI System — Provider Obligations",
+            "obligations": [
+                "Art. 9 — Establish and maintain a risk management system throughout the AI system's lifecycle",
+                "Art. 10 — Implement data governance: training, validation, and testing datasets must be relevant, representative, and free of errors",
+                "Art. 11 — Prepare and maintain technical documentation (before placing on market and keep up to date)",
+                "Art. 12 — Enable automatic recording of events (logging) for traceability",
+                "Art. 13 — Design system for sufficient transparency to allow deployers to interpret output and use appropriately",
+                "Art. 14 — Design for effective human oversight, enabling human-machine interface tools",
+                "Art. 15 — Achieve appropriate levels of accuracy, robustness, and cybersecurity",
+                "Art. 17 — Establish and document a quality management system (QMS)",
+                "Art. 43 — Complete conformity assessment (self-assessment or third-party depending on Annex III category)",
+                "Art. 47 — Affix CE marking upon successful conformity assessment",
+                "Art. 49 — Register in EU database before placing on market",
+                "Art. 72 — Establish post-market monitoring system",
+                "Art. 73 — Report serious incidents to market surveillance authorities",
+            ],
+            "deadline": "August 2, 2026 (most obligations); August 2, 2027 (systems already on market)",
+            "penalty": "Up to €15M or 3% of global annual turnover",
+        },
+        "high_risk_deployer": {
+            "label": "High-Risk AI System — Deployer Obligations",
+            "obligations": [
+                "Art. 26(1) — Implement appropriate technical and organisational measures to use system in accordance with instructions",
+                "Art. 26(2) — Assign human oversight to competent, trained, authorised individuals",
+                "Art. 26(4) — Monitor operation and inform provider/distributor of risks or incidents",
+                "Art. 26(5) — Conduct a Fundamental Rights Impact Assessment (FRIA) before deploying high-risk systems in: law enforcement, migration, public services, education, employment, essential services",
+                "Art. 26(6) — Use system only for intended purpose as described in instructions of use",
+                "Art. 26(7) — Inform affected individuals that they are subject to high-risk AI system use",
+                "Art. 26(8) — Ensure human oversight is exercised effectively",
+                "Art. 26(11) — Keep logs automatically generated by the high-risk AI system for at least 6 months",
+            ],
+            "deadline": "August 2, 2026",
+            "penalty": "Up to €15M or 3% of global annual turnover",
+        },
+        "limited_risk": {
+            "label": "Limited Risk — Transparency Obligations (Art. 50)",
+            "obligations": [
+                "Art. 50(1) — Inform individuals that they are interacting with an AI system (unless obvious from context)",
+                "Art. 50(2) — Label AI-generated synthetic content (audio, image, video, text) in machine-readable format",
+                "Art. 50(3) — Deployers of emotion recognition or biometric categorisation must inform exposed individuals",
+                "Art. 50(4) — Deployers of deepfake systems must disclose content is AI-generated (exception: artistic/satirical freedom with editorial safeguards)",
+            ],
+            "deadline": "August 2, 2025",
+            "penalty": "Up to €15M or 3% of global annual turnover",
+        },
+        "minimal_risk": {
+            "label": "Minimal Risk",
+            "obligations": [
+                "Art. 4 — Ensure AI literacy: staff and operators must have sufficient understanding of AI systems they develop or use",
+            ],
+            "deadline": "February 2, 2025 (AI literacy)",
+        },
+    },
+    "EU AI Act — GPAI Framework (Chapter V)": {
+        "gpai_standard": {
+            "label": "GPAI Model — Standard Obligations (Art. 53)",
+            "obligations": [
+                "Art. 53(1)(a) — Prepare and maintain technical documentation of the model including training and testing process",
+                "Art. 53(1)(b) — Prepare information and documentation for downstream providers integrating the model",
+                "Art. 53(1)(c) — Establish a policy to comply with EU Copyright Directive (including text and data mining opt-out)",
+                "Art. 53(1)(d) — Publish a sufficiently detailed summary of training data content",
+            ],
+        },
+        "gpai_systemic": {
+            "label": "GPAI Model with Systemic Risk — Additional Obligations (Art. 55)",
+            "obligations": [
+                "Art. 55(1)(a) — Perform model evaluation including adversarial testing",
+                "Art. 55(1)(b) — Assess and mitigate systemic risks",
+                "Art. 55(1)(c) — Track, document and report serious incidents to AI Office and national authorities",
+                "Art. 55(1)(d) — Ensure adequate level of cybersecurity protection",
+                "All standard GPAI obligations (Art. 53) also apply",
+            ],
+        },
+        "gpai_open_source": {
+            "label": "Open-Source GPAI Model — Reduced Obligations",
+            "obligations": [
+                "Art. 53(2) — Only technical documentation and copyright compliance policy required",
+                "Training data summary still required",
+                "If model has systemic risk: full Art. 53 + Art. 55 obligations apply regardless of open-source status",
+            ],
+        },
+    },
+    "Colorado AI Act (SB 24-205)": {
+        "developer": {
+            "label": "Developer Obligations",
+            "obligations": [
+                "Make available to deployers a general statement of reasonably foreseeable uses and known harmful uses",
+                "Provide high-level summary of training data used",
+                "Provide documentation on known limitations and how the system was evaluated for performance and bias",
+                "Publish on website a statement describing types of high-risk AI systems developed and risk management practices",
+                "Report known or reasonably foreseeable risks of algorithmic discrimination to the Colorado Attorney General and deployers",
+            ],
+        },
+        "deployer": {
+            "label": "Deployer Obligations",
+            "obligations": [
+                "Implement a risk management policy and program governing deployment of high-risk AI",
+                "Complete an annual impact assessment for each high-risk AI system",
+                "Disclose to consumers: when they are interacting with an AI system, when AI is a substantial factor in a consequential decision, and that they can request human review",
+                "Provide consumers with an explanation of the decision, right to correct data, and right to appeal",
+                "Notify the Attorney General within 90 days of discovering algorithmic discrimination",
+                "Review AI system outputs for algorithmic discrimination",
+            ],
+        },
+        "affirmative_defense": "Compliance with NIST AI RMF or equivalent recognised framework may serve as an affirmative defense",
+        "deadline": "June 30, 2026 (delayed from Feb 1, 2026)",
+        "penalty": "Violations treated as unfair trade practices under Colorado Consumer Protection Act",
+    },
+    "Texas TRAIGA (HB 1709)": {
+        "deployer": {
+            "label": "Deployer Obligations",
+            "obligations": [
+                "Disclose to each person that content is generated by AI when deploying generative AI producing synthetic content",
+                "Mark or label AI-generated content with clear disclosure",
+                "Prohibition on using generative AI to create materially deceptive content intended to influence elections",
+            ],
+        },
+        "deadline": "September 1, 2025",
+    },
+    "Utah AI Policy Act (SB 149)": {
+        "all_operators": {
+            "label": "All AI Operators — Disclosure Obligations",
+            "obligations": [
+                "Disclose to individuals that they are interacting with generative AI (if direct interaction)",
+                "Regulated occupations: clearly disclose use of AI when providing services in a regulated industry",
+                "Prohibition on using AI to represent that a person is a licensed professional if they are not",
+            ],
+        },
+        "deadline": "May 1, 2024 (already in effect)",
+    },
+    "California CCPA / ADMT Regulations": {
+        "deployer": {
+            "label": "ADMT Deployer Obligations",
+            "obligations": [
+                "Pre-use notice: inform consumers about ADMT use before processing begins",
+                "Right to opt out: provide mechanism for consumers to opt out of ADMT for significant decisions",
+                "Access request: respond to consumer requests about ADMT logic and outputs",
+                "Impact assessment: conduct and document risk assessment for ADMT use cases with significant effects",
+                "Non-discrimination: ensure ADMT does not result in differential treatment based on protected characteristics",
+            ],
+        },
+        "threshold_note": "Applies only to businesses meeting CCPA thresholds: $25M+ revenue, 100K+ consumers data, or 50%+ revenue from data sales",
+    },
+    "Illinois AI Video Interview Act (HB 3773)": {
+        "employer": {
+            "label": "Employer Obligations",
+            "obligations": [
+                "Notify each applicant that AI will be used to analyze the video interview",
+                "Provide information on how the AI works and what characteristics it evaluates",
+                "Obtain consent from the applicant before using AI analysis",
+                "Limit sharing of video: only persons whose expertise is necessary to evaluate applicant may view",
+                "Destroy video within 30 days of applicant's request",
+                "Report demographic data on applicants to the Department of Commerce annually (if >500 employees)",
+            ],
+        },
+    },
+    "DIFC Regulation 10 (AI Processing)": {
+        "deployer_operator": {
+            "label": "Deployer / Operator — General Obligations",
+            "obligations": [
+                "Provide clear and explicit notice to users at initial use: explain the AI technology, whether it operates autonomously, and its impact on privacy rights",
+                "Design and operate the AI system in accordance with principles of ethics, fairness, transparency, security, and accountability",
+                "Conduct a mandatory Data Protection Impact Assessment (DPIA) specifically addressing AI-related risks and mitigation strategies",
+                "Implement human oversight mechanisms for automated decision-making",
+                "Ensure data subjects can challenge AI system outcomes and request human review",
+                "Be able to explain AI processing in non-technical terms with supporting evidence",
+                "Maintain records of AI processing activities",
+                "Implement data protection by design and by default for AI systems",
+                "Monitor AI system outputs for accuracy, fairness, and bias",
+            ],
+        },
+        "high_risk": {
+            "label": "High-Risk AI Processing — Additional Obligations",
+            "obligations": [
+                "Obtain AI system certification under the DIFC Commissioner's certification scheme (certification is system-specific, not entity-specific)",
+                "Appoint an Autonomous Systems Officer (ASO) with substantially similar status, competencies, and tasks as a Data Protection Officer (DPO) — the same person may serve as both ASO and DPO if competencies align",
+                "The ASO must monitor AI compliance, conduct DPIAs, review risks with senior management, and make recommendations for accountability",
+                "Ensure the AI system processes personal data solely for human-defined or human-approved purposes",
+                "Report significant findings from impact assessments to the DIFC Commissioner of Data Protection",
+            ],
+            "note": "Full enforcement of high-risk processing requirements from January 2026.",
+        },
+    },
+    # ════════════════════════════════════════════
+    # PRIVACY — KEY OBLIGATIONS (AI-relevant)
+    # ════════════════════════════════════════════
+    "GDPR (Regulation 2016/679)": {
+        "key_obligations": [
+            "Art. 6 — Establish a lawful basis for processing personal data (consent, legitimate interest, contract, etc.)",
+            "Art. 13-14 — Transparency: inform data subjects about processing, purpose, recipients, and rights",
+            "Art. 22 — Right not to be subject to solely automated decisions with legal/significant effects; right to human intervention",
+            "Art. 25 — Data protection by design and by default",
+            "Art. 30 — Maintain records of processing activities",
+            "Art. 35 — Conduct a Data Protection Impact Assessment (DPIA) when processing likely to result in high risk",
+            "Art. 37 — Appoint a Data Protection Officer (DPO) if required (public authority, large-scale monitoring, special categories)",
+            "Art. 5(1)(c) — Data minimisation: process only what is necessary for specified purpose",
+        ],
+        "ai_relevant_note": "DPIA under Art. 35 GDPR can be combined with FRIA under EU AI Act Art. 26(5) into a single assessment document.",
+    },
+    "ePrivacy Directive (2002/58/EC)": {
+        "key_obligations": [
+            "Obtain consent for use of cookies and tracking technologies on AI interfaces",
+            "Ensure confidentiality of electronic communications processed by AI systems",
+            "Restrictions on processing traffic and location data for AI purposes without consent",
+        ],
+    },
+    "UAE Federal PDPL (Decree-Law 45/2021)": {
+        "key_obligations": [
+            "Establish a lawful basis for processing personal data in the UAE",
+            "Obtain explicit consent for processing sensitive personal data",
+            "Inform data subjects about processing purposes, categories, and rights",
+            "Implement appropriate security measures for personal data",
+            "Restrict cross-border transfer of personal data (adequacy or safeguards required)",
+            "Data subjects have the right to object to automated decision-making including profiling",
+        ],
+    },
+    "DIFC Data Protection Law (Law No. 5 of 2020)": {
+        "key_obligations": [
+            "Register with the DIFC Commissioner of Data Protection",
+            "Establish a lawful basis for processing (consent, contract, legitimate interests, etc.)",
+            "Conduct DPIA for high-risk processing activities",
+            "Appoint a DPO if required",
+            "Implement data protection by design and by default",
+            "Data subjects have the right not to be subject to solely automated decisions with legal effects",
+        ],
+        "ai_relevant_note": "DPIA under DIFC DPL should be coordinated with Algorithmic Impact Assessment under Regulation 10.",
+    },
+    "ADGM Data Protection Regulations 2021": {
+        "key_obligations": [
+            "Register with the ADGM Office of Data Protection",
+            "Establish a lawful basis for processing",
+            "Conduct risk assessment for high-risk processing",
+            "Implement appropriate safeguards for cross-border transfers",
+            "Data subjects have right to object to automated decision-making",
+        ],
+    },
+    "State Data Protection Laws (CCPA, CTDPA, etc.)": {
+        "key_obligations": [
+            "Right to know: inform consumers what personal information is collected and how it is used",
+            "Right to delete: honor consumer requests to delete personal data",
+            "Right to opt-out of sale/sharing of personal information",
+            "Right to opt-out of automated decision-making (CCPA ADMT)",
+            "Conduct data protection risk assessments for high-risk processing",
+        ],
+    },
+    "HIPAA (Health Insurance Portability and Accountability Act)": {
+        "key_obligations": [
+            "Ensure AI systems handling Protected Health Information (PHI) comply with Privacy Rule",
+            "Implement Security Rule administrative, physical, and technical safeguards for ePHI",
+            "Execute Business Associate Agreements (BAA) with AI vendors processing PHI",
+            "Minimum necessary: limit AI access to only the PHI needed for the specific function",
+        ],
+    },
+    "COPPA (Children's Online Privacy Protection Act)": {
+        "key_obligations": [
+            "Obtain verifiable parental consent before collecting personal information from children under 13",
+            "Provide parents with notice of data practices and right to review/delete child's data",
+            "Limit data collection to what is reasonably necessary for the AI system's activity",
+            "Implement reasonable security measures for children's personal data",
+        ],
+    },
+    "FERPA (Family Educational Rights and Privacy Act)": {
+        "key_obligations": [
+            "Obtain consent before disclosing student education records to AI system providers (unless exception applies)",
+            "Ensure AI vendors qualify as 'school officials' with legitimate educational interest if processing student records",
+            "Maintain student right to inspect and request correction of education records used by AI",
+        ],
+    },
+    "Illinois BIPA (Biometric Information Privacy Act)": {
+        "key_obligations": [
+            "Develop and publish a written biometric data retention/destruction policy",
+            "Obtain informed written consent before collecting biometric identifiers",
+            "Provide specific disclosures about collection purpose and retention period",
+            "Prohibition on selling, leasing, or profiting from biometric data",
+            "Private right of action: individuals can sue for statutory damages ($1,000-$5,000 per violation)",
+        ],
+    },
+    # ════════════════════════════════════════════
+    # OTHERS — AWARENESS FLAGS
+    # ════════════════════════════════════════════
+    "Copyright Directive (2019/790)": {
+        "flags": [
+            "Art. 4 — Text and data mining (TDM) exception for research organisations and cultural heritage institutions",
+            "Art. 4 — Commercial TDM allowed unless rightsholder has expressly reserved rights (opt-out)",
+            "Training AI on copyrighted content requires compliance with TDM provisions",
+            "Consult legal counsel on licensing requirements for training data",
+        ],
+    },
+    "NIS2 Directive (2022/2555)": {
+        "flags": [
+            "Entities operating AI in essential/important sectors must implement cybersecurity risk management measures",
+            "Incident reporting obligations to national CSIRT within 24 hours (early warning) and 72 hours (full notification)",
+            "Supply chain security requirements apply to AI component providers",
+            "Consult legal counsel for sector-specific NIS2 implementation in your Member State",
+        ],
+    },
+    "Product Liability Directive (2024/2853)": {
+        "flags": [
+            "AI software is classified as a 'product' — standalone liability for defective AI",
+            "Defectiveness can be presumed if provider fails to disclose information or comply with safety requirements",
+            "Strict liability for providers — no need to prove fault",
+            "2-year transposition period — Member States must implement by late 2026",
+        ],
+    },
+    "Equal Treatment Directives": {
+        "flags": [
+            "AI systems making or supporting employment, education, or service decisions must not discriminate on protected grounds",
+            "Applies to gender (2006/54/EC), racial/ethnic origin (2000/43/EC), religion/age/disability/sexual orientation (2000/78/EC)",
+            "Indirect discrimination through AI proxy variables (e.g. postal code correlating with ethnicity) can be unlawful",
+        ],
+    },
+    "Consumer Rights Directive / GPSR": {
+        "flags": [
+            "AI systems interacting directly with consumers must provide clear pre-contractual information",
+            "General Product Safety Regulation (2023/988) applies to consumer-facing AI products",
+            "Safety obligations throughout product lifecycle including post-market monitoring",
+        ],
+    },
+    "Medical Device Regulation (MDR 2017/745)": {
+        "flags": [
+            "AI-based clinical decision support, diagnostic or therapeutic systems may qualify as medical devices",
+            "Requires CE marking via conformity assessment (self-assessment or Notified Body depending on class)",
+            "Clinical evaluation and post-market clinical follow-up required",
+            "Dual regulation: MDR + AI Act apply simultaneously for AI-based medical devices",
+        ],
+    },
+    "Machinery Regulation (2023/1230)": {
+        "flags": [
+            "AI-integrated robots, drones, autonomous vehicles and industrial machinery must comply",
+            "Safety components with AI that learn or evolve are classified as high-risk machinery",
+            "New cybersecurity requirements for connected machinery throughout lifecycle",
+            "Conformity assessment required — self-assessment or third-party depending on Annex I category",
+            "Applies from January 20, 2027 (replaces Machinery Directive 2006/42/EC)",
+        ],
+    },
+    "Digital Services Act (DSA 2022/2065)": {
+        "flags": [
+            "Online platforms using algorithmic recommendation systems must offer non-profiling alternative",
+            "Transparency obligations: provide information on recommendation system parameters",
+            "Systemic risk assessment required for very large online platforms (>45M EU users)",
+            "Content moderation decisions using AI must be explained to affected users",
+        ],
+    },
+    "Radio Equipment Directive (RED 2014/53)": {
+        "flags": [
+            "Connected devices with AI must meet cybersecurity, data protection, and anti-fraud requirements",
+            "Delegated acts require compliance with privacy-by-design for radio equipment processing personal data",
+            "Applies to IoT devices, wearables, smart home devices with embedded AI",
+        ],
+    },
+    "FTC Act Section 5 (Unfair/Deceptive Practices)": {
+        "flags": [
+            "FTC has actively pursued enforcement against deceptive or unfair AI practices",
+            "AI systems must not deceive consumers about capabilities, data use, or human involvement",
+            "Unfair practices include AI systems causing substantial consumer injury",
+            "FTC guidance emphasises transparency, fairness, and accountability in AI",
+        ],
+    },
+    "Title VII (Civil Rights Act)": {
+        "flags": [
+            "AI-driven employment decisions must not result in disparate treatment or disparate impact based on race, color, religion, sex, or national origin",
+            "EEOC has issued guidance on AI and algorithmic hiring tools",
+            "Employers are liable for discriminatory AI even if provided by a third-party vendor",
+        ],
+    },
+    "ADA (Americans with Disabilities Act)": {
+        "flags": [
+            "AI systems in employment and public accommodation must not discriminate against individuals with disabilities",
+            "Reasonable accommodation obligations extend to AI-driven processes",
+            "AI accessibility requirements for public-facing systems",
+        ],
+    },
+    "ECOA (Equal Credit Opportunity Act)": {
+        "flags": [
+            "AI credit scoring and lending decisions must not discriminate on prohibited bases",
+            "Adverse action notices required when AI contributes to credit denial",
+            "Model explainability requirements for credit decisions",
+        ],
+    },
+    "FCRA (Fair Credit Reporting Act)": {
+        "flags": [
+            "AI systems generating consumer reports must ensure accuracy",
+            "Consumers have right to dispute inaccurate AI-generated information",
+            "Permissible purpose requirements apply to AI-based consumer report use",
+        ],
+    },
+    "Fair Housing Act": {
+        "flags": [
+            "AI in housing advertising, tenant screening, and lending must not discriminate",
+            "Algorithmic redlining and proxy discrimination are enforceable violations",
+            "HUD has investigated algorithmic discrimination in housing platforms",
+        ],
+    },
+    "Copyright Law (Decree-Law 38/2021) — No TDM exception": {
+        "flags": [
+            "CRITICAL: UAE has no text and data mining exception — all training data must be licensed",
+            "Using copyrighted content to train AI models without licence is potentially infringing",
+            "Consult legal counsel on licensing requirements for all training data used in UAE context",
+        ],
+    },
+    "Cybercrime Law (Decree-Law 34/2021)": {
+        "flags": [
+            "Art. 42 — Creating or disseminating deepfakes or manipulated content using AI is a criminal offence",
+            "Unauthorised access to AI systems or data is punishable",
+            "Interception of electronic communications by AI systems without authorisation is prohibited",
+        ],
+    },
+    "Civil Transactions Law (Federal Law 5/1985)": {
+        "flags": [
+            "Art. 292 — 'Guardian of things' doctrine may apply to AI system operators for harm caused",
+            "General tort liability framework applies to AI-caused damage",
+            "No AI-specific liability framework yet — general civil law applies",
+        ],
+    },
+    "Consumer Protection (Federal Law 15/2020)": {
+        "flags": [
+            "AI interacting with consumers must not engage in deceptive or misleading practices",
+            "Product safety requirements apply to AI-powered consumer products",
+        ],
+    },
+    "Anti-Discrimination (Decree-Law 34/2023)": {
+        "flags": [
+            "Prohibition of discrimination based on race, colour, ethnic origin, religion, or disability applies to AI decisions",
+            "Potential liability if AI system produces discriminatory outcomes in UAE",
+        ],
+    },
+    "Labour Law (Decree-Law 33/2021)": {
+        "flags": [
+            "AI in employment (hiring, monitoring, evaluation, termination) must respect worker rights",
+            "Workplace surveillance using AI must be proportionate and disclosed to employees",
+            "Worker data processed by AI subject to data protection obligations",
+        ],
+    },
+}
+# ─────────────────────────────────────────────────
+# SECTION 3: OVERLAP ANALYSIS
+# Obligations that can be combined across regulations
+# ─────────────────────────────────────────────────
+OVERLAP_ANALYSIS = [
+    {
+        "id": "dpia_fria",
+        "title": "Impact Assessment — GDPR DPIA + EU AI Act FRIA",
+        "regulations": ["GDPR (Regulation 2016/679)", "EU AI Act (Regulation 2024/1689)"],
+        "recommendation": "Combine the GDPR Data Protection Impact Assessment (Art. 35) with the EU AI Act Fundamental Rights Impact Assessment (Art. 26(5)) into a single comprehensive assessment document. The AI Act FRIA builds on DPIA requirements — a unified document avoids duplication and ensures both legal bases are covered.",
+        "shared_elements": [
+            "Description of processing/AI system and purpose",
+            "Assessment of necessity and proportionality",
+            "Risk assessment to rights and freedoms",
+            "Mitigation measures",
+            "Monitoring and review mechanisms",
+        ],
+    },
+    {
+        "id": "dpia_difc_aia",
+        "title": "Impact Assessment — DIFC DPL DPIA + DIFC Regulation 10 AIA",
+        "regulations": ["DIFC Data Protection Law (Law No. 5 of 2020)", "DIFC Regulation 10 (AI Processing)"],
+        "recommendation": "Combine the DIFC Data Protection Law DPIA with the Regulation 10 Algorithmic Impact Assessment into a single document. Both require risk assessment of personal data processing with overlapping content requirements.",
+        "shared_elements": [
+            "Description of AI processing activities",
+            "Assessment of risks to data subjects",
+            "Fairness, accuracy, and bias evaluation",
+            "Mitigation and monitoring measures",
+        ],
+    },
+    {
+        "id": "transparency_multi",
+        "title": "Transparency Obligations — EU AI Act + GDPR + Consumer Rights",
+        "regulations": ["EU AI Act (Regulation 2024/1689)", "GDPR (Regulation 2016/679)", "Consumer Rights Directive / GPSR"],
+        "recommendation": "Consolidate transparency disclosures: AI Act Art. 50 (AI interaction/content disclosure), GDPR Art. 13-14 (data processing information), and Consumer Rights Directive (pre-contractual information) can be delivered through a unified transparency notice.",
+        "shared_elements": [
+            "Disclosure that user is interacting with AI",
+            "Purpose and logic of processing",
+            "Data categories used",
+            "Rights available to individuals",
+        ],
+    },
+    {
+        "id": "human_oversight_multi",
+        "title": "Human Oversight — EU AI Act + GDPR Art. 22 + Colorado",
+        "regulations": ["EU AI Act (Regulation 2024/1689)", "GDPR (Regulation 2016/679)", "Colorado AI Act (SB 24-205)"],
+        "recommendation": "Implement a unified human oversight mechanism that satisfies: EU AI Act Art. 14 (human oversight for high-risk), GDPR Art. 22 (right to human intervention in automated decisions), and Colorado's requirement for human review of consequential decisions. A single human-in-the-loop process can address all three.",
+        "shared_elements": [
+            "Right to request human review",
+            "Competent, trained human reviewers",
+            "Ability to override AI decisions",
+            "Documentation of human oversight process",
+        ],
+    },
+    {
+        "id": "risk_management_multi",
+        "title": "Risk Management — EU AI Act + Colorado + NIST AI RMF",
+        "regulations": ["EU AI Act (Regulation 2024/1689)", "Colorado AI Act (SB 24-205)"],
+        "recommendation": "Build your risk management system on the NIST AI Risk Management Framework, which serves as an affirmative defense under Colorado law and aligns closely with EU AI Act Art. 9 requirements. One framework can satisfy both jurisdictions.",
+        "shared_elements": [
+            "Risk identification and assessment",
+            "Bias and discrimination testing",
+            "Documentation and record-keeping",
+            "Monitoring and continuous improvement",
+        ],
+    },
+    {
+        "id": "bias_testing_multi",
+        "title": "Bias & Discrimination Testing — Colorado + Title VII + EU Equal Treatment",
+        "regulations": ["Colorado AI Act (SB 24-205)", "Title VII (Civil Rights Act)", "Equal Treatment Directives"],
+        "recommendation": "Implement a unified bias testing programme covering protected characteristics across both US and EU frameworks. Test for disparate impact (US) and indirect discrimination (EU) simultaneously using the same test suite.",
+        "shared_elements": [
+            "Testing across protected characteristics",
+            "Disparate impact / indirect discrimination analysis",
+            "Documentation of results and remediation",
+            "Ongoing monitoring post-deployment",
+        ],
+    },
+    {
+        "id": "incident_reporting",
+        "title": "Incident Reporting — EU AI Act + NIS2 + GDPR",
+        "regulations": ["EU AI Act (Regulation 2024/1689)", "NIS2 Directive (2022/2555)", "GDPR (Regulation 2016/679)"],
+        "recommendation": "Create a unified incident response plan covering: AI serious incidents (AI Act Art. 73), cybersecurity incidents (NIS2 — 24h/72h), and personal data breaches (GDPR Art. 33 — 72h). Parallel notification channels but shared internal triage process.",
+        "shared_elements": [
+            "Internal incident detection and triage",
+            "Root cause analysis",
+            "Notification to authorities within required timeframes",
+            "Remediation and documentation",
+        ],
+    },
+    {
+        "id": "technical_documentation",
+        "title": "Technical Documentation — EU AI Act + GPAI + Machinery Regulation",
+        "regulations": ["EU AI Act (Regulation 2024/1689)", "EU AI Act — GPAI Framework (Chapter V)", "Machinery Regulation (2023/1230)"],
+        "recommendation": "Structure technical documentation to satisfy EU AI Act Annex IV (high-risk) or Annex XI (GPAI), and if applicable, Machinery Regulation Annex III requirements in a single document set. Significant overlap in system description, risk analysis, and testing documentation.",
+        "shared_elements": [
+            "System description and intended purpose",
+            "Risk analysis and mitigation",
+            "Design and development process",
+            "Testing and validation results",
+        ],
+    },
+]
+# ─────────────────────────────────────────────────
+# SECTION 4: GAP ANALYSIS (AI-specific only)
+# Coverage % when compliant with regulation A,
+# what % of regulation B is already met
+# ─────────────────────────────────────────────────
+# Matrix format: GAP_ANALYSIS[source_reg][target_reg] = coverage %
+# Read as: "If compliant with source_reg, you cover X% of target_reg"
+GAP_ANALYSIS = {
+    "EU AI Act (Regulation 2024/1689)": {
+        "Colorado AI Act (SB 24-205)": {
+            "coverage": 72,
+            "covered": [
+                "Risk management system maps to Colorado's risk management policy requirement",
+                "Technical documentation satisfies Colorado's documentation obligations",
+                "Human oversight provisions cover Colorado's human review requirements",
+                "Post-market monitoring aligns with ongoing discrimination testing",
+            ],
+            "gaps": [
+                "Colorado-specific annual impact assessment format",
+                "Colorado-specific consumer notification requirements (right to explanation, right to appeal)",
+                "Attorney General notification within 90 days of discovering discrimination",
+                "Colorado's affirmative defense documentation (NIST AI RMF compliance)",
+            ],
+        },
+        "Texas TRAIGA (HB 1709)": {
+            "coverage": 85,
+            "covered": [
+                "AI Act Art. 50 transparency obligations largely cover Texas disclosure requirements",
+                "AI-generated content labelling satisfies Texas synthetic content marking",
+            ],
+            "gaps": [
+                "Texas-specific election-related prohibition on deceptive AI content",
+            ],
+        },
+        "Utah AI Policy Act (SB 149)": {
+            "coverage": 80,
+            "covered": [
+                "AI Act transparency obligations cover Utah disclosure requirements",
+                "AI system documentation supports Utah regulated-industry disclosures",
+            ],
+            "gaps": [
+                "Utah-specific regulated occupation disclosure format",
+            ],
+        },
+        "California CCPA / ADMT Regulations": {
+            "coverage": 60,
+            "covered": [
+                "Risk management and documentation align with California impact assessment requirements",
+                "Transparency provisions overlap with pre-use notice requirements",
+            ],
+            "gaps": [
+                "CCPA-specific consumer opt-out mechanism for ADMT",
+                "California-specific access request response procedures",
+                "CCPA threshold applicability analysis ($25M / 100K consumers)",
+            ],
+        },
+        "Illinois AI Video Interview Act (HB 3773)": {
+            "coverage": 50,
+            "covered": [
+                "Transparency obligations partially cover Illinois notification requirements",
+            ],
+            "gaps": [
+                "Illinois-specific informed written consent for video analysis",
+                "30-day video destruction requirement on applicant request",
+                "Annual demographic reporting to Department of Commerce",
+            ],
+        },
+        "DIFC Regulation 10 (AI Processing)": {
+            "coverage": 74,
+            "covered": [
+                "Risk management system maps to DIFC Algorithmic Impact Assessment",
+                "Human oversight requirements align",
+                "Transparency and explainability provisions align",
+                "Post-market monitoring covers ongoing monitoring requirement",
+            ],
+            "gaps": [
+                "DIFC-specific registration with Commissioner of Data Protection",
+                "DIFC-specific AIA format and reporting requirements",
+                "DIFC DPL compliance (separate from Regulation 10)",
+            ],
+        },
+    },
+    "Colorado AI Act (SB 24-205)": {
+        "EU AI Act (Regulation 2024/1689)": {
+            "coverage": 55,
+            "covered": [
+                "Risk management policy partially satisfies EU AI Act Art. 9",
+                "Impact assessment partially covers FRIA requirements",
+                "Algorithmic discrimination testing aligns with bias requirements",
+            ],
+            "gaps": [
+                "EU AI Act conformity assessment and CE marking",
+                "Technical documentation to EU Annex IV standard",
+                "Quality Management System (QMS)",
+                "EU database registration",
+                "Post-market monitoring system to EU standard",
+                "Serious incident reporting to EU authorities",
+                "Data governance requirements (Art. 10)",
+            ],
+        },
+        "DIFC Regulation 10 (AI Processing)": {
+            "coverage": 65,
+            "covered": [
+                "Impact assessment maps to Algorithmic Impact Assessment",
+                "Risk management policy aligns",
+                "Bias testing covers fairness monitoring",
+            ],
+            "gaps": [
+                "DIFC-specific data protection requirements",
+                "DIFC Commissioner registration and reporting",
+                "DIFC-specific consent and transparency requirements",
+            ],
+        },
+    },
+    "DIFC Regulation 10 (AI Processing)": {
+        "EU AI Act (Regulation 2024/1689)": {
+            "coverage": 45,
+            "covered": [
+                "Algorithmic Impact Assessment partially covers FRIA",
+                "Human oversight requirements align",
+                "Transparency requirements partially align",
+            ],
+            "gaps": [
+                "Full conformity assessment and CE marking",
+                "Technical documentation to EU standard",
+                "Quality Management System",
+                "EU database registration",
+                "Post-market monitoring to EU standard",
+                "Data governance (Art. 10) — specific training data requirements",
+                "Logging and record-keeping to EU specification",
+            ],
+        },
+        "Colorado AI Act (SB 24-205)": {
+            "coverage": 55,
+            "covered": [
+                "Algorithmic Impact Assessment maps to annual impact assessment",
+                "Fairness monitoring covers discrimination testing",
+                "Transparency requirements partially align",
+            ],
+            "gaps": [
+                "Colorado-specific consumer notification format",
+                "Attorney General notification requirement",
+                "Colorado-specific affirmative defense documentation",
+            ],
+        },
+    },
+}
+# ─────────────────────────────────────────────────
+# SECTION 5: REGULATION URLS
+# ─────────────────────────────────────────────────
+REGULATION_URLS = {
+    "EU AI Act (Regulation 2024/1689)": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj",
+    "EU AI Act — GPAI Framework (Chapter V)": "https://eur-lex.europa.eu/eli/reg/2024/1689/oj",
+    "Colorado AI Act (SB 24-205)": "https://leg.colorado.gov/bills/sb24-205",
+    "Texas TRAIGA (HB 1709)": "https://capitol.texas.gov/BillLookup/History.aspx?LegSess=89R&Bill=HB1709",
+    "Utah AI Policy Act (SB 149)": "https://le.utah.gov/~2024/bills/static/SB0149.html",
+    "California CCPA / ADMT Regulations": "https://cppa.ca.gov/regulations/",
+    "Illinois AI Video Interview Act (HB 3773)": "https://www.ilga.gov/legislation/publicacts/fulltext.asp?Name=101-0260",
+    "DIFC Regulation 10 (AI Processing)": "https://www.difc.ae/business/laws-regulations/data-protection/",
+    "GDPR (Regulation 2016/679)": "https://eur-lex.europa.eu/eli/reg/2016/679/oj",
+    "ePrivacy Directive (2002/58/EC)": "https://eur-lex.europa.eu/eli/dir/2002/58/oj",
+    "UAE Federal PDPL (Decree-Law 45/2021)": "https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws",
+    "DIFC Data Protection Law (Law No. 5 of 2020)": "https://www.difc.ae/business/laws-regulations/data-protection/",
+    "ADGM Data Protection Regulations 2021": "https://en.adgm.thomsonreuters.com/rulebook/data-protection-regulations-2021",
+    "State Data Protection Laws (CCPA, CTDPA, etc.)": "https://cppa.ca.gov/regulations/",
+    "HIPAA (Health Insurance Portability and Accountability Act)": "https://www.hhs.gov/hipaa/index.html",
+    "COPPA (Children's Online Privacy Protection Act)": "https://www.ftc.gov/legal-library/browse/rules/childrens-online-privacy-protection-rule-coppa",
+    "FERPA (Family Educational Rights and Privacy Act)": "https://www2.ed.gov/policy/gen/guid/fpco/ferpa/index.html",
+    "Illinois BIPA (Biometric Information Privacy Act)": "https://www.ilga.gov/legislation/ilcs/ilcs3.asp?ActID=3004",
+    "Copyright Directive (2019/790)": "https://eur-lex.europa.eu/eli/dir/2019/790/oj",
+    "NIS2 Directive (2022/2555)": "https://eur-lex.europa.eu/eli/dir/2022/2555/oj",
+    "Product Liability Directive (2024/2853)": "https://eur-lex.europa.eu/eli/dir/2024/2853/oj",
+    "Equal Treatment Directives": "https://eur-lex.europa.eu/eli/dir/2000/78/oj",
+    "Consumer Rights Directive / GPSR": "https://eur-lex.europa.eu/eli/reg/2023/988/oj",
+    "Medical Device Regulation (MDR 2017/745)": "https://eur-lex.europa.eu/eli/reg/2017/745/oj",
+    "Machinery Regulation (2023/1230)": "https://eur-lex.europa.eu/eli/reg/2023/1230/oj",
+    "Digital Services Act (DSA 2022/2065)": "https://eur-lex.europa.eu/eli/reg/2022/2065/oj",
+    "Radio Equipment Directive (RED 2014/53)": "https://eur-lex.europa.eu/eli/dir/2014/53/oj",
+    "FTC Act Section 5 (Unfair/Deceptive Practices)": "https://www.ftc.gov/legal-library/browse/statutes/federal-trade-commission-act",
+    "Title VII (Civil Rights Act)": "https://www.eeoc.gov/statutes/title-vii-civil-rights-act-1964",
+    "ADA (Americans with Disabilities Act)": "https://www.ada.gov/law-and-regs/ada/",
+    "ECOA (Equal Credit Opportunity Act)": "https://www.consumerfinance.gov/rules-policy/regulations/1002/",
+    "FCRA (Fair Credit Reporting Act)": "https://www.ftc.gov/legal-library/browse/statutes/fair-credit-reporting-act",
+    "Fair Housing Act": "https://www.justice.gov/crt/fair-housing-act-1",
+    "Copyright Law (Decree-Law 38/2021) — No TDM exception": "https://u.ae/en/about-the-uae/digital-uae/data/data-protection-laws",
+    "Cybercrime Law (Decree-Law 34/2021)": "https://u.ae/en/information-and-services/justice-safety-and-the-law/cyber-safety-and-digital-security",
+    "Civil Transactions Law (Federal Law 5/1985)": "https://elaws.moj.gov.ae/",
+    "Consumer Protection (Federal Law 15/2020)": "https://u.ae/en/information-and-services/business/consumer-protection",
+    "Anti-Discrimination (Decree-Law 34/2023)": "https://u.ae/en/information-and-services/social-affairs/combating-discrimination-and-hatred",
+    "Labour Law (Decree-Law 33/2021)": "https://u.ae/en/information-and-services/jobs/labour-law-and-general-information",
+}
+# ─────────────────────────────────────────────────
+# SECTION 6: OTHER REGULATIONS — ONE-LINERS
+# ─────────────────────────────────────────────────
+OTHER_REG_ONE_LINERS = {
+    "Copyright Directive (2019/790)": "Text and data mining for AI training requires compliance with opt-out provisions — commercial use needs rightsholder permission unless research exception applies.",
+    "NIS2 Directive (2022/2555)": "AI systems in essential/important sectors must meet cybersecurity risk management and incident reporting obligations.",
+    "Product Liability Directive (2024/2853)": "AI software is a 'product' under EU law — providers face strict liability for defective AI without needing to prove fault.",
+    "Equal Treatment Directives": "AI-driven decisions in employment, education, or services must not discriminate on protected grounds (gender, race, age, disability, religion).",
+    "Consumer Rights Directive / GPSR": "Consumer-facing AI products must provide clear pre-contractual information and meet general product safety requirements.",
+    "Medical Device Regulation (MDR 2017/745)": "AI-based diagnostic, clinical decision support, or therapeutic systems may require CE marking as medical devices.",
+    "Machinery Regulation (2023/1230)": "AI in robots, drones, and autonomous machinery must meet safety and cybersecurity requirements — applies from January 2027.",
+    "Digital Services Act (DSA 2022/2065)": "Online platforms using AI recommendation systems must offer non-profiling alternatives and explain algorithmic decisions.",
+    "Radio Equipment Directive (RED 2014/53)": "Connected devices with embedded AI (IoT, wearables) must comply with cybersecurity and privacy-by-design requirements.",
+    "FTC Act Section 5 (Unfair/Deceptive Practices)": "AI systems must not deceive consumers about capabilities, data use, or human involvement — FTC actively enforces.",
+    "Title VII (Civil Rights Act)": "AI employment tools must not cause disparate impact based on race, colour, religion, sex, or national origin.",
+    "ADA (Americans with Disabilities Act)": "AI in employment and public accommodation must not discriminate against individuals with disabilities and must allow reasonable accommodation.",
+    "ECOA (Equal Credit Opportunity Act)": "AI credit scoring and lending decisions must be non-discriminatory, with adverse action notices when AI contributes to denial.",
+    "FCRA (Fair Credit Reporting Act)": "AI systems generating consumer reports must ensure accuracy and allow consumers to dispute inaccurate information.",
+    "Fair Housing Act": "AI in housing advertising, tenant screening, and lending must not discriminate — algorithmic redlining is an enforceable violation.",
+    "Copyright Law (Decree-Law 38/2021) — No TDM exception": "CRITICAL: UAE has no text and data mining exception — all copyrighted training data must be licensed.",
+    "Cybercrime Law (Decree-Law 34/2021)": "Creating or disseminating deepfakes and accessing AI systems without authorisation are criminal offences in the UAE.",
+    "Civil Transactions Law (Federal Law 5/1985)": "General tort liability applies to AI-caused damage under the 'guardian of things' doctrine — operators may be liable.",
+    "Consumer Protection (Federal Law 15/2020)": "AI interacting with UAE consumers must not engage in deceptive or misleading practices.",
+    "Anti-Discrimination (Decree-Law 34/2023)": "AI decisions in the UAE must not discriminate based on race, colour, ethnic origin, religion, or disability.",
+    "Labour Law (Decree-Law 33/2021)": "AI in employment (hiring, monitoring, evaluation) must respect worker rights and disclose workplace surveillance.",
+}
+# ─────────────────────────────────────────────────
+# SECTION 7: CONTEXTUAL NOTES
+# ─────────────────────────────────────────────────
+DIFC_CONTROLLER_NOTE = (
+    "Under DIFC Regulation 10, a 'deployer' is the entity that directs, authorises, or benefits from the operation of the AI system and its output — "
+    "comparable to a data controller. An 'operator' is the entity that runs the system on behalf of the deployer — comparable to a data processor. "
+    "Most compliance obligations fall on the deployer."
+)
+# ─────────────────────────────────────────────────
+# SECTION 8: DISCLAIMER
+# ─────────────────────────────────────────────────
+DISCLAIMER = (
+    "This analysis is provided for informational and orientation purposes only. "
+    "It does not constitute legal advice. The regulatory landscape is evolving rapidly — "
+    "obligations, deadlines, and enforcement approaches may change. "
+    "Always consult qualified legal counsel for definitive compliance guidance tailored to your specific situation."
+)

requirements.txt ADDED Viewed

	@@ -0,0 +1,2 @@


1	+ streamlit==1.41.1
2	+ reportlab