Spaces:
Sleeping
Sleeping
wlmbrown
commited on
Commit
·
b052718
1
Parent(s):
46c3659
removed deployers from scope of our system
Browse files- compliance_analysis.py +4 -8
- project_cc.yaml +25 -61
- utils.py +24 -9
compliance_analysis.py
CHANGED
@@ -10,18 +10,14 @@ project_variables = {
|
|
10 |
"high_risk_ai_system": False,
|
11 |
"gpai_model_systematic_risk": False
|
12 |
},
|
13 |
-
"
|
14 |
"provider": False,
|
15 |
-
"
|
16 |
-
"
|
17 |
-
"distributor": False,
|
18 |
-
"product_manufacturer": False,
|
19 |
-
"eu_located": False
|
20 |
},
|
21 |
"eu_market_status": {
|
22 |
"placed_on_market": False,
|
23 |
-
"put_into_service": False
|
24 |
-
"output_used": False
|
25 |
}
|
26 |
}
|
27 |
|
|
|
10 |
"high_risk_ai_system": False,
|
11 |
"gpai_model_systematic_risk": False
|
12 |
},
|
13 |
+
"operator_details": {
|
14 |
"provider": False,
|
15 |
+
"eu_located": False,
|
16 |
+
"output_used": False
|
|
|
|
|
|
|
17 |
},
|
18 |
"eu_market_status": {
|
19 |
"placed_on_market": False,
|
20 |
+
"put_into_service": False
|
|
|
21 |
}
|
22 |
}
|
23 |
|
project_cc.yaml
CHANGED
@@ -1,33 +1,16 @@
|
|
1 |
|
2 |
-
# Information related to high-level characteristics of AI project, including the role of the operator,
|
3 |
|
4 |
-
|
5 |
provider: # Art. 2
|
6 |
verbose: 'The operator of this AI project is a natural or legal person, public authority, agency or other body that develops an AI project or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge'
|
7 |
value: !!bool false
|
8 |
-
deployer: # Art. 2
|
9 |
-
verbose: 'AI project operator is a natural or legal person, public authority, agency or other body using an AI project under its authority except where the AI system is used in the course of a personal non-professional activity'
|
10 |
-
value: !!bool false
|
11 |
eu_located: # Art. 2
|
12 |
verbose: 'AI project operator has its place of establishment or location within the Union'
|
13 |
value: !!bool True
|
14 |
output_used: # Art. 2
|
15 |
verbose: 'The output produced by the AI project is used in the Union'
|
16 |
value: !!bool false
|
17 |
-
importer: # Art. 2
|
18 |
-
verbose: 'AI project operator is a natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country'
|
19 |
-
value: !!bool false
|
20 |
-
distributor:
|
21 |
-
verbose: 'AI project operator is a natural or legal person in the supply chain, other than a provider or the importer, that makes an AI system available on the Union market'
|
22 |
-
value: !!bool false # Art. 2
|
23 |
-
product_manufacturer:
|
24 |
-
verbose: 'AI project operator is a product manufacturer'
|
25 |
-
value: !!bool false # Art. 2
|
26 |
-
|
27 |
-
# ypi: just to note that providers, deployers and product manufacturer that are outside of EU are still in scope if the output of AI is used within EU.
|
28 |
-
# importer and distributor are only in scope if they locate within EU.
|
29 |
-
|
30 |
-
|
31 |
|
32 |
eu_market_status:
|
33 |
placed_on_market: # Art. 3(9)
|
@@ -58,6 +41,8 @@ gpai_model_systematic_risk:
|
|
58 |
verbose: 'The cumulative amount of computation used for the training of the AI project, as measured in floating point operations (FLOPs), has been greater than 10^25'
|
59 |
value: !!bool false
|
60 |
|
|
|
|
|
61 |
transparency_related:
|
62 |
direct_user_interaction:
|
63 |
verbose: 'The AI project is intended to interact directly with natural persons'
|
@@ -98,10 +83,6 @@ excepted:
|
|
98 |
verbose: 'AI project involves AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general purpose AI models with systemic risks'
|
99 |
value: !!bool false
|
100 |
|
101 |
-
|
102 |
-
#ypi: add peronal and non-professional use
|
103 |
-
# ypi: The exemptions can be moved up to the operator role since it’s also related to Article 2.
|
104 |
-
|
105 |
# Information related to practices prohibited by the Act
|
106 |
|
107 |
prohibited_practice:
|
@@ -141,7 +122,7 @@ prohibited_practice:
|
|
141 |
verbose: 'The AI project involves use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement stricly for the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years.'
|
142 |
value: !!bool false
|
143 |
|
144 |
-
|
145 |
|
146 |
high_risk_ai_system:
|
147 |
safety_component: # Art. 6(1)(a)
|
@@ -199,6 +180,8 @@ high_risk_ai_system:
|
|
199 |
verbose: 'the AI project is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III.'
|
200 |
value: !!bool false
|
201 |
|
|
|
|
|
202 |
risk_management_system:
|
203 |
established: # Article 9
|
204 |
verbose: 'A risk management system has been established, implemented, documented and maintained for the AI project'
|
@@ -227,18 +210,14 @@ risk_management_system:
|
|
227 |
testing_threshold: # Art. 9(8)
|
228 |
verbose: 'Testing has or will be performed before the AI project is placed on the market and has or will be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose'
|
229 |
value: !!bool false
|
|
|
|
|
|
|
|
|
|
|
|
|
230 |
|
231 |
-
|
232 |
-
# vulnerable_groups: #Art. 9(9)
|
233 |
-
# verbose: 'Adverse impacts in the view of intended purpose the high-risk AI system on individuals under 18 and other vulnerable groups have been considered'
|
234 |
-
# value: !!bool true
|
235 |
-
# integration_with_other_laws: #Art. 9(10)
|
236 |
-
# description: 'For providers subject to other Union law requirements, risk management procedures may be integrated or combined with those established under such law.'
|
237 |
-
# value: !!bool true
|
238 |
-
|
239 |
-
|
240 |
-
|
241 |
-
|
242 |
|
243 |
technical_documentation:
|
244 |
drawn_up: # Art. 11(1)
|
@@ -290,6 +269,7 @@ technical_documentation:
|
|
290 |
### verbose: 'The Technical Documentation includes a general description of the AI project that covers instructions for use for the deployer and a basic description of the user-interface provided, where applicable.'
|
291 |
### value: !!bool false
|
292 |
|
|
|
293 |
|
294 |
record_keeping:
|
295 |
logging_generally: # Article 12(1)
|
@@ -320,6 +300,8 @@ record_keeping:
|
|
320 |
verbose: 'For the remote biometric identification systems high-risk AI systems referred to in point 1 (a), of Annex III, the logging capabilities shall provide, at a minimum, the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5)'
|
321 |
value: !!bool false
|
322 |
|
|
|
|
|
323 |
transparency_and_provision_of_information_to_deployers:
|
324 |
interpretability: # Art. 13(1)
|
325 |
verbose: 'AI project is designed and developed to ensure operation is sufficiently transparent for deployers to interpret output and use appropriately'
|
@@ -367,6 +349,8 @@ transparency_and_provision_of_information_to_deployers:
|
|
367 |
verbose: 'Instructions include description of mechanisms for deployers to collect, store, and interpret logs, if applicable'
|
368 |
value: !!bool false
|
369 |
|
|
|
|
|
370 |
human_oversight:
|
371 |
designed: # Art. 14(1)
|
372 |
verbose: 'AI project is designed and developed so as to be effectively overseen by natural persons during use, including through the use of appropriate human-machine interface tools'
|
@@ -396,6 +380,8 @@ human_oversight:
|
|
396 |
verbose: 'For Annex III point 1(a) systems, actions or decisions require verification by at least two competent persons, with exceptions for law enforcement, migration, border control, or asylum'
|
397 |
value: !!bool false
|
398 |
|
|
|
|
|
399 |
accuracy_robustness_cybersecurity:
|
400 |
design: # Art. 15(1)
|
401 |
verbose: 'The AI project is designed and developed to achieve appropriate levels of accuracy, robustness, and cybersecurity, performing consistently throughout its lifecycle'
|
@@ -419,6 +405,8 @@ accuracy_robustness_cybersecurity:
|
|
419 |
verbose: 'The AI project includes technical solutions that address AI-specific vulnerabilities, including measures against data poisoning, model poisoning, adversarial examples, and confidentiality attacks'
|
420 |
value: !!bool false
|
421 |
|
|
|
|
|
422 |
quality_management_system:
|
423 |
quality_management_system: # Art. 17(1)(a)
|
424 |
verbose: 'The AI project is subject to a quality management system with strategy for regulatory compliance'
|
@@ -433,6 +421,8 @@ quality_management_system:
|
|
433 |
verbose: 'The quality management system that the AI project was subject to includes examination, test, and validation procedures before, during, and after development'
|
434 |
value: !!bool false
|
435 |
|
|
|
|
|
436 |
fundamental_rights_assessment:
|
437 |
process: # Art. 27(1)(a)
|
438 |
verbose: 'AI project has been subject to a fundamental rights impact assessment that includes a description of the deployer’s processes in which the AI project will be used in line with its intended purpose'
|
@@ -596,30 +586,4 @@ additional_provider_obligations: # apply these only if operator == provider and
|
|
596 |
verbose: 'The AI project complies with accessibility requirements in accordance with Directives (EU) 2016/2102 and (EU) 2019/882'
|
597 |
value: !!bool false
|
598 |
|
599 |
-
additional_deployer_obligations: # apply these only if operator == deployer and ai_project_type == high_risk_ai_system
|
600 |
-
accordance_with_instructions: # Article 26 (1)
|
601 |
-
verbose: 'If operator is a deployer, that deployer has taken appropriate technical and organisational measures to ensure they use such systems in accordance with the instructions for use accompanying the systems'
|
602 |
-
value: !!bool false
|
603 |
-
human_oversight: # Article 26 (2)
|
604 |
-
verbose: 'If operator is a deployer, that deployer has assigned human oversight to natural persons who have the necessary competence, training and authority, as well as the necessary support.'
|
605 |
-
value: !!bool false
|
606 |
-
relevant_input: # Article 26 (4)
|
607 |
-
verbose: 'If operator is a deployer, to the extent the deployer exercises control over the input data, that deployer shall ensure that input data is relevant and sufficiently representative in view of the intended purpose of the AI project'
|
608 |
-
value: !!bool false
|
609 |
-
monitoring: # Article 26 (5)
|
610 |
-
verbose: 'If operator is a deployer, that deployer shall monitor the operation of the AI project on the basis of the instructions for use and, where relevant, inform providers in accordance with Article 72'
|
611 |
-
value: !!bool false
|
612 |
-
monitoring: # Article 26 (6)
|
613 |
-
verbose: 'If operator is a deployer, that deployer shall keep the logs automatically generated by the AI project to the extent such logs are under their control, for a period appropriate to the intended purpose of the AI project, of at least six months, unless provided otherwise in applicable Union or national law, in particular in Union law on the protection of personal data.'
|
614 |
-
value: !!bool false
|
615 |
-
employees: # Article 26 (7)
|
616 |
-
verbose: 'If operator is a deployer and an employer, before putting into service or using a AI project at the workplace, that deployers shall inform worker representatives and the affected workers that they will be subject to the use of the AI project.'
|
617 |
-
value: !!bool false
|
618 |
-
employees: # Article 26 (8)
|
619 |
-
verbose: 'If operator is a deployer and a public authority, or Union institution, body, office or agency, that deployer shall register the AI project in the EU database per Article 49(3)'
|
620 |
-
value: !!bool false
|
621 |
-
employees: # Article 26 (9)
|
622 |
-
verbose: 'If operator is a deployer and if applicable, the deployer used the information provided under Article 13 of this Regulation to comply with their obligation to carry out a data protection impact assessment under Article 35 of Regulation (EU) 2016/679 or Article 27 of Directive (EU) 2016/680'
|
623 |
-
value: !!bool false
|
624 |
|
625 |
-
# Couple more to add from Article 26, using same format
|
|
|
1 |
|
2 |
+
# Information related to high-level characteristics of AI project, including the role of the operator, their location, and where the output is used
|
3 |
|
4 |
+
operator_details:
|
5 |
provider: # Art. 2
|
6 |
verbose: 'The operator of this AI project is a natural or legal person, public authority, agency or other body that develops an AI project or a general-purpose AI model or that has an AI system or a general-purpose AI model developed and places it on the market or puts the AI system into service under its own name or trademark, whether for payment or free of charge'
|
7 |
value: !!bool false
|
|
|
|
|
|
|
8 |
eu_located: # Art. 2
|
9 |
verbose: 'AI project operator has its place of establishment or location within the Union'
|
10 |
value: !!bool True
|
11 |
output_used: # Art. 2
|
12 |
verbose: 'The output produced by the AI project is used in the Union'
|
13 |
value: !!bool false
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
14 |
|
15 |
eu_market_status:
|
16 |
placed_on_market: # Art. 3(9)
|
|
|
41 |
verbose: 'The cumulative amount of computation used for the training of the AI project, as measured in floating point operations (FLOPs), has been greater than 10^25'
|
42 |
value: !!bool false
|
43 |
|
44 |
+
# Information related to the additional transparency requirements in Article 50, if applicable
|
45 |
+
|
46 |
transparency_related:
|
47 |
direct_user_interaction:
|
48 |
verbose: 'The AI project is intended to interact directly with natural persons'
|
|
|
83 |
verbose: 'AI project involves AI models that are released under a free and open-source licence that allows for the access, usage, modification, and distribution of the model, and whose parameters, including the weights, the information on the model architecture, and the information on model usage, are made publicly available. This exception shall not apply to general purpose AI models with systemic risks'
|
84 |
value: !!bool false
|
85 |
|
|
|
|
|
|
|
|
|
86 |
# Information related to practices prohibited by the Act
|
87 |
|
88 |
prohibited_practice:
|
|
|
122 |
verbose: 'The AI project involves use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement stricly for the localisation or identification of a person suspected of having committed a criminal offence, for the purpose of conducting a criminal investigation or prosecution or executing a criminal penalty for offences referred to in Annex II and punishable in the Member State concerned by a custodial sentence or a detention order for a maximum period of at least four years.'
|
123 |
value: !!bool false
|
124 |
|
125 |
+
# Information related to whether or not the project, if an AI system, is a high-risk AI system
|
126 |
|
127 |
high_risk_ai_system:
|
128 |
safety_component: # Art. 6(1)(a)
|
|
|
180 |
verbose: 'the AI project is intended to perform a preparatory task to an assessment relevant for the purposes of the use cases listed in Annex III.'
|
181 |
value: !!bool false
|
182 |
|
183 |
+
# Information related to the risk management system requirements for high-risk AI systems (Article 9)
|
184 |
+
|
185 |
risk_management_system:
|
186 |
established: # Article 9
|
187 |
verbose: 'A risk management system has been established, implemented, documented and maintained for the AI project'
|
|
|
210 |
testing_threshold: # Art. 9(8)
|
211 |
verbose: 'Testing has or will be performed before the AI project is placed on the market and has or will be carried out against prior defined metrics and probabilistic thresholds that are appropriate to the intended purpose'
|
212 |
value: !!bool false
|
213 |
+
vulnerable_groups: #Art. 9(9)
|
214 |
+
verbose: 'Adverse impacts in the view of intended purpose the high-risk AI system on individuals under 18 and other vulnerable groups have been considered'
|
215 |
+
value: !!bool true
|
216 |
+
integration_with_other_laws: #Art. 9(10)
|
217 |
+
description: 'For providers subject to other Union law requirements, risk management procedures may be integrated or combined with those established under such law.'
|
218 |
+
value: !!bool true
|
219 |
|
220 |
+
# Information related to the risk management system requirements for high-risk AI systems (Article 11)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
221 |
|
222 |
technical_documentation:
|
223 |
drawn_up: # Art. 11(1)
|
|
|
269 |
### verbose: 'The Technical Documentation includes a general description of the AI project that covers instructions for use for the deployer and a basic description of the user-interface provided, where applicable.'
|
270 |
### value: !!bool false
|
271 |
|
272 |
+
# Information related to the record keeping requirements for high-risk AI systems (Article 12)
|
273 |
|
274 |
record_keeping:
|
275 |
logging_generally: # Article 12(1)
|
|
|
300 |
verbose: 'For the remote biometric identification systems high-risk AI systems referred to in point 1 (a), of Annex III, the logging capabilities shall provide, at a minimum, the identification of the natural persons involved in the verification of the results, as referred to in Article 14(5)'
|
301 |
value: !!bool false
|
302 |
|
303 |
+
# Information related to the requirements that the providers of high-risk AI systems provide certain information to deployers (Article 13)
|
304 |
+
|
305 |
transparency_and_provision_of_information_to_deployers:
|
306 |
interpretability: # Art. 13(1)
|
307 |
verbose: 'AI project is designed and developed to ensure operation is sufficiently transparent for deployers to interpret output and use appropriately'
|
|
|
349 |
verbose: 'Instructions include description of mechanisms for deployers to collect, store, and interpret logs, if applicable'
|
350 |
value: !!bool false
|
351 |
|
352 |
+
# Information related to the human oversight requirements for high-risk AI systems (Article 14)
|
353 |
+
|
354 |
human_oversight:
|
355 |
designed: # Art. 14(1)
|
356 |
verbose: 'AI project is designed and developed so as to be effectively overseen by natural persons during use, including through the use of appropriate human-machine interface tools'
|
|
|
380 |
verbose: 'For Annex III point 1(a) systems, actions or decisions require verification by at least two competent persons, with exceptions for law enforcement, migration, border control, or asylum'
|
381 |
value: !!bool false
|
382 |
|
383 |
+
# Information related to the accuracy, robustness, and cybersecurity requirements for high-risk AI systems (Article 15)
|
384 |
+
|
385 |
accuracy_robustness_cybersecurity:
|
386 |
design: # Art. 15(1)
|
387 |
verbose: 'The AI project is designed and developed to achieve appropriate levels of accuracy, robustness, and cybersecurity, performing consistently throughout its lifecycle'
|
|
|
405 |
verbose: 'The AI project includes technical solutions that address AI-specific vulnerabilities, including measures against data poisoning, model poisoning, adversarial examples, and confidentiality attacks'
|
406 |
value: !!bool false
|
407 |
|
408 |
+
# Information related to the quality management system requirements for high-risk AI systems (Article 17)
|
409 |
+
|
410 |
quality_management_system:
|
411 |
quality_management_system: # Art. 17(1)(a)
|
412 |
verbose: 'The AI project is subject to a quality management system with strategy for regulatory compliance'
|
|
|
421 |
verbose: 'The quality management system that the AI project was subject to includes examination, test, and validation procedures before, during, and after development'
|
422 |
value: !!bool false
|
423 |
|
424 |
+
# Information related to the fundamental rights assessment that is required of high-risk AI systems (Article 27)
|
425 |
+
|
426 |
fundamental_rights_assessment:
|
427 |
process: # Art. 27(1)(a)
|
428 |
verbose: 'AI project has been subject to a fundamental rights impact assessment that includes a description of the deployer’s processes in which the AI project will be used in line with its intended purpose'
|
|
|
586 |
verbose: 'The AI project complies with accessibility requirements in accordance with Directives (EU) 2016/2102 and (EU) 2019/882'
|
587 |
value: !!bool false
|
588 |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
589 |
|
|
utils.py
CHANGED
@@ -55,26 +55,41 @@ def set_eu_market_status(project_variables, project_cc_yaml):
|
|
55 |
return project_variables
|
56 |
|
57 |
|
58 |
-
def
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
59 |
|
60 |
ai_system = project_variables['ai_project_type']['ai_system']
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
61 |
|
62 |
if not check_excepted(project_cc_yaml):
|
63 |
-
if
|
64 |
-
return True
|
65 |
-
if deployer and eu_located: # Article 2.1(b)
|
66 |
-
return True
|
67 |
-
if (provider or deployer) and (ai_system and eu_located and output_used): # Article 2.1(c)
|
68 |
-
return True
|
69 |
-
if (importer or distributor) and ai_system: # Article 2.1(d)
|
70 |
return True
|
71 |
-
if
|
72 |
return True
|
73 |
else:
|
|
|
74 |
return False
|
75 |
|
76 |
def check_excepted(project_cc_yaml):
|
77 |
if project_cc_yaml['excepted']['scientific'] or project_cc_yaml['excepted']['pre_market'] or (ai_system and project_cc_yaml['excepted']['open_source_ai_system']) or (gpai_model and project_cc_yaml['excepted']['open_source_gpai_system']):
|
|
|
78 |
return True
|
79 |
else:
|
80 |
return False
|
|
|
55 |
return project_variables
|
56 |
|
57 |
|
58 |
+
def check_within_scope_cc(project_variables):
|
59 |
+
|
60 |
+
# Check that the person filling out the form (the operator) is in fact a provider;
|
61 |
+
|
62 |
+
if project_variables['operator_details']['provider']:
|
63 |
+
return True
|
64 |
+
else:
|
65 |
+
print("The initial versiton of the Compliance Cards System is for provider-side compliance analyses only.")
|
66 |
+
return False
|
67 |
+
|
68 |
+
def check_within_scope_act(project_variables, project_cc_yaml):
|
69 |
+
|
70 |
+
# Check that the project is within the scope of the Act
|
71 |
|
72 |
ai_system = project_variables['ai_project_type']['ai_system']
|
73 |
+
gpai_model = project_variables['ai_project_type']['gpai_model']
|
74 |
+
|
75 |
+
placed_on_market = project_variables['eu_market_status']['placed_on_market']
|
76 |
+
put_into_service = project_variables['eu_market_status']['put_into_service']
|
77 |
+
|
78 |
+
eu_located = project_variables['operator_details']['eu_located']
|
79 |
+
output_used = project_variables['operator_details']['output_used']
|
80 |
|
81 |
if not check_excepted(project_cc_yaml):
|
82 |
+
if ((ai_system and (placed_on_market or put_into_service)) or (gpai_model and placed_on_market)): # Article 2.1(a)
|
|
|
|
|
|
|
|
|
|
|
|
|
83 |
return True
|
84 |
+
if (ai_system and eu_located and output_used): # Article 2.1(c)
|
85 |
return True
|
86 |
else:
|
87 |
+
print("Your project is not within the scope of the Act and its requirements.")
|
88 |
return False
|
89 |
|
90 |
def check_excepted(project_cc_yaml):
|
91 |
if project_cc_yaml['excepted']['scientific'] or project_cc_yaml['excepted']['pre_market'] or (ai_system and project_cc_yaml['excepted']['open_source_ai_system']) or (gpai_model and project_cc_yaml['excepted']['open_source_gpai_system']):
|
92 |
+
print("Your project falls into one of the exemptions from the Act.")
|
93 |
return True
|
94 |
else:
|
95 |
return False
|