EU AI Act bundle
What it does: One-click pre-built policy that produces an EU AI Act–aligned deployment.
1. Vision context
EU buyers — Collibra, regulated industries, public sector — filter on EU AI Act compliance before architecture conversations begin. Without a bundled answer, every customer assembles the compliance posture from scratch: tick categories, set concerns, write custom Rego. With a bundle, "my deployment is EU AI Act aligned" is one tick and a re-derive.
Beyond the convenience, the same bundle is reused across every customer. That makes it economically possible to certify the bundle once by external counsel, with that certification inherited by every deployment that applies it. That's the procurement-defensibility play.
2. Functional specification
Bundle YAML shape:

```yaml
pack: eu-ai-act
version: v1
applies_when: high_risk_ai_system   # selects relevant subset of Articles
required_concerns:
  - gdpr_required
  - data_residency: eu
  - audit_required
  - human_oversight_required
  - accuracy_documentation
  - bias_monitoring
required_pipeline_steps:
  - audit_signing: { enabled: true }
  - detect_pii: { enabled: true, on_detection: block }
  - classify_data: { enabled: true }
  - require_human_approval: { for_capabilities: [destructive_action], enabled: true }
forbidden_capabilities:
  - undocumented_automated_decision
required_categories:
  - eu_residents
documentation_artifacts:
  - dpia_template
  - article_15_transparency_disclosure
provenance_tag: eu-ai-act@v1
```

Applied via: tappass policy apply --pack eu-ai-act --level <org|project|agent>.
Composes with: other packs (strictest-wins), org/project/agent cascade, and any manual overlay.
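As an added illustration (not TapPass's own code), a hypothetical strictest-wins composition of two packs with per-rule provenance tagging, which is also what the composition and provenance tests in the definition of done would exercise. The pack dicts mirror the bundle YAML shape above; the second pack, the severity ordering for on_detection and the merge rules are assumptions.

```python
from typing import Dict, List

# Ordering used to pick the stricter on_detection value (assumption).
SEVERITY = {"log": 0, "warn": 1, "block": 2}

EU_AI_ACT = {  # constructed; mirrors the bundle YAML shape above
    "provenance_tag": "eu-ai-act@v1",
    "required_concerns": ["gdpr_required", {"data_residency": "eu"}, "audit_required"],
    "required_pipeline_steps": [{"audit_signing": {"enabled": True}},
                               {"detect_pii": {"enabled": True, "on_detection": "block"}}],
    "forbidden_capabilities": ["undocumented_automated_decision"],
}
OWASP_LLM = {  # constructed second pack; a looser detect_pii setting to compose with
    "provenance_tag": "owasp-llm@v1",
    "required_concerns": ["prompt_injection_monitoring"],
    "required_pipeline_steps": [{"detect_pii": {"enabled": False, "on_detection": "warn"}},
                               {"prompt_injection_scan": {"enabled": True}}],
    "forbidden_capabilities": ["unrestricted_tool_calls"],
}

def _name(item):
    """Name of an entry, whether a bare string or a one-key mapping."""
    return item if isinstance(item, str) else next(iter(item))

def compose(packs: List[Dict]) -> Dict:
    """Strictest-wins merge: list fields are unioned; for a pipeline step present
    in several packs, enabled=True beats False and the harsher on_detection wins.
    Each merged rule records the provenance tags of the packs that introduced it."""
    merged = {"required_concerns": {}, "required_pipeline_steps": {}, "forbidden_capabilities": {}}
    for pack in packs:
        tag = pack["provenance_tag"]
        for field in ("required_concerns", "forbidden_capabilities"):
            for item in pack.get(field, []):
                rule = merged[field].setdefault(_name(item), {"value": item, "provenance": []})
                rule["provenance"].append(tag)
        for step in pack.get("required_pipeline_steps", []):
            name = _name(step)
            cfg = step[name]
            rule = merged["required_pipeline_steps"].setdefault(name, {"enabled": False, "provenance": []})
            rule["enabled"] = rule["enabled"] or cfg.get("enabled", False)
            if "on_detection" in cfg and SEVERITY[cfg["on_detection"]] > SEVERITY.get(rule.get("on_detection"), -1):
                rule["on_detection"] = cfg["on_detection"]
            rule["provenance"].append(tag)
    return merged

def untagged_rules(merged: Dict) -> List[str]:
    """Provenance test from the definition of done: any rule lacking a pack tag."""
    return [f"{field}:{name}" for field, rules in merged.items()
            for name, rule in rules.items() if not rule["provenance"]]
```

The result is order-independent: the stricter detect_pii setting (enabled, block) survives whichever pack is applied first.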
3. Technical design
Lives at tappass/policy/compliance_packs/eu_ai_act/v1/. Per-version directory; operator can pin a version explicitly. The v2 directory ships when the regulation is updated; auto-migration policy is opt-in.
4. Definition of done
- All acceptance_criteria pass.
- External legal review of v1 against Articles 9–17.
- Composition test: applied alongside gdpr-bundle and owasp-llm-bundle produces a sane merged pipeline (no contradictions).
- Provenance test: every rule introduced by the pack is tagged correctly.
- Documentation: trust center page describes what the pack covers and what it doesn't.
5. Coordination notes
With policy-to-sandbox-config-builder: the pack compiles into a pipeline_config; the builder consumes that as one input among the cascade.
With Compliance team: bundle content is owned by Compliance/GRC, not Engineering. Engineering reviews technical claims; Legal reviews regulatory mapping.
Open questions:
- (Q) Pack updates when the EU AI Act standard evolves — auto-roll customers forward, or pin to applied version? Lean: pin; operator must explicitly bump.
- (Q) Sub-bundles for specific Article scopes (e.g., Article 14 human-oversight only)? Lean: start with the full high-risk pack; granularity comes if customers ask.
6. Out of scope
- The compliance audit itself — TapPass writes the policy; the customer's auditor reviews their deployment.
- Documentation customers must produce themselves (DPIAs, ROPAs) — pack ships templates, customer fills.