# Risk Classification — aiactaudit.pl

**Document version:** 1.0
**Date:** 2026-05-05
**Owner:** Piotr Reder (sole proprietor)
**Project:** aiactaudit.pl (EU AI Act compliance audit service for SMB SaaS)

---

## EU AI Act applicability assessment

**Question:** Does aiactaudit.pl fall under the Annex III high-risk AI system definition of Article 6(2) of Regulation (EU) 2024/1689 (EU AI Act)?

**Answer:** **NO.** aiactaudit.pl is a service business with a static landing page + audit delivery workflow. There is NO AI system in the production runtime that affects decisions about natural persons.

---

## Detailed analysis

### What aiactaudit.pl IS

- **Static HTML/CSS landing pages** deployed on Vercel (no AI inference at request time)
- **Service workflow:**
  1. Lead intake via form (no AI processing of submission)
  2. Manual audit work by Piotr Reder (human expert, no AI delegation)
  3. PDF deliverable generation via template substitution (no AI generation)
  4. Email delivery via Resend API (no AI content generation in production emails)

### What aiactaudit.pl IS NOT

- ❌ NOT an AI system as defined by Article 3(1) AI Act
- ❌ NOT placing AI on EU market as provider
- ❌ NOT deploying AI affecting natural persons
- ❌ NOT using LLM API in customer-facing decision flow

### AI use in OPERATIONAL tooling (out of scope for Annex III)

**Internal use only — does not affect classification:**

- Claude Code CLI used by Piotr for content drafting (markdown blog posts, email templates)
- Manual review by Piotr before any output reaches client
- AIR Blackbox CLI used for self-assessment (eat-own-dog-food experiment)
- Apollo lead enrichment (third-party SaaS, separate compliance scope)
- Google Analytics 4 for traffic analysis (separate GDPR scope)

These are the **author's tools**, not AI systems integrated into the service product. Analogous to a lawyer using Microsoft Word with autocomplete — Word's AI features don't make the lawyer's service an "AI system".

---

## Annex III decision tree applied

| Annex III area | Applicable? | Reasoning |
|---|---|---|
| 1. Biometric ID | ❌ No | No biometric processing |
| 2. Critical infrastructure | ❌ No | No infrastructure management |
| 3. Education | ❌ No | Not an educational AI |
| 4. Employment | ❌ No | Not an HR/recruitment AI |
| 5. Essential services | ❌ No | Not credit/insurance/healthcare AI |
| 6. Law enforcement | ❌ No | Not LE AI |
| 7. Migration | ❌ No | Not migration AI |
| 8. Justice | ❌ No | Not judicial AI |

**Conclusion:** Tier 3 (Minimal Risk) per EU AI Act. No mandatory obligations under Articles 9-15.

---

## What DOES apply

### Article 50 — Transparency for limited-risk AI

**Status:** Marginal applicability. aiactaudit.pl does NOT have customer-facing chatbots or AI-generated content in the product. Blog content generated with Claude Code assistance is human-reviewed before publication; it is not real-time AI generation visible to users.

**Recommended action:** Add disclosure in About page or blog "Editorial process" page noting AI-assisted content drafting with human review. Voluntary best practice, not mandatory.

### GDPR (Regulation (EU) 2016/679)

**Status:** Applies. aiactaudit.pl processes:
- Lead emails + names + company info (intake form submissions)
- Visitor analytics (GA4 with anonymize_ip)
- Cookie data (essential only currently — no advertising cookies)

**Documentation:**
- `/privacy.html` — privacy policy live
- `RoPA.md` — Records of Processing Activities (this directory)
- DPIA — not required (no special category data, no large-scale monitoring)
- DPO — not appointed (not required for sole proprietor solo operation)

### NIS2 (Directive (EU) 2022/2555)

**Status:** Likely NOT applicable. aiactaudit.pl is not in scope sectors (energy, banking, healthcare, water, etc.) and headcount + revenue below thresholds.

**Action:** No mandatory NIS2 compliance. Best practices applied (HSTS, HTTPS, MFA on Vercel/GitHub accounts).

### EAA (Directive (EU) 2019/882) — European Accessibility Act

**Status:** Applies from 28.06.2025 for B2C services. **aiactaudit.pl is B2B (audit service for SMB SaaS founders)** — primary B2B classification, EAA scope marginal.

**Action:** WCAG 2.1 AA compliance recommended as best practice. Currently: semantic HTML structure, alt text on images, keyboard navigation. Formal accessibility audit deferred until after the 09.05 gate.

---

## Self-scan results (AIR Blackbox 2026-05-05)

Used `air-blackbox comply --scan` on this project. Results: **6 passing / 31 warnings / 20 failing of 57 checks**.

**Interpretation:** 80% of checks N/A because AIR Blackbox is designed for AI applications (LangChain agents, OpenAI Assistants production deployments). aiactaudit.pl is NOT an AI application — it's a service business with a landing page.

**Real gaps identified from this scan (addressed):**

1. ✅ This document (`RISK_CLASSIFICATION.md`) — explicitly states "service business, not AI system per Annex III"
2. ✅ `RoPA.md` (companion file) — Records of Processing Activities for GDPR
3. ✅ `SECURITY.md` (companion file) — security posture documentation
4. Public version of these docs as part of `/about` or `/legal` page (TODO)

**Full self-scan analysis:** See `audits_internal/self_scan_2026-05-05.json` and blog post `/blog-self-scan-meta.html` (PL + EN).

---

## Review schedule

- **Quarterly review** (next: 2026-08-05) — re-assess if any product changes introduce AI features
- **Trigger review** if:
  - aiactaudit.pl introduces AI-powered features (e.g. automated audit generation via LLM)
  - Service expands to high-risk industry verticals as deployer
  - Product line additions (e.g. continuous monitoring tool) introduce AI runtime

---

## Disclaimer

This classification is the operator's good-faith assessment based on plain reading of EU AI Act Article 6(2) and Annex III. Regulatory interpretation may differ. For legally binding classification, consult EU AI Act-specialized counsel before regulatory inquiry.
