Description
Create and maintain Java enterprise regulation skills for the EU regulatory stack identified in #848 and expanded in the issue discussion.
These skills translate EU regulatory concerns into reviewable Java engineering controls. They are not legal advice. Applicability, classification, legal interpretation, regulatory reporting, and final compliance decisions must be escalated to the appropriate legal, compliance, privacy, security, risk, resilience, product, platform, trust-and-safety, data-governance, or business owners.
Scope
Covered baseline
AI Act (Regulation (EU) 2024/1689) : implemented as 801-regulations-eu-ai-act. AI-specific rules, GPAI, transparency, human oversight, governance evidence, and AI-system classification.DORA (Regulation (EU) 2022/2554) : implemented as 802-regulations-dora. ICT risk management and digital operational resilience in financial-sector or critical ICT contexts. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554 GDPR (Regulation (EU) 2016/679) : implemented as 803-regulations-gdpr. Personal-data processing, privacy controls, data-subject rights, retention, transfers, and breach evidence. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679
EU regulation additions
NIS2 (Directive (EU) 2022/2555) : implemented as 804-regulations-eu-nis2. Cybersecurity risk management, critical-sector security, supply-chain security, incident escalation, continuity, and operational evidence. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555 . Merged in feat(skills): add EU NIS2 regulation skill #862 Cyber Resilience Act / CRA (Regulation (EU) 2024/2847) : implemented as 805-regulations-eu-cyber-resilience-act. Security-by-design, vulnerability handling, security updates, product security documentation, SBOM/dependency evidence, and coordinated disclosure. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32024R2847 . Merged in feat(skills): add EU Cyber Resilience Act regulation skill #866 Data Act (Regulation (EU) 2023/2854) : implemented as 806-regulations-eu-data-act. Data access, sharing, portability, interoperability, cloud switching, non-personal data governance, and data-request workflows. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32023R2854 . Merged in feat(skills): add EU Data Act regulation skill #868 Digital Services Act / DSA (Regulation (EU) 2022/2065) : implemented as 807-regulations-eu-digital-services-act. Intermediary and platform controls, notice-and-action workflows, recommender and advertising transparency, user redress, systemic-risk evidence, and trust-and-safety escalation. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2065 . Merged in feat(skills): add EU Digital Services Act regulation skill #865 Digital Markets Act / DMA (Regulation (EU) 2022/1925) : implemented as 808-regulations-eu-digital-markets-act. Gatekeeper platform concerns, interoperability, business-user data access, consent-dependent data combination, self-preferencing evidence, and platform-control safeguards. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R1925 . Merged in feat(skills): add EU Digital Markets Act regulation skill #867 Digital Omnibus (2025) : implemented as 809-regulations-eu-digital-omnibus. Cross-cutting EU digital simplification proposals affecting AI, cybersecurity, data, privacy, and reporting workflows. Treat as proposal-stage simplification tracking, not a settled single-regulation checklist. Sources: https://commission.europa.eu/news-and-media/news/simpler-digital-rules-help-eu-businesses-grow-2025-11-19_en and https://digital-strategy.ec.europa.eu/en/policies/digital-rulebook . Merged in feat(skills): add EU Digital Omnibus regulation skill #864
Regulation skill numbering
EU regulation skills use 801-809 for the current baseline and completed EU stack.
UK regulation skills start at 821.
USA regulation skills start at 831.
Expected Outcome
801, 802, and 803 EU regulation skills as the baseline pattern.skills/ output out of scope unless a release profile is intentionally run later.
OpenSpec Changes
Completed / archived baseline
documentation/openspec/changes/archive/2026-06-14-add-eu-regulation-skills
Completed per-regulation changes
Implementation Check
Source
Derived from #848 and the GenAI Regulatory Stack (EU) issue comment in this issue.
Description
Create and maintain Java enterprise regulation skills for the EU regulatory stack identified in #848 and expanded in the issue discussion.
These skills translate EU regulatory concerns into reviewable Java engineering controls. They are not legal advice. Applicability, classification, legal interpretation, regulatory reporting, and final compliance decisions must be escalated to the appropriate legal, compliance, privacy, security, risk, resilience, product, platform, trust-and-safety, data-governance, or business owners.
Scope
Covered baseline
801-regulations-eu-ai-act. AI-specific rules, GPAI, transparency, human oversight, governance evidence, and AI-system classification.802-regulations-dora. ICT risk management and digital operational resilience in financial-sector or critical ICT contexts. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2554803-regulations-gdpr. Personal-data processing, privacy controls, data-subject rights, retention, transfers, and breach evidence. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679EU regulation additions
804-regulations-eu-nis2. Cybersecurity risk management, critical-sector security, supply-chain security, incident escalation, continuity, and operational evidence. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022L2555. Merged in feat(skills): add EU NIS2 regulation skill #862805-regulations-eu-cyber-resilience-act. Security-by-design, vulnerability handling, security updates, product security documentation, SBOM/dependency evidence, and coordinated disclosure. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32024R2847. Merged in feat(skills): add EU Cyber Resilience Act regulation skill #866806-regulations-eu-data-act. Data access, sharing, portability, interoperability, cloud switching, non-personal data governance, and data-request workflows. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32023R2854. Merged in feat(skills): add EU Data Act regulation skill #868807-regulations-eu-digital-services-act. Intermediary and platform controls, notice-and-action workflows, recommender and advertising transparency, user redress, systemic-risk evidence, and trust-and-safety escalation. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R2065. Merged in feat(skills): add EU Digital Services Act regulation skill #865808-regulations-eu-digital-markets-act. Gatekeeper platform concerns, interoperability, business-user data access, consent-dependent data combination, self-preferencing evidence, and platform-control safeguards. Source: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32022R1925. Merged in feat(skills): add EU Digital Markets Act regulation skill #867809-regulations-eu-digital-omnibus. Cross-cutting EU digital simplification proposals affecting AI, cybersecurity, data, privacy, and reporting workflows. Treat as proposal-stage simplification tracking, not a settled single-regulation checklist. Sources: https://commission.europa.eu/news-and-media/news/simpler-digital-rules-help-eu-businesses-grow-2025-11-19_en and https://digital-strategy.ec.europa.eu/en/policies/digital-rulebook. Merged in feat(skills): add EU Digital Omnibus regulation skill #864Regulation skill numbering
801-809for the current baseline and completed EU stack.821.831.Expected Outcome
801,802, and803EU regulation skills as the baseline pattern.skills/output out of scope unless a release profile is intentionally run later.OpenSpec Changes
Completed / archived baseline
documentation/openspec/changes/archive/2026-06-14-add-eu-regulation-skillsCompleted per-regulation changes
documentation/openspec/changes/add-eu-nis2-regulation-skill— feat(skills): add EU NIS2 regulation skill #862documentation/openspec/changes/add-eu-cyber-resilience-act-regulation-skill— feat(skills): add EU Cyber Resilience Act regulation skill #866documentation/openspec/changes/add-eu-data-act-regulation-skill— feat(skills): add EU Data Act regulation skill #868documentation/openspec/changes/add-eu-digital-services-act-regulation-skill— feat(skills): add EU Digital Services Act regulation skill #865documentation/openspec/changes/add-eu-digital-markets-act-regulation-skill— feat(skills): add EU Digital Markets Act regulation skill #867documentation/openspec/changes/add-eu-digital-omnibus-regulation-skill— feat(skills): add EU Digital Omnibus regulation skill #864Implementation Check
skills-generator/src/main/resources/skill-indexes/801-skill.xmlthrough809-skill.xmlexist onmain.skills-generator/src/main/resources/skills.xmlregisters skills801through809.801through809.#862,#864,#865,#866,#867, and#868have successful check rollups.Source
Derived from #848 and the GenAI Regulatory Stack (EU) issue comment in this issue.