National Annex Specification

This specification defines the minimum structure for country-specific AEEF annexes (regulatory profiles) so they can be compared, audited, and maintained consistently.

Purpose

Use this specification to:

author new country annexes
normalize existing country profiles
support coverage scoring in the regional matrix
reduce drift across annexes

Annex Metadata (Required)

Each national annex MUST declare:

country
annex_id
status (draft, active, superseded)
assessment_date
last_reviewed
maintainer_owner
regulator_scope
sector_scope
language_scope
confidence_level (high, medium, low)

Required Annex Sections

1. Status Note and Claim Boundary

Must include:

assessment-based profile statement
not legal advice statement
no implied regulator endorsement statement

2. Applicability

Define triggers such as:

country of operation
country data subjects
regulated-sector contracts
government delivery
cross-border data transfer origin

3. Source Authority List

List applicable sources grouped by category:

privacy/data protection
cybersecurity
digital government
sector regulators
AI/ethics/risk frameworks (if applicable)

For each source, include:

source name
issuing authority
version/date (if known)
link/reference

4. Core-to-Annex Control Mapping

Map AEEF controls to national obligations and identify:

fully covered
partially covered
annex-only additions required

5. Annex-Only Controls

Define controls not already covered by AEEF core, including:

control ID
requirement text
integration point
evidence expectations

6. Evidence Requirements and Audit Readiness

Include:

evidence artifacts
retention expectations (where known)
audit readiness checklist
known evidence gaps

7. Data Residency and Cross-Border Transfer

Minimum content:

residency constraints
transfer conditions or assessment triggers
data-flow inventory expectations
hosting pattern notes (if applicable)

8. Sector Considerations

At minimum, address whether additional sector overlays are needed for:

banking/finance
telecom
healthcare
government/public sector
critical infrastructure

9. Annex Precedence and Interaction

Define:

core vs annex precedence
sector overlay interaction
conflict handling within the annex scope

10. Coverage Limitations

Explicitly state:

what is not covered
interpretation uncertainty areas
pending regulations or implementing guidance
update triggers

Conflict Resolution Rules (Core vs Annex)

If the annex is stricter than AEEF core, the stricter annex control applies within the annex scope.
If sector overlays add obligations, they are additive unless explicitly documented as alternatives.
If a conflict cannot be resolved, document it in the annex and escalate under Regional Scheme Governance.

Versioning and Update Cadence

Recommended:

quarterly review for active annexes
ad hoc patch releases for urgent regulatory changes
immediate status note updates when source validity is uncertain

Minimum Publishable Annex Standard (MVP)

An annex may be published as draft only if it includes:

status note
applicability
source authority list
at least one core-to-annex mapping table
data residency/transfer notes
audit readiness checklist
coverage limitations

Purpose​

Annex Metadata (Required)​

Required Annex Sections​

1. Status Note and Claim Boundary​

2. Applicability​

3. Source Authority List​

4. Core-to-Annex Control Mapping​

5. Annex-Only Controls​

6. Evidence Requirements and Audit Readiness​

7. Data Residency and Cross-Border Transfer​

8. Sector Considerations​

9. Annex Precedence and Interaction​

10. Coverage Limitations​

Conflict Resolution Rules (Core vs Annex)​

Versioning and Update Cadence​

Minimum Publishable Annex Standard (MVP)​

Related Documents​