A contribution to the public debate on a possible future standardisation and regulatory framework. Questions of technical and functional safety are deliberately excluded and will be addressed separately in an announced second impulse paper.
A lawn-mowing robot in the garden and a humanoid care companion in the bedroom of a person with dementia should not be evaluated by the same logic when it comes to data sovereignty and data security. Today they often are.
This paper proposes classifying smart robotic systems along six context dimensions into five categories (HU-RAC 1 to HU-RAC 5) and assigning each category a graduated expectation profile on questions of data protection, key sovereignty, tenant isolation, AI reference and operational continuity. The approach follows the principle of the most stringent condition: the highest classification on a single axis determines the overall category.
HU-RAC is not intended to replace existing legal acts, but to act as an overlay: a domain-specific organising and translation grid that makes the GDPR, the AI Act, the Machinery Regulation, the Cyber Resilience Act and the relevant ISO standards applicable in context. The regulatory frameworks exist; what is missing is their coherent, robotics-specific operationalisation.
The framework integrates a second perspective: the commercial one. The RARI framework of Persona AI (Radford, Humanoids Summit 2025) shows that precisely industries with complex regulatory environments — Healthcare, Home — exhibit the lowest commercial readiness. A clear classification system lowers compliance friction and raises adoption readiness exactly where the market is currently stalling. In this reading, standardisation becomes a lever for market opening.
The gap is not hypothetical. Three events from the past 18 months show how concrete it becomes as soon as service robots enter sensitive areas.
Approximately 6,700 devices compromised through a flaw in the MQTT backend. Attackers with valid credentials could, by manipulating device references, access cameras, microphones and floor plans of other users' apartments.
A market-dominant US technology group withdrew its zero-knowledge cloud-storage feature for British users after the British security authorities issued a corresponding order. Comparable legal bases exist in Germany (G10 Act, TKÜV) and France.
A European manufacturer of networked blood-pressure devices filed for insolvency, shut down its cloud — and with it the apps without which the devices were inoperable, plus the historical user data not held locally.
The model proposes six observation axes, each evaluated individually. The overall classification follows the principle of the most stringent condition: the highest value on any axis determines the category.
From private outdoor through commercial-enclosed and publicly intensive areas to care, education, childcare and militarily sensitive contexts.
Stationary, wheel-based mobile, flight-capable, bipedal or dynamically stable, aquatic. Each form factor triggers different machine-safety aspects.
From pure machine telemetry through person-identifiable environmental data and biometrics up to intimate long-term observation.
Classified by the AI Act: from trivial functions through limited risk and high risk up to high risk with vulnerable target group or state sensitivity.
Kinematic energy, reach, interaction capability with humans. Used here as context information; safety expectations are addressed in a separate paper.
Operator only, employees, uninvolved third parties, vulnerable groups, or legally specially protected circles such as bearers of professional secrets.
The overall category is determined by the highest value on any of the six axes — analogous to hazardous-goods classification. A second rule prevents under-classification of multi-faceted systems: if three or more axes lie in the mid-range, at least HU-RAC 3 is reached, even if no single axis reaches the highest level.
Two narrow exceptions apply: technically enclosed temporary high-risk modes (with explicit consent, air-gapped processing and audit logs) and pure research deployments under Art. 89 GDPR with ethics-committee supervision may be classified one tier lower for the duration of the research, where this is documented in the DPIA.
The matrices translate the five categories into a differentiated expectation profile across data sovereignty, AI reference, cybersecurity, key sovereignty, tenant isolation, data-subject protection and standards connection. Below: the data-sovereignty matrix as a representative excerpt. The full set of seven matrices is contained in the paper.
| Aspect (Data Sovereignty & Data Protection) | HU-RAC 1 | HU-RAC 2 | HU-RAC 3 | HU-RAC 4 | HU-RAC 5 |
|---|---|---|---|---|---|
| Data processing in EU/CH | R | E-Min | E-Min | E-Min | E-Min |
| Independence from US hyperscalers | – | R | E-Plus | E-Plus | E-Min |
| Complete DPA under Art. 28 GDPR | R | E-Min | E-Min | E-Min | E-Min |
| Art. 48 GDPR clause | – | E-Plus | E-Min | E-Min | E-Min |
| Disclosure of sub-processors | – | E-Min | E-Min | E-Min | E-Min |
| Consent requirement for changes | – | – | E-Plus | E-Min | E-Min |
| Warrant canary / transparency obligation | – | – | R | E-Plus | E-Plus |
| Art. 9 GDPR concept for biometrics | – | – | R | E-Min | E-Min |
| DPIA with data-flow documentation | – | – | R | E-Min | E-Min |
| Sovereign cloud (C5-certified) | – | – | O | R | E-Min |
The split into E-Min and E-Plus allows a realistic self-assessment: start-ups and SMEs can begin with E-Min and declare E-Plus as a development roadmap without falling out of the HU-RAC category. The matrices are cumulative in intent: a higher category encompasses the underlying considerations and adds further ones.
The HU-RAC category alone represents the infringement and regulatory risks. Whether a system's failure leads to production standstill or only to a postponed test series is a separate question. The framework therefore adds two orthogonal dimensions.
Level A — process- or safety-critical (≥ 20% of core operational performance, statutory availability obligations, or recovery > 72 h).
Level B — operationally important, but bridgeable within 24 h.
Level C — failure tolerable, no third parties affected.
R1 — established large enterprise.
R2 — stable mid-sized enterprise.
R3 — start-up with elevated insolvency or change-of-control risk. For HU-RAC 4 and 5, R3 is only justifiable with fully developed continuity mechanisms.
| HU-RAC × Level | Minimum Cloud Autonomy | Further Requirements |
|---|---|---|
| HU-RAC 4 × A | 24 months | Basic functions local; data export possible at any time; source and data escrow mandatory |
| HU-RAC 4 × B | 12 months | Basic functions local; data export; source escrow recommended |
| HU-RAC 3 × A | 12 months | Core operation local; data export; exit clauses contractual |
| HU-RAC 3 × B | 6 months | Core operation local; data export |
| HU-RAC 2 × C | Recommended | Easy data export possible; degraded mode optional |
The threshold values are intended as discussable orientation and can be refined in concrete standardisation procedures.
HU-RAC positions itself as an overlay, not a replacement. The four-step process shows how it embeds in a classification decision without competing with the GDPR, the AI Act or the Machinery Regulation.
Does the system fall into a high-risk category under Annex III or as a safety component? Do the obligations under Art. 9 ff. apply (risk management, data quality, documentation, logging, transparency, human oversight, accuracy)?
Classification into HU-RAC 1–5 along the six axes, applying the aggregation logic. Determination of the business-criticality level A/B/C and the provider-resilience class R1/R2/R3.
Are personal data processed? If so: Art. 6 legal basis, Art. 9 special categories, Art. 28 DPA, Art. 35 DPIA obligation (regularly required from HU-RAC 3 onwards), Art. 44 ff. third-country transfer, Art. 48 orders by third countries.
Derivation of additional expectations from the matrices: key sovereignty, tenant isolation, data-subject protection, cybersecurity, standards connection. Plus: sectoral law (MDR, social-security law, KRITIS) and the Machinery Regulation (MR 2023/1230).
The paper deliberately does not address questions of technical and functional safety. These deserve their own conceptual framework, with their own professional culture, normative references and circle of participants. Mixing both fields in a single paper would do justice to neither.
Excluded from scope are: emergency-stop logic and shutdown concepts for dynamically stable and flight-capable systems; behaviour during power loss in bipedal humanoids and quadrupeds; power-and-force-limiting thresholds in non-industrial contexts; dynamic stability and crash risks; aerospace intersection issues; certifiability of learning AI components as a safety function under ISO 13849-1; and approval and type-examination issues by notified bodies.
Humanide GmbH is preparing a second impulse paper on these technical and functional safety questions, with a focus on shutdown logic for dynamically stable systems, demarcation from the classical emergency-stop concept under ISO 13850, certifiability of learning safety functions, and interfaces with aviation approval. Both papers will cross-reference each other.
This paper is not a standard and does not wish to become one — unless the resonance from professional circles makes the step plausible. For that case, the following connection possibilities are conceivable:
The author does not regard this paper as a final word, but as an invitation to discussion. Feedback, criticism and proposals for extensions are expressly welcome.
The distribution and citation of this impulse paper is expressly welcomed, provided that the authorship of Humanide GmbH is named and the character as a non-binding discussion document remains recognisable.
Humanide GmbH
Dittmar Müller, Managing Director
Mauritiussteinweg 11, 50676 Cologne, Germany
Email: info@humanide.com
Phone: +49 221 922840
LinkedIn: in/dittmarmueller
Information pursuant to Section 5 of the German Telemedia Act (TMG).
Humanide GmbH
Mauritiussteinweg 11
50676 Cologne
Germany
Mauritiussteinweg 11
50676 Cologne
Germany
Dittmar Müller
Managing Director
Phone: +49 221 922840
Email: info@humanide.com
Local Court of Cologne (Amtsgericht Köln)
Registration number: HRB 115169
Registered office: Cologne
VAT ID under § 27a UStG:
DE362951755
The European Commission provides a platform for online dispute resolution (ODR): https://ec.europa.eu/consumers/odr. You can find our email address above in this legal notice. We are neither willing nor obliged to participate in dispute resolution proceedings before a consumer arbitration board.
As a service provider, we are responsible for our own content on these pages in accordance with Section 7 (1) of the German Telemedia Act (TMG) and general legislation. However, pursuant to Sections 8 to 10 TMG, we are not obliged to monitor transmitted or stored third-party information or to investigate circumstances that indicate illegal activity. Obligations to remove or block the use of information under general laws remain unaffected. Liability in this respect is only possible from the time we become aware of a specific legal violation. Upon becoming aware of such violations, we will remove the content immediately.
Our website contains links to external third-party websites over whose content we have no influence. Therefore, we cannot assume any liability for this external content. The respective provider or operator of the linked pages is always responsible for their content. The linked pages were checked for possible legal violations at the time of linking. Illegal content was not recognisable at the time of linking. However, permanent monitoring of the content of linked pages is not reasonable without concrete indications of a legal violation. If we become aware of any legal violations, we will remove such links immediately.
The content and works created by the website operators on these pages are subject to German copyright law. Duplication, editing, distribution, and any form of exploitation outside the limits of copyright law require the written consent of the respective author or creator. Downloads and copies of this site are permitted for private, non-commercial use only. Insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is identified as such. Should you nevertheless become aware of a copyright infringement, please notify us accordingly. Upon becoming aware of legal violations, we will remove such content immediately.
eRecht24
Information on the processing of personal data on this website is provided in the Privacy Notice below.
Information pursuant to Art. 13 GDPR on the processing of personal data on this website. Last updated: 30 April 2026.
The controller responsible for the processing of personal data on this website within the meaning of Art. 4 (7) GDPR is:
Humanide GmbH
Mauritiussteinweg 11, 50676 Cologne, Germany
Phone: +49 221 922840
Email: info@humanide.com
Humanide GmbH has not appointed a Data Protection Officer, as the conditions of Art. 37 GDPR and Section 38 BDSG (German Federal Data Protection Act) are not met. For data protection inquiries, please contact the controller using the details above.
This website is a static technical publication. It does not use cookies, tracking technologies, web analytics, social media plugins, embedded videos, externally loaded fonts, or any other third-party services. No personal data is collected through forms, registration or comments — none of these features exist on this site.
When you access this website, our hosting provider (IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany — acting as processor under Art. 28 GDPR pursuant to a data processing agreement) automatically records the following information in server log files:
These data are stored for a maximum of 8 weeks and are processed exclusively for ensuring the technical security and stability of the website (defence against attacks, troubleshooting). The legal basis is Art. 6 (1) lit. f GDPR (legitimate interest in operating a secure and stable website). The data are not merged with other data sources and are not used for the creation of usage profiles.
This website uses SSL/TLS encryption for the transmission of all content. You can recognise an encrypted connection by the "https://" prefix and the lock symbol in your browser.
This website contains links to external resources (e.g. www.humanide.com, ec.europa.eu, linkedin.com). When you click such a link, you leave this website and enter the data protection regime of the respective external operator. We have no influence on, and accept no responsibility for, the data processing on these external pages.
Under the GDPR, you have the following rights regarding personal data concerning you:
The competent supervisory authority for Humanide GmbH is the Landesbeauftragte für Datenschutz und Informationsfreiheit Nordrhein-Westfalen (LDI NRW), Kavalleriestr. 2–4, 40213 Düsseldorf, Germany. To exercise your rights, please contact the controller using the details above.
We may update this Privacy Notice to reflect changes in our processing activities or legal requirements. The current version, identified by the "last updated" date above, applies to all visits to this website.