Glama
CSOAI-ORG

EU AI Act Compliance MCP

audit_report

Assess EU AI Act compliance for AI systems: classify risk, check requirements, generate documentation, calculate penalties, and produce a complete audit report.

Instructions

Generate a complete EU AI Act audit report.

Runs classification, compliance check, documentation generation, and penalty assessment — then combines everything into a comprehensive markdown audit report. This is the all-in-one tool for compliance officers.

Args:
    system_name: Name of the AI system.
    provider_name: Legal name of the AI system provider.
    provider_contact: Provider contact details.
    version: System version number.
    purpose: System's intended purpose and use context.
    description: General description of the system.
    data_types: Types of data processed.
    decision_scope: What decisions the system makes or assists with.
    architecture_description: Description of system architecture.
    has_risk_management: Whether risk management system exists.
    has_data_governance: Whether data governance practices exist.
    has_technical_docs: Whether technical documentation exists.
    has_logging: Whether automatic logging is implemented.
    has_transparency_info: Whether transparency info exists.
    has_human_oversight: Whether human oversight measures exist.
    has_accuracy_testing: Whether accuracy/robustness testing is done.
    annual_global_turnover_eur: Annual global turnover in EUR.
    is_sme: Whether the company is an SME.
    caller: Identifier for rate limiting.
    tier: "free" (10 calls/day) or "pro" (unlimited, $29/mo).

Behavior: This tool generates structured output without modifying external systems. Output is deterministic for identical inputs. No side effects. Free tier: 10/day rate limit. Pro tier: unlimited. No authentication required for basic usage.

When to use: Use this tool when you need to assess, audit, or verify compliance requirements. Ideal for gap analysis, readiness checks, and generating compliance documentation.

When NOT to use: Do not use as a substitute for qualified legal counsel. This tool provides technical compliance guidance, not legal advice.

Input Schema

The published schema carries no per-parameter descriptions (see the Parameters rating below); the only one added here is for api_key, which the tool's own Args list omits.

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| system_name | Yes | | |
| provider_name | Yes | | |
| provider_contact | Yes | | |
| version | Yes | | |
| purpose | Yes | | |
| description | Yes | | |
| data_types | Yes | | |
| decision_scope | Yes | | |
| architecture_description | Yes | | |
| has_risk_management | No | | |
| has_data_governance | No | | |
| has_technical_docs | No | | |
| has_logging | No | | |
| has_transparency_info | No | | |
| has_human_oversight | No | | |
| has_accuracy_testing | No | | |
| annual_global_turnover_eur | No | | |
| is_sme | No | | |
| caller | No | | anonymous |
| tier | No | | free |
| api_key | No | Pro API key; validated by `check_access` before anything else runs (see Implementation Reference) | |

Output Schema

| Name | Required | Description | Default |
|------|----------|-------------|---------|
| result | Yes | | |

Implementation Reference

  • The audit_report function is the tool's handler. It calls classify_ai_risk, check_compliance, assess_penalties, and get_timeline internally, then assembles everything into a comprehensive markdown audit report with executive summary, risk classification, compliance checklist, penalty exposure, implementation timeline, and recommendations. Despite the "documentation generation" wording in the description, it does not call generate_documentation: section 6 of the report only reflects the has_technical_docs flag and points the reader at that tool. The sub-tool calls pass tier "pro" explicitly so that one report consumes a single free-tier call rather than four.
    @mcp.tool()
    def audit_report(
        system_name: str,
        provider_name: str,
        provider_contact: str,
        version: str,
        purpose: str,
        description: str,
        data_types: str,
        decision_scope: str,
        architecture_description: str,
        has_risk_management: bool = False,
        has_data_governance: bool = False,
        has_technical_docs: bool = False,
        has_logging: bool = False,
        has_transparency_info: bool = False,
        has_human_oversight: bool = False,
        has_accuracy_testing: bool = False,
        annual_global_turnover_eur: float = 0,
        is_sme: bool = False,
        caller: str = "anonymous",
        tier: str = "free", api_key: str = "") -> str:
        """Generate a complete EU AI Act audit report.
    
        Runs classification, compliance check, documentation generation, and
        penalty assessment — then combines everything into a comprehensive
        markdown audit report. This is the all-in-one tool for compliance officers.
    
        Args:
            system_name: Name of the AI system.
            provider_name: Legal name of the AI system provider.
            provider_contact: Provider contact details.
            version: System version number.
            purpose: System's intended purpose and use context.
            description: General description of the system.
            data_types: Types of data processed.
            decision_scope: What decisions the system makes or assists with.
            architecture_description: Description of system architecture.
            has_risk_management: Whether risk management system exists.
            has_data_governance: Whether data governance practices exist.
            has_technical_docs: Whether technical documentation exists.
            has_logging: Whether automatic logging is implemented.
            has_transparency_info: Whether transparency info exists.
            has_human_oversight: Whether human oversight measures exist.
            has_accuracy_testing: Whether accuracy/robustness testing is done.
            annual_global_turnover_eur: Annual global turnover in EUR.
            is_sme: Whether the company is an SME.
            caller: Identifier for rate limiting.
            tier: "free" (10 calls/day) or "pro" (unlimited, $29/mo).
    
        Behavior:
            This tool generates structured output without modifying external systems.
            Output is deterministic for identical inputs. No side effects.
            Free tier: 10/day rate limit. Pro tier: unlimited.
            No authentication required for basic usage.
    
        When to use:
            Use this tool when you need to assess, audit, or verify compliance
            requirements. Ideal for gap analysis, readiness checks, and generating
            compliance documentation.
    
        When NOT to use:
            Do not use as a substitute for qualified legal counsel. This tool
            provides technical compliance guidance, not legal advice.
        """
        allowed, msg, tier = check_access(api_key)
        if not allowed:
            return {"error": msg, "upgrade_url": "https://meok.ai/pricing"}
        limit_err = _check_rate_limit(caller, tier)
        if limit_err:
            return {"error": "rate_limited", "message": limit_err}
    
        # Run sub-analyses (bypass rate limiting for internal calls)
        classification_raw = json.loads(classify_ai_risk(f"{purpose} {description} {data_types} {decision_scope}", caller, "pro"))
        compliance_raw = json.loads(check_compliance(
            system_name, purpose, data_types, decision_scope,
            has_risk_management, has_data_governance, has_technical_docs,
            has_logging, has_transparency_info, has_human_oversight,
            has_accuracy_testing, caller, "pro"))
    
        risk_level = classification_raw.get("classification", "unknown")
    
        # Determine applicable penalty tier
        # Determine applicable penalty tier. Only "prohibited" selects the Article 5
        # ceiling; every other classification (high-risk, limited, minimal) is scored
        # against the high-risk obligation ceiling, so lower-risk systems are reported
        # at a worst-case exposure rather than a tier-specific one.
        penalty_type = "prohibited" if risk_level == "prohibited" else "high_risk_obligations"
        penalty_raw = json.loads(assess_penalties(penalty_type, annual_global_turnover_eur, is_sme, caller, "pro"))
        timeline_raw = json.loads(get_timeline(caller, "pro"))
    
        # Timestamp the report with an aware UTC clock, since the label says UTC
        # (requires `from datetime import timezone`)
        now_utc = datetime.now(timezone.utc)
        date_str = now_utc.strftime("%Y-%m-%d %H:%M UTC")
    
        # Find next deadline (assumes EU_AI_ACT_TIMELINE is sorted by date ascending)
        today = now_utc.date()
        next_deadline = None
        for entry in EU_AI_ACT_TIMELINE:
            d = datetime.strptime(entry["date"], "%Y-%m-%d").date()
            if d > today:
                next_deadline = entry
                break
    
        # Build compliance summary table
        compliance_rows = ""
        for item in compliance_raw.get("checklist", []):
            status_icon = "PASS" if item["overall_status"] == "PASS" else "**FAIL**"
            compliance_rows += f"| {item['article']} | {item['title']} | {status_icon} |\n"
    
        # Build the report
        report = f"""# EU AI Act Compliance Audit Report
    
    **System:** {system_name}
    **Provider:** {provider_name} ({provider_contact})
    **Version:** {version}
    **Audit Date:** {date_str}
    **Audited by:** MEOK AI Labs EU AI Act Compliance Server
    
    ---
    
    ## Executive Summary
    
    | Field | Value |
    |-------|-------|
    | **Risk Classification** | **{risk_level.upper()}** |
    | **Classification Confidence** | {classification_raw.get('confidence', 'N/A')} |
    | **Compliance Score** | {compliance_raw.get('compliance_score', 'N/A')} |
    | **Checks Passed** | {compliance_raw.get('summary', {}).get('passed', 0)} / {compliance_raw.get('summary', {}).get('total_checks', 0)} |
    | **GDPR Relevant** | {'Yes' if compliance_raw.get('gdpr_relevant') else 'No'} |
    | **Special Category Data** | {'Yes - DPIA likely required' if compliance_raw.get('special_category_data') else 'No'} |
    | **Maximum Penalty Exposure** | EUR {penalty_raw.get('penalty_calculation', {}).get('applicable_maximum_eur', 'N/A')} |
    | **Next Enforcement Deadline** | {next_deadline['date'] + ' — ' + next_deadline['event'] if next_deadline else 'All deadlines passed'} |
    
    ---
    
    ## 1. Risk Classification (Article 6, Annex III)
    
    **Classification: {risk_level.upper()}**
    
    {classification_raw.get('analysis', '')}
    
    """
    
        if classification_raw.get("prohibited_matches"):
            report += "### Prohibited Practice Matches (Article 5)\n\n"
            for match in classification_raw["prohibited_matches"]:
                report += f"- **{match['article']}**: {match['description']}\n"
                report += f"  - Matched keywords: {', '.join(match['matched_keywords'])}\n"
            report += "\n"
    
        if classification_raw.get("high_risk_matches"):
            report += "### High-Risk Area Matches (Annex III)\n\n"
            for match in classification_raw["high_risk_matches"]:
                report += f"- **Area {match['area']}: {match['title']}** ({match['article_ref']})\n"
                report += f"  - {match['description']}\n"
                for sub in match.get("subcategories", []):
                    report += f"    - {sub}\n"
            report += "\n"
    
        if classification_raw.get("limited_risk_triggers"):
            report += f"### Limited Risk Transparency Triggers\n\n"
            report += f"Matched: {', '.join(classification_raw['limited_risk_triggers'])}\n\n"
    
        report += f"""---
    
    ## 2. Compliance Checklist (Articles 9-15)
    
    | Article | Requirement | Status |
    |---------|-------------|--------|
    {compliance_rows}
    
    ### Detailed Findings
    
    """
    
        for item in compliance_raw.get("checklist", []):
            report += f"#### {item['article']} — {item['title']}\n\n"
            report += f"*{item['description']}*\n\n"
            for check in item["checks"]:
                icon = "PASS" if check["status"] == "PASS" else "FAIL"
                report += f"- [{icon}] {check['check']}\n"
            report += "\n"
    
        report += f"""---
    
    ## 3. Penalty Exposure (Article 99)
    
    | Parameter | Value |
    |-----------|-------|
    | **Violation Type** | {penalty_raw.get('violation_type', 'N/A')} |
    | **Legal Basis** | {penalty_raw.get('legal_basis', 'N/A')} |
    | **Fixed Maximum** | EUR {penalty_raw.get('penalty_calculation', {}).get('fixed_maximum_eur', 'N/A')} |
    | **Turnover Percentage** | {penalty_raw.get('penalty_calculation', {}).get('turnover_percentage', 'N/A')} |
    | **Company Turnover** | EUR {penalty_raw.get('penalty_calculation', {}).get('company_turnover_eur', 'N/A')} |
    | **Applicable Maximum** | EUR {penalty_raw.get('penalty_calculation', {}).get('applicable_maximum_eur', 'N/A')} |
    | **SME Status** | {'Yes — proportionate penalties apply' if is_sme else 'No'} |
    
    ### Aggravating Factors to Monitor
    """
    
        for factor in penalty_raw.get("aggravating_factors", []):
            report += f"- {factor}\n"
    
        report += "\n### Mitigating Factors to Leverage\n"
        for factor in penalty_raw.get("mitigating_factors", []):
            report += f"- {factor}\n"
    
        report += f"""
    
    ---
    
    ## 4. Implementation Timeline
    
    """
    
        for entry in timeline_raw.get("timeline", []):
            report += f"- **{entry['date']}** — {entry['event']} [{entry['status']}]\n"
            report += f"  - Reference: {entry['article_reference']}\n"
    
        report += f"""
    
    ---
    
    ## 5. Recommendations
    
    """
    
        if risk_level == "prohibited":
            report += """### CRITICAL — Prohibited System
    
    1. **IMMEDIATELY** cease development and deployment of this AI system
    2. Seek urgent legal counsel on Article 5 compliance
    3. Assess whether any exceptions apply (e.g., law enforcement exceptions under Article 5(1)(h))
    4. Document all steps taken for regulatory cooperation
    5. Consider system redesign to fall outside prohibited categories
    
    """
        elif risk_level == "high-risk":
            failed_articles = [item for item in compliance_raw.get("checklist", []) if item["overall_status"] == "FAIL"]
            if failed_articles:
                report += "### Priority Actions (Non-Compliant Requirements)\n\n"
                for i, item in enumerate(failed_articles, 1):
                    report += f"{i}. **{item['article']} — {item['title']}**: Establish and document compliance measures\n"
                report += "\n"
    
            report += """### General High-Risk Compliance Actions
    
    1. Establish or review the Risk Management System (Article 9) — continuous lifecycle process
    2. Implement data governance per Article 10, including bias assessments
    3. Complete Annex IV technical documentation (use the `generate_documentation` tool)
    4. Deploy automatic event logging (Article 12)
    5. Prepare instructions for use and transparency information (Article 13)
    6. Design and document human oversight measures (Article 14)
    7. Conduct accuracy, robustness, and cybersecurity testing (Article 15)
    8. Register the system in the EU database (Article 49)
    9. Plan conformity assessment procedure (Article 43)
    10. Establish post-market monitoring system (Article 72)
    
    """
        else:
            report += """### Minimal/Limited Risk Actions
    
    1. Consider voluntary adoption of high-risk requirements (Article 95 codes of conduct)
    2. Ensure transparency obligations are met if applicable (Article 50)
    3. Monitor regulatory developments — classification may change with delegated acts
    4. Consider joining the AI Pact for early adoption recognition
    
    """
    
        if compliance_raw.get("gdpr_relevant"):
            report += """### GDPR Alignment
    
    - Ensure lawful basis for personal data processing
    - Conduct Data Protection Impact Assessment (DPIA) if processing special category data
    - Review data minimisation and purpose limitation compliance
    - Verify data subject rights mechanisms are in place
    
    """
    
        report += f"""---
    
    ## 6. Technical Documentation Status
    
    {"Technical documentation exists — verify it follows Annex IV structure." if has_technical_docs else "**ACTION REQUIRED**: No technical documentation declared. Use the `generate_documentation` tool to create an Annex IV-compliant template."}
    
    ---
    
    *This audit report was generated by the MEOK AI Labs EU AI Act Compliance MCP Server.*
    *It is based on Regulation (EU) 2024/1689 as published in the Official Journal.*
    *This report does not constitute legal advice. Consult qualified legal counsel for definitive compliance guidance.*
    
    **MEOK AI Labs** | [meok.ai](https://meok.ai) | The only MCP server for EU AI Act compliance
    """
    
        return {
            "format": "markdown",
            "report": report,
            "risk_classification": risk_level,
            "compliance_score": compliance_raw.get("compliance_score"),
            "max_penalty_eur": penalty_raw.get("penalty_calculation", {}).get("applicable_maximum_eur"),
            "failed_requirements": [
                item["article"] for item in compliance_raw.get("checklist", [])
                if item["overall_status"] == "FAIL"
            ],
            "meok_labs": "https://meok.ai",
        }
  • server.py:1471-1471 (registration)
    The tool is registered via the @mcp.tool() decorator on the FastMCP instance 'mcp' (line 429). This is the registration mechanism for the audit_report tool.
    @mcp.tool()
  • The function signature serves as the input schema with typed parameters for system details, compliance flags, financial info, and API key. Note the mismatch between the declared return type `str` and the body, which returns a dict (`format`, `report`, `risk_classification`, `compliance_score`, `max_penalty_eur`, `failed_requirements`, `meok_labs`, or `error` plus `upgrade_url` / `message` on failure). The single `result` field in the published Output Schema comes from the `str` annotation, so clients should parse the structured dict rather than expect a bare string.
    def audit_report(
        system_name: str,
        provider_name: str,
        provider_contact: str,
        version: str,
        purpose: str,
        description: str,
        data_types: str,
        decision_scope: str,
        architecture_description: str,
        has_risk_management: bool = False,
        has_data_governance: bool = False,
        has_technical_docs: bool = False,
        has_logging: bool = False,
        has_transparency_info: bool = False,
        has_human_oversight: bool = False,
        has_accuracy_testing: bool = False,
        annual_global_turnover_eur: float = 0,
        is_sme: bool = False,
        caller: str = "anonymous",
        tier: str = "free", api_key: str = "") -> str:
  • Helper called first by audit_report (line 1536). It delegates to `_shared_check_access(api_key)` and returns `(allowed, msg, tier)`; the returned tier overwrites the `tier` argument the client passed, so a client cannot promote itself to "pro" by setting that parameter, only by presenting an api_key that `check_access` accepts. Rate limiting is a separate step handled by `_check_rate_limit`.
    def check_access(api_key: str = ""):
        """Unified access check — works with or without shared auth engine."""
        return _shared_check_access(api_key)
  • Helper called by audit_report directly after check_access to enforce the free-tier limit of FREE_DAILY_LIMIT (10) calls per rolling 24 hours. The usage buckets live in a process-local dict keyed by the `caller` string the client supplies, so the limit is advisory rather than enforced: a client that sends a different `caller` on each request gets a fresh bucket every time, and a server restart clears all buckets. Anything that needs a real quota has to key on an identity the server derives itself (the API key, or the transport peer) and keep the counters in shared storage.
    def _check_rate_limit(caller: str = "anonymous", tier: str = "free") -> Optional[str]:
        """Returns error string if rate-limited, else None. No API key required for free tier."""
        if tier == "pro":
            return None
        now = datetime.now()
        cutoff = now - timedelta(days=1)
        _usage[caller] = [t for t in _usage[caller] if t > cutoff]
        if len(_usage[caller]) >= FREE_DAILY_LIMIT:
            return (
                f"Free tier limit reached ({FREE_DAILY_LIMIT}/day). "
                "Upgrade to MEOK AI Labs Pro for unlimited access at $29/mo: "
                "https://meok.ai/mcp/eu-ai-act/pro"
            )
        _usage[caller].append(now)
        return None
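The limiter above keys its buckets on a request field. The following example was written for this page and is not part of the CSOAI-ORG server: it reproduces the shipped control flow with an injectable clock, shows that rotating `caller` defeats it, and contrasts a limiter keyed on a server-derived identity (a digest of the API key when one is present, otherwise the transport peer address). The peer address `203.0.113.7`, the fixed start time, and the `RateLimiter` class are assumptions for illustration, not the project's code.

```python
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple

FREE_DAILY_LIMIT = 10
WINDOW = timedelta(days=1)

# --- As shipped: the bucket key is whatever the client passes as `caller` -----
_usage: Dict[str, List[datetime]] = defaultdict(list)


def check_rate_limit_as_shipped(caller: str = "anonymous", tier: str = "free",
                                now: Optional[datetime] = None) -> Optional[str]:
    """Same control flow as the server's _check_rate_limit, with an injectable clock."""
    if tier == "pro":
        return None
    now = now or datetime.now()
    cutoff = now - WINDOW
    _usage[caller] = [t for t in _usage[caller] if t > cutoff]
    if len(_usage[caller]) >= FREE_DAILY_LIMIT:
        return f"Free tier limit reached ({FREE_DAILY_LIMIT}/day)."
    _usage[caller].append(now)
    return None


def shipped_calls_allowed(key_fn: Callable[[int], str], total_calls: int) -> int:
    """How many of `total_calls` free-tier calls succeed when call i is keyed by key_fn(i)."""
    _usage.clear()
    t0 = datetime(2025, 1, 1, 12, 0)  # constructed fixed clock so the result is deterministic
    return sum(
        check_rate_limit_as_shipped(key_fn(i), "free", now=t0 + timedelta(seconds=i)) is None
        for i in range(total_calls)
    )


# --- Hardened: key on something the server derives, never on a request field --
class RateLimiter:
    """Sliding-window limiter keyed by a server-derived identity (hypothetical class).

    Buckets are still process-local memory, as in the original, so they reset on
    restart and are not shared between workers; a shared store is needed for that.
    """

    def __init__(self, limit: int = FREE_DAILY_LIMIT, window: timedelta = WINDOW):
        self.limit = limit
        self.window = window
        self._buckets: Dict[str, List[datetime]] = defaultdict(list)

    @staticmethod
    def key_for(peer_addr: str, api_key: str = "") -> str:
        """Authenticated callers: digest of the key (never store the raw secret).
        Anonymous callers: the transport peer address, which only the server knows
        (behind a reverse proxy, take it from a proxy-set header you trust)."""
        if api_key:
            return "key:" + hashlib.sha256(api_key.encode()).hexdigest()[:16]
        return "peer:" + peer_addr

    def check(self, key: str, now: datetime) -> Optional[str]:
        cutoff = now - self.window
        bucket = [t for t in self._buckets[key] if t > cutoff]
        if len(bucket) >= self.limit:
            self._buckets[key] = bucket
            retry_after = (bucket[0] + self.window) - now
            return f"rate_limited; retry in {int(retry_after.total_seconds())}s"
        bucket.append(now)
        self._buckets[key] = bucket
        return None


def hardened_calls_allowed(total_calls: int, peer_addr: str = "203.0.113.7") -> int:
    """Same experiment against the hardened limiter: any client-chosen label is ignored."""
    rl = RateLimiter()
    t0 = datetime(2025, 1, 1, 12, 0)
    key = RateLimiter.key_for(peer_addr)  # derived from the connection, not the request body
    return sum(rl.check(key, t0 + timedelta(seconds=i)) is None for i in range(total_calls))


def window_expiry(limit: int = 2) -> Tuple[bool, bool, bool]:
    """(allowed up to the limit, blocked at the limit, allowed again once the window has rolled)."""
    rl = RateLimiter(limit=limit)
    key = RateLimiter.key_for("203.0.113.7")
    t0 = datetime(2025, 1, 1, 12, 0)
    first = all(rl.check(key, t0 + timedelta(seconds=i)) is None for i in range(limit))
    blocked = rl.check(key, t0 + timedelta(seconds=limit)) is not None
    reopened = rl.check(key, t0 + WINDOW + timedelta(seconds=limit)) is None
    return first, blocked, reopened


if __name__ == "__main__":
    print("fixed caller   :", shipped_calls_allowed(lambda i: "anonymous", 25))  # 10
    print("rotating caller:", shipped_calls_allowed(lambda i: f"anon-{i}", 25))  # 25, limit bypassed
    print("server-keyed   :", hardened_calls_allowed(25))                        # 10
```

The hardened variant changes only where the key comes from; the window arithmetic is the same. Keying anonymous callers on the peer address is the weakest of the options (shared NATs collide, proxies must be trusted to set the forwarded address), which is why the server-side counter for a paid tier should hang off the API key digest rather than anything the client can choose.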
Behavior: 5/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations, the description fully discloses that the tool generates structured output without side effects, is deterministic, has rate limits by tier, and requires no authentication. This is exemplary transparency.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness: 4/5

Is the description appropriately sized, front-loaded, and free of redundancy?

Well-structured with clear sections and front-loaded purpose. However, the Args list is long (21 parameters), making the description somewhat lengthy but still efficient for a complex tool.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness: 5/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (21 parameters, no annotations, but has output schema), the description covers all necessary aspects: purpose, parameters, behavior, and usage conditions. It is comprehensive.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters: 5/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Despite 0% schema description coverage, the description includes an Args section with brief explanations for 20 of the 21 parameters (api_key is the one omitted), adding meaning beyond the schema titles.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose: 5/5

Does the description clearly state what the tool does and how it differs from similar tools?

Clearly states 'Generate a complete EU AI Act audit report' and describes sub-steps. Differentiates from siblings by calling itself 'all-in-one tool for compliance officers', while siblings like assess_penalties and check_compliance are sub-tasks.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines: 4/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

Provides explicit 'When to use' and 'When NOT to use' sections, but does not explicitly contrast with sibling tools. It gives good context for usage but lacks direct alternative guidance.

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.


MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/CSOAI-ORG/eu-ai-act-compliance-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server