ai-act-mcp

Lint your AI system for EU AI Act compliance — before the regulators do.

A local Model Context Protocol server that classifies any AI system under the EU AI Act, lists the obligations that apply to you with article citations, tells you your actual deadline, and scans your repo for missing compliance artifacts.

Runs entirely on your machine. Supports fully offline classification via a local small model — your system description never leaves your laptop.

Quick start · Offline with Ollama · All four tools · Contributing

Recording the demo: install VHS, run npm run build, then cd demo && vhs demo.tape. A demo.gif will appear — drop it here.

Why this exists

The EU AI Act is live and has teeth:

• Feb 2025 — prohibited practices enforceable. €35M or 7% of global turnover.

• Aug 2025 — GPAI model obligations active.

• Aug 2026 — transparency requirements apply.

• Dec 2027 — high-risk (Annex III) obligations due.

Most teams have no idea which tier they're in. This gives you a grounded first pass in seconds, inside the agent you already use — with a citation for every claim so you can verify it.

⚠️ Informational triage, not legal advice. Confirm classifications with qualified counsel.

Related MCP server: GDPR Compliance for AI Systems MCP Server

Tools

Four tools exposed to any MCP-compatible agent (Claude Code, Cursor, Claude Desktop, Windsurf, Cline, …):

The rules live in a single versioned, citation-backed file: rules/ruleset.json. It reflects Regulation (EU) 2024/1689 as amended by the May 2026 Digital Omnibus agreement, and is date-stamped so you always know how current it is.

Install

Option A — npx (zero install, once published to npm)

{
  "mcpServers": {
    "ai-act": {
      "command": "npx",
      "args": ["-y", "ai-act-mcp"]
    }
  }
}

Option B — clone and build

git clone https://github.com/a2welt/ai-act-mcp
cd ai-act-mcp
npm install && npm run build

{
  "mcpServers": {
    "ai-act": {
      "command": "node",
      "args": ["/absolute/path/to/ai-act-mcp/dist/index.js"]
    }
  }
}

Client config locations:

Restart your agent and ask: "Classify my hiring tool under the EU AI Act."

Fully offline — Ollama

Your AI-system description is exactly the kind of proprietary text you should not send to a cloud service. Run classification on a small local model instead — nothing leaves your machine:

# 1. Pull a model (any small instruct model works)
ollama pull llama3.2

# 2. Test it from your terminal (builds a vivid picture of what the tool does)
node demo/test-local.mjs

# 3. Register with your agent using the local backend

{
  "mcpServers": {
    "ai-act": {
      "command": "node",
      "args": ["/absolute/path/to/ai-act-mcp/dist/index.js"],
      "env": {
        "AI_ACT_CLASSIFIER": "local",
        "AI_ACT_SLM_MODEL": "llama3.2"
      }
    }
  }
}

The model only ever picks among the ruleset's enumerated, cited categories — it never invents law. This is what makes a small model reliable: you've constrained its job to classification-against-known-rules, not open-ended legal reasoning. If the model is unreachable for any reason, the server falls back to the deterministic keyword screen automatically.

Backend options

Extra env vars for local mode:

Example

Prompt: I'm building a tool that screens job applicants' CVs and ranks them. Classify it under the EU AI Act.

# AI Act risk classification

**Likely tier: High-risk** (Art. 6 + Annex I / Annex III)

Permitted but subject to the heaviest obligations (risk management, data
governance, logging, human oversight, conformity assessment, registration).

## ⚠️ Possible high-risk categories (Annex III)
- **Employment**: recruitment, screening, filtering applications, evaluating
  candidates, or decisions on promotion/termination/task allocation — Annex III(4)

> Check the Art. 6(3) exemption: system does NOT pose a significant risk of harm
  to health, safety or fundamental rights…

## What to do next
Run `check_obligations` with tier "high" and your role (provider or deployer)
for the full obligation list, and `next_deadlines` for your timeline.

---
Ruleset 2026.06 (current as of 2026-06-09). Informational triage only.
Not legal advice. Verify against the official text and consult qualified counsel.

Run the tests

npm test

15 tests covering classification, obligations, deadlines, repo scanning, all three classifier backends, and the offline fallback path.

Roadmap

• Four core tools — classify, obligations, deadlines, repo scan

• Versioned, citation-backed ruleset (rules/ruleset.json)

• Pass / warn / fail repo artifact checklist

• Per-tier deadlines in obligation output

• Pluggable classifier backends — keyword (default), local SLM (fully offline via Ollama), host-model sampling

• npm publish — zero-install npx setup

• FRIA (fundamental rights impact assessment) scaffold generator

• GPAI Code of Practice checklist

• Ruleset auto-update workflow as Omnibus amendments are adopted

Contributing

Corrections to the ruleset — with article citations — are the most valuable contributions. See CONTRIBUTING.md for the full guide.

Quick ways to help:

• 🔍 Found a wrong classification? Open a ruleset correction issue

• 🐛 Something broken? Open a bug report

• ⭐ Find it useful? Star the repo — it helps compliance teams discover it

License

MIT — see LICENSE