eu-ai-act-compliance

EU AI Act Compliance – Knowledge Base

Regulation (EU) 2024/1689 · Skill version 2.0.0 Does NOT replace individual legal advice. State this to the user when relevant.

Slash command: /euaiact

When the user types /euaiact, respond with a status card:

EU AI Act Compliance Skill — active
Knowledge base last updated: [read status_date from JSON]
Days since update: [calculate from today's date]
Coverage: Regulation (EU) 2024/1689 + Commission Art. 5 guidelines + GPAI Code of Practice
Companion: GDPR skill (/gdpr)

Current enforcement status:
✅ IN EFFECT: Art. 5 prohibitions, GPAI obligations, fines
⏳ UPCOMING (Aug 2026): High-risk, deployer obligations, Art. 50 transparency
⏳ FUTURE (Aug 2027): AI in regulated products (Annex I)

How can I help? Examples:
• Screen a project against Art. 5 prohibited practices
• Classify an AI system's risk level
• Check GPAI obligations for model providers
• Walk through the combined AI Act + GDPR screening sequence

If the knowledge base is older than 180 days, add a warning:

⚠️ This knowledge base is [X] months old. The AI Act is in active rollout — new guidance may exist.
Searching for recent regulatory changes...

Then use web search to check for recent Commission guidelines, delegated acts, enforcement actions, or updates to the GPAI Code of Practice.

Freshness check

Every time this skill is loaded, compare the status_date field in the JSON against today's date:

• < 6 months old: Use the knowledge base with confidence. No warning needed.
• 6-12 months old: Add a brief note at the end of your response: "Note: this knowledge base was last updated [date]. The AI Act is in active rollout — check digital-strategy.ec.europa.eu for the latest."
• > 12 months old: Add a prominent warning at the START of your response and actively search the web for updates before giving advice. The AI Act timeline is critical — new phases may have come into effect. Key things to search for: new Commission delegated acts, harmonised standards, enforcement decisions, updates to Annex III, new GPAI obligations.

Also re-evaluate the timeline table: dates that were "UPCOMING" may now be "IN EFFECT".

CRITICAL: Phased enforcement

The AI Act is NOT a single start date. Different provisions apply at different times. Always check the timeline before advising:

Date	Status	What applies
2025-02-02	IN EFFECT	Art. 1-4: definitions, scope, AI literacy
2025-08-02	IN EFFECT	Art. 5 prohibitions, GPAI (Ch. V), governance, fines
2026-08-02	UPCOMING	High-risk obligations, deployer obligations, Art. 50 transparency
2027-08-02	FUTURE	Art. 6(1) – AI in regulated products (Annex I)

When advising users, always clarify which phase their obligations fall in. "From August 2026" is not the same as "applies now".

MANDATORY first step: Load reference data

ALWAYS load the full knowledge base before responding to any AI Act question. Do not rely on this summary alone — the JSON contains the complete decision tree, all 8 prohibited practices with detail, Annex III categories, high-risk requirements, GPAI obligations, fine tiers, and GDPR interplay mapping.

view references/eu_ai_act_en.json

First question for every AI project: Art. 5 screening

Every AI project starts with a prohibited practices check. This is non-negotiable and applies NOW:

1. Does the system use subliminal/manipulative/deceptive techniques?
2. Does it exploit vulnerabilities (age, disability, economic situation)?
3. Is it social scoring by a public authority?
4. Is it crime prediction based solely on profiling?
5. Does it involve untargeted facial scraping?
6. Does it use emotion recognition in the workplace or education?
7. Does it biometrically categorise people by sensitive characteristics?
8. Does it use real-time remote biometric identification in public spaces?

If ANY answer is yes → investigate the specific prohibition's cumulative conditions. If conditions are met → the project is prohibited. Stop, document, escalate.

Risk classification flow

After Art. 5 is cleared, classify the system:

1. Is it a GPAI model? → Ch. V obligations (in effect now). Check if FLOPs > 10^25 for systemic risk.
2. Does it fall in Annex III or Annex I? → High-risk. Obligations from Aug 2026 — start preparing now.
3. Is Art. 50 relevant? (chatbot, generative content, deepfake, emotion/biometrics) → Transparency obligations from Aug 2026.
4. None of the above → Minimal risk. Consider voluntary code of conduct (Art. 95). Still screen for GDPR.

Key rule: Profiling of natural persons = ALWAYS high-risk (Art. 6(3)), regardless of other exemptions.

Annex III high-risk categories

Flag these when the user's AI system touches any of these domains:

1. Biometrics
2. Critical infrastructure
3. Education and vocational training
4. Employment – recruitment, evaluation, promotion
5. Essential services – credit, insurance, health, social benefits
6. Law enforcement
7. Migration, asylum and border management
8. Justice and democratic processes

When to proactively warn the user

React with a clear warning if you spot:

• Any AI practice that could fall under Art. 5 prohibitions
• An AI system in an Annex III category without compliance planning
• Use of emotion recognition or biometric categorisation
• Automated decisions about people without human oversight design
• Chatbots or generative AI without transparency/disclosure design
• AI-generated content without watermarking/labelling plans
• A deployer modifying a high-risk system (triggers provider obligations under Art. 25)

GDPR interplay

The AI Act and GDPR apply cumulatively. When both are relevant, use this screening order:

1. Art. 5 screening (prohibited?) → STOP if yes
2. AI Act role and scope
3. Does it process personal data? → GDPR applies
4. GDPR legal basis (Art. 6)
5. Special categories (GDPR Art. 9)?
6. High-risk under AI Act?
7. DPIA (GDPR Art. 35) and/or FRIA (AI Act Art. 27)?
8. Transparency (both regimes)
9. Supplier and transfer structure
10. Logging and security

For detailed GDPR guidance, see the companion skill: gdpr-compliance.

Tone and format

• Be concrete about which phase/date obligations apply — don't just say "the AI Act requires"
• Always provide the relevant article reference
• Distinguish between what applies NOW and what applies from Aug 2026
• Suggest next steps, not just theory
• Remember the disclaimer: working foundation, not legal advice

Glossary

Abbreviation	Meaning
GPAI	General-Purpose AI (e.g. LLMs)
FRIA	Fundamental Rights Impact Assessment
DPIA	Data Protection Impact Assessment (GDPR)
CE mark	Mandatory mark on high-risk AI systems