eu-ai-act-classifier

EU AI Act Classifier

Determines an AI system's risk tier under EU Regulation 2024/1689 (the EU AI Act), explains the legal basis for that classification, and outputs a tailored compliance obligations checklist based on the system type and the user's role in the AI value chain.

---

Step 1 — Gather System Information

Collect the following before classifying. Infer from conversation where possible:

1. What does the system do? (plain-language description of function and outputs)
2. Who uses it? (end users, operators, affected individuals)
3. What decisions does it inform or make? (and what are the stakes?)
4. Where is it deployed? (EU market, EU users, or outside EU?)
5. What is the user's role? — provider (develops/places on market), deployer (uses in own context), importer, or distributor?
6. Is it a general-purpose AI model? (e.g., a foundation model or LLM)

If critical information is missing, ask before classifying. A wrong tier is worse than a delayed answer.

---

Step 2 — Classify the Risk Tier

Work through the classification logic in order. The first match wins.

2a. Check for Prohibited Practices (Article 5)

Load references/prohibited.md. If the system matches any prohibited practice → output PROHIBITED and stop. Do not proceed to further classification.

2b. Check for High-Risk Classification (Annex III + Article 6)

Load references/high-risk.md. Check both pathways:

• Article 6(1) — safety component of a product regulated under EU harmonisation legislation (Annex I)
• Article 6(2) / Annex III — standalone high-risk AI in one of eight listed domains

If either pathway matches → classify as HIGH-RISK.

2c. Check for General-Purpose AI (GPAI) (Articles 51–56)

Load references/gpai.md. If the system is a general-purpose AI model (trained on broad data, usable across many tasks) → classify as GPAI and determine if it is a GPAI model with systemic risk (≥10^25 FLOPs training compute or designated by Commission).

GPAI classification can overlap with other tiers — a GPAI model embedded in a high-risk system carries both sets of obligations.

2d. Check for Limited Risk (Articles 50)

If the system involves: chatbots, deepfakes, emotion recognition, or biometric categorisation → classify as LIMITED RISK (transparency obligations apply).

2e. Default: Minimal Risk

If none of the above apply → classify as MINIMAL RISK (no mandatory obligations, voluntary codes of conduct encouraged).

---

Step 3 — Output the Classification

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
🇪🇺 EU AI ACT CLASSIFICATION
System: [name / description]
Role: [Provider / Deployer / Importer / Distributor]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

⚠️ ADVISORY NOTICE
───────────────────
This output is generated by an AI skill and is provided for informational and
governance support purposes only. It does not constitute legal advice, regulatory
advice, or a formal compliance determination. Do not rely on this output as a
substitute for advice from qualified legal counsel, a licensed compliance
professional, or a certified auditor. Review all outputs with appropriate human
expertise before taking compliance action.
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

RISK TIER: [PROHIBITED / HIGH-RISK / GPAI / LIMITED RISK / MINIMAL RISK]

LEGAL BASIS
────────────
[Specific article(s) and annex entries that determine this classification,
with a plain-language explanation of why they apply]

CLASSIFICATION CONFIDENCE
──────────────────────────
🟢 High — clear match to specific provision
🟡 Medium — likely match; legal review recommended
🔴 Low — ambiguous; qualified legal advice required

NOTES / EDGE CASES
───────────────────
[Any nuance, overlapping classifications, or borderline factors]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

---

Step 4 — Output the Obligations Checklist

Load references/obligations-[tier].md for the relevant tier and role, then generate:

━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
📋 COMPLIANCE OBLIGATIONS
Tier: [tier] | Role: [role]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

MANDATORY REQUIREMENTS
───────────────────────
For each obligation, mark: ✅ Done | ⚠️ In progress | ❌ Not started

[ ] [Obligation] — Article ref — Deadline: [date or "before market placement"]
[ ] [Obligation] — Article ref
...

KEY DEADLINES
──────────────
[Relevant phase-in dates from the EU AI Act timeline]

RECOMMENDED NEXT STEPS
────────────────────────
1. [Most urgent action]
2. [Second]
3. [Third]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━

Reference files for obligations:

• references/obligations-high-risk.md
• references/obligations-gpai.md
• references/obligations-limited-risk.md

---

Step 5 — Offer Follow-On Actions

After classification and obligations output, offer:

1. Save as Markdown — classification memo as a .md file for legal/compliance records
2. Gap analysis — assess which obligations are already met vs. outstanding
3. Cross-framework map — map obligations to ISO 42001 or NIST AI RMF equivalents
4. Compliance gate — trigger hitl-compliance-gate with EU AI Act pre-selected for a HITL sign-off

---

Key Principles

• Advisory only — All outputs produced by this skill are for informational and governance support purposes only. They do not constitute legal advice, regulatory advice, or a formal compliance determination. No output from this skill should be relied upon as a substitute for advice from qualified legal counsel, a licensed compliance professional, or a certified auditor with jurisdiction-specific expertise.
• Classify conservatively — when in doubt between two tiers, flag the higher one
• Role matters — provider obligations are the heaviest; deployer obligations depend on use case
• GPAI is additive — GPAI obligations stack on top of any other applicable tier
• Jurisdictional scope — the Act applies if the AI output is used in the EU, regardless of where the provider is based
• Always flag legal review for Medium/Low confidence classifications — this tool supports compliance work but is not a substitute for qualified legal advice