EU AI Act Compliance Mapping

Self-assessment cross-reference of your governance to EU AI Act requirements. 6 articles, 18 requirements, deadline tracking. Not a certified audit; not legal advice.

This is a self-assessment tool, not a certified audit and not legal advice. It cross-references your in-process governance configuration against EU AI Act articles 9, 11, 12, 14, 15, and 50. Use the output to prioritise gaps; consult qualified counsel for legal compliance opinions.

The EU AI Act is the world's first comprehensive AI regulation. governance-sdk cross-references 6 articles and 18 specific requirements against SDK features, letting you self-assess your governance posture programmatically.

Phased enforcement — no single deadline:

2025-02-02 — prohibited-practice ban (Art 5-7). NOT modelled here.

2025-08-02 — GPAI transparency obligations, including Art 50 tracked by this module.

2026-08-02 — high-risk system obligations: Arts 9, 11, 12, 14, 15 tracked by this module.

2027-08-02 — post-market + downstream obligations. NOT modelled here.

Maximum fine: 15M EUR or 3% of global annual turnover — whichever is higher.

6 Tracked Articles

Art. 9 — Risk Management System (4 requirements)

Establish and maintain a risk management system. Identify risks, implement mitigations, evaluate residual risks, test measures.

SDK mapping: Policy engine (blockTools, allowOnlyTools), enforcement (gov.enforce), 7-dimension scoring, enforcement playground

Art. 11 — Technical Documentation (3 requirements)

Document the AI system before market placement. System description, capabilities, monitoring configuration.

SDK mapping: Agent registration metadata (name, description, owner, tools), governance scoring with evidence, version-controlled config

Art. 12 — Record-Keeping (4 requirements)

Automatic recording of events. Traceability, integrity of logs, appropriate retention.

SDK mapping: Audit trail (gov.audit.log), rich event context, HMAC-SHA256 hash chaining (createIntegrityAudit), storage adapters

Art. 14 — Human Oversight (3 requirements)

Enable human intervention, understanding of capabilities, and real-time monitoring.

SDK mapping: requireApproval() policy, 7-dimension scoring with explainable evidence, queryable audit trail, fleet monitoring

Art. 15 — Accuracy, Robustness, Cybersecurity (2 requirements)

Resilience against errors and faults. Appropriate cybersecurity measures.

SDK mapping: Rate limiting, token budgets, HMAC-signed audit trail, agent authentication, tool blocking

Art. 50 — Transparency Obligations (2 requirements)

Disclose AI interaction to users. Mark AI-generated content in machine-readable format. Deadline: 2025-08-02 (earlier than the other articles — part of the GPAI transparency phase).

SDK mapping: Agent registration with disclosure metadata, audit trail with provenance (agent ID, timestamp, model version)

Run a Self-Assessment

The mapToEuAiAct() function (aliased as assessCompliance for backward compatibility) cross-references your governance configuration against all 18 requirements. It produces a report with per-article scores, gaps, and recommended next steps. The output is a posture snapshot, not a regulatory determination.

import { createGovernance } from 'governance-sdk';
import { mapToEuAiAct } from 'governance-sdk/compliance';

const gov = createGovernance({ rules: [...] });
const agents = await gov.storage.listAgents();

const report = await mapToEuAiAct({
  governance: gov,
  agents,
  auditIntegrity: true,       // Using createIntegrityAudit?
  humanOversight: true,        // requireApproval() or manual review process?
  logRetention: true,          // Configured log retention policy?
  configVersionControlled: true, // governance config in version control?
  policiesTested: true,        // Tested policies with representative scenarios?
});

// report:
// {
//   overallScore: 78,
//   status: "partial",
//   articles: [...],
//   agentsAssessed: 8,
//   criticalGaps: ["Record-Keeping (Art. 12): No explicit retention policy"],
//   recommendations: ["Configure log retention in your storage adapter"],
//   generatedAt: "2026-03-10T14:00:00Z",
//   daysUntilDeadline: 145,
//   disclaimer: "Not legal advice. This assessment covers a subset of EU AI Act…",
//   phasedDeadlines: {
//     prohibitedPractices:     "2025-02-02",  // Art 5-7 — NOT modelled
//     gpaiTransparency:        "2025-08-02",  // Art 50 — MODELLED
//     highRiskObligations:     "2026-08-02",  // Arts 9, 11, 12, 14, 15 — MODELLED
//     postMarketAndDownstream: "2027-08-02",  // NOT modelled
//   },
// }

Note: Some requirements cannot be checked automatically (e.g., "policies have been tested"). Pass boolean flags for these manual confirmations. The assessment is honest — it marks unconfirmed items as partial or non-compliant.

Deadline Tracking

import { getDaysUntilDeadline, getArticles } from 'governance-sdk/compliance';

// How many days until enforcement?
const days = getDaysUntilDeadline();
// → 145 (as of March 10, 2026)

// Get all tracked articles
const articles = getArticles();
// → [{ article: "9", title: "Risk Management System", ... }, ...]

Gap Analysis & Remediation

The report includes pre-computed critical gaps and de-duplicated remediation steps. You can also drill into individual article assessments.

// Drill into article-level assessments
for (const article of report.articles) {
  if (article.coverage === 'non-compliant') {
    for (const req of article.requirements) {
      if (req.status === 'non-compliant') {
        // req.evidence    → "No policy rules configured"
        // req.remediation → "Add policy rules via blockTools()..."
      }
    }
  }
}

// Or use the pre-computed critical gaps
report.criticalGaps.forEach((gap) => {
  // "Risk Management (Art. 9): No enforcement active"
  // "Record-Keeping (Art. 12): Audit logs are not tamper-evident"
});

// And the de-duplicated remediation steps
report.recommendations.forEach((rec) => {
  // "Enable createIntegrityAudit() for HMAC-SHA256 hash-chained logging"
  // "Add requireApproval() policy for sensitive operations"
});

Compliance Statuses

Status	Score	Meaning
compliant	80-100	Requirement fully addressed by SDK features and configuration
partial	40-79	Some coverage but gaps remain — see remediation steps
non-compliant	0-39	Critical gap — immediate action required

Warning: This module maps SDK features to EU AI Act requirements. It is not legal advice. Consult qualified legal counsel to confirm your specific compliance obligations based on your AI system's risk classification.