Skip to main content

A decision-ready compliance report for the EU AI Act

Deterministic Annex III classification plus an article-by-article obligation gap analysis, Annex IV documentation checklist, and a remediation plan sequenced against the August 2026 enforcement deadline.

Regulation (EU) 2024/1689 attaches concrete duties to whatever risk tier your AI system lands in, and most Annex III high-risk obligations start applying on 2 August 2026. This report takes a written description of your system, classifies it against Article 5 prohibitions, the Annex III high-risk categories, the general-purpose AI model track, and Article 50 transparency duties, then works through every obligation the classification triggers.

The output is built for the person who has to act on it: a per-article gap analysis with current-state evidence quoted from your description and a severity rating, a documentation checklist mapped to Annex IV, and a prioritised remediation plan with effort estimates sequenced against the enforcement timeline. It is designed for engineering leads and compliance owners preparing for a conformity assessment or scoping the work one would require.

Nothing about the input is silently optional, because the report is only as valid as the evidence behind it. Every field is either supplied or explicitly declined, and each decline is recorded in a deterministic input_coverage grade that ships with the report. The strongest report anchors classification deterministically: walk the free EU AI Act risk classifier decision tree and pass its answers in as decision_tree_answers, and the report runs the same codified Annex III tree and forces the analysis to match that classification or explicitly justify any divergence. If you skip the tree, you must say so, and the classification is derived by the analysis pass instead.

What it costs

Pricing

$1.50 per report

  • USDC on Base via x402
  • Card via Stripe checkout
  • No account
  • No API key
  • No subscription

Flat $1.50 per report, the same price on both payment rails.

Call it from your agentSee an example report

Invalid input is rejected before payment: if your call fails validation, you are never charged. A retry with the same payment authorization returns the cached report instead of charging twice.

Inputs

Every input field this tool accepts, with validation rules enforced before payment.
Field Required Rules Description
system_description Required Minimum 50 characters. Total input capped at 60,000 characters. A written description of the AI system: what it does, who uses it, what decisions it informs, and the context it operates in.
model_card Required Minimum 50 characters, or the exact string 'declined' to explicitly opt out. Counts toward the 60,000-character total cap. The model card or equivalent documentation for any model the system uses. Declining is recorded in the input_coverage grade and the report's limitations.
data_flows Required Minimum 50 characters, or the exact string 'declined' to explicitly opt out. Counts toward the 60,000-character total cap. A description of the data flows: what data enters the system, where it comes from, and where outputs go. Declining is recorded in the input_coverage grade and the report's limitations.
decision_tree_answers Required Array of integer answer indices from the free risk classifier's decision tree. Required unless skip_decision_tree is true. Answers from the deterministic Annex III decision tree. The resulting classification is injected as binding evidence the analysis must match or explicitly justify diverging from.
skip_decision_tree Required Boolean. Exactly one of decision_tree_answers or skip_decision_tree: true must be sent; sending neither, or both, is rejected free of charge. Explicitly skips the decision tree. The tree answers are then derived by AI from your description, the derivation is marked ai_derived with per-question confidence, and the skip lowers the input_coverage grade.

How the report is produced

  1. Validate deterministic

    Every input is checked before any payment. system_description needs at least 50 characters of substantive content; model_card and data_flows each need 50 characters or an explicit 'declined'; exactly one of decision_tree_answers or skip_decision_tree must be sent; and the combined input is capped at 60,000 characters. Anything else is rejected free of charge with a structured error explaining what to fix.

  2. Parse deterministic

    The codified Annex III decision tree runs on every call. When you supply decision_tree_answers it runs before any charge: it walks Article 3(1) definition screening, Article 5 prohibitions, the GPAI track, the Annex I product route, and the Annex III areas, and incomplete answers return the next question, its options, and the path so far, without charging. A complete path yields a deterministic classification with cited articles, obligations, and an evidence checklist that is attached to the final report and injected as binding evidence. When you explicitly skip, the tree answers are derived by AI instead and marked ai_derived with per-question confidence. The input_coverage grade is computed deterministically from what you supplied versus declined.

  3. Rule engine planned

    A codified obligation rule set will map each classification outcome to the exact articles it triggers (Articles 9-15, 16-27, 50, and Chapter V), with stable rule IDs and static references into the Regulation. Severity and completeness scores will be computed by fixed formula, never by a model.

  4. Analysis ai-constrained

    Two structured-output passes run today. First, a classification pass by a language model constrained by a fixed JSON schema determines risk tier (prohibited, high_risk, limited_risk, minimal_risk), Annex III categories, prohibited-practice flags, GPAI applicability, transparency obligations, and cited articles, recording ambiguities and coverage notes rather than guessing. When the decision tree ran, this pass must match its classification or justify divergence. Second, a report pass consumes that classification and produces the obligation gap analysis, documentation checklist, and remediation plan, each conforming to a fixed JSON schema. The model cannot return free text.

  5. Render ai-constrained

    The structured JSON report is returned together with a rendered markdown artifact in the MCP response, with the deterministic decision-tree analysis attached when it ran. A downloadable PDF deliverable is planned.

What the report contains

Every section of the structured report, returned as JSON plus a rendered markdown artifact.
Section What it holds
summary A concise executive summary of the system's position under the Act.
risk_tier The concluded risk tier for the system.
obligation_gaps Per-article gap entries, each with the obligation, current-state evidence from your description, the gap, and a severity of critical, high, medium, or low.
documentation_checklist Required documents mapped to their Annex IV reference, each with a status of missing, partial, or described.
remediation_plan Prioritised actions with the articles they address, an effort estimate of small, medium, or large, and deadline context against the enforcement timeline.
disclaimer A mandatory statement that this is automated analysis, not legal advice.
input_coverage A deterministic grade of the evidence behind the report: full, partial, or description_only, plus whether each of model_card and data_flows was provided or declined and whether the decision tree was user_supplied or ai_derived. Computed by code, never by a model.
deterministic_analysis The verbatim output of the Annex III decision tree: the computed classification, the path taken, and the articles it triggers. User-supplied answers are binding; AI-derived answers are marked as such. The analysis passes must reconcile with it or justify any divergence.
markdown The full report formatted with headings and tables, including a limitations section when coverage notes were recorded.

Example output

An illustrative, abridged example of what a paid call returns.

Download sample PDF
report.md

EU AI Act Compliance Report: Northwind Talent Cloud

Overview

This report analyzes the Northwind Talent Cloud system against the requirements of the EU AI Act. The system is classified as high-risk under Annex III, 2(a) (recruitment and selection).

Input coverage: partial. The model card was declined and the decision tree was skipped (answers AI-derived); the data-flows description was provided.

Compliance Gap Analysis

ArticleObligationSeverity
9Risk ManagementCritical
10Data GovernanceCritical
14Human OversightCritical
52TransparencyHigh

Limitations & Coverage Notes

  • The caller explicitly declined to supply a model card, so training-data and evaluation claims could not be assessed against documentation.
  • The decision tree was explicitly skipped; the Annex III classification was derived by AI from the description rather than user-walked answers.
  • The lack of explainability (xAI) in the current 0-100 scoring model represents a potential violation of the duty to ensure human control.

Remediation Strategy

Prioritization is set against the August 2026 deadline for high-risk systems. Failure to address the lack of human override capabilities (Art 14) and applicant transparency (Art 52) poses the highest risk of enforcement action.

Structured JSON excerpt
{
  "summary": "The Northwind Talent Cloud is a high-risk AI system under Annex III, 2(a) as it facilitates recruitment. Current compliance gaps are significant, specifically regarding transparency, interpretability, and robust human oversight mechanisms.",
  "risk_tier": "high_risk",
  "input_coverage": {
    "grade": "partial",
    "model_card": "declined",
    "data_flows": "provided",
    "decision_tree": "ai_derived"
  },
  "obligation_gaps": [
    {
      "article": "Article 9",
      "obligation": "Risk Management System",
      "current_state": "No formal risk assessment provided for the lifecycle of the AI system.",
      "gap": "Missing continuous iterative risk management process to identify hazards for candidates.",
      "severity": "critical"
    },
    {
      "article": "Article 10",
      "obligation": "Data Governance",
      "current_state": "Model is trained on historical hiring data.",
      "gap": "Lack of bias detection, mitigation, and dataset representative analysis to ensure fairness in recruitment.",
      "severity": "critical"
    },
    {
      "article": "Article 14",
      "obligation": "Human Oversight",
      "current_state": "No built-in workflow to override or contest rankings.",
      "gap": "Lack of 'human-in-the-loop' controls for overriding AI decisions and preventing automation bias.",
      "severity": "critical"
    },
    {
      "article": "Article 52",
      "obligation": "Transparency for Natural Persons",
      "current_state": "Applicants are not informed of AI usage.",
      "gap": "Non-compliance with the duty to inform candidates that they are subject to an AI-driven recruitment process.",
      "severity": "high"
    }
  ],
  "documentation_checklist": [
    {"document": "Risk Management System Documentation", "annex_iv_reference": "Section 2", "status": "missing"},
    {"document": "Technical Specifications (Data, Algorithms)", "annex_iv_reference": "Section 3", "status": "partial"},
    {"document": "Transparency and Instructions", "annex_iv_reference": "Section 5", "status": "missing"}
  ],
  "remediation_plan": [
    {
      "priority": 1,
      "action": "Implement mandatory applicant transparency disclosures (Art 52) and establish a human oversight override mechanism (Art 14).",
      "articles": ["Article 14", "Article 52"],
      "effort": "large",
      "deadline_context": "Immediate-term to meet transparency and fundamental rights requirements."
    }
  ],
  "disclaimer": "This report is an automated compliance analysis generated for informational purposes only. It does not constitute professional legal advice. Compliance with the EU AI Act requires a holistic review by legal counsel."
}

Call it from an agent

This report is a paid tool on the systemprompt-reports MCP server. Discovery is free: connect, list tools, and read schemas without paying. Payment happens per call over HTTP using the x402 protocol.

claude mcp add --transport http systemprompt-reports https://systemprompt.io/api/v1/mcp/systemprompt-reports/mcp

Endpoint: https://systemprompt.io/api/v1/mcp/systemprompt-reports/mcp · Tool: eu_ai_act_compliance

How payment works

  1. Call the tool with your input. The server validates it first; invalid input is rejected with no charge.
  2. The server replies with HTTP 402 and exact payment requirements: amount, USDC asset contract, network, and receiving address.
  3. Your wallet signs a USDC transfer authorization and the call is retried with an X-PAYMENT header. The server verifies and settles it on-chain through a facilitator before running the tool.
  4. The response includes the full report and an X-PAYMENT-RESPONSE header with the on-chain transaction receipt. Retrying with the same authorization returns the cached report without a second charge.

Frequently asked questions

Is my system description stored or published?
Your input is processed to produce the report and is not published. The report is returned only to the caller that paid for it.
What happens if my input is invalid?
Validation runs before payment. If system_description is under 50 characters, model_card or data_flows is neither substantive nor an explicit 'declined', you send neither (or both) of decision_tree_answers and skip_decision_tree, or the total input exceeds 60,000 characters, the request is rejected with a structured error and you are not charged. The same applies to an incomplete decision tree: the tool returns the next question to answer, free of charge.
Why do I have to decline inputs explicitly?
Because the report's validity depends on the evidence behind it. A silently missing model card would produce a weaker report that looks identical to a strong one. Instead, every input is either supplied or explicitly declined, and each decline is recorded in a deterministic input_coverage grade (full, partial, or description_only) that ships with the report and is quoted in its limitations, so the reader always knows what the analysis did and did not see.
What if I retry the same request?
The same payment authorization returns the cached report for 10 minutes, so a retry does not result in a double charge.
How do I pay without an account?
No account is needed. Pay $1.50 per report either by card, through the Stripe checkout link returned in the 402 response, or with USDC on Base via the x402 protocol. The report is returned in the same MCP call once payment settles.
Is this legal advice?
No. The report is an informational, automated analysis of your description against the text of the Act. It does not create a lawyer-client relationship and every report carries a disclaimer stating so. Confirm conclusions with qualified counsel before relying on them.
How reproducible is the classification?
The Annex III decision tree is fully deterministic: the same answers always produce the same classification, articles, and checklist, and that output is attached to the report verbatim. The analysis passes are constrained to fixed JSON schemas and must reconcile with the tree; a codified obligation rule engine with stable rule IDs is planned to make the gap analysis deterministic as well.

Run governed AI agents on your own infrastructure

These free tools come from the team behind systemprompt.io, a self-hosted AI governance library: one Rust binary with a governance pipeline, audit trails, RBAC, and cost attribution. If your company is putting agents into production, see it against your own use case.

Request a demo