ai-act-mcp
Enables EU AI Act compliance assessment by classifying AI systems, listing obligations, computing deadlines, and scanning repos for required documentation, all running locally.
README
<div align="center">
ai-act-mcp
Lint your AI system for EU AI Act compliance — before the regulators do.
A local Model Context Protocol server that classifies any AI system under the EU AI Act, lists the obligations that apply to you with article citations, tells you your actual deadline, and scans your repo for missing compliance artifacts.
Runs entirely on your machine. Supports fully offline classification via a local small model — your system description never leaves your laptop.
Quick start · Offline with Ollama · All four tools · Contributing
</div>

Why this exists
The EU AI Act is live and has teeth:
- Feb 2025 — prohibited practices enforceable. €35M or 7% of global turnover.
- Aug 2025 — GPAI model obligations active.
- Aug 2026 — transparency requirements apply.
- Dec 2027 — high-risk (Annex III) obligations due.
Most teams have no idea which tier they're in. This gives you a grounded first pass in seconds, inside the agent you already use — with a citation for every claim so you can verify it.
⚠️ Informational triage, not legal advice. Confirm classifications with qualified counsel.
Tools
Four tools exposed to any MCP-compatible agent (Claude Code, Cursor, Claude Desktop, Windsurf, Cline, …):
| Tool | What it answers |
|---|---|
classify_risk |
"Is my system prohibited / high-risk / limited / minimal?" — with Annex III category + article citations |
check_obligations |
"Given my tier and role (provider or deployer), what must I do?" — obligation by obligation, with the specific deadline |
next_deadlines |
"When does this apply to me?" — the staggered 2025–2028 enforcement timeline |
scan_repo |
"Which compliance artifacts am I missing?" — pass / warn / fail checklist against your actual repo |
The rules live in a single versioned, citation-backed file: rules/ruleset.json. It reflects Regulation (EU) 2024/1689 as amended by the May 2026 Digital Omnibus agreement, and is date-stamped so you always know how current it is.
Install
Option A — npx (zero install, once published to npm)
{
"mcpServers": {
"ai-act": {
"command": "npx",
"args": ["-y", "ai-act-mcp"]
}
}
}
Option B — clone and build
git clone https://github.com/a2welt/ai-act-mcp
cd ai-act-mcp
npm install && npm run build
{
"mcpServers": {
"ai-act": {
"command": "node",
"args": ["/absolute/path/to/ai-act-mcp/dist/index.js"]
}
}
}
Client config locations:
| Client | File |
|---|---|
| Claude Desktop | ~/Library/Application Support/Claude/claude_desktop_config.json (macOS) · %APPDATA%\Claude\claude_desktop_config.json (Windows) |
| Claude Code | .mcp.json in project root, or claude mcp add ai-act node /path/to/dist/index.js |
| Cursor | .cursor/mcp.json |
| Windsurf | ~/.codeium/windsurf/mcp_config.json |
Restart your agent and ask: "Classify my hiring tool under the EU AI Act."
Fully offline — Ollama
Your AI-system description is exactly the kind of proprietary text you should not send to a cloud service. Run classification on a small local model instead — nothing leaves your machine:
# 1. Pull a model (any small instruct model works)
ollama pull llama3.2
# 2. Test it from your terminal (builds a vivid picture of what the tool does)
node demo/test-local.mjs
# 3. Register with your agent using the local backend
{
"mcpServers": {
"ai-act": {
"command": "node",
"args": ["/absolute/path/to/ai-act-mcp/dist/index.js"],
"env": {
"AI_ACT_CLASSIFIER": "local",
"AI_ACT_SLM_MODEL": "llama3.2"
}
}
}
}
The model only ever picks among the ruleset's enumerated, cited categories — it never invents law. This is what makes a small model reliable: you've constrained its job to classification-against-known-rules, not open-ended legal reasoning. If the model is unreachable for any reason, the server falls back to the deterministic keyword screen automatically.
Backend options
AI_ACT_CLASSIFIER |
Where the description goes | Quality | Notes |
|---|---|---|---|
keyword (default) |
Nowhere — pure local logic | Good | Instant, zero dependencies, deterministic |
local |
Stays on your machine (Ollama) | Better | Privacy-first; requires Ollama running |
host |
Your agent's model via MCP sampling | Best | Requires client sampling support |
Extra env vars for local mode:
| Variable | Default | Description |
|---|---|---|
AI_ACT_SLM_MODEL |
llama3.2 |
Any model name Ollama has pulled |
AI_ACT_OLLAMA_URL |
http://localhost:11434 |
Ollama server URL |
AI_ACT_SLM_TIMEOUT_MS |
30000 |
Timeout before falling back to keyword |
Example
Prompt: I'm building a tool that screens job applicants' CVs and ranks them. Classify it under the EU AI Act.
# AI Act risk classification
**Likely tier: High-risk** (Art. 6 + Annex I / Annex III)
Permitted but subject to the heaviest obligations (risk management, data
governance, logging, human oversight, conformity assessment, registration).
## ⚠️ Possible high-risk categories (Annex III)
- **Employment**: recruitment, screening, filtering applications, evaluating
candidates, or decisions on promotion/termination/task allocation — Annex III(4)
> Check the Art. 6(3) exemption: system does NOT pose a significant risk of harm
to health, safety or fundamental rights…
## What to do next
Run `check_obligations` with tier "high" and your role (provider or deployer)
for the full obligation list, and `next_deadlines` for your timeline.
---
Ruleset 2026.06 (current as of 2026-06-09). Informational triage only.
Not legal advice. Verify against the official text and consult qualified counsel.
Run the tests
npm test
15 tests covering classification, obligations, deadlines, repo scanning, all three classifier backends, and the offline fallback path.
Roadmap
- [x] Four core tools — classify, obligations, deadlines, repo scan
- [x] Versioned, citation-backed ruleset (
rules/ruleset.json) - [x] Pass / warn / fail repo artifact checklist
- [x] Per-tier deadlines in obligation output
- [x] Pluggable classifier backends — keyword (default), local SLM (fully offline via Ollama), host-model sampling
- [ ]
npm publish— zero-installnpxsetup - [ ] FRIA (fundamental rights impact assessment) scaffold generator
- [ ] GPAI Code of Practice checklist
- [ ] Ruleset auto-update workflow as Omnibus amendments are adopted
Contributing
Corrections to the ruleset — with article citations — are the most valuable contributions. See CONTRIBUTING.md for the full guide.
Quick ways to help:
- 🔍 Found a wrong classification? Open a ruleset correction issue
- 🐛 Something broken? Open a bug report
- ⭐ Find it useful? Star the repo — it helps compliance teams discover it
License
MIT — see LICENSE
推荐服务器
Baidu Map
百度地图核心API现已全面兼容MCP协议,是国内首家兼容MCP协议的地图服务商。
Playwright MCP Server
一个模型上下文协议服务器,它使大型语言模型能够通过结构化的可访问性快照与网页进行交互,而无需视觉模型或屏幕截图。
Magic Component Platform (MCP)
一个由人工智能驱动的工具,可以从自然语言描述生成现代化的用户界面组件,并与流行的集成开发环境(IDE)集成,从而简化用户界面开发流程。
Audiense Insights MCP Server
通过模型上下文协议启用与 Audiense Insights 账户的交互,从而促进营销洞察和受众数据的提取和分析,包括人口统计信息、行为和影响者互动。
VeyraX
一个单一的 MCP 工具,连接你所有喜爱的工具:Gmail、日历以及其他 40 多个工具。
graphlit-mcp-server
模型上下文协议 (MCP) 服务器实现了 MCP 客户端与 Graphlit 服务之间的集成。 除了网络爬取之外,还可以将任何内容(从 Slack 到 Gmail 再到播客订阅源)导入到 Graphlit 项目中,然后从 MCP 客户端检索相关内容。
Kagi MCP Server
一个 MCP 服务器,集成了 Kagi 搜索功能和 Claude AI,使 Claude 能够在回答需要最新信息的问题时执行实时网络搜索。
e2b-mcp-server
使用 MCP 通过 e2b 运行代码。
Neon MCP Server
用于与 Neon 管理 API 和数据库交互的 MCP 服务器
Exa MCP Server
模型上下文协议(MCP)服务器允许像 Claude 这样的 AI 助手使用 Exa AI 搜索 API 进行网络搜索。这种设置允许 AI 模型以安全和受控的方式获取实时的网络信息。