---
id: gh-ai-act-skill
name: "ai-act-skill"
url: https://skills.yangsir.net/skill/gh-ai-act-skill
author: morellid
domain: legal
tags: ["euaiact", "compliance", "ai-regulation", "risk-classification", "legal-tech"]
install_count: 3
rating: 4.00 (20 reviews)
github: https://github.com/morellid/ai-act-skill
---

# ai-act-skill

> 帮助AI产品团队和工程师快速分类AI系统在欧盟AI法案下的风险等级（禁止、高风险、有限、最小、GPAI）并明确相应合规义务。节省大量人工查阅法条的时间，降低因违规面临的最高3500万欧元或7%全球年营业额罚款风险，尤其适合需要将AI系统投放欧盟市场的提供者、部署者及合规顾问。

**Stats**: 3 installs · 4.0/5 (20 reviews)

## Before / After 对比

### 合规风险分类耗时对比

**Before**:

手动翻阅欧盟AI法案200+页文本，逐条对比系统特征，耗时约30分钟，容易遗漏关键条款。

**After**:

使用该技能自动匹配风险分类逻辑，5分钟内获得初步分类结果及义务清单，准确率大幅提升。

| Metric | Before | After | Change |
|---|---|---|---|
| 分类耗时 | 30分钟 | 5分钟 | -83% |

## Readme

---
name: ai-act-compliance
description: Supports compliance with the EU Artificial Intelligence Act (Regulation (EU) 2024/1689). Use when the user needs to classify an AI system under the AI Act risk categories (prohibited, high-risk, limited, minimal, GPAI), check provider or deployer obligations for high-risk systems, evaluate GPAI model obligations including systemic risk thresholds, verify transparency obligations under Article 50, or run a fundamental rights impact assessment (FRIA) under Article 27. Target users are AI system providers, deployers, importers, distributors, EU consultants on AI compliance, and engineers building AI products for the EU market.
license: MIT
---

# AI Act Compliance

EU Regulation 2024/1689 — practical compliance support for AI providers, deployers, and consultants.

## When to use this skill

Use when someone needs to:

- Classify an AI system or model under the AI Act (in scope? prohibited? high-risk? limited risk? minimal? GPAI? GPAI with systemic risk?)
- Identify the role(s) the organisation plays (provider, deployer, importer, distributor)
- Check obligations applicable to a high-risk system as **provider** (Articles 8–22)
- Check obligations applicable to a high-risk system as **deployer** (Articles 26–27, including FRIA)
- Check obligations applicable to a **GPAI model** provider (Articles 51–55)
- Verify **transparency obligations** under Article 50 (chatbots, synthetic content, emotion recognition, biometric categorisation, deepfakes)
- Map applicable **dates of application** for the specific system or role

**Do not use** when the user asks for:

- Legal advice on a specific case (this needs an EU AI lawyer with case-specific knowledge)
- Pre-existing legal opinions on national implementation in a specific Member State (rules will be added by national supervisory authorities; not yet finalised in many countries as of 2026)
- Drafting of EU-AI-Act-conformity declarations (CE marking) — the skill structures the documentation but does not produce the final signed document
- Compliance with sector-specific regimes that interact with the AI Act (e.g., Medical Devices Regulation, automotive type-approval) — these need dedicated skills

## Disclaimer

This skill is a support tool for compliance work, not a substitute for qualified legal or technical counsel. The AI Act is recent legislation with phased application (most obligations between 2 February 2025 and 2 August 2027) and the harmonised standards under preparation by CEN-CENELEC JTC 21 are not yet published. **Outputs require review by competent counsel and, for high-risk systems, by a notified body where applicable.** Penalties under Article 99 reach EUR 35 million or 7% of total worldwide annual turnover for prohibited-practice violations.

**Pending: Digital Omnibus on AI.** Provisional political agreement reached on **7 May 2026** between the European Parliament and the Council on the Commission's 19 November 2025 proposal. The agreement: (i) shifts high-risk obligations to **2 December 2027** (Annex III stand-alone systems and Article 50 transparency) and **2 August 2028** (Annex I embedded safety components); (ii) adds a new Article 5 prohibition on AI systems generating non-consensual intimate imagery ("nudifier apps") and CSAM, with **2 December 2026** compliance once in force; (iii) narrows the "safety component" definition (excludes assistive or performance-optimising AI from Annex I high-risk); (iv) extends SME exemptions to small mid-cap enterprises; (v) streamlines GPAI enforcement through the EU AI Office. Formal adoption and OJ publication are pending (co-legislator target: before 2 August 2026). Until OJ publication, the binding deadlines remain the original Article 113 calendar and the new Article 5 prohibition is not yet in force. Article 4 (AI literacy) and the existing Article 5 prohibitions — in force since 2 February 2025 — and Chapter V GPAI obligations — in force since 2 August 2025 — are not affected. Skill outputs should mention the pending change whenever 2 August 2026 high-risk or Article 50 deadlines are cited, and flag systems that may fall under the future nudifier/CSAM prohibition.

## Sub-tasks

Based on the user's request, load the relevant task file:

- **System classification**: user asks "is my system in scope? what category? am I a provider or deployer?" — read [`tasks/classify-system.md`](tasks/classify-system.md). **Always start here unless classification is already established.**
- **Prohibited practices check**: user wants to verify no Article 5 prohibition is triggered — read [`tasks/check-prohibited-practices.md`](tasks/check-prohibited-practices.md)
- **High-risk provider obligations**: classified high-risk + role is provider — read [`tasks/check-high-risk-provider.md`](tasks/check-high-risk-provider.md)
- **High-risk deployer obligations**: classified high-risk + role is deployer (incl. FRIA) — read [`tasks/check-deployer-obligations.md`](tasks/check-deployer-obligations.md)
- **GPAI provider obligations**: providing a general-purpose AI model — read [`tasks/check-gpai-provider.md`](tasks/check-gpai-provider.md)
- **Transparency obligations (Article 50)**: any AI system interacting with humans / generating synthetic content — read [`tasks/check-transparency.md`](tasks/check-transparency.md)

If the request is generic ("help me with the AI Act"), start with classification.

## General process

1. Identify the user's role(s) and system(s).
2. Run classification first (`classify-system.md`) unless explicitly stated.
3. Based on classification, route to the relevant obligations task.
4. For each obligation, capture: applicable? met? gap analysis? remediation steps?
5. Always include applicable dates of application (the AI Act phases obligations; some rules already in force, others up to August 2027). Where the cited deadline is one that the **Digital Omnibus on AI** (provisional political agreement 7 May 2026, formal adoption pending) would shift — i.e., 2 August 2026 high-risk Annex III and Article 50 transparency, and 2 August 2027 Annex I embedded — flag the pending move to 2 December 2027 / 2 August 2028 in the output. If the system might fall under the agreed-but-not-yet-in-force prohibition on non-consensual intimate imagery / CSAM (compliance deadline 2 December 2026 once published in the OJ), flag that too.
6. Conclude with the appropriate disclaimer and a call to legal review.

## Sources

Authoritative references in [`references/sources.yaml`](references/sources.yaml). Primary:

- **Regulation (EU) 2024/1689** (the AI Act) — Articles cited: 3, 5, 6, 9, 10, 14, 15, 16, 22, 26, 27, 50, 51, 53, 55, 99; Annex III
- **GPAI Code of Practice** (final version July 2025) — voluntary tool to demonstrate compliance with Article 53
- **Commission Guidelines on the scope of obligations for providers of GPAI models** (July 2025)
- **CEN-CENELEC JTC 21** — harmonised standards under preparation (track the published list at <https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation>)

Pending (track, treat as indicative until finalised):

- **Commission draft Article 50 transparency guidelines** (8 May 2026, public consultation until 3 June 2026) — `sources.yaml` id `ec-art50-transparency-guidelines-draft-2026`. Will become the authoritative Commission interpretation of Article 50 once final; promote to a primary source with a textual extract at that point.
- **Commission draft guidelines on the classification of high-risk AI systems** (19 May 2026, public consultation until 23 June 2026) — `sources.yaml` id `ec-high-risk-classification-guidelines-draft-2026`. Required by Article 96 AI Act. Will become the authoritative Commission interpretation of Article 6 and Annex III (safety-component test, Annex III use-case examples, Art. 6(3) derogation) once final; promote to a primary source with a textual extract at that point.

Textual extracts of the cited articles in [`references/extracts/`](references/extracts/).

## Limits

This skill does NOT:

- Replace legal counsel or notified body conformity assessment.
- Produce signed conformity declarations or CE marking documentation ready for submission.
- Cover Member State-specific national implementing measures (e.g., national AI authorities' guidance, where relevant).
- Cover sector regimes interacting with the AI Act (medical devices, automotive type-approval, financial services AI use cases under existing sectoral regulation).
- Track post-2026 jurisprudence and Commission delegated/implementing acts in real time — the user must verify the date of last update of `references/sources.yaml`.
- Replicate the EU Commission's official Compliance Checker at the AI Act Service Desk (<https://ai-act-service-desk.ec.europa.eu/>) — for authoritative self-assessment, use that tool.

**Every output requires review by qualified counsel before adoption or filing.**

--- README.md ---

# AI Act Compliance Skill

> An agent skill for compliance work on **Regulation (EU) 2024/1689 — the EU Artificial Intelligence Act**. Compatible with **Anthropic Claude Code**, **OpenAI Codex**, and any **AGENTS.md**-aware coding agent (Cursor, Windsurf, GitHub Copilot, Devin, Amp).
>
> **Status: v0.1.0-alpha — public, usable, seeking validators.** The content is grounded in the Official Journal text and the 2025 Commission guidelines, but external review is wide open. If you are a compliance officer, EU AI law expert, or engineering lead with hands-on AI Act experience: please open issues, suggest corrections, or email `ai@davidemorelli.it`. Acknowledged contributors get credit in the README and a citation when the skill ships v0.1.0 stable.
>
> **Pending: Digital Omnibus on AI.** A provisional political agreement between the European Parliament and the Council was reached on **7 May 2026** on the Commission's 19 November 2025 proposal. The agreement confirms **2 December 2027** for stand-alone high-risk (Annex III) systems and Article 50 transparency, and **2 August 2028** for high-risk safety components of Annex I products. It also adds a **new Article 5 prohibition on AI systems generating non-consensual intimate imagery (so-called "nudifier apps") and child sexual abuse material**, with a compliance deadline of **2 December 2026** once in force. Co-legislators target formal adoption before 2 August 2026. Until publication in the Official Journal, the legally binding deadlines remain the original Article 113 calendar and the new prohibition is not yet in force. Article 4 (AI literacy) and the existing Article 5 prohibitions — in force since 2 February 2025 — and Chapter V GPAI obligations — in force since 2 August 2025 — are not affected.

## Looking for validators

Specifically, we are interested in feedback on:

- **Article 5 borderlines**: workplace emotion recognition, biometric categorisation carve-outs, real-time RBI law-enforcement exceptions
- **Annex III scope edges**: where high-risk classification is ambiguous in real systems
- **Article 27 FRIA**: who has actually drafted one for a public-sector deployer; what worked, what did not
- **GPAI thresholds**: how the 10²⁵ FLOPs criterion is being interpreted for fine-tuned and downstream-adapted models
- **Article 50 transparency**: implementation patterns for chatbot disclosure, synthetic-content marking, deep-fake notices

Open an issue at <https://github.com/morellid/ai-act-skill/issues>, or send a private note to `ai@davidemorelli.it`.

## What is this?

A self-contained agent skill that helps compliance teams, AI engineers, and consultants run common tasks on the EU AI Act:

- Classify an AI system or model (in scope? prohibited? high-risk? limited? GPAI? systemic risk?)
- Identify roles (provider, deployer, importer, distributor)
- Check provider obligations for high-risk systems (Articles 8–22)
- Check deployer obligations including the Fundamental Rights Impact Assessment / FRIA (Articles 26–27)
- Check GPAI provider obligations (Articles 51–55)
- Verify transparency obligations under Article 50 (chatbots, synthetic content, deepfakes)

## Installation

The repository **is** the skill. Drop it into your agent's skills directory. The skill follows the `SKILL.md` + frontmatter convention used by both Claude Code and Codex.

| Agent | Skills directory |
|---|---|
| Anthropic Claude Code | `~/.claude/skills/ai-act-compliance/` |
| OpenAI Codex | `~/.agents/skills/ai-act-compliance/` |

### Option A — install via the helper script (Claude Code / Codex only)

```bash
git clone https://github.com/morellid/ai-act-skill.git
cd ai-act-skill
./install.sh                       # default: Claude Code
./install.sh --target codex        # Codex only
./install.sh --target both         # both agents
./install.sh --force --target both # replace existing installs without prompting
```

The script symlinks the repository into the chosen native target(s) by default (so `git pull` upgrades the installed skill in place). Set `INSTALL_MODE=copy` for a snapshot copy.

This helper is for **native Claude Code / Codex skill installs**. If you want to vendor the repo into a project for Cursor, Windsurf, GitHub Copilot, Devin, Amp, or another AGENTS.md-aware harness, use **Option D**. A custom-path run such as `./install.sh /path/to/project/.vendor/ai-act-skill` only copies/symlinks the repo; it does **not** create the project-local `AGENTS.md` pointer or per-agent adapter files.

### Option B — clone directly into the skills directory

```bash
# Claude Code
git clone https://github.com/morellid/ai-act-skill.git ~/.claude/skills/ai-act-compliance

# Codex
git clone https://github.com/morellid/ai-act-skill.git ~/.agents/skills/ai-act-compliance
```

### Option C — Codex `$skill-installer`

Inside a Codex session:

```
$skill-installer https://github.com/morellid/ai-act-skill
```

### Option D — use from another agent (Cursor, Windsurf, GitHub Copilot, Devin, Amp, …)

Many agents read `AGENTS.md` natively (60 000+ repositories already do; the format is governed by the Linux Foundation Agentic AI Foundation). For those agents, vendor this skill into your own project and add a short pointer in your project's `AGENTS.md`:

```bash
# In YOUR project repository:
git submodule add https://github.com/morellid/ai-act-skill.git .vendor/ai-act-skill
```

Then add to your project's `AGENTS.md`:

```markdown
## EU AI Act compliance

When the user asks AI Act questions, walk through the tasks at
`.vendor/ai-act-skill/tasks/` (classify first, then check prohibitions,
then route to provider/deployer/GPAI/transparency). Source extracts at
`.vendor/ai-act-skill/references/extracts/`. Cite articles precisely;
always close with the "support tool, not legal advice" disclaimer.
```

For per-agent adapters (Cursor MDC rule, GitHub Copilot instructions), see [`adapters/`](adapters/) in this repository.

### Option E — download a release zip

```bash
mkdir -p ~/.claude/skills    # or ~/.agents/skills for Codex
curl -L https://github.com/morellid/ai-act-skill/archive/refs/tags/v0.1.0.zip \
  -o /tmp/ai-act-skill.zip
unzip -d ~/.claude/skills /tmp/ai-act-skill.zip
mv ~/.claude/skills/ai-act-skill-* ~/.claude/skills/ai-act-compliance
```

### Option F — install via `npx skills` (vercel-labs CLI)

The [`vercel-labs/skills`](https://github.com/vercel-labs/skills) CLI auto-detects the `SKILL.md` at the repo root and installs it into your agent's skills directory.

```bash
npx skills add morellid/ai-act-skill
```

By default the CLI installs into `~/.claude/skills/`. Use `--list` to preview, or pass an explicit target with the CLI's flags (see `npx skills add --help`).

### Option G — drag-and-drop on Claude.ai (web)

If you use Claude only via the web (claude.ai, no Claude Code), grab the prebuilt skill zip from the [GitHub Releases](https://github.com/morellid/ai-act-skill/releases) and upload it.

1. Open the latest release: <https://github.com/morellid/ai-act-skill/releases/latest>
2. Download `ai-act-compliance.zip`.
3. Go to <https://claude.ai/customize/skills> and upload (or drag-and-drop) the file.

The zip contains the skill in a single top-level directory (`ai-act-compliance/` with `SKILL.md`, `tasks/`, `references/`, `examples/`, `LICENSE`). Do not extract it before upload.

After installation, restart your agent (Claude Code or Codex) so the new skill is discovered.

### Uninstall

```bash
./uninstall.sh                     # default: Claude Code
./uninstall.sh --target codex      # Codex only
./uninstall.sh --target both       # both agents
# or manually:
rm -rf ~/.claude/skills/ai-act-compliance
rm -rf ~/.agents/skills/ai-act-compliance
```

## How to use it (once installed)

In any Claude Code or Codex session, ask questions or give tasks that touch the AI Act:

> "Classify this system under the AI Act: it's a CV-screening tool for HR..."
>
> "Run a FRIA on this high-risk deployment of an emotion-recognition system."
>
> "Check our GPAI model obligations — we're at 5×10²⁵ FLOPs of training compute."

The agent will load this skill, route to the right sub-task, and produce a structured analysis with citations.

In Codex you can also invoke it explicitly:

```
/skills ai-act-compliance
```

## Repository layout

```
ai-act-skill/
├── SKILL.md                     ← the skill entry point (agent reads this)
├── README.md                    ← this file (humans read this)
├── LICENSE                      ← MIT
├── CHANGELOG.md
├── install.sh                   ← installer (Claude Code / Codex / both)
├── uninstall.sh
├── .gitignore
├── AGENTS.md                    ← cross-agent guidance (Codex, Cursor, Windsurf, Copilot, …)
├── agents/                      ← agent-specific UI metadata
│   └── openai.yaml              ← Codex display name + default prompt
├── adapters/                    ← drop-in adapters for non-skill formats
│   ├── copilot-instructions.md  ← GitHub Copilot
│   ├── cursor-rule.mdc          ← Cursor IDE rule
│   └── README.md                ← how to vendor + adapt
├── tasks/                       ← detailed sub-task instructions
│   ├── classify-system.md
│   ├── check-prohibited-practices.md
│   ├── check-high-risk-provider.md
│   ├── check-deployer-obligations.md
│   ├── check-gpai-provider.md
│   └── check-transparency.md
├── references/                  ← official-source metadata + textual extracts
│   ├── sources.yaml
│   └── extracts/
│       ├── ai-act-art-3-definitions.md
│       ├── ai-act-art-5-prohibited.md
│       ├── ai-act-art-6-9-high-risk-classification.md
│       ├── ai-act-annex-iii-high-risk-list.md
│       ├── ai-act-art-26-27-deployer-fria.md
│       ├── ai-act-art-50-transparency.md
│       └── ai-act-art-51-55-gpai.md
├── examples/                    ← test fixtures
│   ├── classify-customer-service-chatbot/
│   └── classify-hr-emotion-recognition/
└── scripts/
    ├── validate.sh              ← skill self-check
    ├── fetch-references.sh      ← downloads source PDFs and verifies hashes
    └── build_releases.sh        ← builds dist/ai-act-compliance.zip for claude.ai drag-and-drop
```

## Versioning

Semantic versioning, tagged in git (`git tag v0.1.0`). GitHub auto-generates downloadable zips for each tag at `https://github.com/.../archive/refs/tags/<tag>.zip`.

## Validation and tests

The skill ships with two example fixtures (HR emotion recognition, customer service chatbot) under `examples/`, each with a synthetic input and the expected output. To run a structural self-check:

```bash
./scripts/validate.sh
```

For external validation resources (the AI Act is not amenable to fully automated test suites — compliance is fact-specific), see [`references/sources.yaml`](references/sources.yaml) for:

- The Commission's official Compliance Checker at the AI Act Service Desk
- The artificialintelligenceact.eu open-source tracker
- Harmonised standards under preparation by CEN-CENELEC JTC 21 (publication expected from 2026)

## Contributing

Issues and PRs welcome. Two non-negotiable principles:

1. **Only official sources** — every normative claim must trace back to the Regulation, an EU Commission delegated/implementing act, an EU AI Office guideline, an EDPB joint guideline, or a published harmonised standard. Hashes in `references/sources.yaml`.
2. **Disclaimer always present** — the skill is a support tool, never a substitute for legal counsel or notified body assessment.

## Acknowledgements

- **Richard B.** ([LinkedIn](https://www.linkedin.com/in/richard-b-42469439b/)) — flagged the Digital Omnibus on AI timeline change (Commission proposal 19 November 2025; Council and Parliament alignment in March 2026) before v0.1.0 stable, prompting the pending-delay disclosure pass across the skill and the landing page.

## Licence

MIT — see [LICENSE](LICENSE).

## Disclaimer

This skill is provided for informational and compliance-support purposes. It does not constitute legal advice, does not replace assessment by a qualified lawyer, and does not replace conformity assessment by a notified body where required. Penalties under Article 99 of the AI Act reach EUR 35 million or 7% of total worldwide annual turnover for the most serious violations. Use at your own risk.

---
*Source: https://skills.yangsir.net/skill/gh-ai-act-skill*
*Markdown mirror: https://skills.yangsir.net/api/skill/gh-ai-act-skill/markdown*