From lawvable-awesome-legal-skills
Maps EU AI Act obligations based on role and risk tier into a compliance matrix with RACI assignments. Generates checklists for provider and deployer duties.
How this skill is triggered — by the user, by Claude, or both
Slash command
/lawvable-awesome-legal-skills:eu-ai-act-obligations-oliver-schmidt-prietzThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
Map the full set of legal obligations based on **role + risk tier** under the AI Act (Regulation (EU) 2024/1689), producing an actionable compliance matrix with RACI assignments and implementation priorities.
LICENSE.txtREADME.mdreferences/art6-4-documentation.mdreferences/case-studies.mdreferences/compliance-roadmap.mdreferences/conformity-assessment.mdreferences/eu-database-registration.mdreferences/fria-template.mdreferences/gdpr-crosswalk.mdreferences/gpai-obligations.mdreferences/high-risk-deployer-obligations.mdreferences/high-risk-provider-obligations.mdreferences/low-risk-obligations.mdreferences/management-systems.mdreferences/organizational-measures.mdreferences/post-market-monitoring.mdreferences/regulatory-overlays.mdreferences/technical-measures.mdMap the full set of legal obligations based on role + risk tier under the AI Act (Regulation (EU) 2024/1689), producing an actionable compliance matrix with RACI assignments and implementation priorities.
IMPORTANT NOTICE This assessment provides structured guidance based on the EU AI Act (Regulation (EU) 2024/1689). It does not constitute legal advice. Implementation of compliance measures should involve qualified legal counsel and relevant technical experts.
Do you acknowledge this and wish to proceed?
Wait for acknowledgment before proceeding.
On activation — search for:
EU AI Act harmonized standards EN ISO implementing requirements [current year]
EU AI Act conformity assessment notified bodies guidance [current year]
For management systems — search for:
ISO 42001 AI management system alignment EU AI Act [current year]
EU AI Act quality management system requirements guidance
For national rules — search for:
[user's jurisdiction] AI Act national implementation measures [current year]
[user's jurisdiction] AI Act supervisory authority designation
For conformity assessment — search for:
EU AI Act conformity assessment procedures latest guidance
EU AI Act notified body designations [current year]
Step 1 — Context detection (always first):
"Let's map your AI Act obligations."
If you've run prior AI Act skills (/ai-act-classifier, /ai-act-roles, /ai-act-quick), paste the Assessment Context block below. Otherwise, describe your situation in your own words.
Step 2 — Coverage analysis (internal — do not show this table to the user):
Map the context block or narrative to these 6 fields:
| # | Field | Source in context block | Fallback |
|---|---|---|---|
| 1 | Risk classification | "Classification:" line | Ask |
| 2 | Organizational role | "Role:" line | Ask |
| 3 | Organization size | "Org Size:" line | Ask |
| 4 | Sector | "Sector:" line | Ask |
| 5 | Jurisdiction(s) | "Jurisdiction:" line | Ask |
| 6 | Existing frameworks | Not in context block | Always ask |
If the user needs classification help → suggest running /ai-act-classifier first. If the role hasn't been determined yet → suggest running /ai-act-roles first.
Step 3 — Adaptive follow-up:
Existing compliance status is always asked since it's new information not carried in the context block. Frame conversationally:
"One more thing — which compliance foundations do you already have in place? (Risk management, data quality, QMS, DPIA, incident reporting, AI literacy training, or starting from scratch)"
Maximum 2 interaction turns for intake. If a field remains unclear, mark as [UNCLEAR — proceeding with cautious assumptions].
Based on role + risk tier, load the applicable obligation set.
Read the relevant reference files:
Deployer + High-Risk → Read references/high-risk-deployer-obligations.md Provider + High-Risk → Read references/high-risk-provider-obligations.md Any role + Low-Risk/Minimal → Read references/low-risk-obligations.md Non-high-risk Annex III (Art. 6(3) exception) → Read references/art6-4-documentation.md GPAI provider → Read references/gpai-obligations.md FRIA-triggering deployer → Read references/fria-template.md for Art. 27 FRIA methodology and fillable template Provider conformity assessment → Read references/conformity-assessment.md for Art. 43 track selection, EU Declaration, and CE marking Provider post-market monitoring → Read references/post-market-monitoring.md for Art. 72 monitoring system design and serious incident reporting EU database registration → Read references/eu-database-registration.md for Art. 49 registration process (provider and deployer tracks) All roles → Art. 4 AI competence obligation always applies
Obligation count preview:
"Based on your role as [Role] of a [risk tier] system, you have N obligations across K categories. I'll walk through them in 4 batches."
Batched assessment (4 batches replacing per-obligation questioning):
Present obligations grouped by category. For each batch, show a table with all obligations in that category and ask the user to respond to the entire batch at once:
| Batch | Category | Typical obligations |
|---|---|---|
| 1 | Technical Measures | Use per instructions, monitoring, input data, log retention, data quality |
| 2 | Organizational Measures | Oversight persons, inform affected persons, employee info, AI competence, incident reporting, registration, authority cooperation |
| 3 | Management Systems | Risk management, data quality mgmt, QMS, post-market monitoring |
| 4 | Impact Assessments | DPIA, FRIA |
For each batch, present a table:
Batch [X] of 4: [Category]
# Obligation Legal Basis Priority Status 1 [obligation] [article] [Immediate/Short-term/Ongoing] Already in place / Partially addressed / Not yet addressed "For each obligation, indicate: already in place, partially addressed, or not yet addressed. You can respond with just the numbers (e.g., '1,3 = in place; 2,4 = partial; 5 = not addressed')."
Progress indicator after each batch: "Batch [X] of 4 complete. [N] obligations remaining."
Smart defaults: If the user indicated "starting from scratch" in Phase 1, default all obligations to "not yet addressed" and confirm: "Since you're starting from scratch, I've marked all obligations as not yet addressed. Any exceptions?"
Target: 4-5 interaction turns instead of 20+.
Flag priority levels: critical timeline obligations first (e.g., Art. 26(6) 6-month log retention must be operational from day one).
Read references/gdpr-crosswalk.md.
At relevant obligation points, suggest existing GDPR skills:
| Obligation | Trigger | Suggestion |
|---|---|---|
| Art. 26(9) DPIA | High-risk deployer | "Perform a DPIA incorporating the provider's Art. 13 information about system capabilities and limitations" |
| Art. 26(11) inform affected persons | Deployer transparency | "Prepare a combined AI Act/GDPR transparency notice covering Art. 26(11) and Art. 13/14 GDPR" |
| Art. 10 data governance | Provider data quality | "Conduct a data inventory review mapping AI training data against GDPR data quality and minimization principles" |
| Art. 26(7) employee information | Workplace AI | "Prepare employee AI transparency documentation combining Art. 26(7) and GDPR Art. 13/14 requirements" |
| Art. 26(5) serious incidents | Incident detected | "Establish a dual incident reporting procedure covering both AI Act (Art. 73) and GDPR (Art. 33/34) timelines" |
| Personal data processing | Any AI processing personal data | "Review your GDPR Art. 28 processor agreement to include AI Act cooperation provisions (Art. 25(2))" |
┌─────────────────────────┐
│ ROLE + RISK TIER │
└────────────┬────────────┘
│
┌─────────────────┼──────────────────┐
│ │ │
▼ ▼ ▼
┌─────────┐ ┌──────────────┐ ┌──────────────┐
│ PROVIDER│ │ DEPLOYER │ │ GPAI MODEL │
│ │ │ │ │ PROVIDER │
└────┬────┘ └──────┬───────┘ └──────┬───────┘
│ │ │
▼ ▼ ▼
High-Risk? High-Risk? Systemic Risk?
├─ YES: ├─ YES: ├─ YES:
│ Art. 8-17 │ Art. 26 │ Art. 53 + 55
│ Art. 17 QMS │ Art. 27 FRIA ├─ NO:
│ Art. 9 Risk │ Art. 26(9) DPIA │ Art. 53
│ Art. 43 CA │ Art. 49(3) Reg └────────────
│ Art. 49 Reg └────────────
│ ├─ NO (Art. 50):
├─ NO │ Art. 50 only
│ (Art. 50): ├─ NO (Minimal):
│ Art. 50 │ Art. 4 only
│ +Art. 6(4) └────────────
│ if Annex III
└────────────
ALL ROLES: Art. 4 AI Competence (always applies)
For worked obligation mapping examples, see references/case-studies.md.
Group obligations by timeline:
1. IMMEDIATE (before deployment / already overdue if deployed):
2. SHORT-TERM (within 3 months of deployment):
3. ONGOING (continuous):
4. PERIODIC (regular intervals):
Read references/technical-measures.md, references/organizational-measures.md, and references/management-systems.md for detailed requirements.
For the full compliance timeline with quarterly action calendar, resource estimates by organization size, and dependency mapping between activities, reference references/compliance-roadmap.md.
## AI Act Compliance Obligations Matrix
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
Role: [Role] | Risk Tier: [Tier] | Basis: [legal basis]
Organization: [name] | Date: [date]
### Technical Measures
| # | Obligation | Legal Basis | Priority | Status | RACI | Effort |
|---|-----------|-------------|----------|--------|------|--------|
| 1 | Use system per operating instructions | Art. 26(1) | Immediate | [ ] | IT=R, Legal=A | Low |
| 2 | Monitor system operation | Art. 26(5) | Immediate | [ ] | IT=R, Compliance=A | Medium |
| 3 | Ensure input data relevance | Art. 26(4) | Immediate | [ ] | IT=R, Business=A | Medium |
| 4 | Retain auto-generated logs (6 months) | Art. 26(6) | Immediate | [ ] | IT=R, Legal=A | Low |
| 5 | Data quality management | Art. 10 | Short-term | [ ] | IT=R, Data=A | High |
### Organizational Measures
| # | Obligation | Legal Basis | Priority | Status | RACI | Effort |
|---|-----------|-------------|----------|--------|------|--------|
| 1 | Assign qualified oversight persons | Art. 26(2) | Immediate | [ ] | HR=R, Legal=A | Medium |
| 2 | Inform affected persons | Art. 26(11) | Immediate | [ ] | Legal=R, Comms=A | Medium |
| 3 | Inform employees/works council | Art. 26(7) | Short-term | [ ] | HR=R, Legal=A | Medium |
| 4 | AI competence training | Art. 4 | Short-term | [ ] | HR=R, Mgmt=A | Medium |
| 5 | Incident reporting procedure | Art. 26(5) s.3 | Immediate | [ ] | Legal=R, IT=C | High |
| 6 | Register use in EU database | Art. 49(3) | Short-term | [ ] | Legal=R | Low |
| 7 | Cooperate with authorities | Art. 26(12) | Ongoing | [ ] | Legal=R, Mgmt=A | Low |
### Management Systems Required
| System | Legal Basis | Scope | Existing? |
|--------|------------|-------|-----------|
| Risk Management | Art. 9 | Continuous lifecycle risk assessment | [ ] |
| Data Quality Mgmt | Art. 10 | Training/validation/test data governance | [ ] |
| Quality Management | Art. 17 | Processes, procedures, compliance concept | [ ] |
| Post-Market Monitoring | Art. 72 | Monitoring throughout lifetime | [ ] |
### Impact Assessments Required
| Assessment | Legal Basis | When | Status |
|-----------|------------|------|--------|
| DPIA | Art. 26(9) + Art. 35 GDPR | Before deployment | [ ] |
| Fundamental Rights Assessment | Art. 27 | Before deployment (public bodies + certain private) | [ ] |
### GDPR Cross-References
| AI Act Obligation | GDPR Parallel | Recommended Action |
|------------------|---------------|----------------|
| Art. 26(9) DPIA | Art. 35 GDPR | Perform DPIA per Art. 35 GDPR incorporating Art. 13 information |
| Art. 26(11) inform persons | Art. 13/14 GDPR | Draft combined AI Act + GDPR transparency notice |
| Art. 10 data governance | Art. 25 GDPR (DPbD) | Conduct data inventory and governance review |
| Art. 26(7) employee info | Art. 13/14 GDPR | Prepare employee AI transparency documentation |
| Incident reporting | Art. 33/34 GDPR | Establish dual AI Act/GDPR incident reporting procedure |
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
SUMMARY:
TOTAL: [X] obligations | [Y] immediate | [Z] require legal judgment
Timeline: [X] already compliant | [Y] gaps identified | [Z] not yet assessed
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
ASSESSMENT CONTEXT (paste into next skill)
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
System: [name]
Classification: [risk tier]
Basis: [legal basis]
Role: [role]
Quasi-Provider: [risk level]
Sector: [sector]
Jurisdiction: [list]
Org Size: [size]
Art. 50: [applicable triggers]
GPAI: [yes/no, systemic risk]
NEXT STEPS:
→ Run /ai-act-report to generate formal assessment documentation
→ Address [Y] immediate gaps as priority
→ Establish management systems within [timeline]
━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━
references/enforcement-framework.md for penalty tiers (up to €35M / 7% turnover for Art. 5 violations, €15M / 3% for other infringements), enforcement architecture, and practical risk assessment factorsnpx claudepluginhub lawve-ai/awesome-legal-skillsDetermines EU AI Act obligations by role (provider/deployer) and risk class, and compiles Annex IV technical documentation for high-risk AI systems.
Performs a fast 15-25 minute preliminary EU AI Act classification and compliance assessment with conversational triage workflow.
Manages EU AI Act per-system inventory tracking roles (provider, deployer, etc.) and risk tiers (prohibited, high-risk, etc.) per AI system, not per company.