Eu-Ai-Act-Compliance

Verified

by Dryade

enterprise compliance
3.6 (15 ratings) 70 downloads

Description

EU AI Act (Regulation 2024/1689, final text) compliance toolkit: Article 5 prohibitions (8), Annex III high-risk classification, Articles 51-55 GPAI + systemic-risk classifier, Annex IV documentation, Article 14 oversight, Article 12 tamper-evident logging, Article 10 data governance

Details

EU AI Act Compliance

Tier: Enterprise | Type: Feature | Category: Legal | Version: 1.0.0

Comprehensive compliance toolkit for the EU AI Act (Regulation (EU) 2024/1689) providing risk classification, mandatory technical documentation, conformity assessment, human oversight workflows, transparency logging, and data governance assessment.


1. Overview

  • Plugin Name: EU AI Act Compliance
  • Slug: eu-ai-act-compliance
  • Required Tier: Enterprise
  • Plugin Type: Feature
  • Category: Legal
  • Author: Dryade
  • License: DSUL

What It Does

Automates EU AI Act compliance workflows for organizations deploying AI systems in the European Union. Classifies AI systems against the 4-tier risk taxonomy (unacceptable/high/limited/minimal), generates mandatory Annex IV technical documentation, runs conformity self-assessments, and provides human oversight approval gates with full transparency logging.

Key Capabilities

  • Annex III risk classification engine covering all 8 high-risk AI categories
  • Annex IV technical documentation generator with completeness scoring
  • Article 43 conformity self-assessment (Annex VI / VII routing)
  • Article 14 human oversight approval gates with approve/reject/override
  • Articles 12-13 transparency logging with audit trail export
  • Article 10 data governance and bias assessment

2. User Stories

Primary User Stories

US-1: Risk Classification

As a compliance officer, I want to classify an AI system's risk level so that I know which regulatory obligations apply before deployment.

Acceptance Criteria:

  • [x] System accepts structured description of an AI system
  • [x] Returns one of 4 risk levels with article references
  • [x] Identifies applicable Annex III category for high-risk systems

US-2: Documentation Generation

As a legal team member, I want to generate an Annex IV documentation template so that I can prepare mandatory technical documentation efficiently.

Acceptance Criteria:

  • [x] Template covers all 10 Annex IV sections
  • [x] Pre-fills available system information
  • [x] Tracks completeness per section

US-3: Human Oversight

As a risk manager, I want approval gates on high-risk AI decisions so that we comply with Article 14 human oversight requirements.

Acceptance Criteria:

  • [x] Create approval requests for AI decisions
  • [x] Approve, reject, or override with audit trail
  • [x] Oversight level proportional to risk classification

Edge Cases

  • Empty or incomplete system descriptions: Returns minimal risk with low confidence
  • None values in input fields: Handled gracefully without errors
  • Unknown domains: Default to minimal risk unless other indicators match

3. Architecture

Component Diagram

+-------------------+     +---------------------+     +------------------+
|   Plugin Router   | --> |   Risk Classifier   | --> |   Demo Data      |
|   routes.py       |     |   risk_classifier.py|     |   data/*.json    |
+-------------------+     +---------------------+     +------------------+
        |                         |
        |-- Documentation Gen     |-- Conformity Assessment
        |   documentation_        |   conformity_
        |   generator.py          |   assessment.py
        |                         |
        |-- Human Oversight       |-- Transparency Logger
        |   human_oversight.py    |   transparency_logger.py
        |                         |
        +-- Data Governance ------+
            data_governance.py

Components

| Component | File | Responsibility |
|-----------|------|----------------|
| Router | routes.py | API endpoints for all 6 modules |
| Risk Classifier | risk_classifier.py | Annex III risk classification engine |
| Documentation Generator | documentation_generator.py | Annex IV template generation |
| Conformity Assessment | conformity_assessment.py | Article 43 self-assessment |
| Human Oversight | human_oversight.py | Article 14 approval workflows |
| Transparency Logger | transparency_logger.py | Articles 12-13 decision logging |
| Data Governance | data_governance.py | Article 10 data quality and bias |
| Plugin Entry | plugin.py | EnterprisePluginProtocol lifecycle |
| Demo Data | data/ | 11 demo JSON files |

Dependencies

  • Internal: core.plugins.EnterprisePluginProtocol, core.plugin_config_store.PluginConfigStore
  • External: None (no external packages required)
  • Plugin: None (standalone plugin)

4. API Spec

REST Endpoints

| Method | Path | Description |
|--------|------|-------------|
| GET | /health | Health check |
| POST | /classify-risk | Classify AI system risk level |
| GET | /annex-iii | List Annex III categories |
| GET | /risk-levels | List 4 risk levels |
| GET | /obligations/{level} | Obligations per risk level |
| POST | /documentation/template | Generate Annex IV template |
| POST | /documentation/assess-completeness | Score documentation completeness |
| GET | /documentation/annex-iv | Empty Annex IV structure |
| POST | /conformity/create-assessment | Create conformity checklist |
| POST | /conformity/evaluate | Evaluate filled checklist |
| POST | /conformity/assessment-path | Determine Annex VI/VII path |
| POST | /oversight/request | Create approval request |
| POST | /oversight/{id}/approve | Approve request |
| POST | /oversight/{id}/reject | Reject request |
| POST | /oversight/{id}/override | Override AI output |
| GET | /oversight/pending | List pending requests |
| GET | /oversight/report | Oversight activity report |
| GET | /oversight/compliance/{name} | Article 14 compliance check |
| POST | /transparency/log | Log AI decision |
| GET | /transparency/logs | Query transparency logs |
| GET | /transparency/log/{id} | Get single log entry |
| GET | /transparency/report/{name} | Article 13 report |
| GET | /transparency/export/{name} | Export for audit trail |
| GET | /transparency/article-12-status/{name} | Article 12 check |
| POST | /data-governance/assess-training-data | Training data quality |
| POST | /data-governance/assess-bias | Bias assessment |
| POST | /data-governance/report | Data governance report |
| GET | /data-governance/article-10-checklist | Article 10 checklist |

Request/Response Examples

POST /classify-risk

// Request
{
    "name": "CV Screener",
    "purpose": "automated resume screening",
    "domain": "employment",
    "capabilities": ["ranking"],
    "data_types": ["personal"],
    "deployment_context": "hr_department",
    "affects_natural_persons": true
}

// Response
{
    "risk_level": "high",
    "category": "ANNEX-III-4",
    "subcategory": "Employment, workers management and access to self-employment",
    "article_references": ["Annex III, point 4", "Article 6(2)"],
    "obligations": ["Article 9", "Article 10", "..."],
    "rationale": "System falls within Annex III category...",
    "confidence_score": 0.85
}


5. Data Flow

Processing Pipeline

1. User submits AI system description via POST /classify-risk
2. Risk classifier checks against prohibited practices (Article 5)
3. If not prohibited, checks against Annex III high-risk categories
4. If not high-risk, checks for limited-risk transparency obligations (Article 50)
5. Returns risk level with applicable obligations and article references

Demo Data Description

The data/ directory contains:

  • _catalog.json: Index of all demo data files
  • annex_iii_categories.json: Full Annex III category reference
  • sample_risk_assessment.json: 3 example risk classifications
  • sample_documentation.json: Example Annex IV documentation
  • sample_conformity_checklist.json: Example filled checklist
  • sample_oversight_log.json: Example oversight records
  • sample_transparency_records.json: Example transparency logs
  • prohibited_practices.json: Article 5 prohibited practices
  • harmonised_standards.json: ISO/IEC AI standards reference
  • bias_assessment_template.json: Bias assessment template
  • training_data_quality_report.json: Example data quality report

Total: 11 demo files covering all compliance domains.


6. Security Considerations

Data Handling

  • PII: No -- plugin processes system descriptions, not personal data
  • Encryption: Database-level (inherits core DB TLS + encryption at rest)
  • Data Retention: Persisted to core ai_decision_log table (survives restarts, hash-chained)

External API Keys

None required. Plugin operates fully offline.

Isolation

  • Plugin runs in sandboxed context via core plugin loader
  • Transparency logs persisted to core ai_decision_log table
  • No external API calls
  • Falls back to in-memory when DB unavailable (test/standalone mode)

7. Test Plan

Test Classes

| Class | Tests | Coverage |
|-------|-------|----------|
| TestPluginAttributes | 10 | Manifest fields |
| TestPluginMarketplace | 4 | Marketplace metadata |
| TestDemoData | 5 | Data files presence |
| TestClassifyUnacceptable | 3 | Prohibited practices |
| TestClassifyHighRisk | 5 | Annex III categories |
| TestClassifyLimited | 2 | Transparency obligations |
| TestClassifyMinimal | 2 | No obligations |
| TestAnnexIII | 2 | Category structure |
| TestRiskLevels | 1 | Level definitions |
| TestObligations | 4 | Obligation lookup |
| TestGracefulHandling | 3 | Edge cases |
| TestRiskEndpoints | 4 | Risk API |
| TestDocumentationEndpoints | 3 | Documentation API |
| TestConformityEndpoints | 4 | Conformity API |
| TestOversightEndpoints | 5 | Oversight API |
| TestTransparencyEndpoints | 4 | Transparency API |
| TestDataGovernanceEndpoints | 4 | Data governance API |

Running Tests

cd dryade-plugins
python -m pytest enterprise/eu-ai-act-compliance/tests/ -x -v --tb=short

8. Deployment Notes

Requirements

No additional packages required beyond the Dryade core.

Configuration

Default plugin configuration:

{
    "data_source": "mock",
    "risk_threshold": "high",
    "include_recitals": true,
    "auto_documentation": false
}

Compatibility

  • Min Dryade Version: 1.0.0
  • Python: >=3.11
  • Notes: No external API keys required. Fully offline operation.

9. User Guide

Getting Started

  1. Ensure your Dryade instance has an enterprise tier license
  2. Install the plugin via the marketplace or dryade-pm push
  3. Use the API endpoints to classify AI systems and generate compliance artifacts

Common Workflows

Workflow 1: Classify and Document

  1. POST /classify-risk with AI system description
  2. If high-risk: POST /documentation/template to generate Annex IV docs
  3. Fill documentation sections, then POST /documentation/assess-completeness
  4. POST /conformity/create-assessment for conformity checklist

Workflow 2: Oversight and Transparency

  1. POST /oversight/request before executing AI decisions
  2. Human reviewer: POST /oversight/{id}/approve or /reject or /override
  3. POST /transparency/log to record decision with rationale
  4. GET /transparency/report/{name} for Article 13 compliance summary

10. Compliance References

All article references are from Regulation (EU) 2024/1689 (EU AI Act):

  • Article 5: Prohibited AI practices
  • Article 6: Classification rules for high-risk AI systems
  • Articles 9-15: Requirements for high-risk AI systems
  • Article 43: Conformity assessment
  • Article 47: EU declaration of conformity
  • Article 50: Transparency obligations for certain AI systems
  • Annex III: High-risk AI system areas
  • Annex IV: Technical documentation
  • Annex VI: Internal control procedure
  • Annex VII: Conformity assessment with notified body

11. Changelog

1.0.0 (2026-03-15)

  • Initial release
  • Annex III risk classification engine (8 high-risk categories, 6 prohibited practices)
  • Annex IV technical documentation generator (10 mandatory sections)
  • Article 43 conformity self-assessment (41 checklist items, Annex VI/VII routing)
  • Article 14 human oversight workflows (approve/reject/override)
  • Articles 12-13 transparency logging with audit trail export
  • Article 10 data governance and bias assessment (5 bias categories)
  • 11 demo data files for offline operation
  • 65 automated tests

Future Roadmap

  • [ ] Integration with core audit_admin hash-chain for transparency logs
  • [ ] EU AI Office regulatory update tracking
  • [ ] Multi-language support (all 24 EU official languages)
  • [ ] PDF export for Annex IV documentation
  • [ ] Automated EU declaration of conformity generation

Requires enterprise tier subscription

Plugin Info

Version 1.2.0
Author Dryade
Tier enterprise
Category compliance
Type backend
Downloads 70
Updated 26 Apr 2026

Tags

enterprise, eu-ai-act-compliance