LIVE · v1.3 STABLE
BUILD 2026.05.27
COMPLIANCE MATRIX
AGPL-3.0 · 3 EVAL CASES · 0 ASSERTIONS

AI ACT
OBLIGATIONS
by ROLE
× RISK TIER.

Maps the full set of AI Act duties for a given role and risk tier. Obligation extraction by role × tier, RACI assignments, priority sequencing against deadlines, GDPR crosswalk, FRIA + DPIA triggers, and an actionable compliance matrix — in one guided pass.

REG. (EU) 2024/1689   ·   ART. 4 AI LITERACY   ·   ART. 9–15   ·   ART. 16–17   ·   ART. 26–27 FRIA   ·   ART. 43 CONFORMITY   ·   ART. 49 EU DATABASE   ·   ART. 50 TRANSPARENCY   ·   ART. 53 · 55 GPAI   ·   ART. 72 POST-MARKET   ·   ANNEX III · ANNEX I   ·   AI OMNIBUS 2026   ·   REG. (EU) 2024/1689   ·   ART. 4 AI LITERACY   ·   ART. 9–15   ·   ART. 16–17   ·   ART. 26–27 FRIA   ·   ART. 43 CONFORMITY   ·   ART. 49 EU DATABASE   ·   ART. 50 TRANSPARENCY   ·   ART. 53 · 55 GPAI   ·   ART. 72 POST-MARKET   ·   ANNEX III · ANNEX I   ·   AI OMNIBUS 2026
§ 01 · CAPABILITIES

SIX PRIMITIVES.
One SKILL.

Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.

01
ROLE × TIER MATRIX
Obligation set loaded from the role (provider, deployer, importer, distributor) crossed with the risk tier (prohibited, high-risk, GPAI, Art. 50, minimal). Art. 4 AI competence applies to every combination.
02
RACI ASSIGNMENT
Every obligation is tagged Responsible / Accountable / Consulted / Informed across IT, Legal, Compliance, HR, and management. Turns a duty list into ownership.
03
PRIORITY SEQUENCING
Obligations grouped Immediate / Short-term / Ongoing / Periodic against compliance deadlines — Annex III 2 Dec 2027 and Annex I 2 Aug 2028, both AI Omnibus-postponed.
04
GDPR CROSSWALK
Maps Art. 26(9) DPIA, Art. 26(11) transparency, Art. 10 data governance and incident reporting to their GDPR parallels (Art. 35, 13/14, 25, 33/34).
05
FRIA + IMPACT TRIGGERS
Detects when Art. 27 fundamental rights assessment fires (public bodies, public-service providers, Annex III Nr. 5(b)/5(c) deployers) and scaffolds the DPIA + FRIA.
06
ISO 42001 ALIGNMENT
Maps required management systems — Art. 9 risk, Art. 10 data quality, Art. 17 QMS, Art. 72 post-market — against ISO/IEC 42001 AI management system structure.
§ 02 · WORKFLOW

FROM INPUT
to ARTEFACT.

Ten structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.

01
Disclaimer & web check
Non-blocking disclaimer. Search for current harmonized standards, notified body designations, and ISO 42001 alignment guidance on activation.
02
Context detection
Consume an Assessment Context block from a prior AI Act skill (classifier / roles / quick) or take a free-text narrative.
03
Coverage analysis
Map the input to 6 fields: risk classification, role, org size, sector, jurisdiction, existing frameworks. Ask only about gaps — max 2 intake turns.
04
Obligation set load
Read the reference set for the role × tier: high-risk provider, high-risk deployer, GPAI, low-risk, or Art. 6(4) Annex III exception.
05
Obligation count preview
State N obligations across K categories before walking through them in four batches.
06
Batched assessment
Four batches — Technical Measures, Organizational Measures, Management Systems, Impact Assessments. User marks each obligation in place / partial / not addressed.
07
GDPR cross-reference
At relevant points, surface the GDPR parallel and suggest the matching GDPR skill (DPIA, transparency notice, dual incident procedure).
08
Priority decision tree
Resolve obligations through the role + tier tree. Flag critical-timeline items first — e.g. Art. 26(6) 6-month log retention must be live from day one.
09
Implementation roadmap
Sequence obligations Immediate / Short-term / Ongoing / Periodic with a quarterly action calendar and resource estimates by org size.
10
Obligations matrix output
Emit the RACI-tagged matrix across all four categories plus GDPR cross-refs, a summary, and an Assessment Context block for handoff to /ai-act-report.
§ 03 · ANATOMY

WHAT'S
IN the SKILL.

Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.

ai-act-obligations/
├── evals  # Test cases + assertions
│   └── evals.json  # 3 cases, 0 assertions
├── references  # Reference corpus
│   ├── art6-4-documentation.md
│   ├── case-studies.md
│   ├── compliance-roadmap.md
│   ├── conformity-assessment.md
│   ├── eu-database-registration.md
│   ├── fria-template.md
│   ├── gdpr-crosswalk.md
│   ├── gpai-obligations.md
│   ├── high-risk-deployer-obligations.md
│   ├── high-risk-provider-obligations.md
│   ├── low-risk-obligations.md
│   ├── management-systems.md
│   ├── organizational-measures.md
│   ├── post-market-monitoring.md
│   ├── regulatory-overlays.md
│   └── technical-measures.md
├── CHANGELOG.md  # Version history
├── README.md  # Deployment guide
└── SKILL.md  # Main skill instructions
§ 04 · DEPLOYMENT

INSTALL
and INVOKE.

Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.

CLAUDE.AI USER SKILLS

  1. Settings → Profile → Custom Skills
  2. Upload the entire ai-act-obligations/ folder
  3. Skill auto-triggers on relevant keywords

CLAUDE CODE / MCP

  1. Copy folder to your skills directory:
cp -r ai-act-obligations/ \
   ~/.claude/skills/user/
§ 05 · OUTPUTS

WHAT YOU
get BACK.

Every output is documented, version-pinned, and traceable to its source citation.

Obligations matrix
RACI-tagged table per category — Technical Measures, Organizational Measures, Management Systems Required, Impact Assessments — with legal basis, priority, status, and effort.
Implementation roadmap
Obligations sequenced Immediate / Short-term / Ongoing / Periodic against deadlines, with a quarterly action calendar and size-based resource estimates.
GDPR cross-reference table
Each AI Act obligation mapped to its GDPR parallel and a recommended combined action.
FRIA scaffold
Art. 27 fundamental rights impact assessment template, generated when the deployer triggers the obligation.
Assessment Context block
Structured handoff block — system, classification, basis, role, sector, jurisdiction, GPAI status — to paste into /ai-act-report.
§ 06 · EVALS

TESTED
before SHIPPED.

Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.

03
Test Cases
0
Assertions
100%
Coverage Required
00
I'm the legal department of the City of Munich (a German municipality, public-se...
0 ASSERTS
01
Continuing the JurisLM case: we are the French legal-tech (downstream GPAI provi...
0 ASSERTS
02
I'm the GC at our German HR-tech GmbH (TalentScreenAI vendor — see earlier role-...
0 ASSERTS
§ 07 · REGULATORY BASIS

WHAT IT
cites.

Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.

EU AI Act (Reg. 2024/1689)
Titles III, IV, V — high-risk, GPAI, and transparency obligations.
Art. 9–17
Technical requirements (Art. 9–15) and provider obligations + QMS (Art. 16–17) for high-risk systems.
Art. 26–27
Deployer obligations and Art. 27 fundamental rights impact assessment.
Art. 43 · 49 · 50 · 72
Conformity assessment, EU database registration, transparency, and post-market monitoring.
Art. 53 & 55 + Code of Practice
GPAI provider obligations, standard and systemic-risk, and the GPAI Code of Practice.
AI Omnibus 2026 postponements
Annex III to 2 Dec 2027; Annex I to 2 Aug 2028 — the deadlines priority sequencing runs against.
§ 08 · TRUST

EVERY STEP,
auditable.

The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.

§
Source-anchored obligations.
Every duty in the matrix carries its Article cite — Art. 4, Art. 26(6), Art. 27 — back to Regulation (EU) 2024/1689.
VERIFIED
Reproducible matrix.
Pin a build; regenerate the same role × tier obligation set and RACI assignments years later for audit defence.
IMMUTABLE
Deadline-aware sequencing.
Priorities run against AI Omnibus-adjusted dates — Annex III 2 Dec 2027, Annex I 2 Aug 2028 — not stale pre-postponement deadlines.
ENFORCED
**
EU-native.
Built on AI Act roles, Annex III tiers, ISO 42001 alignment, and the GDPR crosswalk. Not a retrofitted checklist.
NATIVE

EU AI Act Obligations Mapper — Deployment Guide

📄 View the interactive skill page →

See CHANGELOG.md for version history.

Overview

EU AI Act Obligations Mapper — produces an actionable compliance matrix for a given role + risk tier:

  • Role × tier obligation matrix — provider, deployer, importer, distributor across prohibited, high-risk, GPAI, Art. 50, minimal
  • RACI assignments for each obligation (Responsible / Accountable / Consulted / Informed)
  • Implementation priorities sequenced against compliance deadlines
  • Technical measures — risk management, data governance, logging, transparency, human oversight, accuracy/robustness, cybersecurity
  • Organisational measures — quality management, post-market monitoring, incident reporting, conformity assessment
  • Management systems — what is required (e.g., Art. 17 QMS) vs. recommended
  • Impact assessments required (DPIA, FRIA, conformity assessment) with cross-references
  • GDPR crosswalk — overlap and interplay between AI Act and GDPR obligations
  • Regulatory overlays — sector-specific layers (banking, medical devices, employment)
  • Art. 6(4) documentation support for Art. 6(3)-exception users
  • EU database registration workflow for Annex III high-risk systems
  • Compliance roadmap with priority decision tree

File Structure

ai-act-obligations/
├── SKILL.md                                  # Main skill instructions (deploy this)
├── CHANGELOG.md                              # Version history
├── evals/
│   └── evals.json                            # Test cases
└── references/
    ├── high-risk-provider-obligations.md     # Art. 16, 9, 10, 11, 12, 13, 14, 15
    ├── high-risk-deployer-obligations.md     # Art. 26, 27 (FRIA)
    ├── gpai-obligations.md                   # Art. 53, 55, Code of Practice
    ├── low-risk-obligations.md               # Art. 50 transparency + voluntary measures
    ├── technical-measures.md                 # Risk mgmt, data governance, logging, etc.
    ├── organizational-measures.md            # QMS, post-market monitoring, incident reporting
    ├── management-systems.md                 # Art. 17 QMS specifics
    ├── conformity-assessment.md              # Annex VI/VII procedures
    ├── post-market-monitoring.md             # Art. 72 post-market system
    ├── eu-database-registration.md           # Art. 71 EU database workflow
    ├── art6-4-documentation.md               # Art. 6(4) exception documentation
    ├── fria-template.md                      # Fundamental Rights Impact Assessment scaffold
    ├── gdpr-crosswalk.md                     # AI Act ↔ GDPR mapping
    ├── regulatory-overlays.md                # Sector-specific compliance layers
    ├── compliance-roadmap.md                 # Priority decision tree + sequencing
    └── case-studies.md                       # Worked obligation-mapping examples

Deployment

Claude.ai (User Skills)

  1. Go to Settings → Profile → Custom Skills (or equivalent)
  2. Upload the entire ai-act-obligations/ folder structure
  3. The skill will auto-trigger when you ask to map obligations, build a compliance checklist, or assess provider/deployer duties under the AI Act

Claude Code / Custom MCP Setup

  1. Copy the ai-act-obligations/ folder to your skills directory: bash cp -r ai-act-obligations/ /path/to/your/skills/user/ai-act-obligations/
  2. Ensure the skill is registered in your configuration

Usage

Quick Start

Tell the skill your role and risk tier (or just describe the system):

"We're the deployer of a high-risk AI system used for credit scoring in Germany. What obligations do we have, and what should we prioritise in the first 6 months?"

The skill will produce a tailored obligation matrix with RACI and priorities.

Trigger Phrases

  • "Map AI Act obligations" / "Check what we need to do" / "Compliance checklist"
  • "Deployer obligations" / "Provider duties" / "Art. 26" / "Art. 16-17"
  • "AI literacy Art. 4" / "DPIA" / "FRIA" / "fundamental rights assessment"
  • "Pflichtenkatalog"

Workflow

Phase Description
Phase 1: Input Context Context-aware adaptive intake — role, risk tier, sector, jurisdiction; consumes prior skill output if provided
Phase 2: Obligation Mapping Tier-specific obligation list with priority decision tree
Phase 3: Implementation Roadmap Sequenced plan against deadlines with quick-win identification
Phase 4: Obligations Matrix Output RACI-tagged matrix: technical measures, organisational measures, management systems, impact assessments, GDPR cross-refs

Capabilities Summary

Feature Description
Role × Tier Matrix All combinations (provider/deployer/importer/distributor × prohibited/high-risk/GPAI/Art. 50/minimal)
RACI Assignments Per-obligation R/A/C/I tagging
Technical Measures Art. 9, 10, 11, 12, 13, 14, 15 implementation guidance
Organisational Measures Art. 17 QMS, post-market monitoring, incident reporting
Conformity Assessment Annex VI / VII procedure routing
EU Database Registration Art. 71 high-risk system registration
FRIA Support Art. 27 fundamental rights impact assessment scaffold
GDPR Crosswalk Mapping to GDPR obligations (DPIA, controller/processor)
Sector Overlays Banking, medical devices, employment, biometrics
Compliance Roadmap Priority decision tree + deadline-aware sequencing

Regulatory Basis

Document Reference
EU AI Act Regulation (EU) 2024/1689 — Titles III, IV, V
Art. 9–15 Technical requirements for high-risk systems
Art. 16–17 Provider obligations + QMS
Art. 26–27 Deployer obligations + FRIA
Art. 50 Transparency obligations
Art. 53, 55 GPAI obligations (standard + systemic risk)
Art. 71 EU database registration
Art. 72 Post-market monitoring
GPAI Code of Practice Art. 53 implementation framework
GDPR Crosswalk for DPIA + controller/processor obligations

License & Disclaimer

This skill provides structured AI Act obligations guidance based on Regulation (EU) 2024/1689. It is not legal advice. Implementation of compliance measures should involve qualified legal counsel and relevant technical experts.

Licensed under AGPL-3.0 — see LICENSE at the repo root.


Created by Oliver Schmidt-Prietz — OneZero Legal