Maps the full set of AI Act duties for a given role and risk tier. Obligation extraction by role × tier, RACI assignments, priority sequencing against deadlines, GDPR crosswalk, FRIA + DPIA triggers, and an actionable compliance matrix — in one guided pass.
Each capability is documented separately, tested separately, and called by the workflow at the right moment. Compose them or invoke individually.
Ten structured steps. The human stays accountable; the skill carries the structure, the citations, and the document trail.
Single-folder skill. SKILL.md is the runtime spec; references hold the knowledge corpus; evals hold the proof.
ai-act-obligations/ ├── evals # Test cases + assertions │ └── evals.json # 3 cases, 0 assertions ├── references # Reference corpus │ ├── art6-4-documentation.md │ ├── case-studies.md │ ├── compliance-roadmap.md │ ├── conformity-assessment.md │ ├── eu-database-registration.md │ ├── fria-template.md │ ├── gdpr-crosswalk.md │ ├── gpai-obligations.md │ ├── high-risk-deployer-obligations.md │ ├── high-risk-provider-obligations.md │ ├── low-risk-obligations.md │ ├── management-systems.md │ ├── organizational-measures.md │ ├── post-market-monitoring.md │ ├── regulatory-overlays.md │ └── technical-measures.md ├── CHANGELOG.md # Version history ├── README.md # Deployment guide └── SKILL.md # Main skill instructions
Two deployment surfaces. The skill auto-triggers on relevant keywords once installed.
ai-act-obligations/ foldercp -r ai-act-obligations/ \ ~/.claude/skills/user/
Every output is documented, version-pinned, and traceable to its source citation.
Every release runs against a fixed test suite. Assertions check numeric consistency, citation accuracy, and decision-tree branches.
Every legal verdict resolves to one of these instruments. No invented articles, no synthetic recitals.
The trace is the product. Nothing happens off the record — no hidden tool calls, no silent retrieval, no opaque chain-of-thought.
See CHANGELOG.md for version history.
EU AI Act Obligations Mapper — produces an actionable compliance matrix for a given role + risk tier:
ai-act-obligations/
├── SKILL.md # Main skill instructions (deploy this)
├── CHANGELOG.md # Version history
├── evals/
│ └── evals.json # Test cases
└── references/
├── high-risk-provider-obligations.md # Art. 16, 9, 10, 11, 12, 13, 14, 15
├── high-risk-deployer-obligations.md # Art. 26, 27 (FRIA)
├── gpai-obligations.md # Art. 53, 55, Code of Practice
├── low-risk-obligations.md # Art. 50 transparency + voluntary measures
├── technical-measures.md # Risk mgmt, data governance, logging, etc.
├── organizational-measures.md # QMS, post-market monitoring, incident reporting
├── management-systems.md # Art. 17 QMS specifics
├── conformity-assessment.md # Annex VI/VII procedures
├── post-market-monitoring.md # Art. 72 post-market system
├── eu-database-registration.md # Art. 71 EU database workflow
├── art6-4-documentation.md # Art. 6(4) exception documentation
├── fria-template.md # Fundamental Rights Impact Assessment scaffold
├── gdpr-crosswalk.md # AI Act ↔ GDPR mapping
├── regulatory-overlays.md # Sector-specific compliance layers
├── compliance-roadmap.md # Priority decision tree + sequencing
└── case-studies.md # Worked obligation-mapping examples
ai-act-obligations/ folder structureai-act-obligations/ folder to your skills directory:
bash
cp -r ai-act-obligations/ /path/to/your/skills/user/ai-act-obligations/Tell the skill your role and risk tier (or just describe the system):
"We're the deployer of a high-risk AI system used for credit scoring in Germany. What obligations do we have, and what should we prioritise in the first 6 months?"
The skill will produce a tailored obligation matrix with RACI and priorities.
| Phase | Description |
|---|---|
| Phase 1: Input Context | Context-aware adaptive intake — role, risk tier, sector, jurisdiction; consumes prior skill output if provided |
| Phase 2: Obligation Mapping | Tier-specific obligation list with priority decision tree |
| Phase 3: Implementation Roadmap | Sequenced plan against deadlines with quick-win identification |
| Phase 4: Obligations Matrix Output | RACI-tagged matrix: technical measures, organisational measures, management systems, impact assessments, GDPR cross-refs |
| Feature | Description |
|---|---|
| Role × Tier Matrix | All combinations (provider/deployer/importer/distributor × prohibited/high-risk/GPAI/Art. 50/minimal) |
| RACI Assignments | Per-obligation R/A/C/I tagging |
| Technical Measures | Art. 9, 10, 11, 12, 13, 14, 15 implementation guidance |
| Organisational Measures | Art. 17 QMS, post-market monitoring, incident reporting |
| Conformity Assessment | Annex VI / VII procedure routing |
| EU Database Registration | Art. 71 high-risk system registration |
| FRIA Support | Art. 27 fundamental rights impact assessment scaffold |
| GDPR Crosswalk | Mapping to GDPR obligations (DPIA, controller/processor) |
| Sector Overlays | Banking, medical devices, employment, biometrics |
| Compliance Roadmap | Priority decision tree + deadline-aware sequencing |
| Document | Reference |
|---|---|
| EU AI Act | Regulation (EU) 2024/1689 — Titles III, IV, V |
| Art. 9–15 | Technical requirements for high-risk systems |
| Art. 16–17 | Provider obligations + QMS |
| Art. 26–27 | Deployer obligations + FRIA |
| Art. 50 | Transparency obligations |
| Art. 53, 55 | GPAI obligations (standard + systemic risk) |
| Art. 71 | EU database registration |
| Art. 72 | Post-market monitoring |
| GPAI Code of Practice | Art. 53 implementation framework |
| GDPR | Crosswalk for DPIA + controller/processor obligations |
This skill provides structured AI Act obligations guidance based on Regulation (EU) 2024/1689. It is not legal advice. Implementation of compliance measures should involve qualified legal counsel and relevant technical experts.
Licensed under AGPL-3.0 — see LICENSE at the repo root.
Created by Oliver Schmidt-Prietz — OneZero Legal