EU AI Act Compliance Skills — Open-Source Infrastructure for AI Agent Compliance

The Compliance Architecture Problem

The EU AI Act entered into force on 1 August 2024. Its requirements apply in stages — with obligations for high-risk systems and general-purpose AI models coming into full effect from August 2026. This timeline is shorter than it looks. Organisations building and deploying AI systems now face a dual challenge: the regulation is already active, and its operational requirements — technical documentation, transparency obligations, incident reporting, human oversight protocols — demand systematic implementation, not one-time review.

The structural problem is translation. Legal texts describe obligations in terms of roles and risk categories. Engineering teams build in terms of functions and pipelines. The gap between "you must maintain technical documentation" and "here is what the agent must log, when, and in what format" is not bridged by reading the Act. It requires something more practical: compliance instructions that an AI system can actually act on.

That is the problem this repository addresses.

What the Repository Does

The euai_act-compliance-skills repository is a structured collection of compliance instructions derived directly from Regulation (EU) 2024/1689, designed to be embedded into AI agents operating within organisations subject to the Act. Each "skill" is a self-contained instruction set that tells an AI agent what to do — or not do — in a specific compliance domain.

The framework is deliberately infrastructure-level: it does not assume a particular AI provider, orchestration layer, or deployment context. A skill that instructs an agent on transparency disclosures works whether the underlying model is Claude, GPT-4, Gemini, Llama, or Mistral. An orchestration pipeline built on LangChain, LlamaIndex, AutoGen, or CrewAI can load these skills without modification. The compliance layer is separated from the implementation layer by design.

Structure: 64 Skills, 12 Domains

The repository organises its 64 skill files across 12 thematic folders that mirror the Act's architecture:

00_INDEX — The master router and system classifier. An agent loads this first to determine which downstream skills apply based on its risk classification and operating context. The index also contains the glossary of defined terms from the Act, ensuring consistent interpretation across skill files.

01_CORE — Always-active baseline compliance skills that apply to every AI system within scope, regardless of risk tier. These cover fundamental obligations that cannot be conditional: data quality principles, basic transparency requirements, and documentation minimums.

02_ROLE_SKILLS — The Act distinguishes sharply between providers (those who develop or place AI systems on the market), deployers (organisations that operate AI systems under their own authority), and importers (entities bringing AI systems into the EU from third countries). Each role carries different obligations. These skills load conditionally based on how the deploying organisation has classified its position.

03_HIGH_RISK — High-risk AI systems face the Act's most demanding requirements: conformity assessments, registration in the EU database, post-market monitoring, and mandatory human oversight provisions. This folder contains the full compliance stack for systems classified as high-risk under Annex III of the Act.

04_GPAI — General-purpose AI models — those that can perform a wide range of distinct tasks — are subject to a separate and evolving compliance regime under Title III of the Act. These skills incorporate the GPAI Code of Practice and the Commission guidelines that operationalise the GPAI provisions.

05_TRANSPARENCY through 11_ROLE_GUIDANCE cover user-facing disclosure requirements, incident reporting protocols, sector-specific overlays (including healthcare, education, and critical infrastructure), sanctions reference tables, and plain-language guidance for developers, compliance leads, and business teams.

The risk-tiered loading architecture is the framework's key engineering decision. A minimal-risk chatbot — the vast majority of deployed AI — loads only 01_CORE and the relevant role skills. A high-risk recruitment screening tool loads the full stack. Compliance overhead scales with actual regulatory exposure.

Version 2.4: Regulation in Motion

One of the less-discussed challenges of EU AI Act compliance is that the regulatory text is not static. The Act itself was a framework: the Commission was mandated to issue delegated acts, guidelines, and codes of practice that fill in operational detail. Those documents have been arriving throughout 2025 and into 2026.

Version 2.4 of this repository (released May 2026) is the first public compliance framework to incorporate three critical second-generation documents: the Commission's General-Purpose AI Code of Practice (adopted 10 July 2025), and two sets of Commission Guidelines — C(2025)884 on prohibited AI practices and C(2025)5052 on the definition of AI systems. These documents resolve significant ambiguities in the original Act text, particularly around GPAI model obligations and the boundary of what counts as an "AI system" under the regulation.

Organisations that built compliance programmes against the 2024 Act text alone are working from an incomplete picture. The repository tracks regulatory development as it occurs and updates skill files when Commission guidance changes the operational meaning of an obligation.

Who It's For

The primary audiences are engineering teams building AI agent systems and compliance leads within organisations subject to the Act. For engineers, the repository provides ready-to-embed instruction sets that can be loaded into any agent orchestration framework — the compliance layer is written as agent skills, not as a legal checklist. For compliance leads, the folder structure mirrors the Act's architecture directly, making it straightforward to audit coverage against specific articles and annexes.

The framework is also of direct relevance to organisations in the EU AI Act's high-risk categories — healthcare, education, employment, critical infrastructure, and law enforcement — where the cost of non-compliance is highest and the operational complexity of meeting the Act's requirements is greatest.

A plain-language guidance layer (folder 11_ROLE_GUIDANCE) is included for business teams and non-technical stakeholders who need to understand what the Act requires of their organisation without working through the regulatory text directly.

Access and Licence

The repository is publicly available on GitHub under a Creative Commons Attribution 4.0 International licence (CC BY 4.0). It can be used freely in commercial and non-commercial contexts, with attribution. The framework explicitly does not constitute legal advice; organisations should consult qualified EU regulatory counsel for binding legal determinations. ABQ Institute maintains the repository and intends to update skill files as the regulatory landscape evolves.