Is your AI app high-risk in Europe?
One command tells you which EU AI Act risk tier your code is in, why, and what to fix. 30 seconds, free, no account.
$ regula check . --explain Classification: HIGH-RISK Annex III, Category 5 WHY: scoring.py:23 — essential_services Code: score = model.predict(applicant) Legal basis: Annex III — Articles 9-15 False positive if: not a credit decision ROLE: DEPLOYER (confidence: high) - OpenAI API usage detected OBLIGATIONS: [HIGH] Art. 9 Risk management — 40-60h [HIGH] Art. 14 Human oversight — 16-24h Total: 160-324h | Deadline: Dec 2027 ⚠ Omnibus agreed 7 May 2026, EP approved 16 Jun 2026, Council approved 29 Jun 2026 (pending OJ publication)
$ regula plan . COMPLIANCE PLAN · HIGH-RISK (Annex III, Category 5) Priority 1 — Risk Management System (Art. 9) Effort: 40–60h × No risk assessment file found × No model evaluation documented Priority 2 — Human Oversight (Art. 14) Effort: 16–24h × No review-before-action pattern detected × No override mechanism found Priority 3 — Technical Documentation (Art. 11) Effort: 8–12h ✓ Annex IV template: regula docs . Total: 64–96h estimated effort
$ regula gap . COMPLIANCE GAP ASSESSMENT Art. 9 Risk management ██░░░░░░░░ 20% FAIL Art. 10 Data governance ████░░░░░░ 40% WARN Art. 11 Documentation ██████░░░░ 60% WARN Art. 12 Record-keeping ████████░░ 80% PASS Art. 13 Transparency ░░░░░░░░░░ 0% FAIL Art. 14 Human oversight ███░░░░░░░ 30% FAIL Art. 15 Accuracy █████░░░░░ 50% WARN Run: regula plan . for a prioritised fix list
$ regula comply EU AI Act Compliance Checklist Overall compliance score: 42/100 × Article 9 Risk Management 20% NEEDS WORK ~ Article 10 Data Governance 40% PARTIAL ~ Article 11 Technical Documentation 60% PARTIAL ✓ Article 12 Record-Keeping 80% PASS × Article 13 Transparency 0% NOT FOUND × Article 14 Human Oversight 30% NEEDS WORK ~ Article 15 Accuracy & Robustness 50% PARTIAL 1/7 obligations have strong evidence Run: regula comply --article 9 for deep-dive
Who is this for?
Developers shipping AI products, and the businesses that use them.
Do you know your legal exposure?
If your team builds or uses AI, the EU AI Act may apply, even outside the EU. Most tools fall under limited or minimal risk. Building with Claude Code or Cursor? Paste regula assess in your chat. Have a developer? Send them this page.
EU users? The AI Act applies to you.
Article 2 is extraterritorial. Most chatbots and productivity tools are limited-risk: one transparency disclosure, nothing more. Scan to confirm.
- Works on AI-generated code (Cursor, Lovable, Bolt, Claude Code)
- Generates Annex IV documentation from your actual code
- CI/CD integration · JSON · SARIF · 12 compliance frameworks
Locally verifiable evidence.
Regula generates signed, timestamped evidence packs with SHA-256 integrity manifests. Every finding is traceable to a file and line. Verify the chain yourself. See a sample report → · Evidence pack tiers →
What Regula tells you
The EU AI Act sorts every AI system into a risk tier. Regula scans your code, tells you which tier applies, and gives you the fix list.
Regula tells you where your code lands, and exactly why.
How it works
Three steps. No account, no API key, no data leaves your machine.
Scan
regula
Compliance score, findings, and next steps.
Act
regula comply
Obligation checklist with pass/fail per article.
What it does
Regula combines code scanning with governance questionnaires. It reads your code for risk patterns, and provides structured self-assessments for the organisational obligations code cannot verify. It generates artefacts an auditor can review, not just findings.
What's missing?
Risk management, data governance, logging, transparency, human oversight, accuracy. Scored per article with effort estimates.
regula gap .
Is your AI code secure?
Prompt injection, unsafe model loading, unvalidated AI output, hardcoded keys, and other AI-specific vulnerabilities.
regula check . · regula guardrails .
Human review analysis
Traces AI outputs across files. Checks whether each path to a user-facing endpoint passes through a human review gate.
regula oversight .
Can you prove compliance?
Annex IV technical documentation generated from your actual code. Functions, dependencies, and logging coverage pre-populated.
regula docs . · regula conform .
Conformity assessment pack
Article 43 evidence: 26 files mapped to Articles 9–15, per-article readiness scores, SHA-256 integrity hashes.
regula conform . · regula evidence-pack .
Tamper-evident & signed
SHA-256 manifest + Ed25519 signing + RFC 3161 timestamps. Prove when the assessment was produced and that it has not been altered.
regula conform --sign --timestamp .
AI Bill of Materials
CycloneDX 1.7 AI-BOMs with model provenance, GPAI tier annotations per Art 51–55, and detected training datasets.
regula sbom --ai-bom .
12 framework mappings
Each AI Act article is mapped to ISO 42001, NIST AI RMF, SOC 2, OWASP, and 8 other framework obligations. One scan surfaces requirements across all 12 frameworks.
regula gap .
REST API for GRC tools
Seven HTTP endpoints that return the same JSON envelope as the CLI. Plug Regula into ServiceNow, Jira, or your own GRC platform.
regula api-server --port 8487
Web dashboard
Governance posture at a glance. Risk distribution, compliance gaps per article, interactive self-assessment, and export to JSON/SARIF/HTML. No terminal needed.
localhost:8487/v1/dashboard
61 commands total · Python, JS, TS, Java, Go, Rust, C, C++ · Cross-maps to ISO 42001, NIST AI RMF, OWASP LLM Top 10, EU CRA, and 7 other frameworks. Full CLI reference →
Runs where you work
Terminal, CI/CD, editor, pre-commit. One tool, every workflow.
Terminal
pipx install regula-ai && regula check .
CI/CD
GitHub Action: kuzivaai/getregula@v1 with SARIF upload
VS Code
Inline WARN/BLOCK decorators. Scan on save.
Claude Code / Cursor
MCP server: regula mcp-server
Pre-commit
regula install pre-commit
GDPR dual-compliance
regula gdpr — 14 patterns, 4 AI Act/GDPR hotspots
Where Regula fits in the market
Code scanning plus governance questionnaires. One of several tools in the EU AI Act ecosystem. Each solves a different part of the problem.
Credo AI, Saidot, Enzai, IBM watsonx.governance, Microsoft Purview. Evidence workflows, control libraries, continuous monitoring, legal-expert policy updates. Built for compliance departments, not developers. No published pricing.
Garak, Giskard, Promptfoo. Prompt-injection, jailbreak and bias red-teaming against running models. Complementary to Regula, not overlapping. They test behaviour; Regula reads code.
Code scanning + governance questionnaires. Runs on your laptop in one command. Stdlib-only Python core, zero production dependencies, fully offline. pipx install regula-ai, scan your project, get a clear answer. Apache 2.0 / EUPL 1.2; detection rules under DRL 1.1.
| Feature | Regula | AIR Blackbox | Systima Comply | EuConform | Enterprise SaaS |
|---|---|---|---|---|---|
| Approach | Static code scan | Scan + runtime trust layers | AST-based scan | Questionnaire + bias eval | Platform / dashboard |
| Languages | 8 families | Python | JS/TS/Python | Not a code scanner | Not a code scanner |
| Detection patterns | 419 | 51 checks | 37+ frameworks | Questionnaire | Varies |
| Dependencies | Zero (stdlib) | Multiple | npm | Next.js + Ollama | SaaS |
| Offline | Fully offline | Local | Local | Local + Ollama | Cloud |
| Evidence signing | Ed25519 + RFC 3161 | — | — | — | Varies |
| Framework mappings | 12 | 3 | EU AI Act | EU AI Act | Multiple |
| CI/CD integration | GitHub Action + SARIF | GitHub Action | GitHub Action | — | Native |
| Annex IV docs | Free | — | — | PDF reports | Built-in |
| Price | Free (Apache 2.0 / EUPL 1.2) | Free (Apache 2.0) | Free (Apache 2.0) | Free (MIT) | Typically unpublished |
Pick the tool whose language coverage and trade-offs fit your stack. Regula covers the most languages and framework mappings among the open-source options listed above. For runtime agent governance, see Microsoft’s Agent Governance Toolkit.
What Regula does not do
A compliance tool that overstates its capabilities is worse than no tool at all. Here is what Regula actually is, and what it isn't.
Not legal advice
Regula identifies risk indicators in code for developer review. It does not determine compliance. A qualified legal professional should review any classification before you act on it.
Pattern matching, not understanding
83.5% precision on production code (blind-labelled random corpus, N=115, measured on v1.7.0). 15.2% on AI library source code — the hardest corpus, since those libraries implement AI rather than using it for regulated decisions. Published benchmark →
Scaffolds, not substance
Annex IV docs, evidence packs, and governance frameworks are pre-filled scaffolds. A human must complete them with substantive content. Regula cannot verify that a risk management system actually operates.
Guides & analysis
Technical guides for developers and analysis of AI regulation.
EU AI Act for Python Developers
Scan Python AI code for risk patterns. PyTorch, TensorFlow, scikit-learn, LangChain.
Article 9: Risk Management System
What the regulation requires, what code scanning can detect, and what needs human review.
EU AI Act for Healthcare AI
Medical devices, clinical decision support, and the MDR/IVDR intersection.
Article 5: Prohibited Practices
The 10 practices banned under Article 5, including the Omnibus additions.
The Omnibus Trilogue Failed. The August 2026 Deadline Is Back.
The first political trilogue ended without agreement on 28 April after 12 hours. The follow-up trilogue succeeded on 7 May; Parliament and Council approved the December 2027 deferral in June 2026.
Questionnaires vs Code Scanning
Questionnaires capture what you said. Code scanning shows what you did. Neither replaces the other.
Does the EU AI Act Apply to Your AI App?
Five questions to check whether your product falls under EU AI Act scope.
EU AI Act Risk Tiers in Actual Code
What prohibited, high-risk, and limited-risk indicators look like in real code.
Most Startups Are Ignoring the AI Act
Why that's rational today, three triggers for when it stops being rational, and what preparing actually means.
Common questions
Answers grounded in the regulation. Every claim cites a specific Article.
Does the EU AI Act apply to my company if I'm outside the EU?
Yes. Article 2(1)(c) applies extraterritorially. If your AI system's output is used in the EU, the regulation applies regardless of where your company is established. This covers UAE, UK, US, Brazil, and any non-EU provider or deployer.
Is my AI app prohibited under the EU AI Act?
Social scoring, subliminal manipulation, real-time facial recognition in public spaces, and emotion inference in workplaces are banned outright under Article 5. Regula scans your code for patterns that map to these prohibited uses.
What makes an AI system high-risk?
Annex III lists eight high-risk categories including credit scoring, hiring, healthcare services, education assessment, law enforcement, border control, essential services, and democratic process integrity. Regula identifies code patterns that match each category.
When does the EU AI Act start being enforced?
Article 5 prohibitions took effect on 2 February 2025. GPAI obligations took effect on 2 August 2025. High-risk obligations (Annex III) are now due 2 December 2027, following the Digital Omnibus provisional agreement of 7 May 2026, approved by European Parliament on 16 June 2026. The Council approved it on 29 June 2026; publication in the Official Journal is expected before 2 August 2026.
What are the fines under the EU AI Act?
Prohibited AI practices (Article 5) carry fines up to €35 million or 7% of global annual turnover, whichever is higher. High-risk violations carry fines up to €15 million or 3% of turnover. Non-compliance with information requirements carries fines up to €7.5 million or 1% of turnover.
Is Regula free?
Yes. Regula is open-source under the Apache 2.0 or EUPL 1.2 licence. No account, no API key, no sales call. Install with pipx install regula-ai and run it locally. All 61 commands, all 419 risk patterns, and all 12 compliance framework mappings are free.
Does the EU AI Act overlap with GDPR, DORA, or NIS2?
Yes, significantly. High-risk AI systems that process personal data must also comply with GDPR, and other regulations like DORA and NIS2 may apply depending on your sector. Regula cross-maps AI Act obligations to ISO 42001, NIST AI RMF, SOC 2, OWASP, and 8 other frameworks in a single scan.
Does Regula work with AI-generated code?
Yes. Regula scans source files regardless of who or what wrote them. AI-generated code carries the same EU AI Act obligations as hand-written code — Article 2 does not distinguish by authorship. Run regula check . on any project.
What should I do right now to prepare?
Three steps, under five minutes: (1) install with pipx install regula-ai, (2) run regula assess to check whether the Act applies to your product, (3) if it does, run regula check . to see your risk tier and findings. No account, no API key, no data leaves your machine.
Find out where you stand
One command. Takes 30 seconds. No account needed.
Not ready to install? Get notified when deadlines change.
No spam. Major releases and EU AI Act deadline reminders only.