Open-source CLI · v1.7.3 · Apache 2.0

Is your AI app high-risk in Europe?

One command tells you which EU AI Act risk tier your code is in, why, and what to fix. 30 seconds, free, no account.

no account, no API key · fully offline · Guides GitHub ↗
$ regula check . --explain

Classification: HIGH-RISK
  Annex III, Category 5

WHY:
  scoring.py:23 — essential_services
    Code: score = model.predict(applicant)
    Legal basis: Annex III — Articles 9-15
    False positive if: not a credit decision

ROLE: DEPLOYER (confidence: high)
  - OpenAI API usage detected

OBLIGATIONS:
  [HIGH] Art. 9  Risk management   — 40-60h
  [HIGH] Art. 14 Human oversight  — 16-24h
  Total: 160-324h | Deadline: Dec 2027
  ⚠ Omnibus agreed 7 May 2026, EP approved 16 Jun 2026, Council approved 29 Jun 2026 (pending OJ publication)
$ regula plan .

COMPLIANCE PLAN  ·  HIGH-RISK (Annex III, Category 5)

Priority 1 — Risk Management System (Art. 9)
  Effort: 40–60h
  × No risk assessment file found
  × No model evaluation documented

Priority 2 — Human Oversight (Art. 14)
  Effort: 16–24h
  × No review-before-action pattern detected
  × No override mechanism found

Priority 3 — Technical Documentation (Art. 11)
  Effort: 8–12h
   Annex IV template: regula docs .

Total: 64–96h estimated effort
$ regula gap .

COMPLIANCE GAP ASSESSMENT

Art. 9  Risk management    ██░░░░░░░░  20%  FAIL
Art. 10 Data governance    ████░░░░░░  40%  WARN
Art. 11 Documentation      ██████░░░░  60%  WARN
Art. 12 Record-keeping     ████████░░  80%  PASS
Art. 13 Transparency       ░░░░░░░░░░   0%  FAIL
Art. 14 Human oversight    ███░░░░░░░  30%  FAIL
Art. 15 Accuracy           █████░░░░░  50%  WARN

Run: regula plan . for a prioritised fix list
$ regula comply

EU AI Act Compliance Checklist
  Overall compliance score: 42/100

  × Article 9   Risk Management              20%  NEEDS WORK
  ~ Article 10  Data Governance              40%  PARTIAL
  ~ Article 11  Technical Documentation      60%  PARTIAL
   Article 12  Record-Keeping              80%  PASS
  × Article 13  Transparency                 0%  NOT FOUND
  × Article 14  Human Oversight             30%  NEEDS WORK
  ~ Article 15  Accuracy & Robustness       50%  PARTIAL

  1/7 obligations have strong evidence

Run: regula comply --article 9 for deep-dive

Who is this for?

Developers shipping AI products, and the businesses that use them.

If you run the business

Do you know your legal exposure?

If your team builds or uses AI, the EU AI Act may apply, even outside the EU. Most tools fall under limited or minimal risk. Building with Claude Code or Cursor? Paste regula assess in your chat. Have a developer? Send them this page.

If you write the code

EU users? The AI Act applies to you.

Article 2 is extraterritorial. Most chatbots and productivity tools are limited-risk: one transparency disclosure, nothing more. Scan to confirm.

  • Works on AI-generated code (Cursor, Lovable, Bolt, Claude Code)
  • Generates Annex IV documentation from your actual code
  • CI/CD integration · JSON · SARIF · 12 compliance frameworks
regula check .
If you audit compliance

Locally verifiable evidence.

Regula generates signed, timestamped evidence packs with SHA-256 integrity manifests. Every finding is traceable to a file and line. Verify the chain yourself. See a sample report → · Evidence pack tiers →

What Regula tells you

The EU AI Act sorts every AI system into a risk tier. Regula scans your code, tells you which tier applies, and gives you the fix list.

Prohibited
Social scoring · Emotion inference · Real-time biometrics · Subliminal manipulation
Art. 5, banned outright →
High-Risk
Credit scoring · Hiring · Healthcare services · Education · Law enforcement
Art. 9–15 apply →
Limited Risk
Chatbots · Synthetic content · Emotion recognition · Deep fakes
Transparency rules →
Minimal Risk
Spam filters · AI games · Basic recommendations · Search ranking
No mandatory requirements →

Regula tells you where your code lands, and exactly why.

2026–27
High-risk obligations for Annex III systems now apply from December 2027, following the Digital Omnibus provisional agreement of 7 May 2026, approved by European Parliament on 16 June 2026. Annex I product-embedded systems apply from August 2028. The Council approved it on 29 June 2026; publication in the Official Journal is expected before 2 August 2026. Either way, the requirements do not change — only the timeline. You need to know where you stand.

How it works

Three steps. No account, no API key, no data leaves your machine.

Step 1

Install

pipx install regula-ai
Works on every OS. Other methods ↗

Step 2

Scan

regula
Compliance score, findings, and next steps.

Step 3

Act

regula comply
Obligation checklist with pass/fail per article.

419
risk patterns (source)
8
programming languages
12
compliance frameworks (source)
0
runtime dependencies

What it does

Regula combines code scanning with governance questionnaires. It reads your code for risk patterns, and provides structured self-assessments for the organisational obligations code cannot verify. It generates artefacts an auditor can review, not just findings.

Assess
Gaps

What's missing?

Risk management, data governance, logging, transparency, human oversight, accuracy. Scored per article with effort estimates.

regula gap .
Security

Is your AI code secure?

Prompt injection, unsafe model loading, unvalidated AI output, hardcoded keys, and other AI-specific vulnerabilities.

regula check . · regula guardrails .
Oversight

Human review analysis

Traces AI outputs across files. Checks whether each path to a user-facing endpoint passes through a human review gate.

regula oversight .
Evidence
Documentation

Can you prove compliance?

Annex IV technical documentation generated from your actual code. Functions, dependencies, and logging coverage pre-populated.

regula docs . · regula conform .
Evidence

Conformity assessment pack

Article 43 evidence: 26 files mapped to Articles 9–15, per-article readiness scores, SHA-256 integrity hashes.

regula conform . · regula evidence-pack .
Integrity

Tamper-evident & signed

SHA-256 manifest + Ed25519 signing + RFC 3161 timestamps. Prove when the assessment was produced and that it has not been altered.

regula conform --sign --timestamp .
AI BOM

AI Bill of Materials

CycloneDX 1.7 AI-BOMs with model provenance, GPAI tier annotations per Art 51–55, and detected training datasets.

regula sbom --ai-bom .
Integrate
Cross-regulation

12 framework mappings

Each AI Act article is mapped to ISO 42001, NIST AI RMF, SOC 2, OWASP, and 8 other framework obligations. One scan surfaces requirements across all 12 frameworks.

regula gap .
API

REST API for GRC tools

Seven HTTP endpoints that return the same JSON envelope as the CLI. Plug Regula into ServiceNow, Jira, or your own GRC platform.

regula api-server --port 8487
Dashboard

Web dashboard

Governance posture at a glance. Risk distribution, compliance gaps per article, interactive self-assessment, and export to JSON/SARIF/HTML. No terminal needed.

localhost:8487/v1/dashboard

61 commands total · Python, JS, TS, Java, Go, Rust, C, C++ · Cross-maps to ISO 42001, NIST AI RMF, OWASP LLM Top 10, EU CRA, and 7 other frameworks. Full CLI reference →

Runs where you work

Terminal, CI/CD, editor, pre-commit. One tool, every workflow.

Terminal

pipx install regula-ai && regula check .

CI/CD

GitHub Action: kuzivaai/getregula@v1 with SARIF upload

VS Code

Inline WARN/BLOCK decorators. Scan on save.

Claude Code / Cursor

MCP server: regula mcp-server

Pre-commit

regula install pre-commit

GDPR dual-compliance

regula gdpr — 14 patterns, 4 AI Act/GDPR hotspots

Where Regula fits in the market

Code scanning plus governance questionnaires. One of several tools in the EU AI Act ecosystem. Each solves a different part of the problem.

Governance SaaS
Contact sales

Credo AI, Saidot, Enzai, IBM watsonx.governance, Microsoft Purview. Evidence workflows, control libraries, continuous monitoring, legal-expert policy updates. Built for compliance departments, not developers. No published pricing.

Runtime testing
Open source

Garak, Giskard, Promptfoo. Prompt-injection, jailbreak and bias red-teaming against running models. Complementary to Regula, not overlapping. They test behaviour; Regula reads code.

Feature comparison of EU AI Act compliance tools: Regula, AIR Blackbox, Systima Comply, EuConform, and Enterprise SaaS
Feature Regula AIR Blackbox Systima Comply EuConform Enterprise SaaS
ApproachStatic code scanScan + runtime trust layersAST-based scanQuestionnaire + bias evalPlatform / dashboard
Languages8 familiesPythonJS/TS/PythonNot a code scannerNot a code scanner
Detection patterns41951 checks37+ frameworksQuestionnaireVaries
DependenciesZero (stdlib)MultiplenpmNext.js + OllamaSaaS
OfflineFully offlineLocalLocalLocal + OllamaCloud
Evidence signingEd25519 + RFC 3161Varies
Framework mappings123EU AI ActEU AI ActMultiple
CI/CD integrationGitHub Action + SARIFGitHub ActionGitHub ActionNative
Annex IV docsFreePDF reportsBuilt-in
PriceFree (Apache 2.0 / EUPL 1.2)Free (Apache 2.0)Free (Apache 2.0)Free (MIT)Typically unpublished

Pick the tool whose language coverage and trade-offs fit your stack. Regula covers the most languages and framework mappings among the open-source options listed above. For runtime agent governance, see Microsoft’s Agent Governance Toolkit.

What Regula does not do

A compliance tool that overstates its capabilities is worse than no tool at all. Here is what Regula actually is, and what it isn't.

Not legal advice

Regula identifies risk indicators in code for developer review. It does not determine compliance. A qualified legal professional should review any classification before you act on it.

Pattern matching, not understanding

83.5% precision on production code (blind-labelled random corpus, N=115, measured on v1.7.0). 15.2% on AI library source code — the hardest corpus, since those libraries implement AI rather than using it for regulated decisions. Published benchmark →

Scaffolds, not substance

Annex IV docs, evidence packs, and governance frameworks are pre-filled scaffolds. A human must complete them with substantive content. Regula cannot verify that a risk management system actually operates.

Full limitations disclosure →

Guides & analysis

Technical guides for developers and analysis of AI regulation.

All 8 guides & 14 articles →

Common questions

Answers grounded in the regulation. Every claim cites a specific Article.

Does the EU AI Act apply to my company if I'm outside the EU?

Yes. Article 2(1)(c) applies extraterritorially. If your AI system's output is used in the EU, the regulation applies regardless of where your company is established. This covers UAE, UK, US, Brazil, and any non-EU provider or deployer.

Is my AI app prohibited under the EU AI Act?

Social scoring, subliminal manipulation, real-time facial recognition in public spaces, and emotion inference in workplaces are banned outright under Article 5. Regula scans your code for patterns that map to these prohibited uses.

What makes an AI system high-risk?

Annex III lists eight high-risk categories including credit scoring, hiring, healthcare services, education assessment, law enforcement, border control, essential services, and democratic process integrity. Regula identifies code patterns that match each category.

When does the EU AI Act start being enforced?

Article 5 prohibitions took effect on 2 February 2025. GPAI obligations took effect on 2 August 2025. High-risk obligations (Annex III) are now due 2 December 2027, following the Digital Omnibus provisional agreement of 7 May 2026, approved by European Parliament on 16 June 2026. The Council approved it on 29 June 2026; publication in the Official Journal is expected before 2 August 2026.

What are the fines under the EU AI Act?

Prohibited AI practices (Article 5) carry fines up to €35 million or 7% of global annual turnover, whichever is higher. High-risk violations carry fines up to €15 million or 3% of turnover. Non-compliance with information requirements carries fines up to €7.5 million or 1% of turnover.

Is Regula free?

Yes. Regula is open-source under the Apache 2.0 or EUPL 1.2 licence. No account, no API key, no sales call. Install with pipx install regula-ai and run it locally. All 61 commands, all 419 risk patterns, and all 12 compliance framework mappings are free.

Does the EU AI Act overlap with GDPR, DORA, or NIS2?

Yes, significantly. High-risk AI systems that process personal data must also comply with GDPR, and other regulations like DORA and NIS2 may apply depending on your sector. Regula cross-maps AI Act obligations to ISO 42001, NIST AI RMF, SOC 2, OWASP, and 8 other frameworks in a single scan.

Does Regula work with AI-generated code?

Yes. Regula scans source files regardless of who or what wrote them. AI-generated code carries the same EU AI Act obligations as hand-written code — Article 2 does not distinguish by authorship. Run regula check . on any project.

What should I do right now to prepare?

Three steps, under five minutes: (1) install with pipx install regula-ai, (2) run regula assess to check whether the Act applies to your product, (3) if it does, run regula check . to see your risk tier and findings. No account, no API key, no data leaves your machine.

Find out where you stand

One command. Takes 30 seconds. No account needed.

Not ready to install? Get notified when deadlines change.

You're on the list. Major releases only.

No spam. Major releases and EU AI Act deadline reminders only.