Open-source CLI · v1.7.0 · MIT + DRL 1.1

Is your AI app legal in Europe?

One command tells you which EU AI Act risk tier your code is in, why, and what to fix — in 30 seconds, free, no account.

No account, no API key · GitHub
Just want to see it work? regula demo
$ regula check . --explain

Classification: HIGH-RISK
  Annex III, Category 5

WHY:
  scoring.py:23 — essential_services
    Code: score = model.predict(applicant)
    Legal basis: Annex III — Articles 9-15
    False positive if: not a credit decision

ROLE: DEPLOYER (confidence: high)
  - OpenAI API usage detected

OBLIGATIONS:
  [HIGH] Art. 9  Risk management   — 40-60h
  [HIGH] Art. 14 Human oversight  — 16-24h
  Total: 160-324h | Deadline: Aug 2026
  ⚠ Omnibus may delay to Dec 2027 (not yet law)
$ regula plan .

COMPLIANCE PLAN  ·  HIGH-RISK (Annex III, Category 5)

Priority 1 — Risk Management System (Art. 9)
  Effort: 40–60h
  × No risk assessment file found
  × No model evaluation documented

Priority 2 — Human Oversight (Art. 14)
  Effort: 16–24h
  × No review-before-action pattern detected
  × No override mechanism found

Priority 3 — Technical Documentation (Art. 11)
  Effort: 8–12h
  ✓ Annex IV template: regula docs .

Total: 64–96h estimated effort
$ regula gap .

COMPLIANCE GAP ASSESSMENT

Art. 9  Risk management    ██░░░░░░░░  20%  FAIL
Art. 10 Data governance    ████░░░░░░  40%  WARN
Art. 11 Documentation      ██████░░░░  60%  WARN
Art. 12 Record-keeping     ████████░░  80%  PASS
Art. 13 Transparency       ░░░░░░░░░░   0%  FAIL
Art. 14 Human oversight    ███░░░░░░░  30%  FAIL
Art. 15 Accuracy           █████░░░░░  50%  WARN

Run: regula plan . for a prioritised fix list
$ regula comply

EU AI Act Compliance Checklist
  Overall compliance score: 42/100

  × Article 9   Risk Management              20%  NEEDS WORK
  ~ Article 10  Data Governance              40%  PARTIAL
  ~ Article 11  Technical Documentation      60%  PARTIAL
  ✓ Article 12  Record-Keeping              80%  PASS
  × Article 13  Transparency                 0%  NOT FOUND
  × Article 14  Human Oversight             30%  NEEDS WORK
  ~ Article 15  Accuracy & Robustness       50%  PARTIAL

  1/7 obligations have strong evidence

Run: regula comply --article 9 for deep-dive
2026–27: High-risk obligations begin August 2026 — or December 2027 if the Digital Omnibus is adopted (Parliament voted 569–45 in favour, March 2026; trilogue from 28 April). Either way, the requirements do not change. You need to know where you stand.

404 risk patterns checked · 8 programming languages · 12 compliance frameworks · 0 external dependencies

What Regula tells you

The EU AI Act sorts every AI system into a risk tier. Regula scans your code, tells you which tier applies, and gives you the fix list.

Prohibited (Art. 5 — banned outright): Social scoring · Emotion inference · Real-time biometrics · Subliminal manipulation
High-Risk (Art. 9–15 apply): Credit scoring · Hiring · Medical diagnosis · Education · Law enforcement
Limited Risk (transparency rules): Chatbots · Synthetic content · Emotion recognition · Deep fakes
Minimal Risk (no mandatory requirements): Spam filters · AI games · Basic recommendations · Search ranking

Regula tells you where your code lands — and exactly why.

How it works

Three steps. No account, no API key, no data leaves your machine.

Step 1: Install
  pipx install regula-ai
  Works on every OS. Other install methods are documented in the repository.

Step 2: Scan
  regula
  Compliance score, findings, and next steps.

Step 3: Act
  regula comply
  Obligation checklist with pass/fail per article.

Who is this for?

Developers shipping AI products — and the businesses that use them.

If you run the business

Do you know your legal exposure?

If your team builds or uses AI, the EU AI Act may apply — even outside the EU. Most tools fall under limited or minimal risk. Building with Claude Code or Cursor? Paste regula assess in your chat. Have a developer? Send them this page.

If you write the code

EU users? The AI Act applies to you.

Article 2 is extraterritorial. Most chatbots and productivity tools are limited-risk — one transparency disclosure, nothing more. Scan to confirm.

  • Works on AI-generated code (Cursor, Lovable, Bolt, Claude Code)
  • Generates Annex IV documentation from your actual code
  • CI/CD integration · JSON · SARIF · 12 compliance frameworks
regula check .
If you audit compliance

Verifiable evidence, not self-attestation.

Regula generates signed, timestamped evidence packs with SHA-256 integrity manifests. Every finding is traceable to a file and line. Verify the chain yourself.

regula evidence-pack --sign .

Beyond classification

Regula reads your code directly — not a questionnaire. It generates artefacts an auditor can review, not just findings.

Gaps

What's missing?

Risk management, data governance, logging, transparency, human oversight, accuracy — scored per article with effort estimates.

regula gap .

Documentation

Can you prove compliance?

Annex IV technical documentation generated from your actual code. Functions, dependencies, and logging coverage pre-populated.

regula docs . · regula conform .

Security

Is your AI code secure?

Prompt injection, unsafe model loading, unvalidated AI output, hardcoded keys, and other AI-specific vulnerabilities.

regula check . · regula guardrails .

Evidence

Conformity assessment pack

Article 43 evidence — 26 files mapped to Articles 9–15, per-article readiness scores, SHA-256 integrity hashes.

regula conform . · regula evidence-pack .

AI BOM

AI Bill of Materials

CycloneDX 1.7 AI-BOMs with model provenance, GPAI tier annotations per Art. 51–55, and detected training datasets.

regula sbom --ai-bom .

Oversight

Human review analysis

Traces AI outputs across files. Checks whether each path to a user-facing endpoint passes through a human review gate.

regula oversight .

Built for audit, not just scanning

Regula generates evidence an auditor can independently verify — not just a list of findings.

Integrity

Tamper-evident evidence

Every evidence pack includes a SHA-256 manifest. Files are content-hashed at generation time. Any modification breaks the chain.

regula evidence-pack . · regula verify pack/

Signing

Cryptographic non-repudiation

Sign evidence packs with Ed25519 keys and RFC 3161 timestamps. Prove when the assessment was produced and that it has not been altered.

regula evidence-pack --sign --timestamp .

Cross-regulation

GDPR + DORA + NIS2 overlap

Each AI Act article is mapped to corresponding GDPR, DORA, and NIS2 obligations. One scan surfaces requirements across all four regulations.

regula gap .

Freshness

Regulatory staleness warnings

regula regwatch compares your last scan against the current regulatory state and warns if your compliance posture may have drifted.

regula regwatch

Audit trail

Hash-chained event log

Append-only, hash-chained audit log. Every scan, finding, and suppression is recorded with a verifiable chain of integrity.

regula audit log · regula audit verify
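
An added illustration, not Regula's own code or file layout, of the two mechanisms described under Integrity and Audit trail: a SHA-256 content manifest over an evidence pack, and an append-only log in which each entry's hash covers the previous entry's hash, so that editing, reordering or deleting any entry is caught on verification. The pack contents, field names and events are constructed sample data.

```python
import hashlib
import json

# Constructed sample evidence pack: file name -> contents (not Regula's pack layout).
SAMPLE_PACK = {
    "classification.json": b'{"tier": "HIGH-RISK", "annex": "III", "category": 5}',
    "findings.txt": b"scoring.py:23 essential_services\n",
}
GENESIS = "0" * 64  # previous-hash value used for the first log entry

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(files: dict) -> dict:
    """Content-hash every file at generation time; sorted so the manifest is deterministic."""
    return {name: sha256_hex(files[name]) for name in sorted(files)}

def verify_manifest(files: dict, manifest: dict) -> list:
    """Names of files that are missing, modified, or present but absent from the manifest."""
    bad = [n for n, h in manifest.items() if n not in files or sha256_hex(files[n]) != h]
    bad += [n for n in files if n not in manifest]
    return sorted(set(bad))

def append_event(log: list, event: dict) -> dict:
    """Append an entry whose hash covers the previous entry's hash plus this event's body."""
    prev = log[-1]["hash"] if log else GENESIS
    body = json.dumps(event, sort_keys=True)
    entry = {"event": event, "prev": prev, "hash": sha256_hex((prev + body).encode())}
    log.append(entry)
    return entry

def verify_chain(log: list) -> int:
    """Index of the first entry whose link or hash is wrong, or -1 if the chain is intact.
    Editing, reordering or deleting an entry breaks the hash every later entry depends on."""
    prev = GENESIS
    for i, entry in enumerate(log):
        body = json.dumps(entry["event"], sort_keys=True)
        if entry["prev"] != prev or entry["hash"] != sha256_hex((prev + body).encode()):
            return i
        prev = entry["hash"]
    return -1

if __name__ == "__main__":
    print("manifest ok:", verify_manifest(SAMPLE_PACK, build_manifest(SAMPLE_PACK)) == [])
    log = []
    append_event(log, {"type": "scan", "tier": "HIGH-RISK"})
    append_event(log, {"type": "suppress", "rule": "essential_services"})
    log[0]["event"]["tier"] = "MINIMAL"  # silently downgrade the recorded tier
    print("first broken entry:", verify_chain(log))  # 0
```
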

Free Annex IV

Documentation, not just detection

Generate Annex IV technical documentation, model cards, QMS scaffolds, and SME-simplified conformity packs — free, from your actual code.

regula docs . · regula conform --sme .

55 commands

pipx install regula-ai, then run any of these on your project.

regula assess            Yes/no questions — no code needed — get your tier
regula check .           Scan your codebase against 404 risk patterns
regula comply            EU AI Act obligation checklist with pass/fail status per article
regula plan .            Prioritised to-do list with effort estimates
regula gap .             Per-article compliance gap assessment
regula docs .            Generate Annex IV documentation
regula evidence-pack .   Bundle everything for an auditor
regula conform .         Article 43 conformity evidence — 26 files, SHA-256 hashed
regula oversight .       Article 14 human oversight analysis
regula sbom --ai-bom .   AI Bill of Materials (CycloneDX 1.7)
regula owasp-agentic .   OWASP Top 10 for Agentic Applications
regula gpai-check .      Map GPAI code to Code of Practice chapters
regula bias              Stereotype bias evaluation — CrowS-Pairs + BBQ benchmarks with confidence intervals (requires Ollama)
regula verify pack/      SHA-256 integrity check for evidence packs

Python, JS, TS, Java, Go, Rust, C, C++ · Cross-maps to ISO 42001, NIST AI RMF, OWASP LLM Top 10, EU CRA, and 7 other frameworks.

What Regula does not do

A compliance tool that overstates its capabilities is worse than no tool at all. Here is what Regula actually is — and isn't.

Not legal advice

Regula identifies risk indicators in code for developer review. It does not determine compliance. A qualified legal professional should review any classification before you act on it.

Pattern matching, not understanding

15.2% precision on open-source codebases at INFO tier. 0 false positives at BLOCK tier (the CI default). A benchmark is published.

Scaffolds, not substance

Annex IV docs, evidence packs, and governance frameworks are pre-filled scaffolds. A human must complete them with substantive content. Regula cannot verify that a risk management system actually operates.

A full limitations disclosure is published.

We scan ourselves

Regula's own codebase is scanned on every commit. Here is what happens.

71 of 85 source files suppressed

83.5% of Regula's own Python files require # regula-ignore comments. A compliance tool that discusses prohibited practices must contain the vocabulary of prohibited practices. This is structural, not a bug.

0 active findings, 31 suppressed

Five files contain prohibited-practice vocabulary (they explain, document, or detect those practices). All five are suppressed via # regula-ignore. The scan reports zero active prohibited findings — suppression works, and every suppression is a documented governance decision.

What this means

Having a tool is not the same as having governance. Each suppression is a micro-governance decision that requires human judgment about context, intent, and purpose — exactly what the EU AI Act requires.

Where Regula fits in the market

A developer-side static scanner. One of several tools in the EU AI Act ecosystem — each solves a different part of the problem.

Governance SaaS
Contact sales

Credo AI, Saidot, Enzai, IBM watsonx.governance, Microsoft Purview. Evidence workflows, control libraries, continuous monitoring, legal-expert policy updates. Built for compliance departments, not developers. No published pricing.

Runtime testing
Open source

Garak, Giskard, Promptfoo. Prompt-injection, jailbreak and bias red-teaming against running models. Complementary to Regula, not overlapping — they test behaviour, Regula reads code.

                     Regula                  AIR Blackbox                  Systima Comply    EuConform                  Enterprise SaaS
Approach             Static code scan        Scan + runtime trust layers   AST-based scan    Questionnaire + bias eval  Platform / dashboard
Languages            8 families              Python                        JS/TS             N/A                        N/A
Detection patterns   404                     48 checks                     37+ frameworks    Questionnaire              Varies
Dependencies         Zero (stdlib)           Multiple                      npm               Next.js + Ollama           SaaS
Offline              Fully offline           Local                         Local             Local + Ollama             Cloud
Evidence signing     Ed25519 + RFC 3161                                                                                 Varies
Framework mappings   12                      3                             EU AI Act         EU AI Act                  Multiple
CI/CD integration    GitHub Action + SARIF   GitHub Action                 GitHub Action                                Native
Annex IV docs        Free                                                                    PDF reports                Built-in
Price                Free (MIT)              Free (Apache 2.0)             Free (OSS)        Free (MIT + EUPL)          $30K–$200K/yr

Pick the tool whose language coverage and trade-offs fit your stack. Regula covers the most languages and framework mappings among the open-source options listed above. For runtime agent governance, see Microsoft’s Agent Governance Toolkit.


Find out where you stand

One command. Takes 30 seconds. No account needed.

$ pipx install regula-ai