EU AI Act compliance for JavaScript and TypeScript developers

JavaScript and TypeScript are the backbone of modern web applications, and increasingly the backbone of AI-powered ones. If you use the OpenAI SDK, Vercel AI SDK, LangChain, TensorFlow.js, or any AI library in a product that reaches EU users, the EU AI Act applies to you. The regulation does not care which language you write in. It cares what your code does to people.

25 June 2026 · Kuziva Muzondo

Why JavaScript and TypeScript developers need to pay attention

AI in JavaScript used to mean a handful of TensorFlow.js demos. That changed. The OpenAI SDK, Anthropic SDK, Vercel AI SDK, Mastra, and LangChain all have first-class JavaScript and TypeScript support. Server-side JS applications now routinely call foundation models, run inference pipelines, and make automated decisions that affect real people.

The EU AI Act (Regulation 2024/1689) regulates AI systems based on what they do, not how they are built. A Node.js API that scores job applicants using GPT-4 has the same obligations as a Python service doing the same thing. Whether the AI Act applies depends on your use case, not your runtime.

Regula supports 8 programming languages, including JavaScript and TypeScript. It scans your .js, .ts, .jsx, and .tsx files for import patterns, function calls, and variable names that map to EU AI Act obligations.

JS/TS AI libraries Regula detects

Regula identifies AI-related patterns from the most common JavaScript and TypeScript libraries. Here is what it looks for.

OpenAI SDK and Anthropic SDK

API calls via openai and @anthropic-ai/sdk. If your application calls openai.chat.completions.create() or uses the Anthropic messages API, Regula detects it. Using a third-party API does not exempt you from the AI Act — Article 9 (risk management) and Article 26 place obligations on deployers, not just providers. If you build on top of a foundation model, you inherit obligations based on your use case.

Vercel AI SDK and Mastra

The @ai-sdk package (Vercel AI SDK) and @mastra are increasingly common in Next.js and Node.js applications. They abstract away provider-specific details, which is convenient for development but can obscure the fact that your application is using AI systems covered by the regulation. Regula detects these imports and flags them for review.

LangChain (JavaScript)

The @langchain package brings agent autonomy patterns, tool use, and retrieval-augmented generation to JavaScript. Regula flags agent chains where an LLM decides which tools to invoke, because autonomous decision-making raises the risk tier when it affects people.

TensorFlow.js and transformers.js

@tensorflow/tfjs enables model training and inference directly in the browser or in Node.js. transformers.js brings Hugging Face transformer models to JavaScript. Both allow on-device or server-side ML without a Python backend. Regula detects model loading, prediction calls, and pipeline instantiation from these libraries.

brain.js

A neural network library for JavaScript. Less common in production than the libraries above, but Regula still detects it. A brain.js model that classifies loan applications has the same regulatory obligations as one built with scikit-learn in Python.

Important: not every match is high-risk. An OpenAI import in a chatbot demo and an OpenAI import in a production hiring tool are different things. Regula reports what it finds; you decide whether the context makes it relevant.

Comment stripping and how Regula reads JS/TS files

Regula strips comments before scanning, so commented-out code does not produce false positives. For JavaScript and TypeScript files, it handles both single-line comments (//) and block comments (/* */). This means:

// import OpenAI from 'openai'  ← not flagged (commented out)

/*
const anthropic = new Anthropic()
anthropic.messages.create(...)   ← not flagged (block comment)
*/

import OpenAI from 'openai'      ← flagged (live code)

Regula scans the actual code your application runs, not dead code left behind in comments.

Quick start: scanning a JavaScript project

pipx install regula-ai
regula check .                      # scan current directory
regula check . --domain employment  # activate domain-specific patterns
regula assess                       # interactive: does the AI Act apply?

regula check scans all JavaScript and TypeScript files in the directory tree. It does not execute your code, install dependencies, or send data anywhere. Everything runs locally.

You can also scan JavaScript code directly in your browser at getregula.com/assess/. The web assessment tool includes a client-side code scanner with 648 detection patterns — no installation required.

Why the --domain flag matters for JS projects

In Python, AI library imports tend to be explicit: import torch, from sklearn.ensemble import RandomForestClassifier. In JavaScript and TypeScript, AI usage is often wrapped behind generic API calls or abstracted by frameworks like the Vercel AI SDK. A call to generateText() does not immediately reveal what domain the AI is operating in.

The --domain flag tells Regula which sector your application operates in. Without it, Regula only flags patterns that are high-risk regardless of domain (prohibited practices like social scoring, real-time biometric identification). With a domain flag, Regula activates sector-specific patterns:

  • --domain employment — hiring, recruitment, workforce management (Annex III Category 4)
  • --domain medical — medical triage, diagnostic, treatment recommendation (healthcare AI guide)
  • --domain education — student assessment, admissions, learning analytics
  • --domain finance — credit scoring, insurance pricing, fraud detection

For JavaScript projects where AI usage may be less explicit in the code, the domain flag is particularly useful.

Understanding the output

Here is what Regula produces when it classifies a JavaScript file with employment-related AI patterns:

$ regula classify --file hiring_scorer.js
HIGH-RISK: Employment and workers management - Articles 9, 10, 11, 12, 13, 14, 15

And a full check with the domain flag:

$ regula check sample_js_hiring.js --domain employment

Regula Scan: sample_js_hiring.js
============================================================

  Verdict: HIGH-RISK
  Your project is classified as high-risk under EU AI Act Annex III.
  You must comply with Articles 9-15 before the enforcement deadline.

  Why:
    1. sample_js_hiring.js:16 — Employment and workers management
       (Art. 9, Art. 10)
  Files scanned:      1
  High-risk:          1

  HIGH-RISK INDICATORS:
    [BLOCK] [ 95] sample_js_hiring.js — Employment and workers management [plan]
      Add human oversight before automated hiring/employment decisions

The three tiers:

  • BLOCK (confidence 80+, or prohibited practice): high confidence this is a regulated AI pattern. You need to act on this before deployment.
  • WARN (confidence 50-79): moderate confidence. Worth investigating. May be a regulated pattern or may be a false positive depending on context.
  • INFO (confidence below 50): low confidence indicator. Regula found something that could be relevant but likely needs more context to determine.

The number in brackets (e.g. [ 95]) is the confidence score. The lifecycle tag ([plan], [develop], [deploy]) indicates which phase of development the finding is most relevant to.

Common JavaScript patterns Regula flags

CV screening and candidate ranking

// Flagged: employment screening patterns
const ranked = scoreResume(applicant, model)
const shortlist = candidates.filter(c => c.score > threshold)
const filtered = filterApplicants(applications, criteria)

Annex III Category 4 covers AI systems used in employment: screening applications, evaluating candidates, and making recruitment decisions. Function names like scoreResume, rankCandidates, and filterApplicants combined with model scoring patterns trigger this category. See the recruitment and hiring guide for a detailed breakdown of employment obligations.

AI API calls with no logging

// Flagged: API call with no record-keeping
const response = await openai.chat.completions.create({
  model: 'gpt-4',
  messages: [{ role: 'user', content: userData }]
})
return response.choices[0].message.content  // no log

Article 12 requires high-risk AI systems to have automatic logging of events during operation. If your application calls an AI API to process personal data and you are not logging the inputs, outputs, and timestamps, that is a gap. This is common in Express and Next.js API routes where developers focus on the response and forget the audit trail.

Content generation without disclosure

// Flagged: AI-generated content without transparency
const reply = await generateText({
  model: openai('gpt-4'),
  prompt: userMessage
})
res.json({ message: reply.text })  // user not told this is AI

Article 50 (transparency obligations) requires that people are told when they are interacting with an AI system. A chatbot that responds to users without disclosing it is AI-generated, or a content tool that produces text without labelling it as synthetic, has a transparency gap.

Sentiment analysis on user content

// Flagged: emotion/sentiment inference
import { pipeline } from '@xenova/transformers'
const classifier = await pipeline('sentiment-analysis')
const result = await classifier(customerMessage)

Running sentiment analysis or emotion detection on user-submitted content triggers Article 50 transparency requirements. If the results feed into decisions about the user — customer service priority, content moderation, access to services — the risk tier escalates further.

What Regula does not check in JavaScript

Regula is a static analysis tool. There are things it cannot do, and you should know what they are.

  • Runtime model behaviour. Regula reads your source files. It does not execute your code, load models, or observe inference behaviour. A model that discriminates at runtime will not be caught by static analysis.
  • Bundled or minified code. Regula scans source files. If your AI logic is in a bundled dist/ file or a minified production build, Regula will not detect it. Point it at your source directory, not your build output.
  • Dynamic imports and string interpolation. import(libraryName) where libraryName is a variable at runtime cannot be resolved statically. Regula catches literal import strings, not computed ones.
  • Third-party API behaviour. If you call a REST API that happens to use AI internally, Regula will not know. It detects known AI SDK patterns, not arbitrary HTTP calls to AI services.
  • Training data quality. Regula can detect whether model loading or training patterns exist, but it cannot assess whether your training data is representative, balanced, or free of bias. Article 10 (data and data governance) requires this, but it is beyond code scanning.

Regula and questionnaire-based assessments are complementary. Code scanning catches what is in your source files; questionnaires capture organisational context that code cannot express. Regula does both — regula assess runs a guided questionnaire alongside the code scan.

CI/CD integration for JavaScript projects

Add Regula to your GitHub Actions pipeline so every pull request gets scanned. Here is a minimal workflow for a JavaScript or TypeScript project:

# .github/workflows/regula.yml
name: EU AI Act Scan

on:
  pull_request:
    paths:
      - '**.js'
      - '**.ts'
      - '**.jsx'
      - '**.tsx'

jobs:
  regula-check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Set up Python
        uses: actions/setup-python@v5
        with:
          python-version: '3.12'

      - name: Install Regula
        run: pipx install regula-ai

      - name: Scan for AI Act risk patterns
        run: regula check . --format json > regula-report.json

      - name: Upload report
        uses: actions/upload-artifact@v4
        with:
          name: regula-report
          path: regula-report.json

Regula is a Python tool, so the workflow needs a Python setup step even though your project is JavaScript. The scan reads your JS/TS source files without executing them — no npm install required.

The --format json flag outputs structured JSON, which you can parse in subsequent steps or feed into dashboards. Regula also supports --format sarif for GitHub Code Scanning integration.

If you want the workflow to fail on BLOCK-tier findings, add --ci to the check command. Regula returns a non-zero exit code when it finds WARN or BLOCK-tier indicators.

Omnibus amendment and enforcement timeline

The EU AI Act entered into force on 1 August 2024. Article 5 (prohibited practices) became enforceable on 2 February 2025. However, the EU Omnibus simplification package has changed the timeline for Annex III high-risk categories: the provisional agreement was reached on 7 May 2026, and the European Parliament approved it on 16 June 2026. The Council approved it on 29 June 2026; pending OJ publication, Annex III high-risk obligations (Articles 9-15) are deferred to 2 December 2027.

That deferral is not a reason to ignore compliance. Building risk management, human oversight, and logging into your JavaScript applications now means less rework when the deadline arrives. Retrofitting compliance into a production system is harder than building it in from the start.

From scan to compliance: what to do with findings

A Regula scan is a starting point, not a finish line. If your JavaScript project gets a HIGH-RISK verdict, here is a practical sequence:

  1. Verify the context. Does the flagged pattern actually affect people in the EU? A candidate ranking function in an internal tool for a 5-person team in New Zealand is different from one in a SaaS product with EU customers.
  2. Map to specific articles. Regula tells you which articles apply. Read them. Article 9 requires a risk management system. Article 14 requires human oversight. These are specific obligations with specific requirements.
  3. Add logging and audit trails. Article 12 requires automatic logging. In a Node.js application, this means logging AI inputs, outputs, timestamps, and model versions. Structured logging libraries like Pino or Winston work well for this.
  4. Add human oversight controls. Article 14 requires that humans can understand and override AI decisions. In a hiring tool, this means a human reviews AI-ranked candidates before any decision is made.
  5. Document everything. The AI Act requires technical documentation (Article 11) and transparency to users (Article 13). Start writing it now, not the week before the deadline.

If you are not sure whether the AI Act applies to your project at all, start with regula assess or use the web assessment tool — it walks you through the key questions without requiring any code scanning.


Related


Last verified: 25 June 2026 · Author: Kuziva Muzondo · Not legal advice. Regula identifies risk indicators in code for developer review. It does not determine compliance or replace professional legal counsel.