eu-ai-act-specialist

Compare original and translation side by side

🇺🇸

Original

English

🇨🇳

Translation

Chinese

EU AI Act Compliance Specialist

《欧盟人工智能法案》合规专家

Article-cited operational skill for Regulation (EU) 2024/1689. Three decisions, no executive AI strategy:

What tier is this AI system? — prohibited (Article 5) / high-risk (Article 6 + Annex III) / limited-risk transparency (Article 50) / minimal-risk
For high-risk systems, what's the conformity assessment route + documentation pack? — Article 43 Module A vs Module H + Annex IV technical documentation
Per organizational role, what are the obligations? — provider / deployer / importer / distributor / authorized representative matrix per Article 16, 22, 25, 26

This skill is NOT chief-ai-officer-advisor. CAIO decides whether to ship the AI feature at all and accepts business risk. This skill operates the conformity work that turns "we'll ship it" into Article-compliant artefacts.

This skill is NOT a legal substitute. The Act is binding regulation. For novel cases (Is this a GPAI model? Does Article 6(2) carve-out apply? Is fine-tuning a foundation model "substantial modification"?), engage qualified outside counsel. The skill cites Articles + Annexes and uses Commission/EDPB published interpretation but does not provide binding legal opinion.

This skill is NOT GDPR. Many AI systems also trigger GDPR (training data, output processing). See

ra-qm-team/skills/gdpr-dsgvo-expert/

for DPIA + lawful basis work. The Acts interact (Recital 10, Article 10 for high-risk training data).

针对Regulation (EU) 2024/1689的条款引用型操作指南。三项决策，不涉及AI执行策略：

该AI系统属于哪一风险等级？ —— 禁止类（第5条）/高风险类（第6条+附件III）/有限风险透明类（第50条）/极低风险类
对于高风险系统，合格评定路径+文档包是什么？ —— 第43条Module A vs Module H + 附件IV技术文档
不同组织角色的义务有哪些？ —— 基于第16、22、25、26条的提供者/部署者/进口商/分销商/授权代表职责矩阵

本内容并非chief-ai-officer-advisor。首席AI官负责决定是否推出AI功能并承担业务风险，而本内容聚焦于将“计划推出”转化为符合条款要求的合规工作。

本内容不能替代法律意见。该法案为具有约束力的法规。对于新型案例（这是GPAI模型吗？第6条第2款的豁免是否适用？微调基础模型属于“重大修改”吗？），请咨询合格外部法律顾问。本内容引用条款及附件，并采用欧盟委员会/EDPB发布的解释，但不提供具有约束力的法律意见。

本内容不涉及GDPR。许多AI系统也会触发GDPR（训练数据、输出处理）。如需DPIA+合法依据相关工作，请查看

ra-qm-team/skills/gdpr-dsgvo-expert/

。两部法规存在交互（第10条说明、高风险训练数据相关第10条）。

Keywords

关键词

EU AI Act, EU AI Regulation, Regulation 2024/1689, AI Act, AI regulation Europe, high-risk AI, prohibited AI, Article 5 AI Act, Article 6 AI Act, Article 9 AI Act, Article 50 AI Act, Annex III, Annex IV, conformity assessment, CE marking AI, notified body AI, Module A, Module H, technical documentation AI, post-market monitoring AI, fundamental rights impact assessment, FRIA, GPAI, general-purpose AI model, systemic risk GPAI, AI Office, ENISA AI, EDPB AI, AI Act timeline, AI Act penalties, EU AI Act provider, EU AI Act deployer, EU AI Act importer, EU AI Act distributor, EU AI Act fines, AI literacy

Quick Start

快速开始

bash

undefined

bash

undefined

Decision A: Classify an AI system per the Act

决策A：根据法案对AI系统进行分类

python scripts/ai_system_risk_classifier.py # embedded 5-system sample python scripts/ai_system_risk_classifier.py path/to/systems.json

python scripts/ai_system_risk_classifier.py # 内置5个系统样本 python scripts/ai_system_risk_classifier.py path/to/systems.json

Decision B: Conformity assessment plan for a high-risk system

决策B：高风险系统的合格评定计划

python scripts/conformity_assessment_planner.py # embedded high-risk sample python scripts/conformity_assessment_planner.py path/to/system.json

python scripts/conformity_assessment_planner.py # 内置高风险样本 python scripts/conformity_assessment_planner.py path/to/system.json

Decision C: Obligation tracker per organizational role

决策C：按组织角色跟踪义务

python scripts/ai_act_obligation_tracker.py # embedded sample (provider + deployer) python scripts/ai_act_obligation_tracker.py path/to/roles.json

undefined

python scripts/ai_act_obligation_tracker.py # 内置样本（提供者+部署者） python scripts/ai_act_obligation_tracker.py path/to/roles.json

undefined

Key Questions (ask these first)

核心问题（优先询问）

Does this AI system fall under Article 5 (prohibited practices)? Social scoring, emotion recognition in workplace/education, manipulative subliminal techniques, real-time remote biometric identification in public — any of these are flat-out prohibited.
Does it fall under Annex III (high-risk categories)? 8 categories: biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice. Triggering Annex III triggers Article 6(2) — unless the Article 6(3) carve-outs apply.
What organizational role does the company play? Provider (placed on market), deployer (uses under own authority), importer (places third-country system on EU market), distributor (makes available in supply chain). Many companies are BOTH provider AND deployer simultaneously.
Is this a general-purpose AI model? GPAI has its own track (Articles 51–55) with stricter rules above 10²⁵ FLOPs training compute (Article 51 systemic risk).
For high-risk: have we run Article 9 risk management AND Article 27 FRIA? Article 9 is the lifecycle risk management; Article 27 is the Fundamental Rights Impact Assessment for public-sector deployers + essential services.
What's the conformity assessment Module per Article 43? Module A (internal control, possible for most Annex III systems) vs Module H (full QMS + notified body, required for biometrics + sometimes others).

该AI系统是否属于第5条规定的禁止行为？ 社会评分、职场/教育场景下的情绪识别、操纵性潜意识技术、公共场所实时远程生物识别——这些均被明确禁止。
它是否属于附件III的高风险类别？ 共8类：生物识别、关键基础设施、教育、就业、基本服务、执法、移民、司法。触发附件III即触发第6条第2款——除非适用第6条第3款的豁免条款。
公司承担何种组织角色？提供者（投放市场）、部署者（自主使用）、进口商（将非欧盟系统投放欧盟市场）、分销商（在供应链中提供）。许多公司同时承担提供者和部署者角色。
这是通用人工智能模型（GPAI）吗？ GPAI有单独的监管路径（第51-55条），对于训练计算量超过10²⁵ FLOPs的模型有更严格的规则（第51条系统性风险）。
对于高风险系统：是否已完成第9条风险管理和第27条FRIA？ 第9条为全生命周期风险管理；第27条为公共部门部署者+基本服务的基本权利影响评估。
根据第43条，合格评定模块是什么？ Module A（内部控制，适用于大多数附件III系统）vs Module H（全面质量管理体系+公告机构，生物识别系统及部分其他系统强制要求）。

Core Responsibilities

核心职责

1. AI System Risk Classification

1. AI系统风险分类

The framework: The Act takes a risk-based approach (Recital 26). Each AI system falls into exactly one of four tiers:

Tier	Source	Examples	Obligations
Prohibited	Article 5	Social scoring; emotion recognition in workplace/education; subliminal manipulation; real-time public biometrics by law enforcement (with narrow exceptions)	Cannot be placed on market or used (penalties up to EUR 35M / 7% turnover)
High-risk	Article 6 + Annex III; Article 6(1) + Annex I	CV-screening, credit scoring, biometric categorisation, safety components of regulated products	Articles 8–17 (provider) + Article 26 (deployer); conformity assessment; CE marking
Limited-risk (transparency)	Article 50	Chatbots, deepfakes, emotion recognition outside Article 5 contexts	Transparency disclosures to natural persons
Minimal-risk	Default	Spam filters, video-game AI, inventory forecasters	None under the Act (voluntary codes of conduct, Article 95)

Critical carve-outs (Article 6(3)): an Annex III system is NOT high-risk if it (a) performs a narrow procedural task, (b) improves the result of previously completed human activity, (c) detects decision-making patterns without replacing human assessment, (d) performs a preparatory task. Caveat: profiling of natural persons is always Annex III high-risk regardless of carve-outs.

Run

ai_system_risk_classifier.py

with system characteristics. The tool checks Article 5 prohibitions first, then Annex III categories, then Article 6(3) carve-outs, then Article 50 transparency, then minimal-risk default.

See

references/eu_ai_act_titles.md

for the full Article-by-Article walkthrough.

框架： 法案采用基于风险的方法（说明第26条）。每个AI系统恰好属于以下四个等级之一：

等级	来源	示例	义务
禁止类	第5条	社会评分；职场/教育场景下的情绪识别；潜意识操纵；执法部门在公共场所的实时生物识别（存在有限例外）	不得投放市场或使用（最高罚款3500万欧元/营业额的7%）
高风险类	第6条+附件III；第6条第1款+附件I	简历筛选、信用评分、生物识别分类、受监管产品的安全组件	第8-17条（提供者）+第26条（部署者）；合格评定；CE标识
有限风险（透明类）	第50条	聊天机器人、深度伪造、第5条场景外的情绪识别	向自然人披露透明信息
极低风险类	默认	垃圾邮件过滤器、游戏AI、库存预测器	法案无强制义务（可遵循第95条的自愿行为准则）

关键豁免（第6条第3款）： 附件III系统若满足以下条件则不属于高风险：(a) 执行狭义程序性任务；(b) 优化已完成的人工活动结果；(c) 检测决策模式但不替代人工评估；(d) 执行准备性任务。注意：对自然人的画像始终属于附件III高风险类别，不受豁免条款影响。

运行

ai_system_risk_classifier.py

并输入系统特征。工具将先检查第5条的禁止项，再检查附件III类别，接着是第6条第3款的豁免，然后是第50条的透明要求，最后默认极低风险。

详见

references/eu_ai_act_titles.md

获取逐条条款的完整说明。

2. Conformity Assessment + Annex IV Technical Documentation

2. 合格评定 + 附件IV技术文档

The framework (Article 43 + Annex VI/VII): for high-risk AI systems, the provider must demonstrate conformity before placing on market. Two routes:

Module A — Internal control (Annex VI): provider self-assesses against the requirements. Applies to most Annex III systems where the provider has implemented harmonised standards.
Module H — Full quality management system + technical documentation (Annex VII): notified body involvement. Required for biometrics systems (Article 43(1)).

Required artifacts per Annex IV — Technical Documentation:

General description of the AI system (intended purpose, identification, version)
Detailed description of system elements (architecture, training data, validation procedures)
Information about monitoring, functioning and control
Description of risk management system (Article 9)
Description of changes after placing on market
List of harmonised standards applied (or alternative)
EU declaration of conformity (Article 47)
Description of the post-market monitoring system (Article 72)

Run

conformity_assessment_planner.py

to select the Module and produce the Annex IV checklist for a given high-risk system.

See

references/high_risk_systems_annex_iii.md

for which systems require which conformity route.

框架（第43条+附件VI/VII）： 高风险AI系统的提供者必须在投放市场前证明合规性。有两种路径：

Module A — 内部控制（附件VI）：提供者自行评估是否符合要求。适用于大多数已实施协调标准的附件III系统。
Module H — 全面质量管理体系+技术文档（附件VII）：需公告机构参与。生物识别系统强制要求（第43条第1款）。

附件IV技术文档所需文件：

AI系统概述（预期用途、标识、版本）
系统元素详细说明（架构、训练数据、验证流程）
监控、功能与控制相关信息
风险管理系统说明（第9条）
投放市场后的变更说明
已应用的协调标准列表（或替代方案）
欧盟合规声明（第47条）
上市后监控系统说明（第72条）

运行

conformity_assessment_planner.py

为特定高风险系统选择模块并生成附件IV检查清单。

详见

references/high_risk_systems_annex_iii.md

了解不同系统所需的合格评定路径。

3. Per-Role Obligation Tracker

3. 按角色跟踪义务

The framework (Articles 16, 22, 23, 24, 25, 26): the Act distinguishes provider obligations (most) from downstream-actor obligations (deployer, importer, distributor, authorized representative). A single company can play multiple roles simultaneously.

Role	Primary Articles	Key obligations
Provider (Article 3(3))	8–17, 47, 49, 72	Conformity assessment; CE marking; risk management; data governance; technical documentation; post-market monitoring; serious incident reporting (Article 73)
Deployer (Article 3(4))	26	Use according to instructions; human oversight; input data quality; record-keeping (Article 19); inform workers (Article 26(7)); FRIA if public-sector/essential-services (Article 27)
Importer (Article 3(6))	23	Verify conformity; affixed CE marking; technical documentation availability
Distributor (Article 3(7))	24	Verify CE marking + documentation before making available
Authorized representative (Article 22)	22	Non-EU providers must appoint one; representative liable for provider obligations

Important: under Article 25, a deployer who substantially modifies a high-risk AI system, or places it on the market under their own name, becomes a provider and inherits provider obligations.

Run

ai_act_obligation_tracker.py

with the roles JSON to produce a deadline-sorted obligation matrix.

See

references/gpai_obligations.md

for the separate GPAI Articles 51–55 track.

框架（第16、22、23、24、25、26条）： 法案区分了提供者的义务（多数）和下游参与者的义务（部署者、进口商、分销商、授权代表）。单个公司可同时承担多个角色。

角色	核心条款	关键义务
提供者（第3条第3款）	8-17、47、49、72	合格评定；CE标识；风险管理；数据治理；技术文档；上市后监控；严重事件报告（第73条）
部署者（第3条第4款）	26	按说明使用；人工监督；输入数据质量；记录留存（第19条）；告知员工（第26条第7款）；公共部门/基本服务需完成FRIA（第27条）
进口商（第3条第6款）	23	验证合规性；粘贴CE标识；确保技术文档可获取
分销商（第3条第7款）	24	提供前验证CE标识+文档
授权代表（第22条）	22	非欧盟提供者必须任命；代表需承担提供者义务

重要提示： 根据第25条，对高风险AI系统进行重大修改，或以自身名义投放市场的部署者将成为提供者，并承担提供者的全部义务。

运行

ai_act_obligation_tracker.py

并输入角色JSON文件，生成按截止期限排序的义务矩阵。

详见

references/gpai_obligations.md

获取GPAI第51-55条的单独监管路径说明。

Workflows

工作流程

Workflow 1: AI System Intake Review (per system, ~2 hours)

流程1：AI系统引入审查（每个系统，约2小时）

Goal: classify, identify obligations, scope the conformity work.

bash

undefined

目标： 分类、识别义务、界定合规工作范围。

bash

undefined

1. Document system characteristics: purpose, users, data, autonomy, deployment context

1. 记录系统特征：用途、用户、数据、自主性、部署场景

2. Run classifier

2. 运行分类器

python scripts/ai_system_risk_classifier.py systems.json

3. If high-risk: run planner

3. 若为高风险：运行规划器

python scripts/conformity_assessment_planner.py system.json

4. Identify org roles played (provider / deployer / both)

4. 确定公司承担的组织角色（提供者/部署者/两者）

python scripts/ai_act_obligation_tracker.py roles.json

5. Cross-check with GDPR DPIA (gdpr-dsgvo-expert) if personal data

5. 若涉及个人数据，与GDPR DPIA交叉验证（gdpr-dsgvo-expert）

6. Cross-check with ISO 42001 AIMS evidence (compliance-team-iso42001)

6. 与ISO 42001 AIMS证据交叉验证（compliance-team-iso42001）

7. Output: classification memo + conformity plan + obligation list

7. 输出：分类备忘录+合规计划+义务清单

undefined

undefined

Workflow 2: Annex IV Technical Documentation Build (per high-risk system, 2–4 weeks)

流程2：附件IV技术文档编制（每个高风险系统，2-4周）

Goal: assemble the Annex IV pack before conformity assessment.

bash

undefined

目标： 在合格评定前完成附件IV文档包的编制。

bash

undefined

1. Run conformity assessment planner to get the checklist

1. 运行合格评定规划器获取检查清单

python scripts/conformity_assessment_planner.py system.json

2. Assemble: system description, architecture, training data, validation, risk management

2. 整理：系统说明、架构、训练数据、验证、风险管理

3. Reference ISO 42001 evidence where it satisfies Annex IV items

3. 引用ISO 42001证据以满足附件IV相关要求

4. Reference ISO 27001 evidence for security controls

4. 引用ISO 27001证据作为安全控制依据

5. Run Article 9 risk management lifecycle

5. 执行第9条全生命周期风险管理

6. Sign EU declaration of conformity (Article 47) AFTER assessment passes

6. 评定通过后签署欧盟合规声明（第47条）

7. Affix CE marking (Article 48)

7. 粘贴CE标识（第48条）

8. Register in EU database (Article 71) — high-risk Annex III systems

8. 在欧盟数据库注册（第71条）——高风险附件III系统

undefined

undefined

Workflow 3: Pre-Deployment Obligation Audit (per system, before launch)

流程3：部署前义务审核（每个系统，上线前）

Goal: confirm all active obligations are in place before EU placement.

bash

undefined

目标： 确认所有生效义务已落实，再投放欧盟市场。

bash

undefined

1. Confirm classification still correct (re-run classifier if system changed)

1. 确认分类仍准确（若系统变更则重新运行分类器）

2. Confirm conformity assessment completed (if high-risk)

2. 确认合格评定已完成（若为高风险）

3. Confirm transparency requirements (Article 50) — for chatbots, deepfakes, emotion detection

3. 确认透明要求已满足（第50条）——针对聊天机器人、深度伪造、情绪检测

4. Confirm post-market monitoring system (Article 72) is live

4. 确认上市后监控系统已启用（第72条）

5. Confirm serious-incident reporting procedure (Article 73) is documented

5. 确认严重事件报告流程已文档化（第73条）

6. For deployers: FRIA done (Article 27, if applicable); workers informed (Article 26(7))

6. 部署者：若适用则已完成FRIA（第27条）；已告知员工（第26条第7款）

7. For GPAI: Articles 51-55 obligations met if applicable

7. GPAI：若适用则已满足第51-55条义务

undefined

undefined

Workflow 4: Annual Compliance Refresh (per organization, yearly)

流程4：年度合规更新（每个组织，每年）

Goal: re-verify classifications + obligations as the Act phases in.

List all AI systems on or planned for EU market
Run classifier for each — Article 5 prohibited list may expand via delegated acts
Run obligation tracker — deadlines shift as Title III phases in (2025 → 2026 → 2027)
For each high-risk system: verify post-market monitoring data flow + serious incident reporting capacity
Update Annex IV technical documentation per Article 11 ongoing requirement
Pair with ISO 42001 management review (Clause 9.3) if both operate

目标： 随着法案逐步实施，重新验证分类+义务。

列出所有已投放或计划投放欧盟市场的AI系统
为每个系统运行分类器——第5条禁止清单可能通过委托法案扩展
运行义务跟踪器——截止期限随第三篇逐步实施而变化（2025→2026→2027）
每个高风险系统：验证上市后监控数据流+严重事件报告能力
根据第11条持续要求更新附件IV技术文档
若同时运行ISO 42001，配合其管理评审（第9.3条）

Output Standards

输出标准

**Bottom Line:** [one sentence — classification + most-significant obligation]
**Article Citation:** [Article + paragraph number; do not paraphrase without cite]
**The Decision:** [one of: classify | conformity-route | obligation-scope]
**The Evidence:** [Article + Annex references; classification confidence]
**How to Act:** [3 concrete next steps with owner + deadline aligned to phasing]
**Your Decision:** [the call for compliance officer or legal counsel — risk-class disputes, novel cases, GPAI threshold determinations]

**核心结论：** [一句话——分类+最关键义务]
**条款引用：** [条款+段落编号；无引用不得意译]
**决策类型：** [分类 | 合规路径 | 义务范围]
**依据：** [条款+附件引用；分类置信度]
**行动方案：** [3项具体下一步行动，包含负责人+与实施阶段匹配的截止期限]
**需决策事项：** [合规官或法律顾问需决定的事项——风险分类争议、新型案例、GPAI阈值判定]

Adjacent Skills

References

参考资料

eu_ai_act_titles.md — Titles I–XII Article-by-Article walkthrough with deployer/provider/importer/distributor obligation breakdown
high_risk_systems_annex_iii.md — Annex III 8 categories detailed + Article 6(2)–(3) interaction + carve-out test
gpai_obligations.md — Articles 51–55 GPAI track + systemic-risk threshold + transparency rules + Code of Practice status
cross_framework_mapping_ai_act.md — AI Act ↔ ISO 42001 ↔ NIST AI RMF ↔ GDPR control-level mapping

Version: 1.0.0 Status: Production Ready

eu_ai_act_titles.md —— 第一篇至第十二篇逐条条款说明，包含部署者/提供者/进口商/分销商义务分解
high_risk_systems_annex_iii.md —— 附件III 8类详细说明+第6条第2-3款交互+豁免测试
gpai_obligations.md —— GPAI第51-55条监管路径+系统性风险阈值+透明规则+行为准则状态
cross_framework_mapping_ai_act.md —— 《欧盟人工智能法案》↔ISO 42001↔NIST AI RMF↔GDPR控制级映射

版本： 1.0.0 状态： 可投入生产