Emit EU AI Act Annex IV technical-documentation + FRIA evidence-pack scaffolds with verbatim-cited regulatory text and a hash-chained manifest. OSS Python CLI + GitHub Action.
Annex IV of Regulation (EU) 2024/1689 (the AI Act) lists nine sections of technical documentation that every provider of a high-risk AI system must compile before placing the system on the market. The text is dense, normative, and unforgiving:
- Section 1 alone has eight sub-points (a-h), some conditional on hardware vs. API delivery.
- Section 2 has eight sub-points covering data lineage, validation procedures, cybersecurity, and pre-determined change controls.
- Section 9 requires a post-market monitoring plan tied to Article 72.
Teams scaffold these documents by hand, copy-pasting Annex IV text from PDFs, and inevitably drift from the canonical wording. The Digital Omnibus political agreement of 7 May 2026 deferred high-risk deadlines (Annex III high-risk to 2027-12-02; Annex I product-integrated to 2028-08-02), but it did not simplify Annex IV. The structure is still nine sections. The wording is still verbatim-binding.
This project ships:
- A scaffolder that emits a 9-file evidence-pack skeleton per Annex IV.
- A FRIA (Fundamental Rights Impact Assessment) template per Article 27.
- A hash-chained manifest mapping each section to the exact Article/Annex paragraph it derives from, so an auditor can re-verify the chain end-to-end.
- A GitHub Action wrapper that runs scaffold + completeness validation on every commit.
The verbatim regulatory text bundled in src/ai_act_conformity/data/annex_iv.yaml is sourced from artificialintelligenceact.eu and cross-checked against the EUR-Lex consolidated text at eli/reg/2024/1689.
```
pip install ai-act-conformity
```

```
aiact-conformity scaffold \
  --system-name "ClinicalTriageAI v2.1" \
  --risk-tier high-risk-annex-iii \
  --output evidence-pack/
```

Emits:

```
evidence-pack/
├── 1_general_description.md
├── 2_detailed_description.md
├── 3_data_and_data_governance.md
├── 4_logging_and_traceability.md
├── 5_risk_management.md
├── 6_changes_and_versions.md
├── 7_lifecycle_design.md
├── 8_human_oversight.md
└── 9_conformity_assessment.md
```
Each file ships with:
- The verbatim Annex IV text for that section (quoted, with source URL).
- A "What you must provide" checklist derived from the sub-points (a, b, c...).
- An empty "Evidence" block for the team to fill in.
```
aiact-conformity fria-template --output fria.md
```

Generates the Article 27 Fundamental Rights Impact Assessment template with the six required content elements (paragraph 1, points a-f).

```
aiact-conformity manifest --regime ai-act --output manifest.json
```

Produces a JSON manifest mapping each Annex IV section to:
- The specific Article + Annex paragraph it derives from.
- A SHA-256 of the verbatim regulatory text (so drift from the source is immediately visible).
- A rolling SHA-256 chain across all sections (tamper-evident).
Same hash-chain pattern as our dcm-anon DICOM anonymizer and cra-sbom-evidence CRA SBOM evidence emitter.
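The per-section digest plus rolling chain described above, as an added illustration that is not the project's own code. The section keys, citations and text fragments are constructed stand-ins for the bundled annex_iv.yaml, and the exact link formula is an assumption, not the tool's documented layout.

```python
import hashlib
import json

# Constructed sample: (section key, source paragraph, verbatim text). The real tool
# loads the full Annex IV wording from annex_iv.yaml; these strings are placeholders.
SECTIONS = [
    ("1_general_description", "Annex IV, point 1",
     "A general description of the AI system including: ..."),
    ("2_detailed_description", "Annex IV, point 2",
     "A detailed description of the elements of the AI system ..."),
    ("3_data_and_data_governance", "Annex IV, point 2(d)",  # sample mapping
     "Where relevant, the data requirements ..."),
]

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def build_manifest(sections, regime: str = "ai-act") -> dict:
    """Hash each section's verbatim text, then fold the hashes into a rolling chain.
    Every link commits to the previous link, the section key and the text hash, so
    editing or reordering any section changes every later link and the chain head."""
    prev = sha256_hex(regime.encode("utf-8"))  # genesis link derived from the regime name
    entries = []
    for key, source, text in sections:
        text_hash = sha256_hex(text.encode("utf-8"))
        link = sha256_hex(f"{prev}|{key}|{text_hash}".encode("utf-8"))
        entries.append({"section": key, "source": source,
                        "text_sha256": text_hash, "chain_sha256": link})
        prev = link
    return {"regime": regime, "sections": entries, "chain_head": prev}

def verify_manifest(manifest: dict, sections) -> tuple[list[str], bool]:
    """Recompute from the current source text. Returns (sections whose text drifted,
    whether every stored chain link and the head still match the recomputation)."""
    rebuilt = build_manifest(sections, manifest["regime"])
    if len(rebuilt["sections"]) != len(manifest["sections"]):
        return [e["section"] for e in manifest["sections"]], False
    drifted, chain_ok = [], rebuilt["chain_head"] == manifest["chain_head"]
    for stored, fresh in zip(manifest["sections"], rebuilt["sections"]):
        if stored["text_sha256"] != fresh["text_sha256"]:
            drifted.append(stored["section"])  # source wording changed since emission
        if stored["chain_sha256"] != fresh["chain_sha256"]:
            chain_ok = False  # a link was altered without recomputing the chain
    return drifted, chain_ok

if __name__ == "__main__":
    manifest = build_manifest(SECTIONS)
    print(json.dumps(manifest, indent=2))
    print(verify_manifest(manifest, SECTIONS))
```

An auditor who pins only the chain head can re-run the verification over the bundled text and detect both wording drift and edited manifest entries.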
```yaml
# .github/workflows/ai-act.yml
name: AI Act evidence pack
on: [push, pull_request]
jobs:
  evidence:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: plusultra-tools/ai-act-conformity-action@v1
        with:
          system-name: ${{ github.event.repository.name }}
          risk-tier: high-risk-annex-iii
          output-dir: evidence-pack/
```

CI fails if any of the nine Annex IV section files is missing or empty beyond the scaffolded headers.
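The completeness gate the Action enforces, as an added example that is not the Action's own implementation. It assumes each scaffolded file carries a markdown "## Evidence" heading with the team's material beneath it, and that scaffold placeholders are HTML comments; the real file layout may differ.

```python
from pathlib import Path
import re
import sys

# The nine files emitted by `aiact-conformity scaffold`.
EXPECTED_FILES = [
    "1_general_description.md", "2_detailed_description.md",
    "3_data_and_data_governance.md", "4_logging_and_traceability.md",
    "5_risk_management.md", "6_changes_and_versions.md",
    "7_lifecycle_design.md", "8_human_oversight.md", "9_conformity_assessment.md",
]
# Assumption: the empty block the scaffolder leaves is a "## Evidence" markdown heading.
EVIDENCE_HEADING = re.compile(r"^##\s+Evidence\s*$", re.MULTILINE)

def evidence_body(markdown: str) -> str:
    """Text under the Evidence heading up to the next heading, HTML comments stripped."""
    m = EVIDENCE_HEADING.search(markdown)
    if not m:
        return ""
    tail = markdown[m.end():]
    nxt = re.search(r"^#{1,6}\s", tail, re.MULTILINE)
    body = tail[: nxt.start()] if nxt else tail
    body = re.sub(r"<!--.*?-->", "", body, flags=re.DOTALL)  # scaffold placeholder comments
    return body.strip()

def check_pack(files: dict[str, str]) -> list[str]:
    """Return problems in scaffold order; an empty list means the pack passes the gate."""
    problems = []
    for name in EXPECTED_FILES:
        if name not in files:
            problems.append(f"{name}: missing")
        elif not evidence_body(files[name]):
            problems.append(f"{name}: Evidence block is empty")
    return problems

def check_directory(pack_dir: str) -> list[str]:
    root = Path(pack_dir)
    files = {p.name: p.read_text(encoding="utf-8") for p in root.glob("*.md")} if root.is_dir() else {}
    return check_pack(files)

if __name__ == "__main__":
    issues = check_directory(sys.argv[1] if len(sys.argv) > 1 else "evidence-pack")
    print("\n".join(issues) or "evidence pack complete")
    sys.exit(1 if issues else 0)
```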
- It is not legal advice. A conformity assessment under Article 43 still requires a notified body for Annex III systems. This tool emits the documentation skeleton — your legal/regulatory team owns the content.
- It does not auto-classify risk tier. Whether your system is "high-risk under Annex III", "Annex I product-integrated", "limited-risk", or "minimal-risk" is a judgement call the operator makes. The tool takes `--risk-tier` as input; it does not infer it.
- It does not run the conformity assessment. Annex IV Section 8 requires the EU declaration of conformity referred to in Article 47. Drafting and signing that declaration is the provider's responsibility.
- It is not a substitute for the harmonised standards work. Section 7 lists harmonised standards applied; CEN-CENELEC JTC 21 is still publishing them. The tool reminds you to list them; it does not pick them for you.
- OSS (this repo, MIT): the CLI + GitHub Action are free, forever.
- Hosted SaaS (planned, Stripe €49-99/mo): retained audit logs across releases, multi-product workspace, continuous Annex-IV-section completion monitoring, drift alerts when EUR-Lex publishes amendments. Waitlist on the Carrd landing page.
Why the split? Most teams need the scaffolder once per system. Teams shipping multiple high-risk systems, or operating in regulated sectors (medical devices, automotive, banking), need the continuous monitoring layer.
The AI Act prohibitions (Article 5) entered into force on 2025-02-02. GPAI obligations (Chapter V) entered into force on 2025-08-02. The Digital Omnibus political agreement of 7 May 2026 deferred:
- Annex III high-risk obligations: 2027-12-02 (was 2026-08-02).
- Annex I product-integrated high-risk obligations: 2028-08-02 (was 2027-08-02).
- Article 50 transparency obligations: 2026-12-02 (post-Omnibus).
Urgency is therefore moderate but real: any high-risk AI system entering the EU market in 2027 or 2028 needs Annex IV documentation in place. Teams that start in late 2027 will be in the same scramble that hit GDPR-2018 latecomers.
The Commission's Article 50 transparency guidelines were published on 2026-05-08, with consultation open until 2026-06-03. Article 50 deliverables (transparency disclosures for AI-generated content) are out of scope for this tool's v0.1, which focuses on Annex IV + FRIA.
If you use this tool in a conformity assessment package, please cite:
```bibtex
@software{plusultra_ai_act_conformity_2026,
  author    = {plusUltra Labs},
  title     = {ai-act-conformity-pack: Annex IV evidence-pack scaffolder for Regulation (EU) 2024/1689},
  year      = {2026},
  publisher = {Zenodo},
  doi       = {10.5281/zenodo.<DOI-pending>}
}
```
DOI will be minted on the v0.1.0 release.
MIT — see LICENSE.
- dcm-anon — DICOM anonymizer with verbatim DICOM PS3.15 Annex E + UNE-EN ISO 25237 citations and SHA-chain audit. Same evidence-pack pattern.
- cra-sbom-evidence — Cyber Resilience Act SBOM evidence emitter with CycloneDX + verbatim Regulation (EU) 2024/2847 Annex I citations.
Issues and PRs welcome. Security reports: see SECURITY.md.