If you ship an AI agent to EU users, the AI Act puts three obligations on the system itself: don’t drive prohibited practices, tell people they’re talking to AI, and keep a technical record of what the system did. The EU AI Act pack maps those obligations to real gateway controls and materializes them into a guardrail you can run in observe mode first, then take live — with an auditor-verifiable report at the end.

This page is the EU-AI-Act-specific landing page on top of the general compliance flow. For the mechanics that every pack shares — observe-first, plan gating, the signed report — start at the compliance overview.

1. What EU AI Act compliance covers on the gateway

The eu_ai_act pack maps the EU Artificial Intelligence Act (jurisdiction EU, effective 2024-08-01) to three content-plane controls. Each one is a real, editable guardrail rule — not a checkbox — built from the same preset library you can author against by hand.
Blocks manipulation and jailbreak attempts that drive prohibited behaviour. Built from the Prompt-Injection Basics preset plus a jailbreak regex-block rule, so injection and jailbreak intent are caught on the request before the model sees them.
Enforces a disclosure so users know they are interacting with AI. Built from the Legal Disclaimer Enforce preset, which flags output that gives definitive legal/financial advice for team review.
Logs guardrail decisions for the technical record. Built from the Compliance Logger (observe-only) preset — it records PII occurrences and policy decisions without blocking or modifying traffic.
These are the obligations the gateway can carry: enforcement on inputs and outputs, a disclosure surface, and a decision record. Organizational duties the regulation also imposes — your Art. 9 risk management system and Art. 14 human-oversight measures — live in the pack’s control matrix as Organizational: true items for you to evidence outside the gateway. See shared responsibility.

2. One concrete example: install, observe, go live

Pack work uses your console session (UserAuth) — not a relay sk-orca-… key. Browsing the catalog and checking readiness are free for any workspace Member; installing is a workspace Admin action on a paid plan, enforced server-side so a direct API call can’t bypass the gate.
Step 1: Browse and check readiness (Member, free)

Open Compliance → Frameworks and select EU AI Act. Readiness shows how the three controls map to your current policies before you commit to anything.
Step 2: Install the pack (Admin, paid)

Installing from the console issues POST /api/compliance/packs/eu_ai_act/install. One call materializes the controls into a real, editable guardrail tagged with the pack’s provenance — created in observe mode, so it flags instead of blocking and you collect “would-have-blocked” evidence on live traffic without affecting it.
POST /api/compliance/packs/eu_ai_act/install
Step 3: Watch the matches

Review what the prohibited-practice and transparency controls would catch in the Guardrails matches feed (GET /api/guardrail/match, Member). Tune any rule in the console — it’s a standard guardrail, so every edit, version, and revert path works unchanged.
Step 4: Take it live and attach

Flip the guardrail out of observe mode when the evidence looks right, then attach it to the keys your EU-facing agents use by setting guardrail_id on the key (or make it the workspace default). Now Art. 5 blocks enforce on the request before metering.
A guardrail_blocked result is an HTTP 400 that costs no quota — an input-stage block is caught pre-metering, and it’s marked skip-retry, so a blocked prohibited-practice attempt never burns spend or loops.

3. Ship a signed, verifiable report

When you’re enforcing, generate the compliance report: an Ed25519-signed, SHA-256-stamped artifact you can export as CSV, JSON, or PDF and hand to an auditor. Anyone can verify it without an account.
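An added example (not the gateway's own code or its report schema) of what an auditor-side check of an Ed25519-signed, SHA-256-stamped report involves, and why the signature matters more than the stamp. The envelope fields `body`, `sha256` and `signature`, the locally generated key pair and the sample CSV are assumptions constructed for illustration.

```javascript
// Added example: the envelope fields (body, sha256, signature) are
// hypothetical, not the gateway's documented report schema.
const crypto = require('node:crypto');

// Constructed stand-in for the signing key; a real auditor only ever
// holds the published public key.
const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');

// Signer side (assumed): stamp the exact report bytes with SHA-256,
// then sign those same bytes with Ed25519.
function signReport(bodyText, key) {
  const body = Buffer.from(bodyText, 'utf8');
  return {
    body: body.toString('base64'),
    sha256: crypto.createHash('sha256').update(body).digest('hex'),
    signature: crypto.sign(null, body, key).toString('base64'),
  };
}

// Auditor side: recompute the digest, then verify the signature.
function verifyReport(envelope, pubKey) {
  const body = Buffer.from(envelope.body, 'base64');
  const digest = crypto.createHash('sha256').update(body).digest();
  const claimed = Buffer.from(envelope.sha256, 'hex');
  if (claimed.length !== digest.length || !crypto.timingSafeEqual(claimed, digest)) {
    return { ok: false, reason: 'sha256 stamp does not match report bytes' };
  }
  let sigOk = false;
  try {
    sigOk = crypto.verify(null, body, pubKey, Buffer.from(envelope.signature, 'base64'));
  } catch { sigOk = false; }
  if (!sigOk) return { ok: false, reason: 'Ed25519 signature invalid' };
  return { ok: true, reason: 'digest and signature verified' };
}

// Constructed sample report (CSV), not real gateway output.
const sample = 'control,mode,decision\nprohibited_practice,observe,flag\n';
const edited = sample.replace('flag', 'pass');
const good = signReport(sample, privateKey);

// Tamper 1: body changed, stamp left alone -> the digest check fails.
const editedBody = { ...good, body: Buffer.from(edited).toString('base64') };
// Tamper 2: body changed and stamp recomputed -> only the signature catches it.
const restamped = { ...signReport(edited, privateKey), signature: good.signature };

console.log(verifyReport(good, publicKey), verifyReport(editedBody, publicKey), verifyReport(restamped, publicKey));
```

The second tamper case is the one to note: anyone can recompute a SHA-256 stamp, so the stamp shows integrity of the bytes while only the Ed25519 check ties the report to the signer's key.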

Signed report

What the report contains and how it’s signed.

Verify a report

The public verify endpoint and pubkey — auditors confirm authenticity independently.
Reports are stamped and stored under your declared data-residency region (us / eu / uk / ap / cn / global). For an EU AI Act filing you’ll usually set residency to eu; a report is only served under a matching declared region, and cross-region reads are withheld.
Data residency is the region of the compliance report artifact, not geo-pinning of where inference runs. It controls where your signed evidence lives and who can read it, not where model traffic is routed. See data residency.

4. EU AI Act alongside the rest of your program

The EU AI Act rarely lands alone. The same install flow covers the adjacent AI-governance and EU-privacy frameworks, each materializing its own editable controls (the AI-governance packs are guardrail-only; the GDPR pack also adds a firewall policy for its cross-border-transfer control):
| Pack | Framework |
| --- | --- |
| iso_42001 | ISO/IEC 42001 AI management system |
| nist_ai_rmf | NIST AI Risk Management Framework |
| gdpr | EU General Data Protection Regulation |

ISO 42001

AI management-system evidence.

NIST AI RMF

Map / Measure / Manage controls.

GDPR

EU personal-data obligations.
The Art. 5 prohibited-practice control is the gateway’s defense against the same threats your security policies already track — prompt injection and jailbreaks. If you want to harden those independently of the compliance pack, the firewall and guardrail references go deeper.

5. Where to go next

Install a pack

The full install mechanics, shared across every framework.

Observe vs enforce

How observe mode turns into live enforcement, deliberately.

Guardrails reference

The content-plane controls the EU AI Act pack is built from.

Prompt injection

The threat the Art. 5 prohibited-practice guard defends against.
Install in observe mode, watch what the prohibited-practice and transparency controls would catch, take them live on your EU-facing keys, then ship a signed report. That’s EU AI Act compliance as a configuration, not a project.