comply.businys.dev

Compliance onboarding

Five steps to EU AI Act compliance

From classification to ongoing monitoring. This is the technical path — your legal counsel confirms the legal path. Both are required.

1. Classify your AI system
2. Identify your obligations
3. Enable the compliance module
4. Run your first compliance export
5. Establish ongoing monitoring
1. Classify your AI system

30–60 min (with legal counsel)

The EU AI Act obligations that apply to you depend entirely on your AI system's risk classification. Most agentic deployments built on MCP fall into one of three categories:

Minimal risk: Most deployments
General-purpose tools, productivity assistants, internal automation. Most freelance and SMB deployments. No mandatory compliance obligations — but audit logging is still recommended practice.
Limited risk: Transparency required
Systems interacting with users without disclosure, or generating certain types of content. Transparency obligations apply (Art. 50). Users must know they are interacting with an AI system.
High risk (Annex III): Full obligations — Aug 2, 2026
Systems used in employment decisions, credit scoring, education assessment, critical infrastructure, law enforcement, or migration. Full Chapter III obligations apply from August 2, 2026.
Note: If you are unsure of your classification, start with Annex III of the EU AI Act and consult qualified legal counsel. The classification determines which of the following steps are legally required versus best practice.
2. Identify your obligations

With legal counsel

Based on your classification, review which articles apply. For most agentic MCP deployments the key technical obligations are:

Art. 12 — Record-keeping (High-risk)
Immutable audit log, six-month minimum retention.
Art. 13 — Transparency (High-risk)
Observable call stream, Agent Lineage documentation.
Art. 14 — Human oversight (High-risk)
Override and interruption capability for any tool call.
Art. 9 — Risk management (High-risk)
Continuous anomaly detection and documented risk controls.
Art. 50 — Transparency (users) (Limited + High-risk)
Disclosure that users are interacting with an AI system.
Note: Review the full article mapping for implementation details on each obligation.
3. Enable the compliance module

~15 minutes

Install @businys/ops and enable the compliance middleware. All four core obligation areas are covered by a single configuration:

    npm install @businys/ops

    # mcp-ops.config.json
    {
      "auditLog": true,          // Art. 12 record-keeping
      "lineage": true,           // Art. 13 traceability
      "confirmation": true,      // Art. 14 human oversight
      "reputation": true,        // Art. 9 risk management
      "dataRegion": "eu-west-1"  // Data residency
    }
Note: Run npx @businys/ops init to scaffold the config file. Run npx @businys/ops deploy to connect to your hosted dashboard.
4. Run your first compliance export

After 24–48 hours of operation

After your system has been running with the compliance module enabled, generate your first Article 13 documentation package from the dashboard:

Navigate to your project
Open your project in the hosted dashboard at businysdotdev.vercel.app.
Open Compliance → Export
Select the date range for your compliance export. Minimum 24 hours recommended for a meaningful baseline.
Download the package
The package includes: call volume summary, tool inventory, agent identity list, error rate analysis, anomaly summary, and lineage sample.
Review with your legal team
The documentation package is the foundation for your conformity assessment process. Your legal counsel reviews it; they do not build it.
Note: The compliance export is a PDF and JSON package. The JSON version is machine-readable for integration with GRC tools.
5. Establish ongoing monitoring

Continuous

EU AI Act compliance is not a one-time certification — it requires continuous monitoring throughout the system's lifetime (Art. 17, Art. 72). The @businys/ops dashboard provides:

Real-time anomaly feed
Loop detection, burst protection, error spike alerts. Every anomaly logged with context.
Reputation scores per agent
Continuous scoring based on call patterns, error rates, and flagged behaviours. Degradation triggers alerts.
Monthly compliance summaries
Aggregate report covering call volume, error rates, human override events, and anomaly count. Exportable for legal review.
Audit log retention
Six-month minimum retention enforced. Records are immutable with SHA-256 hash chain integrity verification.
Note: Post-market monitoring (Art. 72) requires documenting and analysing relevant data throughout the system's lifetime. The dashboard analytics constitute that documentation.
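
The audit log retention item above relies on SHA-256 hash chain integrity verification. The following is an added example, not @businys/ops code: the record fields, `appendRecord`, `verifyChain` and the sample entries are assumptions constructed here. It shows how such a check localises an altered or deleted record, and why a truncated tail is only caught when the head hash is stored outside the log.

```javascript
// Added example. The record layout is an assumption, not the @businys/ops format.
const crypto = require("node:crypto");

const GENESIS = "0".repeat(64); // prevHash of the first record

// Hash a fixed, ordered field list so the digest is reproducible.
function digest(rec) {
  const body = JSON.stringify([rec.seq, rec.ts, rec.agent, rec.tool, rec.prevHash]);
  return crypto.createHash("sha256").update(body).digest("hex");
}

// Append a record linked to the hash of the record before it.
function appendRecord(log, entry) {
  const prevHash = log.length ? log[log.length - 1].hash : GENESIS;
  const rec = { seq: log.length, ...entry, prevHash };
  rec.hash = digest(rec);
  log.push(rec);
  return rec;
}

// Walk the chain; report the first index where integrity fails.
function verifyChain(log, expectedHead) {
  const fail = (brokenAt, reason) => ({ ok: false, brokenAt, reason });
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const r = log[i];
    if (r.seq !== i) return fail(i, "sequence gap or reorder");
    if (r.prevHash !== prev) return fail(i, "broken link");
    if (digest(r) !== r.hash) return fail(i, "record altered");
    prev = r.hash;
  }
  // A truncated tail is still a valid chain; only a head hash kept
  // outside the log store (expectedHead) exposes it.
  if (expectedHead !== undefined && prev !== expectedHead) {
    return fail(log.length, "head mismatch");
  }
  return { ok: true, brokenAt: -1, reason: "" };
}

// Constructed sample entries (not real audit data).
function sampleLog() {
  const log = [];
  appendRecord(log, { ts: "2026-01-10T09:00:00Z", agent: "agent-a", tool: "search_docs" });
  appendRecord(log, { ts: "2026-01-10T09:00:05Z", agent: "agent-a", tool: "send_email" });
  appendRecord(log, { ts: "2026-01-10T09:00:09Z", agent: "agent-b", tool: "read_file" });
  return log;
}
```

When reviewing an exported log, compare the computed head against a copy of the head hash held in a separate system; the chain by itself cannot show that its most recent records were dropped.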

Ready to start?

The infrastructure takes minutes to deploy. The audit record starts building immediately. The August 2, 2026 deadline is fixed.
