## Article-by-article coverage
| EU AI Act Article | Obligation | Lex Custis OSS v0.1 | Commercial edition adds | Source of truth |
|---|---|---|---|---|
| Art. 5 | Prohibited practices | n/a — we don't help with banned practices | — | — |
| Art. 9 | Risk management system | Boilerplate in dossier PDF | Full risk register + lifecycle UI | services/report_generator.py |
| Art. 10 | Data governance | provider_manifest.json | Full dataset registry + bias reports | services/dossier_service.py |
| Art. 11 | Technical documentation | Annex IV PDF in dossier zip | Customisable per deployer | services/dossier_service.py |
| Art. 12 | Automatic event logs | HMAC-SHA-256 chain (core feature) | KMS-backed key, log rotation | services/audit_service.py |
| Art. 13 | Transparency / IFU | Intended purpose + limits in dossier | Versioned per-deployer IFU generator | services/report_generator.py |
| Art. 14 | Human oversight | Accept / modify / reject records | Org-level pause toggle | models/audit_log.py::AuditLogOversight, components/OversightControls.tsx |
| Art. 15 | Accuracy, robustness, cybersecurity | Aggregate metrics in dossier | Rolling drift detection + alerts | services/dossier_service.py::_build_metrics |
| Art. 16 | Summary of provider obligations | Covered via Arts. 9–15, 17, 19, 47, 49 | — | — |
| Art. 17 | Quality management system | QMS posture (CI + SECURITY + CONTRIBUTING) | Customer-facing QMS statement | .github/workflows/, SECURITY.md |
| Art. 19 | Retention (≥6 months) | Append-only, indefinite | Retention policy engine | PG role REVOKE |
| Art. 26 | Deployer obligations | /compliance + /incidents dashboards | Weekly trend view | routers/compliance.py, routers/incidents.py |
| Art. 27 | FRIA | — | FRIA wizard | — |
| Art. 40–49 | Standards, conformity, CE marking, registration | — (compliance-officer scope) | EU database export (when Commission publishes template) | — |
| Art. 50 | Transparency (AI marking) | AI-generated marker on every response | — | components/ChatMessage.tsx |
| Art. 53 | GPAI provider obligations | Provider manifest + upstream disclosure URL | Per-model snapshot pinning | services/dossier_service.py::_build_provider_manifest |
| Art. 55 | Systemic-risk GPAI | n/a — we don't train GPAI | — | — |
| Art. 71 | EU database registration | — | JSON export when template published | — |
| Art. 72 | Post-market monitoring | Aggregates per period | PMM plan generator + trend dashboards | services/dossier_service.py |
| Art. 73 | Serious incident reporting | Full workflow with SLA + JSON export | Direct-submission APIs | services/incident_service.py, routers/incidents.py |
| Art. 82 | Corrective measures | — (operational response) | Incident-auto-throttle hook | — |
| Art. 99 | Penalties | n/a — this is what we help you avoid | — | — |
## By compliance function

### "I need to show that every AI decision is logged"

Art. 12 → services/audit_service.py.
Proof points: HMAC chain, per-org key, integrity endpoint at GET /api/v1/compliance/integrity-check, offline verifiable from dossier.
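To make the "offline verifiable" proof point concrete, here is an added example (not the project's audit_service.py) of an HMAC-SHA-256 chained log with a verifier that needs only the exported entries and the per-org key. The record layout, the genesis tag and the sample entries are assumptions made for this illustration; it shows that an edited or deleted entry is caught at the first broken link.

```python
from __future__ import annotations
import hashlib
import hmac
import json
from dataclasses import dataclass

# Assumed layout (not Lex Custis' actual record format): tag = HMAC-SHA-256(
#   org_key, prev_tag || canonical JSON payload); the first link uses GENESIS_TAG.
GENESIS_TAG = "0" * 64


@dataclass
class AuditEntry:
    seq: int
    payload: dict
    prev_tag: str
    tag: str


def _mac(org_key: bytes, prev_tag: str, payload: dict) -> str:
    # Canonical JSON so an offline verifier reproduces the exact signed bytes.
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(org_key, prev_tag.encode() + body, hashlib.sha256).hexdigest()


def append_entry(chain: list[AuditEntry], org_key: bytes, payload: dict) -> AuditEntry:
    prev_tag = chain[-1].tag if chain else GENESIS_TAG
    entry = AuditEntry(len(chain), payload, prev_tag, _mac(org_key, prev_tag, payload))
    chain.append(entry)
    return entry


def verify_chain(chain: list[AuditEntry], org_key: bytes) -> tuple[bool, int | None]:
    """Offline check: returns (ok, index of the first broken link or None)."""
    expected_prev = GENESIS_TAG
    for i, e in enumerate(chain):
        if e.seq != i or e.prev_tag != expected_prev:
            return False, i  # entry deleted, inserted or reordered
        if not hmac.compare_digest(e.tag, _mac(org_key, e.prev_tag, e.payload)):
            return False, i  # payload or tag edited after the fact
        expected_prev = e.tag
    return True, None


def demo() -> dict:
    # Constructed key and records; a real key comes from the per-org key store.
    org_key = b"constructed-per-org-key"
    chain: list[AuditEntry] = []
    for n in range(3):
        append_entry(chain, org_key, {"request_id": f"req-{n}", "decision": "accept"})
    intact = verify_chain(chain, org_key)
    chain[1].payload["decision"] = "reject"  # silent edit of a stored record
    edited = verify_chain(chain, org_key)
    chain[1].payload["decision"] = "accept"
    del chain[1]  # deletion breaks the next entry's link
    return {"intact": intact, "edited": edited, "deleted": verify_chain(chain, org_key)}
```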
### "I need a technical-documentation package for release vX"
Art. 11 → GET /api/v1/compliance/dossier?period_start&period_end.
services/dossier_service.py.
Proof points: Annex IV-structured PDF + 6 companion files + signed manifest.
### "Our MSA is asking about a specific incident from last quarter"
Art. 73 → /incidents/<uuid>/export.
services/incident_service.py.
Proof points: classification, detection timestamp, SLA target, submission reference, resolution notes, linked audit entry.
### "A deployer asks 'how do I know your model isn't drifting?'"
Art. 15 → metrics.json in the dossier.
Proof points: period aggregates (confidence min/avg/max, PII rate, bias-flag rate, oversight rate). Full drift detection is commercial edition.
### "We need oversight records for the audit"
Art. 14 → audit_log_oversight table joined via audit_log_id.
routers/chat.py::log_oversight.
Proof points: one row per accepted / modified / rejected action, separated from the append-only chain.