EU AI Act

How Nexus maps to Articles 5, 10, 12, 15, 26, 43, and 73

Nexus provides infrastructure controls that map to high-risk AI system obligations under the EU AI Act. This page summarizes the mapping for compliance officers and legal teams.

This mapping is product documentation, not legal advice. Engage qualified counsel for conformity assessments.

Summary matrix

Article | Requirement                          | Nexus control
--------|--------------------------------------|----------------------------------------------------------------------------------------------
Art. 5  | Prohibited practices                 | NPL rules block prohibited tool classes (e.g. social scoring patterns, covert manipulation payloads)
Art. 10 | Data governance                      | Tenant RLS, data classification on tool metadata, connector sandboxing
Art. 12 | Record-keeping                       | Hash-chained audit trail, 7-year retention
Art. 15 | Accuracy, robustness, cybersecurity  | Fail-closed policy gate, Kill Switch v2, MFA on operator console
Art. 26 | Deployer obligations                 | Shadow mode for pre-deployment validation, human takeover hooks
Art. 43 | Conformity assessment                | Conformity bundle export with manifest hash
Art. 73 | Reporting serious incidents          | DORA-aligned incident classification, audit export for regulator notification

Prohibited practices (Article 5)

NPL policy packs can encode deny rules for tool patterns associated with prohibited AI practices. The MCP Gateway inspects execution payloads, not prompts, so blocked actions are evidence-backed with stable rule IDs.

Example policy pin:

hardalion://nato-prou-strict-financial@1.0.0

View policy source on GitHub →

Record-keeping (Article 12)

Every agent tool call through Nexus produces an append-only audit entry with:

  • Timestamp (UTC)
  • Agent ID and AgentIAM credential reference
  • Tool name, input parameters (masked where sensitive)
  • Policy decision and matched rule IDs
  • Confidence score and human override flag

To verify the integrity of the chain, see Immutable audit trail.
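The page states that the audit trail is hash-chained (Art. 12 row of the matrix) and lists the fields each entry carries, but does not show how an auditor would check that chain. The following is an added illustration, not Nexus code and not Nexus's actual record format: it builds a SHA-256 hash chain over constructed sample entries with the fields listed above, then shows that editing one entry (a deny flipped to allow) or deleting one breaks verification at that position. The canonical JSON encoding, the genesis value and the field names are assumptions for the example.

```python
import copy
import hashlib
import json

GENESIS = "0" * 64  # assumed starting prev_hash for an empty chain

# Constructed sample tool-call events using the field set listed on this page.
# Agent IDs, credential references, tool names and rule IDs are hypothetical.
SAMPLE_EVENTS = [
    {
        "timestamp": "2025-01-15T10:00:00Z",
        "agent_id": "agent-demo-001",
        "credential_ref": "agentiam://cred/demo-001",
        "tool": "ledger.read",
        "input": {"account": "***masked***"},
        "decision": "allow",
        "matched_rules": ["RULE-READ-001"],
        "confidence": 0.97,
        "human_override": False,
    },
    {
        "timestamp": "2025-01-15T10:00:02Z",
        "agent_id": "agent-demo-001",
        "credential_ref": "agentiam://cred/demo-001",
        "tool": "payments.transfer",
        "input": {"amount": 25000, "iban": "***masked***"},
        "decision": "deny",
        "matched_rules": ["RULE-FIN-007"],
        "confidence": 0.91,
        "human_override": False,
    },
    {
        "timestamp": "2025-01-15T10:00:05Z",
        "agent_id": "agent-demo-001",
        "credential_ref": "agentiam://cred/demo-001",
        "tool": "payments.transfer",
        "input": {"amount": 25000, "iban": "***masked***"},
        "decision": "allow",
        "matched_rules": ["RULE-FIN-007"],
        "confidence": 0.91,
        "human_override": True,  # a human approved the previously denied action
    },
]


def canonical(entry: dict) -> bytes:
    """Deterministic encoding so the same entry always hashes the same way."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def build_chain(events: list) -> list:
    """Append each event with prev_hash and entry_hash, linking it to its predecessor."""
    chain, prev = [], GENESIS
    for ev in events:
        body = dict(ev, prev_hash=prev)
        digest = hashlib.sha256(canonical(body)).hexdigest()
        chain.append(dict(body, entry_hash=digest))
        prev = digest
    return chain


def verify_chain(chain: list) -> tuple:
    """Return (True, length) if intact, else (False, index) of the first bad entry.

    Both the recomputed entry_hash and the link to the previous entry are
    checked, so an in-place edit and a deleted entry are each detected.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        if body.get("prev_hash") != prev:
            return (False, i)
        if hashlib.sha256(canonical(body)).hexdigest() != entry.get("entry_hash"):
            return (False, i)
        prev = entry["entry_hash"]
    return (True, len(chain))


def tamper_demo() -> tuple:
    """Show detection of an edited entry and of a removed entry."""
    chain = build_chain(SAMPLE_EVENTS)
    edited = copy.deepcopy(chain)
    edited[1]["decision"] = "allow"  # rewrite history: the deny becomes an allow
    deleted = chain[:1] + chain[2:]  # drop the denied call entirely
    return verify_chain(chain), verify_chain(edited), verify_chain(deleted)


if __name__ == "__main__":
    intact, edited, deleted = tamper_demo()
    print("intact:", intact, "edited:", edited, "deleted:", deleted)
```

In a real deployment the verifier would also anchor the latest entry_hash somewhere the tenant cannot rewrite (for example in the conformity bundle manifest), since a hash chain alone only proves internal consistency, not that the whole chain was not regenerated.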

Deployer workflow (Article 26)

Recommended deployer sequence:

  1. Register AI system in Nexus inventory (/api/v1/compliance/ai-system-inventory)
  2. Run shadow mode on production-like traffic
  3. Complete FRIA where required (POST /api/v1/compliance/fria)
  4. Export conformity bundle before go-live
  5. Enable enforce mode with pinned policy version

Conformity evidence

Generate a conformity bundle for auditors:

curl -X POST "https://nexus.hardalion.com/api/v1/compliance/export/conformity-bundle" \
  -H "Authorization: Bearer $TENANT_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ai_system_id": "ais_trading_agent_v2",
    "include_audit_sample": true
  }'

See Compliance exports for Annex IV and deployer pack formats.

Fundamental Rights Impact Assessment

Nexus supports FRIA lifecycle management:

  • Create: POST /api/v1/compliance/fria
  • Update: PATCH /api/v1/compliance/fria/{id}
  • Link to agent executions and audit samples