Eu Compliance MCP

🚀 EU Regulations MCP Server

The EUR-Lex alternative for the AI age.

This MCP server enables users to query 50 EU regulations directly from Claude, Cursor, or any MCP-compatible client. It serves as a compliance reference for those building digital products, financial services, healthcare tech, or connected devices for the European market.

🚀 Quick Start

Use Remotely (No Install Needed)

Connect directly to the hosted version — zero dependencies, nothing to install.

Endpoint: https://eu-regulations-mcp.vercel.app/mcp

Claude Desktop — add to claude_desktop_config.json:

{
  "mcpServers": {
    "eu-regulations": {
      "type": "url",
      "url": "https://eu-regulations-mcp.vercel.app/mcp"
    }
  }
}

GitHub Copilot — add to VS Code settings.json:

{
  "github.copilot.chat.mcp.servers": {
    "eu-regulations": {
      "type": "http",
      "url": "https://eu-regulations-mcp.vercel.app/mcp"
    }
  }
}

Use Locally (npm)

npx @ansvar/eu-regulations-mcp

Claude Desktop — add to claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "eu-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/eu-regulations-mcp"]
    }
  }
}

Cursor / VS Code:

{
  "mcp.servers": {
    "eu-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/eu-regulations-mcp"]
    }
  }
}

✨ Features

• Query 50 EU regulations: Including GDPR, AI Act, DORA, Chips Act, MiFID II, eIDAS, Medical Device Regulation, MDCG cybersecurity guidance, and more.
• Searchable and cross - referenceable: Makes EU regulations searchable, cross - referenceable, and AI - readable.
• Daily updates: Automatic freshness checks against EUR - Lex.
• Rich content: Contains 49 regulations, 2,528 articles, 3,869 recitals, 1,226 official definitions, and more.
• Control mappings: 709 mappings to ISO 27001:2022 & NIS2 CSF 2.0.
• Evidence requirements: 407 audit artifacts across all 49 regulations.
• Sector rules: 323 applicability rules across all sectors and industries.

💻 Usage Examples

Once connected, just ask naturally:

• "What are the risk management requirements under NIS2 Article 21?"
• "How long do I have to report a security incident under DORA?"
• "Compare GDPR breach notification with NIS2 incident reporting"
• "Does the EU AI Act apply to my recruitment screening tool?"
• "What are the essential cybersecurity requirements under the Cyber Resilience Act?"
• "Which regulations apply to a healthcare organization in Germany?"
• "Map DORA ICT risk management to ISO 27001 controls"
• "What is an EU Digital Identity Wallet under eIDAS 2.0?"
• "What are my data access rights under the Data Act?"

More examples: TEST_QUERIES.md — 60+ example queries organized by category

📚 Documentation

• Database SSL/TLS Configuration - Secure PostgreSQL connections for Cloudflare Workers deployments
• Security Policy - Vulnerability reporting and security best practices
• Coverage Gaps - Known missing content from EUR-Lex
• GitHub Actions Setup - CI/CD workflow configuration
• Privacy Policy - Data handling and retention notes
• Coverage Details — All 37 regulations with article counts
• Use Cases — Industry-specific guidance (fintech, healthcare, IoT, etc.)
• Available Tools — Detailed tool descriptions
• Development Guide — Adding regulations, webhooks, CI/CD
• Troubleshooting — Common issues and fixes
• Roadmap — Upcoming features (delegated acts, national transpositions)
• Test Queries — 60+ example queries

🔧 Technical Details

Why This Works

Verbatim Source Text (No LLM Processing):

• All article text is ingested from EUR-Lex/UNECE official sources
• Snippets are returned unchanged from SQLite FTS5 database rows
• Zero LLM summarization or paraphrasing — the database contains regulation text, not AI interpretations
• Note: HTML-to-text conversion normalizes whitespace/formatting, but preserves content

Smart Context Management:

• Search returns 32-token snippets with highlighted matches (safe for context)
• Article retrieval warns about token usage (some articles = 70k tokens)
• Cross-references help navigate without loading everything at once

Technical Architecture:

EUR-Lex HTML → Parse → SQLite → FTS5 snippet() → MCP response
                  ↑                    ↑
           Formatting only      Verbatim database query

Example: EUR-Lex vs. This MCP

EUR-Lex example: Download DORA PDF → Ctrl+F "incident" → Read Article 17 → Google "What's a major incident?" → Cross-reference NIS2 → Repeat for 5 regulations

This MCP: "Compare incident reporting requirements across DORA, NIS2, and CRA" → Done.

Directory Review Notes

Testing Account and Sample Data

This server is read-only and does not require a login account for functional review. For directory review, use the bundled dataset and these sample prompts:

• "What does NIS2 Article 21 require?"
• "Compare DORA and NIS2 incident reporting obligations."
• "Map ISO 27001 controls to DORA requirements."

Remote Authentication (OAuth 2.0)

The default server runtime is read-only and can be deployed without authentication. If you deploy a remote authenticated endpoint, use OAuth 2.0 over TLS with certificates from recognized authorities.

⚠️ Important Disclaimers

Legal Advice

⚠️ Important Note

🚨 THIS TOOL IS NOT LEGAL ADVICE 🚨

Regulation text is sourced verbatim from EUR-Lex and UNECE (official public sources). However:

• Control mappings (ISO 27001, NIST CSF) are interpretive aids, not official guidance
• Applicability rules are generalizations, not legal determinations
• Cross-references are research helpers, not compliance mandates

Always verify against official sources and consult qualified legal counsel for compliance decisions.

Token Usage

⚠️ Important Note

⚠️ Context Window Warning

Some articles are very large (e.g., MDR Article 123 = ~70,000 tokens). The MCP server:

• Search tool: Returns smart snippets (safe for context)
• Get article tool: Returns full text (may consume significant tokens)
• Recommendation: Use search first, then fetch specific articles as needed

Claude Desktop has a 200k token context window. Monitor your usage when retrieving multiple large articles.

ISO Standards Copyright

No copyrighted ISO standards are included. Control mappings reference ISO 27001:2022 control IDs only (e.g., "A.5.1", "A.8.2"). The actual text of ISO standards requires a paid license from ISO. This tool helps map regulations to controls but doesn't replace the standard itself.

Related Projects: Complete Compliance Suite

This server is part of Ansvar's Compliance Suite - three MCP servers that work together for end-to-end compliance coverage:

🇪🇺 EU Regulations MCP (This Project)

Query 47 EU regulations directly from Claude

• GDPR, AI Act, DORA, NIS2, MiFID II, PSD2, eIDAS, MDR, and 39 more
• Full regulatory text with article-level search
• Cross-regulation reference and comparison
• Install: npx @ansvar/eu-regulations-mcp

🇺🇸 US Regulations MCP

Query US federal and state compliance laws directly from Claude

• HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA 21 CFR Part 11, and 8 more
• Federal and state privacy law comparison
• Breach notification timeline mapping
• Install: npm install @ansvar/us-regulations-mcp

🔐 Security Controls MCP

Query 1,451 security controls across 28 frameworks

• ISO 27001, NIST CSF, DORA, PCI DSS, SOC 2, CMMC, FedRAMP, and 21 more
• Bidirectional framework mapping and gap analysis
• Import your purchased standards for official text
• Install: pipx install security-controls-mcp

How They Work Together

Regulations → Controls Implementation Workflow:

1. "What are DORA's ICT risk management requirements?"
   → EU Regulations MCP returns Article 6 full text

2. "What security controls satisfy DORA Article 6?"
   → Security Controls MCP maps to ISO 27001, NIST CSF, and SCF controls

3. "Show me ISO 27001 A.8.1 implementation details"
   → Security Controls MCP returns control requirements and framework mappings

Complete compliance in one chat:

• EU/US Regulations MCPs tell you WHAT compliance requirements you must meet
• Security Controls MCP tells you HOW to implement controls that satisfy those requirements

Specialized: OT/ICS Security

🏭 OT Security MCP

Query IEC 62443, NIST 800-82/53, and MITRE ATT&CK for ICS

• Specialized for OT/ICS environments (manufacturing, energy, critical infrastructure)
• Security levels, Purdue Model, zone/conduit architecture
• MITRE ATT&CK for ICS threat intelligence
• Install: npx @ansvar/ot-security-mcp
• Use case: NIS2-compliant OT operators, industrial manufacturers, critical infrastructure

Specialized: Automotive Cybersecurity

🚗 Automotive Cybersecurity MCP

Query UNECE R155/R156 and ISO 21434

• Complete R155/R156 Revision 2 with all articles and annexes
• ISO 21434 clause guidance and work products
• R155 ↔ ISO 21434 cross-references
• Install: npx @ansvar/automotive-cybersecurity-mcp
• Use case: OEMs, Tier 1/2 suppliers, type approval preparation

Specialized: Sanctions Screening

🚨 Sanctions MCP

Offline-capable sanctions screening for third-party risk

• OFAC, EU, UN sanctions lists via OpenSanctions (30+ lists)
• Fuzzy name matching with confidence scoring
• PEP (Politically Exposed Person) checks
• Install: pip install ansvar-sanctions-mcp
• Use case: DORA Article 28 ICT third-party risk, AML/KYC compliance

About Ansvar Systems

We build AI-accelerated threat modeling and compliance tools for automotive, financial services, and healthcare. This MCP server started as our internal reference tool — turns out everyone building for EU markets has the same EUR-Lex frustrations.

So we're open-sourcing it. Navigating 37 regulations shouldn't require a legal team.

ansvar.eu — Stockholm, Sweden

Branching Strategy

This repository uses a dev integration branch. Do not push directly to main.

feature-branch → PR to dev → verify on dev → PR to main → deploy

• main is production-ready. Only receives merges from dev via PR.
• dev is the integration branch. All changes land here first.
• Feature branches are created from dev.

📄 License

Apache License 2.0. See LICENSE for details.

_{Built with care in Stockholm, Sweden}