EU Compliance MCP Server

EU Regulations MCP Server

MCP server providing structured access to full-text EU regulations via Claude, Cursor, and other MCP-compatible clients.

Query 61 EU regulations — from GDPR and AI Act to DORA, Chips Act, MiFID II, eIDAS, Medical Device Regulation, MDCG cybersecurity guidance, and more — directly from Claude, Cursor, or any MCP-compatible client.

If you're building digital products, financial services, healthcare tech, or connected devices for the European market, this is your compliance reference.

Built by Ansvar Systems — Stockholm, Sweden

---

Why This Exists

EU compliance is scattered across EUR-Lex PDFs, official journals, and regulatory sites. Whether you're:

• A developer implementing GDPR data rights or NIS2 incident reporting
• A product team navigating AI Act risk assessments or Medical Device conformity
• A compliance officer mapping ISO 27001 to DORA requirements
• A legal researcher comparing PSD2 authentication vs. eIDAS trust services

...you shouldn't need a law degree and 47 browser tabs. Ask Claude. Get the exact article. With context.

This MCP server makes EU regulations searchable, cross-referenceable, and AI-readable.

---

Quick Start

Use Remotely (No Install Needed)

Connect directly to the hosted version — zero dependencies, nothing to install.

Endpoint: https://mcp.ansvar.eu/eu-regulations/mcp

Claude Desktop — add to claude_desktop_config.json:

{
  "mcpServers": {
    "eu-regulations": {
      "type": "url",
      "url": "https://mcp.ansvar.eu/eu-regulations/mcp"
    }
  }
}

GitHub Copilot — add to VS Code settings.json:

{
  "github.copilot.chat.mcp.servers": {
    "eu-regulations": {
      "type": "http",
      "url": "https://mcp.ansvar.eu/eu-regulations/mcp"
    }
  }
}

Use Locally (npm)

npx @ansvar/eu-regulations-mcp

Claude Desktop — add to claude_desktop_config.json:

macOS: ~/Library/Application Support/Claude/claude_desktop_config.json Windows: %APPDATA%\Claude\claude_desktop_config.json

{
  "mcpServers": {
    "eu-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/eu-regulations-mcp"]
    }
  }
}

Cursor / VS Code:

{
  "mcp.servers": {
    "eu-regulations": {
      "command": "npx",
      "args": ["-y", "@ansvar/eu-regulations-mcp"]
    }
  }
}

Example Queries

Once connected, just ask naturally:

• "What are the risk management requirements under NIS2 Article 21?"
• "How long do I have to report a security incident under DORA?"
• "Compare GDPR breach notification with NIS2 incident reporting"
• "Does the EU AI Act apply to my recruitment screening tool?"
• "What are the essential cybersecurity requirements under the Cyber Resilience Act?"
• "Which regulations apply to a healthcare organization in Germany?"
• "Map DORA ICT risk management to ISO 27001 controls"
• "What is an EU Digital Identity Wallet under eIDAS 2.0?"
• "What are my data access rights under the Data Act?"

More examples: TEST_QUERIES.md — 60+ example queries organized by category

---

What's Included

• 61 Regulations — GDPR, DORA, NIS2, AI Act, CRA, Chips Act, MiCA, eIDAS 2.0, Medical Device Regulation, and 50 more
• 4,095 Articles (including 50 individually addressable annexes) + 4,970 Recitals + 1,448 Official Definitions
• 16 Regulation Guides — Pitfalls, proportionality tiers, cross-regulation analysis, key article structures for DORA, CRA, AI Act, GDPR, NIS2, MDR, MiCA, DSA, Data Act, PLD, and 6 more
• Full-Text Search — Find relevant articles and annexes across all regulations instantly
• Control Mappings — 709 mappings to ISO 27001:2022 & NIST CSF 2.0
• Evidence Requirements — 407 audit artifacts across all 61 regulations
• Sector Rules — 323 applicability rules across all sectors and industries
• Daily Updates — Automatic freshness checks against EUR-Lex

Detailed coverage: docs/coverage.md Use cases by industry: docs/use-cases.md Available tools: docs/tools.md

---

🎬 See It In Action

Why This Works

Verbatim Source Text (No LLM Processing):

• All article text is ingested from EUR-Lex/UNECE official sources
• Snippets are returned unchanged from SQLite FTS5 database rows
• Zero LLM summarization or paraphrasing — the database contains regulation text, not AI interpretations
• Note: HTML-to-text conversion normalizes whitespace/formatting, but preserves content

Smart Context Management:

• Search returns 32-token snippets with highlighted matches (safe for context)
• Article retrieval warns about token usage (some articles = 70k tokens)
• Cross-references help navigate without loading everything at once

Technical Architecture:

EUR-Lex HTML → Parse → SQLite → FTS5 snippet() → MCP response
                  ↑                    ↑
           Formatting only      Verbatim database query

Example: EUR-Lex vs. This MCP

EUR-Lex example: Download DORA PDF → Ctrl+F "incident" → Read Article 17 → Google "What's a major incident?" → Cross-reference NIS2 → Repeat for 5 regulations

This MCP: "Compare incident reporting requirements across DORA, NIS2, and CRA" → Done.

---

📚 Documentation

• Database SSL/TLS Configuration - Secure PostgreSQL connections for Cloudflare Workers deployments
• Security Policy - Vulnerability reporting and security best practices
• Coverage Gaps - Known missing content from EUR-Lex
• GitHub Actions Setup - CI/CD workflow configuration
• Privacy Policy - Data handling and retention notes

---

Directory Review Notes

Testing Account and Sample Data

This server is read-only and does not require a login account for functional review. For directory review, use the bundled dataset and these sample prompts:

• "What does NIS2 Article 21 require?"
• "Compare DORA and NIS2 incident reporting obligations."
• "Map ISO 27001 controls to DORA requirements."

Remote Authentication (OAuth 2.0)

The default server runtime is read-only and can be deployed without authentication. If you deploy a remote authenticated endpoint, use OAuth 2.0 over TLS with certificates from recognized authorities.

⚠️ Important Disclaimers

Legal Advice

🚨 THIS TOOL IS NOT LEGAL ADVICE 🚨

Regulation text is sourced verbatim from EUR-Lex and UNECE (official public sources). However:

• Control mappings (ISO 27001, NIST CSF) are interpretive aids, not official guidance
• Applicability rules are generalizations, not legal determinations
• Cross-references are research helpers, not compliance mandates

Always verify against official sources and consult qualified legal counsel for compliance decisions.

Token Usage

⚠️ Context Window Warning

Some articles are very large (e.g., MDR Article 123 = ~70,000 tokens). The MCP server:

• Search tool: Returns smart snippets (safe for context)
• Get article tool: Returns full text (may consume significant tokens)
• Recommendation: Use search first, then fetch specific articles as needed

Claude Desktop has a 200k token context window. Monitor your usage when retrieving multiple large articles.

ISO Standards Copyright

No copyrighted ISO standards are included. Control mappings reference ISO 27001:2022 control IDs only (e.g., "A.5.1", "A.8.2"). The actual text of ISO standards requires a paid license from ISO. This tool helps map regulations to controls but doesn't replace the standard itself.

---

Related Projects: Complete Compliance Suite

This server is part of Ansvar's Compliance Suite - three MCP servers that work together for end-to-end compliance coverage:

🇪🇺 EU Regulations MCP (This Project)

Query 61 EU regulations directly from Claude

• GDPR, AI Act, DORA, NIS2, MiFID II, PSD2, eIDAS, MDR, and 41 more
• Full regulatory text with article-level search
• Cross-regulation reference and comparison
• Install: npx @ansvar/eu-regulations-mcp

🇺🇸 US Regulations MCP

Query US federal and state compliance laws directly from Claude

• HIPAA, CCPA, SOX, GLBA, FERPA, COPPA, FDA 21 CFR Part 11, and 8 more
• Federal and state privacy law comparison
• Breach notification timeline mapping
• Install: npm install @ansvar/us-regulations-mcp

🔐 Security Controls MCP

Query 1,451 security controls across 28 frameworks

• ISO 27001, NIST CSF, DORA, PCI DSS, SOC 2, CMMC, FedRAMP, and 21 more
• Bidirectional framework mapping and gap analysis
• Import your purchased standards for official text
• Install: pipx install security-controls-mcp

How They Work Together

Regulations → Controls Implementation Workflow:

1. "What are DORA's ICT risk management requirements?"
   → EU Regulations MCP returns Article 6 full text

2. "What security controls satisfy DORA Article 6?"
   → Security Controls MCP maps to ISO 27001, NIST CSF, and SCF controls

3. "Show me ISO 27001 A.8.1 implementation details"
   → Security Controls MCP returns control requirements and framework mappings

Complete compliance in one chat:

• EU/US Regulations MCPs tell you WHAT compliance requirements you must meet
• Security Controls MCP tells you HOW to implement controls that satisfy those requirements

Specialized: OT/ICS Security

🏭 OT Security MCP

Query IEC 62443, NIST 800-82/53, and MITRE ATT&CK for ICS

• Specialized for OT/ICS environments (manufacturing, energy, critical infrastructure)
• Security levels, Purdue Model, zone/conduit architecture
• MITRE ATT&CK for ICS threat intelligence
• Install: npx @ansvar/ot-security-mcp
• Use case: NIS2-compliant OT operators, industrial manufacturers, critical infrastructure

Specialized: Automotive Cybersecurity

🚗 Automotive Cybersecurity MCP

Query UNECE R155/R156 and ISO 21434

• Complete R155/R156 Revision 2 with all articles and annexes
• ISO 21434 clause guidance and work products
• R155 ↔ ISO 21434 cross-references
• Install: npx @ansvar/automotive-cybersecurity-mcp
• Use case: OEMs, Tier 1/2 suppliers, type approval preparation

Specialized: Sanctions Screening

🚨 Sanctions MCP

Offline-capable sanctions screening for third-party risk

• OFAC, EU, UN sanctions lists via OpenSanctions (30+ lists)
• Fuzzy name matching with confidence scoring
• PEP (Politically Exposed Person) checks
• Install: pip install ansvar-sanctions-mcp
• Use case: DORA Article 28 ICT third-party risk, AML/KYC compliance

---

About Ansvar Systems

We build AI-accelerated threat modeling and compliance tools for automotive, financial services, and healthcare. This MCP server started as our internal reference tool — turns out everyone building for EU markets has the same EUR-Lex frustrations.

So we're open-sourcing it. Navigating 61 regulations shouldn't require a legal team.

ansvar.eu — Stockholm, Sweden

---

Documentation

• Coverage Details — All 61 regulations with article counts
• Use Cases — Industry-specific guidance (fintech, healthcare, IoT, etc.)
• Available Tools — Detailed tool descriptions
• Development Guide — Adding regulations, webhooks, CI/CD
• Troubleshooting — Common issues and fixes
• Roadmap — Upcoming features (delegated acts, national transpositions)
• Coverage Gaps — Known limitations
• Test Queries — 60+ example queries

---

Branching Strategy

This repository uses a dev integration branch. Do not push directly to main.

feature-branch → PR to dev → verify on dev → PR to main → deploy

• main is production-ready. Only receives merges from dev via PR.
• dev is the integration branch. All changes land here first.
• Feature branches are created from dev.

License

Apache License 2.0. See LICENSE for details.

---