You built a tool server. Claude calls it. Now the EU wants to know: are you a regulated AI deployer? Find your risk tier in 2 minutes — before the August 2026 enforcement deadline.
The Model Context Protocol is infrastructure — a transport layer that lets AI hosts like Claude, Cursor, or Windsurf call your tools and read your resources. Most MCP server developers assume they're writing plumbing, not AI. That framing is legally untested and increasingly risky.
Under the EU AI Act's Article 3 definition, an "AI system" is a machine-based system designed to infer from inputs how to generate outputs such as actions, content, predictions, or recommendations. When your MCP server exposes a `search_documents` tool that an AI model calls, who designed the inference loop? You did — you defined the schema, the retrieval logic, and what context gets passed to the model. In regulatory terms, you may be a deployer who has integrated a GPAI model into a system that operates in a specific domain. Deployers carry real obligations under the Act, regardless of whether the underlying model is OpenAI's or Anthropic's.
The risk tier depends entirely on what your server exposes and in what domain. An MCP server that reads public GitHub repos is probably minimal risk. An MCP server that reads employee HR records so an AI agent can draft performance reviews lands squarely in Annex III territory — and that means mandatory conformity assessments, technical documentation, and audit trails before you ship to EU users.
- High risk: MCP servers exposing HR databases, medical records, financial data, legal case files, or law enforcement systems. Conformity assessment required before EU deployment.
- Limited risk: MCP servers powering chatbot interfaces where EU users interact. Article 50 requires clear disclosure that they're communicating with an AI system.
- Minimal risk: MCP servers reading public repos, docs, or dev tooling. No mandatory obligations — but robots.txt and AI disclosure are still best practice.
The filesystem MCP server from Anthropic is the most widely deployed reference implementation. In a personal developer workflow on a local machine, it's minimal risk — no EU Act obligations. But when that same server is deployed in a SaaS product where an AI agent reads customer-uploaded documents, analyzes them, and takes actions, the calculus changes. If those documents contain personal data about EU subjects — employment contracts, medical histories, financial statements — and the agent's actions influence decisions about those people, you're assembling a high-risk AI system. Run the full assessment to draw the exact line for your deployment context.
Building an MCP server that exposes `query_database` and `run_sql` tools so a Claude agent can answer business questions directly against a production database? The risk tier depends entirely on the schema. An agent querying an analytics table of anonymized pageviews: minimal risk. An agent querying an HR database to help managers pull individual performance metrics and draft promotion recommendations: this is Annex III's "employment and workers management" category — high risk. The assessment maps your specific tables and use case against the regulatory text so there's no guesswork.
Gmail and Outlook MCP connectors that let AI agents read, draft, and send emails on behalf of users are among the most powerful in the ecosystem — and among the most legally ambiguous. The EU AI Act doesn't classify email management as inherently high-risk, but an AI agent that reads emails, infers relationship dynamics, and takes automated actions (scheduling meetings, sending replies, triaging to lawyers) is making consequential decisions on behalf of real people. If those people are EU data subjects, Article 50 transparency obligations apply at minimum, and you need to assess whether the automated decision-making loop triggers GDPR Article 22 on top of EU AI Act obligations. The assessment covers both angles.
Many teams are building MCP servers over their Notion workspace, Confluence wiki, or internal docs so employees can ask an AI assistant questions about company policy, product specs, or procedures. This is the textbook minimal-to-limited-risk scenario. No Annex III categories apply when the content is non-sensitive internal documentation. But if that same server also exposes HR policies, compensation bands, or disciplinary procedures — and the AI assistant is available to employees asking about their own employment situation — you may cross into the employment management category. The risk boundary is fuzzier than it looks, and the assessment tells you exactly where it falls.
Puppeteer-based and Playwright-based MCP servers that let agents browse the web, extract data, and compile research reports are increasingly common. As a standalone research tool for developers, this is minimal risk. But when the scraping output feeds into scoring, ranking, or decision-making about individuals — for example, an agent that researches job candidates and produces a hiring recommendation — you've built an employment-related AI system that may be high-risk under Annex III regardless of whether a human reviews the final output. The key is the purpose of the output, not just the mechanism of collection.
Enterprise compliance platforms price for legal teams at Fortune 500 companies — not for the MCP developer shipping on a weekend. Here's the honest comparison for the core assessment use case:
| Tool | Price | MCP / Developer Context | Instant Report | No Login Required |
|---|---|---|---|---|
| TinyTools EU AI Act Assessment | Free | ✓ Yes | ✓ Yes | ✓ Yes |
| Securiti AI Governance | ~$30k/yr | ✗ Generic | ✓ Yes | ✗ No |
| OneTrust AI Governance | ~$25k+/yr | ✗ Generic | ✓ Yes | ✗ No |
| TrustArc AI Risk Manager | ~$15k/yr | ✗ Generic | ✗ Delayed | ✗ No |
| Lumenova AI Compliance | ~$10k/yr | ✗ Generic | ✓ Yes | ✗ No |
| DIY (reading EUR-Lex) | Free | ✗ Manual | ✗ No | ✓ Yes |
Enterprise pricing estimates based on publicly available tiers as of 2026. TinyTools is free and fully browser-side — no data about your server ever leaves your device.
Implementing the protocol alone does not. Deploying a system where an AI model calls your MCP server to take actions that affect real people in the EU is what creates obligations. The protocol is transport; the deployed capability is the regulated system.
Anthropic is responsible for Claude as a GPAI model provider. You are responsible for how you deploy Claude within your specific system. These are separate regulatory roles. Anthropic's compliance with GPAI rules does not discharge your deployer obligations if you're using Claude in a high-risk context.
If you're a developer using your own server locally for personal productivity, there's a strong argument the Act doesn't apply — you're not deploying a system that affects other persons. But the moment you distribute the server as a product or service used by others in the EU, the Act's deployer framework becomes relevant.
For violations related to high-risk systems: up to €15 million or 3% of global annual turnover, whichever is higher. For smaller companies, the absolute cap of €15 million is the binding limit. These penalties apply from August 2026 for Annex III high-risk systems.
The key questions are: what domain does the output affect (employment, health, finance, law enforcement, education, critical infrastructure, biometrics, or migration)? And does the output influence a decision about a specific person? If yes to both, you're likely high-risk under Annex III. The assessment walks through all eight categories with concrete examples.