FAQ
Getting Started
How does NADOVO work? What is the compliance journey?
NADOVO guides you through EU AI Act compliance in 5 phases. You work through the phases in order:
Phase 1 — Discover: Capture all AI systems in your company (e.g. ChatGPT, Microsoft Copilot, AI-powered HR tools).
Phase 2 — Define: For each AI system, create one or more AI processes — the concrete use case (intended purpose and scope). Based on this intended purpose, NADOVO automatically determines the risk class (under EU AI Act Annex I and III).
Phase 3 — Assess: Evaluate the risks of your AI processes and plan measures for risk mitigation.
Phase 4 — Implement: Ensure sufficient AI competence of your employees (Art. 4 EU AI Act) and implement the necessary measures.
Phase 5 — Monitor: Capture and report AI incidents when something goes wrong.
Important — the core of the NADOVO approach: It is not the AI system that is classified, but the individual AI process (the use case). The intended purpose determines the risk level — the same AI system can be classified differently depending on the application. This is why EU AI Act compliance in NADOVO starts with the process, not the system.
Tip: You do not have to complete all phases at once. Start with Phase 1 and work your way forward step by step. The dashboard shows your progress at all times.
In what order should I proceed?
The recommended order for getting started:
- Add an AI model ("AI Models" module) — first add the models you use to "My models" (select from the catalog or create a custom model). Important: when creating an AI system you can only choose from models you have already added — you cannot add a model from within the AI system wizard. If the model you need is missing, briefly leave the wizard (your draft is preserved), add it in the "AI Models" module and return.
- Create AI system (Phase 1) — enter your AI system and link the model(s). If the model is not yet known or none is set up, select "Model unknown". The wizard guides you through 5 steps.
- Release AI system — set the status to "In operation".
- Create AI process (Phase 2) — describe the use case (intended purpose and scope). NADOVO classifies the process automatically.
- Release AI process — for high-risk processes, you must first perform an assessment (see below).
- Training & measures (Phase 4) — document your employees' AI competence and implement the measures.
Important: An AI process can only be released once the linked AI system has the status "In operation". NADOVO will notify you if anything is missing.
What is the difference between AI system, AI process and assessment?
These three elements form the core of NADOVO:
AI system (Phase 1): This is the technology itself — for example "ChatGPT" or "Microsoft Copilot". Here you capture which AI model you are using, where it is hosted, and who is responsible for it.
AI process (Phase 2): This is the concrete use case of an AI system — for example "Customer support via ChatGPT" or "Application pre-screening with an AI HR tool". An AI system can have multiple processes. Key point: it is the process that is classified, not the system — the same AI system can have different risk levels depending on the use case.
Assessment (Phase 3): This is the risk evaluation for a specific AI process. Here you identify risks, define measures, and document how you keep those risks under control.
Relationship: An AI system has one or more AI processes. Each AI process can have an assessment. The three elements are linked — changes to one element can affect the others.
How do I manage my team and roles?
In the "Organisation" module (visible to company admins), the "Employees" tab is where you manage your team:
- Add employee: you invite by email, first and last name; the person receives an email with a sign-up link. New employees are automatically assigned the "Employee" role.
- Status: Active, Inactive, Pending (open invitation) or Expired. You can deactivate/activate employees and resend or delete invitations.
Roles:
- Company Admin — full access including the Organisation and team management
- Employee — standard access to the company features
In the "Company" tab you also maintain your company profile and the person responsible for EU AI Act compliance — this data flows automatically into official documents.
AI Models
What is the difference between AI models and AI systems?
AI models are the underlying models (e.g. GPT-4, Claude, Gemini) — a library you choose from. In the "AI Models" module you define under "My models" which models are used in your company.
AI systems (Phase 1) are the concrete AI systems you actually deploy and must document under the EU AI Act. An AI system references one or more AI models: when creating it, you select the models used in the "AI selection" step — from the models you have already added — and specify each model's "role in the system" (e.g. classifier, generator).
In short: the AI model is the underlying technology, the AI system is your specific use of it.
How do I add AI models? Can I import my own?
The "AI Models" module has two areas:
- Model catalog: a central library of known models curated by NADOVO. With "Select" you add a model to "My models" (or "Select all from {provider}" for all of a provider's models).
- My models: your selected models, grouped by provider.
Using a model that isn't in the catalog? With "Add custom model" you create a company-specific model (name, provider, version, category, description) — it gets the "Custom model" badge.
No matching model yet? If you don't yet know which model is used — or forgot to add it — you can still create the AI system and select the "unknown" model when linking, then add the specific model later.
Note: There is no file import (e.g. JSON) for end users — the catalog is maintained centrally. So you either select from the catalog or add your own models.
AI Systems (Phase 1)
What do the different AI system statuses mean?
| Status | Meaning | What you can do |
|---|---|---|
| Draft | The system is still being edited | Edit, delete or release |
| In operation | The system is active and released | Deactivate or create new version |
| Out of operation | The system is temporarily not in operation | Reactivate |
| Retired | The system was replaced by a new version | View only, no further editing |
What happens when I deactivate an AI system?
When you deactivate an AI system, NADOVO automatically updates all linked elements:
- AI processes connected to this system are set to "Paused"
- Assessments connected to these processes receive the status "Review required"
Why? When an AI system is no longer in operation, the associated processes cannot continue to run. The EU AI Act regulation requires you to keep your risk assessments up to date — when something on the system changes, the assessments must be reviewed.
What do you need to do?
- If the deactivation is temporary: reactivate the system later. When reactivating, you decide per process whether it is reactivated or stays paused; the associated assessments remain at "Review required" and must be checked again.
- If the deactivation is permanent: archive the processes and, if applicable, create new ones for a replacement system.
What does "Create new version" mean for an AI system?
When something substantial changes on an AI system — for example a different AI model, new infrastructure, or a new data location — you create a new version instead of overwriting the existing system.
Why a new version instead of just editing? The EU AI Act requires that changes are documented traceably (Art. 12). With versioning, the old state is preserved and the change is verifiable at any time — including for auditors and supervisory authorities.
What happens when you create a new version?
- NADOVO copies all data of the current version into a new draft
- You edit the changed fields in the wizard
- In the last step you see a summary of the changes
- After release, the old version is archived and the new version becomes active
- Linked AI processes are paused and must also be updated
Tip: You do not have to manage version numbers yourself. NADOVO automatically detects what has changed and suggests a suitable version.
AI Processes (Phase 2)
What is a risk class and how is it determined?
The EU AI Act distinguishes four risk levels (the app shows these labels in English). In NADOVO the risk class applies to the AI process (the use case), not to the AI system as a whole:
| Risk level | Meaning | Examples | Consequence |
|---|---|---|---|
| UNACCEPTABLE | Banned AI practices | Social scoring, manipulative systems | Must not be used |
| HIGH-RISK | High-risk AI in sensitive areas | Application pre-screening, credit scoring, biometric identification | Strict requirements, mandatory assessment |
| LIMITED | AI with transparency obligations | Chatbots, deepfake detection | Transparency requirements |
| MINIMAL | Low risk | Spam filters, AI-powered search | No special requirements |
How does NADOVO determine the risk level? Automatically — per process. From your entries (intended purpose and scope), NADOVO recognizes relevant terms and matches them against the official criteria of the EU AI Act regulation (Annex I and III). This immediately produces a classification suggestion — a quick, supporting starting point for your assessment. The expert decision stays with you: you review the suggestion and adjust it if needed.
Can I change the risk level? Yes. If you believe the automatic classification is incorrect, you can override it manually. You can optionally provide a justification, which is documented in the audit trail.
Disclaimer (risk classification): This risk class is an automatically generated suggestion intended to support the assessment. It does not constitute a legally binding classification. The binding classification and the responsibility for it lie with the provider or deployer of the assessed AI system. A professional and legal review of the result is recommended.
Why can't I release my high-risk process?
For AI processes with the risk level "HIGH-RISK" or "UNACCEPTABLE", stricter requirements apply. Release is a multi-stage process:
Step 1: Complete the process in the wizard (finish all 5 steps)
Step 2: Submit the process "For review" — This signals that the process is ready for a risk assessment.
Step 3: Perform the assessment — Go to the "Risk management" area and perform a risk assessment for this process. The assessment includes:
- Identifying risks
- Evaluating likelihood and impact
- Defining measures for risk mitigation
- Creating a Human Oversight Plan
- Carrying out a Fundamental Rights Impact Assessment (FRIA)
Step 4: Approve the assessment — Make sure all mandatory fields are filled in (at least 1 risk, at least 1 measure per risk, Human Oversight Level, all FRIA categories rated).
Step 5: Release the process — Only when the assessment has the status "Approved" can you release the process.
Why so many steps? Art. 9 of the EU AI Act regulation requires that high-risk AI systems undergo a documented risk management process BEFORE they are deployed. The multi-stage release ensures that you can demonstrably meet this requirement.
Processes with low risk (LIMITED/MINIMAL): Here a direct release without an assessment is sufficient. NADOVO detects the risk level automatically and adjusts the release process accordingly.
What does the status "Paused" mean for an AI process?
A process is paused automatically when something changes on the linked AI system:
Reason 1 — AI system deactivated: The system was temporarily taken out of operation. As soon as the system is reactivated, you can reactivate the process as well.
Reason 2 — New version of the AI system: A new version of the AI system was released. The old version has been archived, and the process still points to the old version. You need to create a new process version and link the new AI system.
How do I find out why my process is paused? NADOVO shows you the next step directly in the process overview:
- "Reactivate" — when the AI system is active again
- "Create new version" — when the AI system has been replaced by a new version
- "AI system must be activated first" — when the AI system is still deactivated
What happens to my assessment when the process is changed?
When you substantially change an AI process, the associated assessment must be reviewed. NADOVO automatically sets the assessment status to "Review required" in the following cases:
- The risk class has changed (e.g. from "LIMITED" to "HIGH-RISK")
- The linked AI system has been swapped
- The linked AI system was deactivated — the process is paused and the assessment must be reviewed
What do you need to do? Open the assessment, check whether the risk evaluation is still up to date, and approve it again. If the risk class has changed, you may need to identify additional risks or perform the FRIA.
Note: Assessments still in progress ("In progress") are not changed automatically — they still need to be completed anyway.
Risk Evaluation & Assessment (Phase 3)
What is an assessment and when do I need one?
An assessment is a systematic risk evaluation for an AI process. NADOVO automatically indicates whether an assessment is required:
| Indicator | Meaning | Action |
|---|---|---|
| "Required" | High-risk process — assessment is mandatory | Assessment must be performed and approved before the process can be released |
| "Recommended" | The process handles personal data, operates with high autonomy or continuously learns | Assessment is recommended but not mandatory for release |
| "Not required" | Low risk, no special characteristics | No assessment needed |
What must be included in an assessment for high-risk processes?
The EU AI Act sets clear requirements for risk management of high-risk AI. NADOVO guides you through the assessment in 6 steps:
Step 1 — Select process: Choose the AI process for which you want to perform the assessment.
Step 2 — Check prohibited practices: Check whether your AI use falls under the prohibited practices in Annex I.
Step 3 — Identify risks: Capture all relevant risks for your AI use (e.g. discrimination, data protection breach, faulty decisions).
Step 4 — Evaluation and measures: Evaluate each risk by likelihood and impact. Define at least one mitigation measure for each risk.
Step 5 — Human Oversight and FRIA:
- Human Oversight: Define how humans monitor AI decisions and can intervene.
- FRIA (Fundamental Rights Impact Assessment): Evaluate the impact on fundamental rights across 6 categories.
Step 6 — Summary: Review the overall evaluation and accept the residual risk.
Mandatory fields for approval:
- At least 1 risk identified
- For each risk, at least 1 measure defined
- Human Oversight Level set
- All 6 FRIA categories rated
What does "Review required" mean for an assessment?
This status means that something has changed in the context and you need to check whether your risk evaluation is still current.
Possible triggers:
- The linked AI system was deactivated (the process is paused)
- The linked AI system was swapped
- The risk class of the process has changed
What do you need to do?
- Open the assessment
- Check whether the identified risks and measures still apply
- Adjust the evaluation if needed
- Approve the assessment again
Versioning
Why are there versions, and what do the numbers mean?
NADOVO uses version numbers (e.g. 1.0.0, 1.1.0, 2.0.0) to document changes to AI systems and AI processes traceably. This matters because the EU AI Act requires changes to AI systems to be documented and retained for at least 10 years (Art. 12).
You do not need to worry about the version numbers. NADOVO automatically detects what has changed and suggests a suitable version number. You can simply accept the suggestion.
If you're curious — here's how the logic works:
| Change | Example | Version number |
|---|---|---|
| Substantial change | Different AI model, different role, different infrastructure | 1.0.0 → 2.0.0 |
| Minor change | New responsible person, updated description | 1.0.0 → 1.1.0 |
| Minimal change | Correction in the name, notes updated | 1.0.0 → 1.0.1 |
Can I still edit a released AI system or process?
No — and that is by design. A released element represents a reviewed and documented state. If you want to make changes, create a new version:
- Click "Create new version" in the action menu
- NADOVO creates a copy as a draft
- Edit the desired fields
- In the last wizard step you see a summary of the changes
- Release the new version
The old version is archived automatically. All changes are documented in the audit trail.
Why can't I just overwrite? If an auditor or supervisory authority wants to trace how your AI system was configured 2 years ago, the old state must be available. Versioning makes that possible at any time.
Phase 4 — Training & Measures
Is training mandatory? What does the EU AI Act require?
A specific training course is not legally required. Article 4 of the EU AI Act requires that people who operate or use AI systems have a sufficient level of AI competence ("AI literacy") — and that you, as a company, take appropriate measures to achieve it. So it is about demonstrable competence, not a mandatory training.
In NADOVO we deliberately model this competence as training — because in everyday business it is the clearest approach, is already common practice in many companies, and is easiest to track and prove. This lets you plan, document and evidence your employees' AI competence in one place.
What you should do:
- Ensure sufficient AI competence for everyone who works with AI systems — e.g. via training, briefings or guidelines
- Document this in NADOVO
- Upload records (certificates, attendance confirmations)
- Keep an eye on validity — NADOVO shows you when a record expires
How do I manage my employees' AI competence?
You document and evidence your employees' AI competence in Training Management — there, NADOVO maps the competence records as training:
- Create: record a training session with participants, date and format (e.g. in-person, online, self-study); optionally mark it as mandatory.
- Participant tracking: maintain the status per participant (invited, completed, absent) — individually or "complete all".
- Records: upload certificates/attendance confirmations (PDF/DOC/PPT, max. 10 MB).
- Validity & recertification: based on a validity period, NADOVO calculates an expiry date and shows via a badge whether a record is valid, expiring soon or expired.
- Templates: reuse existing training as a template.
This keeps your team's AI competence documented and verifiable in one place.
How do I document risk-mitigation measures (Phase 4)?
In the "Task Management" module you track the risk-mitigation measures — i.e. implementing the measures defined in the assessment (Phase 3).
- Origin: measures are derived automatically from risk assessments or created manually ("New task"). Measures derived from assessments are linked to the corresponding risk and process; manually created tasks are not linked to any process.
- Fields: title, type (technical, organizational, human oversight), description, responsible person, due date.
- Completion: in the overview you mark a measure as open or implemented via a checkbox; overdue measures are highlighted.
- Export: measures can be exported as CSV/JSON or to tools such as Trello, Teams Planner or Jira.
Incident Management (Phase 5)
What is an AI incident and when do I have to report it?
An AI incident is an event in which an AI system leads to harm or malfunction — for example discriminatory decisions, data protection breaches, or faulty outcomes with real-world effects.
Reporting deadlines under EU AI Act (Art. 73) — each from discovery of the incident:
| Severity | Reporting deadline | Example |
|---|---|---|
| Critical | 2 days | AI system causes significant harm to health or safety |
| Serious | 15 days | AI system systematically makes discriminatory decisions |
| Minor | No reporting obligation | Isolated error without larger effects |
NADOVO shows the remaining reporting deadline as a color-coded indicator so you don't miss a deadline.
How do I report an incident to the authority?
For reportable incidents (serious/critical), NADOVO supports you with the reporting workflow in the incident detail:
- Responsible authority: depending on your company's country (e.g. Germany: Bundesnetzagentur, plus AT/CH/EU), NADOVO shows the contact details (email, portal, phone). Prerequisite: the country must be maintained in your company profile in the "Organisation" module — otherwise the correct authority cannot be determined and NADOVO only shows a general EU reference.
- Prepare the report: you can copy a prepared notification text or download it as an .eml file; you record the authority's case number in the incident.
- Status: the incident moves through New → Authority notified → Resolved (and can be withdrawn if needed).
- Document the resolution: record the root cause as well as corrective and preventive actions to close the incident traceably.
Incidents with the "Minor" severity generally have no reporting obligation.
Audit Trail & Documentation
What does NADOVO document automatically?
NADOVO automatically logs all changes to your AI systems, processes, assessments, training, and incidents. You don't have to document anything manually.
What is recorded:
- Who changed what, and when
- Which fields were changed (old and new value)
- Releases and approvals
- Status changes (including automatic ones, e.g. through cascading)
- Risk classifications and changes to them
Retention: 10 years, as required by EU AI Act Art. 12.
Export: You can export the audit trail as PDF (read-only), CSV or JSON at any time.
Where do I find the audit trail?
You find the audit trail directly on each element — there is no separate audit module. Open an AI system, a process, an assessment, a training or an incident and open the audit trail dialog there. It shows the full change history (who, what, when; old and new value) and can be exported as PDF (read-only), CSV or JSON.
Note: The audit trail button is only visible to company admins.
Relationships & Automations
Why do status values change automatically?
NADOVO ensures that your compliance documentation stays consistent. When something changes on an AI system, the linked processes and assessments must be reviewed — this is a requirement of the EU AI Act (Art. 9, Risk Management).
Overview of automatic status changes:
| What you do | What NADOVO does automatically | Why |
|---|---|---|
| Deactivate AI system | Processes → Paused, Assessments → Review required | System no longer in operation, processes cannot continue |
| Reactivate AI system | Selected processes → Released again | System is in operation again |
| Release new version of AI system | Old processes → Paused | Old system was replaced, processes must be moved to the new version |
| Risk class of a process changes | Assessment → Review required | Risk evaluation was based on the old risk class |
| Link a new AI system in the process | Assessment → Review required | Risk evaluation was based on the old system |
Rule of thumb: When NADOVO changes a status automatically, the platform shows you the next step directly in the overview. Just follow the hints.
How do AI system, process and assessment relate to each other?
The three elements are linked hierarchically:
AI system (e.g. "ChatGPT")
|
|-- In operation, v1.2.0
|
+-- AI process (e.g. "Customer support")
| |
| |-- Released, v1.0.0
| |
| +-- Assessment (risk evaluation)
| |-- Approved
|
+-- AI process (e.g. "Content creation")
|
|-- Draft, v1.0.0Rule: An AI system must be "In operation" before linked processes can be released. For high-risk processes, an assessment must additionally be approved before the process can be released.
Changes flow top-down: When the AI system changes, processes and assessments are updated automatically. The reverse is not true — a change to the assessment has no impact on the AI system.
As of June 2026