Knowledge & Best Practices
This page combines background on the EU AI Act and practical best practices for getting started and ongoing operation. How the NADOVO platform is structured and how the 5-phase framework works is explained in Getting started. Specific how-to questions are answered in the FAQ.
The EU AI Act – in brief
The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive AI regulation in the world. It follows a risk-based approach: the higher the risk of an AI application, the stricter the obligations. It entered into force on 1 August 2024, but the obligations apply in staggered phases.
Who does it affect? Providers and deployers of AI systems — including those outside the EU, as soon as the AI is used in the EU or its output is used there. For SMEs, the deployer role is the most relevant (see below).
The key deadlines:
- 2 February 2025 — The prohibitions (Article 5) apply, and the AI literacy obligation (Article 4) takes effect.
- 2 August 2025 — Obligations for providers of general-purpose AI models (GPAI).
- 2 August 2026 — Most of the regulation applies, in particular to high-risk systems under Annex III: conformity assessment, registration, risk management, logging and human oversight.
- 2 August 2027 — High-risk systems under Annex I (regulated products) and a transition period for previously placed GPAI models.
Full guide
A detailed explanation of the EU AI Act, the obligations and deadlines is in the free guide "EU AI Act Compliance for SMEs": download the PDF.
Risk classes & roles
The EU AI Act distinguishes four risk classes:
- Unacceptable (prohibited) — practices under Article 5, e.g. social scoring or certain manipulative and biometric applications. Such systems are banned and must be discontinued.
- High — systems under Annex III (eight areas, including employment and essential services) or Annex I. The most extensive obligations apply here; in NADOVO a risk assessment is mandatory for high-risk processes before the process can be released.
- Limited — transparency obligations apply (Article 50): users must be able to tell that they are interacting with an AI (e.g. chatbots), and synthetic content must be labelled.
- Minimal — no specific obligations. The vast majority of AI applications fall into this class.
Two roles determine the scope of your obligations:
- Provider — develops an AI system or places it on the market under its own name. The more extensive obligations apply.
- Deployer — uses an AI system under its own responsibility in a professional capacity. The obligations are more manageable. Most mid-sized companies are deployers for all of their AI systems.
The core formula
Asset + application area = AI process — and from that the risk class follows. An AI system alone says nothing about the risk; only the use case determines the classification. More on this in the NADOVO framework.
Best practices: getting started
Where do I start if I haven't captured anything yet?
Begin with the five to ten most important AI systems rather than aiming for completeness from the outset. Here is how to get an overview:
- Go through your IT landscape: which software in use has AI features? Many standard applications (Microsoft 365 Copilot, CRM with lead scoring, accounting with document classification) now contain AI.
- Ask the departments: which AI tools are used in each department?
- Check cloud services: which SaaS solutions use AI in the background? Such features are often added later via updates.
An inventory that captures around 80% of your AI systems is the basis for everything else. Then go through the NADOVO sequence for each system: clarify the role → describe the AI process (use case) → the risk class follows automatically.
Tip: It is better to start with 80% and add to it step by step than to wait for the perfect complete picture.
What is "shadow AI" — and how do I find it?
Shadow AI refers to AI tools used in the company without IT or the compliance officers knowing about them. Typical cases are employees who use ChatGPT, Midjourney or DeepL on their own — or standard software that gains new AI features via an update.
Why this is a risk: what is not captured cannot be assessed — neither in terms of risk class nor data protection.
How to uncover shadow AI:
- Ask specifically in the departments which AI tools and features are actually used.
- Review the current feature lists of your cloud services — AI features have often been added that did not exist at procurement.
- Set up an internal AI usage policy that clarifies which tools are allowed and which data must not go into external AI services.
Then capture any uncovered tools as an AI system in NADOVO.
How many AI systems does a typical company have?
Most mid-sized companies (50-500 employees) use 5-20 AI systems, often without realising it. Typical examples:
- ChatGPT / Claude — Text generation, research, summaries
- Microsoft Copilot — Office automation, email drafts
- AI-powered HR tools — Application pre-screening, employee analysis
- Chatbots — Customer support on the website
- AI analytics tools — Sales forecasts, fraud detection
- AI translation tools — DeepL, Google Translate in business operations
Tip: Ask around in all departments which AI tools are in use. Often employees use AI tools on their own without IT knowing.
Organising responsibility
Who should be responsible for AI compliance in the company?
Ideally there is a central point of contact who coordinates AI compliance. This can be:
- the data protection officer with an extended mandate,
- the IT lead, or
- a specifically designated person.
In NADOVO you set the person responsible for the EU AI Act in the Organisation module.
No staff for this? With the External AI Compliance Officer, NADOVO formally assumes responsibility as your external AI officer — including formal appointment, ongoing monitoring of regulatory changes, quarterly reviews and audit support. This way you are covered from week 1, without building internal expertise or hiring staff.
Quick wins & ongoing operation
What are typical "quick wins" at the start?
Some measures can be implemented immediately and with little effort — and noticeably reduce risk:
- Add a transparency notice: when customers interact with a chatbot or an AI, inform them (transparency obligation under Article 50).
- Set up an internal AI usage policy: rules on which AI tools are allowed and which data must not be entered into external AI services.
- Appoint a responsible person: a central point of contact for all AI topics.
- Capture the most important systems first: even an 80% inventory creates an overview and enables prioritisation.
These steps cost little but immediately lay the basis for the further phases.
How often should I review my AI compliance?
At least annually — or on the following occasions:
- An AI system is updated or replaced
- A new AI system is introduced
- An AI incident occurs
- Regulation changes (new guidelines, implementing regulations)
- The area of use of an AI system changes
NADOVO supports you with automatic status changes and the dashboard, which shows you open tasks and critical incidents.
Legal & guide
Do I need a lawyer for EU AI Act compliance?
NADOVO does not replace legal advice, but it significantly reduces the need for it:
- The automatic risk classification gives you a quick starting point — instead of working through the 113 articles and 13 annexes of the regulation yourself
- The structured assessments guide you through the regulatory requirements without requiring you to know the legal text in detail
- The 10-year documentation ensures your compliance is verifiable at any time
When to bring in a lawyer:
- If you use AI systems with a "HIGH-RISK" risk level and are unsure whether the classification is correct
- If you place AI systems on the market as a provider
- If an AI incident with serious consequences occurs
Disclaimer (risk classification): This risk class is an automatically generated suggestion intended to support the assessment. It does not constitute a legally binding classification. The binding classification and the responsibility for it lie with the provider or deployer of the assessed AI system. A professional and legal review of the result is recommended.
As of June 2026
