Can I use ChatGPT for customer data?

Only with proper DPA and SCCs. We recommend EU-hosted alternatives or anonymization first.

Do automations count as automated decision-making?

Not usually. GDPR Article 22 applies to decisions with legal or significant effects. Most workflow automations are excluded.

Is my support chatbot high-risk?

Usually not. High-risk applies to decisions affecting rights or safety. FAQ bots are limited risk, requiring only transparency.

What about AI for CV screening?

This is explicitly high-risk under Annex III. Requires full documentation, testing, and human oversight.

Does NIS2 apply to my suppliers?

Yes. You must audit supplier security. This affects an estimated 50,000 additional companies indirectly.

What if I am under 50 employees?

Size thresholds have exceptions. Trust services, DNS providers, and TLD registries are covered regardless of size.

What is the third-party provider register?

A detailed list of all ICT vendors, contracts, and dependencies. Deadline: April 30, 2025.

Does DORA apply to our automation tools?

If they process financial data or support critical functions, yes. They must be documented and auditable.

Compliance & Regulations for AI Automation

GDPR

Since 2018

The General Data Protection Regulation governs how personal data of EU residents is collected, stored, and processed.

Who is affected?

Any company processing personal data of EU residents, regardless of where the company is located.

Key Requirements

Purpose limitation: Data only for specified purposes
Data minimization: Collect only what you need
Right to erasure: Delete data on request
Breach notification: 72 hours to report
Data Processing Agreements with all processors

Business Implications

US cloud services require Standard Contractual Clauses (SCCs) and additional safeguards
AI tools processing personal data need Data Processing Agreements
Automated decision-making requires human oversight option

FluxHuman Approach

EU hosting preferred. No data to US services without your consent. All automations documented.

FAQ

EU AI Act

Phased 2024-2027

The world's first comprehensive AI regulation. Classifies AI systems by risk level and sets requirements accordingly.

Who is affected?

Anyone developing or deploying AI systems in the EU. Requirements depend on risk classification.

Timeline

Phase 1Feb 2025: Prohibited AI practices banned

Phase 2Aug 2025: GPAI model rules apply

Phase 3Aug 2026: High-risk AI rules enforced

Risk Categories

Prohibited: Social scoring, manipulative AI, real-time biometrics in public
High-Risk: HR decisions, credit scoring, critical infrastructure
Limited Risk: Chatbots (transparency required)
Minimal Risk: Most business automation

Business Implications

High-risk AI requires conformity assessment, documentation, human oversight
Chatbots must disclose they are AI
Most workflow automation falls under minimal risk

FluxHuman Approach

We design use cases to stay in the minimal or limited risk categories where possible.

FAQ

NIS2

DE: Dec 2025 / AT: Oct 2026

The Network and Information Security Directive 2 expands cybersecurity requirements to more sectors and smaller companies.

Who is affected?

Medium and large companies (50+ employees or €10M+ turnover) in covered sectors. In Germany: ~30,000 companies.

Covered Sectors

Energy, Transport, Banking, Healthcare, Digital Infrastructure, Manufacturing, Waste, Chemicals, Food, Postal, Research

Key Requirements

Risk management policies and procedures
Incident reporting within 24 hours
Supply chain security audits
Business continuity plans
Management liability: Directors personally accountable

Business Implications

Software vendors become part of your attack surface
Security questionnaires for every new tool
No more shadow IT purchases by departments

FluxHuman Approach

Open standards, documented processes, no black boxes. We provide security documentation.

FAQ

DORA

Since Jan 2025

The Digital Operational Resilience Act creates a unified framework for ICT risk management in the financial sector.

Who is affected?

Banks, insurers, investment firms, payment providers, crypto service providers, and their critical ICT providers.

Key Requirements

ICT risk management framework
Incident classification and reporting
Regular resilience testing
Third-party provider register (due April 2025)
Exit strategies for all critical vendors

Business Implications

No vendor lock-in allowed, must be able to switch providers
All ICT providers must be documented and monitored
Contracts must include security, audit rights, and exit clauses

FluxHuman Approach

No vendor lock-in. Open standards. Exit strategy always possible. Full documentation.

Understand regulations. Use automation right.

EU AI Act

Who is affected?

Timeline

Risk Categories

Business Implications

FluxHuman Approach

FAQ

NIS2

Who is affected?

Covered Sectors

Key Requirements

Business Implications

FluxHuman Approach

FAQ

DORA

Who is affected?

Key Requirements

Business Implications

FluxHuman Approach

FAQ

Our Principles

Vendor Freedom

Maintainable by Anyone

AI Only Where It Helps

You Approve What Matters

Not Sure Which Regulations Apply?