Can I use ChatGPT for customer data?

Only with proper DPA and SCCs. We recommend EU-hosted alternatives or anonymization first.

Do automations count as automated decision-making?

Not usually. GDPR Article 22 applies to decisions with legal or significant effects. Most workflow automations are excluded.

Is my support chatbot high-risk?

Usually not. High-risk applies to decisions affecting rights or safety. FAQ bots are limited risk, requiring only transparency.

What about AI for CV screening?

This is explicitly high-risk under Annex III. Requires full documentation, testing, and human oversight.

Does NIS2 apply to my suppliers?

Yes. You must audit supplier security. This affects an estimated 50,000 additional companies indirectly.

What if I am under 50 employees?

Size thresholds have exceptions. Trust services, DNS providers, and TLD registries are covered regardless of size.

What is the third-party provider register?

A detailed list of all ICT vendors, contracts, and dependencies. Deadline: April 30, 2025.

Does DORA apply to our automation tools?

If they process financial data or support critical functions, yes. They must be documented and auditable.

Compliance & Regulations for AI Automation

Since 2018

GDPR

The General Data Protection Regulation governs how personal data of EU residents is collected, stored, and processed.

Who is affected?

Any company processing personal data of EU residents, regardless of where the company is located.

Key Requirements

Purpose limitation: Data only for specified purposes
Data minimization: Collect only what you need
Right to erasure: Delete data on request
Breach notification: 72 hours to report
Data Processing Agreements with all processors

Business Implications

US cloud services require Standard Contractual Clauses (SCCs) and additional safeguards
AI tools processing personal data need Data Processing Agreements
Automated decision-making requires human oversight option

FluxHuman Advantage

Data Sovereignty using Self-Hosting: We prefer n8n on your servers (or EU cloud like Hetzner). Data stays in your jurisdiction.
Local AI: With our "Sovereign" package, LLMs run locally. No data sent to OpenAI.
Data Minimization: Our scripts process data transiently without unnecessary storage.

FAQ

Phased 2024-2027

EU AI Act

The world's first comprehensive AI regulation. Classifies AI systems by risk level and sets requirements accordingly.

Who is affected?

Anyone developing or deploying AI systems in the EU. Requirements depend on risk classification.

Timeline

Phase 1Feb 2025: Prohibited AI practices banned

Phase 2Aug 2025: GPAI model rules apply

Phase 3Aug 2026: High-risk AI rules enforced

Risk Categories

Prohibited: Social scoring, manipulative AI, real-time biometrics in public
High-Risk: HR decisions, credit scoring, critical infrastructure
Limited Risk: Chatbots (transparency required)
Minimal Risk: Most business automation

Business Implications

High-risk AI requires conformity assessment, documentation, human oversight
Chatbots must disclose they are AI
Most workflow automation falls under minimal risk

FluxHuman Advantage

Determinism over Hallucination: Human-in-the-Loop processes require approval for critical decisions.
Transparency: You own the source code, so AI operations are fully auditable. No black box.
Categorization: We focus on "Minimal Risk" automation and "Limited Risk" chatbots.

FAQ

DE: Dec 2025 / AT: Oct 2026

NIS2

The Network and Information Security Directive 2 expands cybersecurity requirements to more sectors and smaller companies.

Who is affected?

Medium and large companies (50+ employees or €10M+ turnover) in covered sectors. In Germany: ~30,000 companies.

Covered Sectors

Energy, Transport, Banking, Healthcare, Digital Infrastructure, Manufacturing, Waste, Chemicals, Food, Postal, Research

Key Requirements

Risk management policies and procedures
Incident reporting within 24 hours
Supply chain security audits
Business continuity plans
Management liability: Directors personally accountable

Business Implications

Software vendors become part of your attack surface
Security questionnaires for every new tool
No more shadow IT purchases by departments

FluxHuman Advantage

Zero Supply Chain Risk: You get the keys. No permanent vendor access.
Minimized Attack Surface: Self-hosting behind VPNs/Firewalls keeps automation off the public internet.
Update Sovereignty: You decide when to update. No forced changes that break workflows.

FAQ

Since Jan 2025

DORA

The Digital Operational Resilience Act creates a unified framework for ICT risk management in the financial sector.

Who is affected?

Banks, insurers, investment firms, payment providers, crypto service providers, and their critical ICT providers.

Key Requirements

ICT risk management framework
Incident classification and reporting
Regular resilience testing
Third-party provider register (due April 2025)
Exit strategies for all critical vendors

Business Implications

No vendor lock-in allowed, must be able to switch providers
All ICT providers must be documented and monitored
Contracts must include security, audit rights, and exit clauses

FluxHuman Advantage

Perfect Exit Strategy: You own the source code. If we disappear, your system keeps running.
Independence: Built on standard tech, any developer can maintain the system.
No Proprietary Cloud: We use Open Source standards (Docker, Postgres, Python), not closed platforms.

Compliance by Architecture.

EU AI Act

Who is affected?

Timeline

Risk Categories

Business Implications

FluxHuman Advantage

FAQ

NIS2

Who is affected?

Covered Sectors

Key Requirements

Business Implications

FluxHuman Advantage

FAQ

DORA

Who is affected?

Key Requirements

Business Implications

FluxHuman Advantage

FAQ

Our Principles

Ownership vs Rent

Open Source Standards

Safety First Architecture

Documentation Included

Not Sure Which Regulations Apply?