Compliance

Built in, not bolted on.

GDPR, EU AI Act, NIS2, DORA — met by default. Your data stays your data.

Since 2018

GDPR

The General Data Protection Regulation governs how personal data of EU residents is collected, stored, and processed.

Who is affected?

Any company processing personal data of EU residents, regardless of where the company is located.

Key Requirements

  • Purpose limitation: Data only for specified purposes
  • Data minimization: Collect only what you need
  • Right to erasure: Delete data on request
  • Breach notification: 72 hours from becoming aware (Art. 33)
  • Data Processing Agreements with all processors

Business Implications

  • US cloud services need an EU-US Data Privacy Framework (DPF) certification, or SCCs with additional safeguards if the vendor isn't DPF-certified
  • AI tools processing personal data need Data Processing Agreements
  • Automated decision-making requires human oversight option

FluxHuman Advantage

  • Data Sovereignty through Self-Hosting: We prefer to run n8n on your own servers (or on an EU cloud such as Hetzner), so data stays in your jurisdiction.
  • Local AI: With our "Sovereign" package, LLMs run locally. No data sent to OpenAI.
  • Data Minimization: Our workflows process data through the pipeline and do not persist it beyond what is required for the automation.

Only with proper DPA and SCCs. We recommend EU-hosted alternatives or anonymization first.

Not usually. GDPR Article 22 applies to decisions with legal or significant effects. Most workflow automations are excluded.

Phased 2024-2028

EU AI Act

The world's first comprehensive AI regulation. Classifies AI systems by risk level and sets requirements accordingly.

Who is affected?

Anyone developing or deploying AI systems in the EU. Requirements depend on risk classification.

⚠ High-risk AI obligations deferred to Dec 2027 — 18 months to get compliant.

Do you know how your AI systems are classified? The Digital Omnibus (May 2026) pushed high-risk obligations to Dec 2027 — but chatbot transparency rules still apply from Aug 2026. The companies that prepare during this window will be audit-ready while others scramble.


Timeline

  • Phase 1 (Feb 2025): Prohibited AI practices banned
  • Phase 2 (Aug 2025): GPAI model rules apply
  • Phase 3 (Dec 2027): High-risk AI rules enforced (Omnibus-deferred from Aug 2026)

Risk Categories

  • Prohibited: Social scoring, manipulative AI, real-time biometrics in public
  • High-Risk: HR decisions, credit scoring, critical infrastructure
  • Limited Risk: Chatbots (transparency required)
  • Minimal Risk: Most business automation

Business Implications

  • High-risk AI requires conformity assessment, documentation, human oversight
  • Chatbots must disclose they are AI
  • Most workflow automation falls under minimal risk

FluxHuman Advantage

  • Controlled AI: Workflow orchestration (n8n) is deterministic. AI components use human-in-the-loop approval for critical decisions, reducing (but not eliminating) hallucination risk.
  • Transparency: You own the source code, so AI operations are fully auditable. No black box.
  • Categorization: We focus on "Minimal Risk" automation and "Limited Risk" chatbots.

Usually not. High-risk applies to decisions affecting rights or safety. FAQ bots are limited risk, requiring only transparency.

This is explicitly high-risk under Annex III. Requires full documentation, testing, and human oversight.

DE: in force / AT: 1 Oct 2026

NIS2

The Network and Information Security Directive 2 expands cybersecurity requirements to more sectors and smaller companies.

Who is affected?

Medium and large companies (50+ employees or €10M+ turnover) in covered sectors. In Germany: ~30,000 companies.

Covered Sectors

Energy, Transport, Banking, Healthcare, Digital Infrastructure, Manufacturing, Waste, Chemicals, Food, Postal, Research

Key Requirements

  • Risk management policies and procedures
  • Incident reporting: 24h early warning, 72h notification, 1-month final report (Art. 23)
  • Supply chain security measures (Art. 21(2)(d))
  • Business continuity plans
  • Multi-factor authentication and access control (Art. 21(2)(j))

Business Implications

  • Software vendors become part of your attack surface
  • Security questionnaires for every new tool
  • No more shadow IT purchases by departments

FluxHuman Advantage

  • Reduced Supply Chain Risk: You hold the infrastructure. No permanent vendor access reduces third-party exposure.
  • Minimized Attack Surface: Self-hosting behind VPNs/Firewalls keeps automation off the public internet.
  • Update Sovereignty: You decide when to update. No forced changes that break workflows.

Yes. You must assess supplier security under Art. 21(2)(d). The supply-chain effect reaches many thousands of upstream companies indirectly.

Size thresholds have exceptions. Trust services, DNS providers, and TLD registries are covered regardless of size.

Since Jan 2025

DORA

The Digital Operational Resilience Act creates a unified framework for ICT risk management in the financial sector.

Who is affected?

Banks, insurers, investment firms, payment providers, crypto service providers, and their critical ICT providers.

Key Requirements

  • ICT risk management framework
  • Incident classification and reporting
  • Regular resilience testing
  • Third-party provider register (since April 2025)
  • Exit strategies for all critical vendors

Business Implications

  • You must have documented exit strategies and the ability to switch providers (vendor lock-in is not prohibited outright, but you must be able to exit from it)
  • All ICT providers must be documented and monitored
  • Contracts must include security, audit rights, and exit clauses

FluxHuman Advantage

  • Documented Exit Strategy: You own the source code and infrastructure. If we disappear, your system keeps running.
  • Independence: Built on standard tech, any developer can maintain the system.
  • No Proprietary Cloud: We use Open Source standards (Docker, Postgres, Python), not closed platforms.

A detailed list of all ICT vendors, contracts, and dependencies. Deadline: April 30, 2025.

If they process financial data or support critical functions, yes. They must be documented and auditable.

Our Principles

Ownership vs Rent

Compliance requires control. You buy our solutions, you don't rent them. You own the code — the strongest compliance position there is.

Open Source Standards

We use n8n, Docker, and Python. Auditors love these global standards. No obscure proprietary tech.

Safety First Architecture

We separate logic from data. Sensitive data flows through the pipeline but is not logged unnecessarily.

Documentation Included

You get code and data flow documentation. Saves your DPO days of work.

Not Sure Which Regulations Apply?

A quick call to assess your compliance landscape. No commitment.