DUNA Digital
MagazineLaw · 6 min read

EU AI Act: what companies need to do now.

DUNA DigitalEngineering & AI · 7 July 2026
The gist in 20 seconds
  • The EU AI Act applies in stages - for most companies the duties concern transparency, documentation and human oversight.
  • If you only use AI (rather than provide it), your duties are manageable - but you must know and evidence them.
  • Well-built systems meet the core requirements as a by-product: traceability, human in the loop, data discipline.

Transparency up front: we are engineers, not a law firm. This article gives a technical-organisational orientation and is no substitute for legal advice - for binding answers, your lawyer belongs at the table.

What it is about

The EU AI Act is the world's first comprehensive AI law. It sorts AI systems by risk: prohibited practices, high-risk systems with strict requirements, systems with transparency duties, and the large remainder with minimal requirements. The duties phase in over several years - waiting is still not a strategy, because documentation is hard to invent retroactively.

Am I a provider or a deployer?

The most important switch: whoever develops an AI system and offers it under their own name is a provider - with the full duty catalogue of their risk class. Whoever merely uses a system in their own operation is a deployer - with much leaner but real duties: use the system as intended, ensure oversight, report incidents.

The typical Mittelstand case - a support chatbot, a document pipeline in accounting, an internal knowledge assistant - mostly plays in the lower risk classes. That is no all-clear: transparency and oversight duties apply there too.

The core duties, translated practically

RequirementWhat it means in practiceTechnical answer
TransparencyUsers must know AI is involvedLabelling in the interface, clear notices
Human oversightAI does not decide essentials aloneApproval steps, four-eyes gates
TraceabilityDecisions must be reconstructibleLogging of inputs, outputs, corrections
Data disciplineKnow which data flows whereDocumented data flows, EU hosting or on-premise

Why good architecture is half the compliance

The AI Act's requirements overlap conspicuously with what solid AI systems need anyway. An example from our practice: in the document pipeline we operate for entsorgo, no invoice is booked automatically - every one passes human approval, every correction is logged and flows back into the system as learned knowledge. That is good engineering - and incidentally exactly the human oversight and traceability the AI Act demands.

"Compliance is cheap when you build it in from the start - and expensive when you retrofit it."

DUNA engineering principle

Your to-do list

  • Inventory: which AI systems run at your company - including the unofficial browser tabs?
  • Classification: per system: provider or deployer, which risk class?
  • Labelling: make AI contact transparent for users.
  • Oversight: define approval steps where decisions carry weight.
  • Documentation: data flows, models, responsibilities in writing.
  • Training: build demonstrable AI competence in the team.
Introducing AI - compliant from day one?We build oversight, logging and EU hosting right in.
To the AI Hub
Share