- The EU AI Act applies in stages - for most companies the duties concern transparency, documentation and human oversight.
- If you only use AI (rather than provide it), your duties are manageable - but you must know and evidence them.
- Well-built systems meet the core requirements as a by-product: traceability, human in the loop, data discipline.
Transparency up front: we are engineers, not a law firm. This article gives a technical-organisational orientation and is no substitute for legal advice - for binding answers, your lawyer belongs at the table.
What it is about
The EU AI Act is the world's first comprehensive AI law. It sorts AI systems by risk: prohibited practices, high-risk systems with strict requirements, systems with transparency duties, and the large remainder with minimal requirements. The duties phase in over several years - waiting is still not a strategy, because documentation is hard to invent retroactively.
Am I a provider or a deployer?
The most important switch: whoever develops an AI system and offers it under their own name is a provider - with the full duty catalogue of their risk class. Whoever merely uses a system in their own operation is a deployer - with much leaner but real duties: use the system as intended, ensure oversight, report incidents.
The typical Mittelstand case - a support chatbot, a document pipeline in accounting, an internal knowledge assistant - mostly plays in the lower risk classes. That is no all-clear: transparency and oversight duties apply there too.
The core duties, translated practically
| Requirement | What it means in practice | Technical answer |
|---|---|---|
| Transparency | Users must know AI is involved | Labelling in the interface, clear notices |
| Human oversight | AI does not decide essentials alone | Approval steps, four-eyes gates |
| Traceability | Decisions must be reconstructible | Logging of inputs, outputs, corrections |
| Data discipline | Know which data flows where | Documented data flows, EU hosting or on-premise |
Why good architecture is half the compliance
The AI Act's requirements overlap conspicuously with what solid AI systems need anyway. An example from our practice: in the document pipeline we operate for entsorgo, no invoice is booked automatically - every one passes human approval, every correction is logged and flows back into the system as learned knowledge. That is good engineering - and incidentally exactly the human oversight and traceability the AI Act demands.
"Compliance is cheap when you build it in from the start - and expensive when you retrofit it."
DUNA engineering principle
Your to-do list
- Inventory: which AI systems run at your company - including the unofficial browser tabs?
- Classification: per system: provider or deployer, which risk class?
- Labelling: make AI contact transparent for users.
- Oversight: define approval steps where decisions carry weight.
- Documentation: data flows, models, responsibilities in writing.
- Training: build demonstrable AI competence in the team.


