Imagine an employee from the design department using a public AI tool to summarize the technical specifications of a new prototype. The task is completed in minutes—but confidential information was processed outside the controlled IT environment. Data protection wasn’t verified, the works council wasn’t involved, and no one knows whether the use case falls under the EU AI Act.
This is exactly where AI compliance begins.
Companies don’t have to ban AI. They need a framework that enables safe use: with clear guidelines, trained employees, appropriate permissions, GDPR-compliant data processing, and controlled AI systems. This guide explains which obligations under the AI Act, the GDPR, and labor law are relevant—and how mid-sized companies can safely implement AI.
Key Takeaways
-
AI Act Deadlines: Most AI Act obligations, including enforcement and sanction mechanisms, will take effect on August 2, 2026.
-
Severe Penalties: Violations may result in fines of up to 35 million euros or 7% of global annual revenue.
-
AI Competence Requirement: As of February 2025, Article 4 of the AI Act mandates that companies build AI competence within their organizations.
-
GDPR Remains in Effect: The GDPR and the AI Act complement each other; the AI Act does not replace data protection.
-
Secure Solution: Closed, EU-hosted, or EU-controlled AI systems can significantly facilitate GDPR-compliant use—provided that data processing agreements, authorization frameworks, logging, and internal policies are properly implemented.
What Is AI Compliance? Definition and Significance
The use of artificial intelligence offers enormous productivity benefits but requires clear guidelines. AI compliance goes far beyond mere data protection. It encompasses ethical guidelines, transparency requirements, IT security, and governance structures. Companies must primarily keep three legal frameworks in mind: the EU AI Act, the GDPR, and national labor law (in particular, the Works Constitution Act).
AI Compliance Definition: AI compliance refers to the totality of all measures that ensure the use of artificial intelligence within a company complies with applicable legal, ethical, and organizational requirements—in particular the EU AI Act, the GDPR, and national labor law.
Implementing these requirements is not merely an IT task, but rather a strategic management decision. Companies that establish AI compliance early on not only protect themselves from severe penalties but also build the necessary trust among employees and customers. A sustainable AI strategy for companies forms the foundation for this.
EU AI Act: Deadlines, Risk Categories, and Obligations
The EU AI Act is the world’s first comprehensive regulatory framework for artificial intelligence. It takes a risk-based approach: The higher the risk an AI system poses to users’ fundamental rights and safety, the stricter the regulatory requirements.
The 4 Risk Categories of the AI Act

The regulation divides AI systems into four categories. For small and medium-sized enterprises, it is crucial to classify their own systems correctly.
| Risk Class | Examples | Obligations |
|---|---|---|
| Forbidden Risk | Social Scoring, Real-Time Biometric Monitoring | Prohibited as of February 2, 2025 |
| High Risk | HR Screening, Credit Decisions, Medical AI | Risk Management, Documentation, Human Oversight |
| Limited Risk | Chatbots, AI-generated text | Transparency and Labeling Requirements |
| Minimal Risk | Spam filters, image processing AI | No specific obligations |
Key AI Act Deadlines
Companies must prepare for a phased rollout of the regulation. The key milestones are:
| Date | Duty |
|---|---|
| August 1, 2024 | AI Act Takes Effect |
| February 2, 2025 | Prohibitions (Art. 5) and the AI competency requirement (Art. 4) apply |
| August 2, 2025 | Obligations apply to GPAI models (e.g., ChatGPT, Gemini) |
| August 2, 2026 | Most of the AI Act's obligations apply (including enforcement and sanction mechanisms) |
| August 2, 2027 | Additional Obligations for Certain High-Risk AI Systems (Especially in Regulated Products) |
Provider vs. Operator: What Applies to Companies?
A common misconception among small and medium-sized enterprises (SMEs) is the assumption that the AI Act applies only to developers of AI models. The reality is different: Most SMEs act as operators (deployers) because they use third-party AI tools. As operators, you are also subject to strict obligations, especially if you use high-risk systems.
GDPR and AI: Data Protection When Using AI Systems

The EU AI Act does not replace the General Data Protection Regulation (GDPR), but rather supplements it. For companies, this means: Where personal data is processed, the GDPR continues to apply in full.
A key principle is that, for personal or confidential company data, the use of public AI tools without appropriate contractual, technical, and organizational safeguards is generally unsuitable and poses a risk under data protection law. Data processing agreements (DPAs) are absolutely essential. When using high-risk AI, a data protection impact assessment (DPIA) may also be mandatory.
Shadow AI: The Underestimated Risk in Small and Medium-Sized Businesses

One of the biggest risks in German small and medium-sized businesses is so-called shadow IT. Employees use personal AI tools to make their work easier and, in doing so, unknowingly upload sensitive company or customer data. This leads to uncontrollable GDPR violations and massive security vulnerabilities.
“The biggest compliance pitfall for SMEs isn’t the official AI strategy, but uncontrolled shadow IT. When employees copy sensitive data into public models out of convenience, the company loses all control over its intellectual property.” – Bastian Maiworm, Co-Founder & CRO at amberSearch
Closed, EU-hosted, or controlled AI systems can significantly simplify GDPR-compliant use—provided that service agreements, authorization policies, logging, and internal guidelines are properly implemented.
A Private AI or a comparable architecture provides the necessary control for this.
Labor Law and the Works Council in AI Implementation
The implementation of AI systems in Germany is not merely a matter of data protection and the AI Act; it also has a massive impact on labor law. This is an aspect that is often underestimated in practice but is crucial for a successful rollout.
Pursuant to Section 87(1)(6) of the Works Constitution Act (BetrVG), the works council has a mandatory right of co-determination regarding the introduction of technical equipment intended to monitor the behavior or performance of employees. Since modern AI systems theoretically enable far-reaching analyses, this right applies in most cases. Furthermore, pursuant to Section 90( 1 No. 3 of the BetrVG, there is a duty to provide information regarding workplace design.
Practical Tip: An AI works council agreement provides legal certainty and fosters acceptance. It should clearly define the intended use of AI, data access, planned training measures, and control mechanisms. A transparent, neutral dialogue with the works council from the outset prevents future roadblocks.
Liability and Copyright in AI Use
Who is liable if the AI makes a wrong decision or provides incorrect information? This question concerns many decision-makers.
The Liability Issue
As the operator of an AI system, the company bears primary liability for damages resulting from AI errors. Executives may even be held personally liable if they have not implemented adequate control measures (governance). The upcoming EU AI Liability Directive will also shift the burden of proof in favor of the injured party.
The Copyright Issue
AI-generated content is generally not protected by copyright in Germany, as it lacks a human creator. At the same time, there is a risk that AI outputs could infringe on the copyrights of third parties if the training model used protected works.
Practical Tip: Companies should implement an internal policy for AI-generated content. This policy must define labeling requirements, review processes (human-in-the-loop), and clear responsibilities.
AI Governance: Roles, Guidelines, and Responsibilities
AI compliance must not operate in isolation but must be embedded within an overarching governance structure. Before companies invest heavily in AI, they should define clear responsibilities.
Effective Governance Structures:
- AI steering committee comprising the CIO, CISO, and data protection officer
- Clear responsibilities for approvals and monitoring
- Integration into existing risk management and ISMS
Appointing an AI officer or a dedicated team helps manage risk analyses. A written AI policy provides clarity and reduces “shadow AI.” It should regulate permitted and prohibited tools, the handling of personal data, and approval processes for new use cases.
5 Steps to AI Compliance

The theory is complex, but implementation doesn’t have to be. With this 5-step framework, midsize companies can establish solid AI compliance.
Step 1 – AI Inventory: Identify All AI Systems
Document all AI tools used within the company. Make a point of identifying shadow IT. Determine: What data is being processed? Who has access to the systems?
Step 2 – Risk Assessment and Risk Classification
Classify each identified AI system according to the risk categories defined in the AI Act. Identify high-risk systems and prioritize the corresponding compliance measures.
Step 3 – Create an AI Policy
Define a company-wide AI policy. This policy specifies which AI tools are permitted, how they may be used, and who is responsible. The guiding principle is: policy first, training second.
Step 4 – Build AI Competence (Mandatory Training under Art. 4 of the AI Act)
As of February 2025, all companies are required to ensure that their employees have sufficient AI competency. Conduct regular training sessions and document them carefully.
Mandatory AI Training: These 4 Phases Companies Need to Know
Step 5 – Use Secure AI Tools and Monitor Them Continuously
Choosing the right AI tools is a key compliance decision. Ensure EU hosting, that model training does not use your company data, granular access rights management, and the existence of a Data Processing Agreement (DPA).
Selecting Secure AI Software: Criteria for Businesses
The make-or-buy decision depends on specific use cases and available resources. When selecting AI software, compliance aspects should be considered early on.
Key Selection Criteria:
- Data Protection and Hosting Location: Prefer solutions hosted in the EU or in Germany.
- Role-Based Access Control (RBAC): The system must respect existing access rights.
- Logging and audit functions: Traceability of AI outputs and access is essential.
- Integration: Seamless integration with Microsoft 365, CRM, and DMS.
Scattered knowledge across SharePoint, CRM, and DMS is a risk factor. Controlled information provision minimizes business risks. See also our Best Practices for Enterprise Search and how to calculate the ROI of AI tools.
What Companies Should Do in the Next 30 Days
AI is already in use—the only question is: is it controlled or risky? The complexity and dynamics of AI deployment present companies with challenges regarding ethical standards and compliance.
Recommendations for the next 30 days:
- Conduct an inventory of AI usage (uncover shadow IT).
- Bring key stakeholders (IT, compliance, data protection, works council) together.
- Define broad priorities and draft an initial AI policy.
- Select a pilot area and implement a controlled business AI solution.
AI compliance is a competitive advantage: It enables faster decision-making, lower risk, and greater attractiveness as an employer.
