AI compliance — pragmatically, audit-ready, without buzzwords.

What 'AI compliance' actually means

AI compliance is not a separate discipline — it's the intersection of GDPR, the EU AI Act, sector-specific rules (BaFin, MDR/IVDR, BSI for critical infrastructure) and your existing ISMS or compliance system.

EU AI Act in practice

GDPR for AI

The familiar set of duties applies: lawful basis, transparency, purpose limitation, data minimization, integrity, accountability. Plus AI-specific aspects: training data origin, explainability, re-identification risk, automated decisions (Article 22).

• Lawful basis for input data and (separately) for any model fine-tuning.
• DPIA per Article 35 if high risk — almost always for personal data.
• Subject rights also for AI outputs (access, deletion, objection).
• Subprocessor chain documented end-to-end.

Sectoral rules (BaFin, MDR, KRITIS)

Banks and insurers face BaFin expectations on model risk management. Medical AI lands in MDR/IVDR. Critical infrastructure operators have BSI requirements on availability and integrity. Public administration has IT security law obligations. We know the requirements and design architectures that meet horizontal and sectoral rules at the same time.

Our compliance playbook

1. Inventory: which AI systems already run, what risk class are they in?
2. DPIA + AI Act assessment per system (combined where possible).
3. TOMs (Article 32) and DPA (Article 28) tightened to AI specifics.
4. Audit trail with automated evidence (logs, model versions, prompts).
5. Quarterly review and event-driven re-checks.