Which EU regulations apply when deploying AI?

Usually several at once: the EU AI Act (AI-specific safety, risk tier, transparency, human oversight), the GDPR (any personal data in training, inputs or outputs), NIS2 (cyber-resilience and governance for essential/important entities), and DORA (the specialised regime for financial entities, especially third-party risk). The NIST AI RMF is a useful voluntary method to manage all of them coherently.

Do I need a DPIA and an AI Act assessment separately?

They overlap heavily. A well-run GDPR Data Protection Impact Assessment documents data flows, lawful basis, necessity, and risks of bias and error — much of which is also required as AI Act risk-management evidence for high-risk systems. Run them together so one assessment serves both regimes.

What are the most common compliance mistakes in AI projects?

Treating a pilot as exempt (prohibited uses and AI-literacy already apply), training on repurposed personal data without checking purpose compatibility, sending sensitive data to a third-party model API with no data-processing agreement or location control, shipping chatbots or deepfakes without AI disclosure, and leaving no one monitoring the model after go-live.

How do I make AI compliance efficient across all four regimes?

Build a single AI risk programme on the NIST AI RMF and your existing security framework, then treat the AI Act, GDPR, NIS2 and DORA as four lenses on the same work. Maintain one AI inventory, one set of risk assessments, and shared controls (human oversight, logging, vendor clauses). Build once, evidence many.

Deploying AI in the EU: The Complete Compliance Checklist

Deploying AI in the EU is rarely about a single regulation. A typical project touches the AI Act (is the system safe and lawful to place on the market?), the GDPR (is the personal-data processing lawful?), NIS2 (is it resilient and well-governed?), and — for financial entities — DORA. This checklist maps the four regimes onto the AI lifecycle so nothing falls through the cracks. Use the NIST AI RMF as the operating method underneath it.

TL;DR — who governs what

AI Act → AI-specific safety, risk tier, transparency, human oversight.
GDPR → any personal data in training, inputs or outputs.
NIS2 → cyber-resilience and governance if you are an essential/important entity.
DORA → the same, specialised, if you are a financial entity (third-party risk in particular).
One NIST AI RMF programme can generate most of the evidence all four expect.

The checklist, by lifecycle phase

1. Scope & design

Add the system to your AI inventory; assign an accountable owner. (AI Act, NIST Govern)
Classify the AI Act risk tier; stop immediately if it is a prohibited practice. (AI Act)
Identify personal data involved; set a lawful basis for training and for inference. (GDPR)
Decide build vs buy — and whether you are provider or deployer. (AI Act)
Red flag: “it’s just a pilot, compliance can wait.” Prohibited uses and the AI-literacy duty already apply.

2. Data & build

Apply data governance: quality, representativeness, minimisation, retention. (AI Act high-risk, GDPR)
Run a DPIA for profiling/scoring; reuse it as AI Act risk evidence. (GDPR Art. 35)
Engineer for accuracy, robustness and security (prompt injection, data poisoning, model theft). (AI Act, NIS2/DORA)
For RAG/LLMs, work the GenAI Profile risks (confabulation, IP, leakage). (NIST 600-1)
Red flag: training on repurposed personal data without checking purpose compatibility. (GDPR)

3. Vendors & supply chain

Assess AI/ICT vendors; put security and audit clauses in contracts. (NIS2 supply chain)
If you are a financial entity, apply DORA Art. 30 clauses and add the vendor to your Register of Information. (DORA)
Check where the model and data are hosted — see Cloud Act vs GDPR and sovereign cloud. (GDPR transfers)
Red flag: sending sensitive data to a third-party model API with no DPA and no location control.

4. Deploy

Implement human oversight proportionate to risk; avoid solely-automated significant decisions. (AI Act, GDPR Art. 22)
Meet transparency duties: disclose AI interaction; label AI-generated content. (AI Act Art. 50)
For high-risk: complete conformity assessment, technical documentation and EU registration. (AI Act)
Give people clear notices and a route to contest decisions. (GDPR)
Red flag: shipping a chatbot or deepfake feature with no AI disclosure.

5. Operate & monitor

Log operations; monitor drift, bias and performance over time. (AI Act, NIST Manage)
Wire AI failures into incident response and reporting. (NIS2 / DORA incident duties)
Honour data-subject rights, including erasure that reaches training data. (GDPR)
Maintain an exit strategy for critical AI/ICT services. (DORA Art. 28(8))
Red flag: no one watching the model after go-live — silent degradation is the common failure.

Ownership — who holds the pen

Artefact	Typical owner	Serves
AI inventory & risk classification	AI/Compliance lead	AI Act
DPIA / records of processing	DPO	GDPR (+ AI Act)
Security & threat testing	CISO / security team	AI Act, NIS2, DORA
Vendor contracts & register	Procurement + Legal	NIS2, DORA
Human-oversight & transparency design	Product owner	AI Act, GDPR

The one-sentence strategy

Run a single, well-governed AI risk programme — built on the NIST AI RMF and your existing security framework — and treat the AI Act, GDPR, NIS2 and DORA as four lenses on the same work rather than four separate projects. Build once, evidence many. That is both cheaper and more defensible than chasing each regulation in isolation.

General information, not legal advice. ICTLAB helps Belgian organisations deploy AI that stands up to the AI Act, GDPR, NIS2 and DORA — from classification to controls — see our AI & LLM and cybersecurity services, or talk to our team.

Need Help with RAG & LLM Integration?

Unlock your organization's knowledge with AI. We build retrieval-augmented generation systems that connect large language models to your proprietary data.

Learn More Contact Us

Deploying AI in the EU: A Compliance Checklist (AI Act + GDPR + NIS2 + DORA)