The EU's AI Act makes ethical and responsible use of AI a management and governance responsibility with binding requirements for transparency, fairness, and human control.
We help businesses and local governments achieve and maintain IT compliance, such as compliance with the AI Act.
Ethical and trustworthy AI governance in an AI-regulated reality

The EU's AI Act introduces a new regulatory reality for organizations that develop, use, or depend on artificial intelligence. For the first time, ethical principles such as fairness, transparency, accountability, and human oversight have been made binding requirements that affect how AI may be used in practice.
In the same way that GDPR changed the way organizations work with data protection, the AI Act is expected to set a global standard for the responsible and trustworthy use of AI. Although public debate often focuses on generative AI, the regulation is largely aimed at AI systems that are embedded in core business processes: systems that affect people, decisions, pricing, access, and risk assessments. For senior management, working with EU AI law is a matter of governance, ethics, and risk management.

Why ethical AI is crucial in an AI law context

The AI Act translates expectations of responsible AI into concrete and enforceable requirements. Organizations must be able to demonstrate that their AI systems are designed and used in a way that respects fundamental rights and societal values. Among other things, they must prevent unfair bias and discriminatory outcomes, ensure real transparency and explainability, and enable human oversight and intervention.
At the same time, the systems must function in a stable, secure, and predictable manner over time. These expectations apply across the entire AI lifecycle, from data selection and model design to implementation, monitoring, and ongoing improvements. Ethical AI in an AI legal framework is not a theoretical ideal, but a practical management responsibility that requires documented decisions, clear lines of responsibility, and operational control.

1. The risk of waiting

Although AI legislation is being implemented gradually, expectations are already taking shape. Organizations that cannot demonstrate responsible governance and ethical control of their AI systems risk increased regulatory scrutiny, delays, and loss of trust.

2. Strengthened trust

Early action creates a stronger starting point, reduces future adaptation costs, and strengthens trust among customers, partners, and authorities, while allowing innovation to continue responsibly.

AI governance as the foundation for trustworthy AI

Many organizations already use AI-driven solutions without necessarily labeling them as AI. Decision support tools, scoring models, optimization engines, and predictive analytics are often viewed as technical components rather than potential ethical and business risks.
The AI Act changes this approach. The regulation does not focus on how advanced the technology is, but on how AI systems affect people. Any system that has a significant impact on individual outcomes requires structured governance and responsible use.
This requires a setup where AI governance extends beyond IT and data teams and is anchored in management, risk management and internal controls, compliance, legal and audit functions, as well as with system, product and data managers. Without governance, responsible AI cannot be documented and the organisation's regulatory robustness is weakened.

Advice on the EU's AI Regulation for Danish companies

What is the EU AI Regulation and why is it important?
The EU's AI Regulation (AI Act) is the world's first comprehensive legislation on artificial intelligence. The regulation will gradually come into force between 2025 and 2027, creating a new and common regulatory reality for organizations that develop and use artificial intelligence throughout the EU, including Denmark.

 The aim is to ensure that AI systems are safe, transparent, and respect fundamental rights, while promoting innovation. For the first time, ethical principles such as fairness, transparency, accountability, and human oversight have been made binding requirements that affect how AI may be used in practice.
Who is covered by the requirements of the EU's AI Regulation in Denmark?
The EU's AI Regulation applies broadly and covers far more Danish companies than many people think. The Regulation distinguishes between different roles and risk categories. Roles covered by the Regulation:

Providers: Companies that develop AI systems or have them developed under their own name/trademark. Examples include Danish software developers who build AI solutions or organizations that fine-tune existing AI models.

Importers: Companies that bring AI systems from countries outside the EU into the Danish market.

Distributors: Companies that distribute AI systems in Denmark.

Users: Any Danish company or organization that uses an AI system in a commercial context or in public service. Examples include companies that use AI for HR screening, credit assessment, chatbots for customer service, or quality control.

Our approach to compliance with the EU AI Regulation

At Nesp.ONE, AI compliance is about more than documentation. It's about the choices you make, the processes you create, and the systems you develop. This requires a setup where AI governance extends beyond IT and data teams and is anchored in management, risk management, and internal controls, legal and audit functions, as well as system, product, and data managers.

 We help organizations build, operationalize, and maintain compliance with EU AI law with a focus on security, risk reduction, and responsible implementation. We offer:
GAP analysis
We provide you with a clear overview of where you stand today and what it takes to become AI-compliant. This includes:

 • Mapping your current level and desired direction
 • Identification of relevant AI Act requirements
 • Assessment of where human-in-the-loop is necessary
 • Recommendations for governance, processes, and technical improvements
AI readiness and risk assessment
• We assess your current AI usage and help you understand what the AI Act requires.
AI readiness and risk assessment
• We develop principles and practical guidelines for transparency, ethical and responsible use. 
Data management and bias control
• We help you ensure quality, traceability, and fairness requirements in both training and operational data.
Education and skills development
• We equip your teams with concrete knowledge about ethical AI, secure development, and your compliance responsibilities.
Legal, technical, and governance expertise all in one place:
AI compliance isn't just a legal issue. It's not just an IT project either. And it can't be solved with better processes alone. It requires all three parts, and that's exactly what Nesp.ONE .
Why is interdisciplinarity critical?
The EU's AI Regulation imposes requirements that cut across traditional silos:

• Legal documentation requirements demand a technical understanding of how AI models are trained

• Technical safeguards must be translated into understandable governance processes

• Governance structures must be supported by both legal frameworks and technical control environments

How the EU's AI Regulation interacts with ISO 27001, NIS2, and CRA

Many Danish companies face a complex regulatory landscape, of which the AI Regulation is just one part. The good news is that these sets of rules overlap and can reinforce each other if implemented in a coordinated manner.
The EU AI Regulation and ISO 27001
ISO 27001 is the standard for information security management, which many Danish companies are already certified under.

 Both ISO 27001 and the EU's AI Regulation require risk-based management and documentation, but with different regulatory logic; ISO 27001 focuses on information assets and organizational security, while the AI Regulation sets specific requirements for the development, use, and management of AI systems—especially high-risk AI. There are significant synergies between the two sets of rules. AI systems can be incorporated into a company's existing ISMS, where AI-specific risks (e.g., data quality, model robustness, and misuse scenarios) are added to the existing risk register and addressed using already implemented control processes.
At Nesp.ONE, we help you extend your existing ISO 27001 certification to include AI-specific controls. This means that AI-specific controls, processes, and documentation are integrated into your current management system, reducing the need for parallel compliance and measures.
The EU's AI Regulation and NIS2
The NIS2 Directive/NIS2 Act sets requirements for cybersecurity and risk management for companies in designated critical and important sectors, including energy, transport, banking, health, and digital infrastructure.

 NIS2 is technology-neutral, but a number of the directive's requirements are directly relevant to AI systems when these form part of a company's network and information systems or support critical business processes. This applies in particular to requirements concerning:

• Security in the software development cycle (relevant for AI model training and deployment)
• Vulnerability management
• Business continuity

For companies covered by both NIS2 and the AI Regulation Nesp.ONE an integrated cybersecurity and AI governance framework. AI systems are treated as part of your critical IT infrastructure, with specific controls for AI-specific risks such as adversarial attacks, data poisoning, and model drift.
The EU AI Regulation and CRA
The Cyber Resilience Act (CRA) sets security requirements for products with digital elements. If your company develops or sells software products with AI functionality, you must comply with both the CRA's security requirements and the AI Regulation's requirements.

Examples could be AI-driven cybersecurity software, IoT devices with AI, and SaaS platforms with AI features. We help product companies integrate both CRA and AI compliance into the product development process so that security requirements and AI documentation are built in from the design phase.
Nesp.ONE's strength lies in looking at your overall compliance landscape. We design a single, comprehensive risk assessment process that addresses:
• Information security risks (ISO 27001)
• AI-specific risks (AI Regulation)
• Cybersecurity threats (NIS2)
• Product safety (CRA)

Documentation is structured to meet the requirements of all relevant regulations simultaneously – without duplication. We prepare you to conduct external audits effectively across standards.

That's what you get when you work with Nesp.ONE

At Nesp.ONE, we help organizations build ethical, responsible, and trustworthy AI governance that meets the requirements of EU AI law without overcomplicating processes or hindering business.

Our experts deliver tangible results that make a difference to your business. Our consulting services focus on providing an overview of ethical risks, governance gaps, and regulatory exposure, as well as establishing clear frameworks, policies, and processes for responsible AI.

We also support data governance, bias management, and offer targeted training for boards of directors, executive management, and key functions.
Get started on your compliance journey in relation to the EU's AI Regulation
Understanding your position in relation to EU AI law and taking the first step towards AI compliance doesn't have to be overwhelming. At Nesp.ONE, we make it easy to get started and help management teams clarify priorities, governance needs, and next steps well in advance.

Contact us today.

High-risk AI: requires governance and ethical oversight

AI systems classified as high-risk under EU AI law are subject to stricter requirements that directly reflect ethical principles.
Organizations are expected to work systematically with risk management throughout the AI life cycle, solid data governance with a focus on quality and fairness, technical documentation that enables transparency and traceability, and clear mechanisms for human oversight and intervention. In addition, ongoing monitoring and control after implementation are essential.
Many organizations already use systems that fall into this category. The challenge is rarely whether the requirements apply, but whether they are put into practice, managed across the organization, and can be explained to authorities and stakeholders.

Start with a strategic dialogue

The company's position

Understanding your position in relation to EU AI law is the first step towards long-term responsible AI.

Trust-building AI

Build a strong foundation for responsible, ethical, and trustworthy AI.

Responsible processes

By establishing clear processes and responsibilities for information security, the organization can optimize its security management.

How we support responsible AI and AI law readiness

We help organizations build ethical, responsible, and trustworthy AI governance that meets the requirements of EU AI law without overcomplicating processes or hindering business.
Our advice focuses on providing an overview of ethical risks, governance deficiencies, and regulatory exposure, as well as establishing clear frameworks, policies, and processes for responsible AI.
We also support data governance, bias management, and offer targeted training for boards of directors, executive management, and key functions.

First challenge: Understanding why and where AI makes sense

The journey toward trustworthy AI begins long before an AI system is purchased or developed. The first step is to clarify why AI is relevant and what specific tasks the technology can solve in a meaningful way.
Not all challenges require an AI solution. AI can affect citizens' rights, access to services, and general well-being, which is why it is crucial to identify potential risks at an early stage. Just because a technology can be used does not necessarily mean that it should be used. This is especially true if core values such as fairness, transparency, or accountability come into play.
This initial clarification is also crucial to the decision on whether an AI solution should be purchased from a supplier or developed specifically for the municipality's needs. Both choices entail different obligations and roles in relation to the EU's AI Act.

Trustworthy AI in Local Governments

From ambition to responsible implementation

Denmark is one of the world’s most digitized societies. With a strong digital economy and a highly digitized public sector, there is significant potential for applying artificial intelligence (AI) in local governments. AI can contribute to increased efficiency, better decision-making, and more cohesive services for citizens.
At the same time, this comes with a great deal of responsibility. Local governments must ensure that the implementation of AI does not undermine the high level of trust that citizens place in public institutions. Therefore, the focus should not merely be on adopting AI, but on implementing trustworthy AI.

Legal, ethical, and technical requirements are inextricably linked

Local governments handle personal information and sensitive data on a daily basis. It is therefore essential that AI solutions comply with applicable data protection laws and are designed to minimize the risk of bias and discrimination.
But legality alone is not enough. AI in the public sector must also be ethically sound and reflect society's values. This implies, among other things, transparency, respect for citizens' rights, and clear accountability. At the same time, the technology must be robust, stable, and secure—even in unforeseen situations.
For many municipalities, balancing these legal, ethical, and technical requirements is a complex task without specialized support.

A special responsibility towards citizens

When municipalities implement AI, they have a special responsibility to protect the dignity and well-being of their residents. This means, among other things, that there must be genuine human oversight and supervision, that AI systems are secure and resilient to attacks, and that the results are reliable and reproducible.
Data must never be used illegally or in ways that could lead to discrimination. At the same time, AI-based solutions must be accessible to all citizens, and active measures must be taken to avoid unfair bias.

From complexity to secure implementation

Implementing trustworthy AI is challenging, but it also presents an opportunity. With the right approach, local governments can harness the potential of AI while strengthening citizens’ trust in the public sector.
This is where targeted AI consulting makes a real difference: by helping municipalities turn their ambitions into responsible, compliant, and value-driven AI solutions—all the way from strategy to implementation.
