AI ACT
How to Ensure th
s Compliant with the AI Act
It's about the choices you make, the processes you create, and the systems you develop. A responsible and ethical AI foundation that we help you secure.
01 Gap analysis
- Mapping your current level and desired direction
- Identification of relevant AI Act requirements
- Assessment of where human-in-the-loop is necessary
- Recommendations for governance, processes, and technical improvements
02 AI readiness and risk assessment
03 Ethical AI frameworks
04 Data management and bias control
05 Education and skills development
Everything You Need to Know About the AI Act
Are you up to speed with your AI Act compliance?
How we are assisting with the AI Act
We help organizations build, operationalize, and maintain compliance with the EU AI Act (AI Regulation) – with a focus on security, risk reduction, and responsible implementation of AI systems.
Based on that assessment, Nesp.ONE's experts design and establish a tailor-made information security management system (ISMS) that matches the size, complexity, and risk profile of the organization.
Frequently asked questions
What is the AI Act? What is AI law? What is AI regulation?
The EU's AI Regulation, also known as the AI Act, is the first comprehensive legislation regulating the use of artificial intelligence. The regulation governs the development, marketing, and use of AI systems in the EU based on their level of risk. The AI Regulation came into force in 2024, and the requirements will be phased in gradually between 2025 and 2027. For many organizations, this means that AI is no longer just a technical issue, but a business and management responsibility.
Our experts at Nesp.ONE help organizations build, operationalize, and maintain compliance with the EU AI Regulation, with a particular focus on risk reduction, security, and responsible implementation of AI.
When will the AI Regulation come into force in Denmark?
The AI Regulation applies in stages (it entered into force on August 1, 2024):
- February 2, 2025: The ban on prohibited AI practices (unacceptable risk) and the AI literacy obligations apply.
- August 2, 2025: Obligations for providers of general-purpose AI models (for example the models behind ChatGPT) apply, together with the governance and penalty provisions.
- August 2, 2026: The main body of the Regulation applies, including the full requirements for high-risk AI systems in the listed areas (Annex III).
- August 2, 2027: Requirements apply for high-risk AI systems that are safety components of products covered by EU product safety legislation (Annex I).
Danish companies should start their compliance work now in order to be ready for these deadlines.
Which Danish companies are covered by the AI Regulation?
The AI Regulation applies to all Danish companies and organizations that:
- Develop AI systems (providers).
- Use AI systems in a business context (deployers, often called users).
- Import AI systems from countries outside the EU.
- Distribute AI systems on the Danish market.
This applies to large groups and small businesses alike. Even if you only use third-party solutions such as Microsoft Copilot or ChatGPT, you have responsibilities as a deployer of AI.
Nesp.ONE offers advice and practical solutions that effectively help companies with AI compliance.
Do Danish companies that use ChatGPT, Microsoft Copilot, or Gemini have to follow the AI Regulation?
Yes, but the requirements depend on how the tools are used.
Most Danish companies are deployers and must:
- Assess risks associated with use (e.g., if employees use AI for customer service or document management).
- Ensure that sensitive data is not leaked to AI systems.
- Implement human oversight where appropriate.
- Document the use, especially if AI output is used for decisions about individuals.
If you develop your own AI solutions on top of these platforms, you may have responsibilities as a provider.
Nesp.ONE offers advice and practical solutions that effectively help companies meet all requirements and achieve compliance.
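The obligation to keep sensitive data out of third-party AI tools is usually met with a pre-send guard that redacts personal data from prompts and records what was removed, which also produces the documentation the answer above asks for. The following is an added example, not code from Nesp.ONE or from any of the tools named above. It assumes three categories of data worth catching in a Danish context: e-mail addresses, Danish CPR numbers (DDMMYY-NNNN, checked here only for a plausible day and month, since the modulus-11 check no longer holds for all CPR numbers), and payment card numbers (13-19 digits validated with the Luhn checksum to avoid flagging order numbers). The sample prompt is constructed for the example.

```python
"""Pre-send guard that redacts personal data from prompts bound for a third-party AI tool.

Added example (not the page's or any vendor's code). Detection rules are an
assumption about what a Danish deployer would want to stop at the boundary:
e-mail addresses, Danish CPR numbers and Luhn-valid payment card numbers.
"""
import re
from dataclasses import dataclass, field

# E-mail: local part, @, dotted domain.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")
# Danish CPR: DDMMYY followed by an optional hyphen and four digits.
CPR_RE = re.compile(r"\b(\d{2})(\d{2})(\d{2})-?(\d{4})\b")
# Card number: 13-19 digits, optionally separated by single spaces or hyphens,
# anchored so that the match starts and ends on a digit.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class ScrubResult:
    text: str                      # prompt with personal data replaced by placeholders
    findings: dict = field(default_factory=dict)  # category -> number of redactions


def _luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers (filters out arbitrary digit runs)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def _cpr_plausible(m: re.Match) -> bool:
    """Only accept a plausible calendar day and month (assumption: no modulus-11 check)."""
    day, month = int(m.group(1)), int(m.group(2))
    return 1 <= day <= 31 and 1 <= month <= 12


def scrub_prompt(text: str) -> ScrubResult:
    """Redact personal data and count what was removed, for the deployer's audit trail."""
    findings: dict = {}

    def hit(category: str, placeholder: str) -> str:
        findings[category] = findings.get(category, 0) + 1
        return placeholder

    def email_sub(m: re.Match) -> str:
        return hit("email", "[EMAIL]")

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        return hit("card", "[CARD]") if _luhn_ok(digits) else m.group(0)

    def cpr_sub(m: re.Match) -> str:
        return hit("cpr", "[CPR]") if _cpr_plausible(m) else m.group(0)

    out = EMAIL_RE.sub(email_sub, text)
    out = CARD_RE.sub(card_sub, out)   # longer digit runs first, so a card is never read as a CPR
    out = CPR_RE.sub(cpr_sub, out)
    return ScrubResult(out, findings)


# Constructed sample prompt; the person, address and numbers are fictitious
# (4111 1111 1111 1111 is a well-known test card number).
SAMPLE_PROMPT = (
    "Summarise this complaint from Anna Jensen (anna.jensen@example.dk, "
    "CPR 010190-1234). She paid with card 4111 1111 1111 1111 on 3 May."
)

if __name__ == "__main__":
    result = scrub_prompt(SAMPLE_PROMPT)
    print(result.text)
    print("redacted:", result.findings)
```

In practice the redacted text is what goes to the external tool, and the findings dictionary (never the raw values) is written to the usage log together with the user, tool and timestamp. Placeholders keep the prompt readable for the model while a lookup table held inside the organization can restore the values in the response if that is needed.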
Who enforces the AI Regulation in Denmark?
In Denmark, the AI Regulation is enforced through a coordinated effort led by the Agency for Digitization. The Danish Data Protection Agency and the Danish Court Administration assist with both enforcement and market surveillance, and all of this takes place within the EU's common framework and governance structure.
The Danish Agency for Digitization
The Agency for Digitization acts as the national coordinating supervisory authority for the AI Regulation in Denmark.
It is responsible for overall supervision and coordination of implementation and also acts as both the notifying authority and the central market surveillance authority under Danish law. In addition, the Agency for Digitization is Denmark's primary point of contact with other EU countries and the European Commission on matters relating to the AI Regulation.
The Danish Data Protection Agency
The Danish Data Protection Agency has been designated as one of Denmark's market surveillance authorities. The agency focuses in particular on those parts of the AI Regulation where the requirements for AI systems overlap with the protection of personal data, including prohibited practices and compliance with fundamental rights.
What happens if my company does not comply with the AI Regulation?
Violations of the AI Regulation can result in significant fines:
- Up to €35 million or 7% of global annual turnover (whichever is higher) for violating the prohibited AI practices.
- Up to €15 million or 3% of global annual turnover (whichever is higher) for breaching other obligations in the Regulation.
- Up to €7.5 million or 1% of global annual turnover (whichever is higher) for supplying incorrect, incomplete, or misleading information to authorities.
In addition to fines, non-compliance can result in reputational damage, loss of customer trust, and operational disruptions. Whether you have AI systems in operation or are in the start-up phase, our experts at Nesp.ONE help you work in a legally compliant and responsible manner.
What is an AI system? What are AI systems?
The AI Regulation defines the concept of AI system broadly, so that it covers many different types of software and machine-based solutions. An AI system is a machine-based system that:
- is designed to operate with varying levels of autonomy (i.e., it can perform tasks without direct human intervention to some extent).
- may exhibit adaptiveness after deployment, e.g. by changing behavior based on new data or interactions (adaptiveness is possible but not required).
- for explicit or implicit objectives, infers from the input it receives how to generate output such as predictions, content, recommendations, or decisions.
- delivers output that can influence physical or virtual environments, for example by influencing users or automating processes in a system.
Examples of systems that may be covered by the definition:
- chatbots and language models.
- recommendation systems (e.g., for streaming or online shopping).
- predictive analytics tools.
- image recognition systems (machine vision).
- autonomous robots or vehicles.
- adaptive control systems in industry.
Our experts at Nesp.ONE help you assess whether your solution falls under the definition of the AI Regulation and support you in your efforts to ensure compliance.
How do I know if my AI systems are high-risk?
The AI Regulation defines high-risk systems in two categories:
- AI systems that are safety components of, or are themselves, products regulated by EU product safety legislation (medical devices, cars, toys, etc.).
- AI systems used in specific areas listed in the Regulation, including:
  - Biometric identification and categorization.
  - Critical infrastructure.
  - Education and vocational training.
  - Employment, hiring, and worker management.
  - Access to essential private and public services (credit, insurance, healthcare, benefits).
  - Law enforcement.
  - Migration, asylum, and border control.
  - Administration of justice and democratic processes.
If you are unsure, Nesp.ONE can assess the risks associated with your AI systems.
What is prohibited AI practice/AI system?
The AI Regulation prohibits certain types of AI use altogether because they violate fundamental rights or are considered an unacceptable risk.
Examples of prohibited AI practices include, among others:
- Biometric categorization that infers sensitive characteristics such as race, political opinions, religion, or sexual orientation from biometric data.
- Social scoring systems, where citizens are assessed or ranked based on a kind of "trust score" that leads to detrimental treatment in unrelated contexts.
- Manipulative AI that uses subliminal techniques or exploits the vulnerabilities of groups such as children, the elderly, or people in a difficult social or economic situation.
- Certain forms of biometric surveillance, particularly real-time remote biometric identification (such as live facial recognition) in publicly accessible spaces, with a few narrow exceptions for law enforcement.
- AI that predicts the risk of a person committing a crime based solely on profiling or personality traits.
The AI Regulation is built around a risk-based approach, where the requirements depend on how AI is used and what consequences it may have:
- High-risk AI covers systems used in areas of great importance to people, such as recruitment, credit assessment, health, education, or access to essential public services. These systems are subject to requirements for risk management, documentation, data quality, human oversight, and more.
- Limited-risk AI primarily requires transparency, for example that people are clearly informed when they interact with a chatbot or when content is AI-generated.
- Minimal-risk AI can generally be used freely, but it is still recommended to follow best practices and ensure responsible use.
We at Nesp.ONE help you with a risk assessment of your AI systems.
Does my company need to be ISO 27001 certified to comply with the AI Regulation?
No, ISO 27001 certification is not a requirement in the AI Regulation, but:
- Companies with ISO 27001 already have many of the governance structures required for AI compliance.
- AI-specific risks can be integrated into an existing ISMS (Information Security Management System).
- ISO/IEC 42001 (the standard for AI management systems) can supplement the AI compliance work.
Nesp.ONE helps companies extend an existing ISO 27001 certification to include AI-specific controls.
What is the meaning of transparency?
A key focus of the AI Act is transparency and accountability. Organizations must be able to explain how their AI solutions work, what data they are based on, and how risks are managed. At the same time, there must be clear roles and human control so that important decisions are not blindly left to automated systems.
What is Human-in-the-loop?
Human-in-the-loop (HITL) or human oversight means that a human actively monitors and can intervene in the AI system's decision-making. The purpose of this is to reduce risks such as bias, erroneous automatic decisions, technical errors, and situations where AI can cause harm or violate people's rights.
AI systems, especially high-risk AI systems, must be developed and used in a way that allows humans to understand the system, supervise it, and intervene or override it if necessary.
In practice, this means that organizations using high-risk AI must not blindly follow the AI's output. When AI affects people's safety, rights, or opportunities, humans must remain responsible for the final decision.
What is bias in AI, and how can we avoid it?
Bias in AI means that the system systematically favors or disadvantages certain groups (based on gender, age, ethnicity, etc.). Bias can arise through:
- Skewed training data (e.g., data collected only from men).
- Errors in algorithm design.
- Hidden correlations in the data that act as proxies for protected characteristics.
How to reduce bias:
- Quality assurance of training data for representativeness.
- Testing for discriminatory output before deployment.
- Continuous monitoring of the system's decisions during operation.
- Diverse teams in AI development.
- Documentation of data quality and test results.
The AI Regulation requires that the training, validation, and test data of high-risk systems are examined for possible biases, and that the systems are monitored after they are put into use. We at Nesp.ONE help you test for bias.
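The pre-deployment test and the monitoring during operation in the list above come down to the same measurement: compare outcomes across groups and flag the system when the gap is too large. Below is an added example (not Nesp.ONE's tooling) for a hypothetical CV-screening model. It computes, per group, the selection rate (share recommended for interview) and the true positive rate (share of actually qualified candidates the model recommended), then reports the ratio between the worst and best group for each. The 0.8 threshold is the "four-fifths" heuristic commonly used in hiring fairness reviews; it is an assumption for the example, not a figure from the AI Act. The decision records are constructed.

```python
"""Group-outcome bias check for a classification model (added example, not the page's code).

Each record is (group, model_recommended, actually_qualified); the data below is
constructed for the example and represents a hypothetical CV-screening model.
"""
from collections import defaultdict
from typing import Iterable, Optional

CONSTRUCTED_DECISIONS = [
    # group,   recommended(1/0), qualified(1/0)
    ("men", 1, 1), ("men", 1, 1), ("men", 1, 0), ("men", 0, 0), ("men", 1, 1),
    ("men", 0, 1), ("men", 1, 1), ("men", 0, 0), ("men", 1, 0), ("men", 0, 0),
    ("women", 1, 1), ("women", 0, 1), ("women", 0, 1), ("women", 0, 0), ("women", 1, 1),
    ("women", 0, 0), ("women", 0, 1), ("women", 1, 1), ("women", 0, 0), ("women", 0, 1),
]

FOUR_FIFTHS = 0.8  # assumption: the common "four-fifths" heuristic, not an AI Act figure


def group_metrics(records: Iterable[tuple]) -> dict:
    """Selection rate and true positive rate per group."""
    counts = defaultdict(lambda: {"n": 0, "selected": 0, "qualified": 0, "true_pos": 0})
    for group, recommended, qualified in records:
        c = counts[group]
        c["n"] += 1
        c["selected"] += recommended
        if qualified:
            c["qualified"] += 1
            c["true_pos"] += recommended
    return {
        g: {
            "selection_rate": c["selected"] / c["n"],
            # TPR is undefined for a group with no qualified candidates in the window
            "tpr": c["true_pos"] / c["qualified"] if c["qualified"] else None,
        }
        for g, c in counts.items()
    }


def disparity_ratio(values: Iterable[Optional[float]]) -> float:
    """Worst group divided by best group; 1.0 means parity, lower means a larger gap."""
    vals = [v for v in values if v is not None]
    if not vals or max(vals) == 0:
        return 0.0
    return min(vals) / max(vals)


def bias_report(records: Iterable[tuple], threshold: float = FOUR_FIFTHS) -> dict:
    """Run the check on one batch; call it before deployment and on every production window."""
    records = list(records)
    metrics = group_metrics(records)
    sel_ratio = disparity_ratio(m["selection_rate"] for m in metrics.values())
    tpr_ratio = disparity_ratio(m["tpr"] for m in metrics.values())
    return {
        "groups": metrics,
        "selection_rate_ratio": sel_ratio,   # demographic parity view
        "tpr_ratio": tpr_ratio,              # equal opportunity view
        "flagged": sel_ratio < threshold or tpr_ratio < threshold,
    }


if __name__ == "__main__":
    report = bias_report(CONSTRUCTED_DECISIONS)
    for group, m in report["groups"].items():
        print(f"{group:6s} selection rate {m['selection_rate']:.2f}  TPR {m['tpr']:.2f}")
    print(f"selection-rate ratio {report['selection_rate_ratio']:.2f}, "
          f"TPR ratio {report['tpr_ratio']:.2f}, flagged: {report['flagged']}")
```

On the constructed batch the model recommends 60% of men but 30% of women (ratio 0.50) and finds 80% of qualified men but only 43% of qualified women, so the batch is flagged on both views. Running `bias_report` on each production window of decisions, and storing the output with the window boundaries, is the "continuous monitoring" and "documentation of test results" items of the list above in practice.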
What is Responsible AI?
The AI Act translates expectations about responsible AI into concrete and enforceable requirements. Organizations must be able to demonstrate that their AI systems are designed and used in a way that respects fundamental rights and societal values, prevents unfair bias and discriminatory outcomes, ensures genuine transparency and explainability, and enables human oversight and intervention. At the same time, the systems must function stably, securely, and predictably over time.
These expectations apply across the entire AI lifecycle, from data selection and model design to implementation, monitoring, and ongoing improvements. Ethical AI within an AI legal framework is not a theoretical ideal, but a practical management responsibility that requires documented decisions, clear lines of responsibility, and operational control.
For organizations that get started early, there is an opportunity to build a strong foundation for responsible AI:
- Increase trust among customers, employees, and partners.
- Reduce business and reputation risks.
- Make AI easier to scale in a secure and controlled manner.
- Provide clarity for management and the board of directors.
- Support innovation without slowing down business.
Organizations that work in a structured way with ethical and responsible AI are stronger both legally and commercially.
What is AI Governance?
AI governance is a well-defined framework for how an organization makes decisions about AI, built on ethical decision-making, clear responsibilities, and robust operational processes.
Developing and implementing AI systems that are fair, secure, non-discriminatory, and reliable not only reduces regulatory risk. It also strengthens trust within the organization, protects its reputation, and enables sustainable innovation on a large scale.
A clear understanding of the ethical and legal implications of AI enables management to integrate compliance into strategy, investment decisions, and operational management.
AI governance must extend beyond IT and data teams and be anchored in management, risk management and internal controls, compliance, legal and audit functions, as well as with system, product and data managers. Without governance, responsible AI cannot be documented and the organisation's regulatory robustness is weakened.
Our experts at Nesp.ONE help organizations build, operationalize, and maintain compliance with the EU AI Regulation.
What does the AI Act mean for my business?
The EU's AI Regulation introduces binding requirements across the entire AI lifecycle. From design and development to implementation and post-deployment monitoring, compliance requires operational maturity in areas such as:
- Risk management and classification of AI systems.
- Data governance, data quality, and traceability.
- Transparency, explainability, and information for users.
- Human oversight and accountability.
- Ongoing monitoring and corrective measures.
Organizations with a strong ethical and governance foundation are better equipped to meet these requirements effectively and consistently.
We at Nesp.ONE help organizations build, operationalize, and maintain compliance with the EU AI Act, with a particular focus on risk reduction, security, and responsible implementation of AI. Whether your organization already uses AI systems or is planning future initiatives, we help you ensure regulatory compliance, ethical integrity, and strategic coherence without slowing down innovation.
How do we start compliance work with the AI Regulation?
Start by:
- Map your AI usage: Identify all AI systems in the organization (including third-party tools).
- Classify risk: Assess which systems are high-risk, generative AI, or limited risk.
- Gap analysis: Compare your current setup with the requirements of the regulation.
- Prioritize: Focus first on high-risk systems and systems with significant compliance gaps.
- Implement governance: Establish processes, documentation, and controls.
Nesp.ONE offers a free initial assessment to help you map your AI landscape and identify the next steps.
Karsten Dahl Vandrup, Partner – Cybersecurity expert, Associate Professor, Advisor.
Martin Schulze, Partner – CISO, Security Expert, Advisor.
Farnaz Aref, AI Ethics & Governance Expert.