ARTIFICIAL INTELLIGENCE

AI creates new opportunities, but the legal risks are easy to overlook

Context

AI in business without internal rules

According to a Bitkom study, more than one in three companies already uses AI. The real figure is likely higher, because many employees have been using ChatGPT, Gemini and similar tools as part of their daily workflow for some time, often without any internal guidelines in place. Emails are drafted, contracts summarised, data analysed. Management is often unaware.

That is not just an organisational problem. It is also a legal one.

Risk

What's at stake

Three typical scenarios from business practice and their legal consequences.

Scenario 1
Confidential Data at Risk

An employee pastes a complete client contract into an AI tool to save time. They do not realise that by doing so, that information has left the company.

Consequence

Breach of data protection and potentially confidentiality obligations, exposure to damages claims and loss of client trust

Scenario 2
Unreliable AI Output

An employee asks AI to produce a market analysis. The output looks convincing but contains incorrect figures. The error goes unnoticed.

Consequence

Business decisions made on a false basis, financial losses and exposure to liability

Scenario 3
Unknown Compliance Obligations

A company uses an AI-powered recruitment tool. What no one realises: the system falls under the high-risk category of the EU AI Act.

Consequence

Violations of the EU AI Act, fines of up to EUR 35 million or 7 percent of global annual turnover

EU AI Act

What already applies and what comes next

The European AI Regulation is already in force, with the final compliance deadlines arriving in August 2026.

In Force: August 2024

EU AI Act takes effect

The EU AI Act has taken effect and applies progressively to all companies that use or make AI systems available in the EU, regardless of where they are headquartered.

Already Applies: February 2025

AI Literacy Obligation

Every company that uses AI systems must be able to demonstrate that its employees have received adequate training. This applies not just to IT departments, but to everyone who uses AI.

Deadline: August 2026

Obligations for Providers and Deployers of High-Risk AI

From August 2026, the core obligations for high-risk AI come into full effect: risk management, technical documentation, human oversight, transparency requirements and reporting obligations to authorities. Any company operating a high-risk AI system must be compliant by that date.

Services

How I can help

AI Audit

Which AI tools are being used in your organisation — perhaps even under the radar? I help you get a complete picture.

Risk Assessment

Does the EU AI Act apply to your company? Which specific obligations apply to you, and in what role: deployer, provider, or both?

Internal Policies

Clear, practical guidelines for AI use that employees can understand and follow.

Training Programmes

Documented training for your team that meets the AI literacy obligation and is tailored to your specific use cases.

Contract Drafting

AI agreements with providers, licensing terms, liability clauses: I review contracts before you sign and draft the ones you put in front of others.

Ongoing Support

AI evolves fast, and the law keeps pace. I keep you up to date and support you in adapting your compliance framework when needed.

The Synergy Advantage

2 in 1: External DPO and AI advisory

If you appoint me as your external DPO, the AI advisory work builds on the same foundation: the initial assessment and onboarding do not have to be repeated, I already know your organisation, and you have a single point of contact for both areas — which overlap considerably in practice.

Do you know which AI tools are currently in use across your organisation?

For most executives, the fact that employees use AI comes as no surprise. That it carries legal risks often does. A short conversation is usually enough to get a first sense of where action is needed.