AI Compliance Needs Structure
78 percent of European companies have not yet taken any notable steps towards EU AI Act compliance. 83 percent have no inventory of their AI systems. 74 percent have not named a body responsible for AI governance. These figures do not come from a 2024 survey, but from the Vision Compliance Readiness Report of 2026. Four months before the deadline. The problem is not a lack of knowledge. Most managing directors have heard of the EU AI Act. The problem is a lack of structure.
Why the AI regulation is different
The EU AI Act is not a data protection law with a few new forms. The regulation comprises 180 recitals, 113 articles and 13 annexes. It distinguishes between prohibited practices, high-risk systems, systems with limited risk and minimal risk. It defines roles such as provider, deployer, importer and distributor, each triggering different obligations. And it requires documentation that has to be traceable for ten years. No company that does not engage intensively with the regulation can implement these requirements correctly on its own. That is not a weakness, but a consequence of the complexity of the rules.
Consulting remains important
I say this as someone who consults myself: for many SMEs, external support with AI compliance is sensible and often necessary. The risk classification of an AI-based applicant management system is a different task from that of a translation tool. The question of whether a company unintentionally becomes a provider by adapting an AI system requires expertise. And the fundamental rights impact assessment for high-risk systems is not a form you fill in on the side. Consulting provides context, experience and confidence with complex decisions.
What consulting alone does not solve
The problem begins where the consulting ends. A consultant creates an inventory, classifies systems and writes recommendations into a report. Then a PDF sits on the server. But compliance is not a state you establish once. It is an ongoing process. New AI systems are added, existing ones are changed, employees have to be trained, incidents have to be documented. Article 12 of the EU AI Act requires retention for ten years. Every change, every risk assessment, every measure has to be logged traceably. Excel lists and static reports fail exactly here. A forgotten entry, an overwritten cell, a missing version history, and the compliance evidence is worthless.
Structure as the foundation
What SMEs need is an end-to-end process that operationalises consulting knowledge. The first step is recording all AI systems in the company. Not only the obvious ones like ChatGPT or Copilot, but also the shadow AI in CRM systems, marketing tools or analytics platforms. Building on that come classification, risk assessment, training records and incident management. Every step has to be documented, versioned and auditable. That is not a project with a beginning and an end, but a cycle.
From methodology to platform
NADOVO began as a framework: a 5-phase methodology I use in consulting to guide SMEs through EU AI Act compliance in a structured way. The NADOVO Compliance Cycle covers the entire process, from inventory through risk classification to training records and incident management. This framework forms the basis for every compliance project I carry out with companies.
But a methodology alone does not solve the operational problem. Consulting results have to live somewhere, processes have to be versioned, changes logged traceably over ten years. That is why I developed NADOVO as a platform. The app operationalises the framework: automatic risk classification against Annex I and III, an immutable audit trail, exportable as PDF, CSV or JSON. Not an AI black box, but rule-based, deterministic results. Hosted on servers in Germany, without US cloud dependency.
NADOVO is currently in a closed beta. The first companies are testing the platform in practical use. As soon as solid results are available, I will report here in detail on the practical experience.
Start now, do not wait for the Omnibus
The European Parliament and the Council have set out their positions on the Digital Omnibus package, which among other things provides for deadline extensions for high-risk systems and relief for SMEs. The trilogues are underway. But the Omnibus is not yet applicable law. The general deployer obligations for August 2026 remain in place. And even with extended deadlines: implementing a structured compliance system takes, in our experience, 32 to 56 weeks. Whoever does not start now will not manage it in time. AI compliance is no secret. It is a craft. But like every craft, it needs the right tool.
Further reading:
About the author
Jochen Stier is co-founder of NADOVO with over 20 years of experience in process management and IT service management. He helps German SMEs implement the requirements of the EU AI Act systematically and pragmatically. His 5-phase framework NADOVO combines regulatory requirements with practical feasibility, without enterprise budgets or complex tools.
More articles
AI Technology Website Migration and SEO Ranking
Many fear a website migration destroys the Google ranking. That is true - if you do it wrong. What really happens and what matters.
read more ...
AI Technology Maintaining a Website Without an Agency
If you have a business website, you should be able to maintain it yourself. Why that does not work for most people - and how it can be done differently.
read more ...
AI Compliance Why I Built NADOVO
Why a process consultant with 20 years of experience builds his own AI compliance framework and his own platform - and what that has to do with the EU AI Act.
read more ...