Compliance
AI Agent Legal Framework — EU AI Act Compliance
From risk assessment to a complete compliance package: how SMEs deploy digital employees legally.
From August 2026, companies deploying AI agents with customer contact must meet extensive compliance requirements. This framework connects the EU AI Act and GDPR into a practical process: risk assessment, document generation, killswitch configuration and a tamper-proof hash chain. A wizard guides you through the entire process.
The Problem: Two Laws, No Tool
Anyone deploying an AI agent in production must comply with two regulatory frameworks simultaneously: the EU AI Act (transparency, risk assessment, logging) and GDPR (data protection, processing records, data subject rights). For large enterprises, expensive compliance platforms exist (EUR 50,000+/year). For SMEs, as of March 2026, no comparable product exists.
The result: most SMEs either ignore the topic or create documents manually in Word — with no connection between documents and no link to the actual agent configuration.
EU AI Act transparency obligations (Art. 50) apply from August 2, 2026. GDPR obligations (Art. 30, 35) already apply NOW for anyone processing personal data. Penalty: up to EUR 20 million or 4% of global annual turnover.
Legal Requirements Overview
| Requirement | Legal Source | Deadline | Max. Penalty |
|---|---|---|---|
| AI labeling at first contact | EU AI Act Art. 50(1) | 02.08.2026 | EUR 15M / 3% |
| Machine-readable content marking | EU AI Act Art. 50(2) | 02.08.2026 | EUR 15M / 3% |
| Human oversight / killswitch | EU AI Act Art. 14 | 02.08.2026 | EUR 15M / 3% |
| Automatic log retention (min. 6 months) | EU AI Act Art. 12 | 02.08.2026 | EUR 15M / 3% |
| Processing records | GDPR Art. 30 | NOW | EUR 20M / 4% |
| DPIA before deployment | GDPR Art. 35 | NOW | EUR 20M / 4% |
| Right to human review | GDPR Art. 22 | NOW | EUR 20M / 4% |
The Wizard Approach: Documents and Configuration from One Process
Core principle: compliance documents and agent configuration are generated in the same process. The agent is not set up first with the documentation catching up later; both are produced simultaneously. Only this way do reality and documentation match.
8-Step Wizard:
1. Agent Identity: Define name, email, company, role and tasks
2. Risk Assessment: Questionnaire: Limited Risk or High Risk? 10-15 questions
3. Scope & Permissions: Which systems? Read/Write/Create per system
4. GDPR Compliance: DPIA, processing records, privacy notice (auto-populated)
5. EU AI Act Compliance: Art. 50 Transparency Kit: email signature, social bio, voice announcement
6. Killswitch & Human Oversight: 3-level killswitch: PAUSE, STOP, DECOMMISSION
7. Generate Agent Configuration: SOUL.md, network policy, vault, start script
8. Finalize Compliance Package: PDF export, hash chain, git commit, ERP tracking
Risk Assessment: Limited Risk vs. High Risk
The EU AI Act distinguishes between risk classes. Most SME agents (customer service, email, social media) fall under "Limited Risk" — with transparency obligations but without the heavy requirements for high-risk systems.
| Question | If YES... | Risk Class |
|---|---|---|
| Does the agent make decisions with legal effect? | High Risk (Annex III) | HIGH |
| Does the agent process biometric data? | High Risk or prohibited | HIGH |
| Does the agent evaluate people (scoring, profiling)? | High Risk | HIGH |
| Does the agent only interact with customers (info, support)? | Limited Risk | LIMITED |
| Does the agent only create content (text, image)? | Limited Risk | LIMITED |
An agent that answers emails, posts on social media or forwards customer inquiries is typically Limited Risk. This means: transparency obligations (labeling) but no DPIA under EU AI Act Art. 9 and no conformity assessment. The GDPR DPIA may still be required.
3-Level Killswitch: Human Oversight per Art. 14
| Level | Action | When to Use |
|---|---|---|
| Level 1: PAUSE | Agent stops, saves state, waits for resume | Agent behaves unexpectedly, situation unclear |
| Level 2: STOP | Immediately terminate, cancel all running actions | Agent making errors that could cause damage |
| Level 3: DECOMMISSION | Permanently deactivate, revoke keys, archive logs | Agent no longer needed or compromised |
Who may trigger each level is defined in the wizard. Typical setup: the owner (CEO) can trigger all 3 levels. Team members can trigger Level 1 (PAUSE). Automated systems can trigger Level 1 on anomaly detection. Level 3 (DECOMMISSION) should always be manual.
Hash Chain: Tamper-Proof Documentation
Compliance documents must be provably unaltered. A SHA-256 hash chain ensures every change is traceable. If an old document is tampered with, all subsequent hashes break.
Hash chain principle:
Document v1 → SHA-256: a1b2c3... (previous: null)
Document v2 → SHA-256: d4e5f6... (previous: a1b2c3...)
Document v3 → SHA-256: g7h8i9... (previous: d4e5f6...)
Tamper with v1?
→ Hash of v1 changes
→ previous_hash of v2 no longer matches
→ Chain is broken = tampering detected
A hash chain is NOT a blockchain. It runs locally, needs no network and no cryptography infrastructure. It only proves that documents were not altered after the fact. For legally binding electronic signatures you need eIDAS / qualified signatures — that is a separate topic.
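The principle above as an added Python example (not the framework's own code): each entry hashes the previous entry hash together with the document digest, and verification returns the first version that no longer matches. The function names, the ledger layout and the sample documents are assumptions for illustration; the `trusted_head` check goes slightly beyond the text by covering the case where the whole ledger is recomputed after an edit.

```python
import hashlib
import json
from typing import Optional

GENESIS = None  # "previous: null" for the first document version


def entry_hash(content: bytes, previous: Optional[str]) -> str:
    """SHA-256 over the previous entry hash plus this version's content digest."""
    record = {
        "previous": previous,
        "content_sha256": hashlib.sha256(content).hexdigest(),
    }
    # Canonical JSON so the same record always serialises to the same bytes.
    blob = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(blob).hexdigest()


def build_chain(versions: list) -> list:
    """Build one ledger entry per document version, each linked to the last."""
    chain, previous = [], GENESIS
    for number, content in enumerate(versions, start=1):
        digest = entry_hash(content, previous)
        chain.append({"version": number, "previous": previous, "hash": digest})
        previous = digest
    return chain


def verify_chain(versions: list, chain: list, trusted_head: str) -> Optional[int]:
    """Return the first version number that fails, or None if the chain is intact."""
    if len(versions) != len(chain):
        return min(len(versions), len(chain)) + 1
    previous = GENESIS
    for content, entry in zip(versions, chain):
        if entry["previous"] != previous or entry["hash"] != entry_hash(content, previous):
            return entry["version"]
        previous = entry["hash"]
    # Whoever can rewrite the whole ledger can recompute every hash, so the
    # last hash is also compared with a copy kept outside the ledger.
    return None if previous == trusted_head else len(chain)


# Constructed sample: three versions of a DPIA text (hypothetical content).
DOCS = [b"DPIA v1: agent answers support email",
        b"DPIA v2: adds social media posting",
        b"DPIA v3: adds killswitch contacts"]
LEDGER = build_chain(DOCS)
HEAD = LEDGER[-1]["hash"]
```

Keep `HEAD` somewhere the person editing the documents cannot also rewrite; without that copy, a fully recomputed ledger verifies cleanly.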
Market Situation: No SME Product Available
| Provider | Target | Cost/Year | Agent-Specific? |
|---|---|---|---|
| Credo AI | Enterprise | EUR 50,000+ | Yes, but not for SMEs |
| Holistic AI | Enterprise | EUR 50,000+ | Partially |
| OneTrust | Enterprise | EUR 50,000+ | No, generic |
| AI Agent Legal Framework | SME | Open source (engine) | Yes, incl. agent configuration |
Studies show: only 56 out of 100 DACH SMEs know about the EU AI Act (compared to 82 out of 100 for GDPR). Awareness is low, the deadline is close. Those who start now have an advantage.
Key Takeaways
- ✓ EU AI Act Art. 50 deadline: August 2, 2026. Transparency obligations for ALL AI systems with customer contact.
- ✓ GDPR obligations (Art. 30, 35) already apply NOW. A DPIA is required before deploying an AI agent.
- ✓ Compliance documents and agent configuration must come from the same process — otherwise documentation will not match reality.
- ✓ 3-level killswitch (PAUSE, STOP, DECOMMISSION) is the practical path to Human Oversight per Art. 14.
- ✓ Hash chain (SHA-256) makes compliance documents tamper-proof — no blockchain needed, runs locally.
- ✓ No SME compliance tool exists currently. Those who act now gain an advantage before the deadline.