EU AI Act Compliance and AI Governance

AI system risk classification, AI governance frameworks, FRIA impact assessments and ISO 42001 implementation. Practical and legally grounded.

The EU AI Act is in force and the first obligations are already active. Inventorying an AI portfolio, classifying risks, putting an AI governance framework in place and — for high-risk systems — running a Fundamental Rights Impact Assessment: this is no longer optional. It is the legal reality for organisations that deploy or supply AI.

DCBS combines legal analysis of the AI Act text with operational implementation through ISO 42001 as a management system. For further reading: see the article on FRIA execution under the EU AI Act.

01 — What it covers

AI Act in practice

Five building blocks: risk classification, AI governance framework, FRIA, ISO 42001 management system and ongoing AI compliance advice. Designed to align with your existing GDPR and data governance structure.

AI system risk classification

Systematic classification of AI systems under the AI Act: prohibited, high-risk, limited risk or minimal risk. Includes AI Act high-risk classification for Annex III systems and GPAI assessment for general-purpose AI.

AI governance framework setup

AI governance framework with policy, role allocation (AI owner, technical lead, DPO), inventory processes and escalation paths. Scalable from one AI system to a portfolio of dozens.

FRIA: high-risk AI impact assessment

Fundamental Rights Impact Assessment for high-risk AI systems: identification of affected fundamental rights, risk assessment, mitigations and accountability. In line with AI Act Article 27.

ISO 42001 implementation

ISO 42001 AI management system — the international management system for responsible AI. Implementation that builds on ISO 27001 or existing management cycles. Audit-ready without duplicate documentation tracks.

AI compliance advice and monitoring

Ongoing AI compliance advice on new AI implementations: vendor assessment, contract review, deployment impact and accountability towards supervision. Includes preparation for AI Act enforcement.

02 — When DCBS is relevant to you

AI portfolio not classified

A growing number of AI systems are deployed in operations, but there is no inventory, no risk classification and no clear view of which systems fall under which AI Act category.

High-risk AI system before go-live

An AI system under Annex III (critical infrastructure, education, employment, access to public services, law enforcement) is approaching go-live. It requires a FRIA, and the high-risk obligations must be met before market introduction.

ISO 42001 track under consideration

Clients or the organisation itself want a demonstrable AI management system. ISO 42001 implementation is the direction, but help is needed on gap analysis and alignment with existing ISO 27001 structure.

03 — What you get

Concrete deliverables

  • AI portfolio inventory with per-system risk classification
  • AI governance framework: policy, role allocation, escalation paths
  • FRIA report for high-risk systems, in line with AI Act Article 27
  • ISO 42001 gap analysis and implementation roadmap
  • AI literacy training material for key staff
  • Ongoing advisory line for new AI deployments

04 — Approach

Four steps

  1. Discovery & portfolio scan — inventory of AI systems in use, including shadow AI (productivity tools, embedded AI in SaaS). First-pass classification under AI Act categories.
  2. Risk classification & prioritisation — final per-system classification with corresponding obligations. Prioritisation by risk and go-live date.
  3. Governance implementation & FRIAs — setting up the governance framework, executing FRIAs for high-risk systems, deploying ISO 42001 controls.
  4. Embedding & AI literacy — ongoing monitoring, AI literacy training for relevant staff, preparation for AI Act enforcement and possible audits.

05 — For whom

Organisations that deploy or supply AI

DCBS works for organisations with AI systems in production or in the pipeline: financial institutions, (semi-)public sector organisations, organisations deploying AI in customer-facing processes, and international corporates. AI providers and AI deployers with obligations under the EU AI Act find here the combination of legal analysis and operational implementation. For specific case examples, see our cases.

Set up AI Act compliance?

Free 30-minute intake call. The conversation explores where your AI portfolio stands under the Act — and which priorities are feasible.
