EU AI Act Governance Kit
58 ready-to-use documents for the complete implementation of the EU AI Regulation (EU) 2024/1689. Personalised with your company name, audit-ready, suitable for both AI providers and deployers.
Concrete risks & enforcement practice
Art. 4 AI literacy obligation
All staff using AI must be trained — from February 2025.
Fines up to EUR 35 million
Provider/deployer obligations + transparency (Art. 16, 26, 50): up to EUR 15 million / 3% revenue. Prohibited AI practices (Art. 5): up to EUR 35 million / 7%.
Document high-risk AI
Risk management, technical documentation, conformity assessment — all mandatory.
Everything you need under the EU AI Act
AI System Inventory & Classification
Complete inventory template, risk classification decision tree, prohibited practices screening (Art. 5), Annex III high-risk check.
AI Literacy (Art. 4)
AI literacy policy, training records, acceptable use policy. Mandatory since 2 February 2025.
Deployer Obligations (Art. 26)
Compliance checklist, usage logs, input data relevance review, employee notification, affected persons information.
Fundamental Rights Impact Assessment (Art. 27)
FRIA template + authority notification template for affected entities.
Provider Obligations (high-risk)
Risk management system (Art. 9), data governance (Art. 10), technical documentation Annex IV (Art. 11), logging, instructions for use, accuracy/robustness.
QMS, Conformity & Post-Market
QMS handbook (Art. 17), conformity assessment (Art. 43), declaration of conformity, EU database registration, post-market monitoring (Art. 72), incident response (Art. 73).
Transparency (Art. 50) & Watermarking
Disclosure templates, C2PA / SynthID watermarking concept for AI-generated content.
Complaint Channel (Art. 85)
Internal complaint channel concept with interfaces to GDPR, anti-discrimination law and whistleblower protection.
3 steps to your kit
Fill out the order form
Company details, VAT ID (optional, for reverse-charge), select your tier. You receive an immediate order confirmation by email.
Invoice & bank transfer
Within 24 hours (business days) you receive a proper invoice. Payment term 14 days by bank transfer. For EU B2B with valid VAT ID: reverse-charge.
Download by email
Once payment is received, you get a signed download link to all personalised professional templates. Link valid for 7 days, extendable once.
Choose your tier
Purchase as a business under § 1 KSchG / § 14 BGB. By clicking "Order" you accept our Terms and Privacy Policy.
Basis
- 58 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
Plus
- 58 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
- E-learning module (employee training)
Komplett
- 58 editable templates
- Personalised with your company name
- Buy once, always up-to-date
- 60-day money-back guarantee*
- License for buyer + corporate group (§ 15 AktG)
- E-learning module (employee training)
- Trainer pack (PowerPoint + trainer materials for in-house training)
All documents are pre-filled with your company name and license ID. Download link via email.
Multi-company license for corporate groups
Multiple independent sister companies without group affiliation (§ 15 AktG)? +50% surcharge extends the license to 3 companies in total (main customer + 2 sister companies).
Example: Plus 1,290 EUR × 1.50 = 1,935 EUR. Choose the multi-company license at checkout. Details in our Terms § 6.
Note: Templates are based on current case law and source-verified before delivery. Customisation to your specific company situation and final legal review are recommended. 60-day money-back guarantee* per Terms § 8.
What we stand for
Money-back guarantee
If you find any errors, we refund the full purchase price. Details in Terms § 8.
Always current
Updates without time limit within the major version: new regulatory guidelines, CJEU rulings, known follow-up phases of a regulation. Terms § 7.
Source-based + documented
Every document is based on EU regulatory text, BfDI/DSK/BSI/EDPB guidelines, and supreme court case law — the as-of date is noted in each document.
Frequently asked questions
Am I affected by the EU AI Act?
Yes, as soon as you deploy or provide AI systems. A common misconception is that only AI companies are affected: in fact, every user of ChatGPT, Microsoft 365 Copilot, DeepL or automated recruiting tools is a deployer under Art. 3(4) EU AI Act. Art. 4 (AI literacy obligation) has applied since 02.02.2025, even if you don't consider yourself an "AI company". You are a provider if you develop AI systems or market them under your own name. High-risk obligations (Annex III: HR, education, law enforcement) additionally apply from 02.08.2026.
Which tier fits me — Basis, Plus or Komplett?
Basis (EUR 990 net) — You have internal compliance staff (DPO/CISO/HR lead) who can adapt and implement all documents themselves. No employee e-learning required.
Plus (EUR 1,290 net) — most popular — You want to train employees interactively (e.g. to fulfil the AI literacy obligation under Art. 4 EU AI Act or the Section 12 AGG protective measures for the liability privilege). Includes a ready-made e-learning module with quiz and attendance certificate.
Komplett (EUR 1,490 net) — You want to run the trainings internally and repeatedly (e.g. for new hires) without booking an external trainer every time. Additionally includes the Trainer Pack: PowerPoint slides with notes, trainer handbook and quiz pool.
What is included in the kit?
58 editable templates covering the full EU AI Act compliance cycle: AI inventory + risk classification, AI literacy policy (Art. 4), deployer obligations (Art. 26), Fundamental Rights Impact Assessment (Art. 27), provider obligations (Art. 9-15), QMS handbook (Art. 17), conformity assessment (Art. 43), post-market monitoring (Art. 72), incident response (Art. 73), transparency disclosures (Art. 50), complaint channel (Art. 85). Personalised with your company name.
Can I keep the templates forever?
Yes. After purchase you receive a download link containing all personalised professional templates. The files belong to you completely — you can store, integrate, edit and archive them. No cloud dependency, no per-device license activation, no internet connection required for use.
What does "buy once, always up-to-date" mean?
You receive all updates of the kit as long as the kit is maintained in its current major version. Updates arrive when authorities publish new guidance, new case law is published, or known follow-up phases of a regulation kick in (e.g., EU AI Act Annex III from 02.08.2026). If a substantially new regulation supersedes the existing one, a new major version emerges — existing customers receive a 50% discount. Details in Terms § 7.
What does the 60-day money-back guarantee cover?
If the content of a template is provably legally incorrect (proven by a lawyer's letter or authority statement), we refund the purchase price. Deadline: 60 days from delivery. Details in Terms § 8.
When does the EU AI Act apply to me?
Staged entry into force: prohibited practices and AI literacy (Art. 4) since 02.02.2025. General-Purpose AI rules since 02.08.2025. High-risk AI (Annex III) from 02.08.2026. AI under EU product safety law from 02.08.2027. Even if you only deploy third-party AI tools (ChatGPT, Copilot), Art. 4 AI literacy applies from day one.
Am I a provider or a deployer?
Provider = you develop / place AI on the market under your name. Deployer = you use AI under your authority (e.g., internal HR AI). Most SMEs are deployers. Watch out: significant modification of a third-party AI can make you a provider (Art. 25), with full Annex IV documentation duties.
What about fines?
Up to EUR 35 million or 7% of worldwide annual turnover for prohibited practices (Art. 5). Up to EUR 15 million or 3% for other infringements. Up to EUR 7.5 million or 1% for incorrect information to authorities. Significantly higher than the GDPR ceiling.
Does the AI Act overlap with GDPR?
Yes. AI systems processing personal data trigger both regimes. DPIA (GDPR Art. 35) and FRIA (AI Act Art. 27) overlap and can be combined. The kit includes a mapping matrix and a combined DPIA/FRIA template.
Am I subject to the EU AI Act if we only use ChatGPT internally?
Yes, as a Deployer under Art. 3(4) EU AI Act. Obligations: AI literacy under Art. 4 (since 02.02.2025), risk classification of the specific use case, and human oversight where applicable. If ChatGPT is used for HR, recruiting, evaluations or other Annex III areas, the high-risk obligations kick in from 02.08.2026 (Digital Omnibus proposal 19.11.2025: shift to 02.12.2027 — not yet adopted, trilogue ongoing).
Do working students and interns need AI training?
Yes, if they use AI systems or work with their outputs (Art. 4). "Staff and other persons" covers everyone in an organisation who uses AI — regardless of contract type. Industry standard: 30-60 minute introductory training with a knowledge test and certificate.
Is an HR recruiting tool high-risk under Annex III?
Yes, very likely. Annex III No. 4(a) EU AI Act covers AI systems for recruitment, selection and evaluation of candidates. Obligations from 02.08.2026: risk management, technical documentation per Annex IV, human oversight, FRIA for Deployers (Digital Omnibus proposal 19.11.2025: shift to 02.12.2027 — not yet adopted). German AGG liability already applies TODAY: in cases of algorithmic discrimination indicators, the employer bears the burden of proof under § 22 AGG.
Is ISO 42001 sufficient as proof of EU AI Act compliance?
ISO 42001 (AI Management System) covers a large part of the obligations — particularly Art. 9 (risk management) and Art. 17 (QMS). Not included: conformity assessment (Art. 43), EU database registration (Art. 49), FRIA (Art. 27), GPAI Code of Practice. ISO 42001 is a useful building block but not a complete substitute.
When do I become a Provider through "substantial modification"?
Under Art. 25 EU AI Act, when you substantially modify an AI system, place it on the market under your own name, or substantially change its intended purpose. Example: you build your own RAG system on top of a GPAI API and market it as a "legal AI assistant". Consequence: full Provider obligations apply.
What is GPAI with systemic risk?
GPAI models with cumulative training compute of ≥ 10²⁵ FLOPs are classified as systemically risky (Art. 51 EU AI Act). Currently (2026) this only captures the largest frontier models (GPT-4 class, Claude Opus, Gemini Ultra). Obligations under Art. 55: model evaluation, adversarial testing, incident reporting to the AI Office.
Do we have to label AI-generated marketing copy?
From 02.08.2026 yes — Art. 50(4) EU AI Act requires labelling of AI-generated text on matters of public interest (Digital Omnibus proposal 19.11.2025: shift to 02.12.2027 — not yet adopted, trilogue ongoing). Exemptions: editorial human review, artistic contexts. Practical recommendation: build in disclaimers now — good for consumer trust.
AI literacy under Art. 4 — how long is "sufficient"?
The regulation does not specify a number of hours. Industry recommendation (Bitkom, TÜV-Akademie): 2-4 hours of basic training, deepened by role. Content: AI definition, risk categories, prohibited practices (Art. 5), transparency obligations (Art. 50), human oversight, automation bias. With quiz and attendance record.
What are the prohibited AI practices under Art. 5?
Eight main categories (in force since 02.02.2025): manipulation through subliminal techniques; exploitation of vulnerabilities; social scoring by public authorities; real-time biometrics in public spaces (law enforcement exceptions); predictive policing; image databases through indiscriminate scraping; emotion recognition in the workplace; biometric categorisation. Fines up to EUR 35 million / 7% of turnover.
Do I need an AI officer?
The EU AI Act does not provide for an "AI officer" analogous to the DPO. However: Art. 26(2) requires Deployers of high-risk AI to assign persons with the necessary competence, training and authority for human oversight. Industry standard: AI Governance Officer plus formal appointment in the Deployer role.
Microsoft Copilot — does it fall under the AI Act?
Yes. Copilot is a GPAI system (Microsoft as Provider) plus possible embedded high-risk use cases (e.g., recruiting). As a Deployer you must classify use cases, provide AI literacy training, and conduct a FRIA where applicable. Microsoft fulfils the Provider obligations itself; you are responsible for the deployment.
What is the AI Office?
The AI Office is a unit within the EU Commission (DG CNECT), responsible for enforcing GPAI obligations, the Code of Practice (final 10.07.2025), sandbox coordination, and technical standards. Market surveillance for non-GPAI obligations rests with the national authorities (DE: Bundesnetzagentur).
AI Act for SMEs — are there any relaxations?
Limited. Art. 62 EU AI Act provides SME preferential treatment on conformity assessment fees. Art. 57 creates regulatory sandboxes (DE: Bundesnetzagentur as national sandbox authority) — SME-prioritised. The substantive obligations (Annex III) apply unchanged.
Am I subject to the AI Act if I only use SaaS tools with AI features (e.g., Zoom transcription)?
Yes, as a Deployer under the EU AI Act. AI literacy under Art. 4 is mandatory. For additional Annex III use cases (HR, profiling), the high-risk Deployer obligations kick in from 12/2027. An inventory of all deployed AI features is the first step.
Conformity assessment — internal or external?
For most high-risk AI systems: internal conformity assessment (Art. 43(2)). External assessment by a notified body only in special cases (Annex III No. 1: biometrics plus certain sub-categories). 90% of high-risk applications can be assessed internally — with a documented QMS.