Guide for determining which EU regulations (AI Act, NIS2, GDPR) apply to your organisation. The quick test gives a first answer; the scope sections that follow give the criteria behind each row.
Quick test
Question 1: Do you use AI systems?
Do you use or develop AI/ML systems? The role you play determines which obligations you carry.
| Answer | Result |
|---|---|
| YES --- You develop or train your own AI system and place it on the market or put it into service | The AI Act applies --- provider obligations |
| YES --- You use a third-party AI system (e.g. Claude, GPT) under your own authority | The AI Act applies --- deployer obligations |
| YES --- You resell a third party's AI system unchanged | The AI Act applies --- distributor obligations (if you put your own name on it or substantially modify a high-risk system, you become the provider, Art. 25) |
| NO | The AI Act does not apply (but monitor developments; most organisations end up as deployers sooner or later) |
Question 2: Do you provide critical services?
Are you in any of these sectors? The category is only the first step: the size thresholds in the NIS2 section decide whether you are in scope at all, and a few entity types are in scope regardless of size.
| Sector | NIS2 category (subject to size) |
|---|---|
| Cloud computing, DNS, data centres, CDNs | Essential (DNS service providers and TLD registries regardless of size) |
| Banking (credit institutions), financial market infrastructure | Essential (DORA takes precedence for ICT risk management and incident reporting; insurance is not an NIS2 sector) |
| Healthcare, hospitals | Essential |
| Energy, transport | Essential |
| Public administration (central government) | Essential regardless of size |
| Online marketplaces, search engines, social networks | Important |
| Manufacturing (machinery, electronics, vehicles, medical devices); food production and distribution | Important |
| Postal services, waste management | Important |
| None of the above | Probably out of scope (verify with a lawyer: size, national transposition and Member State designations decide) |
Question 3: Do you process personal data?
Do you process data about identified or identifiable natural persons (names, emails, IP addresses, cookie identifiers, device IDs)?
| Answer | Result |
|---|---|
| YES --- Customers | GDPR applies --- you must have a legal basis (usually contract) |
| YES --- Employees | GDPR applies --- you must have a legal basis (contract and employment law; consent is rarely valid given the power imbalance) |
| YES --- Website users | GDPR applies --- privacy policy, and consent for non-essential cookies and trackers (ePrivacy rules) |
| YES --- B2B contacts | GDPR applies --- business contact details of natural persons are still personal data; legitimate interest with a documented balancing test and an opt-out |
| NO | GDPR does not apply (very rare: almost every organisation at least holds employee or contact data) |
AI Act Scope
Who falls under the AI Act?
| Role | Definition | Example | Obligations |
|---|---|---|---|
| Provider | Develops or trains an AI system (or has it developed) and places it on the EU market or puts it into service under its own name | Own ML models; a third-party model rebranded as your product | Highest |
| Deployer | Uses an AI system under its own authority (outside personal, non-professional use) | Uses Claude in internal tooling or a customer-facing feature | Medium |
| Importer | Established in the EU and places on the market an AI system bearing the name of a non-EU provider | US AI system brought to the EU | Medium |
| Distributor | Makes an AI system available on the EU market without being the provider or importer | Reselling an unchanged AI system | Lower |
The roles are not fixed: under Art. 25 a distributor, importer or deployer is treated as the provider of a high-risk system if they put their name or trademark on it, substantially modify it, or change its intended purpose so that it becomes high-risk. Providers of general-purpose AI models carry separate obligations (Chapter V).
Risk classification
Obligations scale with the risk tier the system falls into, not with the size of the organisation.
| Tier | What falls in it | Consequence |
|---|---|---|
| Unacceptable risk (Art. 5) | Prohibited practices: manipulative or exploitative techniques causing significant harm, social scoring, untargeted scraping of facial images to build recognition databases, emotion recognition in workplaces and schools, most real-time remote biometric identification in public spaces for law enforcement | Banned |
| High risk (Art. 6, Annex I and III) | Safety components of regulated products, plus the Annex III use cases: biometrics, critical infrastructure, education, employment and worker management, access to essential services (including creditworthiness evaluation of natural persons), law enforcement, migration and border control, justice | Risk management, data governance, technical documentation, logging, human oversight, conformity assessment, registration; deployers must use the system as instructed and monitor it |
| Limited risk (Art. 50) | Systems interacting with people (chatbots), emotion recognition and biometric categorisation, synthetic content and deepfakes | Transparency: tell people they are dealing with an AI, label generated content |
| Minimal risk | Everything else (spam filters, quality-control models, most analytics) | No mandatory obligations; voluntary codes of conduct |
NIS2 Scope
Criteria for scope determination
Two criteria combine: the sector annex the entity belongs to and its size under the EU SME definition (Recommendation 2003/361/EC), which NIS2 Art. 2 and Art. 3 reference. Note that the financial ceilings are tested together: an entity below the headcount threshold is large only if it exceeds both the turnover and the balance-sheet ceiling.
| Criterion | Essential | Important | Out of scope |
|---|---|---|---|
| Sector | Annex I (large enterprises), plus DNS service providers, TLD registries, qualified trust service providers and central government regardless of size | Annex I (medium-sized) or Annex II (medium-sized or larger) | Neither annex |
| Size | Large: 250 or more employees, OR turnover >EUR 50M AND balance sheet >EUR 43M | Medium: 50 or more employees, OR turnover >EUR 10M AND balance sheet >EUR 10M | Small or micro: fewer than 50 employees AND turnover or balance sheet at most EUR 10M |
Member States may additionally designate smaller entities (for example the sole provider of a service essential to society), so the size test is a strong indicator, not a guarantee.
Annex I - Essential Entities (higher obligations)
| Sector | Examples |
|---|---|
| Energy | Electricity, gas, oil, hydrogen, district heating and cooling |
| Transport | Aviation, rail, waterborne, road |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Healthcare providers, EU reference laboratories, medicinal product R&D and manufacturing, manufacturers of medical devices deemed critical in a public health emergency |
| Drinking water | Drinking water suppliers |
| Waste water | Waste water collection and treatment |
| Digital infrastructure | IXPs, DNS, TLD registries, cloud computing, data centres, CDNs, trust service providers, public electronic communications networks and services |
| ICT service management (B2B) | Managed service providers, managed security service providers |
| Public administration | Central government entities; regional entities as defined by the Member State |
| Space | Ground-based infrastructure operators for space services |
Annex II - Important Entities (lower obligations)
| Sector | Examples |
|---|---|
| Postal and courier services | Couriers, postal operators |
| Waste management | Waste processing |
| Chemicals | Manufacture, production and distribution of chemicals |
| Food | Production, processing and distribution of food |
| Manufacturing | Medical devices and in-vitro diagnostics, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment |
| Digital providers | Online marketplaces, online search engines, social networking platforms |
| Research | Research organisations |
NIS2 Decision Tree
- Is the entity a DNS service provider, TLD registry, qualified trust service provider or central government body? Yes: essential, regardless of size.
- Is the entity's sector listed in Annex I or Annex II? No: out of scope (unless designated by a Member State).
- Is the entity medium-sized or larger (50 or more employees, or turnover >EUR 10M and balance sheet >EUR 10M)? No: out of scope (same caveat).
- Annex I and large (250 or more employees, or turnover >EUR 50M and balance sheet >EUR 43M)? Yes: essential.
- Otherwise (medium-sized Annex I, or any in-scope Annex II): important.
- Register with the national competent authority by the transposition deadline in your Member State; essential entities face proactive supervision, important entities reactive supervision.
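The decision tree above, written out as a classifier so the and/or logic of the size test is explicit. This is an added example, not part of the original guide. It assumes the SME size bands from Recommendation 2003/361/EC (headcount in annual work units, turnover and balance-sheet totals in EUR) and uses a hypothetical, non-exhaustive set of entity-type keys for the size-independent cases in NIS2 Art. 3(1). The sample entities, including their balance-sheet totals, are constructed for illustration.

```python
"""NIS2 scope classifier: a decision tree over sector annex and enterprise size.

Added example, not from the original guide. Size bands follow the SME
definition in Recommendation 2003/361/EC (Annex, Art. 2), which NIS2
Art. 2(1) and Art. 3 reference. The size-independent entity types are a
subset of NIS2 Art. 3(1), keyed by hypothetical strings.
"""
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    I = "Annex I (sectors of high criticality)"
    II = "Annex II (other critical sectors)"
    NONE = "not listed"


class Category(Enum):
    ESSENTIAL = "essential entity"
    IMPORTANT = "important entity"
    OUT_OF_SCOPE = "out of scope (verify national transposition)"


# Entity types treated as essential regardless of size (NIS2 Art. 3(1)):
# qualified trust service providers, TLD name registries, DNS service
# providers and central government bodies. Keys are hypothetical.
SIZE_INDEPENDENT_ESSENTIAL = {
    "dns_service_provider",
    "tld_name_registry",
    "qualified_trust_service_provider",
    "central_government",
}


@dataclass(frozen=True)
class Entity:
    entity_type: str         # hypothetical key, e.g. "cloud_computing"
    annex: Annex
    headcount: float         # annual work units
    turnover_eur: float
    balance_sheet_eur: float


def exceeds_medium_ceilings(e: Entity) -> bool:
    """'Large' under the SME definition: 250+ staff, or BOTH financial
    ceilings for a medium enterprise (EUR 50M turnover, EUR 43M balance
    sheet) exceeded. One exceeded financial ceiling alone is not enough."""
    return e.headcount >= 250 or (
        e.turnover_eur > 50_000_000 and e.balance_sheet_eur > 43_000_000
    )


def is_medium_or_larger(e: Entity) -> bool:
    """NIS2 Art. 2(1): in scope if medium-sized or larger, i.e. NOT small.
    Small = under 50 staff AND (turnover OR balance sheet <= EUR 10M), so an
    entity with under 50 staff is still in scope when both financial
    figures exceed EUR 10M."""
    return e.headcount >= 50 or (
        e.turnover_eur > 10_000_000 and e.balance_sheet_eur > 10_000_000
    )


def classify(e: Entity) -> Category:
    """Decision tree: size-independent types -> sector annex -> size band."""
    if e.entity_type in SIZE_INDEPENDENT_ESSENTIAL:
        return Category.ESSENTIAL
    if e.annex is Annex.NONE:
        return Category.OUT_OF_SCOPE
    if not is_medium_or_larger(e):
        # Art. 2(2) still catches some small entities (sole providers of an
        # essential service, Member State designations); flag for review.
        return Category.OUT_OF_SCOPE
    if e.annex is Annex.I and exceeds_medium_ceilings(e):
        return Category.ESSENTIAL
    # Medium-sized Annex I entities and every in-scope Annex II entity
    return Category.IMPORTANT


# Constructed samples mirroring the guide's scenarios plus edge cases.
# Balance-sheet totals are assumed; the guide only lists turnover.
SAMPLES = {
    "saas_50_staff":        Entity("cloud_computing", Annex.I, 50, 5e6, 3e6),
    "bank_500_staff":       Entity("credit_institution", Annex.I, 500, 100e6, 2e9),
    "manufacturer_100":     Entity("machinery_manufacturer", Annex.II, 100, 20e6, 15e6),
    "consultancy_30":       Entity("consulting", Annex.NONE, 30, 3e6, 1e6),
    "dns_provider_12":      Entity("dns_service_provider", Annex.I, 12, 1e6, 0.5e6),
    "cloud_40_staff_rich":  Entity("cloud_computing", Annex.I, 40, 12e6, 11e6),
    "cloud_40_staff_lean":  Entity("cloud_computing", Annex.I, 40, 12e6, 4e6),
    "datacentre_300_staff": Entity("data_centre", Annex.I, 300, 20e6, 30e6),
}


def classify_all(samples=SAMPLES) -> dict:
    """Map each sample name to its NIS2 category."""
    return {name: classify(e) for name, e in samples.items()}


if __name__ == "__main__":
    for name, cat in classify_all().items():
        print(f"{name:22s} -> {cat.value}")
```

The two 40-person cloud providers are the instructive pair: with EUR 12M turnover both exceed one financial ceiling, but only the one whose balance sheet also exceeds EUR 10M counts as medium-sized and lands in scope. A rule that tests turnover alone, as the page's summary table does, would put both in or both out.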
GDPR Scope
Who falls under GDPR?
GDPR applies to every organisation that:
- Is established in the EU and processes personal data (wherever the processing itself takes place)
- Is established outside the EU but:
  - Offers goods or services to persons in the EU (whether or not payment is required)
  - Monitors the behaviour of persons in the EU (for example profiling or tracking)
Types of processing
| Data type | Examples | Typical legal basis |
|---|---|---|
| Customers | Names, emails, orders | Contract (Art. 6(1)(b)) |
| Employees | Salaries, attendance, evaluations | Contract and employment law (Art. 6(1)(b), (c)) |
| Marketing | Newsletter, cookies | Consent (Art. 6(1)(a)); non-essential cookies additionally need ePrivacy consent |
| Analytics | IP addresses, device info | Legitimate interest (Art. 6(1)(f)) for server-side logs; client-side trackers and device identifiers still need consent under ePrivacy |
| Health | Diagnoses, records | Art. 6 basis plus an Art. 9(2) exception (explicit consent, or healthcare/employment law) |
Special Category Data (Art. 9)
Processing of special categories is prohibited unless one of the Art. 9(2) exceptions applies; explicit consent is only one of them (others include employment and social security law, vital interests, healthcare provision, substantial public interest and scientific research, each subject to conditions). The categories are:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data used to uniquely identify a person
- Health data
- Sex life or sexual orientation
Overlap matrix
"Applies" for the AI Act means the organisation will have obligations as soon as it uses or builds an AI system; the tier of those obligations depends on the use case, not the sector.
| Sector | AI Act | NIS2 | GDPR |
|---|---|---|---|
| SaaS/Cloud | Applies | Applies if medium-sized or larger (Annex I) | Applies |
| Finance | Applies (credit scoring of natural persons is high-risk) | Applies (Annex I; DORA governs ICT risk for financial entities) | Applies |
| Healthcare | Applies | Applies (Annex I) | Applies (Art. 9 health data) |
| E-commerce | Applies | Depends on size (online marketplaces are Annex II) | Applies |
| Manufacturing | Applies | Depends on size (Annex II) | Applies |
| Consulting | Applies if AI is used | Likely not (not an annex sector) | Applies |
| Media | Applies if AI is used (generated content must be labelled, Art. 50) | Likely not | Applies |
Example scenarios
Scenario 1: SaaS Startup (50 employees, EUR 5M turnover)
| Regulation | Applicable? | Reason |
|---|---|---|
| AI Act | Yes (deployer) | Uses Claude for customer support; users must be told they are interacting with an AI (Art. 50) |
| NIS2 | Likely (Important) | Cloud computing is Annex I; 50 employees meets the medium-enterprise threshold on headcount (EUR 5M turnover alone would not), so in scope but not essential |
| GDPR | Yes | Customer data, employee data |
Scenario 2: Bank (500 employees, EUR 100M turnover)
| Regulation | Applicable? | Reason |
|---|---|---|
| AI Act | Yes (high-risk) | Credit scoring of natural persons is Annex III high-risk; fraud-detection systems are expressly excluded from that category but remain in scope at a lower tier |
| NIS2 | Yes (Essential) | Annex I banking, large enterprise; DORA is lex specialis for ICT risk management and incident reporting (NIS2 Art. 4) |
| GDPR | Yes | Customer financial data; solely automated credit decisions also engage Art. 22 |
Scenario 3: Manufacturing company (100 employees, EUR 20M turnover)
| Regulation | Applicable? | Reason |
|---|---|---|
| AI Act | Yes (likely minimal risk) | Quality-control and analytics models carry no mandatory obligations; AI used to manage or monitor workers would be Annex III high-risk |
| NIS2 | Yes (Important) | Annex II manufacturing, medium-sized (100 employees) |
| GDPR | Yes | Employee data, B2B contacts |
Next steps
- Determine scope for each regulation, recording the sector, size figures and role (provider/deployer) you relied on
- Consult a lawyer for edge cases and for the national transposition of NIS2 in each Member State where you operate
- Document your decisions for the audit trail
- Start with compliance -> Checklists