Services · EU AI Act and AI Governance
The EU AI Act's first obligations have applied since February 2025; the next hard obligations come from August 2026 for high-risk AI systems and from August 2027 for embedded AI in regulated products. Anyone using Microsoft 365 Copilot, Copilot for Sales, Copilot for Service, Copilot Studio agents, or Microsoft Foundry is a deployer with obligations of its own, and anyone building their own agents is even a provider. arades GmbH advises you as a Microsoft Partner and Microsoft Licensing Partner on EU AI Act implementation in the Microsoft Cloud context: risk classification, documentation, AI governance, training. Fixed price, honest risk assessment, clear roadmap.
EU AI Act — definition and status 2026
The EU AI Act (Regulation (EU) 2024/1689) is the first comprehensive AI regulation worldwide. Published in July 2024, in force since August 1, 2024, with phased applicability over up to three years. As of May 2026 the first obligations are already active and the next stages are months away. Unlike GDPR and NIS2, the EU AI Act is not a "compliance on demand" law — it applies from day one, and fines are high (up to €35 million or 7% of global annual revenue for the most serious infringements).
For mid-market companies using Microsoft Copilot, Copilot Studio, or Microsoft Foundry, two roles arise. First — and this affects almost everyone: you are a deployer (user) of AI systems. This results primarily in training, transparency, and oversight obligations. Second — and this affects everyone building their own Copilot Studio agents or Foundry models: you become a provider of derived AI systems with significantly higher obligations — risk assessment, documentation, conformity assessment, bias testing, audit trails.
An honest EU AI Act advisory covers five areas:
As a Microsoft Partner based in Offenbach am Main, we serve mid-market companies across the Rhine-Main region and beyond — from Frankfurt through Darmstadt and Wiesbaden to Aschaffenburg.
EU AI Act phases
February 2025: Prohibition of unacceptable AI practices (social scoring, manipulative AI, untargeted scraping of facial images, emotion recognition in work/school, risk profiling for law enforcement without narrow exceptions). AI Literacy obligation: all employees who operate AI systems or use their outputs must be trained. This also affects Microsoft 365 Copilot users broadly.
August 2025: Obligations for general-purpose AI models (GPAI): technical documentation, copyright compliance, transparency report. This obligation affects Microsoft as a provider of the underlying models, but not directly its customers, with one exception: anyone substantially adapting a GPAI model (fine-tuning, own data basis at large volume) may become a provider and inherits the corresponding obligations. In addition, the AI Office at the EU Commission is operational and can take initial market surveillance actions.
August 2026: High-risk AI obligations become fully effective: risk management system, data governance, technical documentation, record-keeping (logs), transparency toward deployers, human oversight, accuracy and cybersecurity requirements, conformity assessment before placing on the market. Plus transparency obligations for AI-generated content (watermarking, labeling of chatbots, deepfakes). Anyone building or deploying high-risk AI has extensive work here. Anyone "only" using Microsoft Copilot Standard has mostly deployer obligations (see February 2025).
August 2027: Extended requirements for embedded AI in regulated products (medical devices, toys, machinery, lifts, pressure equipment, etc.), relevant for mid-market companies whose products already need CE conformity assessments. AI becomes part of the product conformity assessment here.
The four risk categories
The EU AI Act distinguishes four risk levels. The level your AI system falls into determines its obligations, the implementation effort, and the fine exposure.
Category 1 (prohibited): Generally banned AI systems: social scoring by authorities, manipulative AI against vulnerable groups, untargeted face scraping, emotion recognition in work or school, biometric categorization by protected attributes, real-time biometric identification in public spaces by law enforcement (with narrow exceptions). Fines up to €35 million or 7% of global annual revenue.
Category 2 (high risk): AI in regulated products or areas from Annex III: critical infrastructure, education and vocational training, employment and HR management (e.g., AI applicant screening), access to public services, law enforcement, asylum and migration management, justice, democratic processes. Plus embedded AI in regulated products (medical, machinery, toys). Extensive obligations on documentation, conformity assessment, human oversight, risk management system, logs, transparency.
Category 3 (limited risk): AI systems with transparency obligations: chatbots must identify themselves as AI (Microsoft Copilot Studio agents typically fall here), deepfakes must be labeled, AI-generated content needs watermarks (synthetic audio, video, text in certain contexts), emotion recognition outside work/school must be disclosed. Obligations are moderate but concrete to implement.
Category 4 (minimal risk): AI systems without specific obligations: spam filters, recommendation systems in e-commerce, AI in video games, translation tools, writing assistants. The majority of Microsoft 365 Copilot standard use cases typically fall here, but caution: as soon as Copilot is used in HR processes, customer-critical decisions, or regulatorily sensitive areas, the classification can move higher.
Microsoft Copilot & Foundry · specific compliance obligations
Microsoft Copilot is not one product but a product family with at least five relevant variants in the mid-market context. Each has a slightly different compliance logic under the EU AI Act:
Microsoft 365 Copilot: General productivity assistant for Word, Excel, PowerPoint, Outlook, Teams. In standard use typically Category 4 (minimal risk), but you as deployer are responsible for AI Literacy training (since Feb 2025). Specifically: employees must understand what Copilot does, where its limits lie, how data is processed, and how to verify output. We deliver training modules as part of the audit.
Copilot for Sales and Copilot for Service: App-specific Copilots in CRM and ERP. In most cases Category 4, but with impact on personnel decisions or credit scoring also Category 3 or 2. Example: if Copilot for Sales does lead prioritization that flows into account management, that is usually still Category 4. But if scores automatically lead to customer blocking without human review, it tips toward high risk.
Copilot Studio agents: This is where it gets complex: as soon as you build your own Copilot Studio agents, you typically become a provider of an AI system. Obligations depend on the agent's use case: an internal knowledge assistant is usually Category 4, an external customer service bot is Category 3 (transparency obligation: it must identify itself as AI), an HR screening bot would be Category 2 (high risk).
Microsoft Foundry: Anyone using Microsoft Foundry for RAG with their own data or fine-tuning of their own models moves into provider territory. GPAI obligations may apply here (documentation, copyright compliance, transparency report), plus all high-risk obligations if the use case falls into Annex III.
Microsoft provides several tools that technically support compliance: Microsoft Purview Audit (full audit trails for Copilot interactions — license E5 or add-on), Microsoft Defender for Cloud Apps (shadow-AI detection in the tenant), Microsoft Entra ID Conditional Access for AI workloads, Copilot Studio Governance Tools, Microsoft Foundry Content Safety (bias and toxicity filters, prompt shields). We configure these tools so EU AI Act obligations become technically demonstrable.
Three advisory formats
We deliver EU AI Act advisory in three clearly scoped fixed-price formats. You choose the format based on maturity and investment readiness. No hourly billing, no open end.
Quick Audit: 1-day audit with a subsequent written report. Content: inventory of currently used AI systems (Microsoft Copilot, Copilot Studio, Foundry, third-party), initial risk classification per use case, gap analysis against current EU AI Act obligations, three concrete immediate actions with expected impact. Suitable as a first audit or as preparation for a deeper governance buildout.
Fixed price · price on request
AI Governance Strategy Workshop: 2–3 days on-site in Offenbach, Frankfurt, or at your location, or remote via Microsoft Teams. Content: complete AI system inventory, risk classification per EU AI Act, AI Governance Register buildout, AI policy as a document, training plan for AI Literacy, roadmap for the August 2026 obligations, Microsoft Cloud configuration (Purview, Defender, Entra ID) as an action list.
Fixed price · price on request · delivery: 2–3 weeks
Architecture-as-a-Service: Quarterly AI governance reviews as a recurring service. For organizations operating multiple Copilot Studio agents or Foundry models that need continuous governance discipline: classifying new AI use cases, audit trail analysis, mandatory updates following EU market surveillance decisions, training updates for new employees, Microsoft feature assessments.
Price on request
The most common mistakes · what we regularly see in EU AI Act audits
The AI Literacy obligation has applied since February 2025 to all employees who operate AI systems or use their outputs. That covers nearly every Microsoft 365 Copilot user. In most companies this training simply hasn't happened — a documentable violation with fine potential. We deliver training modules including participation evidence as part of the Quick Audit.
Employees use unauthorized AI tools (ChatGPT free, Claude, Perplexity, local LLMs) for business data — often with data protection risk and without EU AI Act governance. Microsoft Defender for Cloud Apps detects this shadow AI in the tenant. We configure detection as part of the Strategy Workshop.
Custom Copilot Studio agents often grow in Power Platform sprawl without anyone checking whether an agent triggers a high-risk or transparency obligation under the EU AI Act. We check all agents in the tenant and classify them per Annex III.
High-risk AI systems must keep records of their use from August 2026. Microsoft Purview Audit can deliver this for Copilot interactions — but only if the license (Microsoft 365 E5 or Audit add-on) is in place and the configuration is active. In the audit we check license and configuration.
Chatbots in customer portals or on websites must identify themselves as AI from August 2026. We see bots marketed as "your personal advisor" — a clear violation of the transparency obligation. In the Strategy Workshop we revise the bot conversation logic.
The EU AI Act also regulates some of the information obligations between provider and deployer. Anyone using Microsoft Copilot should know the Microsoft contracts and Microsoft's EU AI Act documentation. Anyone using third-party AI should make sure the providers' obligations are reflected in their own contract terms. In the audit we review the contractual position.
Further
Platform overview of all Microsoft AI tools: Microsoft 365 Copilot, app Copilots, Copilot Studio, Microsoft Foundry.
NIS2 Quick Assessment, GDPR reviews. Compliance across multiple regulations (NIS2, EU AI Act, GDPR) considered together.
Holistic Microsoft advisory in which AI governance is an integral part alongside identity, security, and adoption.
Calculate Copilot licenses, check Microsoft 365 E5 add-ons for Purview Audit — as a fixed-price audit.
Anyone building Copilot Studio agents needs Power Platform governance. Audit, policies, and tooling for ALM and lifecycle.
AI Literacy training for Microsoft 365 Copilot, Copilot Studio workshops, Foundry model-build training. Fixed price per module.
Frequently asked questions on EU AI Act advisory
The EU AI Act (Regulation (EU) 2024/1689) is the world's first comprehensive AI law, in force since August 2024 with phased applicability. Since Feb 2025, prohibitions on unacceptable practices and AI Literacy obligations apply. From Aug 2025, GPAI obligations. From Aug 2026, full high-risk obligations and transparency requirements. From Aug 2027, extended high-risk obligations for embedded AI in regulated products.
Quick Audit, AI Governance Strategy Workshop, and Architecture-as-a-Service are available as fixed-price formats. Full EU AI Act implementation projects (inventory, classification, documentation, governance buildout, training) are calculated modularly depending on employee count and number of AI use cases. Prices on request.
You're in two roles: as a deployer (user) typically AI Literacy training, transparency, human oversight. As a provider of your own Copilot Studio agents or Foundry models, significantly higher obligations — risk assessment, conformity documentation, bias testing, audit trails. Microsoft itself is the provider of the underlying models and fulfills its share.
Category 1 — Prohibited (banned): e.g., social scoring, manipulative AI. Category 2 — High risk (extensive obligations): AI in regulated products or areas like HR, education, critical infrastructure. Category 3 — Limited risk (transparency obligation): chatbots, deepfakes, AI-generated content. Category 4 — Minimal: no specific obligations (spam filters, writing assistants).
A good partner combines regulatory understanding (EU AI Act, GDPR, NIS2 in interplay), deep Microsoft Cloud understanding (Copilot, Foundry, Purview, Defender), mid-market pragmatism, and fixed-price discipline. arades GmbH has been a Microsoft Partner since 2007 and runs its management on a CMMI-based methodology, with demonstrable experience of governance and audit requirements.
To take with you · two materials
Two depths for different reading needs. The factsheet is a quick reference (3–5 min) and immediately downloadable. The whitepaper is market education with methodology and comparison data (15–30 min) — you get it by email after a short request.
3–5 min read · direct download · no form
Concise overview: scope, key figures, pricing model, process — ideal to forward to CFO, procurement, or the business line.
15–30 min read · by email on request
Methodology, comparison data, recommendation framework — material for internal argumentation with stakeholders.
Related services
Parallel compliance obligation — same governance buildout, common audit structures.
AI in general — platform decision, RAG, Foundry, EU LLMs.
QM structures as the basis of sustainable AI governance.
AI architecture under regulatory constraints — tenant strategy, data governance.
Request EU AI Act advisory
30 minutes initial conversation — we clarify whether a Quick Audit, Strategy Workshop, or Architecture-as-a-Service is the right format. You get a concrete assessment promptly.
To take with you
Two-page quick reference with package structure, delivery areas, and three reasons for arades — immediately downloadable, no form. Ideal to forward to CFO, procurement, or IT lead.