Token Effort

AI and regulation

The landscape

Rules that do not stand still.

AI regulation is not a finished chapter — it is a chapter being written while you read it. The EU AI Act entered into force in 2024 and is being rolled out towards 2026, but it is only the framework. Delegated acts, technical standards and national interpretations keep filling the gap between legal text and operational reality. Datatilsynet, the Danish Data Protection Authority, publishes guidance. The EDPB clarifies. Courts decide. For a company that wants to use AI responsibly, it is not enough to have read the law once. The landscape moves, and the requirements for your solutions move with it.

The EU AI Act

Risk-based, and unforgiving for those who do not keep up.

The EU AI Act classifies AI systems by risk — from unacceptable to minimal — and imposes very different obligations depending on where your solution lands. High-risk systems, such as automated decisions about creditworthiness, employment or health, require documentation, human oversight, audit trails and registration in an EU database. Generative AI — the category large language models belong to — has its own requirements: transparency around AI-generated content, copyright safeguards and risk assessments for the most powerful models. These requirements are not designed to block innovation. They are not designed to be ignored either.

GDPR & AI

The General Data Protection Regulation did not pause because AI arrived.

GDPR applies in full, including when processing happens inside a language model. That creates concrete requirements for any AI solution that touches personal data: what is the legal basis for processing? Does the solution follow the principle of data minimisation? And if the AI makes or supports decisions about people — what about the right to human review? Article 22 on automated decisions is not new, but it is suddenly very relevant. The right to an explanation, access, erasure and objection does not disappear because an answer comes from a model rather than a human. And the question of what happens to data sent to an external LLM provider is not merely technical. It is legal.

Data governance

Who owns what — and who is responsible?

Data governance in an AI context is about more than backup policies. It is about understanding the data flows across the whole system: what is sent to the model, what is logged, what is used to improve it, and who can access what along the way. Many companies discover too late that operational data — product information, customer data, internal processes — has unintentionally ended up in a training pipeline at a third-party provider. Or that they cannot document what an AI system recommended and when, because no audit trail was built in. Good data governance is not bureaucracy. It is the infrastructure that makes it possible to prove that you acted responsibly.

Our approach

Compliance by design — not compliance by accident.

At Token Effort, we do not build solutions and add compliance as a layer afterwards. We build them with the regulation inside the architecture from day one. In practice, that means choosing models and providers that support GDPR and EU AI Act obligations; designing data flows that minimise exposure; adding audit trails and logging that give you answers when questions arrive; and keeping an eye on the regulatory landscape so we can warn you before a change hits. We are not lawyers, and we do not replace legal advice. We are the technical partner that makes sure your solutions are built to withstand review — not to avoid it.

The partnership

The law changes. Your solutions do not have to fall behind.

The distinct value in working with Token Effort is that you do not only get a supplier who builds what you ask for and disappears. You get a partner who follows the development and proactively adapts your solutions when rules change. The EU AI Act is not the last word. National implementation, sector-specific regulation and court decisions will continue to shape requirements in the coming years. Companies that have built AI on a solid foundation will adapt without drama. Those that have not will have to rethink from the ground up — at the worst possible time. Choose to build it correctly from the start.