[{"data":1,"prerenderedAt":665},["ShallowReactive",2],{"navigation":3,"\u002Fen\u002Fblog\u002Feu-ai-act-hosting":294,"\u002Fen\u002Fblog\u002Feu-ai-act-hosting-surround":660},[4,8,12,16,20,24,28,32,36,40,44,48,52,56,60,64,68,72,76,80,84,88,92,96,100,104,108,112,116,120,124,128,132,136,140,144,148,152,156,160,164,168,172,176,180,184,188,207,219,250,287],{"title":5,"path":6,"stem":7},"Build and Deploy a Modern Website in 5 Minutes","\u002Fen\u002Fblog\u002Fbuild-with-loveable","en\u002F3.blog\u002F1.build-with-loveable",{"title":9,"path":10,"stem":11},"The Vercel Alternative for the German Mittelstand: Sovereign Hosting on Hetzner with lowcloud","\u002Fen\u002Fblog\u002Fdigital-sovereignty-lowcloud-vs-vercel-b2b","en\u002F3.blog\u002F10.digital-sovereignty-lowcloud-vs-vercel-b2b",{"title":13,"path":14,"stem":15},"Cloud Sovereignty Framework: How the EU Is Finally Making Cloud Sovereignty Measurable","\u002Fen\u002Fblog\u002Fcloud-sovereignty-framework","en\u002F3.blog\u002F12.cloud-sovereignty-framework",{"title":17,"path":18,"stem":19},"Avoiding Cloud Vendor Lock-in: What Real Sovereignty Means Technically","\u002Fen\u002Fblog\u002Fcloud-vendor-lock-in","en\u002F3.blog\u002F13.cloud-vendor-lock-in",{"title":21,"path":22,"stem":23},"Digital Sovereignty with Kubernetes: When Is Open Source Truly Sovereign?","\u002Fen\u002Fblog\u002Fkubernetes-digital-sovereignty","en\u002F3.blog\u002F14.kubernetes-digital-sovereignty",{"title":25,"path":26,"stem":27},"What Is DevOps as a Service and When Does It Actually Make Sense?","\u002Fen\u002Fblog\u002Fdevops-as-a-service","en\u002F3.blog\u002F15.devops-as-a-service",{"title":29,"path":30,"stem":31},"Cloud Sovereignty Governance: Why This Topic Belongs in the Boardroom, Not the Server Room","\u002Fen\u002Fblog\u002Fcloud-sovereignty-governance","en\u002F3.blog\u002F16.cloud-sovereignty-governance",{"title":33,"path":34,"stem":35},"PaaS vs. DaaS: What","\u002Fen\u002Fblog\u002Fpaas-vs-daas","en\u002F3.blog\u002F17.paas-vs-daas",{"title":37,"path":38,"stem":39},"Sovereign Cloud: Can SaaS Really Maintain Control Over Your Data?","\u002Fen\u002Fblog\u002Fsovereign-cloud-saas-data-control","en\u002F3.blog\u002F18.sovereign-cloud-saas-data-control",{"title":41,"path":42,"stem":43},"DevOps vs. DevOps as a Service – Which One Fits Your Team?","\u002Fen\u002Fblog\u002Fdevops-vs-devops-as-a-service","en\u002F3.blog\u002F19.devops-vs-devops-as-a-service",{"title":45,"path":46,"stem":47},"Docker Fundamentals -  Understanding Container Virtualization","\u002Fen\u002Fblog\u002Fhow-docker-works","en\u002F3.blog\u002F2.how-docker-works",{"title":49,"path":50,"stem":51},"The 7 Biggest DevOps Problems in SMBs – And How to Fix Them","\u002Fen\u002Fblog\u002Fdevops-problems-smb","en\u002F3.blog\u002F20.devops-problems-smb",{"title":53,"path":54,"stem":55},"PostgreSQL Helm Chart: How to Deploy Postgres on Kubernetes","\u002Fen\u002Fblog\u002Fpostgresql-helm-chart-kubernetes","en\u002F3.blog\u002F21.postgresql-helm-chart-kubernetes",{"title":57,"path":58,"stem":59},"Platform Engineering vs. DevOps – What","\u002Fen\u002Fblog\u002Fplatform-engineering-vs-devops","en\u002F3.blog\u002F22.platform-engineering-vs-devops",{"title":61,"path":62,"stem":63},"Cloud Act vs. GDPR: The Risk for EU Businesses","\u002Fen\u002Fblog\u002Fcloud-act-vs-gdpr","en\u002F3.blog\u002F23.cloud-act-vs-gdpr",{"title":65,"path":66,"stem":67},"Cut IT Costs with Automation: The Biggest Lever","\u002Fen\u002Fblog\u002Freduce-it-costs-automation","en\u002F3.blog\u002F24.reduce-it-costs-automation",{"title":69,"path":70,"stem":71},"NIS2 Compliance for DevOps Teams: What You Need to Do","\u002Fen\u002Fblog\u002Fnis2-compliance-devops","en\u002F3.blog\u002F25.nis2-compliance-devops",{"title":73,"path":74,"stem":75},"Self-Hosted EU Alternatives: Host LibreOffice & More","\u002Fen\u002Fblog\u002Fself-hosted-eu-alternatives","en\u002F3.blog\u002F26.self-hosted-eu-alternatives",{"title":77,"path":78,"stem":79},"DORA Compliance for DevOps: What the EU Resilience Act Means","\u002Fen\u002Fblog\u002Fdora-compliance-devops","en\u002F3.blog\u002F27.dora-compliance-devops",{"title":81,"path":82,"stem":83},"Cloud TCO: Hidden Costs AWS, Azure & GCP Don't Show You","\u002Fen\u002Fblog\u002Fcloud-tco-hidden-costs","en\u002F3.blog\u002F28.cloud-tco-hidden-costs",{"title":85,"path":86,"stem":87},"Data Residency vs. Data Sovereignty: What Really Matters","\u002Fen\u002Fblog\u002Fdata-residency-vs-data-sovereignty","en\u002F3.blog\u002F29.data-residency-vs-data-sovereignty",{"title":89,"path":90,"stem":91},"Self-Host n8n on Hetzner: Complete Docker Setup Guide","\u002Fen\u002Fblog\u002Fself-hosted-n8n-on-hetzner","en\u002F3.blog\u002F3.self-hosted-n8n-on-hetzner",{"title":93,"path":94,"stem":95},"Manual Deployments: An Underestimated Risk for SMBs","\u002Fen\u002Fblog\u002Fmanual-deployment-risks","en\u002F3.blog\u002F30.manual-deployment-risks",{"title":97,"path":98,"stem":99},"DevOps Tool Sprawl: How It Happens and How to Stop It","\u002Fen\u002Fblog\u002Fdevops-tool-sprawl","en\u002F3.blog\u002F31.devops-tool-sprawl",{"title":101,"path":102,"stem":103},"Kubernetes Monitoring: Using Logs and Metrics Effectively","\u002Fen\u002Fblog\u002Fkubernetes-monitoring-logs-metrics","en\u002F3.blog\u002F32.kubernetes-monitoring-logs-metrics",{"title":105,"path":106,"stem":107},"OB7 Case Study: Website Deployment Without Infrastructure Overhead","\u002Fen\u002Fblog\u002Fob7-case-study-lowcloud-deployment","en\u002F3.blog\u002F33.ob7-case-study-lowcloud-deployment",{"title":109,"path":110,"stem":111},"DevOps in SMBs: Why Missing Roles Become a Real Risk","\u002Fen\u002Fblog\u002Fmissing-devops-roles-smb","en\u002F3.blog\u002F34.missing-devops-roles-smb",{"title":113,"path":114,"stem":115},"Simplify Kubernetes Configuration: The Path to Human-Readable Cloud","\u002Fen\u002Fblog\u002Fsimplify-kubernetes-configuration","en\u002F3.blog\u002F35.simplify-kubernetes-configuration",{"title":117,"path":118,"stem":119},"Collaborative DevOps: How Modern Teams Build Cloud Apps Together","\u002Fen\u002Fblog\u002Fcollaborative-devops-teams","en\u002F3.blog\u002F36.collaborative-devops-teams",{"title":121,"path":122,"stem":123},"Knowledge Documentation in DevOps Teams: How to Actually Reduce Your Bus Factor","\u002Fen\u002Fblog\u002Fdevops-knowledge-documentation-bus-factor","en\u002F3.blog\u002F37.devops-knowledge-documentation-bus-factor",{"title":125,"path":126,"stem":127},"What Is PaaS? Platform as a Service Explained","\u002Fen\u002Fblog\u002Fwhat-is-paas","en\u002F3.blog\u002F38.what-is-paas",{"title":129,"path":130,"stem":131},"EU AI Act Hosting: What Changes for AI Workload Operators","\u002Fen\u002Fblog\u002Feu-ai-act-hosting","en\u002F3.blog\u002F39.eu-ai-act-hosting",{"title":133,"path":134,"stem":135},"Docker Compose Tutorial: Managing Multi-Container Apps Made Easy","\u002Fen\u002Fblog\u002Fdocker-compose-for-beginners","en\u002F3.blog\u002F4.docker-compose-for-beginners",{"title":137,"path":138,"stem":139},"Full-Stack Developer Reality: What the Title Actually Means","\u002Fen\u002Fblog\u002Ffull-stack-developer-reality","en\u002F3.blog\u002F40.full-stack-developer-reality",{"title":141,"path":142,"stem":143},"Cloud Egress Fees Compared: AWS vs. Azure vs. GCP Pricing","\u002Fen\u002Fblog\u002Fcloud-egress-fees","en\u002F3.blog\u002F41.cloud-egress-fees",{"title":145,"path":146,"stem":147},"Bring Your Own Cloud: What the Model Means and Why It","\u002Fen\u002Fblog\u002Fbring-your-own-cloud","en\u002F3.blog\u002F42.bring-your-own-cloud",{"title":149,"path":150,"stem":151},"Zero-Config Kubernetes: Why Simplicity Wins","\u002Fen\u002Fblog\u002Fzero-config-kubernetes","en\u002F3.blog\u002F43.zero-config-kubernetes",{"title":153,"path":154,"stem":155},"Minimalist Cloud Architecture: Why Less Complexity Means More Stability","\u002Fen\u002Fblog\u002Fminimalist-cloud-architecture","en\u002F3.blog\u002F44.minimalist-cloud-architecture",{"title":157,"path":158,"stem":159},"Software Deployment for SMBs: How Small Teams Ship Faster","\u002Fen\u002Fblog\u002Fsmb-software-deployment","en\u002F3.blog\u002F45.smb-software-deployment",{"title":161,"path":162,"stem":163},"EU Data Act: What Businesses and DevOps Teams Need to Know","\u002Fen\u002Fblog\u002Feu-data-act-business-devops","en\u002F3.blog\u002F46.eu-data-act-business-devops",{"title":165,"path":166,"stem":167},"Data Governance Act: What SMBs and DevOps Teams Need to Know","\u002Fen\u002Fblog\u002Fdata-governance-act-devops-guide","en\u002F3.blog\u002F47.data-governance-act-devops-guide",{"title":169,"path":170,"stem":171},"Self-Host Docmost with Docker Compose and Traefik: Complete Guide","\u002Fen\u002Fblog\u002Fself-host-docmost-with-docker-and-traefik","en\u002F3.blog\u002F5.self-host-docmost-with-docker-and-traefik",{"title":173,"path":174,"stem":175},"What Is Kubernetes? A Practical Guide to Container Orchestration","\u002Fen\u002Fblog\u002Fwhat-is-kubernetes","en\u002F3.blog\u002F6.what-is-kubernetes",{"title":177,"path":178,"stem":179},"The Cloud Illusion: Why a Server Location in Germany Doesn’t Guarantee Digital Sovereignty","\u002Fen\u002Fblog\u002Fcloud-illusion-digital-sovereignty","en\u002F3.blog\u002F7.cloud-illusion-digital-sovereignty",{"title":181,"path":182,"stem":183},"S3-Compatible Object Storage: The Best Solutions at a Glance","\u002Fen\u002Fblog\u002Fs3-compatible-object-storage","en\u002F3.blog\u002F8.s3-compatible-object-storage",{"title":185,"path":186,"stem":187},"Deployment as a Bottleneck: When AI Codes Faster Than You Can Deploy","\u002Fen\u002Fblog\u002Fdeployment-bottleneck","en\u002F3.blog\u002F9.deployment-bottleneck",{"title":189,"path":190,"stem":191,"children":192,"icon":206},"Getting Started","\u002Fen\u002Fdocs\u002Fgetting-started","en\u002F1.docs\u002F1.getting-started\u002F1.index",[193,196,201],{"title":194,"path":190,"stem":191,"icon":195},"Introduction","i-lucide-house",{"title":197,"path":198,"stem":199,"icon":200},"Get Started","\u002Fen\u002Fdocs\u002Fgetting-started\u002Fget-started","en\u002F1.docs\u002F1.getting-started\u002F2.get-started","i-lucide-rocket",{"title":202,"path":203,"stem":204,"icon":205},"How It Works","\u002Fen\u002Fdocs\u002Fgetting-started\u002Fhow-it-works","en\u002F1.docs\u002F1.getting-started\u002F3.how-it-works","i-lucide-lightbulb",false,{"title":208,"path":209,"stem":210,"children":211,"icon":206},"Guides","\u002Fen\u002Fdocs\u002Fguides","en\u002F1.docs\u002F2.guides\u002F1.index",[212,214],{"title":208,"path":209,"stem":210,"icon":213},"i-lucide-book-open",{"title":215,"path":216,"stem":217,"icon":218},"Connect a Container Registry","\u002Fen\u002Fdocs\u002Fguides\u002Fcontainer-registries","en\u002F1.docs\u002F2.guides\u002F2.container-registries","i-lucide-container",{"title":220,"path":221,"stem":222,"children":223,"icon":206},"App Services","\u002Fen\u002Fdocs\u002Fapp-services","en\u002F1.docs\u002F3.app-services\u002F1.index",[224,225,230,235,240,245],{"title":220,"path":221,"stem":222,"icon":200},{"title":226,"path":227,"stem":228,"icon":229},"Build Settings","\u002Fen\u002Fdocs\u002Fapp-services\u002Fbuild-settings","en\u002F1.docs\u002F3.app-services\u002F2.build-settings","i-lucide-settings",{"title":231,"path":232,"stem":233,"icon":234},"Env Variables","\u002Fen\u002Fdocs\u002Fapp-services\u002Fenvironment-variables","en\u002F1.docs\u002F3.app-services\u002F3.environment-variables","i-lucide-key",{"title":236,"path":237,"stem":238,"icon":239},"Custom Domains","\u002Fen\u002Fdocs\u002Fapp-services\u002Fcustom-domains","en\u002F1.docs\u002F3.app-services\u002F4.custom-domains","i-lucide-globe",{"title":241,"path":242,"stem":243,"icon":244},"Health Checks","\u002Fen\u002Fdocs\u002Fapp-services\u002Fhealth-checks","en\u002F1.docs\u002F3.app-services\u002F5.health-checks","i-lucide-heart-pulse",{"title":246,"path":247,"stem":248,"icon":249},"Autoscaling","\u002Fen\u002Fdocs\u002Fapp-services\u002Fautoscaling","en\u002F1.docs\u002F3.app-services\u002F6.autoscaling","i-lucide-scaling",{"title":251,"path":252,"stem":253,"children":254,"icon":206},"Helm Releases","\u002Fen\u002Fdocs\u002Fhelm-releases","en\u002F1.docs\u002F4.helm-releases\u002F1.index",[255,257,262,267,272,277,282],{"title":251,"path":252,"stem":253,"icon":256},"i-lucide-package",{"title":258,"path":259,"stem":260,"icon":261},"Deploy PostgreSQL","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-postgresql","en\u002F1.docs\u002F4.helm-releases\u002F2.deploy-postgresql","i-lucide-database",{"title":263,"path":264,"stem":265,"icon":266},"Deploy Redis","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-redis","en\u002F1.docs\u002F4.helm-releases\u002F3.deploy-redis","i-lucide-zap",{"title":268,"path":269,"stem":270,"icon":271},"Deploy n8n","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-n8n","en\u002F1.docs\u002F4.helm-releases\u002F4.deploy-n8n","i-lucide-workflow",{"title":273,"path":274,"stem":275,"icon":276},"Deploy RustFS","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-rustfs","en\u002F1.docs\u002F4.helm-releases\u002F5.deploy-rustfs","i-lucide-hard-drive",{"title":278,"path":279,"stem":280,"icon":281},"Deploy OpenSearch","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-opensearch","en\u002F1.docs\u002F4.helm-releases\u002F6.deploy-opensearch","i-lucide-search",{"title":283,"path":284,"stem":285,"icon":286},"Deploy Keycloak","\u002Fen\u002Fdocs\u002Fhelm-releases\u002Fdeploy-keycloak","en\u002F1.docs\u002F4.helm-releases\u002F7.deploy-keycloak","i-lucide-shield-check",{"title":288,"path":289,"stem":290,"children":291,"icon":206},"Glossary","\u002Fen\u002Fdocs\u002Fglossary","en\u002F1.docs\u002F5.glossary\u002F1.index",[292],{"title":288,"path":289,"stem":290,"icon":293},"i-lucide-book-a",{"id":295,"title":129,"authors":296,"badge":302,"body":303,"date":651,"description":652,"extension":653,"image":654,"lastUpdated":302,"meta":656,"navigation":657,"path":130,"published":657,"seo":658,"stem":131,"tags":302,"__hash__":659},"posts\u002Fen\u002F3.blog\u002F39.eu-ai-act-hosting.md",[297],{"name":298,"to":299,"avatar":300},"Thomas Ens","\u002Fabout\u002Fthomasens",{"src":301},"\u002Fimages\u002Fblog\u002Fauthors\u002Fthomas.jpeg",null,{"type":304,"value":305,"toc":639},"minimark",[306,311,315,320,331,360,363,367,370,390,405,408,412,415,418,450,453,457,460,486,489,493,496,499,510,513,517,520,527,534,564,568,571,576,579,584,587,592,595,600,603,608,611,616,619,623,626,629,632],[307,308,310],"h1",{"id":309},"eu-ai-act-hosting-what-changes-for-ai-workload-operators-now","EU AI Act Hosting: What Changes for AI Workload Operators Now",[312,313,314],"p",{},"Since August 2024, the EU AI Act has been officially in force — the first comprehensive AI regulation worldwide. What initially sounds abstract to many companies is becoming increasingly concrete: anyone deploying, integrating, or running AI systems on their infrastructure now has obligations that can no longer be ignored. Especially for hosting customers running AI workloads in their environment or using SaaS tools with AI capabilities, pressing questions are emerging.",[316,317,319],"h2",{"id":318},"what-is-the-eu-ai-act","What Is the EU AI Act?",[312,321,322,323,330],{},"The ",[324,325,329],"a",{"href":326,"rel":327},"https:\u002F\u002Fwww.bundesregierung.de\u002Fbreg-de\u002Faktuelles\u002Fai-act-2285944",[328],"nofollow","EU AI Act"," follows a risk-based approach. AI systems are classified into four categories:",[332,333,334,342,348,354],"ul",{},[335,336,337,341],"li",{},[338,339,340],"strong",{},"Unacceptable risk:"," Prohibited (e.g., social scoring by authorities, real-time biometric surveillance in public spaces)",[335,343,344,347],{},[338,345,346],{},"High risk:"," Strict requirements for documentation, conformity, and monitoring (e.g., AI in HR, credit scoring, medical devices)",[335,349,350,353],{},[338,351,352],{},"Limited risk:"," Transparency obligations toward users (e.g., chatbots)",[335,355,356,359],{},[338,357,358],{},"Minimal risk:"," No special obligations (e.g., spam filters, AI in games)",[312,361,362],{},"The bans for systems in the \"unacceptable risk\" category have been in effect since February 2025. Full requirements for high-risk AI systems take effect from August 2026.",[316,364,366],{"id":365},"who-is-affected-providers-deployers-importers","Who Is Affected? Providers, Deployers, Importers",[312,368,369],{},"The AI Act distinguishes clear roles:",[332,371,372,378,384],{},[335,373,374,377],{},[338,375,376],{},"Provider:"," Anyone who develops or places an AI system on the market.",[335,379,380,383],{},[338,381,382],{},"Deployer:"," Anyone who uses an AI system in their own context — companies using AI tools in their processes.",[335,385,386,389],{},[338,387,388],{},"Importer and Distributor:"," Anyone who imports or distributes AI systems from third countries.",[312,391,392,393,398,399,404],{},"For hosting customers, the deployer role is particularly relevant. Anyone integrating ",[324,394,397],{"href":395,"rel":396},"https:\u002F\u002Fopenai.com\u002Fde-DE\u002F",[328],"OpenAI",", ",[324,400,403],{"href":401,"rel":402},"https:\u002F\u002Fazure.microsoft.com\u002Fde-de\u002Fproducts\u002Fai-foundry\u002Ftools",[328],"Azure Cognitive"," Services, or other AI APIs into their own applications and running them on hosting infrastructure qualifies as a deployer — with all corresponding obligations.",[312,406,407],{},"This applies even when the underlying model is hosted by a third-party provider. What matters is the deployment of AI in your own product or process, not the development of the model itself.",[316,409,411],{"id":410},"what-obligations-arise-for-deployers","What Obligations Arise for Deployers?",[312,413,414],{},"The specific requirements depend on the risk classification of each AI system. For systems with limited risk, a transparency obligation is often sufficient: users must know when they are interacting with an AI.",[312,416,417],{},"For high-risk systems, the effort is significantly greater:",[332,419,420,426,432,438,444],{},[335,421,422,425],{},[338,423,424],{},"Technical documentation:"," The system must be documented — its purpose, how it works, and known limitations.",[335,427,428,431],{},[338,429,430],{},"Logging and monitoring:"," Operators must maintain logs to ensure the traceability of AI decisions. Depending on the area of application, retention periods of at least six months apply.",[335,433,434,437],{},[338,435,436],{},"Risk assessment:"," An internal review of whether and how the system can affect individuals' fundamental rights.",[335,439,440,443],{},[338,441,442],{},"Human oversight:"," High-risk systems must not operate fully autonomously. There must be mechanisms for human control.",[335,445,446,449],{},[338,447,448],{},"Registration:"," Certain high-risk AI systems must be registered in an EU-wide database.",[312,451,452],{},"Anyone operating AI-powered candidate screening, automated credit decisions, or medical diagnostic tools must carefully assess which category their system falls into.",[316,454,456],{"id":455},"high-risk-ai-special-requirements-for-systems-in-sensitive-areas","High-Risk AI: Special Requirements for Systems in Sensitive Areas",[312,458,459],{},"Annex III of the AI Act lists the areas where AI systems are generally considered high-risk:",[332,461,462,465,468,471,474,477,480,483],{},[335,463,464],{},"Biometric identification and categorization",[335,466,467],{},"Critical infrastructure (energy, water, transport)",[335,469,470],{},"Education and vocational training",[335,472,473],{},"Employment and workforce management (e.g., automated CV analysis)",[335,475,476],{},"Essential services (credit, social benefits)",[335,478,479],{},"Law enforcement",[335,481,482],{},"Migration and border control",[335,484,485],{},"Justice and democratic processes",[312,487,488],{},"Anyone deploying AI in any of these areas — even if it's \"just\" a purchased tool — should assess the classification now. The AI Act explicitly requires deployers to independently determine whether a system falls under the high-risk category.",[316,490,492],{"id":491},"ai-act-and-gdpr-where-the-frameworks-overlap","AI Act and GDPR: Where the Frameworks Overlap",[312,494,495],{},"The EU AI Act and the GDPR are not alternatives — they apply in parallel. Wherever AI systems process personal data, both regulatory frameworks apply simultaneously.",[312,497,498],{},"In concrete terms, this means:",[332,500,501,504,507],{},[335,502,503],{},"Automated decisions with significant impact (Article 22 GDPR) still require a legal basis and remain contestable by affected individuals.",[335,505,506],{},"The technical requirements of the AI Act — particularly logging and traceability — can conflict with GDPR principles of data minimization and purpose limitation. This requires well-thought-out approaches.",[335,508,509],{},"Data Protection Impact Assessments (DPIAs) under the GDPR can be combined with the AI Act risk assessment. This saves effort and creates consistent documentation.",[312,511,512],{},"A common mistake: companies assume GDPR compliance is sufficient. However, the AI Act adds systemic requirements that go beyond data protection.",[316,514,516],{"id":515},"infrastructure-as-a-compliance-lever-why-the-operating-location-matters","Infrastructure as a Compliance Lever: Why the Operating Location Matters",[312,518,519],{},"One aspect that gets overlooked in many AI Act discussions: where AI workloads run has direct compliance relevance.",[312,521,522,523,526],{},"Running AI inference on US-based cloud services creates not only a ",[324,524,525],{"href":62},"GDPR issue through potential third-country transfers"," — it also means losing control over technical measures like logging, auditability, and access restrictions that the AI Act requires.",[312,528,529,530,533],{},"European, sovereign infrastructure offers a structural advantage here — because ",[324,531,532],{"href":86},"data residency alone is not sovereignty",":",[332,535,536,542,548,558],{},[335,537,538,541],{},[338,539,540],{},"Data localization:"," AI processing stays in the EU — no transfer issues.",[335,543,544,547],{},[338,545,546],{},"Full technical control:"," Logging requirements can be implemented without restrictions from third-party providers.",[335,549,550,553,554,557],{},[338,551,552],{},"Auditability:"," All evidence can be provided seamlessly during regulatory audits. The EU's ",[324,555,556],{"href":14},"Cloud Sovereignty Framework"," provides formal criteria for verifying these protections.",[335,559,560,563],{},[338,561,562],{},"Contractual clarity:"," With a European provider, data processing agreements and AI Act-compliant arrangements can be concluded directly and without legal risks.",[316,565,567],{"id":566},"what-should-hosting-customers-do-now","What Should Hosting Customers Do Now?",[312,569,570],{},"The AI Act is being phased in gradually. Those who act today have a clear advantage. The following steps are specifically recommended:",[312,572,573],{},[338,574,575],{},"1. Inventory your AI systems",[312,577,578],{},"Which AI tools and APIs are being used in which processes? This includes embedded AI features in SaaS products that you operate yourself.",[312,580,581],{},[338,582,583],{},"2. Perform risk classification",[312,585,586],{},"For each identified system: does it fall under high, limited, or minimal risk? The European Commission has published guidance documents to help with this.",[312,588,589],{},[338,590,591],{},"3. Close documentation gaps",[312,593,594],{},"High-risk systems require complete technical documentation. If you don't have it yet, start now — regardless of whether the system was developed in-house or purchased.",[312,596,597],{},[338,598,599],{},"4. Set up logging and monitoring",[312,601,602],{},"Technical measures for tracing AI decisions need to be integrated into operations. This is not a one-time project but an ongoing process.",[312,604,605],{},[338,606,607],{},"5. Review your infrastructure",[312,609,610],{},"Where are AI workloads running? If you rely on non-European services, assess whether migrating to sovereign infrastructure makes sense — for both compliance and operational reasons.",[312,612,613],{},[338,614,615],{},"6. Clarify internal responsibilities",[312,617,618],{},"The AI Act doesn't prescribe a dedicated \"AI officer,\" but clear responsibilities for AI governance are sensible. Who is internally responsible for risk assessment and documentation?",[316,620,622],{"id":621},"conclusion-the-ai-act-is-not-a-future-problem","Conclusion: The AI Act Is Not a Future Problem",[312,624,625],{},"A widespread misconception is that the AI Act is still a long way off. The first bans have been in effect since early 2025, full high-risk requirements apply from August 2026 — but the preparation window is now. Anyone who only analyzes their AI systems shortly before the deadline will run into problems.",[312,627,628],{},"For hosting customers, this means concretely: understand your own AI usage, know your deployer obligations, and set up your infrastructure so that technical compliance requirements can be met. Sovereign, European infrastructure is not a nice-to-have — it's a structural advantage that saves effort and reduces risk.",[630,631],"hr",{},[312,633,634,635,638],{},"The DevOps-as-a-Service platform is a ",[324,636,637],{"href":22},"Kubernetes-based sovereign application"," operated entirely in Germany. If you want to run AI workloads in compliance with the AI Act — with full data control, comprehensive logging, and clear contractual foundations — you'll find a solid technical basis here.",{"title":640,"searchDepth":641,"depth":641,"links":642},"",2,[643,644,645,646,647,648,649,650],{"id":318,"depth":641,"text":319},{"id":365,"depth":641,"text":366},{"id":410,"depth":641,"text":411},{"id":455,"depth":641,"text":456},{"id":491,"depth":641,"text":492},{"id":515,"depth":641,"text":516},{"id":566,"depth":641,"text":567},{"id":621,"depth":641,"text":622},"2026-03-26","The EU AI Act introduces new obligations for AI system operators. What hosting customers need to know about risk classification, logging, and sovereign infrastructure.","md",{"src":655},"\u002Fimages\u002Fblog\u002Feu-ai-act-hosting.jpg",{},true,{"title":129,"description":652},"lLfESldhKUnhBTD5SDhw6xm7b0mbgUidNxLrl0nrg9k",[661,663],{"title":125,"path":126,"stem":127,"description":662,"children":-1},"Learn how Platform as a Service works, its key benefits for development teams, and why Kubernetes-based PaaS solutions are ideal for modern applications.",{"title":133,"path":134,"stem":135,"description":664,"children":-1},"Learn Docker Compose from scratch - This tutorial explains how to manage multi-container applications with a single YAML file and why Docker Compose is essential for selfhosting.",1775388341361]