The 2 August 2025 the first requirements come into play generative and General-Purpose AI Models (GPAI) in force under the EU's AI Regulation (AI Act). Municipal chatbots are basically in the category "limited risk", but if they process sensitive personal data or make automatic decisions, they are classified as "high risk" with significantly stricter requirements. (reuters.com, digital-strategy.ec.europa.eu)
| Requirements | Why it affects chatbots | What the municipality must do |
|---|---|---|
| Transparency | The citizen has the right to know that they are talking to an AI. | Show the message “You are talking to an AI assistant” on first contact. |
| Logging & documentation | GPAI vendors must provide model maps and training data summaries. | Require full technical documentation (§ 53) in the contract. |
| Data security | "High risk" triggers requirements for risk management, DPIA and incident management. | Map the data flow, carry out the DPIA and create a contingency plan for data leaks. |
| Point | What you should do | Practical help | Output |
|---|---|---|---|
| 1. Make a risk assessment | Map use-cases, data types and degree of decision → decide whether the chatbot is "limited" or "high" risk. | Use Promtes Risk Heat Map Template: probability × consequence. | Classification note + decision on DPIA need. |
| 2. Update consent & cookie banners | Explain the purpose, legal basis, data categories and the citizen's rights. | Embed text fragments from the Norwegian Data Protection Authority's template; test on mobile. | New banner + updated privacy policy. |
| 3. Add AI Act requirements to supplier contract | Include: model maps, eval metrics, event reporting and Article 53 documentation. | Use our Kravspec form (A3) – completed in 15 min. | Contract annex + supplier roadmap for compliance. |
| 4. Train the support staff | Practice spotting hallucinations, bias and misclassifications. | 2-hour micro-learning + role card: first-line, AI-owner, DPO. | Course certificates + incident flow in Teams. |
| 5. Plan annual audit | Review training data, performance, fairness and safety logs once a year – or with major model updates. | Use CNIL's open-source PIA tool for re-DPIA and report template. | Audit report for management + improvement backlog. |
Tip: If you want to be at the cutting edge, test against the EU AI Office's future already now Code of Practice (expected end of 2025). (artificialintelligenceact.eu)
Promte's platform comes with:
EU hosting or on-prem, no third country transfers
Automatic modelkort-generator & version control
This way you can go from idea to completion GDPR and AI Act ready chatbot in weeks, not months.
