AI Act · Sovereignty · On-premise AI

Bring AI into compliance, and keep control of the models.

The AI Act regulation (EU 2024/1689) requires risk classification for every AI system in use, reinforced obligations on high-risk uses, and Article 50 transparency for interaction systems. Luxgap supports your end-to-end AI Act compliance, and offers software whose architecture lets you pick the AI engine: commercial GPAI to get started fast, or open-source on-premise AI for full sovereignty.

Pillar 1 · Compliance

AI Act compliance for your AI systems.

Whether AI is developed in-house, bought from a vendor or embedded in a SaaS, you are accountable for its compliance. The schedule is known: prohibited uses since February 2025, GPAI since August 2025, high-risk systems from August 2026. Our AI lawyers scope, qualify, document and pass the audit.

01. Inventory and classification

Inventory of every AI system in production or planned (including AI embedded in HR, marketing, anti-fraud SaaS). AI Act classification: prohibited, high-risk, limited risk, minimal risk. Continuously maintained AI system register.

02. High-risk documentation

For every high-risk system: technical documentation (Annex IV), quality management system (Article 17), risk management (Article 9), human oversight (Article 14), DPIA coupled with GDPR if personal data is processed. Everything ready for market placement or ILR inspection.

03. Article 50 transparency

Chatbots, generated content, deepfakes, emotion recognition systems: mandatory disclosure to users. We write compliant wordings, information banners, and update your T&Cs. Synthetic content marking on the technical side.

04. Governance and usage charter

Internal AI committee, new tool review process, employee charter (Copilot, ChatGPT, Claude, etc.), incident procedure, register of significant AI decisions. Direct link with the external DPO mandate when personal data is involved.

05. Team training

AI Act Article 4: AI literacy is mandatory for any employee using an AI system. Training tailored by function (HR, finance, legal, ops), with the certifying PECB offer if requested.

06. Annual audit and watch

Annual audit to confirm posture, documentation refresh, watch on implementing acts, CEN-CENELEC harmonised standards, and AI Office decisions. As your systems evolve, the register follows.

Pillar 2 · Architecture

Your Luxgap software, two AI engines to choose from.

All our software (DPO Assist, KYC Luxembourg, Third Party Register, GDPR erasure, LuxApps SIRH) is built on the same architecture: a business layer decoupled from the AI engine. You choose your engine based on regulatory and sovereignty constraints. The business layer stays the same.

Commercial cloud GPAI

Claude · OpenAI · Mistral · Gemini

For uses where data can transit through a GPAI provider, you immediately benefit from the best models on the market (Claude Opus 4.7, GPT-5, Mistral Large, Gemini 2.5). European contracting, no data reuse for training, Luxgap-side logging for audit. Ideal for note-taking, summarisation, classification, drafting assistance.

  • Rollout in days, not months
  • Best-in-class models continuously updated
  • EU contracts, negotiated CLOUD Act immunity

On-premise open-source AI

Llama · Mistral · Qwen · vLLM · Ollama

For data that must not leave your infrastructure: Article 41 LSF banking secrecy, defence, health, classified data. Production-grade open-source models (Llama 3.3 70B, Mistral 8x22B, Qwen 2.5 72B) installed on a dedicated server at your site, behind your firewall, with no outbound API calls. Strict versioning for reproducible audit.

  • Zero outbound calls, data stays put
  • Versioned models, reproducible audit
  • Compatible with Art. 41 LSF, defence, HDS

Automatic routing: within the same software, you can route sensitive tasks to the on-premise engine and benign tasks to the cloud engine. Policy by field, by client, by document type. No proprietary lock-in.
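The routing policy described above can be expressed as a small, auditable decision function. The following is an added example written for this page, not Luxgap's product code: the sensitivity levels, the field and document-type tables, the client identifiers and the cloud ceiling are constructed assumptions. The defender-relevant detail is that the router fails closed: any field or document type the policy does not recognise is treated as confidential and kept on-premise, and clients bound by an on-premise-only regime never reach the cloud engine regardless of content.

```python
"""Policy-based routing of AI tasks between a cloud GPAI engine and an
on-premise engine.  Illustration only: the policy tables, client
identifiers and field names are constructed assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2   # nominative or secrecy-bound data: stays on site
    RESTRICTED = 3     # national classification level


ON_PREM = "on-premise"
CLOUD = "cloud-gpai"

# Constructed policy tables (assumptions for the example).
FIELD_SENSITIVITY = {
    "customer_name": Sensitivity.CONFIDENTIAL,
    "iban": Sensitivity.CONFIDENTIAL,
    "diagnosis": Sensitivity.CONFIDENTIAL,
    "meeting_notes": Sensitivity.INTERNAL,
    "press_release": Sensitivity.PUBLIC,
}
DOCTYPE_SENSITIVITY = {
    "kyc_file": Sensitivity.CONFIDENTIAL,
    "patient_record": Sensitivity.CONFIDENTIAL,
    "classified_memo": Sensitivity.RESTRICTED,
    "marketing_brief": Sensitivity.PUBLIC,
}
# Clients whose legal regime forbids any outbound call at all (assumed ids).
ON_PREM_ONLY_CLIENTS = {"bank-art41", "ministry-defence"}
# Highest sensitivity the cloud engine may receive.
CLOUD_CEILING = Sensitivity.INTERNAL


@dataclass(frozen=True)
class Task:
    client: str
    document_type: str
    fields: tuple = ()


@dataclass(frozen=True)
class Decision:
    engine: str
    level: Sensitivity
    reason: str


def classify(task: Task) -> Sensitivity:
    """Highest sensitivity across the document type and every field.
    Unknown document types or fields count as CONFIDENTIAL (fail closed)."""
    level = DOCTYPE_SENSITIVITY.get(task.document_type, Sensitivity.CONFIDENTIAL)
    for name in task.fields:
        level = max(level, FIELD_SENSITIVITY.get(name, Sensitivity.CONFIDENTIAL))
    return level


def route(task: Task) -> Decision:
    """Client regime is checked first, then the data classification."""
    level = classify(task)
    if task.client in ON_PREM_ONLY_CLIENTS:
        return Decision(ON_PREM, level, f"client {task.client} is on-premise only")
    if level > CLOUD_CEILING:
        return Decision(ON_PREM, level, f"{level.name} exceeds cloud ceiling")
    return Decision(CLOUD, level, f"{level.name} within cloud ceiling")


def audit_record(task: Task, decision: Decision) -> dict:
    """Flat record suitable for the routing audit log: the decision is
    logged with the reason so an auditor can replay it against the policy."""
    return {
        "client": task.client,
        "document_type": task.document_type,
        "fields": list(task.fields),
        "level": decision.level.name,
        "engine": decision.engine,
        "reason": decision.reason,
    }


if __name__ == "__main__":
    for t in (
        Task("fund-abc", "marketing_brief", ("press_release",)),
        Task("fund-abc", "marketing_brief", ("iban",)),
        Task("bank-art41", "marketing_brief", ("press_release",)),
        Task("fund-abc", "unregistered_type"),
    ):
        print(audit_record(t, route(t)))
```

Adding a new field or document type to the business layer without adding it to the policy table therefore cannot silently send data to the cloud engine; the worst case of an incomplete policy is an unnecessary on-premise call, which is the direction a secrecy-bound deployment should fail in.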

Pillar 3 · Sovereign response

Built for States and regulated companies.

When AI touches state secrecy, banking secrecy, medical secrecy or defence secrecy, the choice of engine is not a preference: it is an obligation. Our software is built for that constraint from the very first ticket.

Public sector and States

Ministries · Municipalities · Defence · Hospitals

  • On-premise deployment on the administration's infrastructure, no outbound
  • Versioned open-source models, bit-by-bit reproducible audit
  • Full EU sovereignty, immunity from CLOUD Act and FISA 702
  • Compatible with national classifications (Restricted, Confidential)
  • AI Act documentation ready for the notifying authority

Regulated companies

Banks · Funds · Trustees · Insurance · Health

  • Banks under Article 41 LSF secrecy: on-premise engine mandatory for nominative data
  • CSSF funds and trustees: routing by data category, CSSF audit prepared
  • DORA Article 28-30: AI register integrated into the Register of Information
  • Health: HDS-compatible hosting, patient access logging
  • CAA insurance: model governance documented for internal control

Why Luxgap

An AI Act file requires three skill sets at once.

A law firm does the AI Act analysis but does not touch code. A tech integrator installs the AI but ignores legal obligations. A cyber consultant secures it but validates neither the law nor the model architecture. Luxgap brings all three teams to every AI file.

Lawyers AI Act + GDPR

Risk classification, coupled DPIA, AI vendor contracts, Article 50 transparency, usage charter. External DPO mandate extended to AI available.

Cybersecurity engineers

Infra hardening (dedicated server, segmentation, FIDO2 MFA, encryption), model governance, AI incident response, ISO 27001 compliance of the deployment, external CISO if needed.

Sovereign AI developers

Modular architecture (business layer + swappable AI engine), fine-tuning on your data, IT integration, automated tests. Stack: Python/FastAPI, PostgreSQL, vLLM, Ollama, Mistral, Qdrant. No uncontrolled US cloud dependency.

Scope your AI Act compliance, or try an on-premise AI.

AI Act audit in 2 to 4 weeks, or sovereign AI POC on your real data with no long-term commitment. Reply within one business day.

Contact us →