From Regulation to Practice: FCSE Strengthens Institutional Readiness for Trustworthy AI-in-Health Research

As artificial intelligence becomes increasingly embedded in healthcare, research institutions are facing a new kind of responsibility. Scientific excellence is no longer enough. Institutions that develop, test or coordinate AI-based health solutions must also demonstrate that they understand how to protect data, manage cybersecurity risks, ensure transparency, prepare for audits, and align their work with emerging European regulatory frameworks.

This was the broader motivation behind the recent short-term scientific exchange carried out by the Head of the Legal Department of the Faculty of Computer Science and Engineering (FCSE) at the Jožef Stefan Institute (JSI) in Ljubljana, within the framework of the ChatMED project.

The stay came at a very timely moment. With the EU AI Act entering the implementation stage, the European Health Data Space becoming a reality, cybersecurity obligations becoming more demanding, and GDPR remaining a central pillar for all research involving personal and sensitive data, it has become clear that legal and administrative readiness must be built at institutional level. For a faculty that coordinates international projects and develops research in artificial intelligence, healthcare and digital transformation, these questions are no longer abstract. They directly affect how projects are planned, implemented, documented and sustained.

Before Ljubljana: understanding the institutional starting point

The stay in Ljubljana was preceded by a careful internal reflection on the current regulatory and institutional landscape. Before the visit, the researcher reviewed existing national legislation and FCSE procedures related to personal data protection, cybersecurity, health data and artificial intelligence.

This preparatory phase revealed several important insights.

First, while North Macedonia has adopted a Law on Personal Data Protection aligned with the GDPR, FCSE’s internal procedures in this area were outdated and needed to be revised. This raised a practical question: how should a research institution correctly define roles, responsibilities and agreements when sensitive data are processed in international projects?

Second, cybersecurity emerged as an increasingly important institutional concern. North Macedonia has adopted a law on the security of network and information systems, inspired by the NIS2 Directive, but operational practice is still new and developing. For a computer science faculty, this means that cybersecurity can no longer be treated only as a technical issue. It must become part of project governance, documentation, internal procedures and risk management.

Third, the European Health Data Space opened a wider discussion on how health data should be accessed, shared and reused for research. In North Macedonia, systems such as “Moj Termin” and “Moe Zdravje” already exist, but the broader regulatory and operational framework for EHDS-aligned research use is still emerging. This is particularly relevant for AI-in-health projects, where access to structured, lawful and interoperable data is essential.

Finally, the EU AI Act raised questions about institutional coordination, risk classification, human oversight, transparency and AI literacy. The preparatory analysis showed that although FCSE has strong human capacity in artificial intelligence, national-level AI governance is still developing. This creates both a challenge and an opportunity: institutions such as FCSE can help shape good practice by building their own internal mechanisms for responsible AI research.

Ljubljana as a benchmarking and knowledge-transfer experience

The short-term stay at JSI provided an opportunity to compare FCSE’s situation with the practices of a mature European research institution. The discussions covered several interconnected areas: management of international projects, GDPR implementation, AI Act readiness, EHDS-related data governance, audit preparation and cybersecurity.

One of the most useful insights concerned project-management infrastructure. JSI uses a centralized project-management system where project applications, awarded projects, financial plans, project categories and expenditure flows are recorded. This showed the importance of having a structured institutional memory for projects — not only for financial transparency, but also for audit readiness, reporting and long-term coordination.

The discussions also highlighted the need for clear documentation. International research projects require more than scientific deliverables. They require data-management plans, retention rules, controller-processor agreements, internal responsibilities, audit trails, timesheets, procurement documentation, and clear procedures for researchers and administrative staff.

In the field of GDPR, the stay confirmed the importance of updating institutional procedures and defining practical mechanisms for sensitive-data processing. This includes clarifying who acts as controller and processor, how data-sharing agreements are concluded, how long data are retained, how anonymization or synthetic data may be used, and how research purposes are documented.

The AI Act discussions were particularly important because they connected European regulation with national institutional reality. Slovenia has already identified supervisory bodies for different aspects of AI Act implementation. This helped FCSE reflect on which institutions in North Macedonia could play analogous roles, including bodies responsible for electronic communications, personal data protection, market supervision, health, digital transformation and accreditation.

The EHDS discussions showed that even EU institutions are still in the process of adapting their internal documents and procedures to this new regulation. This was an important lesson: readiness does not mean having all answers immediately. It means creating institutional mechanisms that can evolve as regulations become clearer and implementation acts are adopted.

Cybersecurity was another valuable area of reflection. The stay confirmed that NIS2-related readiness should not be limited to technical infrastructure. It should also include institutional policies, incident-response procedures, access control, documentation, responsibility allocation and awareness among researchers.

From legal awareness to operational readiness

The most important outcome of the stay is a shift in perspective.

Regulations such as GDPR, NIS2, the AI Act and EHDS should not be understood as separate legal obligations handled only by a legal department. They should be translated into everyday institutional practice.

For FCSE, this means building an operational model in which legal, technical, administrative and research functions work together. A project involving AI and health data should not begin only with a scientific idea. It should also begin with questions such as:

Who is responsible for data protection?
Is a DPIA needed?
Which data are truly necessary?
Who has access to them?
How are they stored and protected?
Can the data be transferred?
Are the roles of all partners legally defined?
Is the AI system low-risk, high-risk or outside the scope of the AI Act?
Is human oversight ensured?
What happens in case of a cybersecurity incident?
Are documents ready for audit?
Can the institution prove that the project is compliant, transparent and accountable?

These are not obstacles to research. They are conditions for trustworthy research.

Why this matters for ChatMED and future projects

The insights from the Ljubljana stay are directly relevant for ChatMED. As a project focused on generative artificial intelligence in healthcare, ChatMED operates at the intersection of sensitive data, AI models, clinical knowledge, patient trust and institutional responsibility.

The project therefore offers a concrete context in which FCSE can develop and test its own institutional mechanisms. These mechanisms can include updated data-protection procedures, data-sharing templates, DPIA guidance, cybersecurity workflows, AI risk-assessment checklists, audit documentation and training for researchers.

In this sense, the short-term stay was not only a mobility activity. It was a step toward strengthening FCSE’s capacity to coordinate complex European projects in a responsible and sustainable way.

A broader lesson for widening institutions

The experience also points to a broader lesson for research institutions in widening countries.

European regulations are becoming more demanding, but compliance cannot be achieved by simply reading legal texts. It requires institutional translation. Each university, faculty or research centre must ask how abstract requirements become concrete procedures, documents, roles, systems and responsibilities.

For widening institutions, this is especially important. Strong scientific ideas must be supported by strong institutional infrastructure. Project coordinators must be able to demonstrate not only research excellence, but also the capacity to manage data, security, ethics, legal obligations and audit requirements.

The FCSE case shows that this transformation can begin through targeted knowledge exchange, internal diagnosis and practical benchmarking with experienced European partners.

Looking ahead

Following the Ljubljana stay, FCSE will continue working on the operationalization of these insights. The goal is to move from fragmented regulatory awareness toward a coherent institutional framework for trustworthy AI-in-health research.

This includes updating internal procedures, strengthening the role of data protection, improving project-management and audit readiness, preparing for AI Act obligations, aligning with future EHDS requirements, and building cybersecurity awareness across research teams.

In the long term, these mechanisms will not only support ChatMED. They will strengthen FCSE’s position as a reliable coordinator and partner in future European research projects.

The key lesson is simple: trustworthy AI does not start with the algorithm. It starts with the institution that designs, governs and takes responsibility for it.