High risk-systems will need to be registered in a centralized EU database, and also, include post-market monitoring systems. This is a lot of work. So a likely outcome is for large companies to hire specialized firms, or develop in-house teams, to produce such documentation. /15
Microsoft does not really implement any sort of meaningful data protection; they just have the lawyer power to claim compliance. Choosing a Free alternative means that the institution needs to cover the liability itself... The end result is negative for data protection.
The social network of the future: No ads, no corporate surveillance, ethical design, and decentralization! Own your data with Mastodon!