The EU AI Act and SMB compliance

On July 12, 2024, the European Union (EU) Official Journal published the full text of the AI Act. This set into motion the final chapter of the most impactful security and privacy law since the General Data Protection Regulation (GDPR) came into force in 2018.
It will have enormous implications for how companies do business in the EU and globally.
We reviewed some of the law's requirements in a previous post, but in this one, we will examine the practical implications for small and medium businesses (SMBs).
The law applies broadly
Definitions are important when it comes to new legislation, and the AI Act is broad in this respect. For example, it defines an AI system as a machine-based system that is designed to operate with varying levels of autonomy and that may exhibit adaptiveness after deployment.
This definition can cover a great deal of the software that SMBs use, develop, and resell. While the law does make specific allowances for SMBs and startups, they are not exempt from its requirements.
The act also lays out a variety of roles related to AI systems, such as:
- Provider - anyone who develops an AI system directly or contracts someone else to do so and puts it on the EU market under its own name or trademark
- Deployer - anyone using an AI system (with an exception for personal use)
- Importer - anyone in the EU who puts an AI system on the market with the name or trademark of anyone from a third country
- Distributor - anyone in the supply chain, other than the provider or the importer, who makes an AI system available on the EU market.
If there is any chance your company does any of these things with AI systems, you should keep reading.
Documentation requirements are piling up
A key task for any SMB dealing with EU AI Act requirements is determining whether an AI system for which it is responsible qualifies as high-risk.
If so, the act requires establishing:
- Risk and quality management systems: The focus here is to identify, analyze, estimate, and evaluate risks to health, safety, or fundamental rights. Companies also need to implement appropriate risk management measures.
- A data governance program: Tracking the provenance and quality of training data helps to measure and manage biases and to ensure representativeness.
- Detailed technical documentation: In addition to facilitating the safe operation of AI systems, it is also critical for demonstrating compliance with the requirements. It should describe the design, development process, and performance of the AI system.
- Transparency: Those responsible for AI systems need to provide clear and accessible information on their capabilities and limitations. The goal is to ensure users understand the operation and output of the AI system, including foreseeable risks.
- Accuracy, robustness, and cybersecurity: In addition to safety considerations, high-risk systems must deliver consistent performance throughout their lifecycle and resilience against errors, faults, and adversarial attacks.
- Post-market monitoring: By gathering data on the AI system's performance and compliance, risk management and quality systems can stay up to date.
- Human oversight: A final key requirement for high-risk AI systems is ensuring human operators can understand and appropriately respond to the AI system's operations and outputs.
Even for systems that are not high-risk, the AI Act has additional requirements for systems that create lifelike content (which the Act refers to as deep fakes) and more powerful general-purpose AI models.
Liability risk expands
Another challenge for SMBs under the EU AI Act will be the increased risk of government and private legal action. The EU AI Act lays out a series of fines to penalize non-compliance:
- 35,000,000 Euros or up to 7% of global annual revenue for using prohibited AI systems.
- 15,000,000 Euros or up to 3% of global annual revenue for violations of several other requirements.
- 7,500,000 Euros or up to 1% of global annual revenue for supplying incorrect information.
For SMBs, the lower of the two amounts in each tier applies, which can still be an enormous burden to a growing company.
Furthermore, additional EU regulation may make it easier for private parties to sue AI providers for product defects.
- Proposed changes to the Product Liability Directive (PLD) will create a presumption of defectiveness for AI products that do not comply with mandatory safety standards (including the EU AI Act). This will make it easier for private parties to win in court.
- The proposed AI Liability Directive (AILD) will make it easier to prove that even non-customers of AI products suffered harm, and thus entitle them to legal action.
ISO 42001 as a way to manage risk
Published at the end of 2023, ISO 42001 is a new compliance standard laying out best practices for building an AI Management System (AIMS). After being evaluated by an external auditor, companies can receive certification under the standard.
In addition to generally building customer trust and ensuring proper AI governance, ISO 42001 is also likely to be adopted as a harmonized standard under the EU AI Act. The biggest advantage here is that high-risk AI systems and general-purpose AI models will be presumed to be in conformity with much of the AI Act if they are also compliant with a harmonized standard (like ISO 42001).
While this is no guarantee, it goes a long way toward reducing risk. Other jurisdictions, like the State of Colorado in the United States, have taken similar steps by making ISO 42001 compliance a defense against certain alleged violations of the law.
Furthermore, implementing ISO 42001 is itself an effective way to manage risk. At a minimum, it requires:
- Laying out organizational roles and responsibilities when it comes to AI
- Monitoring for incidents and other non-conformities
- Conducting AI risk and impact assessments
It also includes an expansive set of optional controls in Annex A that facilitate:
- Responsible AI development goals, objectives, and procedures
- Using external input to improve AI system security and safety
- Effective data governance, classification, and labeling
Conclusion
The AI Act is the most consequential piece of AI legislation ever passed. And its impacts will be felt for decades. Whether or not you agree with the EU's regulatory approach, it will come into force over the next two years.
SMBs with any exposure to the EU market should carefully examine their business to determine if they meet any of the definitions of covered organizations. Even if they don't, the odds of similar legislation coming into effect in other jurisdictions are high, as Colorado has made clear.
Finally, certifying their AI Management System under ISO 42001 provides a legal defense in certain scenarios, reducing liability risk. At the same time, the preparation and auditing process itself will make the organization more resilient and responsible when using AI systems.
Are you interested in ISO 42001 certification for your company? Book a demo to learn more about how Scrut Automation can help.