Staying Compliant in 2025: What the EU AI Act, SOC 2 & NIS2 Mean for You

Compliance is a crucial but often overwhelming aspect of running a business, especially for startups. As regulatory frameworks become more complex, it’s more important than ever for businesses of all sizes to stay on top of compliance requirements.
This online session provides key insights from Kilian, co-founder of Kertos, and Jana, co-founder of beams, on how startups can navigate the changing compliance landscape, focusing on frameworks like GDPR, NIS2, SOC 2, and the European AI Act.
The session kicked off with a 15-minute crash course from Kilian, breaking down the most relevant compliance frameworks in clear, founder-friendly language. It was followed by a 30-minute live conversation and Q&A with Jana, diving deeper into practical questions and real startup use cases.

Here’s a summary of the session:


Why Compliance Matters More Than Ever

Historically, compliance has been seen as a concern mainly for large enterprises. However, with the introduction of regulations like the EU AI Act and NIS2, and rising expectations for certifications such as ISO and SOC 2, even startups and small businesses must adhere to these rules. Kilian emphasizes that founders and operational leaders at startups need to pay attention to compliance early on.
By staying compliant, startups can not only avoid costly legal issues but also build trust with customers, partners, and investors, allowing them to scale safely in an increasingly regulated environment.

1. Ensuring Compliance Without Overcommitting Resources

The conversation starts with a key question: how can startups ensure compliance without dedicating too much time and resources? Kilian explains the importance of:
  • Employee Training: Basic training is essential and can be achieved through training videos, written policies, and documented confirmations.
  • Documenting AI Tools: Even simple tools, such as Notion with AI features, must be registered and documented if used within the company.
  • Data Sharing Limits: Employees should understand the limits of data sharing, not only for regulatory compliance but also to protect business secrets.

2. Navigating the EU AI Act

A significant topic discussed is the EU AI Act, which affects many startups. Kilian advises a three-step approach to ensure compliance:
  1. Awareness: Understanding the implications of AI usage.
  2. Documentation: Documenting all AI tools and their applications within the organization.
  3. Education: Ensuring staff are trained on the proper use of AI.
For high-risk AI use cases, such as automated HR decision-making, startups must register with authorities and provide transparent communication to affected individuals.

3. High-Risk AI Scenarios and Transparency

Kilian delves into high-risk AI scenarios, such as AI-based decision-making in recruitment or performance evaluations. Transparency is key in these cases. Affected individuals must be informed if AI is used to make decisions, including details on:
  • How the AI model works.
  • Whom to contact for concerns about the decision.

4. Disclosing AI Usage to Authorities (audience question)

The webinar also discusses real-world cases where clients had to disclose their AI usage to authorities. Kilian emphasizes that while the focus is currently on transparency, startups must document their AI usage and decision-making processes. This helps maintain compliance without the fear of unexpected regulatory actions.

5. Certifications: SOC 2 and ISO

The focus then shifted to certifications like SOC 2 and ISO:
  • SOC 2 Certification: A US-focused standard that reports on an organization’s data protection practices.
  • ISO Certification: An international standard with more rigid requirements.
To obtain these certifications, startups must implement controls, select auditors, and monitor compliance continuously. Kilian stresses that obtaining certification is not the end of the journey: maintaining compliance is an ongoing process.

6. Managing Compliance for Multi-Country Teams (audience question)

For organizations with international teams, maintaining consistent compliance across regions is crucial. Kilian discusses how:
  • EU-Based Teams: The EU AI Act offers a harmonized compliance framework.
  • International Teams: The General Data Protection Regulation (GDPR) may apply, especially if personal data is shared across borders.

7. Practical Tips for Maintaining Compliance

In the final segment, Kilian offers practical tips to help startups maintain compliance in their daily operations:
  • Standardizing Processes: Ensure consistency in vendor evaluations, software access management, and documentation updates.
  • Using Secure Tools: Minimize unnecessary access to sensitive data and ensure secure systems.
  • Building Compliance into Daily Workflows: Compliance should become a natural part of the workflow.

8. Final Thoughts: Compliance Doesn't Have to Be Overwhelming

Kilian concludes with an encouraging message: compliance doesn’t have to be overwhelming. By focusing on the basics, maintaining transparency, and developing consistent habits, startups can build a strong foundation for compliance without excessive complexity.
With the right tools, like Kertos and beams, and a focus on the fundamentals, startups can confidently navigate the evolving compliance landscape and ensure they remain on the right side of regulations, positioning themselves for long-term success.

Interested in more panels like this? Visit https://usebeams.com/events or follow us on LinkedIn for future sessions, resources, and updates.
Want to generate your tool stack overview? Try our SaaS insights platform for a comprehensive view of all your tools, including usage and actionable recommendations to maximize your ROI. It only takes 1 minute to set up: https://app.usebeams.com/company-login