
CSOAI
MEOK SaaS AI
Generic SaaS AI: EU AI Act applicability (limited, high-risk, or general-purpose), SOC 2 with AI overlay, ISO 42001 AIMS. MEOK ships it all as one signed evidence pack.
EU AI Act classification: limited (chatbots, deepfake disclosure), high-risk (employment, credit, education), or general-purpose (foundation models).
SOC 2: CC1-CC9 trust service criteria plus AI-specific control additions (training data governance, model card).
ISO 42001: AI Management System, Clauses 6-10 controls, continual improvement, leadership accountability.
GDPR: Art 5-22, DPIA for high-risk processing, Art 22 right not to be subject to automated decisions.
NIS2: if the SaaS serves EU critical infrastructure (energy, transport, health, digital), the full NIS2 stack applies.
UK sectoral: if serving regulated UK sectors (health, finance, legal, education), sectoral regulator mapping applies.
It depends on the use case, not on being SaaS. Limited-risk obligations (transparency, deepfake/chatbot disclosure under Article 50) apply to most generative features. High-risk obligations apply if your AI is used in employment, credit scoring, education or other Annex III areas. General-purpose / foundation models carry their own Chapter V obligations. MEOK classifies each feature and ships the matching evidence pack.
The Trust Service Criteria (CC1-CC9) still apply, but an AI overlay adds controls auditors now expect: training-data governance and provenance, model cards, model-change management, and monitoring for drift and bias. MEOK maps these AI-specific controls onto your existing SOC 2 control set so a single evidence chain covers both.
ISO/IEC 42001 is a full AI Management System (AIMS). Clauses 6-10 require leadership accountability, AI risk and impact assessment, defined objectives, operational controls and continual improvement, all kept under a documented management-system loop. It is the certifiable AI-governance backbone that SOC 2 and the EU AI Act both lean on, and MEOK runs it as the substrate under both.
Only if you are an essential or important entity, typically SaaS serving EU critical infrastructure such as energy, transport, health or digital infrastructure, or qualifying as a digital service provider. If in scope, NIS2 adds cyber risk-management measures, supply-chain security and 24-hour incident notification. MEOK's nis2-compliance-mcp determines scope and ships the corresponding stack.
199 GBP per month. Subscription includes monthly attestations and HMAC-signed evidence chain.