New: Article 4 literacy templates are now in the platform. Free to use for any firm in EU scope.
EU AI Act readiness · for SMEs in scope

Protection for Small-Medium Enterprises impacted by the EU AI Act.
Compliance in weeks, not months.

cosantio is the AI governance company for small and medium firms in regulated industries. We turn the EU AI Act, and the governance regimes around it, into the workflow your company and board need to run. Purpose-built for firms without an in-house AI ethics committee or a six-figure consultancy budget.

Free / No login / PDF in 5 minutes

app.cosantio.ai/sample-broker/inventory

AI Inventory

9 systems · 3 classified high-risk · EIOPA Opinion mapped

Total: 9 (+1 this month)
High-risk: 3 (FRIA required)
POG coverage: 82% (+8% QoQ)
Readiness: 76% (Audit-ready)

PricePilot · Life pricing engine · High · 54%
UnderwriteAI · Health risk assessment · High · 72%
ClaimsSort · Claims triage · High · 88%
QuoteBot · Customer chat · Limited · 100%
BrokerInsights · Reporting analytics · Minimal · 100%

The regulatory clock. Already in force.

4 live / 2 pending

02 Feb 2025: Prohibited AI practices (Art. 5). In force
02 Aug 2025: General-purpose AI model rules (Art. 51-55). In force
In force · Now: AI literacy obligations (Art. 4). Enforced
In effect · Now: Penalty regime (Art. 99). Active
02 Dec 2027: High-risk standalone AI systems (Annex III). Coming
02 Aug 2028: High-risk AI in regulated products (Annex I). Coming

Your company has obligations now. The standalone high-risk regime applies from 2 December 2027. Firms using AI in creditworthiness, insurance pricing, hiring, performance management, biometrics, education, or critical infrastructure all fall in scope.

cosaint
Irish, noun · protection

cosantio is rooted in the Irish word cosaint: protection, the kind given by a guardian, not a guard. A modern brand for an old idea, that the people building with new technology deserve to be protected as carefully as the people it touches.

The companies most exposed to AI regulation, small and medium enterprises in regulated industries, are often the firms least equipped to deal with it. Our first focus is the obligation bearing down on them right now: the EU AI Act. But the real job is the one underneath every regime: know what AI you run, govern it, and be able to prove it. Our platform is built for them, by people who've spent careers translating regulation into workflow.

The problem

Existing AI governance tools weren't built for SMEs.

The AI governance platforms regulators reference are priced for FTSE 100 firms, configured by AI ethics committees, and implemented by Big-4 teams over multi-month or even multi-year engagements.

The person carrying it might be a Head of Risk and Compliance who already owns three other regimes, or the managing director, or the one operations or HR lead who 'does compliance' alongside everything else, with a board meeting next month and deadlines closing in.

What you actually need:

  1. A register of every AI system the firm uses
  2. A Fundamental Rights Impact Assessment (FRIA) for the high-risk ones
  3. An AI literacy log: proof your staff have been trained on safe and lawful AI use, as required under Article 4
  4. A board pack in language the non-execs understand
  5. An audit trail when EIOPA or the Central Bank writes back

None of which a platform alone produces. cosantio combines the software with the people to run it. The artefacts get produced, your team gets supported, and there's a named person on the line when the audit lands.

The platform

cosantio is the AI governance platform built for regulated SMEs.

We don't sell 'responsible AI frameworks'. We sell the artefacts a regulator, a carrier, or a board actually asks to see. Software paired with hands-on services, at SME-grade prices, with a named person on the line when the audit lands.

01

Built for SME scale.

A 30-person credit union, a 12-person MGA, a 50-person payments firm. Designed around the resources you actually have, not the AI ethics committee you don't.

02

Regulator-specific, not generic.

Mapped directly to Central Bank of Ireland, EIOPA, ESMA, EBA, and DPC obligations. Annex III §5(b) and §5(c) named explicitly. No generic 'responsible AI' abstractions.

03

Artefacts, not frameworks.

Inventory, FRIA, literacy log, board pack, audit trail. The things a regulator asks for. The things a carrier auditor wants to see. Produced and version-controlled.

What's in the platform

Everything you need for EU AI Act readiness.

Six core modules covering every artefact the AI Act, EIOPA, the Central Bank, and the DPC ask to see. One workspace, one source of truth, one audit trail.

Article 11 · Annex IV

AI Inventory & Register.

A single register of every AI system in use across your firm. Owners, purposes, vendors, data flows, classification against Annex III.

CreditScore Pro · High · §5(b)
AffordAI · High · §5(b)
ChatAssist · Limited · Art. 50

Article 27

FRIA Studio.

Guided Fundamental Rights Impact Assessments. Three required lenses, structured interview flow, version-controlled output.

Affected groups identified
Mitigation measures
Human oversight plan · Pending review

Article 4

AI Literacy Log.

Track who's been trained, on what, when. Auto-prompts for refresher training. Evidence package ready for the DPC or a carrier audit.

87% staff trained · +12% QoQ

Boardroom · Audit committee

Board Pack Generator.

Quarterly board packs in regulator-grade language. Risk posture, FRIA coverage, incidents, vendor exposure. One PDF, ready to share.

Q2 2026 pack · Ready
Q1 2026 pack · Filed

Article 25 · Vendor risk

Vendor AI Register.

Track every third-party AI system your firm uses. Vendor obligations, model cards, change notifications, sub-processor visibility.

14 vendors tracked · 12 attested
2 awaiting attestation · Action req.

Article 12 · Audit trail

Audit Trail.

Time-stamped evidence of every decision, review, and update. The record a regulator or carrier auditor asks for, generated automatically.

Last entry: 09:42 · today
This quarter: 1,247 events

The services

From 'what AI are we using?' to audit-ready.

Start with the free Scorecard: eight questions, three minutes, a regulator-grade PDF of where you stand. From there, the natural next step is usually a Masterclass or an Exposure Audit, and these six services compose to fit your firm. Each produces an artefact your board, your auditor, and your supervisor can read.

01
Train

AI Act Masterclass.

A sector-specific session that gets your board and team fluent fast, and helps meet the Article 4 literacy duty in force since February 2025.

Output: Briefed team + literacy record
02
Assess

Regulatory Exposure Audit.

A structured review of how your firm uses AI, mapped against the Act: provider or deployer, prohibited uses, and what is likely high-risk under Annex III.

Output: Prioritised exposure report
03
Train

AI Literacy Rollout.

A structured Article 4 literacy programme across your firm, with the maintained log and evidence trail you can show a regulator.

Output: Literacy programme + log
04
Build

AI Act Readiness Sprint.

The core engagement. Inventory, classification against Annex III, policies, and the governance structure, building a defensible posture ahead of 2 December 2027.

Output: Inventory + policies + board pack
05
Assess

Fundamental Rights Assessment.

For a single high-risk system, a full FRIA completed end to end under Article 27, with cited evidence and documented mitigations.

Output: Regulator-ready FRIA
06
Sustain

Compliance as a Service.

An ongoing retainer with a named fractional AI Governance Officer: monthly reviews, quarterly board packs, and someone on the line when a regulator writes back.

Output: Named officer + board packs

The Act is already in force. Don't wait for 2027 to find out where you stand.

Get the cosantio Scorecard. Eight questions, three minutes, a PDF that tells you exactly where your firm stands against every AI Act obligation, including the ones already live.