AI Act compliance and CIS Benchmark – two innovations that will be appreciated by management
Artificial intelligence has quickly moved from pilots to routine processes – in customer support, marketing, HR and cybersecurity. At the same time, pressure from regulators and partners is growing: they want to see that you use AI safely, transparently, and with clear accountability. BDO is therefore expanding its portfolio with two practical services that translate compliance into the language of management: AI Act compliance and CIS Benchmark assessment.
AI Act: why it's not just a topic for lawyers and IT
The EU AI Act is the first comprehensive framework for regulating AI and is built on risk management. It divides AI systems according to their level of risk and, for high-risk solutions, emphasizes risk management, testing, transparency and auditability. Importantly, it affects not only companies that develop or supply AI, but also organizations that "only" use AI – for example, in HR, critical infrastructure or security surveillance tools.
Deadlines and sanctions are key for management. The obligations phase in gradually between 2025 and 2027, and non-compliance can become expensive – BDO states penalties of up to EUR 35 million or 7% of turnover. AI governance is thus becoming a topic for the board – similar to cybersecurity in recent years.
Regardless of regulation, company management should have a clear framework and processes in place to use AI tools effectively and safely, whether in-house or within third-party products, throughout their lifecycle – from onboarding, through everyday use and development, to replacement by the next generation.
New: BDO AI Act Compliance – Turning Regulation into a Manageable Project
BDO approaches AI Act compliance as a manageable program for management, not as an endless legal debate. In practice, it starts with a quick "AI Act compliance check" – verifying whether you fall within the scope of the regulation, what role you play in the value chain (e.g. provider/deployer) and what types of AI you actually use in the company. Where the AI Act gives no clear answer or is, in our view, not sufficient, we take inspiration from NIST's internationally recognized AI security management framework.
The check is followed by a structured procedure, which typically includes:
- defining the scope and roles (where AI is created, where you buy it, where you deploy it)
- classification of AI systems according to risk
- setting up documentation and processes to stand up to the regulator and clients
- training ("AI literacy") and setting up responsibilities so that the rules do not remain just on paper
CIS Benchmarks: a security baseline that can be measured
While the AI Act addresses governance and accountability in AI, CIS Benchmarks target one of the most common causes of incidents: poorly configured systems. CIS Benchmarks are prescriptive recommendations for secure configuration, created by expert consensus; CIS describes them as covering more than 25 product families.
For leadership, CIS Benchmarking puts cybersecurity on a measurable scale: instead of gut feeling, you get a clear picture of compliance, critical deviations and remediation priorities (including the ability to verify compliance using specialized tools).
BDO's CIS Benchmark gives you "hard proof" of security – it quickly reveals the biggest configuration risks in key systems and transforms them into a priority roadmap that can be immediately managed and defended before the audit and the board.
New: BDO CIS Benchmark assessment – diagnostics and remediation plan
Within BDO Digital in the Czech Republic, you will already find services focused on managing cyber risks and their impact on the business (e.g. security health check, CISO as a Service, vulnerability testing or penetration tests). The CIS Benchmark assessment fits into this portfolio as a quick, very concrete start or "reset" of security hygiene.
A typical output for management is designed so that decisions can be made directly from it:
- Board-ready report: What's in scope, overall status/compliance, and critical deviations
- Prioritization: "Quick Wins" vs. Structural Change
- Roadmap and responsibilities: who, what and by when – including recommended control rhythm
Why Tackle AI Act Compliance and CIS Benchmark Together
Both innovations have a common denominator: trust and resilience. The AI Act pushes for transparency, risk management and the ability to demonstrate the "how and why" behind decisions made by AI. CIS Benchmarking provides a solid foundation for the secure operation of the infrastructure on which AI (and your key systems) runs.
How to get started without big projects
The fastest way is a short introductory workshop: an AI Act quick check plus scope design for the CIS Benchmark assessment. The result is a simple plan for management: what to do, in what order, who owns the risk and what the impact on the business is.