With the new AI regulation casting a wide net across the industry in Europe, Dermot McCann, Executive Vice President and General Manager for EMEA at Kaseya, believes the need for compliance is not only important – it’s essential.
At Kaseya’s partner event in Reading earlier this month, he stressed that no one within the AI ecosystem—from vendors to MSPs and end-users—can afford to ignore it.
“They have to be able to demonstrate compliance with it," McCann says. "This Act is going to fundamentally reshape how AI is developed, deployed, and monitored," noting that the regulatory demands are particularly intense for high-risk AI systems.
The AI Act, the world’s first major AI law, was approved in May, harmonising rules on AI use and development across the EU. Although EU-focused, it affects UK businesses using AI in the EU.
Noncompliance, such as systems posing unacceptable risks like threatening people's safety, livelihood, and rights can result in fines up to €35 million or 7% of global turnover, with lesser penalties for other violations and false information, according to law firm Skadden.
However, he also sees significant opportunities for MSPs who navigate these challenges effectively.“For MSPs, the challenge lies in integrating these new compliance demands into their existing operations, but this also presents an opportunity to enhance their service offerings and build greater trust with their clients."
To successfully navigate these changes, McCann advises: “An MSP is going to have to look at data protection, cybersecurity protection, and AI within the same risk management framework as part of the delivery of their services to their end-users."
Navigating the dynamic environment: ‘MSPs are just setting out on their AI journey’
MSPs have historically evolved alongside their clients, transitioning from traditional IT management to cloud adoption and, more recently, focusing more intently on cybersecurity.
Andre Schindler, General Manager EMEA at NinjaOne, attributes this shift to "increasing regulatory pressures and market demands." He points out that with the introduction of Network and Information Security (NIS2) directive—a legislative act aimed at establishing a high, uniform level of cybersecurity across the EU—now regulates all MSPs with 50 or more employees. A major change with NIS2 requires the formal reporting of significant incidents to national authorities which places MSPs and the regulated industries under even greater scrutiny .
As businesses confront the challenges and opportunities presented by AI – a market projected to reach $158.6 billion by 2028, according to Canalys – MSPs must reassess their strategies.
This isn't new for them, as Schindler observes: “As business enablers for their customers, MSPs work in an extremely dynamic environment,” emphasising the need for agility in responding to these shifts.
He points out that many MSPs are just beginning their AI journey, focusing on understanding the technology’s potential impact on their operations and clients.
“They’re focusing on learning about AI and its impact on their business and customers.
“The EU’s AI Act separates AI products and services into different categories, from high risk to limited risk. MSPs will have to take this into account when it comes to exploring AI opportunities, both for their own use and within their portfolios.
“However, since many MSPs are just setting out on their AI journey, they are unlikely to have any sunk cost that the AI Act could put at risk."
Effective internal governance: ‘Training and clear guidelines are critical’
Effective internal governance is therefore essential to minimise these risks and ensure that AI technologies are used responsibly and securely.
Toby Stephenson, CTO of Neuways, a Derby-based MSP with over 15 years' experience of supporting over 300 companies worldwide, emphasises the importance of establishing clear policies and guidelines for staff when using AI tools.
He believes that company policies should serve as a guide for employees, helping them navigate the complexities of AI use without compromising data security.
"One of the things that I’m a firm believer in is that company policies are part of an education pack for the staff—they’re the guardrails or the handbook for how to work within the business," says Stephenson.
“This is crucial when using AI tools like ChatGPT or Microsoft’s Co-Pilot, which, if not managed correctly, could inadvertently expose sensitive information.”
Stephenson also highlights the importance of awareness and education when it comes to AI tools, which are often misunderstood or misused.
"AI can be incredibly powerful, but without proper understanding, it can also be dangerous. This is why training and clear guidelines are so critical," he explains.
He advocates for the role of an internal AI advocate—someone within the organisation who can oversee the use of AI tools and ensure that they are implemented in a way that aligns with both regulatory requirements and the company’s strategic goals.
"Having a dedicated AI advocate ensures there’s someone keeping an eye on both the benefits and the risks, making sure the organisation stays on track," Stephenson adds.
Beyond internal governance, the support of vendors is also critical in helping MSPs meet the challenges of the EU AI Act. Vendors are responsible for ensuring that the AI products they develop meet the stringent standards set by the new regulations.
Dermot McCann explains how Kaseya has been proactive in this area, incorporating an AI data engine that leverages telemetry into their technologies.
"Our approach is to ensure that our products not only meet compliance standards but also help our partners—like MSPs—deliver better, more secure services," McCann notes.
Implications of the EU AI Act: ‘With great power comes great responsibility’
The proactive stance taken by the EU, as seen previously with the General Data Protection Regulation (GDPR), often sets a precedent that other regions follow.
McCann anticipates that similar regulatory frameworks will emerge in other parts of the world, including the United States.
"The GDPR was a big pioneering move for the EU in general data protection, and other countries followed suit very quickly. I think the AI Act will have a similar trajectory," he observes.
This anticipated global impact means that MSPs and vendors worldwide must begin considering the implications of such regulations.
As Toby Stephenson aptly puts it, "With great power comes great responsibility," a sentiment that captures the essence of the challenges and opportunities that lie ahead.
Picture l-r: Andre Schindler, General Manager EMEA at NinjaOne, Dermot McCann, Executive Vice President and General Manager for EMEA at Kaseya, and Toby Stephenson, CTO of Neuways
