Serving customers across borders, the multi-jurisdiction AI compliance picture for SMEs

TL;DR

An SME serving customers in two or more of the UK, EU, US and Canada has all four jurisdictions applying simultaneously, on the basis of customer location, not business location. The proportionate response is a single highest-common-denominator standard, anchored on UK or EU GDPR for personal data and the EU AI Act for AI obligations, applied uniformly. A small set of exceptions, including Quebec data residency and EU cookie consent, need jurisdiction-specific handling.

Key takeaways

- Territorial reach is the rule that catches owners out. UK GDPR, EU GDPR, the EU AI Act, US state laws and Quebec's Law 25 apply on the basis of where the customer or data subject lives, not where the business is based.
- The pragmatic SME pattern is the highest-common-denominator approach. Identify the most stringent requirement on each compliance dimension (transparency, data subject rights, retention, human review), and apply it uniformly to every customer.
- Four genuine exceptions defeat uniform application. Quebec data residency, EU ePrivacy cookie consent, sector-specific regulation (FCA, MHRA, EEOC, FDA), and cross-border data transfer mechanisms (SCCs, the EU-US Data Privacy Framework) need jurisdiction-specific or sector-specific handling.
- ISO/IEC 42001, published December 2023, is the AI management system standard that maps closely to the convergent baseline across all four jurisdictions and is the most efficient single framework for an SME running this approach, even without certifying to it.
- The trigger for specialist help is functional, not size-based. When one jurisdiction crosses about 25 per cent of revenue, when you enter a regulated sector, when you process special-category data at scale, or when you deploy a high-risk AI system, the workload exceeds owner-led compliance.

The owner of a 14-person UK marketing services firm sat down to work out which AI rules apply to her business and realised, partway through, that she had been thinking about the problem wrongly. She is UK-based. Her customers are roughly a quarter in the UK, a quarter in Ireland and the Netherlands, a third in the United States, and the remainder in Toronto and Montreal. She had assumed the question was “which jurisdiction do I sit in”. The actual question is “which combinations of rules apply to which of my customers”, and the answer is all four at once.

A meaningful share of UK SMEs are now in this position without having consciously chosen it. Customers crossed the border through ordinary growth and the regulatory picture quietly became four overlapping pictures. The pragmatic answer is to pick one standard that satisfies all four and apply it everywhere, with a small set of explicit exceptions.

What is multi-jurisdiction AI compliance for SMEs?

Multi-jurisdiction AI compliance is the practice of meeting the AI and data protection rules of every territory your customers or data subjects live in, regardless of where your business itself is based. The trigger is the customer, not the company. An SME with customers in two or more jurisdictions is operating four overlapping regulatory regimes simultaneously. The compliance question is which rules apply to which customer category, not which single jurisdiction the business sits in.

The principle that makes this work is territorial reach. Article 3 of UK GDPR brings any organisation offering goods or services to UK individuals into scope, and Article 3 of EU GDPR does the same for EU individuals. The EU AI Act applies on the same logic when AI outputs affect EU residents. Colorado, Texas, California, New York and Illinois each apply their state rules on the basis of resident location. Quebec’s Law 25 applies on the basis of Quebec residency. None of these care where the company is incorporated, where servers sit, or what nationality the founder holds.

Why does multi-jurisdiction AI compliance matter for your business?

It matters because the cost of framing it wrong is full exposure in jurisdictions you assumed did not apply. An owner running on “UK rules cover everything” is exposed to EU GDPR enforcement on the EU portion of the base, state-level enforcement on the US portion, and Quebec Law 25 on the Canadian portion. The fine framework is the same whether a customer category is one per cent of revenue or fifty.

It also matters because the workable response is more efficient than the obvious one. Running four parallel compliance regimes is expensive in time and money for an SME. PwC’s 2024 Global Privacy Index found that SMEs serving both EU and North American jurisdictions allocated about 3.1 per cent of revenue to privacy and data protection compliance, compared with about 1.8 per cent for single-jurisdiction SMEs. The IAPP Westin Research survey found SMEs with customers in more than three jurisdictions had compliance costs roughly twice the single-jurisdiction baseline. The highest-common-denominator approach is the pattern that closes most of that gap.

Where will you actually meet multi-jurisdiction AI compliance?

You will meet it in four places. First, in the moment of mapping the customer base. An honest inventory of where customers and data subjects live, sometimes for the first time, is the trigger for every other decision. Without that map, the compliance question stays abstract and the cost of being wrong stays invisible.

Second, in the compliance dimensions themselves. The convergent areas across all four jurisdictions are transparency in AI decision-making, human review of significant algorithmic outcomes, fairness and non-discrimination, and accountability through documentation. For each of these, the highest-common-denominator approach means identifying the most stringent requirement across the four regimes and applying it uniformly. On transparency, the EU AI Act obligations for high-risk systems set the bar; on data subject access, GDPR access rights set it; on retention, the GDPR necessity principle sets it.

Third, in the four genuine exceptions where uniform application breaks. Quebec Law 25 imposes data residency obligations that require certain personal data of Quebec residents to be stored or backed up in Canada, which a uniform global storage policy cannot satisfy. The EU ePrivacy Directive requires opt-in consent for cookies, incompatible with US opt-out frameworks. Sector-specific regulation (FCA and FINRA in financial services, MHRA and FDA in healthcare, EEOC and New York’s Local Law 144 in employment AI) imposes obligations on top of the general framework. Cross-border data transfers between the UK or EU and the US run on Standard Contractual Clauses or the Data Privacy Framework.

Fourth, in the regulatory tracking infrastructure that keeps the picture current. The White & Case AI Watch tracker, the IAPP Global AI Law tracker, the OECD AI Policy Observatory, the DLA Piper Data Protection Laws of the World database, and the Future of Privacy Forum US state trackers are the cross-jurisdiction references many SMEs lean on. None of them charge for access at the level a typical SME needs.

When to ask versus when to ignore multi-jurisdiction AI compliance

Ask the question whenever the customer base spans more than one of the four jurisdictions in roughly material proportions. The threshold is not zero. An EU customer making up two per cent of revenue still brings EU GDPR and EU AI Act obligations into play for that two per cent. Ignore the temptation to assume small share equals no exposure. The legal test is presence, not proportion.

Also ask whenever you are about to change one of the structural inputs: onboarding the first customer in a new jurisdiction; adding a sector-regulated client (financial services, healthcare, government, employment screening); deploying a new AI system that touches personal data or makes decisions about individuals; adopting a vendor that processes data outside the UK and EU. Each of these is the moment to revisit the highest-common-denominator map, before the change rather than after the fact.

The trigger to bring in specialist help is functional, not size-based. Four reliable indicators stand out. One customer category crosses about 25 per cent of revenue. You enter a regulated sector with sector-specific AI obligations. You begin processing special-category data (health, biometric, racial or ethnic origin, political opinion, religious belief) at any volume. You deploy a system that falls inside the EU AI Act Annex III high-risk categories. Any one of these is the moment to scope specialist support to assess maturity, fix gaps, set procedures, and hand back to internal management with periodic review.

Size proxies are less reliable. A 50-person firm with simple uniform compliance across a single jurisdiction often runs with less external help than a 20-person firm with complex multi-jurisdiction exposure.

The most useful adjacent concept is the AI management system standard, ISO/IEC 42001, published in December 2023. The standard specifies governance, risk management, data quality, human oversight, and continuous improvement requirements that map to the convergent baseline across all four jurisdictions. An SME running highest-common-denominator compliance benefits from organising the work using ISO/IEC 42001 even without certifying, because the framework is internationally recognised.

The four jurisdictional posts each cover their territory in depth. The EU AI Act for UK and EU SMEs is the most prescriptive of the four and tends to set the highest-common-denominator bar on transparency and high-risk obligations. The UK pro-innovation pivot covers the UK approach and the Data (Use and Access) Act 2025. The US patchwork covers state-level fragmentation across Colorado, Texas, California, New York and Illinois. The Canada, AIDA and provincial post covers PIPEDA and Quebec Law 25, currently the most stringent AI rule in North America.

For internal practice, the minimum viable AI policy for a small business and the audit trail an SME actually needs give the policy and documentation backbone the highest-common-denominator approach assumes. The proportionate AI risk register is the structured way to inventory the AI systems that the multi-jurisdiction question then applies to.

The cluster does not replace specialist legal advice, particularly on cross-border data transfer mechanics or any decision that turns on a sector-specific regulator. The framework is right at the level of orientation. The detail is properly a solicitor’s. If you want to talk through where your firm sits across the four jurisdictions and what a proportionate response looks like at your scale, book a conversation.

Sources

- Information Commissioner's Office. UK GDPR Article 3, Territorial scope, the foundational rule for which organisations come within UK data protection law on the basis of monitoring or offering to UK individuals. https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/uk-gdpr-and-eu-gdpr/art-3-territorial-scope/
- European Commission. EU AI Act full text on the EUR-Lex portal, the binding text on territorial scope (Article 2), high-risk classifications (Annex III), and transparency obligations (Article 50). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
- White & Case. AI Watch Global regulatory tracker, the cross-jurisdiction reference for enacted and proposed AI legislation across the UK, EU, US states and Canada, regularly updated. https://www.whitecase.com/insight-our-thinking/ai-watch-global-regulatory-tracker
- OECD AI Policy Observatory, country-specific profiles of AI policy and regulation across OECD member countries, useful for comparing UK, EU, US and Canadian approaches at a structural level. https://oecd.ai/en/dashboards/policy-observatory
- IAPP. Global AI law and policy tracker, the cross-jurisdiction tracker maintained by the International Association of Privacy Professionals covering AI rules and how they interact with privacy frameworks. https://iapp.org/resources/article/global-ai-legislation-tracker/
- DLA Piper. Data Protection Laws of the World, the cross-jurisdiction database covering more than 150 countries including the UK, EU member states, US states and Canadian provinces. https://www.dlapiperdataprotection.com/index.html?t=law&c=GB
- Commission Nationale d'accès à l'information du Québec. Quebec Law 25 (Act respecting the protection of personal information in the private sector), the live framework that brings algorithmic decision transparency and data residency obligations for Quebec residents. https://www.legisquebec.gouv.qc.ca/en/document/cs/A-2.1
- European Commission. Standard Contractual Clauses for international transfers, the template contractual mechanism for transferring personal data from the EU and UK to jurisdictions without adequacy. https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-transfer/standard-contractual-clauses-scc_en
- US Department of Commerce. EU-US Data Privacy Framework, the live transfer mechanism in operation since July 2023 for personal data of EU residents transferred to participating US organisations. https://www.dataprivacyframework.gov/
- International Organization for Standardization. ISO/IEC 42001, the AI management system standard published December 2023, the cross-jurisdiction governance framework many SMEs running multi-jurisdiction compliance use to organise their work. https://www.iso.org/standard/81230.html

Frequently asked questions

I am UK-based with a handful of EU and US customers. Do all four jurisdictions really apply to me?

Yes, on the basis of where your customers and data subjects live. Article 3 of UK GDPR catches any organisation offering goods or services to UK individuals, EU GDPR does the same for EU individuals, the EU AI Act applies when AI outputs affect EU residents, and Colorado, Texas, California, New York, Illinois and Quebec each apply their state or provincial rules on the basis of resident location. The "small share" framing does not exempt you. The lawful workaround is the highest-common-denominator pattern, not pretending the rules do not apply.

What does highest-common-denominator actually mean in practice?

For each dimension of compliance you choose the most stringent requirement across all jurisdictions you serve and apply it to every customer. On transparency, you implement the EU AI Act standard for high-risk systems. On data subject access, you implement UK or EU GDPR access rights. On retention, you implement the GDPR necessity principle. On consent for AI processing, you implement the Quebec Law 25 standard for algorithmic decisions. The result is one process per dimension, not four.

When does this stop being something I can run myself and start needing specialist help?

Functionally, when the workload exceeds owner-led compliance. The reliable triggers are these. One customer category crosses about 25 per cent of revenue. You enter a regulated sector (financial services brings the FCA or FINRAhealthcare brings the MHRA or FDA, and employment AI brings the New York, Illinois and California rules). You process special-category data at scale (health, biometric, racial or ethnic origin). You deploy a high-risk AI system under the EU AI Act Annex III. Any one of these is the point to bring in specialist support.

This post is general information and education only, not legal, regulatory, financial, or other professional advice. Regulations evolve, fee benchmarks shift, and every situation is different, so please take qualified professional advice before acting on anything you read here. See the Terms of Use for the full position.
