# M3 Framework

> The Open Compliance Standard for SMEs.

M3 Framework is a lightweight, practical alternative to ISO 27001, designed specifically for Small and Medium Enterprises (SMEs). It focuses on three core pillars: Mount (Establish), Monitor (Observe), and Manage (Govern), ensuring compliance with GDPR, EU AI Act, and general cybersecurity best practices.

## Core Concepts

- **Mount**: Establish the security baseline with ready-to-use policies and tools.
- **Monitor**: Continuous observability using automated tools (e.g., Sinaptic.AI).
- **Manage**: Governance, incident response, and evolution of the compliance posture.

## Ecosystem

- **Official Tools**: Validated software like Sinaptic.AI (DLP, Shadow AI monitoring).
- **Partners**: Consultants and agencies that help implement M3.
- **License**: Fully open source. The standard text is released under CC BY 4.0; the code, CSV annexes, and templates under Apache 2.0. Free for any use, including unrestricted commercial use (consulting, audits, derivative products, SaaS), subject only to attribution.

## Links

- [Home](https://m3framework.org/index.html)
- [Tools](https://m3framework.org/tools.html)
- [About](https://m3framework.org/about.html)
- [Partnership](https://m3framework.org/partnership.html)
- [License](https://m3framework.org/license.html)

## Guides

- [EU AI Act Compliance](https://m3framework.org/eu-ai-act.html): Practical guide for SMEs to understanding risk categories and compliance steps.
- [ISO 27001 & 42001](https://m3framework.org/iso-compliance.html): How M3 serves as a lightweight alternative and stepping stone to ISO certification.
- [NIST AI RMF](https://m3framework.org/nist-ai-rmf.html): Mapping M3's approach to the four core functions of the NIST AI Risk Management Framework.