Skip to main content

EU AI Act Readiness Assessment

Which of your AI systems the EU AI Act regulates, classified and documented in two weeks.

A fixed-fee assessment that inventories your AI systems, classifies each against the EU AI Act risk tiers, and shows where the documentation and monitoring obligations fall. You get a register, a gap analysis, and the remediation ranked by the date each obligation applies.

Fixed fee
€6,500
Duration
2 weeks
Format
Remote-first

At a glance

Fixed fee
€6,500
Duration
2 weeks
Format
Remote-first
Fee credit
Creditable in full within 8 weeks
Markets served
DACH and Benelux

Who it's for

  • You run or plan to run AI systems and you do not know which ones the Act treats as high-risk.
  • Your board or a customer is asking for an EU AI Act position and you have nothing written down.
  • You are about to build or buy an AI system and want its risk class settled before the budget is committed.
  • You are procuring an AI system from a vendor and need to know, before you sign, whether the contract shifts provider obligations onto you or leaves you as deployer only.
  • A works council is asking about an AI system’s classification before approving its rollout, and the answer needs a paper trail.

Scope and format

Two weeks, remote-first. We inventory the AI systems you use and plan, including the ones embedded in software you bought. We classify each against the Act tiers: prohibited under Article 5, high-risk under Article 6 and Annex III, transparency obligations under Article 50, or minimal. For each regulated system we check the obligations that follow: Annex IV technical documentation, risk management, data governance, human oversight, and post-market monitoring. Led by an IAPP-certified AI governance practitioner who has built and run an AI Centre of Excellence. You give us access to the people who own the systems and the documentation that exists.

What you get

AI system register

Every AI system in use and in plan, including embedded ones, in one inventory with its owner, purpose, and your role as provider or deployer. Embedded means AI features already running inside software you bought, such as Microsoft 365 Copilot or an SAP module’s built-in assistant, not only the systems your team built.

Risk classification per system

Each system mapped to its EU AI Act tier against Annex III, with the reasoning recorded for an auditor.

Obligation gap analysis

For each regulated system, the Annex IV documentation, oversight, and monitoring you have versus what the Act requires.

Remediation plan ranked by deadline

The work to close each gap, ordered by the date the obligation applies, so the nearest deadlines surface first.

Provider/deployer contract flag

Where a vendor contract shifts provider obligations onto you without saying so plainly, flagged before you sign, not after an audit finds it.

Readout session

A working session with your stakeholders to walk the register and agree what to address first.

Pricing

A fixed fee of €6,500. The scope above is the scope.

The full fee is creditable against a follow-on governance or build engagement booked within eight weeks of the readout.

Where your data sits

A remote-first assessment. Most of the work is with your people and your documentation. Where we need to see a system, we work in your tenant with read-only access scoped to the assessment and revoked on completion. No data leaves your environment, and we sign your data processing agreement before we start.

Governance & compliance

  • Every AI system classified to its EU AI Act risk tier, with the reasoning recorded for an auditor.
  • Provider versus deployer role established per system, since the obligations differ.
  • Read-only access where a system needs inspecting, scoped to the assessment and revoked on completion.
  • The register and classification documented for your AI governance records and your DPA.

Includes EU AI Act positioning and how we classify AI systems.

Read our governance approach

Common questions

How long does it take?

Two weeks, from kickoff to the readout session.

Do you provide AI Act training for our staff?

No. We assess and classify your AI systems and produce the documentation the Act requires as a deliverable. Staff training on the AI Act is a separate service we do not offer.

Does this cover AI we bought rather than built?

Yes. AI embedded in software you purchased is in scope. The obligations differ for a deployer versus a provider, and the register records which role you hold for each system.

What if a system comes out high-risk?

Then the plan lists the Annex IV documentation, human oversight, and post-market monitoring it needs, ranked by the date the obligation applies. If you want us to build that into the system, the fee credits against the engagement.

Who actually runs the assessment?

An IAPP-certified AI governance professional who has built and run an AI Centre of Excellence, and holds the AB-731 AI Transformation Leader certification. The same person classifies your systems and writes the register, not a junior analyst working from a checklist.

How do you determine each system’s risk classification?

We map its intended purpose and deployment context against the specific Annex III use-case category it falls under, or confirm none applies, then check Article 5’s prohibited practices and Article 50’s transparency duties in turn. Each classification is recorded against the exact Annex III entry it matches, not asserted, so it holds up if a customer’s auditor or a market surveillance authority asks how you got there.

The Act’s obligations phase in over several years. Why do this now rather than closer to the deadline?

Because the deadlines already differ by obligation: the prohibited-practices ban has applied since 2 February 2025, transparency and marking duties bind from 2 December 2026, and most Annex III high-risk obligations follow from 2 December 2027 under the June 2026 omnibus amendment. The register tells you which date reaches which system before the budget for it is committed.

Does the assessment cover general-purpose AI models like the ones behind Copilot or ChatGPT?

We assess your use of them: the system built on top and its intended purpose, since that is what the Act classifies. General-purpose model obligations sit with the model provider, not your organisation, unless you fine-tune or repackage the model yourself.

What if we operate in more than one EU member state?

The classification is EU-wide; only the market surveillance authority and national add-ons, such as a works council consultation requirement in Germany, vary by country. We flag the country-specific steps as part of the plan.

Can the register be handed to our legal or compliance team to maintain going forward?

Yes. It is built as a living document with an owner per system, not a one-off report. Keeping it current as systems change is the point.

Request the assessment