EU AI Act Compliance Consulting for SaaS, AI Vendors and US Companies Selling Into the EU

Regulation (EU) 2024/1689 is now law. Prohibited practices have applied since 2 February 2025, GPAI model obligations since 2 August 2025, the Annex III high-risk regime lands on 2 August 2026, and high-risk systems embedded in Annex I products follow on 2 August 2027. We classify your AI systems against Annex III and Annex I, write the Annex IV / Annex XI technical documentation, stand up the Article 9 risk management and Article 17 quality management systems, and run post-market monitoring per Article 72, integrated with your existing GDPR, ISO 27001 and SOC 2 controls instead of duplicated alongside them. Engineering-grade evidence, lawyer-readable memos, board-ready risk register. From 6,500 EUR for the Readiness Assessment.

The EU AI Act has extraterritorial reach: under Article 2(1)(c), if the output of your AI system is used in the EU you are in scope regardless of where your company is incorporated. Fines reach 35 million EUR or 7 percent of worldwide annual turnover, whichever is higher, for prohibited practices, and 15 million EUR or 3 percent for breaches of the high-risk and most other obligations (Article 99). But most SaaS products are not high-risk; the value is a defensible classification memo, a clean documentation pack, and an evidence library that does double duty as your ISO 42001 and SOC 2 inputs. We have done this for SaaS vendors, AI-native startups, and US companies entering the EU market. The deliverable is operational, not theatrical.

What we deliver

Risk classification memo

System-by-system mapping against Annex III (eight high-risk areas), Annex I (regulated products), Article 5 prohibitions, and Article 50 limited-risk obligations. Written with article-level citations so your counsel can sign off without re-doing the work.

Annex IV technical documentation

The full pack for high-risk systems: system description, intended purpose, risk management, data governance, human oversight design, accuracy/robustness/cybersecurity metrics, logging, post-market monitoring plan. Versioned Markdown in your repo, not a one-time PDF.

GPAI model documentation

If you fine-tune or otherwise substantially modify a GPAI model, you can become the provider of the modified model, with GPAI obligations limited to the modification (Recital 109 and the Commission's guidelines on the obligations of GPAI providers); Article 25(1) separately makes you the provider of a high-risk AI system if you rebrand one, substantially modify it, or change its intended purpose so that it becomes high-risk. We deliver the Annex XI pack: model card, training data summary, known or estimated energy consumption, the Article 53(1)(c) copyright policy, and the Article 53(1)(d) public summary of training content on the EU AI Office template.

Risk management system

Article 9 RMS as a living system, not a binder. Hazard identification, residual risk evaluation, mitigation tracking, and integration with your ISO 27001 register so the same control evidences both regimes.

Post-market monitoring

Article 72 PMM plan, Article 73 serious-incident reporting workflow, drift and accuracy dashboards, and the playbook for notifying the market surveillance authority on the statutory clock: immediately once a causal link to the AI system is established or reasonably likely, and in any event no later than 15 days after you become aware of the incident, shortened to 10 days where a person has died and to 2 days for a widespread infringement or a serious and irreversible disruption of critical infrastructure (Article 73(2) to (4)).

Deployer-facing artefacts

Instructions for use per Article 13, transparency notices per Article 50, and a deployer FRIA (fundamental rights impact assessment) template per Article 27, ready to ship to enterprise customers asking AI Act questions in their procurement RFPs.

What we cover

Annex III Classification · Annex I Mapping · Article 5 Prohibitions · Article 50 Transparency · GPAI Article 53 · Article 9 Risk Mgmt · Article 10 Data Governance · Article 14 Human Oversight · Article 15 Accuracy/Cyber · Article 17 QMS · Annex IV Tech Doc · Annex XI GPAI Doc · Article 27 FRIA · Article 72 PMM · Article 73 Incidents · CE Marking Support · Notified Body Liaison · ISO/IEC 42001 Alignment · ISO 27001 Integration · GDPR Article 35 DPIA · NIS2 / DORA Crossmap · CRA Crossmap · CEN-CENELEC JTC 21 · EU AI Office Liaison

How an engagement runs

  1. Scope & classify

     Week 1: inventory every AI system and GPAI model in your stack, classify against Annex III/I, identify prohibited practices, and write the classification memo. Most clients discover that two-thirds of their AI is limited-risk or out of scope, defensibly.

  2. Gap analysis

     Week 2: gap each in-scope system against the relevant articles, score each gap by deadline and effort, and produce a remediation roadmap aligned with the 2 February 2025, 2 August 2025, 2 August 2026 and 2 August 2027 milestones.

  3. Build the pack

     Weeks 3–8: stand up the Article 9 RMS and Article 17 QMS, write the Annex IV (or Annex XI for GPAI) documentation in your repo, implement logging per Article 12, and ship the Article 13 instructions for use and Article 50 transparency notices.

  4. Operate

     From month three: quarterly evidence refresh, regulatory monitoring (EU AI Office guidance, harmonised standards as they publish, national competent authorities), Article 73 incident drills, and an annual third-party-ready audit dry run.

Engagement packages

Readiness Assessment

Two weeks, fixed scope. Classification memo, gap analysis against the applicable articles, remediation roadmap mapped to AI Act deadlines, and a 60-minute executive briefing with the founder and counsel. 6,500 EUR fixed.

Documentation Pack

Six to eight weeks. Full Annex IV or Annex XI technical documentation, Article 9 RMS, Article 10 data governance policy, Article 72 post-market monitoring plan, Article 13 instructions for use, Article 50 transparency notices, and the public model card. 18,000 EUR fixed.

Compliance Operations

Ongoing monthly retainer. Quarterly evidence refresh, regulatory monitoring, Article 73 incident reporting support, annual audit dry run, deployer/customer RFP answer pack maintenance. 4,500 EUR/month.

Conformity assessment with a notified body (Article 43, route via Annex VII) is quoted separately when the system requires third-party assessment. Three-month minimum on Compliance Operations, month-to-month thereafter with 30 days notice. NDA, DPA and IP assignment signed before kickoff.

Why founders and counsel pick YuSMP for AI Act work

GDPR-aligned · ISO 27001 ready · SOC 2 Type II in progress · HIPAA-capable · ISO/IEC 42001-aligned

Engineers, not policy consultants

We read the model code, the data pipeline, and the eval suite before we write a memo. Our deliverables hold up because they reflect what the system actually does, not what a slide deck claims it does.

One evidence library, many regimes

AI Act, GDPR, ISO 27001, ISO 42001, SOC 2, NIS2, CRA — the underlying controls overlap. We build a single versioned evidence library that discharges duties across all of them instead of running parallel binders.

Inside your operating cadence

DPA and NDA signed before kickoff, repo access, attendance in your engineering staff meeting and your board legal update. The documentation lives in your stack and is owned by your team after handover.

For conformity assessment we work directly with EU notified bodies (the Annex VII procedure under Article 43(1)(b)) and prepare the submission to the standard the body expects, not the standard a generalist consultant assumes.

Frequently asked questions

When does the EU AI Act actually apply to my product, and what are the deadlines I should plan around?

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and applies in tranches. Prohibited AI practices (Article 5) became applicable 2 February 2025. Obligations for general-purpose AI models (Chapter V) apply from 2 August 2025, including transparency, technical documentation, and copyright policy. Most obligations for high-risk AI systems (Chapter III) apply from 2 August 2026. Obligations for high-risk AI systems embedded in regulated products under Annex I (medical devices, machinery, toys, in-vitro diagnostics, etc.) apply from 2 August 2027. If you sell into the EU, EEA, or your output is used in the EU, you are in scope even if your company is incorporated in the US — Article 2 has extraterritorial reach.

How do I know whether my AI system is high-risk, limited-risk, or out of scope?

We classify against Annex III (eight high-risk areas: biometrics, critical infrastructure, education, employment, essential services including credit scoring and life/health insurance pricing, law enforcement, migration/asylum/border control, administration of justice and democratic processes) and Annex I (AI as a safety component in regulated products). Limited-risk systems under Article 50 (chatbots, emotion recognition, biometric categorisation, deepfakes) only have transparency duties. Minimal-risk systems have voluntary codes. We deliver a written classification memo with article citations and a risk register the board can read. About 60 percent of SaaS products we classify end up limited-risk and only need transparency notices and watermarking — that decision alone saves six-figure compliance cost.

We build on OpenAI, Anthropic, or Mistral — does the EU AI Act make us a GPAI provider?

No. GPAI provider obligations (Article 53) sit with the model creator, e.g. OpenAI, Anthropic, Google DeepMind or Mistral; you are the provider or deployer of the AI system you build on top of it. That still carries duties: transparency notices under Article 50, the full Chapter III regime if your system is high-risk, and keeping and acting on the documentation the upstream provider owes you under Article 53(1)(b). If you fine-tune or substantially modify the model itself, you can become the provider of the modified GPAI model, with obligations limited to the modification (Recital 109 and the Commission's guidelines on the obligations of GPAI providers). We map the upstream/downstream boundary, document it in your contract with the model provider, and write the fine-tuning policy that keeps you out of provider-class obligations unless you genuinely want to be a provider.

What does a complete EU AI Act technical documentation pack contain?

Annex IV defines it for high-risk systems: a general description of the system and its intended purpose; a detailed description of its elements and development process, including the Article 10 training, validation and test data, the Article 14 human oversight measures, and the Article 15 accuracy, robustness and cybersecurity metrics and measures; monitoring, functioning and control, including the Article 12 logging capability; the risk management system per Article 9; the change log over the system's lifecycle; the harmonised standards applied; a copy of the EU declaration of conformity (Article 47); and the post-market monitoring plan per Article 72. For GPAI models, Annex XI applies: model card, training data summary, known or estimated energy consumption, plus the Article 53(1)(c) copyright compliance policy. We deliver the full pack as versioned Markdown in your repo, plus a public-facing model card and a deployer-facing instruction sheet.

How does the EU AI Act overlap with GDPR, the Data Act, and ISO 42001 — and how do we avoid duplicating work?

Heavily, and the trick is one integrated controls map. The Article 9 risk management system can reuse your ISO 27001 risk register. The Article 10 data governance requirements align tightly with GDPR Articles 5, 25 and 32 — same DPIA framework with extra fairness and bias documentation. ISO/IEC 42001:2023 AI management system covers about 70 percent of Article 17 quality management requirements; if you are pursuing ISO 42001 certification we sequence it to discharge AI Act duties at the same time. The Data Act, NIS2, and the Cyber Resilience Act add adjacent obligations that share evidence — we deliver a unified evidence library, not five duplicate ones.

What does pricing look like, and what is in versus out of scope?

Three packages. Readiness Assessment is 6,500 EUR fixed (two weeks): classification memo, gap analysis against the relevant articles, remediation roadmap, and an executive briefing. Documentation Pack is 18,000 EUR fixed (six to eight weeks): full Annex IV or Annex XI documentation, risk management system, data governance policy, post-market monitoring plan, instructions for use, and the public model card. Ongoing Compliance Operations is 4,500 EUR/month: quarterly evidence refresh, regulatory monitoring (EU AI Office, national competent authorities, harmonised standards from CEN-CENELEC JTC 21), incident reporting support per Article 73, and one annual third-party-ready audit dry run. Conformity assessment with a notified body is quoted separately when required.

Need an AI Act classification memo before your next board meeting?

Book a readiness call