
AI Act Readiness Assessment

Classify your AI systems against the EU AI Act, then know exactly which obligations apply before they bite.

We assess your AI systems against the EU AI Act — classification under Articles 5 and 6, the obligations that follow from your role, and a remediation path — grounded in Regulation (EU) 2024/1689 through the Ansvar gateway, with senior-reviewer QA on every finding.

  • System inventory and risk classification against Article 5, Article 6, and Annex III
  • Obligations mapped to your role: provider, deployer, importer, or distributor
  • Gap register with per-obligation status, evidence, and owner
  • Board-ready readout and a prioritised remediation plan
  • Every citation verified against the EU source

Classification: prohibited, high-risk, or neither

The EU AI Act (Regulation (EU) 2024/1689) regulates AI by risk, not by sector. The first question for any system is which risk bucket it sits in, because the bucket decides the whole obligation set. We work that question against the legislation, not against a generic checklist.

Article 5 lists the practices that are banned outright — among them untargeted scraping of facial images, social scoring by public authorities, and certain biometric categorisation. If any system you run touches a prohibited practice, no amount of documentation makes it compliant; it has to stop. We flag these first.

Article 6 sets the rules for high-risk classification. A system is high-risk on one of two routes: it is a safety component of a product already covered by EU harmonisation law (the Annex I route), or it falls under one of the use cases in Annex III — areas such as creditworthiness scoring of natural persons, recruitment and worker management, access to essential services, and biometric identification. Annex III is where most enterprise AI lands. We triage every system against the actual Annex III list and record why it is in or out.

Systems that are neither prohibited nor high-risk still carry transparency duties — users have to be told when they are interacting with AI or seeing AI-generated content. We capture those too, so nothing is mislabelled as out of scope.

Obligations by role: provider, deployer, importer, distributor

The same AI system imposes different duties depending on what you do with it. The Act draws a hard line between the provider that develops or brands a system and the deployer that uses one under its own authority, with separate, lighter duties for importers and distributors. Most organisations are deployers of vendor AI and providers of the systems they build in-house — often both at once, for different systems.

Providers of high-risk systems carry the heavy obligations: a risk-management system, data governance, technical documentation, record-keeping that lets a decision be traced back to its input under Article 12, human oversight, accuracy and robustness, conformity assessment under Article 43, and registration in the EU database under Article 49.

Deployers have their own duties — operating the system within the provider's instructions, assigning human oversight, monitoring, and, where a deployment falls within scope, completing a fundamental rights impact assessment under Article 27. A common and expensive mistake is assuming that buying AI from a vendor moves all the obligations onto the vendor. It does not.

General-purpose AI models carry a distinct obligation track of their own. Where you build on a foundation model, or provide one, we note the GPAI duties separately so they are not lost between the provider and deployer columns.

The gap register: per-obligation status, evidence, owner

Classification tells you which obligations apply. The gap register tells you where you stand against each one. For every applicable obligation we record the current status, the evidence that supports it, and the owner who has to close it — the same structure an auditor or a market-surveillance authority will expect to see.

Each row cites the provision it answers to. A finding against record-keeping points at Article 12; a finding against conformity assessment points at Article 43. Where the gateway returns only weak or unscoped sources for a requirement, we mark the regulatory basis unresolved rather than dress a training-data guess up as a citation. No uncited findings ship.

What you receive

Two artefacts. A board-ready readout that states, in plain terms, which of your systems are in scope, what risk tier each one sits in, and where the material exposure is — the document you put in front of a risk committee. And a remediation plan that turns the gap register into sequenced, owned work, with the highest-exposure gaps first.

Both are delivered as a structured, cited report. Every regulatory claim traces to Regulation (EU) 2024/1689 at article level, so your own counsel or auditor can check our work against the source rather than taking it on trust.

Timeline and the regulatory clock

The AI Act applies in stages rather than all at once. The prohibitions in Article 5 came into application first, ahead of the rest of the regime. The obligations for high-risk systems phase in later — the risk-management requirements for high-risk systems under Article 9 apply from 2 August 2026. That staged structure is why classification is urgent now: the systems most likely to need work are the ones whose deadline is still ahead, and the remediation runway is finite.

We verify the application-date framing against the legislation through the gateway as part of the engagement. Where a date claim cannot be grounded to the source, we say so rather than commit you to a deadline we cannot cite.

What you receive

  • AI system inventory and classification. Every system triaged against Article 5, Article 6, and Annex III, with the in-scope / out-of-scope reasoning recorded per system.
  • Role and obligation map. Your provider / deployer / importer / distributor role per system, with the obligation set that follows — GPAI duties noted separately.
  • Gap register. Per-obligation status, supporting evidence, and named owner, each row cited to the article it answers to.
  • Board-ready readout. A plain-language summary of scope, risk tiers, and material exposure for a risk committee.
  • Remediation plan. Sequenced, owned actions with the highest-exposure gaps first, exported as PDF and CSV.

How it's delivered

  1. Scoping call. An included call to agree which systems are in scope and confirm we have the architecture and documentation to assess them.
  2. System intake. You send the system inventory, model and vendor details, and any existing AI governance material through a secure, EU-hosted upload.
  3. Classification and gap analysis. We classify each system and build the gap register against the obligations that apply, grounded in the legislation through the gateway.
  4. Senior review. A senior reviewer checks every finding and citation before anything ships — no uncited findings, no unverified article numbers.
  5. Readout. We walk the board-ready summary and remediation plan with you live, then hand over the cited report.

Questions buyers ask first

Are we even in scope for the AI Act?
If you build, brand, sell, import, or use an AI system in the EU, almost certainly yes — the Act reaches providers and deployers alike. The real question is which tier each system sits in. The first thing the assessment does is separate the systems that carry heavy high-risk obligations from the ones that only carry transparency duties, so you spend effort where the Act actually demands it.
We only use vendor AI — does that make us a deployer?
Usually yes. If you use an AI system under your own authority, you are a deployer and carry deployer obligations — operating within the provider's instructions, human oversight, monitoring, and a fundamental rights impact assessment under Article 27 where the deployment falls within its scope. Buying AI from a vendor does not move every obligation onto the vendor; we map exactly which duties stay with you.
What about general-purpose AI models?
GPAI models sit on their own obligation track, separate from the high-risk classification of the systems built on them. If you build on a foundation model or provide one, we record the GPAI duties as a distinct line so they are not lost between the provider and deployer columns.
How are your citations grounded?
Every regulatory claim is resolved against Regulation (EU) 2024/1689 through the Ansvar gateway at article level. Where the source for a requirement cannot be retrieved, we mark the regulatory basis unresolved rather than cite a training-data guess. A senior reviewer checks every article number before the report ships.
How long does it take?
It depends on how many systems are in scope and how much governance material already exists. We give an honest range at the scoping call; a focused single-system readiness check is far quicker than an estate-wide one. We confirm the duration in writing before work starts.
What does it cost?
Pricing is scoped per engagement against the number of systems and the depth of evidence review you need. Contact us with a short description of your AI estate and we will return a fixed scope and price — we do not quote a number we cannot stand behind.