EU AI Act Compliance Cost: What SMEs Should Actually Budget For
A practical breakdown of what EU AI Act compliance costs for SMEs — the real drivers are engineering time, documentation work, training, and ongoing monitoring.
Updated 25 May 2026 after the EU's Digital Omnibus agreement (7 May 2026): the Annex III high-risk compliance deadline has moved from 2 August 2026 to 2 December 2027 (Annex I to 2 August 2028). Article 50(2) transparency obligations still apply 2 August 2026. See our Omnibus update for the full timeline.
What the EU AI Act actually requires
Before estimating cost, it helps to be precise about what the regulation demands. Not every AI system triggers the heavy obligations. The work depends on the risk classification and on whether the organisation acts as a provider or a deployer.
For a high-risk AI system under Annex III, a provider must produce and maintain:
- A risk management system across the full lifecycle (Article 9)
- Data and data governance practices for training, validation, and testing datasets (Article 10)
- Technical documentation to the level of detail specified in Annex IV (Article 11)
- Record-keeping and logging capabilities (Article 12)
- Transparency and instructions for use for deployers (Article 13)
- Human oversight design by the provider and effective oversight by the deployer (Article 14)
- Appropriate levels of accuracy, robustness, and cybersecurity (Article 15)
- A quality management system covering the entire organisation's provider operations (Article 17)
- Conformity assessment before placing the system on the market (Article 43)
- Post-market monitoring and serious-incident reporting (Articles 72, 73)
Deployers of high-risk systems carry a lighter but distinct set of obligations, including monitoring the system in operation, ensuring human oversight actually happens, keeping logs, and — for public authorities and several private-sector use cases — completing a Fundamental Rights Impact Assessment under Article 27 before first use.
Every organisation using AI, regardless of risk level, has an AI literacy obligation under Article 4: staff who operate or are affected by AI systems must have sufficient understanding of how those systems work.
For limited-risk systems (Article 50), obligations reduce to transparency: users must be told they are interacting with AI, AI-generated content must be labelled, and certain synthetic media must be marked as such.
Minimal-risk systems — the vast majority of AI in use today — have no mandatory obligations beyond the general AI literacy requirement.
The point of listing these is simple: a precise cost estimate starts with a precise obligation list, and the obligation list starts with a correct classification. Three minutes in the free Witness classifier returns the article-level obligation list any cost model needs as input.
The real cost drivers
Compliance cost is not a single line item. It is the sum of four kinds of work:
Engineering and product time. Implementing logging (Article 12), transparency disclosures (Article 50), human oversight mechanisms (Article 14), and the accuracy and cybersecurity measures of Article 15 typically touches the product itself. These are development changes, not paperwork.
Documentation time. Annex IV technical documentation is detailed. It covers the system's intended purpose, development process, architecture, training data, validation methods, risk management measures, and change management. Filling it out accurately takes the people who built the system — not a junior writing from a template blindly.
Legal review time. Risk classification, Article 5 prohibited-practice edge cases, and deployer/provider role determination benefit from legal input. Most SMEs do not need a continuous retainer; they need targeted review at specific decision points.
Training and ongoing monitoring. Article 4 literacy training is a recurring expense. Article 9 risk management and Article 72 post-market monitoring are continuous, not one-off. When the system changes — new training data, new features, an updated model — the documentation has to move with it.
Categories of spend
A realistic SME budget lives in four buckets:
Personnel time (internal). This is the largest line for most companies and the most underestimated. For a single high-risk system, a realistic planning figure is 40 to 100 hours of internal staff time across engineering, product, compliance, and legal stakeholders. More AI systems, more complex architectures, or less prior documentation maturity push this higher. The SME compliance playbook maps the typical six-week sequence smaller teams use to spread that load.
Tooling. Software that structures the compliance work — classification, Annex IV generation, Article 9 risk register, Article 27 FRIA, Article 4 literacy training, post-market monitoring — turns what would be blank-page work into guided completion. Self-service compliance tooling is typically priced in the low hundreds to low thousands of euros annually for SMEs.
Legal review. Targeted review of the completed documentation, classification rationale, and any Article 5 edge cases. Scope- and jurisdiction-dependent, but usually a bounded, quotable engagement rather than an open-ended retainer.
Optional external audit or third-party conformity assessment. For most Annex III systems, a provider can conduct conformity assessment internally under Annex VI. Annex III point 1 biometric systems may require third-party assessment by a notified body under Annex VII where harmonised standards or common specifications do not fully cover the applicable requirements, which is a separate cost centre entirely.
How a self-service tool fits into this
A self-service compliance tool does not replace legal judgment or engineering work. What it does is reduce the structural overhead that otherwise falls on internal staff:
- Classification is structured as a decision tree so the output is consistent and auditable
- Annex IV documentation is generated from filled-in forms with field-level article references, so every data point has a regulatory anchor
- Article 9 risk management is captured in a standing register rather than reinvented per project
- Article 27 FRIA is structured as a template covering the required elements for in-scope deployers
- Article 4 literacy training is delivered through modules with completion tracking
- Updates can be applied directly in the workspace when the system changes, rather than triggering a new external engagement
The output is documentation the organisation owns. The work is done by the people who know the system. The tool provides structure, article citations, and formatting — it does not pretend to be a lawyer.
Penalty context
The cost of compliance is bounded. The cost of non-compliance is not. Article 99 of the EU AI Act sets the maximum administrative fines:
| Violation | Maximum penalty |
|---|---|
| Prohibited AI practices (Article 5) | €35 million or 7% of global annual turnover, whichever is higher |
| High-risk system obligations or transparency obligations | €15 million or 3% of global annual turnover |
| Providing incorrect, incomplete, or misleading information to authorities | €7.5 million or 1% of global annual turnover |
For SMEs, Article 99(6) applies the lower of the two alternatives — the fixed amount or the percentage — which bounds worst-case exposure but does not remove it. Our free Article 99 fine estimator runs your specific revenue band against the statutory ceilings in seconds, which makes the abstract numbers concrete. Enforcement also carries non-monetary consequences: withdrawal of the AI system from the market, reputational damage, and contractual fallout with customers who increasingly require compliance as a procurement condition.
Framing the decision
The compliance choice for most SMEs is not "pay a huge fee or do nothing." It is a spectrum between two honest options:
Build and document in-house with efficient tooling. The organisation's own engineering and compliance staff produce the documentation, supported by software that enforces structure and article-level accuracy. External legal review is used selectively where it adds the most value — classification edge cases, Article 5 analysis, and a final read-through of the finished documentation.
Outsource more of the work to external parties. Legal and advisory firms can produce the documentation on behalf of the organisation. The scope is larger, the timeline is longer, and the internal team still has to provide the underlying technical facts — nobody outside the company knows the architecture, training data, or operational controls better than the people who operate them. Our in-house versus external paths breakdown walks through the honest tradeoffs of each option.
Most SMEs land somewhere in between. A realistic budget for a single high-risk AI system, assuming internal engineering capacity and targeted external legal review, sits in the low thousands of euros for the first year, with ongoing maintenance being a fraction of that. Systems with more complexity, more jurisdictions, or weaker internal documentation maturity shift the figure upward.
The regulation is new, the deadline is firm (2 August 2026 for most high-risk obligations under Article 113), and the penalty ceiling is substantial. A disciplined, internally-led programme with good tooling and targeted legal review is almost always the most efficient path for an SME.
To find out which obligations actually apply to your AI system, start with a free classification — it takes minutes and returns the exact article-level obligation list you need to budget against.
Check if the EU AI Act applies to you
Free classification in 3 minutes. No signup required.
Get Started