EU AI Act Compliance: In-House vs External Paths
Three real paths SMEs can take to EU AI Act compliance: fully in-house with tooling, hybrid in-house plus targeted legal review, or fully outsourced external advisory. Honest tradeoffs.
Updated 25 May 2026 after the EU's Digital Omnibus agreement (7 May 2026): the Annex III high-risk compliance deadline has moved from 2 August 2026 to 2 December 2027 (Annex I to 2 August 2028). Article 50(2) transparency obligations still apply 2 August 2026. See our Omnibus update for the full timeline.
Three paths, three different cost structures
The EU AI Act does not prescribe how compliance work gets done. It prescribes what the output must look like — technical documentation to the level of Annex IV, a risk management system under Article 9, a Fundamental Rights Impact Assessment under Article 27 where applicable, conformity assessment under Article 43, and so on. How the organisation produces those artifacts is its own choice.
In practice, SMEs end up on one of three paths:
- Fully in-house with tooling — compliance produced by internal staff, supported by structured software
- Hybrid — in-house production plus targeted external legal review at specific decision points
- Fully outsourced — external advisory produces most of the compliance artifacts on behalf of the organisation
None of these is objectively correct. Each makes a different bet on where the organisation's scarce resources should go: internal time, external fees, or both. The breakdown of EU AI Act compliance costs puts realistic euro ranges on each path so the choice is not made on gut feel.
Path 1: Fully in-house with tooling
In this model, the organisation's own engineers, product managers, and compliance staff produce the classification, documentation, and ongoing monitoring artifacts. Software enforces structure — decision trees for classification, templated Annex IV sections with field-level article references, standing risk registers for Article 9, FRIA workflows for Article 27, and literacy training modules for Article 4.
When it fits:
- The technical team understands the AI system well enough to describe its architecture, training data, validation methods, and operational controls
- The organisation has one or a small number of AI systems with standard classification outcomes (e.g. a clear Annex III category, no edge cases on Article 5)
- Speed matters — the team can start the same day rather than waiting weeks for external scoping
- Budget is constrained and the organisation wants to keep knowledge in-house
When it does not fit:
- The AI system sits in a genuinely ambiguous zone on Article 5 prohibited practices, or between high-risk and limited risk, where legal judgment is load-bearing
- The team does not have anyone who can describe the system's technical details with the specificity Annex IV requires
- The use case requires third-party conformity assessment by a notified body (notably Annex III point 1 biometric systems under Annex VII where harmonised standards or common specifications do not fully cover the requirements)
Tradeoff: the organisation retains full ownership of the compliance determination. That means full responsibility too. There is no external firm sharing the accountability.
Path 2: Hybrid
The hybrid path combines in-house production with targeted external legal review. Most of the work — classification, Annex IV documentation, Article 9 risk register, Article 27 FRIA, Article 4 literacy programme — happens internally, typically with the same tooling as Path 1. External legal counsel is engaged at specific points:
- Final review of the classification rationale and any Article 5 analysis
- A second-look read-through of the completed technical documentation before it is signed off
- Targeted advice on cross-jurisdictional questions if the organisation operates in multiple Member States
- Interaction with supervisory authorities if the organisation applies for a regulatory sandbox under Articles 57–62
When it fits:
- The organisation wants external validation of its compliance work but does not need external staff to do the work itself
- The internal team is capable of producing the documentation but wants a qualified second opinion before it is finalised
- Budget allows for bounded, quotable legal engagements rather than an open-ended retainer
When it does not fit:
- The compliance work has not started yet and the internal team has no bandwidth — external review only adds value against work that exists
- The regulatory interaction required is substantial enough that a proper advisory relationship makes more sense than spot legal review
Tradeoff: higher spend than pure in-house, but meaningful risk reduction on the specific decisions where legal judgment matters most. For many SMEs this is the most balanced option.
Path 3: Fully outsourced external advisory
In this model, external advisors — law firms, specialist AI regulation practices, or general management advisory — conduct the compliance work on behalf of the organisation. Typical deliverables include stakeholder interviews to inventory AI systems, classification reports, Annex IV documentation produced by the advisor, risk management frameworks, conformity assessment support, and training materials.
When it fits:
- The AI portfolio is large and complex enough that internal coordination across business units is itself a significant undertaking
- The architecture is genuinely novel and does not map cleanly to existing Annex III categories
- The organisation faces a specific regulatory interaction — a notified body conformity assessment, a regulatory sandbox application, or an enforcement action — where specialist counsel is essential
- Internal capacity is unavailable and the deadline is close
When it does not fit:
- The AI use case is standard and the internal team could produce the same artifacts more cheaply and faster with structured tooling
- The organisation wants the compliance knowledge to live in-house after the engagement ends — consultancy deliverables are snapshots and typically leave a limited knowledge residue once the advisors have finished
Tradeoff: external advisory can be substantial in cost, scope-dependent, and timeline-dependent. The engagement produces a set of documents, usually as static PDFs and slide decks, that the organisation then has to maintain internally as the AI system evolves. Subsequent updates often require re-engagement.
A practical framing
Three questions tend to settle the choice:
1. Can the internal team describe the AI system with the specificity Annex IV requires? If yes, in-house production (Path 1 or 2) is viable. If not, either invest in building that description capability or accept the cost of Path 3. Our Annex IV technical documentation template makes the specificity bar explicit so you can answer this honestly.
2. Is there genuine legal ambiguity in the classification or an Article 5 edge case? If yes, external legal input adds real value — Path 2 or 3 depending on scope. If the classification is unambiguous (most SME cases fall here), Path 1 or 2 is sufficient. The Witness AI System Classifier makes this classification step quick and explicit so the ambiguity question becomes answerable.
3. What happens after launch? Compliance is ongoing — Article 72 post-market monitoring, Article 9 continuous risk management, and system-change updates are recurring, not one-off. Paths 1 and 2 leave the organisation capable of maintaining compliance internally. Path 3 typically requires repeat engagements.
If you are taking Path 1 or 2, tools like Witness provide the structure: a classification decision tree tied to the Annex III categories, an Annex IV generator with field-level article references, Article 27 FRIA workflows, an Article 9 risk register, Article 4 literacy training modules, and exports that hold up to audit. The compliance determination stays with the organisation; the tooling handles the format, article citations, and recurring maintenance.
Conclusion
Most SME compliance work is not exotic. It is standard Annex III classification, Annex IV documentation, Article 9 risk management, and Article 27 FRIA for in-scope deployers. That work benefits from structure, from article-level accuracy, and from a workspace that can be updated when the system changes — things software is good at.
External legal review is valuable at specific decision points: classification edge cases, Article 5 analysis, and a final read-through of the finished documentation. That work benefits from human judgment and professional accountability — things software cannot replace. The step-by-step compliance checklist shows exactly where those decision points sit in the wider workflow.
Large, complex, or novel AI deployments justify broader external engagement. Standard SME deployments usually do not.
To understand which path actually fits your situation, start with a free classification. The output — risk level, role, and article-level obligation list — is the prerequisite for any meaningful budget or scoping conversation, whether internal or external.
Check if the EU AI Act applies to you
Free classification in 3 minutes. No signup required.
Get Started