Every compliance conversation eventually comes down to budget. EU AI Act compliance is no different — and the cost estimates circulating in the market vary enormously, from reassuringly small to eye-watering. The reality for mid-market European companies is somewhere specific, and understanding what drives cost is more useful than any single headline figure.
This post breaks down where the money goes, compares approaches, and gives you a realistic framework for what your organization should plan to spend.
What Large Enterprises Are Spending
Industry research and early compliance engagements suggest that large enterprises — those with multiple complex AI systems, dedicated compliance teams, and regulatory exposure across multiple jurisdictions — are spending in the range of €400,000–€600,000 to reach initial EU AI Act compliance. For organizations with many high-risk systems or those operating in highly regulated sectors (financial services, healthcare, critical infrastructure), costs can exceed €1 million.
These figures include:
- External legal and consulting fees
- Technical infrastructure changes
- Internal staff time (legal, compliance, IT, data science)
- Ongoing monitoring tooling
- Training and process development
Large enterprise costs are instructive but not directly comparable to what mid-market companies face. The scale of the problem is different — as is the ability to absorb it.
Realistic Cost Ranges for Mid-Market Companies
For companies with 50–3,000 employees operating a limited number of AI systems, realistic total compliance costs break down as follows:
- 1–3 high-risk AI systems, limited complexity: €50,000–€100,000
- 4–10 high-risk AI systems, moderate complexity: €100,000–€200,000
- Complex deployments with custom AI development: €200,000–€400,000
These ranges assume a combination of internal staff time and external support. They do not assume a ground-up rebuild of affected systems — they assume documentation, risk management processes, and monitoring are the primary workstreams.
Cost Breakdown by Workstream
Risk Assessment and Classification (€5,000–€30,000)
Before any compliance work can begin, you need to know what you have. This means conducting an AI system inventory and classifying each system against the EU AI Act’s risk framework. For companies with well-documented systems and clear data governance, this is straightforward. For companies that have adopted AI incrementally through SaaS tools and custom integrations, it requires significant investigative work.
External consultants typically charge €150–€300 per hour for this work. An initial classification engagement for 5–10 systems can run €15,000–€30,000. Internal resources cost less per hour but typically have other responsibilities — actual elapsed time is often longer.
Technical Documentation (€20,000–€80,000 per system)
Annex IV documentation is the most significant cost driver for mid-market companies. Each high-risk AI system requires a structured technical documentation package covering system description, development methodology, training data governance, testing and validation, human oversight design, and post-market monitoring plans.
Producing this documentation from scratch — by working with system developers, data scientists, legal teams, and compliance staff — typically takes 2–6 weeks of intensive work per system. At consulting rates, that is €20,000–€80,000 per system depending on complexity. With multiple systems, this cost compounds quickly.
Testing and Validation (€10,000–€40,000)
High-risk systems require evidence of accuracy, robustness, and cybersecurity. For systems already in production, this means retroactively generating or compiling test results in a format that satisfies regulatory requirements. For new systems, it means building validation into the development process. External testing and validation services range from €10,000 to €40,000 per system.
Ongoing Monitoring Infrastructure (€15,000–€60,000 per year)
The EU AI Act requires continuous monitoring of high-risk systems in production. This means logging, incident detection, performance tracking against declared metrics, and mechanisms to identify unexpected behavior. Building this infrastructure — or integrating it into existing observability tooling — is a one-time implementation cost plus ongoing operational expense.
Legal Review and Regulatory Registration (€10,000–€25,000)
High-risk AI systems must be registered in the EU database before deployment. Legal review of documentation for regulatory adequacy, plus registration and ongoing updates, typically requires specialized outside counsel. Budget €10,000–€25,000 for initial legal work, with annual maintenance costs thereafter.
Staff Training (€3,000–€10,000)
Human oversight requirements mean that staff interacting with or supervising high-risk AI systems need specific training. This is often underbudgeted. Well-designed training programs for a team of 10–30 people, delivered by qualified trainers, cost €3,000–€10,000.
DIY vs. Platform Approach: A Direct Comparison
The Full DIY Route
A mid-market company that manages compliance entirely through internal resources and specialist external consultants might spend:
| Workstream | Cost Estimate |
|---|---|
| Risk assessment (5 systems) | €25,000 |
| Technical documentation (3 high-risk systems) | €120,000 |
| Testing and validation | €30,000 |
| Monitoring infrastructure (build) | €40,000 |
| Legal review and registration | €20,000 |
| Staff training | €8,000 |
| Total (year 1) | €243,000 |
This does not include ongoing staff time for documentation maintenance, which is a recurring cost the regulation explicitly requires.
The Platform-Assisted Route
Compliance platforms like Aikraft handle the most labor-intensive workstreams — risk classification guidance, automated Annex IV documentation generation, continuous monitoring, and regulatory change tracking — through software. The economics shift significantly:
| Workstream | Cost Estimate |
|---|---|
| Platform subscription (Pro, annual) | €5,988 |
| Risk assessment (guided, internal team) | €5,000 |
| Documentation (platform-generated, legal review) | €30,000 |
| Testing and validation | €25,000 |
| Monitoring infrastructure (platform-native) | Included |
| Legal review and registration | €15,000 |
| Staff training | €6,000 |
| Total (year 1) | €86,988 |
The difference is primarily in documentation and monitoring — the two workstreams where structured software tooling has the largest impact on labor hours. The platform does not replace legal advice or eliminate the need for internal ownership, but it eliminates a large portion of the billable consultant hours that drive up DIY costs.
The ROI of Compliance vs. Fine Risk
A useful framing: compliance spending is also risk mitigation spending. The maximum fine for high-risk system violations is 3% of global annual turnover or €15 million, whichever is higher.
For a mid-market company with €80 million annual revenue, a 3% fine is €2.4 million. Compliance spend of €80,000–€150,000 represents a cost of roughly 3–6% of the potential maximum fine — for ongoing protection against it.
This is not an argument that enforcement is certain or that fines will be imposed at maximum levels. It is an argument that the expected value calculation favors investment. National authorities are building enforcement capacity specifically for this regulation, and they have publicly stated intent to act.
Beyond fines, non-compliant systems can be ordered off the market. For a company whose operations depend on an AI-assisted HR tool or credit decisioning system, operational disruption is a more immediate risk than the fine itself.
Where to Reduce Cost Without Increasing Risk
Use software for documentation generation. The documentation burden is real, but much of it is structured and repeatable. Platforms that auto-generate Annex IV documentation from system intake forms can reduce documentation labor by 60–70%.
Prioritize your highest-risk systems first. Not every system requires the same investment. Focus initial compliance work on your Annex III high-risk systems. Minimal-risk systems need no specific Act compliance work.
Use a phased approach. Document and register your highest-risk systems before August 2, 2026, even if lower-risk systems are still in progress. Demonstrating active good-faith compliance effort is preferable to having no documentation at all.
Negotiate documentation from vendors. If you are deploying a third-party high-risk AI system, the provider has obligations too — including providing technical documentation to deployers. Push your vendors for their Annex IV documentation before commissioning new work.
For a detailed view of what Annex IV documentation requires, see our complete documentation checklist.
Ready to see what compliance actually costs for your specific situation? View Aikraft’s pricing — including a free tier for a single AI system — and get an instant estimate of your documentation and monitoring coverage.