Services · EU AI Act · Assessment

EU AI Act technical readiness assessment

Before you build a single control, you need to know which of your AI systems the Act touches and how hard. I inventory them and gather the technical facts, your legal team classifies the risk, and I turn that into a prioritised engineering roadmap to the 2 August 2026 deadline.

What the assessment delivers

AI system inventory

Every system you build, deploy or embed — including shadow AI and vendor features that have crept in unnoticed.

Classification worksheet

Each system lined up against Annex III, Article 5, Article 50 and GPAI with the technical evidence — ready for your legal team to make the formal call.

Provider/deployer inputs

The technical facts — do you fine-tune, modify or rebrand a bought model? — that legal needs to fix your role for each system.

Gap analysis & roadmap

A prioritised, engineering-level plan: what to build, in what order, to be ready before the deadline.

Why classification is the whole game — and why legal owns it

The AI Act is proportionate: a minimal-risk system needs almost nothing, while a high-risk system carries the full weight of risk management, data governance, logging, human oversight, technical documentation and conformity assessment. Getting the classification wrong is expensive in both directions — you either over-build controls you never needed, or you miss an enforceable obligation and carry real fine exposure. Precisely because the stakes are legal, the classification call belongs with your legal advisers, not with me. What this assessment does is give them a system-by-system worksheet with the technical evidence already assembled, so their call is fast and well-grounded — and so the engineering that follows is scoped to exactly what's required.

How it runs

  1. DiscoverStructured interviews and a technical sweep to surface every AI system, integration and embedded vendor feature.
  2. Classify (legal makes the call)I line each system up against Article 5, Annex III, Article 50 and GPAI with the technical evidence; your legal team makes the formal classification and fixes provider/deployer roles.
  3. Gap-analyseFor every in-scope system, compare current controls to the obligations that apply and record the delta.
  4. RoadmapA prioritised, costed plan of the engineering work, sequenced so the highest-risk systems are ready first.

Frequently asked questions

What exactly do I get from a readiness assessment?

A complete inventory of your AI systems, a classification worksheet that lines each system up against the Act's categories with the technical facts your legal team needs to make the call, a gap analysis of the technical controls each in-scope system is missing, and a prioritised engineering roadmap to close those gaps before the deadline. It's the document you take to legal for the formal classification, and to your engineering team for the build.

Do you classify risk yourself, or does legal?

Legal makes the call; I make it easy for them. Deciding whether a system is high-risk under Annex III, or whether you're the provider or the deployer, is a legal determination — get it wrong and someone carries fine exposure, so it shouldn't sit with an engineer. What I do is line every system up against the Act's categories (Article 5 bans, Annex III high-risk, Article 50 transparency, GPAI, minimal) with the technical evidence for each, so your legal advisers can classify quickly and confidently rather than starting from a blank page.

How long does it take?

Typically 1–2 weeks depending on how many AI systems and integrations you run. Week one is discovery — interviews, inventory and classification. The output roadmap lands at the end, scoped so the implementation phase can start immediately.

We don't even know how many AI systems we have. Is that a problem?

That's the normal starting point, and part of the value. AI has usually crept in through copilots, embedded vendor features, internal tools and fine-tuned models. I run a structured discovery to surface shadow AI as well as the obvious systems, so nothing enforceable gets missed.

What happens after the assessment?

You own the roadmap and can execute it however you like — with your own team, another vendor, or with me in the implementation phase. Nothing locks you in. Most companies move straight into implementing the high-risk controls because the deadline is tight.

This assessment is a technical and engineering exercise, not legal advice. Final legal interpretation stays with your own legal and compliance advisers.