Is €1,250 enough for a real legal assessment, or is this a glorified checklist?

It is a legal assessment, not a checklist. The price reflects a scoped, fixed deliverable — one AI system, one regime — rather than an open-ended engagement billed by the hour. A Big Four advisory firm would charge more for the same work; a self-serve tool would charge less and give you a template, not a legal position. €1,250 is the fixed price for a defined output, not a signal of depth.

I’m a small team — is this built for enterprise or for us?

It is built for product teams, not compliance departments. The intake is short, the deliverable is written in plain language, and the debrief call is designed to answer questions from founders and engineers, not just lawyers. No prior legal knowledge is required to use the output.

We think we’re minimal risk — do we actually need this?

If you’re certain, you don’t. But most teams that believe they’re minimal risk haven’t systematically checked Article 5, haven’t run through Annex III, and haven’t settled their provider or deployer role. The assessment is worth doing when there’s genuine uncertainty, not as a formality when you already have a defensible position. If you’re asking the question, you probably don’t have certainty yet.

What if the assessment finds a serious problem?

Finding a problem before launch is the best possible outcome. An Article 5 issue discovered now is a product decision. The same issue discovered during a regulatory investigation is a different situation entirely. The assessment tells you what the problem is, what your options are, and what remediation looks like — so you decide with full information.

We’re not in the EU — does this apply to us?

The Act reaches you the moment your system’s output is used in the Union. UK, US, and Canadian companies are frequently in scope without realising it. The assessment confirms whether and how the Act reaches your product and what it requires of you.

Can I use this for investor or acquirer due diligence?

Yes. The written assessment memo and Living Compliance File™ are specifically structured to hold up under due diligence scrutiny. Investors and acquirers are asking about AI Act compliance now, not on the enforcement date.

What if I disagree with the classification?

The assessment sets out the legal reasoning behind every determination. If you have a different reading of how the law applies to your system, the debrief call is the place to test it. If the reasoning doesn’t hold up on examination, we revise. If it does, you have a documented position you can defend.

Is the output something my legal team can actually work with?

Yes. The written memo is structured so your legal counsel can review, rely on, and build from it — not a summary they have to redo from scratch. Several clients pass it directly to their lawyers as the starting point for their compliance file.

Why pay €4,950 when the AI Act assessment is €1,250?

Because most AI products don’t fall under one law. If your system processes personal data — which almost every AI product does — GDPR applies alongside the AI Act. If it’s delivered as software, the Cyber Resilience Act may apply too. Assessed separately, you duplicate work on the overlaps and miss the gaps between regimes. The cross-framework assessment does all of it together, and the price reflects the additional work involved. If your product genuinely only touches the AI Act, the €1,250 assessment is the right product.

How do I know which frameworks actually apply to my product?

You don’t need to know before booking. That determination is part of the work. The scoping call and intake process establish which frameworks reach your product and which don’t, and the applicability analysis at the start of the engagement rules each regime in or out with reasoning. You won’t be paying for frameworks that don’t apply.

We already had a GDPR audit — do we need this?

A GDPR audit covers your organisation’s data processing in general. The AI-specific GDPR issues — Article 22 automated decision-making, DPIA triggers specific to AI, data minimisation tension with model training — are usually not covered in a standard privacy audit. This assessment focuses on where GDPR lands on your AI system specifically, not your data processing in general.

What if only some frameworks turn out to apply?

The scope is confirmed at intake. If fewer frameworks apply than expected, that is reflected in the output — you get a clear ruling-out with reasoning for each law that doesn’t reach you, which is itself a useful compliance record. The price does not adjust downward post-intake, which is why the scoping call matters: if the picture at intake suggests a single-regime assessment is sufficient, we’ll tell you before work begins.

Is this recognised by EU regulators?

The output is a lawyer-built legal assessment, not a certificate or accreditation. It does not replace a formal conformity assessment by a notified body where one is required. What it gives you is a defensible legal position — documented, reasoned, and structured so any regulator can read it. That is what a market surveillance authority will ask for first.

We have multiple AI products. Can this cover all of them?

The engagement covers one AI system. Additional systems are quoted separately. In practice, once the framework applicability analysis is done for your organisation, subsequent systems take less time because the groundwork is already established. Ask about multi-system pricing on the scoping call.

How current is the legal analysis?

The assessment reflects the Act as in force at the time of delivery, including any delegated acts, harmonised standards, and Commission guidance published to that date. The Act is still developing and guidance continues to emerge. This is not a living document that updates automatically — it is a snapshot of your legal position at a point in time. If significant guidance is published after delivery that materially affects your classification, that triggers a conversation, not an automatic revision.

What does an authorised representative actually do? Is this just a registered address?

No. A letterbox AR service gives you a name and address to put on a form. This service gives you a named EU-established lawyer who can actually respond to a regulatory authority if they write to you — with knowledge of your product and your compliance position. The Act places real obligations on the AR, including maintaining a copy of your technical documentation and cooperating with authorities.

A letterbox cannot do that. We can.

Do I actually need this? Is the AR requirement enforced in AI Act?

Article 22 is a hard requirement for non-EU providers of high-risk AI systems, not a recommendation. Market surveillance authorities are beginning enforcement activity. Operating without a compliant AR when one is required is a straightforward breach — the kind that is easy to identify and straightforward to act on. It is also the kind of gap that surfaces immediately in investor or acquirer due diligence.

What happens if a regulator contacts you about my product?

We receive the correspondence, notify you immediately, and coordinate the response. We do not take legal positions on your behalf without your involvement — the AR role is to be the point of contact, not to make decisions unilaterally. If the enquiry escalates to an enforcement matter, that is a separate legal engagement.

What if my product changes during the year?

Material changes — new use cases, new deployment contexts, new data processing — may affect your classification and your AR obligations. The annual review call is specifically designed to catch these. If a change is significant enough to require a formal scope amendment, we tell you before we proceed. The AR mandate covers the system as scoped at appointment; changes outside that scope need to be agreed.

Is €2,400 the total cost, or will I be invoiced for additional work?

€2,400 per year is the fixed retainer for the service as described. Authority correspondence handling, the annual review call, and regulatory alerts are all included. Work outside that scope — a reclassification assessment, legal representation in proceedings, documentation drafting — is a separate engagement quoted separately. Nothing additional is charged without your agreement in advance.

Can you act as AR if we haven’t done an assessment with you?

Yes, though in practice most clients come through an assessment first, since that is how we establish knowledge of your product and its compliance position. If you appoint us as AR without a prior assessment, a short intake process establishes the product context we need. We will not accept an AR appointment for a product we have no visibility of.

What if the Act changes after I buy your services?

The Act’s core documentation requirements are stable — Annex IV, Article 9, and Article 10 are not going to be substantially rewritten. What changes is guidance on how to interpret and apply them. The completion notes will flag where interpretive guidance is still developing. If a delegated act or harmonised standard materially changes documentation or assessment structure, we issue an updated version free of charge.