This section provides the quantified cost model for EU AI Act compliance, covering staffing, tooling, infrastructure, external advisory, and ongoing maintenance across three organisational profiles. All figures reflect 2026 market rates for Western European jurisdictions.
Compliance investment ranges from EUR 350,000 for a small organisation with a single high-risk system to EUR 2,880,000 for a large organisation with twenty-five systems in the first year. Annual ongoing costs range from EUR 155,000 to EUR 1,820,000. These figures cover five cost categories: staffing, tooling, infrastructure, external advisory, and ongoing maintenance.
The cost model is based on three organisational profiles. A small organisation has one to three high-risk AI systems, 50 to 200 employees, and limited in-house AI expertise. A medium organisation has four to ten high-risk systems, 200 to 2,000 employees, and established AI engineering capability. A large organisation has ten or more high-risk systems, 2,000 or more employees, and a dedicated AI governance function. All figures are in euros and reflect 2026 market rates for compliance, engineering, and advisory services in Western European jurisdictions.
The per-system cost decreases significantly for subsequent systems because shared artefacts, including the QMS, governance pipeline, monitoring infrastructure, role definitions, and template library, are reusable. The marginal cost of the second system is approximately 60 to 70 per cent of the first; by the fifth system, marginal cost is approximately 40 to 50 per cent. These economies of scale mean the first system is always the most expensive, and each additional system benefits from the infrastructure investment.
AISDP preparation is a multi-disciplinary effort spanning approximately twenty to twenty-eight weeks for a medium-complexity system. Seven roles contribute to the initial preparation phase, with FTE allocations varying by organisational profile.
The AI Governance Lead requires 0.3 FTE (external consultant) for small organisations, 0.5 FTE (internal, shared) for medium, and 0.25 FTE (internal, dedicated function) for large, at day rates of EUR 1,200 to 1,800. The Technical SME requires 0.5, 0.4, and 0.3 FTE respectively at EUR 800 to 1,200 per day. The AI System Assessor requires 0.2 to 0.3 FTE at EUR 1,000 to 1,500. The Legal and Regulatory Advisor requires 0.15 to 0.2 FTE at EUR 1,500 to 2,500. The Conformity Assessment Coordinator requires 0.1 to 0.2 FTE at EUR 1,000 to 1,400. Data and ML engineers contribute 0.2 to 0.3 FTE at EUR 700 to 1,000, and security engineers contribute 0.1 to 0.15 FTE at EUR 800 to 1,200.
Total FTE per system for initial preparation is approximately 1.65 for small organisations, 2.05 for medium, and 1.35 for large. Estimated staffing cost per system for the six-month preparation engagement ranges from EUR 180,000 to 350,000 for small (external-heavy), EUR 150,000 to 310,000 for medium (blended), and EUR 100,000 to 240,000 for large (internal-heavy, shared services).
Ongoing annual maintenance requires approximately 0.34 FTE per system for small organisations, 0.48 for medium, and 0.36 for large, covering quarterly AISDP review, PMM operation, operator training, regulatory scanning, annual assessment refresh, and governance meetings. Annual staffing cost per system ranges from EUR 55,000 to 110,000 for small, EUR 65,000 to 130,000 for medium, and EUR 50,000 to 105,000 for large organisations.
The recommended tooling stack spans thirteen categories. Annual licence costs for a medium organisation range from EUR 80,000 to 345,000 for a commercial stack, or EUR 20,000 to 60,000 for an open-source-maximised stack.
Pipeline orchestration tools such as Dagster Cloud or Prefect Cloud cost EUR 5,000 to 25,000 annually, with Dagster OSS or Apache Airflow as free alternatives. Experiment tracking through managed MLflow or Weights and Biases costs EUR 6,000 to 30,000. Data validation via Great Expectations Cloud costs EUR 5,000 to 15,000. Policy engines such as Styra DAS cost EUR 8,000 to 30,000, with Open Policy Agent as a free alternative. Security scanning through Snyk or Semgrep costs EUR 5,000 to 20,000.
Monitoring and observability through Datadog or Grafana Cloud costs EUR 10,000 to 50,000, with Grafana plus Prometheus as a free stack. AI governance platforms such as Credo AI or Holistic AI, which have no equivalent open-source alternatives at comparable maturity, cost EUR 20,000 to 80,000. Learning management systems for AI literacy cost EUR 5,000 to 20,000.
The cost differential between commercial and open-source stacks is substantial. The trade-off is operational: open-source tools require internal hosting, maintenance, and integration effort that commercial tools provide as managed services. For small organisations, the open-source stack with managed hosting is typically most cost-effective. For large organisations, commercial tools reduce operational burden and provide enterprise support. Feature flags, progressive delivery, and GitOps tooling are available as open-source at zero licence cost.
Infrastructure costs are driven by monitoring compute, evidence storage, PMM data storage, evaluation compute, CI/CD pipeline compute, and disaster recovery. Annual infrastructure cost for a medium organisation ranges from EUR 16,000 to 80,000.
Monitoring compute for Prometheus, alert evaluation, and dashboards costs EUR 3,000 to 12,000. Evidence storage for governance artefacts and immutable audit logs costs EUR 2,000 to 8,000 using cold storage after the first year. PMM data storage for inference logs and monitoring metrics costs EUR 5,000 to 30,000, the largest infrastructure component driven by inference volume and retention period. Evaluation compute for fairness analysis, sentinel testing, and cascade testing costs EUR 3,000 to 15,000. CI/CD governance gates cost EUR 2,000 to 10,000. Disaster recovery adds EUR 1,000 to 5,000.
The ten-year evidence retention obligation under Article 18 is less expensive than organisations often assume. For a medium-complexity system generating approximately 50 GB of evidence per year, the cumulative storage cost at cold storage rates is approximately EUR 2,400 over ten years. The real cost lies in the operational effort of ensuring evidence remains retrievable and archive infrastructure remains functional over a decade.
External advisory costs depend on the organisation's internal capability and the system's regulatory pathway. Initial legal counsel from an AI Act specialist costs EUR 15,000 to 50,000, with an annual retainer of EUR 5,000 to 20,000. Notified body engagement for systems requiring third-party conformity assessment costs EUR 20,000 to 60,000 per system. Independent fairness evaluation costs EUR 10,000 to 30,000. External AISDP audit costs EUR 15,000 to 40,000 per cycle. Regulatory sandbox participation costs approximately EUR 10,000 to 25,000 in internal effort.
First-year costs including initial AISDP preparation total EUR 350,000 for a small organisation with one system, comprising EUR 250,000 staffing, EUR 40,000 tooling, EUR 20,000 infrastructure, and EUR 40,000 external advisory. For three systems, the first-year total reaches EUR 715,000. A medium organisation with five systems faces EUR 1,020,000 in the first year; with ten systems, EUR 1,600,000. A large organisation with fifteen systems faces EUR 2,030,000; with twenty-five systems, EUR 2,880,000.
Annual ongoing costs at steady state are EUR 155,000 for a small organisation with one system, EUR 310,000 for three systems, EUR 610,000 for a medium organisation with five systems, EUR 1,015,000 for ten systems, EUR 1,265,000 for a large organisation with fifteen systems, and EUR 1,820,000 for twenty-five systems. Staffing is consistently the dominant cost category across all profiles, accounting for 60 to 75 per cent of total expenditure.
The staffing-heavy cost structure means that automation delivers the largest cost reduction. Every manual compliance task that can be automated, including documentation generation, evidence collection, threshold monitoring, and report production, reduces the ongoing staffing requirement. The governance pipeline described in strategic synthesis is the primary automation mechanism. Shared services across systems reduce per-system infrastructure and tooling costs, and process standardisation reduces the learning curve for each new system.
The cost model is incomplete without the enforcement exposure it is designed to avoid. The penalty framework under Article 99 creates three tiers of financial exposure.
Placing a non-compliant high-risk system on the market under Article 99(3) carries a maximum fine of EUR 15 million or 3 per cent of global annual turnover, with typical estimated ranges of EUR 500,000 to 5,000,000 for first offences at mid-market organisations. Operating a prohibited AI practice under Article 99(2) carries EUR 35 million or 7 per cent of turnover. Supplying incorrect information to authorities under Article 99(4) carries EUR 7,500,000 or 1 per cent of turnover.
Beyond regulatory fines, the AI Liability Directive proposal introduces a rebuttable presumption of fault that substantially lowers the claimant's evidentiary burden in civil proceedings. Court-determined damages are unlimited. Reputational damage from published enforcement findings, media coverage, customer confidence erosion, and talent retention impact is unquantifiable but significant.
For a medium-sized organisation with EUR 500 million annual turnover, a single Article 99(3) fine at 3 per cent would be EUR 15 million, more than ten times the annual ongoing compliance cost for ten systems. The compliance programme is, in financial terms, an insurance premium whose expected return is substantial. The investment required to achieve compliance is a fraction of the exposure it mitigates, at any organisational scale.
The business case for EU AI Act compliance addresses four audiences, each requiring different emphasis.
The CFO needs the cost model with per-system estimates, the non-compliance exposure analysis, and the marginal cost reduction demonstrating that subsequent systems are progressively cheaper. The key message: the first system is the most expensive; each additional system benefits from shared infrastructure; and the cost of non-compliance dwarfs the cost of compliance at any scale.
The CEO needs strategic framing: compliance is a market access requirement, not a discretionary investment. High-risk AI systems cannot legally be placed on the EU market after August 2026 without a conformity assessment and AISDP. The choice is not whether to invest but whether to invest now, when the organisation has time to do it well, or later under time pressure that increases cost and reduces quality.
The board needs the risk exposure analysis: maximum fine thresholds, personal liability dimensions for executive leadership, and reputational risk assessment. Board members with fiduciary responsibilities should understand that knowingly operating non-compliant systems after August 2026 creates a risk the board has a duty to manage.
Engineering leadership needs the tooling and infrastructure investment, FTE allocation, and the delivery timeline. The compliance infrastructure, once built, serves every system in the portfolio and generates evidence as a byproduct of normal engineering workflows. Organisations that cannot commit the full investment should consider a phased approach: Phase 1 addresses the highest-risk system, building governance infrastructure and templates; Phase 2 extends to the next tranche using Phase 1 assets; Phase 3 addresses remaining systems. This spreads investment over 18 to 24 months, with interim compensating controls for systems awaiting full compliance.
Yes. An open-source-maximised tooling stack costs EUR 20,000-60,000 annually versus EUR 80,000-345,000 for a commercial stack. The trade-off is operational effort: OSS tools require internal hosting, maintenance, and integration. For small organisations, OSS with managed hosting is typically most cost-effective.
Shared artefacts (QMS, governance pipeline, monitoring infrastructure, templates) are reusable. The marginal cost of the second system is 60-70% of the first. By the fifth system, marginal cost drops to 40-50%. Staffing accounts for most of this reduction through process standardisation.
Yes. Phase 1 addresses the highest-risk system, building governance infrastructure and templates. Phase 2 extends to the next tranche using Phase 1 assets. Phase 3 covers remaining systems. This spreads investment over 18-24 months, with interim compensating controls for systems awaiting full compliance.