Article 99 of the EU AI Act establishes fines of up to 35 million euros or 7% of global turnover for non-compliance. Understanding total compliance costs by organisation size enables informed investment decisions and effective budget allocation across staffing, tooling, infrastructure, and advisory services.
First-year compliance costs range from approximately 350,000 euros for a small organisation with one high-risk AI system to 2,880,000 euros for a large organisation managing twenty-five systems. These estimates include the initial AI System Description Profile (AISDP) preparation alongside ongoing operational expenditure. Staffing consistently represents the largest cost component, accounting for more than half of total spend across every organisation profile. The remaining budget divides among tooling, infrastructure, and external advisory services.
The following table presents estimated first-year costs, broken down by organisation profile and cost category.
| Organisation Profile | Systems | Staffing | Tooling | Infrastructure | External Advisory | Total First Year |
|---|---|---|---|---|---|---|
| Small (1 system, external-heavy) | 1 | 250,000 euros | 40,000 euros | 20,000 euros | 40,000 euros | **350,000 euros** |
| Small (3 systems) | 3 | 550,000 euros | 50,000 euros | 35,000 euros | 80,000 euros | **715,000 euros** |
| Medium (5 systems) | 5 | 750,000 euros | 120,000 euros | 50,000 euros | 100,000 euros | **1,020,000 euros** |
| Medium (10 systems) | 10 | 1,200,000 euros | 180,000 euros | 70,000 euros | 150,000 euros | **1,600,000 euros** |
| Large (15 systems) | 15 | 1,500,000 euros | 250,000 euros | 80,000 euros | 200,000 euros | **2,030,000 euros** |
| Large (25 systems) | 25 | 2,200,000 euros | 300,000 euros | 100,000 euros | 280,000 euros | **2,880,000 euros** |
Small organisations with a single system rely more heavily on external advisory services relative to their total spend. As the system count increases, the per-system cost decreases because governance infrastructure, templates, and institutional knowledge are shared across systems. Compliance Cost Modelling provides the full breakdown of individual cost components, including staffing models and tooling investment profiles.
Annual ongoing compliance costs are substantially lower than first-year costs, reflecting the front-loaded nature of initial AISDP preparation and infrastructure investment. A small organisation with one system can expect ongoing costs of approximately 155,000 euros per year, while a large organisation with twenty-five systems faces approximately 1,820,000 euros annually.
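| Organisation Profile | Systems | Staffing | Tooling | Infrastructure | External Advisory | Total Annual |
|---|---|---|---|---|---|---|
| Small (1 system) | 1 | 80,000 euros | 40,000 euros | 20,000 euros | 15,000 euros | **155,000 euros** |
| Small (3 systems) | 3 | 200,000 euros | 50,000 euros | 35,000 euros | 25,000 euros | **310,000 euros** |
| Medium (5 systems) | 5 | 400,000 euros | 120,000 euros | 50,000 euros | 40,000 euros | **610,000 euros** |
| Medium (10 systems) | 10 | 700,000 euros | 180,000 euros | 70,000 euros | 65,000 euros | **1,015,000 euros** |
| Large (15 systems) | 15 | 850,000 euros | 250,000 euros | 80,000 euros | 85,000 euros | **1,265,000 euros** |
| Large (25 systems) | 25 | 1,300,000 euros | 300,000 euros | 100,000 euros | 120,000 euros | **1,820,000 euros** |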
The cost model is incomplete without the enforcement exposure it is designed to mitigate. The EU AI Act establishes a tiered penalty structure with fines that substantially exceed the cost of any compliance programme, making the financial case for investment straightforward.
The business case for EU AI Act compliance investment should address four distinct audiences, each requiring different evidence and framing. Tailoring the argument to each stakeholder group increases the likelihood of securing the necessary budget and organisational commitment.
The CFO needs the cost model presented in the staffing, tooling, infrastructure, and total cost sections, the non-compliance exposure analysis, and the marginal cost reduction for additional systems. The key message for finance leadership is clear: the first system is the most expensive, each subsequent system is cheaper, and the cost of non-compliance dwarfs the cost of compliance at any scale.
The CEO needs the strategic framing. Compliance is a market access requirement, not a discretionary investment. High-risk AI systems cannot legally be placed on the EU market after August 2026 without a conformity assessment and AISDP. The choice is not whether to invest; it is whether to invest now, when the organisation has time to do it well, or later, under time pressure that will increase cost and reduce quality.
The board needs the risk exposure analysis: the maximum fine thresholds, the personal liability dimensions for executive leadership, and the reputational risk assessment. Board members with fiduciary responsibilities should understand that knowingly operating non-compliant AI systems after August 2026 creates a governance risk that the board has a duty to manage. Conformity Assessment Procedures explains the assessment requirements that the board should understand.
The AI Governance Lead implements cost tracking for the compliance programme using the organisation's existing financial management tools. Each cost category, including staffing, tooling, infrastructure, and external advisory, is tracked separately to enable meaningful analysis. Per-system costs are tracked to support marginal cost calculations. Quarterly cost reports are provided to the CFO and reviewed by the AI Governance Lead for optimisation opportunities.
Three strategies reduce the ongoing cost of compliance. First, automation: every manual compliance task that can be automated, such as documentation generation, evidence collection, threshold monitoring, and report production, reduces the staffing cost. The governance pipeline is the primary automation mechanism. Second, shared services: monitoring infrastructure, evidence storage, governance pipeline components, and template libraries are shared across systems, reducing the per-system infrastructure and tooling cost. Third, process standardisation: a standard AISDP preparation process, applied consistently across systems, reduces the learning curve for each new system and enables the assessment team to work more efficiently. Tooling and Infrastructure Investment covers the specific tooling decisions that drive these cost reductions.
Organisations that cannot commit the full investment should consider a phased approach that spreads the cost over eighteen to twenty-four months rather than concentrating it in a single preparation cycle. This approach prioritises the highest-risk system first, building governance infrastructure and institutional knowledge that reduce subsequent costs.
Phase 1 addresses the highest-risk system in the portfolio: the system most likely to attract regulatory attention, most likely to cause harm, or most commercially important. The investment in Phase 1 builds the governance infrastructure, the templates, and the institutional knowledge that reduce the cost of subsequent phases.
Phase 2 extends to the next tranche of systems, leveraging the infrastructure and templates established in Phase 1. Phase 3 addresses the remaining systems. The phased approach carries an explicit risk: systems in Phase 2 and Phase 3 remain non-compliant during the preparation period. The AI Governance Lead assesses this risk and determines whether interim compensating controls, such as enhanced monitoring, restricted deployment, and increased human oversight, can reduce enforcement exposure until full compliance is achieved.
The first system bears the full cost of building governance infrastructure, templates, and institutional knowledge. Subsequent systems reuse this foundation, so the marginal cost per system decreases as the portfolio grows.
Staffing consistently represents more than half of total compliance spend across every organisation profile, both in the first year and at steady state.
The AI Governance Lead assesses enforcement risk for deferred systems and determines whether interim compensating controls, such as enhanced monitoring, restricted deployment, and increased human oversight, can reduce exposure until full compliance is achieved.
Fines reach up to 35 million euros or 7% of global turnover for prohibited practices, 15 million or 3% for non-compliant high-risk systems, and 7.5 million or 1% for supplying incorrect information.
Address four audiences separately: the CFO with cost models, the CEO with market access framing, the board with risk exposure, and engineering leadership with tooling and FTE requirements.
Three strategies reduce costs: automating manual tasks through governance pipelines, sharing infrastructure across systems, and standardising AISDP preparation processes.
A phased approach over eighteen to twenty-four months starts with the highest-risk system, building infrastructure and templates that reduce costs for subsequent phases.
Staffing remains the dominant cost category at steady state, though external advisory costs drop significantly once in-house expertise is established. Tooling and infrastructure costs remain relatively stable because these represent subscription and maintenance fees for compliance platforms and evidence storage. Staffing and FTE Requirements details the role-by-role staffing model that drives these estimates.
For a medium-sized organisation with 500 million euros in annual turnover, a single Article 99(3) fine at 3% would reach 15 million euros. That figure is more than ten times the annual ongoing compliance cost for ten systems. The compliance programme functions, in financial terms, as an insurance premium whose expected return is substantial. Enforcement and Market Surveillance covers the enforcement mechanisms in detail.
Engineering leadership needs the tooling and infrastructure investment breakdown, the FTE allocation model, and the implementation timeline. The compliance infrastructure, once built, serves every system in the portfolio and generates compliance evidence as a byproduct of normal engineering workflows. The marginal compliance cost per system decreases as the infrastructure matures.