Your AI works. Your documentation doesn't — not in the form regulators now require. We fix that, in 10 to 22 working days.
Request a free Gap Report →| Date | What's enforceable | Penalty | Who it affects | Articles |
|---|---|---|---|---|
|
In Force
Active (Feb 2025) + August 2nd, 2026 |
Prohibited AI practices banned outright. AI literacy obligations require staff working with AI to be competent in its use. Transparency obligations from August 2nd, 2026: chatbots must identify as AI, emotion recognition must notify users, AI-generated content must be labelled. | Up to €35M or 7% of global turnover, per infringement Art. 5 — highest tier · €15M / 3% per infringement for Art. 50 | Any organisation deploying AI that interacts with people, classifies or monitors individuals, or generates synthetic content. Sector-neutral. | Art. 4 Art. 5 Art. 50 |
| Upcoming December 2nd, 2027* | Full enforcement of high-risk AI obligations — conformity assessments, risk management systems, technical documentation, human oversight mechanisms, and EU database registration. | Up to €15M or 3% of global annual turnover, per infringement | Staffing agencies and employers using AI in CV screening, shortlisting, task allocation, performance scoring, or contract decisions (Annex III, point 4). Financial services carry parallel exposure under DORA and EBA AI guidelines. Education platforms and essential service providers also in scope. | Annex III Art. 9 Art. 11 Art. 13 Art. 14 Art. 26 |
* Reflects the AI Omnibus political agreement of 7 May 2026, pending Official Journal publication. August 2026 obligations are confirmed and unaffected.
You likely already have human review, data governance, and technical descriptions of your systems. What's usually missing is a single, coherent record of those facts in the form regulators now expect. That's the gap we close — not in your operations, but in your paper trail.
When we're done, you'll have one file per system: classification, risk register, oversight design, and transparency obligations — plus a prioritised action plan your team can execute independently. Where the same documentation covers GDPR, the Platform Work Directive, DORA, or Dutch labour law, we build it once and map it across.
Start with what we can see. Go deeper if you need to.
We give you a quick overview of what's publicly available about your AI systems.
If the snapshot raises questions, we can go further. You share some structured details about your systems, we combine that with our research, and you get a full readiness report — a real picture before deciding next steps.
Over 10 to 22 business days, depending on scope, we work alongside your team to build the documentation your regulators expect. By the end, you'll have everything you need.
A one-page snapshot of where you stand, compiled from publicly available information about your operations. It identifies the AI systems we can find, where they sit in the regulation, and your theoretical penalty exposure.
Delivered as a PDF within 48 hours of your request. No call required, no follow-up obligation. If the gap is not material, we move on — and so do you.
Request your Free Gap Report →For organisations that want more than a public-data snapshot. You answer a structured questionnaire about your AI systems; we combine your inputs with our sector knowledge and produce a detailed, multi-page readiness report.
Delivered within 48 hours of submission. The €3,000 fee credits toward a full engagement if you proceed within 30 days.
Order Expanded Gap Report →One team, one regulatory category. Hiring, customer service, or scheduling. Documentation, gap analysis, and a prioritised action plan across a defined set of systems.
AI across HR, operations, risk, and customer service — but no unified compliance picture yet. Cross-regime mapping included: one documentation set satisfies GDPR, labour law, and sector regulation.
AI woven across multiple divisions, vendors, and countries. Governance framework design, full cross-regime documentation, and a 90-day check-in included. One fixed-fee package.
Engagements start at €12,000. Scope is determined during your intake — not estimated from a table.
Maximum penalty per single infringement: up to 3% of worldwide annual turnover, or €15 million — whichever is higher. Multiple systems out of compliance compound.
It covers them. It doesn't cover you. The regulation draws a clear line between providers (Article 16) and deployers (Article 26). Your vendor's compliance satisfies their obligations — system design, technical documentation from the provider side, conformity marking. Your obligations as a deployer are separate: classification record, risk register, oversight design, transparency to affected persons, data governance decisions, logging, accuracy monitoring. These are about how your organisation uses the system, not about how the system was built. Your vendor can't document your oversight process, your training records, or your intervention logs — because those are yours, not theirs. The Gap Report identifies which obligations sit with you and which your vendor has already addressed.
Those frameworks do real work — and some of the evidence transfers. Your cybersecurity controls, your data governance processes, your model validation records are all relevant inputs. But they were built for a different regulatory question. ISO 27001 addresses information security management. Model risk frameworks (SR 11-7 style) address model validation and performance. Neither one addresses the AI Act's specific requirements: Annex III classification, Article 14 human oversight design with training records and intervention logs, Article 13 transparency to affected persons, or Article 9's fundamental-rights risk dimension. The gap isn't that your existing work is wrong — it's that the regulation asks questions your current frameworks weren't designed to answer.
Most organisations that say they have 3–4 AI systems discover they have 8–15 once someone looks systematically. The CV-screening tool is obvious. The chatbot is obvious. But the vendor-embedded scoring layer inside your ATS, the behavioural analytics in your workforce management platform, the GenAI pre-fill in your credit memo workflow — those tend not to surface until someone asks the right questions. Every Statement of Work includes a scope-band clause that handles exactly this. Additional systems identified during the engagement are documented and the scope adjusts cleanly — no surprise charges, no awkward conversations with anyone who approved the original budget.
Less than you'd expect. Your internal time commitment across a full engagement is roughly 15–20 hours total: the intake questionnaire takes about 2 hours, one round of stakeholder interviews (CIO, CDO, CRO, legal — about an hour each), half a day to review the draft and flag factual corrections. Everything else — the research, the classification analysis, the cross-regime mapping, the remediation roadmap, the board briefing pack — is on our side. We designed the engagement to be lightweight for your team precisely because we know compliance work competes with everything else on their calendar.
You get a file per system that a supervisor can read in under an hour — classification record, gap analysis against Articles 9–15, and a clear status for each requirement: documented, partial, or absent. You get a prioritised remediation roadmap organised by system, by Article, and by owner — so your team knows what to do next, in what order, and who's responsible. You get a cross-framework map showing where the same evidence satisfies GDPR, labour law, and sector regulation. And you get a board-level briefing pack — 5–7 slides your CRO or GC can present to the supervisory board without needing us in the room. The deliverable is designed to make the person who commissioned the engagement look like she saw this coming and acted before it became urgent. You own all of it. No retainer required.
The numbers that matter for a budget conversation: the EC's own impact assessment estimates €52,227 per high-risk system per year in ongoing compliance cost. CEPS research puts quality management system setup at €193,000–€330,000. The penalty ceiling under Article 99 is 3% of worldwide annual turnover or €15 million per infringement, whichever is higher — and multiple non-compliant systems compound. Our engagement cost is a fraction of the first infringement, and a fraction of what the same work costs at a Big Four firm. If you need a one-paragraph justification for a procurement email, the Gap Report gives you the specifics — your systems, your exposure, your tier classification — in a format your CFO can read in five minutes.
We work from public information and your structured inputs — not from sitting in your teams' meetings or second-guessing their decisions. The engagement produces documentation, not judgment. What your CIO built, what your HR director deployed, what your vendor manager procured — those were the right decisions at the time, and the regulation doesn't say otherwise. What the regulation says is that those decisions now need to be documented in a specific form. Most internal resistance dissolves once stakeholders see that the deliverable makes their existing work visible, not questionable. The file we produce is evidence of good governance, not a critique of past decisions.
Supervisors don't start with the model or the algorithm. They start with the file. Show me the classification record for this system. Show me the oversight design and the risk register. Show me a case where a human intervened. If the file exists, is structured, and answers their questions, the inquiry is straightforward. If it doesn't, the inquiry has effectively concluded before the second question. The documentation we produce is built around those exact questions — so your team has the file ready before anyone asks for it.
You own the file. The action plan is designed for your team to execute independently — each remediation item has an owner placeholder, an effort estimate, and a sequencing recommendation. The 90-day check-in is included in Tier 3 and available for Tiers 1–2. After that, the file is yours to maintain. No retainer, no subscription, no dependency. If the regulatory landscape shifts materially, we publish our analysis publicly. Acting on it is yours to resource. If you need us again, you know where we are.
Law firms give you a legal opinion. Large advisory practices give you a methodology. Neither was built around the intersection of AI system architecture and EU regulation — which is where the compliance gap actually lives. At Nevant, the person you brief is the person who does the work. No junior consultants learning on your project, no partner-on-pitch / associate-in-the-work pyramid. Every engagement is senior-only, scoped to a fixed fee, and technically grounded — so you know the cost before you commit and the work doesn't expand to fill the engagement.
No. And neither can anyone else. Any practitioner offering a compliance guarantee is overclaiming — no external advisor can warrant that their work will be accepted by a specific supervisory authority, because that authority hasn't published the acceptance criteria yet. What we guarantee is the quality and completeness of the documentation we produce, that it tracks published guidance from the European AI Office, the Dutch AP, the Rijksinspectie Digitale Infrastructuur, and the Belgian BIPT, and that it's structured to withstand the questions a supervisor will actually ask. The compliance decision remains yours. We give you the evidence base to make it from.
Classification under Annex III is more straightforward than it appears. The regulation identifies eight categories of high-risk systems, including AI used in employment and HR management, credit scoring, access to essential services, and law enforcement. If your AI system makes or substantially influences a decision in any of these domains, it likely qualifies. The complication is that many systems sit at category boundaries — a workforce scheduling tool may or may not trigger Article 6 depending on how decisions are made and who they affect. The Gap-analyse resolves this for your specific systems: we classify each one against Annex III, flag edge cases, and give you a documented rationale a regulator can read.
Yes — and in the Netherlands this is often the most pressing practical question. Deploying or materially changing an AI system that affects working conditions typically triggers a consultation obligation under the WOR (Works Council Act), specifically Articles 25 and 27. Works councils are entitled to a full picture of the system's decision logic, its impact on employees, and the oversight arrangements in place. The documentation we produce is built to answer precisely those questions: it covers the system's function, the data it uses, the rights affected, the human oversight design, and the accuracy monitoring in place. It is structured to support the adviesaanvraag directly — so your works council has the technical and legal depth it needs without requiring a separate legal opinion.
What's in a free Gap Report?
The EU AI Act enforcement date is approaching — with a proposed extension under the Digital Omnibus that may move it to December 2027. Whichever date binds, the documentation work is unchanged and the runway is shorter than the calendar suggests. The Free Gap Report tells you where you stand, in writing, before you spend a euro or take a meeting.
Request your free Gap Report →