
The Real Cost of AI Act Readiness — And What You Can Do for Free
I saw the €193k number and almost closed my laptop.
My co-founder had just sent me an article about AI Act readiness costs. Initial setup: €193,000 to €330,000. Annual maintenance: €71,400. We're a 45-person SaaS company. We use chatbots for customer support and some light automation. That's it.
Six figures to stay legal? We'd been planning to hire two engineers this quarter. Now we were staring at a choice between readiness and growth.
Then I actually read the study.
Here's What Nobody Tells You
That €193k-330k figure? It's for high-risk AI systems only. We're talking AI that makes consequential decisions about people — hiring algorithms, medical diagnosis tools, credit scoring systems, biometric identification.
Most SMEs don't build high-risk systems. Most of us use chatbots, generate marketing content, automate workflows, maybe do some basic personalization. That's limited-risk or minimal-risk territory.
And the obligations — along with the costs — are completely different.
What Costs What: The Actual Breakdown
Here's the table I wish someone had shown me on day one:
| Risk Level | What It Includes | Key Obligations | Realistic Cost Range |
|------------|------------------|-----------------|----------------------|
| Prohibited | Social scoring, real-time biometric ID in public spaces, manipulative AI | Stop using it immediately | €0 (just stop) |
| High-Risk | AI making important decisions about people (hiring, credit, medical, law enforcement) | Full readiness check, approved assessor, ongoing monitoring, detailed documentation | €50k-330k initial + €30k-70k/year |
| Limited-Risk | Chatbots, AI-generated content, deepfakes, emotion recognition | Transparency disclosures, clear labeling, user notification | €0-5k (mostly internal work) |
| Minimal-Risk | Spam filters, inventory management, AI-powered search, recommendation engines | No specific obligations beyond general law | €0 |
Look at that table. Really look at it.
If you're using Intercom's chatbot, you're limited-risk. If you're generating blog images with Midjourney, you're limited-risk. If you built a custom recommendation engine for your e-commerce site, you're minimal-risk.
The scary number doesn't apply to you.
What You Can Do for Free This Weekend
Here's what changed everything for me: realizing that I could get 80% ready with a spreadsheet and a Saturday morning.
No consultants. No law firm retainers. Just structured thinking and documentation.
The Weekend Readiness Checklist
Hour 1: System Inventory
List every AI system your company uses or provides. Include:
- Customer-facing chatbots (website, support, sales)
- AI tools your team uses internally (writing assistants, image generators, automation)
- Any AI features in your product
- Marketing automation with AI components
Write down: What does it do? Who uses it? Did we build it or buy it?
That's it. You now have an AI system inventory. Most companies don't even have this.
Hour 2: Risk Classification
For each system, ask:
- Does it make consequential decisions about people? (Hiring, firing, credit, benefits, law enforcement, education access, essential services)
- Or does it just... help with tasks?
If it's not making life-changing decisions about individuals, it's probably not high-risk. Write down your reasoning.
You've just done basic risk classification. Consultants charge thousands for this.
Hour 3: Transparency Check
Do users know they're interacting with AI?
- Is your chatbot labeled clearly? ("You're chatting with our AI assistant")
- Is AI-generated content marked? (Images, videos, text)
- Do you disclose when content is synthetic or created by AI?
If no, draft the disclosure language now. You'll need it by August 2, 2026 anyway.
Hour 4: Document Everything
Create a simple document:
- Date you did this review
- Who was involved
- Your system inventory
- Your risk classification logic
- Your disclosure plan
- Next review date (put it in the calendar for 6 months from now)
This is your readiness documentation. It proves good-faith effort. It shows you're not ignoring the AI Act — you're actively working on it.
Total cost: One Saturday morning. Maybe €0 if you already have coffee at home.
What's Cheap (€0-5k)
Once you've done the free stuff, here's what you can handle without breaking the bank:
Transparency implementation (€0-1k)
Adding chatbot disclosures to your website. Updating your AI-generated content with proper labels. This is dev time, not consultant fees. Most companies can do this internally.
Basic templates and tools (€0-500)
Readiness checklists, disclosure templates, risk classification frameworks. (Shameless plug: Act-Ready provides these. But honestly, you could build your own with a weekend of research.)
One-time consulting session (€1k-5k)
A single session with someone who actually understands the AI Act. Not a retainer. Not a six-month engagement. Just: "Review my risk classification, tell me if I'm missing anything obvious, answer my top 10 questions."
For most SMEs using off-the-shelf AI tools, this is the entire bill.
What's Genuinely Expensive (€50k+)
Let's be honest about when costs actually get serious:
Full readiness check for high-risk systems (€50k-150k)
If you're building or deploying high-risk AI — the kind that makes consequential decisions about people — you need an external readiness check by an approved assessor. This isn't optional. And it's not cheap.
It includes:
- Detailed technical documentation review
- Risk management system assessment
- Data governance evaluation
- Human oversight measures verification
- Bias testing and validation
This is specialized, time-intensive work. The price reflects that.
Ongoing monitoring infrastructure (€30k-70k/year)
High-risk systems need continuous monitoring after launch. Performance tracking, incident logging, bias detection, regular audits. You're essentially running a readiness operations function.
Major system modifications
If you need to rebuild parts of your AI system to meet readiness requirements (better logging, explainability features, bias mitigation), engineering costs add up fast.
When you need this:
- You're deploying AI that screens job candidates
- You're building AI that influences credit decisions
- You're using AI for medical diagnosis or treatment recommendations
- You're deploying biometric systems
- You're building AI for law enforcement or critical infrastructure
If that's not you, these costs don't apply.
The Philosophy That Changed How We Think About This
Here's what finally killed my panic: Act-Ready's approach to readiness.
We don't sell the fantasy that every company needs a full enterprise readiness program. Most don't.
Our philosophy:
- DIY the simple stuff (inventory, transparency, basic risk classification)
- Use tools and templates for the standardizable middle layer (documentation, disclosure language, checklists)
- Get expert help only where legally required (readiness checks for high-risk systems, complex edge cases)
It's like doing your taxes. You can handle a simple return yourself. You use TurboTax for moderate complexity. You hire a CPA when you're dealing with international assets and business entities.
Same logic applies here.
The Mindset Shift That Matters Most
The most expensive mistake isn't spending too much on readiness.
It's doing nothing because you think you can't afford to do anything.
Here's the reality: the EU AI Act has teeth, but enforcement will be practical. Regulators can tell the difference between "didn't try" and "tried imperfectly with good faith."
They're looking for:
- Prohibited AI systems still in use (social scoring, manipulative AI, real-time biometric surveillance)
- High-risk systems with zero readiness efforts
- Companies that received warnings and ignored them
They're not hunting for:
- Companies that documented their systems and made honest risk classifications
- Chatbot disclosure language that's 90% right instead of 100% perfect
- SMEs actively working on readiness with limited resources
Document your good-faith effort. That's the insurance policy.
Start with the free weekend checklist. Add transparency disclosures before August 2, 2026. Review and improve every six months.
If you're limited-risk or minimal-risk — which most SMEs are — that might be the entire program.
If you discover you're actually high-risk, then yes, budget for the expensive stuff. But at least you'll know. And you'll have six months of documented readiness work to show regulators you're taking this seriously.
What to Do Right Now
You can't afford to ignore the AI Act. But you can definitely afford to start.
This weekend: Download the Weekend Readiness Checklist. Spend four hours doing the inventory, risk classification, and transparency review. Document it.
This month: Implement chatbot disclosures if you have them. Add labels to AI-generated content. Review your draft with your team or a legal advisor.
This quarter: If you identified high-risk systems, start budgeting for external readiness checks. If you didn't, celebrate — you just saved €200k.
The scary number doesn't apply to most of us. But the August 2, 2026 deadline applies to everyone.
Start free. Start now. Start with what you can control.
Download the Weekend Readiness Checklist → [Link to Act-Ready resource]
This document supports readiness preparation. It does not constitute legal advice.