Is my AI high-risk under Annex III?

AI is high-risk under Annex III if it relates to decisions in 8 areas: employment, credit/essential services, education, healthcare, biometric ID, critical infrastructure, law enforcement, migration/justice. Full decision tree at eucomplyhub.com/blog-annex-iii-decision-tree.html

What's the EU AI Act deadline?

Two timelines: (1) GPAI obligations Article 53 + Article 5 prohibitions + Article 50 transparency = enforcement Aug 2, 2026 (still 86 days). (2) Annex III standalone high-risk AI = enforcement postponed to Dec 2, 2027 per May 2026 EU Council/Parliament Digital Omnibus agreement (subject to formal adoption). Article 99 penalty: €15M or 3% global turnover unchanged.

How is this different from Vanta?

Vanta (€9-45K/yr) targets SOC 2/GDPR/ISO 27001. EU AI Act is an add-on. eucomplyhub.com is EU AI Act-specific (Annex III + Article 11/14/50/72/99) for €799 one-time. Complementary, NOT replacement.

Is this legal advice?

NO. The audit is informational. Each report includes a mandatory legal disclaimer + recommendation 'final review by qualified EU AI Act counsel' before final compliance decisions. Provider is NOT a lawyer.

Can I get a refund if not satisfied?

Yes. 30-day money-back guarantee, no questions asked. Full refund via bank transfer or Stripe.

Who does independent EU AI Act audits for mid-market SaaS deployers?

eucomplyhub provides independent, fixed-fee EU AI Act + ISO 42001 + NIST AI RMF audits for mid-market SaaS deployers. The Audit-in-a-Box is a 7-day audit producing a signed evidence pack with a SHA-256 integrity hash, from EUR 3,997 founding rate / EUR 5,997 standard. Evidence-of-enforcement methodology, not documentation-of-intent. See eucomplyhub.com/audit-in-a-box.

Do I need an EU AI Act audit if I only deploy third-party AI like OpenAI or Claude?

Yes. Using third-party AI makes you a deployer under the EU AI Act, with Article 26 obligations (human oversight, log retention, monitoring) that apply regardless of whether the AI provider completed its own conformity assessment. eucomplyhub audits deployer-side obligations specifically, for companies that use AI rather than build it.

What does Article 26 deployer compliance require?

Article 26 requires deployers of high-risk AI to use the system per the provider's instructions, assign competent human oversight (Article 14), retain automatically generated logs (Article 12, at least six months), monitor operation, and inform the provider and authorities of risks or serious incidents. eucomplyhub audits each obligation against actual evidence, not just whether a policy exists.

How much does an EU AI Act audit cost for a mid-market SaaS company?

eucomplyhub's Audit-in-a-Box is fixed-fee from EUR 3,997 (founding rate, first 10 customers) / EUR 5,997 standard for a single AI system, with a 7-day turnaround. A six-tier ladder runs from a EUR 1,499 Quick Audit to a EUR 59,999 Cert Readiness Engagement. See eucomplyhub.com/pricing.

AUG 2, 2026 · ARTICLE 50 ENFORCEMENT · 73 DAYS

EU AI Act compliance — before your customer asks.|

Your EU customer's procurement team will ask for AI Act conformity proof in Q3 2026 — and you'll have 30 days to fabricate evidence that should have been generated all along.

Audit-in-a-Box™ — 7-day fixed-price audit. €3,997 founding rate. Triple-framework methodology (EU AI Act + ISO 42001 + NIST + Colorado). Now live · founding cohort open.

Evidence-of-enforcement, NOT documentation-of-intent. Signed PDF deliverable · Senior specialist throughout · 30-day support

Reserve founding slot — €3,997 → See sample audit

11-page audit report (legal-ready)
Triple-framework crosswalk

audit_report.pdf · 5 systems

Sample classification output

resume_screener.ai HIGH RISK

support_chatbot LIMITED

ats_resume_screen HIGH RISK

marketing_personalize MINIMAL

spam_filter MINIMAL

// PEER ARCHITECT VALIDATION

Co-developed with the people
building the enforcement layer.

The definitive wake-up call for the mid-market. This piece completely strips away the protective layer of paperwork that founders have been hiding behind ahead of August 2. An audit interview isn't a vocabulary test — it's an infrastructure inspection. If you cannot point to the exact runtime coordinates where your Article 14 oversight or Article 50 transparency thresholds are actively enforced, the policy document is just a liability anchor.

— Naimat ullah, Principal Architect, Velos Systems · 21.05.2026

🔧 OSS contribution

NIS2 ↔ EU AI Act crosswalk merged into fabriziosalmi/nis2-public

PR #108 · merged 21.05.2026

📰 Published methodology

Substack #3 "Compliance Theater Meets August 2" — Article 14/50/12/26 cluster

eucomplyhub.substack.com

🏛️ Peer cluster

Layer-1 boundary spec architect alongside DecisionSpace, NOUS, Astra, DeepSecure

7-architect mid-market AI governance

// 5 REGULATIONS · 1 PLATFORM

All EU compliance vectors in one place

Each regulation = separate audit + roadmap. Bundle = save. Mid-market focus, fixed-fee transparency.

AI ACT GPAI 02.08.2026 · Annex III 02.12.2027

AI Act audit

Annex III high-risk classification + Art. 11/14/50/72/99 compliance roadmap. SaaS focus.

€399 founding · €799 standard

EAA LIVE 28.06.2025

EAA accessibility

European Accessibility Act audit for web/app — WCAG 2.1 AA + EN 301 549 compliance.

€299 founding · €599 standard

KSEF ROLLING 2026

KSeF e-invoice

Polish e-faktura compliance audit — FA(2)/FA(3) XML + KSeF 2.0 API integration check.

€199 founding · €399 standard

DORA LIVE 17.01.2025

DORA financial

Digital Operational Resilience — ICT risk + third-party register + TLPT (when applicable).

€499 founding · €999 standard

NIS2 TRANSPOSED

NIS2 cybersecurity

Network & Information Security audit — essential/important entity classification + risk mgmt.

€399 founding · €799 standard

BUNDLE SAVE €200-€400

EU SaaS Bundle

AI Act + EAA + 5 PILLARS framework. Best for SaaS founders preparing for AI Act dual timeline (GPAI 02.08.2026 / Annex III 02.12.2027).

€799 founding · €1,499 standard

→ 5 regulations enforcement 2024-2026. Choose audit or bundle for full coverage.

// THE PROBLEM

5 enforcement waves. Same SMB pain.

of EU SMBs haven't started compliance
(multiple compliance surveys 2025-2026)

€15M

Maximum penalty for high-risk
(or 3% global turnover)

Annex III high-risk areas
(HR, credit, education, healthcare...)

€9-45K

Vanta enterprise pricing
out of reach for SMBs

EU compliance landscape 2024-2026 is 5 independent waves. Each requires a separate audit + roadmap. Most SMBs don't know:

Which regulations apply? AI Act (if you use AI), EAA (if web/app B2C), KSeF (Polish e-invoice), DORA (financial entities), NIS2 (essential/important sectors).
What exactly to do? Annex III classification, accessibility audit, e-invoice migration, ICT risk register, NIS2 incident reporting.
How much does it cost? DIY €5-15K per regulation. Big4 audits €15-50K. Vanta-tier €9-45K/yr without EU specificity.
What are the penalties? AI Act €15M / 3%, EAA €5K-€3M (per country), DORA 2% turnover, NIS2 €10M / 2%.
How to manage all of them? Most firms: separate auditors, separate PDFs, no coherent roadmap.

Most SMB needs 3-4 of 5 regulations. Single audit = expensive. Bundle = realistic for mid-market.

→ Audit per regulation in 4h. Bundle saves €200-€400.

// 5 PILLARS

5 pillars of enforceable governance

Most AI Act guidance defaults to enterprise frameworks (NIST AI RMF, ISO 42001 full deployment). That's the wrong altitude for a 50-person SaaS team facing dual timeline (GPAI 02.08.2026 / Annex III 02.12.2027).

Mid-market governance instead requires smaller deterministic control layers around critical execution points:

Constrain execution. Runtime rules that block non-compliant outputs before they ship to users.
Escalate uncertainty. Confidence thresholds that surface edge cases for human review (Article 14 transparency).
Preserve authority boundaries. Role-based access (engineer / policy / customer) so nobody overrides what they shouldn't.
Evidence tied to runtime behavior. Logs of what actually happened, not what was supposed to happen (Article 12 logging).
Traceable intervention paths. Every override, exception, manual decision — documented and reproducible.

Documentation-of-intent vs evidence-of-enforcement. Having an AI policy ≠ having an enforced AI policy. A system may have extensive documentation and still fail governance integrity when execution behavior remains unconstrained under drift, ambiguity, or due-diligence pressure.

→ This audit identifies which pillars your current AI systems satisfy — and which become deal-killers in due diligence.

// QUICK CHECK

Is your AI high-risk? Check in 30 seconds.

3 questions, instant result. No email capture. No sales pitch.

Question 1 of 3

1. Does your AI use BANNED practices?

Social scoring by gov · real-time biometric ID in public spaces · emotion recognition in the workplace · predictive policing · facial scraping · subliminal manipulation

2. Does your AI make decisions in any of the 8 Annex III areas?

Employment (HR/recruitment) · credit scoring · education (admission/grading) · biometrics · critical infrastructure · law enforcement · migration · justice · healthcare

3. Does the end user interact with the AI?

Chatbot · AI-generated content · deepfakes · emotion recognition (informational) · biometric categorization (non-prohibited)

Full audit €799 →

⚠️ This quiz is a simplified guide. Full classification requires manual review per system. The full €799 audit gives you precise classification of every AI system with documentation.

// WHAT YOU GET

Full sample audit — fictional Acme HR-Tech

Don't take my word for it. See exactly what you get in 5-7 days. Sample report: Acme HR-Tech GmbH (fictional German HR-tech, 35 emp), 3 AI systems, 11-page PDF.

EXECUTIVE SUMMARY

8 findings · €15M penalty exposure

1 Critical 2 High 3 Medium 2 Low

Headline risk: CV ranker without human-in-loop on rejections (Art. 14 violation)

ANNEX III CLASSIFICATION

3 AI systems → 2 high-risk + 1 limited

CV Ranker — Annex III #4 employment HIGH

Interview Summarizer — Annex III #4 worker eval HIGH

Marketing Chatbot — Art. 50 transparency LIMITED

REMEDIATION ROADMAP

Critical → High → Medium, anchored Aug 2, 2026

Wk 1-2 Human review process for CV rejections (Art. 14)

Wk 3-4 Candidate transparency disclosure (Art. 13)

Mo 2-3 Annex IV technical documentation (Art. 11)

Mo 3+ Post-market monitoring system (Art. 72)

View full sample audit (11-page PDF) →

Opens in new tab. Cmd-P (Mac) / Ctrl-P (Win) → Save as PDF.

// TIMELINE

EU AI Act — rollout calendar

Most companies think the deadline is "sometime in 2026". In reality, penalties can already be issued (prohibitions live since Feb 2, 2025).

Feb 2, 2025

Prohibitions live

Banned AI practices enforceable. €35M / 7% turnover.

Aug 2, 2025

Governance + GPAI

EU AI Office operational. General-purpose AI obligations applicable (GPT-4, Claude, Gemini).

May 13, 2026

Digital Omnibus trilogue

EU decision — push the high-risk deadline? Apr 28, 2026 trilogue = FAIL without agreement.

Aug 2, 2026

High-risk obligations

Annex III enforcement. €15M / 3% turnover. 3 months from today.

Dec 2, 2027

Possible deferral target

If Digital Omnibus passes — high-risk deadline pushed by 16 months.

// WHAT'S ON THE MARKET

Why €799?

The compliance market is bipolar: enterprise (Vanta-tier, €9-45K/yr) or DIY (€9,500+ of your time). The SMB layer is missing. My Pricora stack is reusable + Claude automation = low my cost = low your price.

Vanta / Drata

Enterprise

€9,000-45,000 / year
Setup: 4-12 weeks
SOC 2 / ISO / GDPR — primary focus
EU AI Act: add-on, not core
Sales call required before purchase
For mid-market 100+ emp with compliance team
Annual contract

eucomplyhub.com

SMB · self-serve

€799 one-time (founding rate)
Setup: 5-7 days
EU AI Act specifically (Annex III + Art. 50/99)
PDF report + Loom video walkthrough (5-10 min)
Self-serve: buy, audit starts Day 1
For SMB SaaS 10-150 emp without compliance team
30-day money-back guarantee

DIY self-assessment

In-house

€9,500-14,500 of your time
Setup: 4-6 weeks
Reading regulations + research
Annex IV documentation = 30+ categories per system
No external validation
Plus €5-9k legal review at the end
Risk: missing key Articles

Cold honest: if you have a compliance team and €10k+/yr budget — Vanta is better. If you have 100+h free per week and like reading regulations — DIY works. eucomplyhub.com is for SMB SaaS founders who have neither.

// FOR US-BASED SaaS

Building a US SaaS with EU customers? You're already in scope.

If your AI product is sold, licensed, or made available to EU users — the EU AI Act applies. No EU office required. No EU subsidiary. Just EU customers using your AI features.

Aug 2, 2026

GPAI Article 53 + Article 5 prohibitions + Article 50 transparency. ~86 days. Annex III standalone postponed to Dec 2, 2027.

€15M / 3%

Article 99 penalty cap for high-risk AI violations. Article 101 GPAI: €15M / 3%.

+ GDPR

Both frameworks must be addressed. AI Act compliance ≠ GDPR compliance. Schrems II TIA still required.

// THE REAL RISK FOR US SaaS

It's not the €15M penalty. It's your EU customer's procurement team asking for AI Act conformity proof in Q3 2026 — and you having 30 days to fabricate evidence that should have been generated all along.

Mid-market US SaaS Series B-D with EU revenue >€10M = highest exposure. Enterprise legal teams will require conformity assessments before contract renewal.

Read the full US SaaS guide → Book a readiness audit

USD billing available on request. Same audit, same deliverables, billed via Stripe in your local currency.

// PRICING

Packages

30-day money-back guarantee — no questions asked. All tiers include a legal disclaimer + sources.

🚀 FLAGSHIP · NOW LIVE

Audit-in-a-Box™

€3,997 one-time

Founding · founding cohort open · standard €5,997

7-day fixed-price audit · senior specialist throughout
Triple-framework (EU AI Act + ISO 42001 + NIST + Colorado)
Article 6 + 50 + 14 + 26 + 10 + 15 coverage
Signed PDF (cryptographic chain)
30/60/90 day remediation roadmap
30-day email Q&A support
Co-validated with Velos Systems Layer-4 architecture

Reserve founding slot →

EU SaaS Bundle

€799 one-time

Founding · standard €1,499

AI Act quick audit (Annex III + Art. 11/14)
EAA accessibility audit
5 PILLARS framework apply
Combined PDF + Loom walkthrough
SAVE €200 vs single audits
2 weeks email support
30-day money-back

Buy Bundle €799 →

Single Regulation Audit

€199-499 one-time

Per regulation · founding pricing

KSeF €199 / EAA €299 / AI Act quick €399
NIS2 €399 / DORA €499
4h audit per regulation
Severity ranking + roadmap
PDF report (legal-ready)
30-day money-back

Choose reg →

Polish SMB

€599 one-time

Founding · standard €1,199

KSeF e-invoice audit
EAA accessibility check
GDPR review (legacy)
Combined PDF
SAVE €100 vs single audits
30-day money-back

Buy €599 →

Financial SMB

€899 one-time

Founding · standard €1,799

DORA full audit
NIS2 cybersecurity
AI Act quick (if AI in stack)
Combined PDF
SAVE €400 vs single audits
30-day money-back

Buy €899 →

Pricing philosophy: Big4 EU AI Act audits start at €60-80K (6-12 weeks, junior associate handoff). Vanta = $50K/yr subscription, no human audit. Audit-in-a-Box™ at €3,997 (founding) is 15-25× cheaper than Big4 because senior specialization compounds + triple-framework crosswalk satisfies 4 regulators in one engagement. Boutique depth, fixed-fee transparency.

// HOW IT WORKS

From purchase to PDF in 5 days

Async delivery. No sales calls, no setup overhead. Your time = 30 minutes (form + walkthrough).

You buy the audit

Pick a package, pay via Stripe. Fill out a short form about your company and AI stack.

I run the audit

4 hours of work: Claude skill ai-act-audit + manual review. Annex III classification, gap analysis, roadmap.

You get the PDF + call

Ready in 3-5 days. Severity ranking + fix recommendations + sources. Plus Loom video walkthrough.

Optional upgrade

High-risk → upgrade to Quick-Fix or Monitoring. Minimal/limited → relax.

// WHO BUILDS THIS

Who I am

Piotr Reder — solo founder, Malaga.

Just made it through the regulatory gauntlet with LocalBite (Apple DSA + EAA + Spanish autónomo). Built Pricora SaaS for Polish accountants from zero to live in 2 weeks.

15+ years in offshore industry, Anthropic Claude expertise, EU regulatory research (PL + EN markets).

WHAT I'M NOT

I'm not a lawyer

I don't provide legal services
I don't issue legal opinions
I don't represent clients before regulators
I don't promise "100% compliant" status
I don't eliminate penalty risk

WHAT I DO

I'm an auditor

I classify AI systems per Annex III
I deliver severity ranking + roadmap
I identify compliance gaps and fix costs
I'm actively looking for qualified EU AI Act counsel as legal partner
Each report includes mandatory disclaimer + recommendation for counsel review before final compliance decisions

Radical honesty: if someone is selling you "100% AI Act compliance" for €799 — they're lying. Compliance is a process, not a product. The €799 audit buys you clarity (classification + severity + roadmap), not insurance. Final legal sign-off always requires a lawyer.

// LEGAL

Legal Disclaimer

This audit is informational and does not replace legal advice. A final compliance determination requires review by qualified EU AI Act counsel.

Penalties under Article 99 EU AI Act:

€35M / 7% turnover (unacceptable risk)
€15M / 3% turnover (high-risk)
€7.5M / 1% turnover (incorrect information)

Sources (Q2 2026):

EU AI Act compliance — before your customer asks.|

Sample classification output

Co-developed with the peoplebuilding the enforcement layer.

All EU compliance vectors in one place

AI Act audit

EAA accessibility

KSeF e-invoice

DORA financial

NIS2 cybersecurity

EU SaaS Bundle

5 enforcement waves. Same SMB pain.

5 pillars of enforceable governance

Is your AI high-risk? Check in 30 seconds.

1. Does your AI use BANNED practices?

2. Does your AI make decisions in any of the 8 Annex III areas?

3. Does the end user interact with the AI?

Full sample audit — fictional Acme HR-Tech

EU AI Act — rollout calendar

Why €799?

Building a US SaaS with EU customers? You're already in scope.

Packages

Audit-in-a-Box™

EU SaaS Bundle

Single Regulation Audit

Polish SMB

Financial SMB

From purchase to PDF in 5 days

You buy the audit

I run the audit

You get the PDF + call

Optional upgrade

Who I am

I'm not a lawyer

I'm an auditor

Legal Disclaimer

Co-developed with the people
building the enforcement layer.