Service

EU AI Act readiness and gap assessment

Most companies start with a readiness assessment: we classify your system, tell you which obligations actually apply, and show you where you fall short, as a clear starting point before committing to full compliance work. Larger gap assessments and documentation are scoped from there. Independent throughout, and built so your legal counsel can act on it.

Step 1: Risk classification

The Act sorts systems into prohibited, high-risk, limited-risk, and minimal-risk tiers, and treats general-purpose AI models separately. Your obligations depend entirely on where you land. We classify your system and intended purpose so you are not over-building for minimal-risk or, worse, missing high-risk duties.

Step 2: Gap assessment

For high-risk systems we assess against the Act's core requirements:

• · Risk-management system across the lifecycle
• · Data and data-governance quality for training, validation, and testing
• · Technical documentation and automatic record-keeping (logging)
• · Transparency and instructions for deployers
• · Human oversight by design
• · Accuracy, robustness, and cybersecurity

If you provide a general-purpose AI model, we assess the separate GPAI obligations, including model documentation, copyright policy, and training-data transparency.

Step 3: What you receive

• 1. A risk-classification memo stating your tier and which obligations apply.
• 2. A gap report scoring you against each applicable requirement, in plain English.
• 3. A prioritised remediation roadmap, with the technical documentation the Act requires.
• 4. Coordination with an accredited notified body where your category legally requires third-party conformity assessment.

The data we need

A description of the system and its intended purpose, an overview of training and evaluation data, and any documentation you already have. We rarely need raw datasets. Everything is transferred securely, used only for the assessment, and retained no longer than necessary.