Christof Jori

7 min read · 26 May 2026

Real EU AI Act Compliance Cost for a 5-Person Startup (€30 to €80k Breakdown)

Concrete numbers for a 5-person startup deploying an AI system in the EU: a limited-risk chatbot or RAG assistant lands around €15k to €30k in first-year compliance cost. A high-risk system (hiring, credit scoring, education scoring, critical infrastructure) lands at €50k to €80k+ with a third-party conformity assessment. Minimal-risk systems (spam filters, recommenders) carry near-zero direct compliance cost. Prohibited systems should not exist. Full line-item budget below.

I am writing this from the engineering side. We have done the technical documentation and risk-management workstreams for clients who needed to ship AI features into the EU. Numbers below are ranges from Wavect's engagement history plus published auditor fee schedules. Talk to a lawyer for legal certainty. Talk to me for the implementation reality.

What does the EU AI Act actually classify your system as?

Before any number makes sense, classify your system. The Act defines four tiers:

  • Prohibited. Social scoring, real-time biometric ID in public, manipulative dark-pattern AI, emotion recognition at work or school. Cost of compliance: do not build it.
  • High-risk. Annex III list: hiring decisions, credit scoring, education scoring, law enforcement, critical infrastructure, medical devices, biometrics. Full conformity regime applies.
  • Limited-risk. Chatbots, generative content, emotion or biometric categorization where allowed. Transparency obligations, lighter documentation.
  • Minimal-risk. Spam filters, recommendation engines for media, basic ML in games. No specific obligations beyond GDPR.

Most early-stage SaaS startups land in limited-risk or minimal-risk. The big cost jump happens at high-risk.

How much does EU AI Act compliance cost line-by-line?

Budget table for a 5-person startup. Limited-risk column assumes a customer-facing chatbot or RAG product. High-risk column assumes a hiring or credit-scoring system requiring third-party conformity assessment.

| Line item | Limited-risk (EUR) | High-risk (EUR) |
|---|---|---|
| Initial legal review and risk classification | 3,000 to 6,000 | 6,000 to 12,000 |
| Technical documentation (Annex IV) | 4,000 to 8,000 | 10,000 to 18,000 |
| Data governance and dataset documentation | 2,000 to 5,000 | 8,000 to 15,000 |
| Risk management system setup | 1,500 to 3,000 | 5,000 to 10,000 |
| Conformity assessment (third-party where required) | n/a (self-declaration) | 8,000 to 20,000 |
| Post-market monitoring tooling and process | 2,000 to 4,000 | 5,000 to 10,000 |
| Internal training and SOP rollout | 1,500 to 3,000 | 3,000 to 6,000 |
| Transparency and user-facing labelling | 1,000 to 2,000 | 1,500 to 3,000 |
| First-year total | 15,000 to 31,000 | 46,500 to 94,000 |

What does the legal review actually deliver?

A lawyer specializing in EU tech law writes a memo classifying your system under the Act, mapping the obligations, and flagging GDPR overlaps. Expect 8 to 20 hours of senior lawyer time at €300 to €600/hour in DACH. Cheap lawyers will quote €1,500 and produce a templated document that does not survive an enforcement query. Pay for the senior.

What goes into the technical documentation?

Annex IV of the Act lists 9 categories of required documentation: general description, design specifications, monitoring and control, validation and testing, post-market monitoring plan, and so on. We typically produce this as a versioned document in the client repo, kept in sync with the codebase. The first version takes 40 to 80 engineering hours plus 10 to 20 hours of senior review. Maintenance after that is roughly 4 to 8 hours per release.

What does data governance actually require?

For high-risk systems the Act demands datasets that are relevant, representative, free of errors, and complete. In practice this means: documented data sources, documented preprocessing, documented quality checks, documented bias evaluation. We bake this into the SDLC using model cards and dataset cards, plus a quarterly bias audit on production data. The setup cost is in the table; the ongoing cost is engineering time we treat as part of the feature budget.

When do you need a third-party conformity assessment?

High-risk systems on Annex III where the provider cannot use a harmonized standard fully, or where the Act explicitly requires a notified body. Conformity assessment fees from notified bodies in DACH range widely. We have seen quotes from €8,000 for a tightly scoped system to €25,000 or more for complex ones. Plan 8 to 14 weeks of calendar time for the assessment, not 2.

Christof Jori

"Compliance is architecture, not paperwork. Build it into the SDLC and the audit becomes a sign-off."

What about post-market monitoring?

The Act requires ongoing monitoring of system performance and incident reporting. For most startups this means: logging structured model inputs and outputs with privacy controls, an alerting pipeline for drift and anomalies, a documented incident-response process, and a serious-incident notification path to the national authority. We typically wire this through the same observability stack the team already uses (Sentry, Grafana, Datadog) plus a small custom layer. The one-time setup cost is as in the table; the ongoing cost is operational.

What does internal training cover?

Everyone who designs, builds, or operates the AI system needs to understand its obligations and limits. For a 5-person team we usually run a half-day workshop plus a 10- to 20-page handbook tailored to the product, then refresh annually. Cheap, high-leverage. Skip it and the first regulator query exposes the gap.

What is the ongoing annual cost after year one?

Roughly 30 to 50 percent of the first-year cost recurs annually. So a limited-risk system runs €5k to €15k per year ongoing, a high-risk system €15k to €35k per year. Add reassessment fees if you make substantial changes to the system, a term that is broadly defined and tends to apply more often than founders expect.

What if you build with AI agents or RAG?

The classification still depends on the use case, not the architecture. A RAG assistant for internal knowledge search is usually minimal or limited-risk. A multi-step AI agent that takes actions on behalf of users (booking, purchasing, sending communications) needs to be classified by what those actions affect. An agent triggering hiring decisions is high-risk regardless of how cleverly the prompt is written. We discuss this with every client during scoping under our AI service.

Final thoughts

If you are limited-risk, the floor is closer to €15k and the ceiling around €30k. If you are high-risk, you will spend €50k to €80k in year one and you should budget for it before you raise. The single biggest cost driver is whether you need a third-party conformity assessment, which adds €8k to €20k in fees plus 8 to 14 weeks of calendar time.

The trap most founders fall into is treating compliance as a Q4 paperwork exercise. By Q4 your architecture choices have already locked in your compliance cost. Treat it as architecture from day one and you spend roughly half what a retroactive remediation costs.
