You use AI day to day
ChatGPT, Copilot, Gemini, Claude, assistants built into your CRM, invoicing or customer support. Even if it's only for drafting, there are obligations around literacy, transparency and data control.
General application of the AI Act
2 August 2026
— days to go
Start with the Express Diagnosis (€350)
Who it applies to
If your company does any of these things, the AI Act applies to you.
The European AI Regulation has applied since 2 February 2025 (literacy and prohibited practices) and enters general application on 2 August 2026. Most obligations affect whoever uses AI in their professional activity, not only whoever develops it.
You have a customer-facing chatbot, assistant or AI
Website, WhatsApp, automated answering systems, assistants that recommend products. Article 50 requires you to tell customers they are interacting with an AI when it isn't obvious.
You make decisions about people with AI
CV screening, creditworthiness scoring, employee evaluation, insurance, biometrics, education. These are Annex III areas: high risk, with reinforced obligations.
You generate AI content and publish it
Images, videos, synthetic voices, deepfakes, voice-overs. There are labelling and disclosure obligations when the content could be misleading.
The 4 risk categories
What the AI Act requires of you depending on your AI system's risk
The Regulation classifies AI systems into four levels. Your obligations — and your exposure to penalties — depend on which one each use falls into. This is the basis of every diagnosis.
| Risk level | Examples | What it requires of you |
|---|---|---|
| Unacceptable risk Prohibited · art. 5 | Subliminal manipulation, social scoring, emotion recognition at work or in education, mass scraping of faces. | Prohibited since 2 February 2025. Fines of up to €35M or 7% of worldwide turnover. |
| High risk Annex III | Staff recruitment, employee evaluation, credit scoring, life or health insurance, biometrics, education, essential services, justice. | Risk management, data quality, technical documentation, human oversight, log keeping and conformity assessment. General application from 2 August 2026. |
| Transparency risk Art. 50 | Customer-facing chatbots, AI-generated content, deepfakes, synthetic voices. | Notify that there is interaction with an AI and label synthetic content. From 2 August 2026. |
| Minimal risk | AI for drafting, translating, summarising, basic filters or recommenders. | No specific product obligations, but staff AI literacy (art. 4) and data control in line with the GDPR are required. |
Not sure which category your systems fall into? That's exactly what the Express Diagnosis resolves.
Application timeline
Key AI Act dates
- 1 Aug 2024Regulation (EU) 2024/1689 enters into force.
- 2 Feb 2025AI literacy (art. 4) and prohibited practices (art. 5).
- 2 Aug 2025Obligations for general-purpose AI models (GPAI) and governance.
- 2 Aug 2026General application: transparency (art. 50) and high-risk systems under Annex III.
- 2 Aug 2027High risk embedded in products that are already regulated.
Why it matters
Real fines, a softer rule for SMEs.
The penalty regime (Articles 99-101 of the AI Act) provides for fines of up to €35M or 7% of worldwide turnover for using AI in prohibited practices, up to €15M or 3% for breaching general obligations, and up to €7.5M or 1% for incorrect information to the authorities. For freelancers and SMEs, Article 99(6) applies the lower amount, not the higher one — but the penalty is still proportional to turnover, and the risk is usually compounded by a GDPR breach that the AEPD penalises separately.
How we work
From diagnosis to a sustainable compliance system.
Mapping the AI systems in use, classifying them under Annex III, identifying the role (deployer or provider) and detecting prohibited or high-risk practices.
Analysing the applicable obligations and comparing them with the current situation: policies, training, transparency, data control, human oversight and evidence.
Internal AI-use policy, literacy plan, transparency templates for chatbots and synthetic content, provider register and a risk-assessment model.
Staff training session (AI literacy, art. 4), implementation of controls, provider review and internal sign-off of the policy.
Annual review, updates in response to regulatory changes, support for specific cases and response to incidents or requests from the AESIA or the AEPD.
Why with a forensic expert witness
The same professional who brings your AI into compliance can defend the evidence before the AESIA or a court.
Your AI Act compliance is signed off by Manuel Navarro Rajoy, DPD/DPO certified by the AEPD (registration A2025166DPD) and Forensic IT Expert Witness TIP 639 AEPEJU. It is not just documentation: if an AESIA or AEPD inspection, a formal request or litigation over an algorithmic decision arrives, you have the very expert who analysed your system preparing and ratifying the forensic evidence. That is the difference between an agency that fills in templates and a professional who upholds your compliance before whoever challenges it.
See forensic IT reports
Plans
Four models depending on the size of the organisation and actual AI use
The amounts are indicative and are finalised after the initial assessment. The final invoice depends on the number of AI systems involved, the risk level and how much prior documentation already exists.
VAT not included. First assessment free within 24 business hours.
Express Diagnosis
For freelancers and micro-businesses with light AI use
€350one-off payment
- Initial inventory of AI tools
- Risk classification (deployer / Annex III)
- Executive report with priorities
- Recommendations to start documenting
Basic Compliance
For SMEs that use AI regularly in their activity
€980 - €1,800one-off payment
- Full diagnosis and gap analysis
- Internal AI-use policy
- Transparency templates (chatbots, deepfakes, content)
- Training session for AI literacy
- Initial evidence folder
Comprehensive Compliance
For companies with extensive use or high-risk systems
€2,400 - €5,500one-off payment
- Everything in Basic Compliance
- Analysis of providers and integrations
- Impact assessment for high-risk systems
- Design of human oversight and log keeping
- Coordination with the DPO/CISO/Legal team
- Executive report for management
Ongoing Governance
Permanent maintenance and support
From €240per month (annual commitment)
- Half-yearly review of inventory and risks
- Policy updates in response to regulatory changes
- Support for specific cases by email/phone
- Response to incidents or AESIA/AEPD requests
- Annual staff training
Deliverables
Documentation that stands up to an inspection.
AI inventory
A list of systems, tools, providers, data processed, purpose and the company's role.
Internal policy
A document signed by staff covering usage rules, prohibited data, oversight and review.
Risk assessment
A per-system matrix with classification (prohibited, high risk, transparency, low risk) and obligations.
Transparency templates
Wording for chatbots, AI-generated content, deepfakes and notices to customers and workers.
Training plan
Materials and an attendance record to demonstrate the AI literacy required by Article 4.
Evidence folder
A file structure ready to hand over to an authority or auditor upon request.
Frequently asked questions
Frequently asked questions
What kind of projects need AI Act adaptation?
Especially those where AI is involved in sensitive processes, automated decisions, video surveillance or activities with significant impact on people and business.
Is the adaptation only documentary?
No. The documentary part is important, but must be aligned with controls, owners and real governance of the system.
Can it integrate with privacy and security?
Yes. In fact, AI Act, GDPR, cybersecurity and data management usually need to be coordinated so the system is sustainable.
Direct contact
If your company already uses AI, getting compliance in order now is worth more than reacting later.
Tell me which AI systems you use, in which processes and with what data. I prepare a free initial assessment within 24 business hours, with scope, plan and a fixed price before any work begins.
