A compliance officer at a mid-sized insurer gets a deceptively simple question from the board: what is the EU AI Act going to cost us? A search online mostly turns up two extremes. On one side, vendors claiming their tool solves everything. On the other, consultancies that will only name a figure after three discovery calls. Writing a defensible budget request turns out to be harder than complying with the regulation itself.
Here is the direct answer, based on what the market actually charges as of mid 2026: a small organisation that only deploys AI (no high-risk use cases) should realistically expect 5,000 to 25,000 euros in year one. A mid-sized organisation with one or more candidate high-risk systems should budget 25,000 to 100,000 euros. A large enterprise, or a provider that places high-risk AI on the market itself, quickly reaches 100,000 to 500,000 euros or more, including conformity work and ongoing governance. On the other side of the ledger, subsidies such as the Dutch SLIM scheme can cover up to 60 percent of advisory and training costs for SMEs. Below is how those figures break down, so you can trace and defend them in front of your board.
The six cost categories every budget hits
Almost every AI Act budget decomposes into the same six categories. The proportions differ per organisation; the categories do not.
1. Inventory: knowing what is running
Everything starts with an AI inventory: which systems the organisation uses, who supplies them, who owns them internally. For a small organisation this is a matter of days of internal work. For a group with hundreds of applications and shadow IT it is a project of weeks to months. Budget 2,000 to 10,000 euros in internal hours or external support for an SME, and 15,000 to 50,000 euros for larger organisations. Why this register needs to exist regardless of your risk profile is covered in the analysis of the AI register and the inventory obligation.
2. Classification and legal assessment
Each system needs to be placed: prohibited practice, high-risk (Annex III or Annex I), transparency obligation under Article 50, or minimal risk. This is legal work that demands precision, especially now that the timelines diverge: the Article 50 transparency obligations apply from 2 August 2026, while the standalone high-risk obligations under Annex III have moved to 2 December 2027. A classification round at a specialised firm typically costs 3,000 to 15,000 euros, depending on the number of systems. An overview of the risk categories is available in the AI Act Explorer.
3. Assessments and the evidence file
Candidate high-risk systems require deeper work: gap analyses against the Chapter III requirements, preparation for the fundamental rights impact assessment (Article 27, also applying from 2 December 2027 for the relevant deployers), and alignment with existing DPIAs. Per system, 5,000 to 25,000 euros is a realistic range. Organisations combining this with a management-system approach should first get the difference between ISO 42001 certification and AI Act conformity straight: certifying the wrong thing means paying twice.
4. Training and AI literacy
Article 4 has required an adequate level of AI literacy for people working with AI systems since 2 February 2025. There is no dedicated fine attached to it, but it is the cheapest risk reduction in the entire package and the foundation under human oversight (Article 14). The market is wide: e-learnings and open courses run from 49 to 1,395 euros per person, depending on depth and certification. For a fifty-person organisation that means 2,500 to 25,000 euros, although platform licences such as those of LearnWize bring the per-seat cost down considerably at scale. More important than the price per seat is that training is role-specific and produces demonstrable evidence.
5. Tooling and governance software
AI governance platforms (registers, workflows, monitoring, evidence management) are almost always sold as annual licences. Entry prices of international vendors start around 10,000 to 20,000 euros per year; enterprise implementations run to 50,000 to 100,000 euros per year or more. An honest note: an SME with five AI systems is often well served by a structured register in existing tooling. Buying software before the inventory is finished is the most common budgeting mistake.
6. External advice
This is where the spread is largest and price transparency lowest. The big accounting and consulting firms work almost exclusively on bespoke quotes, with market hourly rates between 200 and 400 euros; full readiness programmes rarely come in under 75,000 euros. At the other end are specialised firms working with fixed prices. One example of that price transparency is the readiness sprint at 9,900 euros offered by Embed AI, which packages inventory, classification and a board-ready plan into a fixed scope. For a budget holder the difference matters: a fixed price is a number a board can approve, a bespoke quote is a negotiation.
Realistic totals per organisation type
- SME, deployer only (no high-risk): 5,000 to 25,000 euros in year one. Focus: inventory, Article 50 check for chatbots and generated content, baseline training.
- Mid-sized organisation with candidate high-risk systems (HR, healthcare, financial decisions): 25,000 to 100,000 euros. Focus: classification, gap assessments, governance structure, role-specific training.
- Large enterprise or provider of high-risk AI: 100,000 to 500,000 euros or more, spread over the run-up to 2 December 2027. Focus: conformity assessment, quality management system, technical documentation, ongoing monitoring.
- Recurring costs after year one: expect 20 to 40 percent of the initial investment per year for register maintenance, retraining and monitoring.
What doing nothing costs
The penalty framework is well known: up to 35 million euros or 7 percent of worldwide annual turnover for prohibited practices, up to 15 million euros or 3 percent for most other obligations, imposed via the supervisory authority. In the Netherlands, the implementing bill submitted by the government in April 2026 prepares the formal allocation of that supervision, with a coordinating role for the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) and a role for the RDI. For most organisations, however, the bill arrives from a different direction first: procurement teams demanding AI Act evidence in tenders, clients asking for contractual assurances, and the remediation costs when a system turns out to be high-risk after the fact and has to be documented retroactively. Fixing things afterwards is in practice two to three times more expensive than setting them up in advance, if only because design choices are locked in by then.
Subsidies: the line item almost everyone forgets
For Dutch SMEs, the SLIM scheme is the most concrete source of cover: a 60 percent subsidy on advisory and training programmes around learning and development, up to a maximum of 25,000 euros, with a minimum of 5,000 euros in eligible costs. An AI literacy programme or a learning-culture project around responsible AI use fits well, provided the application is framed around employee development rather than software purchases or standalone legal advice. In healthcare, sector training funds and programmes such as SectorplanPlus add to this, and many collective agreements include education funds that partially reimburse training costs. Including the subsidy side in the budget proposal can halve net training costs in some scenarios. That is exactly the kind of line that gets a budget request approved.
How to structure the budget request
For the compliance officer who has to put something on the table next week: start with the inventory as a separate, small first phase (it is always needed and gives the rest of the budget a factual basis), isolate the Article 50 obligations of 2 August 2026 as the urgent line item, and present high-risk preparation as a multi-year track towards 2 December 2027. Ask external parties for fixed prices or at least a capped quote, and show the SLIM subsidy explicitly in the overview. A budget built this way stops being a cost centre and becomes a phased plan with a deadline logic any board member can follow.