Quick Audit
5–30 employees · 1–3 AI systems
- AI inventory and risk classification
- 15-page audit report
- 5-point action plan
- Template internal AI policy
With the "Digital Omnibus", the EU is expected to postpone the obligations for high-risk systems (Annex III) to 2 December 2027. The prohibitions and the AI competence obligation, however, have applied since February 2025, and the transparency obligations apply from 2 August 2026. We review your AI landscape, classify every system, close the gaps and deliver an actionable roadmap. Fixed price, predictable delivery time.
The EU AI Act (Regulation (EU) 2024/1689) has been in force since August 2024, with obligations applying in stages. The prohibited practices (Art. 5) and the obligation to ensure AI competence of staff (Art. 4) have applied since February 2025. The GPAI and governance provisions have applied since August 2025. The transparency obligations (Art. 50) apply from 2 August 2026. The extensive obligations for high-risk systems under Annex III — originally also slated for August 2026 — are expected to be postponed to 2 December 2027 by the "Digital Omnibus" (political agreement of 7 May 2026, formal adoption still pending).
The penalties are real: up to EUR 35m or 7% of worldwide group turnover for breaches of the prohibition rules, up to EUR 15m or 3% for high-risk breaches. This affects not only AI developers — companies that merely deploy AI systems also bear obligations.
Small and mid-sized companies in particular underestimate the situation — precisely because they do not "build" AI but only use it. Four patterns recur: no one knows how many AI accounts (ChatGPT, Claude, Copilot) are active internally. HR tools with AI components are classified as "just software" but are high-risk under Annex III. The training obligation under Art. 4 is not documented. And contracts with AI providers contain no clauses on disclosure and documentation obligations.
Complete capture of all AI systems in the company — developed in-house and bought externally, including the AI accounts of individual departments.
Classifying every system under the EU AI Act: prohibited (Art. 5), high-risk (Annex III), limited risk (transparency obligations Art. 50), minimal risk. A legal assessment, not an IT sorting exercise.
Which specific obligations apply to each class — risk management, data governance, technical documentation, human oversight, transparency, conformity assessment.
Which obligations are already met and where gaps exist, prioritized by urgency ahead of the cut-off date.
Implementation of the training obligation under Art. 4 — which employees need which training at which frequency, documented in an audit-proof manner.
Responsibilities, escalation path, internal AI policy, ongoing maintenance of the AI inventory.
Concrete steps with a timeline and responsible owners — actionable along the staggered deadlines.
Comparable audits cost EUR 25,000 and upwards on the market. We deliver the same depth of review, AI-augmented and therefore at fixed prices that are affordable even for small companies. All prices are net plus 19% VAT. 50% on engagement, 50% on delivery.
5–30 employees · 1–3 AI systems
30–250 employees · 3–10 AI systems
250–1,000 employees · 10+ AI systems · high-risk industry
In-house training as a 90-min module: EUR 1,200 · AI provider due diligence per provider: EUR 600 · annual compliance update retainer: EUR 1,440 · implementation sparring per session: EUR 480. All prices net.
Step 1 — Discovery call (30 minutes, free of charge). We clarify company size, AI systems in use, industry and the right package. You then receive a binding fixed-price offer.
Step 2 — Inventory and data request. Structured questionnaire plus a short conversation with your IT and business side. AI-augmented analysis, under attorney responsibility.
Step 3 — Audit and report. Risk classification, gap analysis, governance concept, action plan. Handed over as a report plus templates.
Step 4 — Handover meeting. We walk through the report with you and prioritize the steps up to the cut-off date.
The seven review steps produce six deliverable documents — not an opinion to lock away, but an immediately usable working basis with clear next steps. Typically after around ten working days.
A structured table of all AI systems in use: purpose, business area, provider, types of data processed and responsible owners — including the previously unapproved shadow AI.
Per system, your role (deployer or provider) and the risk class under the AI Act — prohibited, high-risk, transparency-subject or minimal, each with reasoning.
Which specific obligations apply per system and class — with statutory references (Art. 5, 26, 50, Annex III) and the point in time of applicability.
Target vs. actual per requirement, prioritized red/yellow/green — showing at a glance where there is acute need for action and what can wait.
Concrete steps with priority, deadline and responsible owners, aligned to the staggered cut-off dates 2026–2028.
Model AI policy, clauses for provider contracts, training-record template and a management memo for the leadership.
An anonymized sample audit (fictitious online retailer, around 60 employees) shows the structure, depth and result of an EASTKAP audit — from risk classification to action plan.
In a short conversation, we clarify which risk situation your company is in and which package fits. Book an appointment directly — or simply send us your company size and industry.
Daniel Wagner, Attorney at Law
Kiehlufer 9
12059 Berlin