
EU AI Act high-risk conformity — 95 days to 2 August 2026

€35M or 7% of global turnover penalties. What US firms with EU revenue need to do this quarter.

Published April 29, 2026 · By Quinnlan Varcoe

The deadline that just got real

On 2 August 2026, EU AI Act Article 43 high-risk conformity assessment requirements become mandatory for any AI system in the eight Annex III categories: biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice.

Non-compliance penalties: €35 million or 7% of global annual turnover, whichever is higher. The EU AI Act applies extraterritorially — a US firm selling AI services to EU customers is in scope, even with no EU operations.

Who's actually affected

  • HR-tech and recruiting AI. Any AI used in hiring, firing, promotion, or task allocation falls under Annex III — including resume screening, interview AI, and performance scoring.
  • Education AI. Admissions, evaluation, proctoring, dropout prediction.
  • Credit + insurance underwriting AI. Creditworthiness assessment, life-and-health insurance pricing.
  • Biometric AI. Identification, categorization, emotion recognition (with significant restrictions).
  • Critical infrastructure operation AI. Including digital infrastructure (CDN routing, cybersecurity ML).
  • Healthcare AI. Already heavily regulated, but Annex III adds documentation requirements above MDR/IVDR baseline.

What conformity actually requires

Article 43 conformity assessment for high-risk AI systems requires:

  1. Risk management system per Article 9 — iterative, documented, throughout the AI lifecycle.
  2. Data governance per Article 10 — bias mitigation, training data quality, representative-sample documentation.
  3. Technical documentation per Article 11 + Annex IV.
  4. Record-keeping per Article 12 — automatic logging of high-risk system events.
  5. Transparency + user information per Article 13.
  6. Human oversight per Article 14.
  7. Accuracy, robustness, cybersecurity per Article 15.
  8. Quality management system per Article 17.
  9. CE marking + EU declaration of conformity.
  10. Post-market monitoring per Article 72.

The 95-day playbook

If you have an Annex III system in production today and you bill EU customers, here's the realistic 90-day path:

  • Week 1-2: Annex III classification audit. Determine which systems are in-scope, which sit on the edge, which are clearly out.
  • Week 3-4: Risk management system stand-up. Article 9 + 10 + 14 documentation.
  • Week 5-8: Technical documentation per Annex IV. Most firms already have ~50% of this written for SOC 2 / ISO 42001 / NIST AI RMF — we map and gap-fill.
  • Week 9-10: Quality management system per Article 17. For most US firms this is ISO 9001 + ISO 42001 with EU AI Act overlay.
  • Week 11-12: Conformity assessment by notified body (or self-assessment for some categories), CE marking, EU declaration of conformity, post-market monitoring program.
  • 2 August 2026: compliant.

What ISO 42001 buys you here

ISO 42001 (AI Management System) certification covers ~70% of EU AI Act Article 9-15 + 17 evidence. Companies pursuing both ISO 42001 and EU AI Act conformity at the same time save 30-40% versus running them separately.

Add NIST AI RMF and the matrix gets even tighter. Most of our AI consulting engagements run all three crosswalks in parallel. See ISO 42001 Certification and NIST AI RMF.

Cost

  • Annex III scoping audit: $30K-$80K fixed-fee.
  • Conformity assessment readiness: $80K-$250K depending on scope and existing posture.
  • Notified body fee (if external assessment required): €40K-€150K depending on category.
  • Inside the Modernization Partnership: bundled at no separate line item.

EU subsidiary or EU customers in your AI footprint?

Thirty minutes with Quinn. We'll classify your AI systems against Annex III, scope the conformity assessment work, and tell you whether you can hit 2 Aug 2026.

Trusted by partners across the practice

DAS Health
Exhibit A Cyber
Ally
KIRO Group
Black Mirage
Kalles Group
Gridware
CQR
Archstone Security
Cyvergence
Sentinel Cyber
Cloud Underground
Seron Security
Hexen
Koru Risk Management

Reviews

From the senior people who’ve worked alongside Quinn.

The named companies beside each reviewer are their employers — not Varcoe partnerships. Each quote is a professional reference from someone who’s shipped work alongside Quinn directly.

The partnership model isn't marketing language with Quinn — it's how she actually works. Senior judgment, single accountable contact, and the rigor to integrate across IT, security, and AI under one roof.

Aaron Birnbaum

Managing Partner

Seron Security

Quinnlan brings more than expertise — she brings strategic alignment. The ability to scale operations without sacrificing depth is exactly what serious organizations need from a modernization partner.

Caroline Lombard

Threat Specialist

AWS

I've worked with Quinnlan on incidents most teams couldn't navigate — Log4j among them. The technical depth and the calm under fire are real, and they're rare.

Justin Cox

Senior AWS Security Analyst

PayPal

One of the most seamless collaborations I've had in this industry. Composure under pressure, technical precision, and the kind of credibility that compounds — exactly the senior bench a modernization partnership needs.

Soufiane Jihadi

Senior Incident Response Consultant

Deloitte

Original references collected on the legacy Varcoe site · LinkedIn endorsements available on request