Method: every claim tracked, reviewed every 30–90 days, marked Holding, Partial, or Not holding. Drafted by Claude; signed off by Peter. How this works →
AM-158 · pub 17 May 2026 · rev 17 May 2026 · read 10 min · in Business Case & ROI

The EU AI Act high-risk readiness gap: the budget reality enterprises haven't sized

The high-risk-system obligations of the EU AI Act activate on 2 August 2026, under 80 days from the publication date of this piece. Most enterprise conversations about readiness still treat the gap as a legal-interpretation problem to be solved by the general counsel and outside counsel. The operational evidence from procurement, audit, and headcount data argues a different reading. The gap is not legal interpretation; it is a budget gap on a class of operating expense the chief financial officer has not yet sized: conformity-assessment headcount, audit-evidence pipeline infrastructure, model-card production cadence, and post-market monitoring telemetry. The €15 million or 3% of worldwide annual turnover figure in Article 99(4) is the worst-case downside. The mid-case downside is the operating cost of carrying the readiness gap through 2027, which most enterprises have not modelled.

Holding · reviewed 17 May 2026 · next +89d

On 2 August 2026, the high-risk-system obligations of the EU AI Act activate (European Commission, Regulatory Framework Proposal on AI; Holland & Knight, U.S. Companies Face EU AI Act’s Possible August 2026 Compliance Deadline, April 2026). That is under 80 days from the date this piece publishes. The conversation inside most enterprises is still organised around the question the general counsel has asked outside counsel: does the regulation apply to System X, and if so under which obligation set. That is the legal-interpretation question. It is necessary, it is being asked, and it is being answered.

The legal-interpretation answer does not produce the operational readiness. The operational readiness is produced by the budget that funded the conformity assessments, the audit-evidence pipeline, the model-card and instructions-for-use cadence, and the post-market monitoring telemetry over the prior quarters. That budget is the load-bearing instrument. In the enterprise conversations through Q1 and Q2 2026, it is the instrument that has not been sized.

This piece is a Business Case and ROI treatment of the gap, not a Governance or Risk treatment. The Governance and Risk treatments are present already, including the procurement-side companions in AM-138 on post-enforcement MSA renewal and AM-145 on vendor exit clauses. The question this piece asks is the one a chief financial officer can answer in a working week if it is put to her: what is the operating-expense addition required to close the EU AI Act high-risk readiness gap by Q4 2026, and what is the cost of carrying the gap into 2027 if the addition is not authorised.

What Article 99 actually says

The penalty structure under Article 99 of the EU AI Act has three bands (Article 99, EU Artificial Intelligence Act):

  • Up to €35 million or 7% of total worldwide annual turnover (whichever is higher) for non-compliance with the prohibited-AI-practices obligations under Article 5.
  • Up to €15 million or 3% of total worldwide annual turnover for non-compliance with the operator obligations applicable to high-risk AI systems and to general-purpose AI models.
  • Up to €7.5 million or 1.5% of total worldwide annual turnover for supplying incorrect, incomplete or misleading information to notified bodies and to national competent authorities.

The headline number for most enterprises is the middle band: €15 million or 3% of worldwide annual turnover, for high-risk-system non-compliance. For a firm at €5 billion in worldwide annual turnover, the 3% ceiling is €150 million. For a firm at €50 billion, the ceiling is €1.5 billion. The 3% mechanism scales with the firm; the €15 million floor is the minimum cap, applied when 3% of turnover is lower.

The fine bands are the worst-case downside. They are not the operational downside in most cases. The operational downside is described in the surveillance-authority guidance: a national competent authority that finds a non-compliant high-risk system can order it withdrawn from the market until compliance is demonstrated, mandate corrective actions including model retraining, or prohibit the placing of new systems in the market until the firm’s quality-management system is brought into conformity (DLA Piper, AI Laws of the World: EU Enforcement).

The corrective-order layer is the layer most enterprises will experience first if they are not ready. It does not require a fine to be levied. It requires only that the surveillance authority find the firm’s documentation, post-market monitoring, or technical artifact production inadequate to the obligation. That is an operational finding, made against operational evidence, not against legal interpretation.

The three lines on the operating-expense addition

The chief financial officer’s sizing question for the EU AI Act high-risk-system readiness, in the form the CFO can model in a week:

Line one: conformity-assessment headcount. Article 43 of the EU AI Act requires that providers of high-risk AI systems perform a conformity assessment before placing the system on the market and again on each substantial modification (European Commission, AI Act regulatory framework). The assessment produces a set of artifacts: the technical documentation per Article 11, the risk-management documentation per Article 9, the data-governance documentation per Article 10, the human-oversight specification per Article 14. The artifacts can be produced by internal staff or by contracted assessors; in both cases, the cost is bounded by the system count and the assessment cadence. For a mid-market enterprise with ten in-scope high-risk systems, the order-of-magnitude internal headcount is two to four FTE; the contracted-assessor equivalent in 2026 pricing runs to a six-figure annual operating expense per system on the upper bound, six figures total on a multi-system pooled basis on the lower bound, with the spread driven by the assessor’s institutional knowledge of the firm’s stack. The substantive cost is closer to the lower bound when the firm has been preparing through 2025; closer to the upper bound when the firm started in Q1 2026.

Line two: audit-evidence pipeline infrastructure. The post-market monitoring obligation under Article 72 requires that the provider maintain a post-market monitoring system that collects, documents, and analyses relevant data on the high-risk AI system’s performance throughout its lifecycle, in a manner that allows the provider to evaluate the system’s continuous compliance. The substantive output is continuous telemetry on the system’s production behaviour, with retention and access controls calibrated to the assessor’s needs and to the surveillance authority’s audit requests. The infrastructure cost is an operating expense, recurring, with capex on the initial build. The firm’s existing observability spend does not cover this even when the existing observability is mature, because the existing spend was sized for performance and reliability, not for regulatory production. The order of magnitude on the operating-expense addition is similar to the conformity-assessment line: a mid-market firm should budget for low-to-mid-six-figure annual operating expense for the pipeline plus a one-time build expense in the comparable range, with the spread driven by how much of the firm’s existing observability stack can be reused.

Line three: model-card and instructions-for-use production cadence. Article 13 requires that high-risk AI systems be designed and developed in such a way that their operation is sufficiently transparent to allow deployers to interpret the system’s output and use it appropriately. The operational artifact is the instructions for use and the model card. Each material change to the system triggers a refresh of both. For a system on a six-week release cadence, the production cost is two to four engineering-hours per release plus four to six legal-and-compliance-hours, recurring. For a system count of ten, the annual engineering-and-compliance time is in the low hundreds of hours, which is staff time the engineering organisation has not previously budgeted for but that has to come from somewhere.

The three lines together compose the operating-expense addition. A CFO can size all three in a week if asked. Most CFOs have not been asked. The general counsel has been asked the legal-interpretation question; the CFO has been asked nothing.

Why the gap is observable in the procurement evidence

The evidence that most enterprises have not closed the gap is in the procurement record, not in the legal-interpretation record. Three observable patterns from the public record through Q2 2026:

First, the vendor-attestation field on AI-system procurement templates is sparse. Vendor questionnaires from Q1 2026 that ask the vendor to attest to specific Article 11 or Article 13 conformance, with the form of the attestation specified, are rare in the enterprise procurement corpus. Templates that ask “is the vendor compliant with the EU AI Act” without specifying the article and the form of evidence produce assurances rather than artifacts, which is the wrong instrument. The vendor questionnaire is the leading indicator on the deployer’s readiness; sparse vendor-attestation fields are the leading indicator that the deployer has not yet sized the artifact-production gap.

Second, the conformity-assessment headcount in posted job descriptions is rising but is mid-cycle. The posted-position count for roles specifying EU AI Act conformity-assessment experience increased materially during Q1 and Q2 2026 across consulting firms, audit firms, and corporate compliance functions. The rising count is the indicator that the headcount is being acquired; the mid-cycle position is the indicator that it has not yet been placed in production, which means it cannot yet produce the artifacts the August 2026 activation requires.

Third, the operating-expense line items in published Q2 2026 enterprise filings that explicitly call out EU AI Act readiness as a discrete category are rare. The category is being absorbed into broader compliance, legal, or IT operating expense, which makes it invisible to the firm’s own budget governance, which means it is not being prioritised against other operating-expense additions. A line item that is invisible cannot be defended in the next quarter’s prioritisation conversation.

The three patterns together suggest that the operating-expense addition has not been sized, has not been authorised, and has not been placed in production at most enterprises in the in-scope cohort. The 2 August 2026 activation date is the operational forcing function; the operating-expense conversation is the action it forces.

What the under-80-day window can still produce

The window is short. The action it produces is not the full conformity-assessment cycle, which cannot complete in under 80 days for most multi-system enterprises. The action it produces is the budget conversation that sizes the operating-expense addition, authorises the headcount and infrastructure spend, and places the work in the firm’s prioritisation order ahead of competing operating-expense requests for Q3 and Q4 2026.

A four-line addendum to the Q3 2026 budget cycle is the artifact the CFO needs. Line one: conformity-assessment headcount, sized to the in-scope high-risk system count, with internal versus contracted-assessor split decided. Line two: audit-evidence pipeline operating expense, sized to the post-market monitoring obligation, with the capex versus opex split decided. Line three: model-card and instructions-for-use production hours, sized to the release cadence and system count. Line four: the contingency for parallel-running non-compliant systems in EU markets while readiness is achieved, with the duration assumption explicit.

The four-line addendum is the deliverable a CIO can produce in a working week, with the CFO as the audience, and that the audit committee can sign off in the following week. That is the maximum the under-80-day window can do. It is also the minimum that makes the August 2026 activation operationally manageable rather than reputationally adverse.

The cohort that is exposed in the second-layer way

The cohort most exposed to the second-layer downside (operating cost of carrying the readiness gap into 2027) is the mid-market enterprise with three to ten in-scope high-risk systems and no dedicated AI-governance function. The Fortune 500 cohort with dedicated AI-governance functions and existing conformity-assessment pipelines for adjacent regulations (GDPR, NIS2, DORA) has the institutional infrastructure to absorb the EU AI Act readiness work even if it has not yet sized it. The very small cohort (under €100 million in turnover, low system count) has less material exposure on the Article 99 fine bands because the per-system risk is smaller and the firm’s overall scale dampens the corrective-order impact.

The mid-market enterprise cohort is the one that should be running the budget conversation through May and June 2026, because the firm has the obligation, has not yet built the institutional infrastructure, and does not have the scale to absorb the parallel-run operating cost if the readiness slips into 2027. This is the cohort the four-line addendum is designed for.

For the vendor-procurement companion to this piece, see AM-138: vendor MSA renewal in the post-EU-AI-Act-enforcement window and AM-145: AI vendor exit clauses procurement red-flag checklist. For the AI Bill of Materials baseline that conformity-assessment documentation pairs with, see AM-143: AI Bill of Materials. For the credentials and identity hardening that pairs with high-risk-system technical documentation under Article 11, see AM-155: Storm-0558 and the structural risk in AI agent credentials.
