EU AI Act Assessment

EU AI Act Assessment for SaaS and AI Builders

Find out whether your AI is high-risk, what the AI Act actually expects of you, and whether a FRIA is on the cards. A clear classification, an obligations map, and a roadmap your team can act on, not a compliance panic.

Not sure if you are even in scope? Take the 3-minute high-risk check →

What Makes an AI System High-Risk?

Under the EU AI Act, a system is high-risk based on what it is used for, not how automated it is. Annex III lists the categories, and the ones software teams hit most often are AI used in hiring and work, access to essential services such as credit and insurance, biometrics, education, and law enforcement. If your system is used for one of those purposes, it is high-risk, and a human reviewing the output does not change that.

That last point catches a lot of teams out. The instinct is to say "a person makes the final call, so the risk is low." That is a GDPR way of thinking about automated decisions, and it answers a different question than the one the AI Act asks. High-risk classification comes first, and human oversight is one of the obligations that follows, not a way around it.

Classification vs FRIA vs DPIA

Three pieces of work get tangled together here. They are related, and best run in sync, but they answer different questions.

  High-Risk Classification FRIA DPIA
What it answers Is this AI system high-risk under the EU AI Act, and are you the provider or the deployer? How could this high-risk AI affect people's fundamental rights, and what do you do about it? How does this processing affect people's data protection, and where are the privacy risks?
What triggers it A use that falls in an Annex III category. Classification is the first question, before anything else. A high-risk AI system, mandatory for some deployers and good practice for the rest. High-risk processing of personal data under the GDPR.
Comes from The EU AI Act. The EU AI Act. The GDPR (EU and UK).
How they connect Sets the scope for everything below. Reuses a large part of a DPIA, then adds the rights angles a DPIA misses. Often already owed, and covers a good chunk of the FRIA.
The efficient way to run these: a DPIA typically covers something in the region of a third of what a FRIA needs, particularly around data flows, purpose, and risks to the people involved. If you assess them in sync rather than as separate silos, you extend the DPIA to cover the fundamental-rights angles it was never designed to catch, and you do less work, not more. Conflating these regimes is where teams get caught out. Combining them is where they get ahead.

Signs Your AI Is In Scope

If any of these describe a feature you have shipped or are building, the AI Act is worth a proper look before it becomes someone else's question.

Classification First, Then the Work That Follows

The order matters. Get the classification right, and everything after it is scoped correctly. Get it wrong, and you either over-build or miss obligations that surface at the worst possible moment.

Step 1
Classify

Establish whether you are a provider or a deployer, and whether the system falls into an Annex III high-risk use. This is the question everything else hangs on.

Step 2
Map the Obligations

Turn the classification into a clear list of what the AI Act expects of you, from human oversight and transparency to records and working within the provider's instructions.

Step 3
Assess

Run a Fundamental Rights Impact Assessment where it is indicated, extending a DPIA you may already owe rather than starting from a blank page.

Step 4
Report & Risk Register

Findings documented in plain language, with each risk rated and owned, so it lives in something you can track rather than a one-off slide.

Step 5
Prioritized Roadmap

A sequenced plan of what to do and in what order, built to be delivered. If you want, I stay on to help deliver it.

Where It Leads
Ahead, Not Scrambling

The point is to have your paperwork ready before a customer or a regulator asks, not to assemble it under deadline once they do.

Deliverables You Can Actually Use

Where you need a formal legal opinion: this is practitioner work, not a law firm. I am CIPP/E certified and the assessment is a practical one. Where a matter needs a formal legal opinion, I have preferred partners across several jurisdictions and bring the right one in, so the practical work and the legal sign-off join up without you having to assemble the team yourself.

Three Ways to Run It

Start with a classification, or go straight to the assessment. Scope depends on the system and how much is in play.

High-Risk Classification Review
$825

Per use case. Complex systems by quote.

  • A clear read on whether your AI is high-risk
  • Your role confirmed: provider, deployer, or both
  • The obligations that would follow, in plain terms
  • A short memo and a call, fast turnaround
Start With a Classification →
FRIA
Starting at
$3,500

A full Fundamental Rights Impact Assessment.

  • Oversight, affected groups, and remedy
  • Non-discrimination and rights impacts
  • Report, risk register, and roadmap
  • Built on your DPIA where one exists
Talk Through Scope →

Need ongoing coverage rather than a one-off assessment? That is the Privacy Officer Advisory retainer. A 15-minute discovery call is the fastest way to a firm number.

Get a Read on Your Exposure for Free

Not ready for a full assessment? These free checks give you a picture in minutes, and a sensible starting point for a conversation.

Is Your AI High-Risk?

A few quick questions to see whether your AI lands in an Annex III high-risk category, and whether a FRIA is indicated.

Take the 3-minute check →
Do I Need a DPIA?

Eight quick questions that point you toward a DPIA, a PIA, a lighter risk assessment, or nothing urgent.

Take the 2-minute check →
SDLC Privacy Risk

For dev teams: where privacy and security risk sits across your development lifecycle.

Check your SDLC →

EU AI Act Questions, Answered

What makes an AI system high-risk under the EU AI Act?

The EU AI Act treats a system as high-risk based on what it is used for, not how automated it is. Annex III lists the categories, including AI used in hiring and work, access to essential services such as credit and insurance, biometrics, education, and law enforcement. If your system is used for one of those purposes, it is high-risk regardless of whether a human makes the final call.

What is the difference between a provider and a deployer?

A provider builds or substantially changes an AI system. A deployer uses one under its own authority. Many companies are both, and the obligations differ, so the first step in any AI Act assessment is confirming which role you are in for the system in question.

Does a human making the final decision keep my AI out of high-risk?

No. Human oversight is one of the obligations that apply to a high-risk system, not a way to avoid being classified as high-risk in the first place. If the use is listed in Annex III, a human reviewing or approving the output does not change the classification.

Is a FRIA mandatory?

Not always. A Fundamental Rights Impact Assessment is mandatory for certain deployers, mainly public bodies, private organizations providing public services, and some credit and insurance deployers. A private company running its own recruitment or product often falls outside that list, but a voluntary FRIA is usually the wiser move for a high-risk system, and it is far easier done ahead of a complaint than after one.

Can a FRIA reuse my DPIA?

Largely, yes. A DPIA typically covers a good part of what a FRIA needs, particularly around data flows, purpose, and risks to the people involved. You then extend it to the fundamental-rights angles a DPIA was never designed to catch, such as non-discrimination and the right to an effective remedy. Running the two in sync is less work than treating them as separate silos.

Do you only work with EU companies?

No. The EU AI Act reaches any company whose AI affects people in the EU, wherever the company is based. Most of the AI Act work I do is for SaaS and AI teams outside the EU whose products touch EU or UK users.

Do you provide legal advice or a legal opinion?

The assessment is practical practitioner work, not a legal opinion, and I am CIPP/E certified rather than a law firm. Where a matter needs a formal legal opinion, I have preferred partners across several jurisdictions and bring the right one in, so the practical assessment and the legal sign-off join up without you assembling the team yourself.

Want the longer read first? When "no automated decision" doesn't mean "not high risk" →

Read the Classification Correctly, Once

The discovery call is 15 minutes. No commitment, no pitch deck. We talk through what your AI does, where your users are, and whether you are looking at a classification review, a FRIA, or a combined assessment. If you would rather check your exposure first, the 3-minute high-risk check gives you a steer.

Assessments run by Ross Saunders, CIPP/E, with 15 years in privacy and cybersecurity and a background in software and SaaS leadership.

Last updated 9 July 2026