# Self-audit vs hired audit for the EU AI Act: when each makes sense

I run a paid audit. I also publish a free checklist. So I am the wrong person to be objective about this, except for the part where the wrong choice costs you real money or real time and I would rather you make the right one.

This post lays out the decision the way I lay it out for prospects who ask. About a third of them end up doing the self-audit and never paying me. The other two-thirds pay for the audit. Both are correct answers for different teams.

## The two paths in plain terms

Self-audit. You read Regulation (EU) 2024/1689 or our open-source checklist, classify your AI features yourself, write the disclosures yourself, produce your own audit trail, and file it. Cost: time only. Risk: you make a classification mistake nobody catches until a regulator does.

Hired audit. Someone with regulatory expertise walks your product, classifies each feature against Annex III, writes the documentation, ships the disclosure code, and hands you a PDF report with their name on it. Cost: typically 800 to 30,000 euros depending on the firm. Risk: you spend money you did not need to spend if your situation was simpler than you thought.

## When self-audit is the right call

You should self-audit if four things are true:

  1. You have minimal-risk AI only. Autocomplete, spam detection, search ranking, recommendation widgets with no significant impact on a user's life. No Annex III triggers. No chatbots with high stakes. The Act mostly leaves you alone.
  2. You have time. A self-audit takes a focused founder or technical lead about 8 to 16 hours from start to finished file. If you have that time before your deadline, you can do it.
  3. You are comfortable reading regulation. The AI Act is dense but readable. If "Article 50 transparency" and "Annex III(4) employment" do not make you nervous, you can navigate it. If they do, see the next section.
  4. You do not need to show the file to a customer or investor. A self-audit is defensible to a regulator. It is sometimes harder to defend to a sophisticated enterprise customer who wants to see a third-party-signed compliance file as part of their procurement process.

If those four are true, our free open-source checklist is everything you need. Use it. Send a pull request if you spot a gap.

## When a hired audit is the right call

You should pay for an audit if any of these are true:

  1. You have any Annex III feature. High-risk classification triggers a conformity assessment, a technical file under Article 11, human oversight under Article 14, post-market monitoring, and registration in the EU database. This is not 16 hours of work. Even if you can do it yourself, you probably should not. Fines for mistakes here run to 3 to 7 percent of turnover.
  2. You sell to enterprises that ask for compliance proof. A self-audit you signed yourself is harder to defend in a procurement review than an audit signed by an independent party. Some prospects will ask. You want to be able to say yes.
  3. You are short on time. If you have 30 days or fewer until your deadline and you have not started, an experienced auditor saves you the calendar. A 5-day delivered audit gives you 25 days of buffer.
  4. You want a defensible decision trail. If you ever face a regulator, an investor question, a board review, or a customer dispute about EU AI Act compliance, an external audit report is much easier to point to than your own internal documentation.
  5. You want to spend cycles on your product, not on regulation. Founder time is the most expensive time in the company. If you can spend 997 euros to buy back 16 hours of your own time, the math is obvious.

## What 997 euros buys you

The Disclos audit is 997 euros, one time, no subscription. In 5 business days you get:

We can do this for 997 euros because the underlying methodology is standardised. We are not reinventing a compliance practice for every SaaS. We are running the same proven 6-stage methodology, customised for your product.

## What 997 euros does not buy you

It does not buy you:

If you need any of those, the audit is a useful first step but not the only one.

## The honest comparison

| | Self-audit | Disclos audit |
|---|---|---|
| Cost | Your time only | 997 euros |
| Time investment | 8 to 16 hours | 30 minutes intake + review |
| Time until done | 1 to 4 weeks | 5 business days |
| Defensibility to regulator | Yes, if done well | Yes |
| Defensibility to enterprise customer | Sometimes harder | Yes |
| Refund if not compliant | No | Yes |
| Suitable for high-risk features | Risky | Yes |
| Suitable for minimal-risk only | Yes, ideal | Overkill |

If your situation is simple, the self-audit is the right call. The free repo will get you there. If your situation is more complex or you want to be done with this and back to building, the 997 euro audit is the right call.

The wrong choice in either direction mostly costs you wasted money or wasted time. The right choice in either direction mostly gets you a regulatory file you do not have to think about anymore. Both are better than the third option, which is to hope the deadline does not really mean it.

2 August 2026 means it.

Last updated: 2026-06-04