Axion Lab

09.05.2026

AI Due Diligence vs EU AI Act: Compliance Guide

Tags: AI, Due Diligence, Private Equity

Artificial intelligence (AI) is transforming how businesses operate, but it is also under increasing regulatory scrutiny. If your organisation builds, buys or deploys AI systems in Europe, the EU AI Act demands immediate attention: it has been in force since 1 August 2024, its prohibitions have applied since 2 February 2025, and most high-risk obligations apply from 2 August 2026. Non-compliance can mean fines of up to €35 million or 7% of global turnover, whichever is higher, and poor documentation can cut valuations by up to 15%.

Here’s what you need to know:

  • AI Due Diligence: Evaluates risks like data governance, transparency, and human oversight during mergers and acquisitions (M&A). Missing documentation or compliance gaps can lead to significant valuation losses.
  • EU AI Act: Introduces a four-tier risk framework (unacceptable, high-risk, limited-risk, minimal-risk) with strict requirements for high-risk AI systems, such as recruitment tools and credit scoring.
  • Financial Stakes: High-risk system compliance can cost €180,000–€420,000 initially, with annual maintenance fees of €45,000–€95,000. However, well-documented systems can boost valuations by 1.5–2× forward revenue.

The Act applies to any AI system used in the EU, regardless of the provider’s location. With the August 2026 deadline looming, compliance isn’t optional - it’s now a key factor in deal-making and enterprise value.

Aspect           | AI Due Diligence                              | EU AI Act
Key Focus        | Risk evaluation in M&A processes              | Four-tier risk framework for AI systems
Valuation Impact | Poor compliance reduces valuation by 2%–15%   | Compliance boosts valuation by 1.5–2× revenue
Costs            | M&A fees: €80,000–€250,000                    | High-risk compliance: €180,000–€420,000 upfront
Penalties        | Valuation drops, deal failures                | Fines up to €35M or 7% of global turnover

The takeaway? AI compliance is no longer a back-office task - it’s a core business priority. By addressing risks early, you can protect your investments and even gain a competitive edge in the market.

EU AI Act Risk Framework and Compliance Costs Comparison

1. AI Due Diligence

AI due diligence now involves evaluating risks using the EU AI Act's four-tier risk classification: unacceptable, high-risk, limited-risk, and minimal-risk. A striking example occurred in Q1 2026 when a €90 million HR analytics company in Frankfurt was pulled from the market. Four bidders identified its recruitment screening model as falling under Annex III high-risk categories without adequate documentation. KPMG Frankfurt estimated that fixing these issues would cost €2.8 million over 18 months. This led three bidders to walk away, while the fourth slashed their offer by 22% 1. Below, we explore key areas like risk management, data governance, human oversight, and transparency.

Risk Management

Under Article 9 of the EU AI Act, providers must maintain a continuous, documented risk management process throughout the lifecycle of a high-risk AI system; this is not a one-time compliance task 4. For high-risk applications such as CV screening or credit scoring, firms must identify "reasonably foreseeable" risks and put mitigation measures in place. Gaps in this documentation often lead to valuation discounts of 2%–5% 1. Establishing a compliance programme for a single high-risk AI system can cost between £150,000 and £350,000 (roughly €180,000–€420,000) upfront, with annual maintenance of £38,000–£79,000 (roughly €45,000–€95,000) 1. Effective risk management also depends on solid data governance practices.

Data Governance

Article 10 of the EU AI Act requires that training, validation and testing datasets for high-risk AI systems be relevant, sufficiently representative and, as far as possible, complete, so that the system does not produce discriminatory outcomes 3, 4. Breaching these obligations falls under the Act's tier for high-risk obligations: fines of up to €15 million or 3% of global annual turnover, whichever is higher 5. Buyers now expect proof during due diligence that datasets meet these standards. In addition, high-risk systems must automatically log events (Article 12), and both providers and deployers must retain those logs for at least six months (Articles 19 and 26) to ensure traceability 4.

Human Oversight

Article 14 mandates that high-risk AI systems be designed so that the natural persons overseeing them can understand their outputs, decide not to use them, and override or halt them when necessary 3, 4. This counters "automation bias", where users over-trust machine-generated suggestions without critical review 3. A notable example comes from March 2026, when an Austrian consumer lender achieved an 8.2× forward revenue valuation, well above the 6.5× market average, by showcasing exceptional AI governance. Its efforts included live explainability dashboards and documented oversight controls, backed by a €1.4 million investment in quarterly model card updates and external fairness audits 1.

"Meaningful oversight that can genuinely affect outcomes is required. This is not a rubber-stamp process" 4.

  • Mohammed Cherifi, Founder & Principal Consultant at Hyperion Consulting

Transparency

Article 13 requires providers to give deployers clear instructions covering the system's capabilities, limitations and accuracy metrics 3, 4. For limited-risk AI systems such as chatbots, Article 50 requires that users be informed they are interacting with AI 4. In M&A transactions, buyers now insist on clear documentation of known biases and foreseeable misuse scenarios. Advisory fees for AI governance in M&A deals typically range from £67,000 to £208,000 (roughly €80,000–€250,000), with annual fairness audits costing between £29,000 and £100,000 1.

2. EU AI Act

The EU AI Act is built around a structured risk framework, which is key to understanding compliance in AI due diligence. This framework divides AI systems into four risk levels, each with specific requirements. At the top is the "unacceptable risk" category, which bans systems like social scoring and workplace emotion recognition from 2 February 2025. Below this are "high-risk" AI systems, such as recruitment screening tools and credit scoring applications. These must meet compliance standards by 2 August 2026. "Limited-risk" systems, like customer service chatbots, only need to inform users they're interacting with AI, while "minimal-risk" systems, such as spam filters, face no mandatory requirements 4. This tiered approach provides clear guidance for due diligence by outlining compliance benchmarks for each risk level.

The Act has a broad reach, applying to any provider whose AI outputs are used within the EU, regardless of where the company is based. This means UK firms working with European clients must comply, even post-Brexit. The penalties for non-compliance are steep: breaches involving prohibited practices can lead to fines of up to €35 million or 7% of global annual turnover, while violations related to high-risk systems can result in fines of up to €15 million or 3% of turnover 4. These strict measures not only underline the importance of compliance but also influence how AI assets are valued during due diligence.

"The compliance story has stopped being about whether firms are covered and started being about how the gap between documented and undocumented AI assets shows up on the term sheet."

  • The Industry Lens 1

Pros and Cons

When considering AI due diligence practices alongside the EU AI Act, it's clear that both bring distinct advantages and challenges to the table.

AI-assisted due diligence tools shine at automating complex checks at scale: bias testing with libraries such as Fairlearn or AIF360, feature-attribution explanations with SHAP and LIME, and structured audit logging 4. Even so, documenting a moderately complex AI system to the Annex IV standard can take between 40 and 80 hours 2. Time-consuming as it is, this documentation often pays for itself, because well-documented systems command higher valuations.
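To make concrete what "bias testing" and "audit logging" actually compute, the following is an added example written for this article; it is not code from Axion Lab, Fairlearn or any source the page cites. It reproduces, in plain Python so that it runs offline, the selection-rate comparison that Fairlearn's demographic_parity_difference and demographic_parity_ratio report, over a constructed set of 20 recruitment-screening decisions, and records every decision plus the fairness check in a hash-chained log so that a later edit to any record is detectable. The applicant data, the group names, the 0.8 ratio threshold (the "four-fifths rule" heuristic, not a figure from the AI Act) and all function names are assumptions.

```python
"""Added example: a minimal bias test plus a hash-chained audit log for a
recruitment screening model. Written for this article; it is not code from
Axion Lab, Fairlearn or the EU AI Act text. The applicant data, group names
and the 0.8 threshold below are constructed assumptions."""
import copy
import hashlib
import json
from collections import defaultdict

# Constructed sample: (applicant_id, protected_group, model_shortlisted).
# group_a: 6 of 10 shortlisted (rate 0.6); group_b: 3 of 10 (rate 0.3).
DECISIONS = [(f"app-{i:02d}", "group_a", i < 6) for i in range(10)] + [
    (f"app-{i:02d}", "group_b", i < 13) for i in range(10, 20)
]

GENESIS_HASH = "0" * 64  # chain anchor for the first log entry


def selection_rates(decisions):
    """Share of applicants the model shortlisted, per protected group."""
    counts = defaultdict(lambda: [0, 0])  # group -> [shortlisted, total]
    for _, group, shortlisted in decisions:
        counts[group][0] += int(shortlisted)
        counts[group][1] += 1
    return {g: s / n for g, (s, n) in counts.items()}


def demographic_parity_check(decisions, min_ratio=0.8):
    """The numbers Fairlearn's demographic_parity_difference/_ratio report:
    gap and ratio between the lowest and highest group selection rates.
    min_ratio=0.8 is the four-fifths rule heuristic (an assumption here)."""
    rates = selection_rates(decisions)
    lo, hi = min(rates.values()), max(rates.values())
    ratio = lo / hi if hi else 1.0
    return {
        "selection_rates": rates,
        "dp_difference": round(hi - lo, 4),
        "dp_ratio": round(ratio, 4),
        "passes": ratio >= min_ratio,
    }


def _entry_hash(seq, prev, event):
    """Canonical JSON so an identical entry always hashes identically."""
    body = json.dumps({"seq": seq, "prev": prev, "event": event},
                      sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


class AuditLog:
    """Append-only log where each entry commits to the previous entry's hash,
    so editing or dropping an earlier record invalidates every later one."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        seq = len(self.entries)
        prev = self.entries[-1]["hash"] if self.entries else GENESIS_HASH
        entry = {"seq": seq, "prev": prev, "event": event,
                 "hash": _entry_hash(seq, prev, event)}
        self.entries.append(entry)
        return entry

    def verify(self):
        return verify_chain(self.entries)


def verify_chain(entries):
    """Recompute the chain from the genesis value; any mismatch means the
    stored log no longer matches what was originally written."""
    prev = GENESIS_HASH
    for seq, entry in enumerate(entries):
        if entry["seq"] != seq or entry["prev"] != prev:
            return False
        if entry["hash"] != _entry_hash(seq, prev, entry["event"]):
            return False
        prev = entry["hash"]
    return True


def run_screening_audit(decisions=DECISIONS):
    """Log every model decision, then log the fairness check itself."""
    log = AuditLog()
    for applicant, group, shortlisted in decisions:
        log.append({"type": "decision", "applicant": applicant, "group": group,
                    "shortlisted": shortlisted, "human_reviewed": False})
    result = demographic_parity_check(decisions)
    log.append({"type": "fairness_check", **result})
    return result, log


def tamper_demo(log, seq=3):
    """Flip one recorded decision in a copy of the log and re-verify.
    Returns False when the tampering is detected."""
    tampered = copy.deepcopy(log.entries)
    tampered[seq]["event"]["shortlisted"] = not tampered[seq]["event"]["shortlisted"]
    return verify_chain(tampered)


if __name__ == "__main__":
    result, log = run_screening_audit()
    print(json.dumps(result, indent=2))
    print("chain intact:", log.verify(), "| tampered copy verifies:", tamper_demo(log))
```

On the constructed data the check fails (ratio 0.5 against a 0.8 threshold), which is the kind of finding a buyer would expect to see recorded rather than silently omitted. The hash chain only proves that the log has not been altered since it was written; it says nothing about coverage, which is why the post-market monitoring gap described later in this article (logs present for only part of the deployed instances) has to be checked separately against the deployment inventory.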

The EU AI Act simplifies risk management with its four-tier framework, clearly outlining which systems require full compliance and which face lighter obligations. For companies juggling multiple AI assets, this framework serves more as a guide than a hindrance. In fact, strong governance and compliance practices have evolved beyond being mere legal requirements - they’ve become valuable assets. Companies with robust compliance can see valuation premiums of 1.5 to 2 times their forward revenue 1.

On the flip side, the obstacles are just as tangible. Addressing compliance gaps can be costly. In Q1 2026, a €90 million Frankfurt HR analytics carve-out was pulled from the market after all four bidders flagged compliance issues in its recruitment screening model; with remediation estimated at €2.8 million over 18 months, three bidders walked away and the remaining offer came in 22% lower 1. For high-risk systems, enterprise compliance programmes can initially cost between €180,000 and €420,000, with yearly maintenance of €45,000 to €95,000. Even SMEs face notable costs, at approximately €6,000 to €7,000 per system 1.

AI due diligence tools have their own limitations. A common issue arises with Vendor Due Diligence (VDD) data synthesis, where platforms often treat VDD reports as unbiased inputs. This can overlook structural biases designed to present assets in a favourable light. For example, in Q4 2025, a UK private equity firm reduced its bid for a radiology software vendor from €180 million to €173 million after AI due diligence uncovered that post-market monitoring logs only accounted for 70% of deployed instances, breaching Article 72. This €7 million markdown highlights how documentation gaps can directly impact deal terms 1.

Ultimately, organisations must balance the efficiency and valuation benefits of automation and compliance with the financial and operational costs of remediation.

Aspect           | AI Due Diligence                                                  | EU AI Act
Key Benefit      | Automates bias testing, explainability, and audit logging at scale | Provides clear risk tiers and a compliance roadmap
Valuation Impact | Can boost valuation by 1.5–2× forward revenue when well-documented | Protects enterprise value through compliance
Main Challenge   | Blind spots in VDD data synthesis; gaps across workstreams         | High remediation costs (e.g., €2.8M+ for complex systems)
Cost Range       | Big Four M&A fees: €80,000–€250,000 per deal                       | Enterprise: €180,000–€420,000 initially; SME: €6,000–€7,000
Penalty Risk     | Deal collapse or 2–15% valuation reductions                        | Fines up to €35M or 7% of global turnover

Conclusion

The gap between AI due diligence practices and compliance with the EU AI Act is no longer hypothetical - it's actively influencing deal terms, valuations, and operational risks across European markets. With the 2 August 2026 deadline for high-risk systems fast approaching, organisations need to shift their mindset. Compliance should be seen as more than a checkbox exercise; it's a strategic imperative. Strong governance programmes can boost valuation premiums, while gaps in documentation can significantly erode enterprise value 1.

To close these gaps, a structured approach is essential. It rests on five pillars: inventory and classification, technical documentation under Annex IV, continuous risk management, human oversight with immutable audit trails, and formal conformity assessment 3. Traditional due diligence processes, often fragmented across financial, legal and ESG workstreams, fall short of producing the complete technical documentation required by Article 11 (the Annex IV technical file). Manual documentation for each system can take anywhere from 40 to 80 hours 2.

AI-native platforms are stepping in to streamline this process. Tools like Axion Lab integrate vendor due diligence reports, financial models, and data room materials into a single workflow. By doing so, they can identify narrative inconsistencies and hidden contradictions that manual reviews might overlook. For private equity firms navigating the complexities of SFDR, CSRD, and the EU AI Act, these platforms offer both speed and precision - working at five to ten times the throughput of human efforts while ensuring expert oversight. Additionally, their ability to adapt to regulatory requirements means that compliance documentation improves with each use, making later engagements even more accurate.

The stakes are high. Penalties for non-compliance can reach €35 million or 7% of global turnover, whichever is higher, for prohibited practices, and €15 million or 3% of turnover for high-risk violations 3, 4. However, documented compliance efforts can act as mitigating factors, potentially reducing fines even if a breach occurs 3. As Mohammed Cherifi, Founder & Principal Consultant at Hyperion Consulting, emphasises:

"The August 2026 deadline is fixed in law. Fines scale with revenue, not organisation size. Every week of preparation now is worth multiple weeks of remediation in July 2026" 4.

For organisations still viewing AI governance as a distant concern, the reality is clear: the market has already moved. By April 2026, compliance with the AI Act became a standard consideration in deals, alongside GDPR and cybersecurity. Law firms have even begun including specific warranty schedules in their templates 1. The focus now is on building robust documentation quickly to protect enterprise value and ensure smooth operations.
