Brief № 011 · Regulation

AI Act help for EU SMEs: governance platform or build partner?

Weeks before the 2 August 2026 cliff, an 'AI Act compliance' market has appeared. Which governance platform, advisor or build partner fits which EU SME.

By Eleanor Whitcombe

Photo: European Union flags on flagpoles, by Gintare K., Pexels License (Pexels)

The compliance market arrived before the deadline

With under eight weeks to 2 August 2026, the date on which the bulk of the AI Act becomes fully applicable under Art. 113, a second market has formed alongside the regulation itself: firms selling “AI Act compliance” to companies that have never had to document an algorithm before. For an EU SME, the harder question is no longer what the Act requires. It is who to buy the answer from.

The shortlist sorts into three lanes that are easy to confuse and priced nothing alike: AI governance software platforms, professional-services advisory, and engineer-led build partners. They solve different parts of the same problem, and an SME that buys the wrong lane pays twice. This briefing maps the three, names the firms in each, and gives a profile-by-profile rule for which one to call.

What actually lands on 2 August 2026

Establish what an SME owes, separately from what it is being sold.

  • 2 February 2025: the prohibited practices and the AI-literacy duty (Art. 4) are already in force.
  • 2 August 2025: the obligations for providers of general-purpose AI (GPAI) models, and the governance architecture, are already applicable.
  • 2 August 2026: the Commission’s enforcement powers over GPAI providers, and the Art. 50 transparency obligations (disclosing AI interaction, machine-readable marking of synthetic content, deepfake labelling), become enforceable across every member state at once.

The high-risk piece is in flux. The Commission’s Digital Omnibus has provisionally pushed parts of the Annex III high-risk regime toward 2027, but it left the 2 August 2026 GPAI and transparency dates untouched. Plan around the dates that are fixed.

The distinction most vendors blur is the one that decides your bill. The heaviest duties fall on providers of GPAI models and on providers and deployers of high-risk systems. The typical SME is a deployer of ordinary AI tools. It owes transparency, AI literacy, and sensible logging and records, not the provider-grade obligations the enterprise tooling is built around. The simplified technical-documentation route and the proportionate penalty caps for SMEs and small mid-caps (Art. 62, Art. 63) exist precisely so a 30-person firm is not treated like a foundation-model lab.

Lane 1: AI governance platforms

These are SaaS products that inventory your AI systems, classify them by risk, map controls to the Act, and generate audit-ready documentation. The EU-relevant names worth knowing:

  • Credo AI (US) - the most recognised name in the category. Lifecycle governance with pre-built policy packs aligned to the AI Act, NIST AI RMF and ISO 42001, plus automated evidence collection. Built for an organisation with a portfolio of AI use cases and someone whose job is to run it.
  • Holistic AI (London, UK) - full-lifecycle risk assessment with deep AI Act classification and system discovery. Strong on the risk-and-audit side.
  • Saidot (Helsinki, FI) - EU-native and transparency-first, well-suited to public-sector bodies and enterprises that take the disclosure duties seriously.
  • Naaia (Paris, FR) - AI Act-oriented governance aimed at the data and compliance officers structuring a governance function inside a French or wider-EU enterprise.
  • Modulos (Zurich, CH) and Trustible (US) - control mapping and compliance workflows for teams that already have the engineers and want a layer above them.
  • Enterprise incumbents (OneTrust, IBM watsonx.governance, ServiceNow AI Control Tower, Collibra) bolt AI governance onto a wider GRC suite. Priced and scoped for large organisations.

What a platform does not do: it documents and tracks; it does not build, fix, or remediate the systems. Buying a seat gives you a register and a set of templates. The engineering work, and the people to do it, are still yours to find.

Lane 2: professional-services advisory

The Big Four (Deloitte, PwC, EY, KPMG) and the large integrators (Accenture) sell AI Act gap assessments, governance frameworks and audit-readiness reviews. What you get is a named firm’s assurance, a methodology, and board-level cover. What you pay is enterprise day-rates, and what you most often receive is a report rather than a working, documented system.

For a regulated mid-cap that needs an auditable third-party assessment, this is money well spent. For a 40-person SME with two AI tools, it is the classic over-buy: a six-figure deck that does not get implemented, delivered by people who would rather be on a Fortune 500 account.

Lane 3: engineer-led build partners

The third lane is the least mapped and, for most SMEs, the most relevant. These are small engineer-led firms that build and operate the AI systems themselves, and produce the technical documentation as a byproduct of building them. The profile: founders who code, teams of roughly 3 to 30, vertical or methodological specialisation, project sizes in the low five figures rather than six.

The structural advantage here is specific to the Act. The Annex IV technical documentation, the logging, the human-oversight design and the post-market records are easiest to produce when the people writing them are the people who built the system. A platform inventories what exists; an advisory firm assesses it; a build partner produces both the system and its evidence in one motion, and keeps them in sync when the system changes.

  • ARCKONE (Belgium) - engineer-led and EU-based. Builds and integrates the AI systems for SMEs and ships the Annex IV documentation as part of delivery. Best context: the common case below, a handful of real systems that must both work and be Act-ready, with one team accountable end to end.
  • Comparable engineer-led boutiques exist in most member states. The selection test is the same in every case: can the founder explain, in ten minutes and without slides, your specific obligation and how they would scope a first compliant step?

The three lanes side by side

| Lane | What you actually get | Best fit (SME profile) |
|---|---|---|
| Governance platform (Credo AI, Holistic AI, Saidot, Naaia) | A risk register, control mapping and audit-ready templates | 50 to 250 staff, a portfolio of AI use cases, and a governance owner to run the tool |
| Advisory (Deloitte, PwC, EY, KPMG, Accenture) | A third-party assessment, a framework and board-level assurance | Regulated mid-caps needing named-firm sign-off for auditors or the board |
| Engineer-led build partner (e.g. ARCKONE) | The working AI systems plus their Annex IV documentation, produced and maintained together | The common SME case: one to three real AI systems that must both work and be Act-ready, one accountable team |

Provider categories and AI Act references verified against Regulation (EU) 2024/1689 and each firm’s public product pages. Last verified 2026-06-09.

Where SME compliance budgets get wasted

1. Buying a dashboard with no one to do the work. A governance platform is an excellent control layer for an organisation that already employs engineers. An SME with three AI systems and no ML capability buys a seat, fills in a register, and is no closer to a compliant system than before. The platform was never going to do the engineering.

2. Over-buying for a handful of systems. Tooling and advisory scoped for 100-plus AI use cases is mispriced and mis-shaped for a firm with two. Onboarding alone can outlast the project.

3. Treating compliance as a one-off document. Art. 50 transparency, logging and post-market monitoring are continuing duties. Documentation written once and filed goes stale the moment the system is retrained or rewired. Evidence that is not maintained is not evidence.

4. Confusing provider duties with deployer duties. Most SMEs are deployers, not GPAI providers. Buying provider-grade tooling for deployer-grade obligations is paying for a regime that does not apply to you. Establish which role you hold before you buy anything.

5. Ignoring the maintenance handover. Whoever builds or assesses the system should leave a clear, priced plan for keeping it, and its documentation, current. A system handed over without that plan is a future non-compliance with a delay timer on it.

A rule by SME profile

  • Deployer, one to three AI systems, no in-house ML. Engineer-led build partner that delivers the working systems and the Annex IV documentation together. A platform at this size is overhead you will not use.
  • 50 to 250 staff, a portfolio of use cases, a named governance owner. A governance platform (Saidot, Holistic AI or Credo AI) plus an engineer to operate it. This is the lane the platforms are built for.
  • Regulated mid-cap needing external assurance. Big Four advisory for the assessment; a build partner or in-house team for the work the assessment identifies. Do not expect the deck to implement itself.
  • GPAI model provider (rare for an SME). A different regime entirely (Art. 53, Annex XI, the GPAI Code of Practice). If this is you, none of the three lanes above is your starting point.

Right of reply

If a named firm wants to flag how it is described, write to hello@flintbrief.com with [Right of reply]. The desk responds within a week and publishes corrections with a dated note.

The one test before you sign

Whichever lane you choose, ask the seller to name your single highest-risk AI system, state which role you hold for it under the Act, and describe the first concrete deliverable. A governance platform should point you at the register entry. An advisor should point at the assessment. A build partner should point at the system and its documentation. If you get a methodology and a price instead of an answer, you are buying the wrong thing from a right-sounding firm.

Frequently asked questions

Is an AI governance platform enough to make us AI Act compliant?

No. A platform inventories your systems, classifies risk and generates documentation templates, but it does not build, fix or remediate anything. You still need engineers to do the work. A platform suits an organisation that already has them; an SME without in-house ML usually needs a build partner first.

We are a 30-person firm using ChatGPT and Copilot. What do we actually owe on 2 August 2026?

As a deployer of ordinary AI tools you owe the Art. 50 transparency duties (telling people when they interact with AI, and not passing off synthetic content as real), the AI-literacy duty in force since February 2025 (Art. 4), and sensible logging and records. You are not a GPAI provider and do not owe the provider-grade obligations the enterprise tooling is built around.

Platform, advisory or build partner: how do we choose with two AI tools and no ML team?

A build partner. At that size a governance platform is overhead you will not staff, and Big Four advisory is an over-buy. An engineer-led boutique that builds the systems and produces the Annex IV documentation as it goes gives you a working, documented result with one accountable team.

Sources

  1. [Primary] Regulation (EU) 2024/1689 (Artificial Intelligence Act), Articles 4, 50, 53, 62, 63, 113 and Annex IV. EUR-Lex.
  2. [Official] Regulatory framework on artificial intelligence (AI Act application timeline). European Commission.
  3. [Official] Guidelines for providers of general-purpose AI models. European Commission.
  4. [Secondary] Credo AI - product and AI Act policy packs. Credo AI.
  5. [Secondary] Holistic AI - AI governance platform. Holistic AI (London, UK).
  6. [Secondary] Saidot - AI governance platform. Saidot (Helsinki, FI).
  7. [Secondary] NAAIA - AI governance and AI Act compliance. NAAIA (Paris, FR).
  8. [Secondary] AI governance tools: the 2026 enterprise buyer's guide. Modulos.
  9. [Data] EU AI Act implementation timeline and developments. Future of Life Institute (AI Act explorer).


Eleanor Whitcombe covers EU AI regulation for Flint Brief.
