TREVAM
Buy — €149
EU AI Act Compliance — Buyer Edition (v1.6, May 2026)

EU AI Act Compliance Starter Kit — Buyer Edition

Documentation kit for teams that must produce EU AI Act compliance material.

For procurement responses, Article 50 transparency obligations, and customer due-diligence requests. Limited and Minimal risk scope. Self-serve digital download.

€149 one-time · no subscription
Review pricing and purchase Review full artifact list →
Limited / Minimal Risk AI systems Procurement + Article 50 documentation One-time purchase · No subscription Digital download

Not legal advice. General information and documentation structure only. Not a High-Risk conformity assessment. If your system is Annex III, consult specialist legal and compliance counsel.

Artifact Register showing 27 structured documentation items from the EU AI Act Compliance Starter Kit
Artifacts
27
Version
v1.6
Scope
Limited / Minimal
Immediate download
  • HTML/PDF reference package
  • 27 copyable documentation units
  • 9 separately editable templates
  • START_HERE guide
  • Optional AI-assisted companion

For Limited / Minimal Risk documentation work. Not legal advice.

Evidence context

Why this kit exists

The kit addresses a specific gap: procurement documentation requirements and Article 50 transparency obligations that apply even when a system is not High-Risk — in a market where most SMEs lack dedicated compliance capacity.

Signal Finding Source
Responsibility comprehension 68% of businesses struggle to understand their responsibilities under AI regulation AWS / Strand Partners (2025), n=15,000+ businesses, EU/UK/CH* 1
Regulatory uncertainty 44% say regulatory uncertainty hinders their ability to invest in AI AWS / Strand Partners (2025) 1
Expertise gap 70.89% cite lack of relevant expertise as a barrier (among enterprises that considered AI but did not use it) Eurostat — Use of AI in enterprises
SME readiness (EU) Only 19% report a clear strategy and sufficient resources; 40% feel partially or completely unprepared Qonto × Appinio (2025), n=1,600 senior decision-makers, FR/DE/IT/ES
Compliance cost anchor (High-Risk scenario) High-Risk administrative burden (Commission Impact Assessment): ~€6,000–€7,000. This kit does not cover High-Risk. For Limited/Minimal systems, documentation effort is lower but still procurement-relevant 2 European Commission Impact Assessment SWD(2021) 84 final
External specialist legal counsel Significant hourly cost depending on jurisdiction and seniority General market reference and counsel

1 Survey commissioned by AWS; fieldwork conducted by Strand Partners as an independent research firm.
2 The €6,000–€7,000 estimate refers to a high-risk scenario in the Commission Impact Assessment. It is included as a contextual upper-bound comparator, not a direct cost estimate for Limited/Minimal-risk systems.

Scope definition

Who this is for — and who it is not for

This is for you if

  • You must respond to a procurement or enterprise due-diligence request asking for EU AI Act posture, documentation, or auditability — even where the system is not High-Risk
  • You are operating a system that triggers Transparency Obligations (Article 50): interaction disclosure, content disclosure or marking
  • You need a documented baseline for intended purpose, provider vs deployer role clarity, and risk tier rationale
  • You need documentation that can be handed to a buyer, auditor, or legal reviewer
  • Evolving regulatory context. Regulatory timelines may evolve. Monitor official Commission communications for updates to implementation guidance and enforcement dates.

This is not for you if

  • Your system is High-Risk under Annex III — or you are unsure and need a legal determination. This kit does not replace a conformity assessment, QMS, or Notified Body engagement
  • You are a systemic-risk GPAI model provider — this kit covers downstream integration hygiene only, not provider-level obligations
  • You need contract drafting, negotiation, or jurisdiction-specific legal advice
  • You want ongoing consulting or implementation services — this is a self-serve kit
Risk tier What it means in practice Typical examples Kit coverage
Minimal risk No additional EU AI Act obligations; documentation may still be required contractually Internal analytics, non-decisive assistive tools Documented posture + procurement-facing pack; baseline structure
Limited risk Primarily transparency obligations (Article 50) in defined situations Customer-facing chat, content generation features Disclosure prompts, documentation structure, evidence-linked records
High risk (Annex III) Excluded Core obligations: risk management, data governance, technical file, oversight, robustness, post-market monitoring, conformity route Hiring screening, creditworthiness, education assessment, critical infrastructure Orientation only: Annex III mapping, conformity-route overview. Not a substitute for specialist compliance work.
Unacceptable risk Prohibited practices Prohibited manipulation/social scoring patterns Not covered
Procurement trigger

Procurement-ready documentation

This section can be forwarded directly to procurement or legal review.

Most teams facing procurement pressure already understand the requirement — what they lack is the documentation a reviewer can file, attach, and audit. If any of the following applies, you are in the procurement-trigger segment.

  • An RFP asks for your EU AI Act risk tier and the rationale for it
  • The buyer requests technical documentation and instructions for use — including for non-high-risk systems
  • The contracting authority asks for a risk management record, audit or assessment rights, or a handover package that a third-party assessor can review
  • Documentation must be provided in a format procurement/legal can attach as an annex
  • Logs, change records, and operational controls must be evidenced at tender stage

Procurement handover mapping

Procurement ask What you provide from this kit Output you can attach
"Describe intended purpose and usage limits." Intended purpose framing + scope notes Intended purpose statement + limitations
"Confirm risk tier and why." Risk tier matrix + Annex III condensed list Risk tier rationale memo
"Provide documentation and instructions." Technical File outline + instructions prompts Technical File v1 + Instructions for use section
"Show risk management evidence." Risk Management Log template Risk log v1 (with owners and residual risk)
"Explain data governance." Data Governance Plan template Data governance plan v1
"Clarify provider vs deployer responsibilities." Dual role mapping table (RACI-style) Provider/deployer RACI excerpt
"How do you handle transparency obligations?" Article 50 Decision Record + 3 draft notice templates Transparency decision record + draft notices (Appendix E)
"Provide a risk tier classification document." Risk Tier Rationale Memo — structured for RFP attachment Risk Tier Rationale Memo (Appendix F)
"What is the intended purpose of your AI system?" Intended Purpose Statement with limitations and foreseeable misuse Intended Purpose Statement (Appendix G)
"Demonstrate AI literacy measures (Art. 4)." AI Literacy Evidence Log by role — training records AI Literacy Evidence Log (Appendix I)

This kit is a documentation structure and starting record. It does not replace contract review or legal qualification of risk tier. Procurement clauses and evidentiary standards vary by buyer.

Kit contents

What you actually get

The kit is delivered as a self-serve documentation pack (digital download). The core reference document is provided as HTML and PDF, both included, with all tables and outlines copyable directly into Word, Google Docs, Google Sheets, or internal wikis. Editable templates are provided as separate .docx and .xlsx files for attachment to procurement responses and internal records. Minor updates are delivered as refreshed download links via email.

Core reference documents
ArtifactFormatPurpose
Buyer Edition core document (v1.6, May 2026)HTML/PDFPrimary reference, templates, and filled examples
Evidence context table (sources + disclosure notes)Embedded tableInternal justification for documentation effort
EU AI Act overview: scope + rolesSectioned referenceProvider vs deployer framing; placing on market vs putting into service
Risk tier matrix (Minimal/Limited/High/Unacceptable)Embedded matrixTriage posture and internal alignment
Annex III condensed listEmbedded tableHigh-Risk screening
Conformity assessment overviewFlowchart + notesOrientation for High-Risk route (scope excluded from kit)
Systemic GPAI quick checkChecklist sectionRecords vendor/version/safeguards for GPAI integrations; covers downstream hygiene only
Documentation templates
ArtifactFormatTypical user
Technical File outline (living document structure)Copyable outlineEngineering / compliance
Risk Management Log (incl. residual risk fields)Copyable table (spreadsheet-ready)Compliance / ops
Data Governance Plan templateCopyable outlineData / engineering
Bias testing — what to record (methodology, results, GPAI provider reference)Guidance tableCompliance / ops
Article 50 Transparency Decision RecordCopyable templateCompliance / legal
Article 50 Draft Disclosure Notices — chatbot/conversational AI, deployer-side deepfake or public-interest text disclosure, and "unless obvious" exception documentation. Article 50(2) provider-side synthetic-content marking is a technical marking duty documented through the Article 50 Decision Record, not a substitute UI notice. Commission draft guidelines on Article 50 transparency obligations were published in May 2026. Review the included notices against the draft guidance and the final adopted guidance when available.Copyable noticesCompliance / product
Risk Tier Rationale Memo (RFP-attachable)Fillable memo templateCompliance / procurement
Intended Purpose Statement + LimitationsFillable templateEngineering / compliance
Change Log template (with re-assessment triggers)Copyable tableCompliance / ops
AI Literacy Evidence Log (Art. 4 — per role)Copyable logHR / compliance
Dual role mapping (provider + deployer RACI)RACI-style tableCompliance / ops
Regulatory stack check (GDPR, MDR/IVDR, NIS2, DSA, GPSR)TableLegal / privacy / security
Procurement + operational
ArtifactFormatPurpose
Enterprise Pre-Sale Checklist (RFP)ChecklistStandardises procurement responses and required attachments
0–30–60–90 implementation checklistChecklistStaged plan to produce, review, and maintain artifacts
Support-bot example (Limited Risk) — filled sampleExample tableIllustrates how to fill sections for a common use case
Scoring model example (High Risk) — orientation only, not a compliance templateExample tableIllustrates scope boundaries; not for use as self-assessment basis
Quick-reference timeline (2025–2027 dates)Embedded graphicInternal planning reference
Reference + glossary
ArtifactFormatPurpose
Glossary (19 plain-English terms)ListCommon vocabulary: provider/deployer, intended purpose, GPAI, etc.
Appendix A: public sources registerLink listSource register for traceability; primary EU sources
Update note (delivery policy)Policy blockVersion control expectation and 90-day update window
Optional companion (sidecar guide)

Optional AI-assisted completion companion — a guided sidecar for using approved AI workspaces to draft, evidence-check, red-team, and prepare outputs for human/legal/compliance review.

The companion does not determine risk tier, Article 50 applicability, legal sufficiency, or compliance status. It is a workflow guide, not an AI vendor integration. It is a sidecar guide and does not change the kit's 27 copyable documentation units or 9 separately editable templates.

Implementation sequence

0–30–60–90 day plan

A staged approach to producing a defensible baseline without expanding into High-Risk conformity claims.

  1. Day 0–30 — Establish posture and first-pass documentation

    • Inventory AI use and define intended purpose per system
    • Assign a preliminary risk tier with recorded rationale
    • Create Technical File v1, Risk Management Log v1 (including residual risk), and Data Governance Plan v1
    • Implement and document transparency notices where applicable (Article 50 contexts)

  2. Day 31–60 — Add operational controls and evidence linkage

    • Define oversight and escalation: stop/override procedures, human handoff where relevant
    • Add monitoring signals (drift/low-confidence patterns) and start a change log
    • Record vendor dependencies including GPAI provider/version/terms where applicable
    • Prepare procurement response structure using the Enterprise Pre-Sale Checklist

  3. Day 61–90 — Audit posture and maintenance routine

    • Expand risk scenarios and link mitigations to evidence (tests, logs, reviews)
    • Run an incident tabletop and document outcomes
    • Version the documentation set and retain prior versions for traceability
    • If High-Risk is identified: transition to a specialist High-Risk compliance program (outside this kit's scope)
Alternatives comparison

Why not alternatives

This kit covers the gap between "official guidance exists" and "procurement asks for artifacts."

Alternative Where it fits What it does not give you (in procurement terms)
External legal counsel High-Risk systems; bespoke legal interpretation; contract negotiation A self-serve documentation structure you can iterate internally between reviews
Commission guidance only Authoritative understanding of the regulation A buyer-oriented handover pack and artifact templates that map to procurement asks
ISO/IEC 42001 or NIST AI RMF Governance frameworks for AI risk management EU AI Act Article 50-oriented prompts and procurement-oriented annex packaging
Procurement clause templates alone Understanding buyer expectations A converted internal documentation set; templates require translation into operational artifacts
Do nothing / defer Only defensible if genuinely out of scope and no procurement pressure exists A handover pack when procurement asks for documentation — and some obligations (Art. 4) already apply
Common objections

Addressed directly

Objection Response
"We are Minimal Risk, so there is nothing to do." Minimal risk reduces EU AI Act-specific obligations. It does not remove buyer-side documentation demands. Procurement can require technical documentation, risk records, and handover artifacts as a contractual condition — including for non-high-risk systems.
"We will wait until August 2026." Some obligations already apply, including AI literacy measures (Art. 4, in force Feb 2025). Procurement cycles and customer diligence requests operate on their own timelines. Documentation produced under deadline pressure tends to be inconsistent and difficult to review.
"We will use ISO 42001 or NIST AI RMF instead." Those frameworks are appropriate for governance posture. They do not map 1:1 to EU AI Act transparency contexts and do not produce a procurement-facing artifact pack by default. They can complement this kit; they do not substitute for it in an EU regulatory or procurement context.
"We will hire a lawyer." For High-Risk systems, specialist counsel is the correct route. For Limited/Minimal contexts, legal review is typically more efficient — and less costly — when a structured documentation set already exists. This kit is designed to provide that structure.
"Our vendor provides the AI model, so they handle compliance." Vendor compliance does not remove your obligations as deployer or provider in your own context. You still need an intended purpose statement, transparency approach, operational controls, and a record of vendor/version/safety settings for downstream use.
"We are not EU-based." The EU AI Act can apply based on placing a system on the EU market, putting it into service in the EU, or where outputs are used in the EU. If you sell into the EU or serve EU users, procurement may still require EU AI Act posture documentation.
Pricing

Single price · No tiers · No subscription

€149 one-time purchase · digital download
  • Buyer Edition documentation pack (Kit v1.6, May 2026) — includes the HTML/PDF reference package, 27 copyable documentation units, 9 separately editable templates (.docx/.xlsx), START_HERE guidance, and an optional AI-assisted completion companion
  • Optional AI-assisted completion companion — a guided sidecar for using approved AI workspaces to draft, evidence-check, red-team, and prepare outputs for human/legal/compliance review. The companion does not determine risk tier, Article 50 applicability, legal sufficiency, or compliance status. It is a workflow guide, not an AI vendor integration.
  • All templates and examples (copyable, format-agnostic)
  • Minor updates for 90 days via email — refreshed download links
  • Procurement Handover mapping and RFP checklist
  • No subscription, no recurring charges
  • Single-organisation license (no redistribution)
Purchase and download — €149

Gumroad acts as merchant of record for payment processing, tax handling, and refund execution. Trevam is the content licensor and supplier of the digital product. VAT may apply depending on jurisdiction.

Refund policy. Consumers have a 14-day statutory right of withdrawal for distance contracts. The digital-content waiver exception under TRLGDCU Article 103(m) / Directive 2011/83/EU Article 16(m) is not currently applied at this checkout, so the statutory withdrawal right is preserved for Consumers. Outside the 14-day period, discretionary refunds may be granted for download failure, duplicate purchase, or material defect. Business Customers do not have a statutory withdrawal right. Gumroad handles refund processing as merchant of record. Full terms at Refund policy.

Trust signals

Basis and controls

  • Primary legal anchor. Regulation (EU) 2024/1689 (EU AI Act) is treated as the source text, with terminology aligned to provider/deployer roles, risk tiers, and transparency duties.
  • Procurement anchor. The kit's procurement framing aligns with documented public procurement expectations — documentation, handover, audit/assessment concepts — rather than generic AI governance narratives.
  • Evidence context disclosed. AWS/Strand survey is explicitly disclosed as AWS-commissioned with independent fieldwork by Strand Partners. Qonto × Appinio and Eurostat signals are included to reflect SME capacity constraints.
  • Scope controls are explicit. High-Risk (Annex III) is an exclusion, not a covered category. Systemic-risk GPAI model provider obligations are out of scope.
  • Versioning posture. Kit version and update note are included to support document control and audit trails. Current version: v1.6, May 2026.
  • No data dependency. This kit does not require access to your systems or data. It is a documentation pack you operate internally.
  • Not legal advice. Stated in the product, CTA, FAQ, and footer. No claim of guaranteed compliance anywhere.
FAQ

Frequently asked questions

  • Does this kit make us compliant with the EU AI Act?

    No. It provides general information and a documentation structure. Compliance depends on your system, your context, and your legal interpretation. This is not legal advice.

    No warranty of regulatory compliance is given or implied.

  • Is this for High-Risk (Annex III) systems?

    No. If you are High-Risk, you need a full compliance program and specialist review. The kit can be used only as orientation and to structure early documentation — it does not replace a QMS, Notified Body engagement, or conformity assessment.

  • Do you provide legal review, consulting, or implementation support?

    No. This is a self-serve documentation pack.

  • Does it cover Article 50 transparency obligations?

    It covers the documentation structure and decision prompts needed to implement and record transparency obligations in Limited-risk contexts — including a Decision Record, three draft notice templates, and the "unless obvious" exception. Commission draft guidelines on Article 50 transparency obligations were published in May 2026. Review the included notices against the draft guidance and the final adopted guidance when available. It does not provide jurisdiction-specific legal determinations. Buyers remain responsible for monitoring European Commission guidance and relevant national authority interpretations.

  • Can I use AI to help complete the kit?

    Yes. The kit includes an optional AI-assisted completion companion for approved AI workspaces. It helps structure drafting, evidence-gap checks, red-team review, and handover into the editable templates. It does not determine risk tier, Article 50 applicability, legal sufficiency, or compliance status.

  • What formats do I receive?

    Digital documents containing copyable tables, checklists, and examples. Compatible with Word, Google Docs, Google Sheets, and internal wikis.

  • What if we integrate a large GPAI model (API or hosted)?

    The kit includes a GPAI quick check and record prompts: vendor, version, terms, enabled safeguards, and your downstream safeguards (transparency, oversight, logging, prohibited uses). It covers downstream integration hygiene — not provider-level obligations for systemic-risk GPAI models.

  • How does this interact with GDPR, MDR/IVDR, NIS2, or DSA?

    The kit includes a regulatory stack check to flag overlaps with other EU frameworks. It does not replace sector-specific compliance work.

  • What are the risks of inaccurate documentation?

    Art. 99(5) of the AI Act makes providing incorrect, incomplete, or misleading information to authorities a distinct infringement, subject to fines up to €7.5M or 1% of global annual turnover (Art. 99(5) tier — distinct from the Art. 99(4) transparency tier of €15M/3%). The obligation is not only to document, but to document accurately. This kit provides structure and templates; the accuracy of the content entered is the operator's responsibility.

  • Are updates included?

    Minor updates for 90 days are delivered via email with refreshed download links, per the kit update policy. For regulated contexts, retain prior PDF versions for audit trail purposes.

  • Can I share this with my team?

    Yes. The license covers use by a single individual or one organisation, including internal sharing with employees or contractors working under your control.

  • Can I use this for client work (agency or consultant)?

    The base licence does not authorise use of the kit to produce deliverables for external clients, nor repeated multi-client reuse. Client deliverables, consultant use, agency use, law/compliance firm use, or repeated multi-client reuse require an extended licence. Contact hello@trevam.com.

  • Does this kit cover "AI agents"?

    The term "AI agent" is widely used in the market but is not a primary legal category under the EU AI Act. The Act assigns obligations based on role (provider, deployer, importer, distributor) and risk tier — not on whether a system is marketed as an "agent." If you deploy or procure systems described as AI agents, the kit helps you map the applicable obligations to your actual role and context.

Purchase and download — €149

If you are preparing a procurement response, a customer due-diligence pack, or an internal EU AI Act documentation baseline for Limited/Minimal risk systems.

Purchase and download — EU AI Act Kit (Buyer Edition) — €149

Not legal advice. If your system is High-Risk (Annex III), use this kit only to structure early documentation and then engage specialist counsel for the full conformity route.