v2.4.0 | Report Errata
docs governance docs governance

FTE per System

Resource estimation for a single medium-complexity high-risk system typically requires approximately 0.5 FTE for the AI System Assessor (classification, risk assessment, AISDP compilation, conformity assessment), 0.3 FTE for the Technical SME (engineering evidence, technical queries, testing), 0.1 FTE for the Legal and Regulatory Advisor (legal review, cross-regulatory coordination, Declaration review), and 0.1 FTE for the AI Governance Lead (governance decisions, gate approvals, Declaration signing).

These estimates cover the initial AISDP preparation period (20–28 weeks). Ongoing compliance requires approximately 0.2 FTE for the Assessor (PMM review, AISDP updates, annual re-assessment), 0.1 FTE for the Technical SME (monitoring support, change assessment), and smaller allocations for legal and governance oversight.

Factors that increase effort include GPAI model integration with limited disclosures (add 3–6 weeks), brownfield systems with limited documentation (add 4–10 weeks), biometric identification requiring notified body assessment (add 6–12 weeks), and multi-jurisdiction deployment (add 2–4 weeks). Factors that decrease effort include well-documented explainable models (reduce Phase 3 by 1–2 weeks) and reusable artefacts from comparable systems (reduce total effort by 20–30%).

Key outputs

  • Per-role FTE estimates for initial preparation and ongoing compliance
  • Effort adjustment factors (increasing and decreasing)
  • Basis for programme budgeting
  • Cross-cutting resource planning

Duration: 20–28 Weeks

Total elapsed time from initiation to production deployment is typically 20 to 28 weeks for a medium-complexity high-risk system with cooperative stakeholders. Phases overlap: risk assessment informs architecture, which informs development, which begins before risk assessment is fully complete. The timeline assumes the organisation has established foundational infrastructure (version control, CI/CD, monitoring) before commencing the system-specific workflow.

Where foundational infrastructure must be built concurrently, add 8 to 16 weeks; this investment benefits all subsequent systems. The timeline also assumes that stakeholders (Business Owner, Technical SME, Legal counsel) are available when needed; stakeholder availability bottlenecks are one of the most common causes of timeline overrun.

For brownfield systems, the timeline depends on the gap assessment results. A system with substantial existing documentation may require 12 to 16 weeks of remediation; a system with minimal documentation may require 24 to 36 weeks.

Key outputs

  • 20–28 week baseline for medium-complexity greenfield systems
  • Adjustment factors for infrastructure build, brownfield, and stakeholder availability
  • Phase overlap enabling parallel execution
  • Basis for deployment timeline planning

Cost: €150K–400K Initial; €50K–150K Annual

The fully loaded cost (personnel, tooling, infrastructure, external support) for preparing an AISDP for a medium-complexity high-risk system ranges from EUR 150,000 to EUR 400,000 for initial preparation, with annual ongoing compliance costs of EUR 50,000 to EUR 150,000. These figures vary widely by jurisdiction, organisation size, and system complexity.

The initial cost includes personnel time (the largest component), tooling licences (GRC platforms, monitoring infrastructure, testing frameworks), external support (legal counsel, notified body fees where applicable, translation), and infrastructure (evidence repository, monitoring stack, CI/CD enhancements). Annual ongoing costs include PMM operation, quarterly governance reviews, annual re-assessment, regulatory monitoring, evidence currency maintenance, and operator training refreshers.

The AI Governance Lead validates these estimates against the organisation’s specific circumstances during Phase 1. For organisations with existing GRC infrastructure, monitoring capabilities, and compliance teams, the incremental cost may fall at the lower end. For organisations building compliance capability from scratch, the cost may exceed the upper estimate.

Key outputs

  • EUR 150K–400K initial preparation cost range
  • EUR 50K–150K annual ongoing compliance cost range
  • Cost components identified (personnel, tooling, external, infrastructure)
  • AI Governance Lead validation during Phase 1

Multi-Jurisdiction Incremental Costs

Multi-jurisdiction deployment adds incremental costs per jurisdiction: translation of Instructions for Use and the Declaration of Conformity (EUR 10,000–30,000 initial per five-language deployment, EUR 3,000–10,000 annual), regulatory monitoring (scaling with the number of jurisdictions tracked), local legal counsel for jurisdiction-specific guidance review, incident response capability across time zones and languages, and deployer support varying by jurisdiction.

The AI Governance Lead estimates incremental costs per jurisdiction and factors them into the deployment business case. A phased rollout strategy (deploying to a small number of member states first, then expanding) manages cost exposure while building operational maturity.

The total multi-jurisdiction premium for a five-state deployment typically adds 15–25% to the base compliance cost. Organisations deploying across ten or more states should budget for a dedicated multi-jurisdiction coordination function.

Key outputs

  • Per-jurisdiction incremental cost estimation
  • 15–25% premium for five-state deployment
  • Phased rollout as cost management strategy
  • Dedicated coordination function for 10+ state deployments
On This Page