The EU AI Act is now in staged application, and the dates moved in 2026. Prohibited-practice rules applied from 2 February 2025 and general-purpose AI (GPAI) model obligations from 2 August 2025. The Digital Omnibus political agreement reached on 7 May 2026 postpones the high-risk obligations for stand-alone Annex III systems to 2 December 2027 (and AI embedded in regulated products to 2 August 2028), while pulling content-transparency and watermarking duties to 2 December 2026. Those deferrals take legal effect only once the Omnibus is adopted and published in the Official Journal, expected before 2 August 2026, so 2 August 2026 remains an active deadline until then. This directory tracks firms that help enterprises classify systems, build documentation, and prepare for conformity assessment. No firm pays for placement.
Scoping is the work most buyers underestimate. The Act is risk-tiered: prohibited uses, high-risk systems (Annex III areas such as employment, credit, biometrics, and critical infrastructure), limited-risk systems with transparency duties, and minimal-risk. A defensible engagement starts with an AI inventory and a per-system risk classification, because the obligations, costs, and deadlines differ sharply by tier. Firms that begin with tooling before classification tend to over-engineer low-risk systems and under-document the high-risk ones that actually carry exposure.
Provider versus deployer status changes everything. Building or substantially modifying a high-risk system makes you a provider, with duties spanning a risk-management system, data governance, technical documentation, logging, human oversight, and conformity assessment. Merely using a third-party system makes you a deployer, with lighter but real obligations. GPAI model providers carry separate transparency and, for systemic-risk models, additional duties. Most enterprises are deployers of many systems and providers of a few; the consultancy's job is to draw that line cleanly. Compare related work in AI governance consulting, AI bias auditing services, and AI red teaming.
Evidence is the deliverable that matters. Conformity assessment, whether self-assessment or notified-body involvement, rests on technical documentation, data-governance records, and post-market monitoring that must be produced on demand. Big Four firms (PwC, Deloitte, KPMG, EY) are strongest where AI risk meets audit and board reporting; specialists such as Holistic AI, Credo AI, and Saidot bring deeper testing and governance tooling. For overlap with other regimes see CCPA/CPRA consulting and CSRD reporting services. To assess the underlying models, see the AI and machine learning category, best AI/ML for enterprise, and best AI/ML for financial services.
Tell us what you're evaluating and we'll send a tailored shortlist of vendors that actually fit — no vendor funding, no pay-to-play.
6,000+ vendors · 893 comparisons · 48 country guides · Independent & vendor-neutral