For high-risk AI providers · before 2 August 2026

Your EU conformity dossier, audit-ready. From your code.

We read your repo, model registry, wiki, and monitoring, then produce one PDF across EU AI Act, GDPR, DORA, and NIS2 — structured, evidenced, and ready for your compliance officer to sign. In five business days.

Done for you, not a dashboard · Audit-ready, full provenance · 5 business days
Your stack: Repository · Model registry · Wiki & docs · Monitoring
Extract → Draft → Verify
Audit-ready dossier: EU AI Act · GDPR · DORA · NIS2
Coverage

One corpus, mapped to every framework that matters.

The four binding regulations sit at the centre. Around them, the standards your auditor, your insurer, and your board increasingly expect — all cross-referenced in one dossier.

EU AI Act · Annex IV · Arts. 9–15, 72 · binds Aug 2026
GDPR · Art. 35 DPIA · in force
DORA · Arts. 5–14 ICT-risk · in force
NIS2 · Arts. 20–23 · transposed
Mapped frameworks: EU AI Act · GDPR · DORA · NIS2 · ISO 42001 · NIST AI RMF · EDPB · ENISA
The problem

Annex IV doesn’t exist as a template you fill in.

No regulator publishes a Word file labelled Annex IV. The regulation names the headings and leaves the structure, the evidence, the prose, and the cross-references to you — and the same is true of GDPR Art. 35, DORA Arts. 5–14, and NIS2 Arts. 20–23. So how do you actually produce one?

A

Build it in-house

200–350 hours of engineering + legal time. No structured Annex IV, no provenance trail, no audit-ready output.

B

Hire a Big-4

€150k+ and 12–16 weeks for a slide deck and a Word document — not a structured technical-documentation file.

C

Buy an AI-governance platform

€20–80k/year. Useful for inventory, but the platform doesn't write your Annex IV. You still type it into a dashboard, and no one verifies it.

A platform is a dashboard you fill in. Annexo does the work for you.

The workflow

Seven steps. Five days. You sign at the end.

We do the work end to end and hand you an audit-ready dossier; your compliance officer reviews and signs.

Step 1 · Day 0 · 20 min

Connect

GitHub or GitLab deploy key. A scoped API token for your model registry. Viewer access to one wiki space and your monitoring dashboard. Read-only throughout — we never write to your systems.

Artefacts produced
Deploy key · Registry token · Wiki viewer · Monitoring viewer
The deliverable

One PDF.
Four regulations.
Your signature.

A combined PDF for human reading and machine-readable JSON for your GRC pipeline. A provenance pointer on every claim, all the way back to the source you control.

  • Part 01
    EU AI Act Annex IV
    30–60 pages · 13 sections · the flagship
  • Part 02 (opt.)
    GDPR Article 35 DPIA
    8–15 pages · cites your DPIA
  • Part 03 (opt.)
    DORA ICT-Risk
    10–20 pages · cites your ICT register
  • Part 04 (opt.)
    NIS2 Cybersecurity
    8–15 pages · cites your controls catalogue
  • Combined
    Cover letter · Findings · Provenance
    Ready for your compliance officer to sign
Theses

Why this matters now.

Thesis i

The AI Act is not a future problem.

Enforcement begins 2 August 2026, and Big-4 engagement queues are already filling for Q1 2026. Your dossier needs to be drafted now to be ready then.

Thesis ii

Done-for-you beats a dashboard.

A governance platform makes your team do the work inside a tool. Annexo does the work itself and hands you an audit-ready document — structured, evidenced, and ready to sign.

Thesis iii

You sign, because the regulation says you sign.

The AI Act (Art. 47 / Annex VI), GDPR (Art. 35), DORA, and NIS2 all make the provider or controller the signer. We make that signature defensible with structure and provenance; an independent legal review is available as an add-on.

days left
Until the AI Act applies in full
2 Aug 2026 · Art. 113

4 regulations
Covered in one signed PDF
AI Act · GDPR · DORA · NIS2

€35M or 7 %
Maximum AI Act fine
Whichever is higher · Art. 99

5 business days
Median dossier turnaround
Scoping → audit-ready PDF

One 30-minute call. We agree the scope.

We confirm your Annex III category, the regulations in scope, and your four sources. You decide whether to proceed. No commitment until you sign the engagement letter.

Annexo

EU conformity dossiers for high-risk AI systems.

Annexo is not a notified body. The atomic-rule corpus is candidate-stage pending expert legal review. This site is not legal advice.

© 2026 Annexo