Independent verification for high-stakes AI

Deploy AI you can trust.
Even what you can't control.
Verified, continuously.

Your AI makes decisions and takes actions no one fully watches. We connect to your agents and your stack and continuously prove how they actually behave — so you can put AI you don't fully control into production without it becoming an incident, a blocked launch, or a lost deal. Independent, third-party proof — because you can't sign your own homework, and the platform that built your agent can't either.

Unblock stalled launches · Incidents caught, not shipped · Verified, not vouched for

Your stack: Repository · Model registry · AI agents · Wiki & docs · Monitoring
Extract · Draft · Verify
Assurance
Insured (soon): Underwritten
Ratified (pilot): Independent sign-off
Dossier (now): Verified

Selected companies the team has worked with

Siemens AG · Siemens Energy · Allianz · Metro · Deutsche Bahn

Why launches stall

Your AI is done. The paperwork is why it isn't live.

No regulator ships a Word file labelled Annex IV. The regulation names the headings and leaves the structure, the evidence, the prose, and the cross-references to you — same with GDPR Art. 35, DORA Arts. 5–14, and NIS2 Arts. 20–23. Every way of producing it is slow — which is exactly why your model is sitting in review.

A

Build it in-house

200–350 hours of engineering and legal time pulled off the roadmap — months of calendar time, and still no structured Annex IV at the end.

B

Hire a Big-4

€150k+ and 12–16 weeks — a full quarter — for a slide deck and a Word document, not the structured technical file the regulation asks for.

C

Buy an AI-governance platform

€20–80k/year, and it still doesn't write your Annex IV. Your team types it into a dashboard — more work, more delay — and no one verifies a line.

The fast path · Annexo

We write it, verify it, and get you out of review.

We read your stack and hand your board the one document it needs to clear the launch — one evidenced dossier across all four regulations, every claim traced back to your own systems. A platform is a dashboard you fill in; Annexo drafts it and verifies every line, so legal can sign in five business days instead of a quarter. Verification isn't the brake. It's what clears the runway.

Book a scoping call

Continuous agent monitoring

Don't vouch for your AI agents. Prove them.

Every other tool automates the paperwork and asks everyone to trust it. We connect to your live agents and continuously prove how they behave — guardrails, prompt-injection resistance, logging, Art. 50 disclosure — each mapped to the obligations it must meet, and watched for drift as your estate changes. That evidence is what lets you turn an agent on, and what lets you sell it to a regulated buyer.

Proof you can demonstrate — not trust you assert.

Open the live console
Annexo Fleet · live demo
Agents monitored: 3 (generative / agentic)
Conformity posture: Largely current (fleet index 84/100)
Open items: 2 (surfaced for review)
AdvisorCopilot · Art. 50 · drift
CreditGuard · Art. 15 · current
CollectionsAI · Art. 12 · review
+ 3 more systems

Five days to cleared

Seven steps. Five days. You sign, you ship.

Click any step. We do the work end to end and hand you an audit-ready dossier; your compliance officer reviews and signs — and you're clear to deploy.

Step 1 · Day 0 · 20 min

Connect

GitHub or GitLab deploy key. A scoped API token for your model registry. Viewer access to one wiki space and your monitoring dashboard. Read-only throughout — we never write to your systems.

Artefacts produced: Deploy key · Registry token · Wiki viewer · Monitoring viewer

The deliverable

One file.
Four regulations.
Ready to ship.

A combined PDF your signatory reviews and machine-readable JSON for your GRC pipeline — with a provenance pointer on every claim, back to the source you control, so sign-off is a formality, not a fact-finding mission.

  • Part 01
    EU AI Act Annex IV
    30–60 pages · 13 sections · the flagship
  • Part 02 (opt.)
    GDPR Article 35 DPIA
    8–15 pages · cites your DPIA
  • Part 03 (opt.)
    DORA ICT-Risk
    10–20 pages · cites your ICT register
  • Part 04 (opt.)
    NIS2 Cybersecurity
    8–15 pages · cites your controls catalogue
  • Combined
    Cover letter · Findings · Provenance
    Ready for your compliance officer to sign

Coverage

Four regulations, covered in one pass — not four projects.

Four binding regulations, one cross-referenced file — so you're not running four separate compliance projects while the launch waits. Each maps to the exact articles you have to satisfy, and to the artifacts we hand you for them.

EU AI Act · phasing in
Reg. (EU) 2024/1689 · Annex IV · Arts. 9–15
Annex IV technical file · Risk-management system · Data governance · Human oversight · Accuracy & robustness

GDPR · in force
Reg. (EU) 2016/679 · Art. 35 · Art. 30
Data-protection impact assessment · Records of processing · Lawful-basis mapping

DORA · in force
Reg. (EU) 2022/2554 · Arts. 5–14
ICT risk-management framework · Incident classification · Third-party ICT register

NIS2 · transposed
Dir. (EU) 2022/2555 · Arts. 20–23
Cyber risk-management measures · Management accountability · Incident notification

One cross-referenced file · Mapped
Binding regulation: EU AI Act (2024/1689) · GDPR (2016/679) · DORA (2022/2554) · NIS2 (2022/2555)
Aligned standard: ISO 42001 · NIST AI RMF · EDPB · ENISA

What the dossier covers

Every obligation documented — so review can't stall on a gap.

These are the EU AI Act's obligations for high-risk systems — Articles 9 to 15, the Annex IV technical file, and Article 72 post-market monitoring. Your dossier documents each one with a provenance pointer back to your own systems, so a reviewer checks a claim in seconds instead of sending it back for evidence.

EU AI Act · Chapter III · Documented

  • Risk management · Art. 9
  • Data governance · Art. 10
  • Technical docs · Art. 11 · Annex IV
  • Transparency · Art. 13
  • Human oversight · Art. 14
  • Accuracy & robustness · Art. 15
  • Cybersecurity · Art. 15

Article references are to Regulation (EU) 2024/1689 — the EU AI Act. Each area is drafted and verified against the binding text.

Reads from the stack you already run — read-only, no rebuild

GitHub · GitLab · OpenAI · Anthropic · LangChain · CrewAI · Google Cloud · Docker · Kubernetes · Python · PyTorch · TensorFlow · Hugging Face · MLflow · Jupyter · Datadog · Grafana · Confluence

Ways to work with Annexo

Hand it over, or watch it yourself.

The same verified engine and provenance trail, two ways — a done-for-you dossier that gets your launch unblocked, and continuous monitoring that keeps it clear as you ship. You choose how much you hand over, and where the responsibility sits.

Available now
Done-for-you

Dossier

We produce your signed EU conformity dossier — Annex IV, plus GDPR, DORA and NIS2 — from your code and documents, so your launch isn't waiting on it. Audit-ready in five business days.

We do the work; you sign as the provider. We're not a notified body, so the legal responsibility stays with you — and we make that signature defensible with structure and provenance on every claim.

  • One signed PDF + machine-readable JSON
  • Verified rule by rule against the regulation
  • A provenance pointer on every claim
  • Independent legal review available as an add-on

In development
Continuous

Fleet

Connect your repositories. Annexo inventories every AI system you ship, classifies each against the Act's risk tiers, and gives you a per-model breakdown you can drill into — model type, inputs, GDPR exposure, and exactly how the classification was reached.

Scan continuously, not once. A system's purpose, data and audience drift over time — responsible operators re-check on a cadence, not because compliance forces them to, but because it's how a serious company runs.

  • Repo-wide model inventory
  • Risk distribution across your whole fleet
  • A per-model template — drill into any decision
  • Re-scans as your systems change

Example fleet — 6,004 models · 5,982 minimal-risk · 5 high-risk · drill into any one
Preview the live dashboard

Now / next

Today the dossier. Next, the guarantee.

Right now Annexo delivers the done-for-you dossier. Next we're building two layers on top — independent ratification, then an insurance-backed guarantee — so “verified” also means “underwritten.” We're opening a limited pilot.

Available now

Dossier

The done-for-you EU conformity dossier — Annex IV plus GDPR, DORA and NIS2. Audit-ready in five business days.

Pilot · 2026

Ratified

An independent EU AI Act specialist reviews and signs off your dossier — an assurance opinion your board and buyers can stand behind.

In development

Insured

An insurance-backed guarantee wrapped around the ratified dossier — so procurement's “who's liable if it's wrong?” finally has an answer.

Help shape the pilot.

We're opening a limited pilot for the ratified and insured tiers. Register your interest — no commitment, and it helps us build the right thing.

Request early access

Ratification is an independent assurance opinion, not a regulatory certification or notified-body approval. Insurance cover is in development with risk partners and not yet available. Pilot places are limited.

  • Independent: Third-party verified, never self-issued
  • 4 regulations: Covered in one signed file (AI Act · GDPR · DORA · NIS2)
  • 12–16 weeks saved: A quarter back on your roadmap (vs. a Big-4 engagement)
  • 5 business days: From first call to audit-ready (Scoping → audit-ready PDF)

One 30-minute call, and your launch is moving again.

We confirm your Annex III category, the regulations in scope, and your four sources — then you decide. No commitment until you sign the engagement letter, and five business days later your dossier is audit-ready.

Annexo

Ship high-risk AI without the wait — verified EU conformity, in weeks not quarters.

Not legal services

Annexo is not a law firm and does not provide legal services or legal advice. Annexo is not a notified body and does not certify conformity — the dossier is the technical documentation a notified body, regulator, or auditor would read. Your authorised signatory reviews and self-certifies; an independent regulatory legal review is available as an optional add-on.

© 2026 Annexo