AI Act and ISO 42001 compliance cost for SMEs in 2026

·

When the director of a Spanish SME starts receiving questions from clients about the AI Act or ISO 42001, the first practical question is always the same: «How much is this going to cost me?». The honest answer is that it depends on several factors, but market ranges in 2026 are now stable enough to provide useful indicative figures. This article details them, explains what each cost item includes, and describes the factors that push the price up or down.

What is AI technical governance and why does it have its own cost?

The Regulation (EU) 2024/1689 on Artificial Intelligence — known as the AI Act — establishes differentiated obligations according to the risk level of the AI system. Most SMEs do not develop AI systems classified as high risk in the strict sense of the regulation (those listed in Annex III: credit, employment, critical infrastructure, justice…), but they do use tools that fall under the limited or minimal risk category. Even so, the AI Act imposes horizontal obligations on all AI deployers: from acceptable use policies to human oversight mechanisms and incident registers.

The standard ISO 42001:2023 — AI Management System — is the certifiable standard that provides the internal control framework to meet those obligations in an auditable way. It is not legally mandatory, but an increasing number of corporate clients and public procurement bodies require it as evidence of maturity. AI technical governance is, in short, the set of policies, controls, records, and processes an organisation needs to implement in order to operate AI responsibly, traceably, and in compliance with regulations.

This technical work is distinct from legal advice on the AI Act (which falls within the remit of legal consultancy) and also distinct from ISO 42001 certification itself (which is issued by an external accredited body such as AENOR, Bureau Veritas, or SGS). Technical governance is the internal preparation: system inventory, risk analysis, technical controls, documentation, and training.

Indicative price ranges in the Spanish market (2026)

The prices handled in the market for AI technical governance projects in SMEs with between 20 and 250 employees in Spain are structured at three levels according to scope:

Project level Typical scope Estimated duration Consulting fee range
Basic level AI system inventory, AI Act risk classification, acceptable use policy, senior management training 6–10 weeks €4,500 – €9,000
Intermediate level All of the above + documented technical controls, incident registers, human oversight procedure, Fundamental Rights Impact Assessment (FRIA) where applicable 3–5 months €12,000 – €22,000
ISO 42001 certification level Full implementation of the AI Management System + internal audit + preparation for external certification audit 6–10 months €18,000 – €40,000

Reference sources for these ranges: ISACA market reports (2025), ASTIC annual IT fee survey, and benchmarks published by specialist consulting firms in the US and EU (Oliver Wyman AI Governance Report 2025, PwC AI Regulations Survey 2025). The ranges exclude the external certification audit fee, which is independent and invoiced directly by the certification body.

On top of these consulting fees, where applicable, you must add the cost of the ISO 42001 certification audit. In the Spanish market, bodies such as AENOR, Bureau Veritas, or SGS charge between €3,000 and €8,000 for the initial Stage 1 and Stage 2 audit of an SME, plus annual surveillance costs. This varies according to the number of employees, the complexity of the scope, and the number of declared AI systems.

Factors that push the price up or down

Number and complexity of AI systems in use

The primary cost driver is the system inventory. An SME that only uses standard SaaS tools with integrated AI (Microsoft Copilot, a commercial chatbot, data analysis tools) has a much more limited scope than a company that has developed or customised its own models, or that uses AI in processes affecting people (candidate selection, internal credit scoring, fraud detection). The more systems there are, the more hours of analysis and inventory are required.

Risk level of systems under the AI Act

The AI Act classifies AI systems into four levels: unacceptable risk (prohibited), high risk (strict obligations), limited risk (transparency obligations), and minimal risk (no specific obligations). If any of the company's systems falls into the high-risk category under Annex III of the regulation, compliance costs multiply: extensive technical documentation must be produced, conformity assessments must be carried out, the system must be registered in the EU database, and periodic reviews are required.

Prior documentary maturity of the organisation

A company that already has an Information Security Management System (ISO 27001) or a Quality Management System (ISO 9001) in place starts with an advantage: it already has documentary structures, internal audit procedures, and a culture of internal control. The implementation effort for ISO 42001 is reduced because the frameworks are compatible and many controls are reusable. In companies with no prior certification, the project starts from scratch and costs increase.

Need for technology adaptations

Technical governance is not just paperwork. In many cases it requires implementing real controls in systems: logs of automated decision records, manual override mechanisms, bias filters, model drift controls, or integrations between platforms to achieve traceability. Each technical adaptation adds development hours that go beyond pure consulting fees. If the project requires engineering work, the overall budget can grow by 30% to 80% compared to the pure consulting cost.

Team size and scope of training

The AI Act requires that people who operate AI systems have adequate training. The larger the number of employees who use or supervise AI tools, the more training sessions are required. A team of 5 people using AI internally has very different training needs from a company with 80 users spread across multiple departments.

What a well-executed AI technical governance project includes

Regardless of the price range, a rigorous AI Act and ISO 42001 technical compliance project should cover these phases:

  1. Inventory and classification: Identify all AI systems in use or under development, classify their risk level under the AI Act, and determine whether the company acts as a provider, deployer, or both.
  2. Gap analysis: Compare the current state against the requirements of the AI Act and ISO 42001 to identify missing controls.
  3. Control design and implementation: Draft acceptable use policies, human oversight procedures, incident mechanisms, and decision records.
  4. Training and awareness: Train senior management and operational users on obligations, risks, and procedures.
  5. Internal audit and certification preparation: Verify the effectiveness of controls before the external audit if the goal is ISO 42001 certification.

Is ISO 42001 certification worth it for an SME?

The answer depends on the sector and client profile. In 2025 and 2026, demand for ISO 42001 certification is growing especially in three segments:

For companies outside these profiles, the basic or intermediate level — without formal certification — may be sufficient to comply with the legal obligations of the AI Act and to document commitment to clients. Formal certification is a commercial differentiator, not a universal requirement.

AI Act timelines: when do you need to be compliant?

The AI Act entered into force on 1 August 2024, but its application is phased:

Date What comes into application
2 February 2025 Prohibition of unacceptable risk systems (subliminal manipulation, mass social scoring, etc.)
2 August 2025 Obligations for general-purpose AI models (GPAI), including high-impact models such as those trained with more than 10^25 FLOPs
2 August 2026 Full application for high-risk AI systems (Annex III) and obligations for deployers
2 August 2027 Extension to high-risk AI systems already on the market before August 2026 (existing products)

For most SMEs, the critical milestone is August 2026. With a minimum six-month margin to implement controls, the window to start the project is open now. Basic-level projects can be completed in 6–10 weeks; ISO 42001 certification projects require between 6 and 10 months. Starting today means comfortably meeting the deadline.

The difference between AI Act legal compliance and ISO 42001 certification

It is a common mistake to confuse the two. The AI Act is positive European law: non-compliance carries sanctions of up to €35 million or 7% of global turnover, depending on the infringement. ISO 42001 is voluntary: no one can fine you for not being certified. What the standard provides is a structured framework that makes it easier to demonstrate compliance with the AI Act and other governance obligations to clients, auditors, and supervisory authorities.

In other words: you can comply with the AI Act without ISO 42001, but certification gives you the documentation that the regulator might ask for. At Summum IA we support companies on both paths: technical compliance with the regulation and, when the client decides, ISO 42001 certification with an accredited body of their choice.

Frequently asked questions

Does an SME that only uses ChatGPT or Copilot have obligations under the AI Act?

Yes, although they are lighter obligations. As a deployer of a general-purpose AI system, the SME must ensure that its employees receive adequate training, that use is within the provider's terms and conditions, and that a human oversight mechanism exists for relevant decisions. In addition, if the system is used in limited-risk contexts (for example, chatbots interacting with customers), there are transparency obligations: informing the user that they are interacting with AI.

How long does it take to recoup the cost of AI technical governance?

There is no universal formula, but the clearest return vectors are: avoiding sanctions (which in serious cases can be disproportionate for an SME), winning tenders where evidence of governance is required, and reducing reputational risk in the event of an AI incident (discriminatory decision, data leak from AI-processed data, etc.). In B2B sectors with large clients, ISO 42001 certification can be the factor that unlocks contracts that would otherwise be lost at the supplier qualification stage.

Does ISO 42001 certification also cover the protection of data processed by AI?

ISO 42001 covers AI system governance, not data protection in the broad sense. For personal data processed by AI, compliance with the GDPR remains necessary, and, where applicable, the privacy-by-design requirements that the AI Act imposes on high-risk systems. In comprehensive projects, it is common to address both layers in coordination: AI governance (ISO 42001 + AI Act) and data protection (GDPR + impact assessments). If your company needs to align both frameworks, the Summum Consultoría team can advise you on the GDPR legal side in parallel with the technical project.

Can I fund this project with public subsidies?

In 2025–2026 there are several applicable funding lines. The Kit Consulting programme from Red.es allows financing of between €12,000 and €24,000 in strategic consultancy for SMEs with between 10 and 249 employees (the maximum of €24,000 applies to the 100–249 employee segment), and AI governance falls within the eligible scope as advanced digital transformation consultancy. There are also regional calls in Castilla y León and the Canary Islands for digitalisation and technological innovation projects. Check with your grants manager how each call fits your company's profile before committing your own budget.