
EU AI Act for founders: a 2026 readiness checklist

The EU AI Act is in active rollout. Here is what is in force already, what kicks in on 2 August 2026, what classifies as high-risk, and the practical readiness checklist for product teams.

Published 2026-05-06 · Updated 2026-05-06 · 11 min read
Tags: EU AI Act, Compliance, EU, AI governance

The EU AI Act (Regulation (EU) 2024/1689) entered into force on 1 August 2024 and is rolling out in phases through 2027. As of mid-2026, prohibited practices and General-Purpose AI (GPAI) provider obligations are already in force, and the high-risk system rules apply from 2 August 2026 — making this the year founders building AI products into the EU need to have their compliance posture in place.

This post is a practical walkthrough: what the Act covers, what is in force when, what classifies as high-risk, and a readiness checklist that gets you to a defensible posture without burning weeks on legal review you do not yet need.

The phased timeline

The Act applies in phases. The dates that matter:

  • 1 August 2024: Regulation entered into force
  • 2 February 2025: Prohibited AI practices banned (Article 5); AI literacy obligations begin (Article 4)
  • 2 August 2025: GPAI provider obligations apply (Articles 53-55); governance bodies established
  • 2 August 2026: High-risk AI system obligations apply (Articles 8-25); transparency obligations for limited-risk systems (Article 50)
  • 2 August 2027: High-risk obligations extend to AI used as a safety component in regulated products (Annex I)

For most product teams in 2026, the practical question is: does your system fall under the high-risk classification, and if so, are you ready for the 2 August 2026 application date? The answer determines the scope of your readiness work.

Risk categories

The Act defines four risk categories. Your obligations scale with category:

Prohibited practices (Article 5)

These are banned outright. Examples: AI systems that deploy subliminal manipulation causing harm; social scoring by public authorities; real-time remote biometric identification in publicly accessible spaces (with narrow exceptions); emotion recognition in workplaces and education; untargeted scraping of facial images for facial-recognition databases. If your product does any of these, the Act does not allow you to operate it in the EU regardless of any safeguards you add.

High-risk (Annex III)

AI systems used in eight specifically-listed areas, including: biometric categorisation; critical infrastructure (water, energy, transport); education and vocational training (admissions, evaluation); employment (recruitment, performance evaluation); access to essential services (credit scoring, insurance pricing, public benefits); law enforcement (risk assessment, evidence assessment); migration and border control; administration of justice and democratic processes. Most B2B SaaS products are not in this list. Most credit / insurance / HR-tech products are.

Limited-risk (Article 50 transparency obligations)

AI systems that interact with people, generate synthetic content, perform emotion recognition, or do biometric categorisation outside the prohibited cases. These have transparency obligations: users must know they are interacting with AI, AI-generated content must be marked, deepfakes must be labelled.

Minimal-risk

Everything else. No specific obligations under the Act, though general principles (and other regulations like GDPR) still apply. Most spam filters, recommender systems, and routine business AI tools fall here.

How to classify your system

A practical classification process:

  1. Read Article 5 carefully. If your product touches any of the prohibited practices, you have an existential decision to make about EU operation.
  2. Check Annex III against your product. The list is specific. If you are not in one of the eight areas, you are not high-risk under Annex III. The risk category does not depend on how "AI-heavy" the product feels — only on whether it falls in the listed areas.
  3. Check Annex I (regulated products). If your AI is a safety component in a product already regulated under listed Union harmonisation legislation (medical devices, machinery, toys, etc.), the high-risk classification applies via Annex I rather than Annex III.
  4. If neither Annex applies, check Article 50. Determine whether the limited-risk transparency obligations apply (chatbots, generative AI, deepfakes, etc.).
  5. If none of the above applies, you are minimal-risk. Document the reasoning anyway — regulators may ask, and a five-page memo prepared in advance is much cheaper than a scramble during enforcement.

High-risk system obligations (the big one)

If your system is high-risk under Annex III or Annex I, the obligations from 2 August 2026 are substantial. The core articles:

  • Article 9 — Risk management. Continuous risk-management process across the system's lifecycle.
  • Article 10 — Data governance. Training, validation, and test data sets must meet quality criteria, with attention to representativeness and bias.
  • Article 11 — Technical documentation. Documentation set out in Annex IV, kept current.
  • Article 12 — Record-keeping. Automatic logging of events sufficient to reconstruct what happened (the article that motivates the audit-log architecture in our CARAG paper).
  • Article 13 — Transparency to deployers. Clear instructions for use, capabilities, limitations, expected accuracy.
  • Article 14 — Human oversight. Effective oversight measures throughout the lifecycle, including the ability for a human to intervene or override.
  • Article 15 — Accuracy, robustness, cybersecurity. Appropriate levels for the intended use, with resilience against errors and attacks.
  • Articles 16-25 — Provider obligations. Quality management, conformity assessment, EU declaration of conformity, CE marking, registration in the EU database, post-market monitoring.

GPAI provider obligations

If you train and place on the EU market a general-purpose AI model — typically a foundation LLM, image generator, or similar — you are a GPAI provider under Articles 53-55 (in force since 2 August 2025). Obligations include: maintain technical documentation, publish a sufficiently-detailed summary of training content, comply with EU copyright law in training data, implement an authoritative copyright-opt-out mechanism. Models with "systemic risk" (very large) have additional obligations including model evaluations, incident reporting, and cybersecurity protections.

Most product teams are not GPAI providers — you are deployers using GPAI models from OpenAI / Anthropic / Mistral / Meta. Your obligations as a deployer depend on whether your downstream system is high-risk. The model providers carry the GPAI obligations themselves.

Extraterritorial reach

The Act applies to providers and deployers established outside the EU when the output of their AI system is used in the EU (Article 2). A US-incorporated SaaS whose AI feature is used by EU customers is in scope, even though the company is not in the EU. This is the same extraterritorial structure as GDPR. Non-EU companies serving EU users should not assume the Act does not apply to them.

Penalties

Article 99 sets the penalty ceiling at the higher of €35M or 7% of global annual turnover for prohibited-practice violations, scaling down to lower tiers for other violations. The structure mirrors GDPR penalties. Enforcement is by the relevant national supervisory authority of each Member State, with EU-level coordination via the AI Board and the AI Office at the European Commission.

A practical 2026 readiness checklist

For founders building or shipping AI products into the EU in 2026, this is the realistic order of work:

Phase 1 — classification (1-2 weeks)

  1. Map every AI feature in your product
  2. Run each one through the classification process above
  3. Document the classification reasoning per feature, with the Article 5 / Annex III / Annex I / Article 50 cross-reference
  4. Get the document reviewed by a qualified counsel or your DPO if you have one

Phase 2 — minimal-risk and limited-risk readiness (2-4 weeks)

  1. For limited-risk systems: implement Article 50 transparency. Users interacting with AI must be informed; AI-generated content must be marked.
  2. For all systems: implement Article 4 AI literacy measures for staff using or developing AI.
  3. For all systems: ensure the GDPR posture is also in order — see our GDPR + LLMs guide.

Phase 3 — high-risk readiness (8-16 weeks)

Only if your classification puts you in Annex III or Annex I. The work is substantial:

  1. Establish a risk management process (Article 9)
  2. Document data governance: training, validation, test data quality (Article 10)
  3. Build out technical documentation per Annex IV (Article 11)
  4. Implement automatic event logging sufficient to reconstruct decisions (Article 12)
  5. Document transparency to deployers — capabilities, limitations, expected accuracy (Article 13)
  6. Design and validate human-oversight measures (Article 14)
  7. Demonstrate accuracy, robustness, and cybersecurity for the intended use (Article 15)
  8. Conformity assessment per Articles 43-49 (third-party body required for some categories)
  9. EU declaration of conformity, CE marking, registration in the EU database
  10. Post-market monitoring and incident-reporting workflows

Phase 3 is real work, and most teams building high-risk products underestimate it. For any system already in production, start no later than 12 weeks before the 2 August 2026 application date.

How this interacts with GDPR

The AI Act and GDPR are complementary, not redundant. GDPR governs personal data; the AI Act governs AI systems. Most production AI products fall under both. The overlap to watch:

  • Article 22 GDPR + AI Act high-risk. Automated decision-making with legal effect under Article 22 GDPR almost always overlaps with high-risk AI under Annex III.
  • DPIA + Fundamental Rights Impact Assessment. The AI Act introduces a fundamental rights impact assessment (FRIA) for some deployers of high-risk systems. It can be combined with the GDPR DPIA but is not identical.
  • Audit log obligations. Article 12 AI Act and Article 30 GDPR (records of processing) both motivate a log infrastructure, with overlapping but not identical requirements.
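Article 12 (Phase 3, step 4 above) and the audit-log overlap with GDPR Article 30 both come down to the same engineering requirement: an append-only record of what the system was asked, which model version answered, what it answered, and who intervened afterwards, in a form that lets you reconstruct a decision later and prove nobody edited the record. The following Python is an added example written for this post; it is not code from the page, from the CARAG paper or from Insightrix. The system id, event names, case id and applicant fields are constructed placeholders. It stores a digest of the input rather than the input itself, so the log carries little personal data and the system of record remains the single place that data lives.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS_HASH = "0" * 64


def _canonical(obj) -> bytes:
    # Deterministic serialisation so the same record always hashes the same way.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class DecisionLog:
    """Append-only, hash-chained log of the events around one AI system's decisions.

    Each record holds the model version, a SHA-256 digest of the input (not the raw
    personal data, which stays in the system of record), the output, the acting
    party and the previous record's hash. The chain lets you reconstruct the
    sequence behind a decision and detect any after-the-fact edit.
    """

    def __init__(self, system_id: str):
        self.system_id = system_id   # hypothetical identifier for the deployed system
        self._records = []

    def append(self, event: str, model_version: str, input_payload, output,
               actor: str = "system", case_id: str = None, ts: str = None) -> str:
        prev_hash = self._records[-1]["hash"] if self._records else GENESIS_HASH
        record = {
            "seq": len(self._records),
            "ts": ts or datetime.now(timezone.utc).isoformat(),
            "system_id": self.system_id,
            "event": event,                    # e.g. inference, human_review, override
            "model_version": model_version,
            "input_sha256": hashlib.sha256(_canonical(input_payload)).hexdigest(),
            "output": output,
            "actor": actor,
            "case_id": case_id,
            "prev_hash": prev_hash,
        }
        record["hash"] = hashlib.sha256(_canonical(record)).hexdigest()
        self._records.append(record)
        return record["hash"]

    def verify(self):
        """Walk the chain. Returns (True, None) or (False, index of first bad record)."""
        prev_hash = GENESIS_HASH
        for i, rec in enumerate(self._records):
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(_canonical(body)).hexdigest()
            if rec["seq"] != i or rec["prev_hash"] != prev_hash or rec["hash"] != expected:
                return False, i
            prev_hash = rec["hash"]
        return True, None

    def reconstruct(self, case_id: str):
        """Every event recorded for one case, in the order it happened."""
        return [r for r in self._records if r["case_id"] == case_id]

    def records(self):
        return list(self._records)


def build_sample_log() -> DecisionLog:
    """Constructed sample: an automated credit decision, a human review, then an override."""
    log = DecisionLog("credit-scoring-v2")
    # Constructed applicant data; in a real system only the digest reaches the log.
    applicant = {"applicant_ref": "app-0001", "income_band": "B", "history_months": 18}
    log.append("inference", "model-2026.04", applicant,
               {"score": 512, "decision": "decline", "threshold": 600},
               case_id="app-0001", ts="2026-08-03T09:15:00+00:00")
    log.append("human_review", "model-2026.04", applicant,
               {"reviewer_note": "income evidence received after scoring"},
               actor="reviewer:jd", case_id="app-0001", ts="2026-08-03T10:02:00+00:00")
    log.append("override", "model-2026.04", applicant,
               {"decision": "approve", "overrides_seq": 0},
               actor="reviewer:jd", case_id="app-0001", ts="2026-08-03T10:05:00+00:00")
    return log


def detect_tampering(log: DecisionLog, seq: int, new_output) -> tuple:
    """Edit one stored record in place (simulating tampering) and report what verify() finds."""
    log._records[seq]["output"] = new_output
    return log.verify()


if __name__ == "__main__":
    log = build_sample_log()
    print("chain intact:", log.verify())
    for rec in log.reconstruct("app-0001"):
        print(rec["seq"], rec["ts"], rec["event"], rec["actor"], rec["output"])
    print("after edit:", detect_tampering(log, 1, {"reviewer_note": "edited"}))
```

In production the chain head would be anchored somewhere the application cannot write (a periodic signed checkpoint, or a write-once store), since an attacker who can rewrite the whole list can also recompute every hash; the in-memory chain shown here only demonstrates the record shape and the verification walk. The `override` record pointing back at `seq` 0 is what gives an Article 14 human-oversight intervention a durable trace alongside the decision it reversed.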

Common founder misconceptions

  • "Our AI feature is too small to be high-risk." Risk classification depends on the use case, not the size of the feature. A small AI feature in HR-tech can be high-risk; a large AI feature in unrelated B2B SaaS may be minimal-risk.
  • "We use OpenAI / Claude so we are covered." The model provider's GPAI compliance does not cover your obligations as a deployer. If your downstream system is high-risk, you carry the deployer obligations regardless of whose model you use.
  • "We are not based in the EU so the Act does not apply." Article 2 extraterritoriality. If your output is used in the EU, the Act applies to you.
  • "We will worry about it after we have product-market fit." Deferring is reasonable for minimal-risk systems. For high-risk systems shipping to EU users in 2026, deferring is operationally infeasible — the documentation and process work is too substantial to compress to days.
  • "The penalties are too high to actually be enforced." The early GDPR years showed the same skepticism. By 2024 GDPR fines were in the €1B+ aggregate range. The AI Act follows the same enforcement model.

Where to look for authoritative guidance

For the latest authoritative position, the sources to track:

  • European Commission — AI Office publications and guidelines
  • EUR-Lex — full text of Regulation (EU) 2024/1689
  • CNIL (France), ICO (UK), Garante (Italy), AEPD (Spain), CNPD (Luxembourg), and other national supervisory authorities — sector-specific guidance
  • European Data Protection Board (EDPB) — joint GDPR + AI Act guidance
  • Standards bodies — CEN-CENELEC harmonised standards under preparation for the Act

The regulatory landscape is moving. Treat any blog post (including this one) as a starting point, not a substitute for current authoritative sources or qualified counsel.

Bottom line

The EU AI Act is in active rollout, and 2 August 2026 is the operationally important date for most product teams. The work needed is proportional to your risk classification: minimal-risk products need a documentation memo; limited-risk products need transparency mechanisms; high-risk products need a substantial compliance posture covering risk management, documentation, logging, oversight, and conformity assessment. Insightrix Sovereign AI structures EU AI Act-aligned deployments; the CARAG research paper demonstrates the kind of architecture Article 12 record-keeping motivates. For binding guidance, consult a qualified counsel or your supervisory authority.

Editorial content. Informational only — not legal, financial, or professional advice.


Aru Bhardwaj

Fractional CTO architecting sovereign AI systems for startups and scale-ups across Europe. Custom ML, agentic RAG, and secure LLM infrastructure. 7+ years turning complex data into production intelligence.


© 2026 Insightrix SASU. All rights reserved. Aru Bhardwaj, Fractional CTO & AI Strategist
