Conformity assessment for high-risk AI systems — 2026-06-16
TL;DR — The EU AI Act requires high-risk AI system providers to demonstrate compliance through conformity assessment before placing systems on the market. This involves technical documentation, risk management procedures, testing, performance monitoring, and either third-party notified body review or internal quality assurance depending on the risk category. Providers must maintain records, ensure transparency with users, and conduct post-market surveillance. Non-compliance carries significant penalties.
What triggers conformity assessment under the EU AI Act?
The EU AI Act requires conformity assessment for all AI systems classified as "high-risk." These include systems that pose significant risks to fundamental rights, safety, or health—such as biometric identification, critical infrastructure management, education and employment, and law enforcement applications. Before placing any high-risk system on the market or putting it into service, providers must complete a full conformity assessment process.
Which conformity assessment routes are available?
High-risk AI systems may follow one of two routes:
- Third-party conformity assessment — An independent notified body (appointed by member states) reviews the system's documentation, testing, and risk management.
- Internal quality assurance — For certain lower-complexity high-risk systems, providers may conduct in-house assessment if they meet enhanced quality management requirements.
The specific route depends on the system's risk profile and intended use.
What must be included in technical documentation?
Technical documentation must detail:
- System architecture, training data, and algorithms
- Intended purpose and foreseeable misuse scenarios
- Risk management procedures and mitigation measures
- Testing and validation results
- Performance metrics across different population groups
- Human oversight and override mechanisms
- User instructions and transparency information
- Post-market monitoring plans
Documentation must be complete, accurate, and available in an official EU language.
What are the ongoing obligations after conformity assessment?
Compliance does not end at assessment. Providers must:
- Conduct post-market surveillance to detect risks or performance degradation
- Monitor for biases or discriminatory outcomes
- Maintain quality management systems throughout the product lifecycle
- Report incidents to authorities if high-risk systems cause harm
- Update documentation when material changes occur
- Retain records for inspection by regulators
These obligations ensure systems remain compliant and safe throughout their operational life.
Are there recent updates to conformity assessment procedures?
Yes. Following simplification measures announced in June 2026, certain aspects of conformity assessment have been streamlined to reduce unnecessary administrative burden on providers while maintaining oversight. Details on implementation timelines and affected categories should be monitored through EU regulatory guidance.
Frequently asked questions
Q: Do all AI systems need conformity assessment?
A: No. Only high-risk systems (as defined in the Act) require full conformity assessment. Prohibited and limited-risk systems have different requirements.
Q: What happens if I place a high-risk system on the market without conformity assessment?
A: This is a serious violation. The EU AI Act provides for substantial administrative fines (up to 6% of global annual turnover for large providers) and the system may be withdrawn from the market.
Q: Can I self-certify high-risk systems?
A: Most high-risk systems require third-party notified body review. Internal quality assurance is permitted only for specific lower-risk categories within the high-risk classification and must meet strict conditions detailed in the Act.
Q: How long is conformity assessment valid?
A: Assessment is not time-limited, but systems must be continuously monitored. Material changes to system design, training data, or use case require re-assessment.
Q: What is a notified body?
A: A notified body is an independent third-party organization designated by an EU member state to assess compliance. Lists of notified bodies are published by member states and the European Commission.
Sources
- Regulation (EU) 2024/1689 (EU AI Act)
- Press release - Artificial intelligence: press conference on simplification measures
This article is informational and does not constitute legal advice. Consult qualified counsel for your specific situation.