← All EU AI Act guides

Conformity Assessment For High-Risk AI Systems

Conformity assessment for high-risk AI systems

TL;DR — Under the EU AI Act, high-risk AI systems must undergo conformity assessment before deployment. Providers must demonstrate compliance with mandatory requirements including risk management, data quality, transparency, and human oversight. Assessment involves technical documentation, testing, and often third-party evaluation. Non-compliance risks substantial fines. Conformity assessment procedures vary by system type and risk level.


What are high-risk AI systems under the EU AI Act?

Under Regulation (EU) 2024/1689, high-risk AI systems are those that pose significant risk of harm to fundamental rights, safety, or legal interests. These include systems used in critical infrastructure, employment, education, law enforcement, migration, and essential services. The Act establishes a risk-based approach with defined Annex III categories. Providers must identify whether their systems meet these criteria before proceeding with conformity assessment obligations.

Which conformity assessment procedures apply to my AI system?

The EU AI Act establishes two primary conformity assessment routes for high-risk systems:

  • In-house assessment: Provider conducts full technical documentation and testing internally.
  • Third-party assessment: An independent notified body reviews compliance and issues a conformity assessment report.

The applicable procedure depends on the system type and risk profile. Most high-risk AI systems require third-party involvement. Technical documentation, risk management plans, and test results form the core of all assessments.

What mandatory requirements must high-risk AI systems meet?

High-risk systems under the EU AI Act must comply with:

  • Risk management system: Systematic identification and mitigation of foreseeable risks.
  • Data quality: Training, validation, and test data must be appropriate, representative, and documented.
  • Transparency and documentation: Technical documentation, instructions for use, and record-keeping.
  • Human oversight: Mechanisms ensuring human intervention and control.
  • Accuracy, robustness, and cybersecurity: Testing against identified risks and adversarial inputs.
  • Monitoring and logging: Post-deployment performance tracking and incident reporting.

What documentation is required for conformity assessment?

Regulation (EU) 2024/1689 requires comprehensive technical documentation including:

  • System description and intended purpose.
  • Risk management documentation and mitigation strategies.
  • Data sourcing, labelling, and quality assurance processes.
  • Model training, validation, and testing methodologies.
  • Performance metrics and accuracy assessments.
  • Human oversight procedures and fail-safe mechanisms.
  • Post-deployment monitoring and incident reporting protocols.
  • Instructions for use in plain language.

Documentation must be kept for at least five years after market exit. Notified bodies assess completeness and accuracy during third-party evaluation.

What are the timelines for conformity assessment?

The EU AI Act enters full application on 2 July 2026. High-risk AI systems must achieve conformity before that date or face market restrictions. Timelines vary based on assessment type:

  • In-house assessment: Typically 3–6 months, depending on system complexity.
  • Third-party assessment: Often 6–12 months, pending notified body availability and documentation quality.

Providers should initiate assessment processes immediately to meet the July 2026 deadline. Early engagement with notified bodies is advisable given anticipated demand.

What happens after successful conformity assessment?

Upon successful assessment, providers must:

  • Affix the EU conformity mark to the system or packaging.
  • Draw up a conformity declaration stating compliance with the EU AI Act.
  • Maintain technical documentation and assessment records.
  • Implement post-deployment monitoring and reporting procedures.
  • Notify competent authorities of serious incidents or non-compliance.
  • Apply for updates if the system or requirements materially change.

The conformity mark signals compliance but does not guarantee market acceptance in all jurisdictions. Ongoing monitoring and record retention remain mandatory throughout the system's lifecycle.

What are the consequences of non-compliance?

Regulation (EU) 2024/1689 establishes tiered administrative fines for violations:

  • Up to €20 million or 4% of global annual turnover for failure to comply with core requirements (risk management, transparency, documentation).
  • Up to €15 million or 3% of global annual turnover for incomplete or false documentation.
  • Up to €10 million or 2% of global annual turnover for other violations.

Penalties apply per infringement. Market bans, product recalls, and reputational damage are additional consequences. Competent authorities conduct audits and investigations.


Frequently asked questions

Q: Do all AI systems require conformity assessment?

A: No. Only high-risk AI systems listed in Annex III or posing documented high risk require conformity assessment. Lower-risk systems have lighter obligations (transparency, record-keeping). Prohibited systems cannot be deployed.

Q: Can I use an external consultant to prepare conformity documentation?

A: Yes. Many providers engage consultants, AI auditors, and legal advisors to prepare documentation. However, the provider remains legally responsible for accuracy and compliance. Final accountability lies with the provider, not the consultant.

Q: What if my AI system uses a third-party model?

A: Responsibility depends on your role. If you deploy a third-party model as-is, you may benefit from the provider's documentation. If you fine-tune, integrate, or modify it, you assume conformity obligations. Document the provenance and changes clearly.

Q: Are there exemptions for research or small providers?

A: The EU AI Act permits certain research activities outside its scope. Small providers face the same conformity obligations but may access support programmes. No blanket exemptions exist for company size.

Q: What should I do now, before July 2026?

A: Begin by identifying whether your systems are high-risk. Engage notified bodies to discuss assessment routes. Compile technical documentation, conduct internal risk assessments, and implement required safeguards. Plan for third-party involvement early to avoid last-minute delays.


Sources

[1] Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 September 2024 laying down harmonised rules on artificial intelligence and amending Directives 2000/85/EC and 2013/34/EU, and Regulation (EU) 2019/1020. Official Journal of the European Union. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R