
EU AI Act Conformity Assessment: A Practical Guide

A step-by-step enterprise guide to the EU AI Act conformity assessment for high-risk AI — CE marking, notified bodies, and the procedure.

Updated: 31 May 2026

The EU AI Act conformity assessment is the moment abstract compliance becomes a gate on shipping. From 2 August 2026, a high-risk AI system cannot lawfully be placed on the EU market or put into service unless it has passed conformity assessment, carries CE marking, and is registered in the EU database. This is a product-compliance regime borrowed from the world of machinery and medical devices — and most AI teams have never run one. This guide walks through the procedure end to end, the way we run it on client engagements.

TL;DR / Key takeaways

  • High-risk AI (Annex III) conformity assessment is mandatory from 2 August 2026; finish months earlier, because Annex IV documentation and testing are slow.
  • For most Annex III systems the route is internal control (self-assessment) when harmonised standards apply; a notified body is required mainly for certain biometric systems and regulated-product safety components.
  • The output chain is fixed: requirements → technical documentation → assessment → EU declaration of conformity → CE marking → EU database registration → post-market monitoring.
  • The provider owns the assessment, not the deployer. Get the role mapping right first, especially across a supply chain.
  • Non-conformity exposes you to fines up to EUR 15M or 3% of global turnover; prohibited practices reach EUR 35M or 7%.

Why this is a product-compliance problem, not a policy memo

The AI Act deliberately models high-risk AI on the EU's New Legislative Framework — the same machinery that governs CE-marked products like medical devices and lifts. That has a concrete consequence: conformity is something you demonstrate with evidence and declare under your own legal liability, not something you assert in a policy. The CE mark you eventually affix means the system conforms to all applicable Union legislation, so an AI system embedded in a regulated product has to reconcile the AI Act with its sectoral directive.

Before any of this matters, you must be certain the system is in scope. If you have not yet confirmed classification, start with our Annex III high-risk classification guide — the assessment procedure only applies to high-risk systems, and misclassifying a system either way is expensive.

Step 1 — Fix the actor roles before anything else

The single most common mistake we see is teams running an assessment for a system where they are not actually the provider. The Act assigns obligations by role:

| Role | Who they are | Conformity assessment duty |
| --- | --- | --- |
| Provider | Develops the system or has it developed and places it on the market under its own name | Owns and runs the conformity assessment, signs the declaration, affixes CE marking |
| Deployer | Uses the system under its own authority in a professional context | No conformity assessment; has operational duties (human oversight, monitoring, logs) |
| Importer | Places a third-country provider's system on the EU market | Verifies the provider completed assessment; cannot place a non-conforming system |
| Distributor | Makes the system available without being provider/importer | Verifies CE marking and documentation exist |

A deployer can become a provider — for example, if you fine-tune or substantially modify a third-party model and put your name on it, or repurpose a system for a high-risk use. Map this honestly across your supply chain, because the duty travels with the role, not the org chart.

Step 2 — Implement the Section 2 requirements (the substance)

There is no point assessing conformity before the system actually conforms. The requirements in Chapter III, Section 2 are what you are being assessed against:

  1. Risk management system — a continuous, documented process across the lifecycle, not a one-off workshop.
  2. Data and data governance — training, validation, and test data quality, representativeness, and bias examination.
  3. Technical documentation — the Annex IV dossier (Step 3 below).
  4. Record-keeping / logging — automatic event logging for traceability.
  5. Transparency and information to deployers — clear instructions for use.
  6. Human oversight — measures that let a human meaningfully intervene.
  7. Accuracy, robustness, and cybersecurity — declared performance metrics and resilience.

Wrap these in a quality management system. This is also where ISO/IEC 42001, the AI management-system standard, earns its keep: it gives you the governance scaffolding — risk management, documentation control, monitoring — that maps almost one-to-one onto these requirements, so you are not building the machinery twice.

Step 3 — Compile the Annex IV technical documentation

The technical documentation is the spine of the assessment; without it the system simply cannot be lawfully placed on the market. It must be drawn up before market placement and kept current for ten years. At minimum it covers the system description and intended purpose, the development process and design choices, the data used, performance and accuracy metrics, the risk management results, and the post-market monitoring plan.

This is the most underestimated work item by far. We have delivered Annex IV dossiers for clients where the engineering was sound but the evidence was scattered across notebooks, wikis, and people's heads — assembling and structuring it took longer than building the controls. Do not start this in July 2026. Our technical documentation template gives you a structure to populate as you build, rather than reconstructing it retrospectively.

Step 4 — Choose and run the conformity procedure

Now the assessment itself. Two routes exist, and choosing correctly is a compliance decision, not a convenience one:

| Route | When it applies | What it requires |
| --- | --- | --- |
| Internal control (Annex VI) | Most Annex III high-risk systems, where harmonised standards or common specifications are applied | Provider self-assesses against the requirements; no third party involved |
| Notified body (Annex VII) | Certain biometric systems; where harmonised standards are not applied; regulated-product safety components whose sectoral law mandates third-party assessment | Independent notified body examines the QMS and/or technical documentation and issues a certificate |

The practical lever here is harmonised standards. Where they exist and you apply them, you get a presumption of conformity and can typically self-assess. Where they do not yet exist or you deviate, your risk and burden rise — and for some categories a notified body becomes mandatory regardless. Raise the question of notified-body capacity early; designated bodies for AI are still a constrained resource.

Step 5 — Declare conformity and affix CE marking

On a successful assessment, the provider:

  1. Draws up the written EU declaration of conformity, taking legal responsibility for compliance.
  2. Affixes the CE marking to the system, its documentation, or packaging — visibly and legibly.
  3. Reconciles the CE mark with any other Union legislation the product falls under, so a single mark covers all applicable regimes.

The declaration is not paperwork theatre — it is the legal instrument by which your organisation assumes liability. Sign it with the same seriousness you would a financial attestation.

Step 6 — Register, then monitor for life

Before market placement, register the system in the EU high-risk AI database. After it ships, the obligations continue:

  • Post-market monitoring — a documented plan to collect and analyse real-world performance.
  • Serious-incident reporting to authorities within the prescribed timelines.
  • Substantial-modification control — a substantial change to intended purpose or compliance triggers a new conformity assessment. Continuous-learning behaviour that was pre-determined in the technical documentation does not, which is exactly why disciplined versioning matters.

This is where many programmes quietly fail: they treat CE marking as a finish line rather than a checkpoint. Conformity is a state you maintain, not an event you complete.

A realistic timeline

Working backwards from 2 August 2026, the documentation and testing dominate the critical path:

| Phase | Indicative effort |
| --- | --- |
| Classification and role mapping | Weeks |
| Implementing Section 2 requirements + QMS | Months |
| Compiling Annex IV documentation | Months (parallel) |
| Running the assessment (+ notified body lead time if applicable) | Weeks to months |
| Declaration, CE marking, registration | Weeks |

If a notified body is in scope, add their queue time on top — which is why role and route decisions belong at the very start. For the full cross-functional view, pair this with our August 2026 readiness checklist.

Where teams get it wrong

  • Starting from documentation, not requirements. You cannot document conformity into existence.
  • Assuming self-assessment by default. Confirm whether your category forces a notified body before you plan.
  • Forgetting the provider/deployer line. Fine-tuning or rebranding a model can quietly make you the provider.
  • Treating CE marking as the end. Post-market monitoring and substantial-modification rules run for the system's life.

The conformity assessment rewards organisations that treat AI as a regulated product engineering discipline. The ones who built risk management, logging, and documentation into delivery from the start will assess in weeks; the ones reconstructing evidence after the fact will not make the date.

FAQ

What is a conformity assessment under the EU AI Act?

It is the formal procedure by which a provider demonstrates that a high-risk AI system meets the requirements of Chapter III, Section 2 of the EU AI Act before it is placed on the market. The procedure ends with an EU declaration of conformity, CE marking, and registration in the EU database. For most Annex III systems it is a self-assessment based on internal control; some categories require a notified body.

When must high-risk AI systems complete conformity assessment?

High-risk obligations under Annex III apply from 2 August 2026. From that date, a high-risk AI system placed on the EU market or put into service must have completed its conformity assessment, carry CE marking, and be registered in the EU database. Plan to finish the assessment well before that, because technical documentation and testing take months.

Do we need a notified body, or can we self-assess?

Most Annex III high-risk systems use the internal-control route (self-assessment) when harmonised standards or common specifications are applied. A notified body is required mainly for certain biometric systems and where a system is a safety component covered by sectoral product legislation that already mandates third-party assessment. The provider, not the deployer, runs the assessment.

What does CE marking an AI system actually involve?

After a successful conformity assessment, the provider draws up a written EU declaration of conformity, affixes the CE marking to the system or its documentation and packaging, and registers the system in the EU high-risk AI database. The CE mark signals conformity with all applicable Union legislation, not only the AI Act, so existing product directives must be reconciled.

What are the penalties for placing a non-conforming high-risk AI system on the market?

Non-compliance with the high-risk requirements can attract fines up to EUR 15 million or 3% of total worldwide annual turnover, whichever is higher. Engaging in prohibited AI practices is sanctioned more severely, up to EUR 35 million or 7% of turnover. Supplying incorrect information to authorities or notified bodies carries its own penalty tier.

How does ISO/IEC 42001 relate to the conformity assessment?

ISO/IEC 42001 is the AI management-system standard. It does not replace the conformity assessment, but a certified AI management system gives you the governance backbone — risk management, documentation control, post-market monitoring, human oversight — that the Act's requirements demand. In practice it makes assembling and maintaining the conformity evidence far less painful.

What happens when we substantially modify a high-risk AI system after CE marking?

A substantial modification that changes the intended purpose or affects compliance with the requirements triggers a new conformity assessment for the modified system. Continuous-learning systems whose behaviour was pre-determined in the technical documentation are not automatically treated as substantially modified. Version control and a clear change-management process are essential to track this.


Running a high-risk AI system through conformity assessment before August 2026 is a cross-functional engineering programme, not a checkbox. If you want senior architects who have assembled Annex IV dossiers and run these procedures end to end, see our AI and data platform engineering services.
