
EU AI Act Provider Obligations: A Practical Checklist

Guide · 23 May 2026 · 11 min read · 2,204 words

EU AI Act Article 16 lists 13 provider obligations: QMS, Annex IV file, conformity assessment, DoC, CE marking, registration. Deadline 2 December 2027.

Article 16 of Regulation (EU) 2024/1689 is the master list of provider obligations — it does not define requirements itself but points outward to a dozen others. Miss any of them and the fine ceiling is €15 million or 3% of worldwide annual turnover, whichever is higher (Article 99(4)). Stand-alone high-risk AI systems must comply from 2 December 2027 under the Digital Omnibus agreed in May 2026; Annex I product-embedded systems from 2 August 2028. That is not a reason to wait — the documentation alone takes months to assemble properly.

This checklist walks through each Article 16 obligation in sequence and flags the decisions that trip up first-time providers.


Who Is a Provider?

Under Article 3, a provider is any natural or legal person that develops a high-risk AI system — or has one developed — and places it on the market under its own name or trademark. A SaaS company shipping a recruitment screener is a provider. So is an in-house team that builds a creditworthiness model and deploys it internally.

Article 25 can shift the provider role onto a party that was originally a deployer or distributor — if you put your name on a third-party system, substantially modify it, or change its intended purpose, you step into the provider's shoes with all the obligations that follow.


The Article 16 Checklist

Article 16 lists the provider's obligations by reference. Below is each item, with the underlying article expanded.

1. Ensure the system meets Section 2 requirements (Articles 8–15)

Before placing a high-risk system on the market, you must verify it meets the substantive requirements in Chapter III, Section 2: a risk management system (Article 9); data governance (Article 10); technical documentation (Article 11); automatic log generation (Article 12); transparency to deployers, including instructions for use (Article 13); human oversight design (Article 14); and adequate accuracy, robustness, and cybersecurity (Article 15). Article 8 is the chapeau that ties them together.

Documenting each requirement as you build is the only workable approach. Assembling evidence after the fact rarely survives a market surveillance inspection.

2. Affix your name, trademark, and contact details (Article 16(b))

Every high-risk AI system must carry the provider's name (or trademark) and a contact address. This applies to the system and all technical documentation — regulators use it to identify who is responsible when something goes wrong.

3. Establish a Quality Management System — Article 17

Your QMS must span the full development lifecycle: design specifications, development methodology, testing and validation, risk management, change management, post-market monitoring, and incident reporting. Article 17(1) lists the required elements. ISO/IEC 42001 maps closely to this structure and is a useful reference. For companies with fewer than 250 employees, Article 17(3) permits simplified documentation — but simplified does not mean absent.

4. Prepare technical documentation — Article 11 / Annex IV

Technical documentation is the backbone of the compliance file. Annex IV specifies the required contents: a general system description and intended purpose; a detailed description of the architecture, algorithms, and data; monitoring and control information; the conformity assessment procedure; the Declaration of Conformity; and post-market monitoring data once the system is live. This documentation must be retained for ten years after market placement (Article 18) and must be available in an EU official language upon request from a market surveillance authority.

5. Keep automatically generated logs — Article 19

Where the system automatically generates logs, you must retain them for at least six months — longer where other Union law requires it. Routine data-deletion cycles that wipe logs before six months are a recurring gap in market surveillance inspections.

6. Conduct the conformity assessment — Article 43

Before market placement, you must complete a conformity assessment. For most Annex III categories this is an internal self-assessment (Annex VI route): check the system against each requirement, document the evidence, record the outcome. Annex III point 1 — biometric identification, biometric categorisation, and emotion recognition where it is not already prohibited — generally requires the Annex VII notified-body route instead.

The assessment is not a one-time archive exercise. It must be repeated whenever a substantial modification (Article 3(23)) affects the system's risk profile or intended purpose.

7. Issue the EU Declaration of Conformity — Article 47

Once the conformity assessment is complete, you draw up the Declaration of Conformity (DoC) under Article 47. It identifies the system and provider, states that Regulation (EU) 2024/1689 requirements are met, references the conformity assessment procedure, and carries the provider's signature (Annex V specifies the required contents). Issuing a DoC for a non-conforming system attracts the Article 99(5) tier: up to €7.5 million or 1%.

8. Apply CE marking — Article 48

After a valid conformity assessment and DoC, affix the CE marking to the system, or where impractical, to its packaging or accompanying documentation. Article 48 requires it to follow the general principles of Regulation (EU) 765/2008. It cannot be applied before the conformity assessment is complete — it is the visible signal that the provider claims conformity.

9. Register in the EU database — Article 49

High-risk AI systems must be registered before market placement. Article 49 sets out the obligation; Article 71 establishes the database itself. Registration is public. Annex VIII specifies the required information: provider identity, intended purpose, risk category, conformity assessment status, and DoC reference. A system claiming the Article 6(3) exemption must still register — the exemption is not a registration waiver.

10. Take corrective action when a non-conforming system is on the market — Article 20

If you learn that a deployed system does not conform to requirements, you must act without delay: take corrective measures, withdraw, or recall as necessary, and notify deployers. Where the non-conformity risks fundamental rights, notify the relevant market surveillance authority. A documented corrective-action procedure — built from your Article 72 monitoring and deployer-feedback channels — is both required and good practice.

11. Demonstrate conformity on request

Article 16(j) requires providers to demonstrate conformity whenever a national competent authority asks. The authority can request any document in the technical file, access to the QMS, and evidence of the conformity assessment. This is not negotiable, and a response is typically expected within ten working days.

12. Accessibility — Article 16(k)

Where Union or national law requires accessibility for persons with disabilities, accompanying documentation and instructions for use must comply. Build this into the QMS design checklist from the start.

13. Appoint an authorised representative if outside the EU — Article 22

Providers established outside the EU must designate an authorised representative before market placement. The representative is established in the EU, named in the DoC, holds the technical documentation, and is the single contact point for market surveillance authorities. The mandate must be in writing — this is not a formality.


The Article 6(3) Exemption: Worth Documenting Carefully

Not every system in an Annex III area is high-risk. Under Article 6(3), a system escapes classification if it satisfies any one condition: narrow procedural task; improving a previously completed human activity; detecting decision patterns without replacing human assessment; or preparatory work for a human decision. Any system that profiles natural persons is always high-risk regardless.

The exemption requires full documentation and Article 49 registration. It is a lighter path through the framework, not an exit from it.


Post-Market Obligations: Articles 72 and 73

Compliance does not end at market placement. Article 72 requires providers to monitor the system's performance in real-world conditions — collecting data, detecting performance drift, and identifying risks that did not surface during pre-market testing. Article 73 governs serious incident reporting: where a high-risk system causes or contributes to death, personal injury, damage to critical infrastructure, or a serious breach of fundamental rights, the provider reports to the market surveillance authority of the member state where the incident occurred. The post-market monitoring plan is part of Annex IV — it must exist before launch.


The Role-Shift Under Article 25

Article 25 is the rule that catches companies at the boundary of provider and deployer. A deployer that affixes its name to a high-risk system, substantially modifies it (Article 3(23)), or changes its intended purpose steps into the provider role — and inherits the full Article 16 checklist. Companies wrapping third-party AI services in a proprietary interface and marketing the result under their own brand frequently trigger this without realising it.


Penalties and the Proportionality Cap

Violations of provider obligations fall under Article 99(4): up to €15 million or 3% of total worldwide annual turnover, whichever is higher. Under Article 99(6), for smaller companies and start-ups the fine is the lower of the two figures — 3% of €2 million turnover is €60,000, well below €15 million. The cap does not reduce the obligation; it reduces exposure if you do not comply. Supplying misleading information to authorities or notified bodies is the separate Article 99(5) tier: up to €7.5 million or 1%.


How Confir Helps

Working through the Article 16 checklist across multiple systems produces a substantial documentation burden. Confir structures the full provider obligation stack — classifying each system under Articles 5 and 6, deriving the applicable role, and driving a structured assessment across AIRC (risk classification), AITR (data and technical robustness), AITO (transparency and oversight), and AIGM (governance and post-market monitoring). For provider-role systems it generates the Article 11 / Annex IV technical documentation pack and the Article 47 / Annex V Declaration of Conformity. The engine is rule-based and deterministic: same inputs, same output, every time.


Frequently Asked Questions

What is the difference between a provider and a deployer under the EU AI Act? A provider (Article 16) develops a high-risk AI system and places it on the market under its own name — bearing the full obligation stack: QMS, technical documentation, conformity assessment, DoC, CE marking, and registration. A deployer (Article 26) uses a third-party system professionally; its obligations are lighter — follow the instructions, keep logs for six months (Article 26), and monitor performance. Most companies that buy AI tools are deployers; SaaS companies shipping AI features to customers are typically providers.

When do provider obligations apply under the Digital Omnibus timeline? Stand-alone Annex III high-risk systems must comply from 2 December 2027; high-risk AI embedded in regulated products (Annex I — medical devices, machinery) from 2 August 2028. Both dates replaced the original 2 August 2026 deadline under the political agreement of May 2026. Penalties under Article 99 have applied since 2 August 2025.

Do I need a notified body for the conformity assessment? For most Annex III categories, no. Article 43 permits internal self-assessment (Annex VI): you check the system against each requirement, document the evidence, and record the outcome. The Annex VII notified-body route applies primarily to Annex III point 1 — biometric identification systems, biometric categorisation, and emotion recognition (where that is not already prohibited under Article 5). The applicable route depends on the Annex III point, not a general rule.

What does the EU Declaration of Conformity (DoC) actually state? Drawn up under Article 47 in accordance with Annex V, the DoC identifies the system and its intended purpose, names the provider and any authorised representative, states that Regulation (EU) 2024/1689 requirements are met, and references the conformity assessment procedure used. It is a legal document — market surveillance authorities can demand it at any time. Issuing a DoC for a non-conforming system attracts Article 99(5): up to €7.5 million or 1%.

What is the Article 6(3) exemption and when can I rely on it? A system in an Annex III area is not high-risk if it satisfies any one of four conditions: narrow procedural task; improving a previously completed human activity; detecting decision patterns without replacing human assessment; or preparatory work. Any system that profiles natural persons is excluded — it stays high-risk regardless. Claiming the exemption requires full documentation and Article 49 registration. The exemption does not waive the registration duty.

What happens under Article 25 if I build on a third-party AI system? Article 25 shifts the provider role onto you if you affix your own name or trademark to a third-party high-risk system, substantially modify it (Article 3(23)), or change its intended purpose. The full Article 16 stack — QMS, technical documentation, conformity assessment, DoC, CE marking, registration — follows. Companies that wrap third-party AI services in a proprietary interface and market the result under their own brand frequently trigger this rule without realising it.

What fine exposure does a provider face for non-compliance? Breaches of Article 16 and the Articles 8–15 requirements it references fall under Article 99(4): up to €15 million or 3% of worldwide annual turnover, whichever is higher. Under Article 99(6), smaller companies and start-ups pay the lower of the two figures — for a company with €2 million turnover, 3% is €60,000. Supplying misleading information to authorities or notified bodies is Article 99(5): up to €7.5 million or 1%.

