Skip to content
Confir.
Free trial
Blog

EU Declaration of Conformity for High-Risk AI: Article 47 and Annex V Explained

Template26 March 2026· 14 min read

EU Declaration of Conformity for high-risk AI: Article 47 and Annex V template, all 7 required fields, worked example, and 10-year retention rules.

Every high-risk AI provider must draw up a written EU Declaration of Conformity before placing a system on the EU market or putting it into service. Article 47 of Regulation (EU) 2024/1689 sets that obligation. Annex V defines exactly what the document must contain. This page explains the legal mechanics, provides a fill-in template with all seven required fields, walks through a worked example, and shows where CE marking and EU-database registration fit in the sequence.

What the Declaration of Conformity Is — and What It Does

The EU Declaration of Conformity (DoC) is the provider's formal written statement that a specific high-risk AI system complies with Regulation (EU) 2024/1689 and any other Union harmonisation law that applies to it. By drawing it up, the provider assumes sole responsibility for that compliance (Article 47(1)).

Three immediate consequences follow from signing:

  1. The DoC must be kept for 10 years after the system is placed on the market or put into service — long enough to cover the full post-market monitoring horizon (Article 47(2)).
  2. It must be made available to national competent authorities on request (Article 47(2)). This is not optional; failure to produce it on demand is itself a non-compliance event.
  3. A single DoC covers all applicable Union acts. If your high-risk AI system is also a medical device under MDR 2017/745, or a safety component under the Machinery Regulation (EU) 2023/1230, the DoC declares conformity with each applicable instrument in one document (Article 47(3)).

The DoC is not the same as the conformity assessment under Article 43 — that is the internal or third-party evaluation process that precedes and underpins the declaration. The DoC is the attestation that follows it.

Who Must Draw It Up

Only providers — organisations that place an AI system on the market or put it into service under their own name or trademark (Article 3(3)) — are required to draw up the DoC. Article 16(a) lists it as the first provider obligation.

Deployers do not draw up a DoC. They verify that the provider has done so before they deploy the system, and they monitor compliance status. Importers and distributors carry the same verification duty but equally do not produce the document themselves.

One exception worth flagging: a deployer who substantially modifies a high-risk system, or who changes its intended purpose, becomes a provider under Article 25 and then inherits all provider obligations, including drawing up a fresh DoC.

Where the DoC Sits in the Compliance Sequence

The order matters. Three acts are interlinked for high-risk AI under Section 2 of Chapter III:

  1. Conformity assessment (Article 43) — the evaluation that demonstrates the system meets Articles 9–15. Most Annex III categories use the internal self-assessment route (Annex VI); biometrics (Annex III point 1) generally require the notified-body route (Annex VII) where harmonised standards are not applied.
  2. Declaration of Conformity (Article 47) — the written attestation drawn up once conformity assessment is complete.
  3. CE marking (Article 48) — affixed only after the DoC is drawn up. CE marking is the outward signal on the product that the full cycle is done.
  4. EU-database registration (Article 49) — the system must be registered in the EU database for high-risk AI before or concurrent with market placement.

No CE marking without a DoC. No DoC without a conformity assessment. The sequence is not decorative; it is the legal architecture.

The Seven Required Fields: Annex V Content

Annex V of Regulation (EU) 2024/1689 specifies the information that every DoC must contain. There are seven required elements. Nothing else is mandated, though providers may add fields for operational clarity.

1. AI system name, type, and unique identifier The system must be identifiable unambiguously. Include the commercial name, the model version or release, and a unique identifier — typically a product code, serial number format, or version string. If you issue declarations across multiple versions, each version gets its own identifier so the document is version-specific.

2. Provider name and address; authorised representative if applicable Full legal name and registered address of the provider. If the provider is established outside the EU, it must appoint an authorised representative under Article 22, and that representative's name and address appear here alongside the provider's.

3. Statement that the DoC is issued under the provider's sole responsibility A verbatim declaration of exclusive responsibility. This is the sentence that makes the DoC legally significant — it binds the provider to the consequences of any inaccuracy.

4. Statement that the system conforms to Regulation (EU) 2024/1689 and, where applicable, other Union law Name the Regulation in full. If the system is also subject to other Union harmonisation legislation, list each applicable instrument in this field. Using only "the EU AI Act" without citing "Regulation (EU) 2024/1689" is imprecise and may be challenged.

5. References to harmonised standards or common specifications applied Cite the harmonised standards (once adopted under Article 40) or the common specifications issued by the Commission under Article 41 that the provider relied on to demonstrate conformity. If none apply — which is currently the common case because harmonised standards under the AI Act are still being developed — note the absence and identify the technical methods used in their place.

6. Where applicable: notified body name, identification number, and certificate reference Only required where the conformity assessment involved a notified body (Annex VII route). Include the body's official name, its four-digit identification number assigned by the Commission, and the certificate number it issued. Leave this field blank or mark it "N/A" where internal self-assessment (Annex VI) was used.

7. Place and date of issue; name, function, and signature of responsible person The declaration is a signed document. Include the place of signing, the date, the full name of the signatory, their function (e.g., Chief Compliance Officer, Legal Representative), and their signature — physical or electronic. An electronic signature must meet the requirements of Regulation (EU) No 910/2014 (eIDAS) to be legally equivalent.

The declaration must be drawn up in the official language(s) of the member states where the system is made available, or in a language accepted by those member states' authorities.

Fill-In Template

Use this template as the structural base. Fields in [square brackets] are to be completed by the provider.

EU DECLARATION OF CONFORMITY Issued under Article 47 of Regulation (EU) 2024/1689 (EU AI Act)

1. AI System Identification

  • Name: [Commercial name of the AI system]
  • Type: [e.g., automated decision-support system; biometric identification system; risk-scoring engine]
  • Unique Identifier: [Product code / version string, e.g., PRODID-2024-v3.1]
  • Intended Use: [Brief description matching the technical documentation]

2. Provider

  • Legal name: [Full registered company name]
  • Registered address: [Street, city, country]
  • Contact (for authority requests): [Email or postal address]

Authorised Representative (if provider is established outside the EU):

  • Name: [Full legal name]
  • Address: [Registered address within the EU]
  • Appointed under: Article 22, Regulation (EU) 2024/1689

3. Sole Responsibility Statement This EU Declaration of Conformity is issued under the sole responsibility of [provider name].

4. Conformity Statement The AI system identified above conforms to Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on Artificial Intelligence (EU AI Act).

[If applicable, also list other Union harmonisation legislation, e.g.:]

  • Regulation (EU) 2017/745 (Medical Devices Regulation)
  • Regulation (EU) 2023/1230 (Machinery Regulation)

5. Harmonised Standards or Common Specifications Applied [List the reference numbers and dates of any harmonised standards applied, e.g., EN ISO/IEC XXXXX:202X]

[If no harmonised standards were applied:] No harmonised standards under Article 40 of Regulation (EU) 2024/1689 were applied. Conformity was demonstrated by [describe method, e.g., internal testing against the technical requirements in Articles 9–15; conformity assessment under Annex VI].

6. Notified Body (complete only if Annex VII route was used)

  • Name: [Official name of the notified body]
  • Identification number: [Four-digit number assigned by the Commission]
  • Certificate reference: [Certificate number and date of issue]

[If internal self-assessment under Annex VI was used, state: "Not applicable — conformity assessment conducted under Annex VI (internal control)."]

7. Authorised Signatory

  • Place of issue: [City, country]
  • Date of issue: [DD Month YYYY]
  • Name: [Full name of signatory]
  • Function: [Title / role, e.g., Chief Compliance Officer]
  • Signature: ___________________________

Worked Example: Credit-Scoring Engine

A regional fintech with 80 employees has built a credit-scoring model used by two partner banks to assess loan applications from private individuals. Under Annex III, point 5(b) — access to essential services, creditworthiness — this is a high-risk system. The company completes Annex VI internal self-assessment, then draws up the following DoC:

EU DECLARATION OF CONFORMITY

1. AI System Identification

  • Name: LendScore Pro
  • Type: Automated creditworthiness assessment system
  • Unique Identifier: LSP-EU-2025-v2.4
  • Intended Use: Assessing the creditworthiness of natural persons applying for consumer credit, as an input to human loan-officer decisions at authorised deployer institutions.

2. Provider

  • Legal name: CreditLogic GmbH
  • Registered address: Hauptstraße 12, 60313 Frankfurt am Main, Germany
  • Contact: compliance@creditlogic.de

3. Sole Responsibility Statement This EU Declaration of Conformity is issued under the sole responsibility of CreditLogic GmbH.

4. Conformity Statement LendScore Pro v2.4 conforms to Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on Artificial Intelligence (EU AI Act).

5. Harmonised Standards or Common Specifications Applied No harmonised standards under Article 40 of Regulation (EU) 2024/1689 had been adopted as of the date of this declaration. Conformity was demonstrated through internal assessment against Articles 9–15 under the Annex VI procedure, with technical documentation prepared in accordance with Article 11 and Annex IV.

6. Notified Body Not applicable — conformity assessment conducted under Annex VI (internal control).

7. Authorised Signatory

  • Place of issue: Frankfurt am Main, Germany
  • Date of issue: 3 June 2025
  • Name: Petra Kaufmann
  • Function: Chief Compliance Officer
  • Signature: (signed)

A real DoC is typically one to three pages. Its legal weight comes from the underlying conformity assessment record, not from document length.

Retention, Format, and Machine-Readability

Article 47(2) requires the DoC to be kept for 10 years. Technically, the Regulation does not prescribe a specific file format, but the phrase "machine-readable" appears in the recitals — which in practice means that a PDF without embedded text is not ideal. Structuring the DoC as a tagged PDF or providing it in a structured data format alongside the signed copy gives authorities what they need to process requests efficiently and signals good-faith compliance.

The DoC must be updated whenever a substantial modification is made to the system. Article 3(23) defines substantial modification as a change not anticipated in the original conformity assessment that affects the system's compliance with the applicable requirements, or a change to the intended purpose. A version bump that falls within the scope of the original assessment does not require a new DoC; one that changes risk-relevant behaviour or intended purpose does.

Technical documentation supporting the DoC must be retained for the same 10-year period (Article 18). The DoC is the declaration; the technical documentation file — assembled under Article 11 and Annex IV — is the evidence base authorities will examine.

Multiple Union Acts: One Document

When a high-risk AI system is also subject to other Union harmonisation legislation, Article 47(3) permits — and regulators expect — a single DoC to cover all applicable instruments. A surgical-robotics system that is both a medical device (MDR 2017/745) and an AI system classified under Article 6(1) of the EU AI Act needs one DoC, not two separate instruments. Field 4 of the template is where those additional acts are listed.

This matters for the conformity-assessment route too: high-risk AI that is a safety component of an Annex I product uses the integrated conformity-assessment procedure under Article 43(3) and faces the 2 August 2028 deadline, whereas stand-alone Annex III high-risk AI uses the standard Article 43 route with the 2 December 2027 deadline (under the Digital Omnibus agreed in May 2026).

How Confir Helps

Confir generates the Article 47 / Annex V Declaration of Conformity directly from the conformity record your team builds during the assessment. The engine is deterministic and rule-based: it maps your system's classification, the conformity-assessment route taken, any notified-body details, and the responsible signatory into the seven Annex V fields and produces a structured, print-ready document. No drafting from scratch; no risk of a field being omitted. The DoC is version-controlled alongside your Article 11 / Annex IV technical documentation pack, so updates on substantial modification are tracked.

Frequently Asked Questions

Does the DoC replace the conformity assessment? No. The conformity assessment under Article 43 is the evaluation process; the Declaration of Conformity under Article 47 is the written attestation issued once that process is complete. You cannot sign a DoC without a completed conformity assessment to underpin it. In practice, the conformity assessment record is the document auditors read; the DoC is the summary cover sheet that points to it.

Can a deployer be required to produce a DoC? A deployer who does not modify the system has no obligation to draw up a DoC — that duty stays with the provider. The deployer's obligation is to verify that a valid DoC exists before deployment. However, if the deployer substantially modifies the system or changes its intended purpose, Article 25 converts the deployer into a provider, and the full provider stack — including Article 47 — applies.

When does the DoC obligation apply? Has the deadline changed? The DoC obligation applies as part of the high-risk AI obligations that providers must meet before market placement. Under the Digital Omnibus agreed in May 2026, the application date for stand-alone high-risk Annex III systems is 2 December 2027; for high-risk AI embedded in Annex I regulated products, it is 2 August 2028. The original 2 August 2026 date for these requirements has been deferred. However, providers with systems already assessed and approaching the market in 2026 should complete the DoC as part of their readiness, not wait for the formal application date.

What happens if the harmonised standards for AI are not yet adopted? As of mid-2026, no harmonised standards have been formally adopted under Article 40. Field 5 of the DoC should describe the alternative methods used — reference to Article 41 common specifications (if any apply) or a description of the internal testing and evaluation methods. The absence of harmonised standards does not delay the obligation; it shifts the burden to documenting the testing approach in more detail in the technical file.

What is the penalty for providing a false or incomplete DoC? Supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities — which includes a false Declaration of Conformity — falls under Article 99(5): up to €7,500,000 or 1% of total worldwide annual turnover, whichever is higher. Failure to conduct conformity assessment at all, or to implement the underlying risk management and technical documentation requirements, is a heavier obligation breach under Article 99(4): up to €15,000,000 or 3% of total worldwide annual turnover. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount.

Is a machine-readable format required? The Regulation does not specify a mandatory file format. Recital language and practical guidance from the AI Office favour machine-readable output (structured data or tagged PDF) to facilitate authority requests and future EU-database integration. A scanned image of a paper document is not ideal; a tagged PDF or a structured JSON/XML output alongside the signed PDF is the safer practice.

Must the DoC be translated? The DoC must be drawn up in the official language(s) of the member states where the system is made available, or in a language the relevant authorities accept. Providers placing a system across multiple member states should confirm the language requirements with each national competent authority or, as a practical default, provide an English-language version plus translations for the key markets.

Related guides

Manage your EU AI Act compliance in one place

Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.

Start free trial →

Related guides

Template

AI Use Policy Template for EU AI Act Compliance

EU AI Act AI use policy template: 12 sections covering Art 5 prohibitions, Art 6 risk classification, Art 14 oversight, and Art 73 incident timelines.

Template

Annex IV Technical Documentation Template for Credit-Scoring AI

Worked Annex IV template for credit-scoring AI under EU AI Act Annex III point 5(b). All 9 content areas with credit-scoring examples. Deadline 2 Dec 2027.

Template

AI Inventory Template: Field-by-Field Guide for EU AI Act Compliance

EU AI Act AI inventory template — every field explained: role, risk tier, Annex III category, GPAI dependency, and key dates. Deadline 2 Dec 2027.