EU AI Act Conformity Assessment: How It Works

Guide · 23 May 2026 · 12 min read · 2,432 words

EU AI Act conformity assessment: two Article 43 routes, Annex VI self-assessment vs Annex VII notified body, CE marking, and the 2 December 2027 deadline.

Before a high-risk AI system can enter the EU market, its provider must prove — in writing, backed by documented evidence — that it meets every requirement in Chapter III Section 2 of Regulation (EU) 2024/1689. That proof process is the conformity assessment under Article 43. It is not a one-off audit and it does not belong to your deployer or your consultant. It is the provider's obligation, and it must be complete before first placement or putting into service.

The deadline for stand-alone Annex III systems is 2 December 2027 (deferred from August 2026 by the Digital Omnibus agreed in May 2026). For high-risk AI embedded in Annex I regulated products the date is 2 August 2028. That is breathing room, not a buffer: assembling the conformity pack — technical documentation, Declaration of Conformity, CE marking, and EU database registration — takes six to twelve months for most organisations.

What Conformity Assessment Actually Means

Conformity assessment is the EU's term for proving, before launch, that a high-risk AI system satisfies the obligations in Articles 9–15: the risk management system, data governance, technical documentation, record-keeping, transparency toward deployers, human oversight, and accuracy/robustness/cybersecurity. Article 43 is the procedural gateway — it says when and how that proof must be assembled and by whom.

Two things it is not. First, it is not the Fundamental Rights Impact Assessment under Article 27, which is a deployer obligation triggered for public bodies and companies deploying Annex III creditworthiness (point 5(b)) or life/health insurance (point 5(c)) systems. A deployer may have to run a FRIA; only providers conduct a conformity assessment. Second, it is not ISO/IEC 42001 certification. An ISO 42001 certificate supports your Article 17 quality management system and contributes evidence to the technical file, but it does not substitute for the Article 43 procedure and does not satisfy the CE marking requirement.

Two Routes Under Article 43

Article 43 offers two distinct paths. The applicable route depends on what your system does, not on its complexity or cost.

Annex VI Internal Control — the Default Route

For most high-risk systems, Annex VI internal control is the correct route. This covers all Annex III categories except point 1 (biometrics), provided you are applying the relevant harmonised standards in full. In practice, that means recruitment screening tools (Annex III point 4(a)), credit-scoring systems (point 5(b)), exam-proctoring software (point 3(c)), law enforcement risk-assessment tools (point 6), and the other Annex III categories all use the Annex VI self-assessment procedure.

Under Annex VI, you assess your own system against the Chapter III requirements, compile the Annex IV technical documentation, draw up the EU Declaration of Conformity under Article 47, and sign it. No notified body touches the file. The competent authority can audit you at any time, so the documentation must be audit-ready, not just checkmark-complete.

Annex VII Notified-Body Assessment — Required for Biometrics (and Product-Embedded Systems)

Annex VII third-party assessment is required in two situations.

The first is Annex III point 1 — biometrics (remote biometric identification systems, biometric categorisation systems, and emotion recognition systems where not prohibited): where harmonised standards are not fully applied, or where those standards do not fully cover the applicable requirements, providers of biometric systems must engage a notified body. The notified body reviews your quality management system (under Article 17) and your technical documentation, then issues a certificate. That certificate underpins your Declaration of Conformity.

The second situation is Annex I product-embedded AI. High-risk AI that functions as a safety component of a product covered by EU product legislation — medical devices (MDR 2017/745), machinery (Regulation (EU) 2023/1230), in vitro diagnostics (IVDR 2017/746), and the other Annex I sectors — follows those product laws' own conformity assessment procedures, which typically include notified-body involvement. The AI Act's Article 43(3) integrates the AI assessment into that existing product route. These systems fall under the 2 August 2028 deadline, not December 2027.

Notified bodies are designated by EU member state authorities under Articles 28–39. Designation under the AI Act is separate from designation under product law, though bodies may hold both.

The Five Steps to a Complete Conformity Pack

Step 1: Compile the Annex IV Technical Documentation (Article 11)

Article 11 requires providers to draw up technical documentation before placing a high-risk system on the market. The content is specified in Annex IV across nine areas, including: a general description of the system and its intended purpose; a description of the elements, development process, and design choices; monitoring, functioning, and control information; the risk management documentation; changes to the system over its lifecycle; a list of harmonised standards applied; the EU Declaration of Conformity; and post-market monitoring procedures.

The documentation must be detailed enough for a competent authority to assess compliance without asking the provider to explain it. That is a high bar. Incomplete documentation is the most common conformity failure in practice.

Step 2: Run the Assessment

For Annex VI systems, the provider's own compliance or legal team — or a specialist retained for the purpose — works through each of the Articles 9–15 requirements against the technical file. Every gap between the requirement and the documented evidence of compliance must be closed before the Declaration is signed.

For Annex VII systems, the notified body conducts its own assessment of the QMS and technical documentation. Providers should allow three to six months for a notified-body assessment, plus the time to prepare the documentation that goes in.

Step 3: Draw Up the EU Declaration of Conformity (Article 47, Content in Annex V)

Once the assessment is complete, the provider prepares the EU Declaration of Conformity. Article 47 requires the declaration; Annex V specifies its content: identification of the system and provider, a statement of conformity with Regulation (EU) 2024/1689 and any other applicable Union law, reference to the harmonised standards or specifications applied, the notified body's identification and certificate number (if Annex VII applies), the date and place of issue, and the authorised signatory's identity. The declaration must be kept for ten years after the last unit is placed on the market (Article 18).

Step 4: Affix CE Marking (Article 48)

After the Declaration of Conformity is in place, providers affix the CE marking to the system — or, where the system is software only, to its accompanying documentation or the interface through which it is accessed. Article 48 prohibits affixing CE marking before the conformity assessment procedure is complete and the Declaration is drawn up. Using the CE marking without that basis is itself an infringement.

For Annex I product-embedded systems, the CE marking rules of the applicable product law govern; the AI Act CE marking is integrated into that process.

Step 5: Register in the EU Database (Article 49)

Before or at market placement, providers of stand-alone Annex III systems must register the system in the EU database for high-risk AI systems established under Article 71. Article 49 contains the registration duty; Article 71 describes the database. Registration is public-facing for systems used by natural persons; some law-enforcement and migration systems have a restricted-access section.

Providers claiming the Article 6(3) exemption — that an Annex III system does not pose a significant risk of harm and is therefore not high-risk — must also register that determination in the database.

When Re-Assessment Is Required

A conformity assessment covers the system as described in the technical documentation at the time of assessment. Under Article 3(23), a substantial modification — one that changes the intended purpose or the performance, or that affects the basis on which the original assessment was made — triggers a new conformity assessment. Minor bug fixes, parameter tuning within validated ranges, and updates that do not affect the system's capabilities or risk profile generally do not require re-assessment, but providers must document the reasoning.

Post-market monitoring data under Article 72 feeds back into this calculation. If monitoring reveals that real-world performance diverges materially from the assessed performance, or that new risks have emerged, providers must review whether re-assessment is needed and update the technical documentation accordingly.

The Notified-Body Framework (Articles 28–39)

Notified bodies are designated by national authorities under Articles 28–39. Designation criteria include independence from providers, technical competence, impartiality, and adequate insurance. As of mid-2026, the AI Act notified-body network is still forming — providers of biometric systems should begin engaging candidate bodies early, since capacity constraints are expected before the December 2027 deadline.

What Conformity Assessment Does Not Cover

The Article 27 FRIA is a deployer obligation, separate from the provider's conformity assessment. A Declaration of Conformity does not discharge a deployer's FRIA duty. Public bodies and companies deploying Annex III point 5(b) creditworthiness or 5(c) life/health insurance systems run the FRIA independently, building on the technical documentation they receive from the provider under Article 13.

ISO/IEC 42001:2023 is not a substitute. The standard is voluntary, not a harmonised standard under the Act, and ISO body certification does not constitute the Article 43 procedure or authorise CE marking. A provider who holds ISO 42001 certification still needs to run the Annex VI or Annex VII assessment and draw up the Declaration.

Penalties

Failing to conduct the conformity assessment, drawing up a false Declaration, or affixing CE marking without completing the procedure falls in the Article 99(4) tier: up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. Under Article 99(6), SMEs and start-ups pay the lower of the two figures — for a 40-person HR-tech firm with €4 million turnover, 3% is €120,000. Not trivial.

Providing incorrect or incomplete information to a notified body or competent authority is a separate offence: €7,500,000 or 1% (Article 99(5)). These penalty provisions have been in force since 2 August 2025.

How Confir Helps

Assembling the conformity pack manually means pulling together Article 11/Annex IV technical documentation, the Article 47/Annex V Declaration of Conformity, and the evidence behind Articles 9–15. Confir's rule-based engine — deterministic and reproducible by design — classifies your system (Articles 5 and 6, Annex III logic), derives your role, and generates the print-ready technical documentation pack and Declaration from your intake answers. Same inputs, same output, every time; the rule that fired is human-readable in the audit log.

Confir's AIRC module (Articles 5, 6, 43, 50) is the starting point for providers facing the December 2027 deadline. The gap-analysis view shows which Annex IV sections remain incomplete.


Frequently Asked Questions

What is conformity assessment under the EU AI Act?

Conformity assessment under Article 43 of Regulation (EU) 2024/1689 is the procedure by which a provider of a high-risk AI system proves, before placing the system on the market or putting it into service, that it meets the requirements in Chapter III Section 2 (Articles 9–15). The procedure results in a signed EU Declaration of Conformity (Article 47, content in Annex V), affixing of the CE marking (Article 48), and registration in the EU database (Article 49). It is a provider obligation and cannot be delegated to the deployer.

Which conformity assessment route applies to my system?

The two routes are set out in Article 43. Most Annex III systems — employment screening, credit scoring, education, law enforcement, migration, etc. — follow the Annex VI internal control route: the provider self-assesses against the requirements and draws up the Declaration without involving a notified body. Annex III point 1 biometric systems (where harmonised standards are not fully applied) and Annex I product-embedded AI systems must use the Annex VII notified-body route, which involves an independent assessment of the quality management system and technical documentation.

What is the difference between conformity assessment and the FRIA?

The conformity assessment (Article 43) is a provider obligation: prove your system meets the high-risk requirements before launch. The Fundamental Rights Impact Assessment (Article 27) is a deployer obligation: public-body deployers and companies deploying Annex III point 5(b) creditworthiness or 5(c) life/health insurance systems must assess the impact on fundamental rights before deployment. A provider's Declaration of Conformity does not satisfy the deployer's FRIA duty. The two processes are complementary: the FRIA can build on the provider's technical documentation (Article 27(4) permits this), but it must be conducted separately.

Does ISO/IEC 42001 certification replace Article 43 conformity assessment?

No. ISO/IEC 42001:2023 certification is voluntary and is not a harmonised standard under the EU AI Act. It supports the Article 17 quality management system and provides useful evidence for the Annex IV technical file, but it does not constitute the Article 43 procedure and does not authorise CE marking. A provider still needs to complete the Annex VI or Annex VII assessment and draw up the EU Declaration of Conformity under Article 47.

What triggers a re-assessment after the initial conformity is complete?

A substantial modification as defined in Article 3(23) — a change that affects the intended purpose, alters performance, or undermines the basis of the original assessment — requires a new conformity assessment. Providers must also review the assessment if post-market monitoring data (Article 72) reveals material divergence from assessed performance or the emergence of new risks. The decision not to re-assess must itself be documented.

What are the penalties for failing to complete conformity assessment?

Failing to conduct the required conformity assessment, issuing a false EU Declaration of Conformity, or affixing CE marking without completing the procedure triggers fines under Article 99(4): up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the two figures. Providing incorrect information to a notified body or authority is a separate offence under Article 99(5): up to €7,500,000 or 1%. Penalty provisions have been in force since 2 August 2025.

When must conformity assessment be completed?

For stand-alone high-risk AI systems listed in Annex III, the deadline is 2 December 2027 (deferred from August 2026 by the Digital Omnibus political agreement of May 2026). For high-risk AI embedded in Annex I regulated products, the deadline is 2 August 2028. Given that assembling the Annex IV technical documentation, running the assessment, and engaging a notified body (where required) typically takes six to twelve months, providers should begin the process now rather than treating December 2027 as a distant horizon.
