EU AI Act Annex V: Contents of the EU Declaration of Conformity
Annex V sets out the 7 required elements of the EU Declaration of Conformity (Article 47). Element guide, skeleton DoC, and 2 December 2027 deadline.
Annex V of Regulation (EU) 2024/1689 specifies exactly what the EU Declaration of Conformity for a high-risk AI system must contain. It is a short annex — seven numbered items — but each one carries legal weight. Get any element wrong and the declaration is defective, which means the system is not lawfully on the EU market.
This guide explains what each element requires, how Annex V fits into the broader conformity architecture, and what a compliant declaration looks like in practice.
What Annex V Is (and What It Is Not)
Annex V is the content specification for the EU Declaration of Conformity (DoC). It tells you what must be in the document.
The obligation to draw up a DoC sits in Article 47. Article 47(1) says that before placing a high-risk AI system on the market or putting it into service, the provider must draw up a written EU declaration of conformity and keep it available for national competent authorities for 10 years from the date the system is placed on the market. Article 47(2) adds that the declaration must be kept up to date, meaning it must be revised when the system undergoes a substantial modification. Article 47(3) confirms the structure of what the declaration must contain — cross-referencing Annex V.
Do not confuse Annex V with the technical documentation in Annex IV. They are related but distinct:
| | Annex IV — Technical Documentation | Annex V — Declaration of Conformity |
|---|---|---|
| Purpose | Detailed evidence record supporting conformity | Formal declaration that conformity has been established |
| Length | Can run to hundreds of pages across multiple documents | Typically 1–3 pages |
| Contents | System architecture, training data governance, risk management, testing results, post-market monitoring plan, instructions for use | Seven prescribed elements: system ID, provider identity, responsibility statement, conformity statement, standards references, notified body data (where applicable), signature block |
| Article reference | Article 11, with structure set out in Annex IV | Article 47, with structure set out in Annex V |
| Who accesses it | Held internally; disclosed to national competent authorities on request | Provided to authorities and deployers on request; referenced in the EU database at Article 49 registration |
| Machine-readable requirement | No explicit requirement, but good practice | Yes — Article 47(1) |
The Annex IV technical documentation is the evidence base. The Annex V DoC is the formal declaration that the evidence supports compliance. Both must exist. Neither substitutes for the other.
The Seven Required Elements
1. AI System Name, Type, and Identification
The DoC must identify the AI system precisely enough that there is no ambiguity about which system it covers. This typically means:
- Name: the commercial or product name (e.g., "CreditReady Risk Scoring Engine")
- Type: a description of the category of AI system (e.g., "machine learning-based creditworthiness assessment system")
- Version: the version number or release identifier, consistent with the version recorded in the Annex IV technical documentation
- Traceability reference: a product code, unique system identifier, or batch number — whatever removes any remaining doubt about which deployment the DoC covers
Where one DoC covers multiple AI systems — Article 47(1) permits a single declaration to cover more than one high-risk system — each system must be individually identified within the document.
The version link matters in practice. When the system undergoes a substantial modification — defined in Article 3(23) as a change that affects compliance with Chapter III requirements or alters the intended purpose — a new or revised DoC must be drawn up under Article 47(2). The version identifier is what distinguishes the updated declaration from the one it replaces.
2. Provider Name and Address
The DoC must state the full legal name and registered address of the provider — the entity that has developed or is placing the system on the EU market under its own name or trademark (see Article 3(3) for the definition of "provider" and Article 16 for the full list of provider obligations).
Where the provider is not established in the EU, the provider must appoint an authorised representative under Article 22. In that case, the DoC must include the name and registered address of the authorised representative established in the EU. The authorised representative assumes the provider's regulatory responsibilities in the EU market under Article 22(3).
3. Statement of Sole Responsibility
The DoC must include a declaration that it "is issued under the sole responsibility of the provider." This is a mandatory legal statement, not boilerplate. It confirms that the provider — not any third-party auditor, standards body, or notified body — is responsible for the accuracy of the conformity claim.
This element is particularly important when a notified body is involved. When a notified body (Article 43) has performed the conformity assessment and issued a certificate, that certificate is referenced in Element 6. But the DoC itself remains the provider's declaration: the provider takes sole responsibility for what it asserts in the document.
4. Statement of Conformity with Regulation (EU) 2024/1689
The core of the DoC is an unequivocal declaration that the identified AI system "is in conformity with this Regulation" — Regulation (EU) 2024/1689. This statement must not be hedged, conditional, or qualified.
Where the system is also governed by other Union legislation requiring a DoC — the Medical Device Regulation (MDR), the Radio Equipment Directive, the General Product Safety Regulation, for example — the conformity statement must extend to each applicable regulation. Article 47(4) expressly permits a single DoC to cover multiple Union acts, provided all applicable references are included.
This is useful for AI systems embedded in regulated products (Annex I systems): a medical imaging AI subject to both the EU AI Act and the MDR can consolidate both declarations of conformity into a single document.
5. References to Harmonised Standards or Common Specifications
If the provider used harmonised standards published in the Official Journal under the mandate to CEN/CENELEC (M/570), those standards must be cited by their full reference number and date of publication. Applying harmonised standards correctly gives a presumption of conformity with the AI Act requirements they cover.
For most AI systems today, the CEN/CENELEC harmonised standards are still in development. Where no applicable harmonised standard exists, the provider must reference any common specifications adopted by the European Commission, or set out the approach used to demonstrate conformity in the absence of such references. The description in Element 5 should be consistent with the methodology documented in the Annex IV technical documentation and the conformity assessment record under Article 43.
6. Notified Body Information (Where Applicable)
For a subset of high-risk AI systems — chiefly remote biometric identification systems — Article 43 requires the conformity assessment to be conducted by an accredited notified body rather than via the internal control pathway. Where a notified body is involved, the DoC must include:
- The notified body's full name
- Its EU identification number (the NANDO number assigned by the Commission)
- A description of the conformity assessment procedure performed (for example, "conformity assessment under Annex VII, Module D: Quality Assurance of the Production Process")
- The reference number of the certificate of conformity issued
For the majority of high-risk AI systems — those in Annex III categories other than real-time remote biometric identification in publicly accessible spaces — the internal control pathway under Annex VI applies. In those cases, Element 6 is not applicable and should be marked as such.
7. Place, Date, Name, Function, and Signature
The DoC must be signed by a natural person authorised to bind the provider. The signature block must include:
- Place: the city (and country) where the DoC is signed
- Date: the date of signature
- Name: the signatory's full name
- Function: the signatory's title or role within the provider organisation (for example, "Chief Executive Officer" or "Head of Regulatory Affairs")
- Capacity: an indication of the entity on whose behalf the person is signing, i.e., the provider named in Element 2
- Signature: a handwritten signature or a qualified electronic signature under eIDAS
For an authorised representative signing on behalf of a non-EU provider, the capacity statement must make clear that the signatory acts as authorised representative for the named non-EU provider.
Where Annex V Sits in the Conformity Architecture
Understanding Annex V requires placing it in the broader sequence of provider obligations before market entry.
First, the provider conducts the conformity assessment under Article 43. For most high-risk AI systems this is internal control via Annex VI; for remote biometric identification systems in publicly accessible spaces it involves a notified body under Annex VII. The conformity assessment is what generates the evidence that the system meets the Chapter III Section 2 requirements (Articles 9–15).
Second, with the conformity assessment complete, the provider draws up the Annex V DoC under Article 47. The DoC is the formal output of a successful assessment. Drawing up the DoC before the assessment is complete would make the declaration false — providers cannot declare conformity they have not yet established.
Third, the provider applies the CE marking under Article 48. The CE mark may not be affixed to a high-risk AI system until the Annex V DoC has been drawn up and signed.
Fourth, the provider registers the system in the EU database under Article 49. Registration references the conformity assessment outcome and the existence of the DoC. Both must exist before registration is complete.
The Annex V DoC is therefore a mid-process document: it is the output of the conformity assessment and the prerequisite for CE marking and registration.
Illustrative Skeleton: DoC for a Fictitious High-Risk AI System
The following is a worked illustration of a compliant Annex V DoC. It covers all seven required elements for a fictitious Annex III, category 5 (access to essential services) creditworthiness scoring system. This is for illustrative purposes only and is not legal advice.
EU DECLARATION OF CONFORMITY
Issued pursuant to Article 47 of Regulation (EU) 2024/1689 (EU AI Act)
Element 1 — AI System Identification
- System name: CreditReady Risk Scoring Engine
- System type: Machine learning-based creditworthiness assessment system for consumer credit applications
- Version: 4.2.1
- Product reference: CRSE-421-EU
Element 2 — Provider
FinScale Solutions GmbH, Goethestraße 12, 60313 Frankfurt am Main, Germany
Element 3 — Sole Responsibility Statement
This EU declaration of conformity is issued under the sole responsibility of FinScale Solutions GmbH.
Element 4 — Conformity Statement
The high-risk AI system identified above is in conformity with Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on artificial intelligence (EU AI Act).
Element 5 — Standards and Specifications
No harmonised standard applicable to this category of AI system has been published in the Official Journal of the European Union at the date of this declaration. Conformity with the requirements of Chapter III, Section 2 of Regulation (EU) 2024/1689 has been assessed under the internal control procedure set out in Annex VI to that Regulation. The assessment methodology, risk management documentation, testing records, and data governance evidence are set out in the technical documentation maintained under Article 11 and Annex IV, reference TD-CRSE-421-EU, version 4.2.1.
Element 6 — Notified Body
Not applicable. The conformity assessment for this system was conducted under the internal control pathway (Annex VI). No notified body was involved.
Element 7 — Signature
Frankfurt am Main, Germany, 2 December 2027
- Signed by: Dr. Katharina Vogt
- Function: Chief Executive Officer, FinScale Solutions GmbH
- On behalf of: FinScale Solutions GmbH
[Signature]
End of EU Declaration of Conformity — Document reference DoC-CRSE-421-EU
The Penalty Exposure for a Missing or Defective DoC
Failing to draw up the Annex V DoC — or drawing up a defective one that omits required elements, contains false information, or is not kept updated — constitutes non-compliance with Article 47, which is part of the provider obligations in Article 16(e). Under Article 99(4), this carries a maximum fine of €15,000,000 or 3% of total worldwide annual turnover, whichever is higher.
For companies (particularly smaller ones), Article 99(6) provides that fines are capped at the lower of the percentage figure or the fixed amount — a genuine proportionality protection, but not a reason to treat the DoC as optional.
The application deadline for stand-alone high-risk Annex III AI systems is 2 December 2027, under the Digital Omnibus agreed in May 2026, which deferred the original August 2026 date. For high-risk AI systems embedded in Annex I regulated products, the obligation applies from 2 August 2028. That timeline is longer than it looks: getting to a valid DoC requires completing the full conformity assessment first, which means the risk management system (Article 9), technical documentation (Article 11), and all Chapter III Section 2 requirements must be in place before the declaration is signed.
How Confir Generates the Annex V Declaration
When providers complete their compliance assessment in Confir, the Article 47 / Annex V Declaration of Conformity is generated directly from the assessment record. Provider details (Element 2) are drawn from the organisation profile. System identification data (Element 1) carries over from the system record created during the Article 6 classification. Standards references (Element 5) are populated from the conformity assessment methodology the provider confirms during the assessment workflow.
The sole responsibility statement (Element 3) and the conformity declaration (Element 4) are pre-drafted to the statutory wording — the provider's signatory reviews and confirms them before the document is finalised. Where a notified body was involved, structured fields capture the body's name, NANDO number, assessment procedure, and certificate reference for Element 6.
The generated DoC is output as a machine-readable PDF as required by Article 47(1), included in Confir's Datasheet export alongside the Annex IV technical documentation summary. All prior versions are retained with timestamps to support the 10-year retention obligation. The engine is rule-based and deterministic: the same completed assessment produces the same declaration, with no ambiguity about which fields are required.
Practical Issues That Make Declarations Defective
A DoC that passes a quick visual check can still be legally defective. Four recurring problems are worth flagging explicitly.
Signing before the conformity assessment is complete. The DoC is a declaration that conformity has been established. Providers who draft and sign it in advance — to meet a procurement deadline or demonstrate compliance readiness — and then complete the assessment later produce a false document. The correct sequence is firm: assessment first, declaration second.
Failing to update after a substantial modification. Article 47(2) requires revision when the system undergoes a substantial modification. In practice, model updates, changes to intended use, and integration into new deployment contexts can all cross the Article 3(23) threshold for substantial modification. Many providers maintain a single DoC through multiple product generations and never revise it — which means the declaration ceases to accurately describe the system under assessment.
Using an authorised representative's address in Element 2 without clarifying the relationship. If the provider is not EU-established and an authorised representative signs the DoC under Article 22, the document must identify both the non-EU provider (whose system it is) and the EU-based authorised representative (who signs on its behalf). Omitting the non-EU provider name, or presenting the representative as the provider, creates a material inaccuracy in Element 2.
Missing or placeholder Element 5. Where no harmonised standard applies, Element 5 must describe the methodology used in lieu. A DoC that simply states "no applicable standard" without explaining the conformity assessment approach taken leaves the mandatory field substantively empty. The description should cross-reference the Annex VI internal control procedure and the Article 11 / Annex IV technical documentation package that supports it.
None of these defects requires bad faith to occur. They are mostly the result of treating the DoC as a form-filling exercise rather than a legal instrument. For a provider, the simplest safeguard is a structured checklist mapped to the seven elements, reviewed by someone with legal responsibility for the system's compliance status — not only the product team.