Skip to content
Confir.
Free trial
Blog

EU AI Act Article 47: EU Declaration of Conformity for High-Risk AI Systems

EU AI Act Guide23 May 2026· 16 min read· 3,106 words

Article 47 requires providers of high-risk AI systems to draw up an EU Declaration of Conformity (Annex V), retained 10 years. Deadline: 2 December 2027.

Article 47 of Regulation (EU) 2024/1689 requires every provider of a high-risk AI system to draw up a formal EU Declaration of Conformity — a signed, machine-readable document in which the provider declares, under their sole responsibility, that the system meets all applicable requirements of the EU AI Act — before the system is placed on the EU market or put into service.

What the EU Declaration of Conformity Is

The EU Declaration of Conformity (DoC) is a formal legal document, not a certificate issued by a third party. The provider draws it up themselves. By doing so, they assume personal legal responsibility for the system's compliance with the EU AI Act. Article 47(5) makes this explicit: drawing up the DoC is the act of assuming that responsibility.

The DoC is not a worksheet, a risk register, or a checklist. It is a concise, signed statement of a conclusion — the provider's formal assertion that the conformity assessment has been completed and the system meets the requirements. It must be machine-readable, kept for 10 years, and made available to national competent authorities on request.

Three documents get confused in practice — partly because the EU AI Act requires all three, and partly because they reference each other. Keeping them straight saves time and prevents regulatory gaps:

  • Technical documentation (Article 11 / Annex IV): the underlying evidence base — system architecture, risk management outputs, test results, data governance records. This is the detailed file a provider assembles throughout development.
  • Conformity assessment (Article 43): the procedure for verifying compliance. For most Annex III systems, this is an internal control process (Annex VI); for certain systems (those involving biometric identification or other enumerated cases), a notified body must be involved (Annex VII).
  • EU Declaration of Conformity (Article 47 / Annex V): the output document. Drawn up after the assessment is complete. Concise. Signed. Machine-readable.

A fourth document worth distinguishing is the instructions for use required under Article 13. The instructions are directed at deployers — they tell the deployer what the system does, its limitations, and the human oversight it requires. The DoC is directed at competent authorities — it tells them the provider has verified compliance and is assuming legal responsibility. Different audience, different purpose, both required.

The sequence matters. Article 47 comes after Article 43, and Article 48 (CE marking) comes after Article 47. Nothing can be skipped or reordered:

Article 43 (conformity assessment) → Article 47 (EU Declaration of Conformity) → Article 48 (CE marking) → Article 49 (registration in the EU database)

What Article 47 Requires: The Core Obligations

Drawing Up the DoC

Every provider of a high-risk AI system must draw up a written DoC before placing the system on the EU market or putting it into service. Article 47(1) is unqualified — there are no size exemptions for small providers, no transitional arrangements that allow trading without the DoC. If the system is high-risk under Article 6, the DoC is mandatory.

The DoC must be machine-readable. This is not merely a recommendation. Article 47(1) specifies it explicitly. A machine-readable DoC can be processed by automated systems — supporting the EU database, market surveillance functions, and cross-border regulatory data exchange. A PDF with properly tagged content or embedded metadata satisfies the requirement; an untagged scan of a paper document does not.

Contents: What Annex V Requires

Article 47(3) incorporates Annex V by reference. The DoC must contain all information set out there. Annex V specifies:

  1. Provider identity — full name and address of the provider (and, where applicable, their EU-authorised representative under Article 22).
  2. AI system identity — name, type, and any unambiguous reference (version number, batch number, serial number) allowing the system to be clearly identified. Where the DoC covers multiple systems, each must be listed individually.
  3. Statement of conformity — an explicit declaration that the AI system is in conformity with Regulation (EU) 2024/1689 and, where applicable, with any other Union legislation requiring a DoC.
  4. Standards and specifications applied — references by number and date to any harmonised standards or common specifications the provider has applied. Where none apply, a description of the measures taken to demonstrate conformity.
  5. Notified body information — where a notified body was involved under Article 43, its name, identification number, and the certificate number.
  6. Place, date, and signature — the place and date the DoC was drawn up; the name and function of the signatory; their signature. The signatory must have authority to legally bind the provider.
  7. Authorised representative — where the provider is not established in the EU, the name, address, and signature of their authorised representative under Article 22.

Retention: 10 Years

Article 47(1) requires the DoC to remain available to national competent authorities for 10 years after the system is placed on the market or put into service. For providers who release successive versions, the practical rule is: retain each version's DoC for 10 years from the date that version was last on the market.

The DoC must be kept up to date. Article 47(5) states this expressly. If the AI system undergoes a substantial modification that triggers a new conformity assessment under Article 43, the DoC must be updated to reflect the new assessment. A DoC that describes version 1.0 cannot be used to cover version 2.0 if that version introduced capabilities requiring fresh assessment. What constitutes a "substantial modification" is a judgment call that providers should document at the time — not retrospectively if a regulator comes asking.

Combined DoC for Multi-Regulation Systems

Article 47(4) allows a single DoC to cover all applicable Union legislation where a high-risk AI system is subject to other EU law that also requires a DoC — for example, a medical AI device subject to both the EU AI Act and the Medical Device Regulation (MDR), or an AI system in machinery subject to the Machinery Regulation.

The single DoC must contain all elements required by each applicable regulation. Nothing can be omitted simply because it appears in another section of the document. The simplification is administrative, not substantive.

Who Bears the Article 47 Obligation

Providers bear the obligation. The provider is the entity that develops a high-risk AI system and places it on the market or puts it into service under its own name or trademark — or that substantially modifies a system and thereby assumes provider status under Article 25. Drawing up the DoC is a provider obligation under Article 16(e).

Authorised representatives of non-EU providers must sign the DoC on the EU-established provider's behalf. Under Article 22, the authorised representative assumes legal responsibility for the DoC within the EU.

Importers (Article 23) and distributors (Article 24) must verify that a valid DoC exists and has been properly drawn up before they place the system on the EU market or make it available. They cannot supply a system that lacks a DoC.

Deployers (Article 26) are not required to draw up a DoC — the obligation falls on the provider. But deployers should request and review the DoC before putting a third-party high-risk system into service. The DoC confirms the scope of the system for which the provider has taken responsibility, the conformity assessment basis, and the standards applied. This matters for deployers' own due diligence and for any Article 27 Fundamental Rights Impact Assessment they may need to conduct.

The DoC in the Compliance Sequence

Understanding where Article 47 sits in the full compliance lifecycle prevents gaps and sequencing errors.

A provider deploying a stand-alone high-risk AI system (an Annex III system — say, a recruitment screening tool or a credit-scoring model) must complete the following before market placement:

  1. Risk management system (Article 9): identify and assess risks throughout the system's lifecycle.
  2. Data governance (Article 10): ensure training, validation, and testing data meets quality and governance standards.
  3. Technical documentation (Article 11 / Annex IV): assemble the full evidence file — architecture, development rationale, risk management records, test results, human oversight provisions.
  4. Logging (Article 12): ensure automatic logging of events during operation.
  5. Transparency (Article 13): produce instructions for use adequate for deployers.
  6. Human oversight (Article 14): build in mechanisms for human intervention.
  7. Quality management system (Article 17): maintain a QMS covering the full development and post-market lifecycle.
  8. Conformity assessment (Article 43): complete internal control (Annex VI) or involve a notified body (Annex VII where required).
  9. EU Declaration of Conformity (Article 47): draw up the DoC after the assessment is complete.
  10. CE marking (Article 48): affix the CE marking to the system or its documentation.
  11. Registration (Article 49): register the system in the EU database before market placement (for Annex III systems).

The DoC sits at step 9. It cannot be drawn up until the conformity assessment at step 8 is complete. The CE marking cannot be affixed until the DoC at step 9 is done. The sequence is statutory, not administrative preference.

Worked Example: Small Provider, Annex III Scope

Scenario: A 25-person fintech company in Warsaw — call them CreditLogic — has built a creditworthiness-assessment module that scores SME loan applications for a regional Polish bank. The bank deploys CreditLogic's module under a white-label agreement. CreditLogic places the module on the market under its own name.

CreditLogic is the provider under Article 16. The module falls under Annex III, category 5 (AI systems used to evaluate the creditworthiness of natural persons or establish their credit score). It does not qualify for the Article 6(3) exemption — creditworthiness scoring for natural persons directly influences access to financial services and constitutes a significant risk of harm. The full high-risk stack applies.

After assembling Annex IV technical documentation and completing the internal conformity assessment under Article 43 (Annex VI internal control), CreditLogic's compliance lead draws up the DoC. The document contains:

  • CreditLogic sp. z o.o., Warsaw registered address
  • System name: "CreditLogic Scoring Engine," version 3.2, unique product identifier CL-SCO-32
  • Declaration: "The above-identified AI system is in conformity with Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 on artificial intelligence"
  • Reference to the internal control procedure under Annex VI (no notified body — not required for this category)
  • Where harmonised standards have been published and applied, their reference numbers and dates; otherwise a description of the internal technical methodology used to demonstrate conformity with Articles 9–15
  • Signature of CreditLogic's CEO, with name, function, Warsaw, and date
  • No authorised representative entry (CreditLogic is EU-established)

CreditLogic stores the DoC as a machine-readable PDF alongside the Annex IV file. They register the system in the EU database under Article 49, affix the CE marking under Article 48, and provide the bank deployer with a copy of the DoC and the instructions for use.

When CreditLogic releases version 4.0 with a significantly expanded features set — including a new income-estimation model — the compliance lead determines this is a substantial modification triggering a fresh conformity assessment under Article 43. A new DoC is drawn up for version 4.0. The version 3.2 DoC is retained for 10 years from its last market date.

The lesson for a 25-person team: the DoC itself is not the hard part. It is a three-to-five page document. The hard part is assembling the Annex IV technical documentation and completing the conformity assessment that gives the DoC its legal foundation. A DoC drawn up without a genuine underlying assessment is a false declaration — the risk there is not administrative, it is legal.

Translation and Language Requirements

Article 47 does not specify a language requirement for the DoC itself, but member states may require providers to make the DoC (and supporting documentation) available in their national language as a condition of market access. In practice, English is widely accepted for technical documentation across EU member states, but providers targeting Germany, France, Poland, or Spain should verify national requirements before placing the system on those markets. Building translation into the compliance process before market entry is cheaper than correcting it after a market surveillance request.

For providers supplying systems across multiple member states — a common position for EU-based SaaS companies — the practical approach is to prepare the DoC in English first, then commission translations for each market simultaneously, rather than sequentially. The core content does not change between language versions; only the presentation changes. Confirm each translated version is signed, dated, and stored in the same retention file as the original. If a market surveillance authority requests the document in its national language, you want to retrieve it in seconds, not weeks.

One further point on scope: where the AI system is placed on the market in a member state by a distributor or importer, those parties bear their own obligations under Articles 23 and 24 to verify that the DoC exists and is valid. A provider cannot rely on the distributor to flag a missing DoC — the obligation to draw it up and keep it available rests with the provider alone.

Penalties for Non-Compliance

Placing a high-risk AI system on the EU market without a valid DoC violates the provider obligations in Articles 16 and 47. Under Article 99 of the EU AI Act, this falls in the second penalty tier: up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher.

For companies with modest global turnover, the fixed sum dominates. For larger providers, 3% of global revenue can significantly exceed €15 million. Article 99(6) provides a proportionality protection for SMEs and start-ups: for them, the fine is the lower of the percentage or the fixed amount. This protection exists — but it is not a free pass. An invalid or absent DoC is still a violation.

The deadline for stand-alone high-risk AI systems (the Annex III list) is 2 December 2027 — pushed back from the original 2 August 2026 date under the Digital Omnibus agreement reached by the Parliament and Council in May 2026. High-risk AI systems that are safety components of Annex I regulated products face a further extended deadline of 2 August 2028. The extra time is for building genuine compliance, not for deferring the documentation work.

How Confir Helps

For providers who have completed the Confir assessment workflow, the Annex V Declaration of Conformity is generated automatically from the data already collected. The rule-based engine maps the completed assessment answers to each of the Annex V fields — provider identity, system identification, standards references, notified body details if applicable, and signatory information — and outputs a machine-readable document ready for signature. The same deterministic logic that derives the risk tier and the role (Provider / Deployer under Articles 6 and 16) also ensures the DoC references the correct Articles and assessment basis.

The generated DoC is exported as part of the Conformity Package alongside the Annex IV technical documentation. Providers can assign the authorised signatory, record the place and date of signature, and store the signed version in the immutable audit log — so that when a national competent authority requests a copy under Article 47(2), the signed document is retrievable in seconds, not hours of searching through email attachments.

Related guides

Frequently Asked Questions

What is the difference between the EU Declaration of Conformity and the conformity assessment?

The conformity assessment (Article 43) is the procedure — a systematic review of technical documentation, testing, and evidence against the requirements in Articles 9–15. The EU Declaration of Conformity (Article 47) is the document the provider draws up after that procedure is complete. It is a formal statement of the conclusion: the provider declares, under their sole responsibility, that the system is compliant. The DoC cannot be drawn up without first completing the assessment. One is the work; the other is the signed record of what the work found.

What must the EU Declaration of Conformity contain under Annex V?

Annex V requires: the provider's full name and address; the AI system's name, type, and a unique identifier; an explicit conformity statement citing Regulation (EU) 2024/1689; references to harmonised standards or common specifications applied (or a description of measures used where none exist); notified body details and certificate number where applicable; and the signatory's name, function, signature, and the place and date of signing. For non-EU providers, the authorised representative's details must also appear. If the DoC covers multiple systems, each must be individually identified.

Who must sign the EU Declaration of Conformity?

A person with authority to legally bind the provider — typically a director, CEO, or a compliance officer with documented delegated authority. For providers not established in the EU, the authorised representative (Article 22) must sign. The signatory's name and function must appear on the document alongside the signature, place, and date.

How long must the DoC be retained, and in what format?

Article 47(1) requires the DoC to be kept available to national competent authorities for 10 years after the system is placed on the market or put into service. It must be machine-readable — a properly tagged digital document, not an untagged image scan. For systems with multiple versions, retain each version's DoC for 10 years from that version's last market date.

Can a single DoC cover multiple EU regulations?

Yes. Article 47(4) explicitly permits a combined DoC for systems subject to other Union law that also requires a declaration of conformity — for example, a medical AI device covered by both the EU AI Act and the Medical Device Regulation. The combined DoC must contain all information required by each applicable regulation. Nothing is waived simply because the document spans multiple legal bases.

What is the penalty for placing a high-risk AI system on the market without a valid DoC?

Under Article 99 of the EU AI Act, failing to draw up or maintain a valid EU Declaration of Conformity falls in the second penalty tier: up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the two figures. The compliance deadline for stand-alone Annex III systems is 2 December 2027.

Last reviewed June 2026. Cites Regulation (EU) 2024/1689 (EU AI Act).

Manage your EU AI Act compliance in one place

Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.

Start free trial →

Related guides

Annex Guide

EU AI Act Annex V: Contents of the EU Declaration of Conformity

Annex V sets out the 7 required elements of the EU Declaration of Conformity (Article 47). Element guide, skeleton DoC, and 2 December 2027 deadline.

Guide

GPAI Compliance Under the EU AI Act: What You Actually Have to Do

GPAI model obligations apply from 2 Aug 2025. Art 53 baseline, Art 55 systemic risk, and what downstream providers owe instead. Clear split by role.

Guide

EU AI Act and Open-Source AI Models: How the Regulation Treats Open-Source AI

How the EU AI Act treats open-source AI: two distinct carve-outs under Article 2 and Article 53(2), where they stop, and what open-source cannot exempt.