How to Conduct an EU AI Act Conformity Assessment: Step-by-Step
A practical guide for high-risk AI providers on the two assessment paths, the step-by-step process, required documentation, and key August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement) deadlines.
The August 2026 deadline (postponed to 2 December 2027 under the AI Omnibus agreement) is approaching. If you place a high-risk AI system on the EU market, you must complete a conformity assessment before your product can legally carry a CE marking. For many providers, this is the most operationally complex obligation in the entire EU AI Act.
This guide breaks the process into manageable steps. You will learn what a conformity assessment is, which path applies to your system, how to work through each requirement, and how to close out the process with proper documentation and registration.
What Is a Conformity Assessment Under the EU AI Act?
A conformity assessment is the formal procedure by which a provider demonstrates that a high-risk AI system meets all the mandatory requirements set out in Articles 9 through 15 of the EU AI Act (Regulation (EU) 2024/1689). It covers risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity.
Think of it as a structured audit of your AI system against a defined checklist — with legal consequences if you skip it.
Only providers of high-risk AI systems are required to complete one. Deployers, importers, and distributors have separate but lighter obligations.
Who Must Complete a Conformity Assessment?
Any provider that places a high-risk AI system on the EU market or puts it into service within the EU must complete a conformity assessment before market placement. This applies to:
- Companies established in the EU offering high-risk AI to EU users
- Companies established outside the EU whose systems are used in the EU
- Providers of AI systems embedded in products covered by EU harmonised legislation (see Annex I of the AI Act)
If you are a deployer — meaning you use a third-party AI system rather than develop it — conformity assessment responsibilities rest with the provider, though you still have due diligence and registration obligations.
Two Paths: Self-Assessment or Notified Body?
This is the first critical decision. The EU AI Act establishes two distinct paths under Article 43, and the route you take depends entirely on what your system does.
Path 1: Notified Body Assessment (Article 43(1))
You must engage an accredited third-party notified body if your system falls into either of these categories:
- Annex III, Section 1: AI systems used for biometric identification and categorisation of natural persons (remote biometric identification systems, emotion recognition in specific contexts)
- Annex I systems: AI used as a safety component in products governed by EU harmonised legislation listed in Annex I (medical devices, machinery, aviation, automotive, etc.) where that sector legislation already requires a third-party assessment
This path involves submitting your technical documentation to the notified body, undergoing a formal audit, and receiving a certificate of conformity before you can affix the CE marking.
Path 2: Internal Control Procedure (Article 43(2) + Annex VI)
All other high-risk systems listed in Annex III — including AI in education, employment, essential services, law enforcement (subject to conditions), migration, and administration of justice — may follow the internal control procedure defined in Annex VI.
Under this path, you conduct the assessment yourself, document your findings, and issue the EU Declaration of Conformity without involving an external body. This is the path most software-only AI providers will follow.
| System type | Assessment path |
|---|---|
| Annex III §1 — biometric identification | Notified body required |
| Annex I product safety components | Notified body required (if sector law requires it) |
| All other Annex III systems | Internal control (self-assessment) |
Step-by-Step: The Internal Control Procedure
If your system qualifies for self-assessment, here is how to work through it systematically. Each step maps to a specific article or annex of the EU AI Act.
Step 1 — Establish a Risk Management System (Article 9)
Set up a continuous risk management process that identifies, estimates, evaluates, and mitigates known and reasonably foreseeable risks posed by your system. This is not a one-time exercise — it must be maintained throughout the system's lifecycle.
Document the risks identified, the mitigation measures adopted, and the residual risks accepted. This documentation feeds directly into your technical file.
Step 2 — Implement Data Governance Practices (Article 10)
If your system involves training on data, you must demonstrate that your training, validation, and test datasets are relevant, representative, and free from errors that could produce discriminatory outputs. Document your data sources, curation methodology, and any known limitations.
Systems that do not involve model training (for example, a system using a pre-trained foundation model via API) still need to document the data used for fine-tuning or retrieval augmentation.
Step 3 — Prepare Technical Documentation (Article 11 + Annex IV)
Technical documentation is the centrepiece of the conformity assessment. Annex IV of the EU AI Act specifies exactly what it must contain: a general description of the system, its intended purpose, the development process, performance metrics, the risk management measures, and post-market monitoring plans.
This document must be ready before market placement and kept up to date throughout the system's operational life. It is the primary document you would produce for a market surveillance authority if audited.
Step 4 — Set Up Logging and Record-Keeping (Article 12)
Your system must be capable of automatically logging events to the extent technically feasible. Logs must allow reconstruction of circumstances that led to a risk materialising or an incident occurring. Retention periods depend on the context; for systems in areas such as law enforcement and migration, specific minimums apply.
Step 5 — Ensure Transparency Toward Deployers (Article 13)
Providers must supply deployers with clear instructions for use. These must cover the system's intended purpose, performance levels, known limitations, human oversight measures required, and maintenance needs. The instructions are a legally mandated document, not optional product documentation.
Step 6 — Design In Human Oversight (Article 14)
Your system must be designed to allow deployers to oversee, interrupt, or override its outputs. Document the specific oversight measures built into the system — this might include output confidence scores, mandatory review queues, or hard stops for certain decision types.
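The two requirements with the most direct engineering content are Step 4 (Article 12 logging that lets an incident be reconstructed) and Step 6 (oversight measures such as confidence thresholds, review queues and hard stops). The following is an added example, not code from the article or from DilAIg: it implements a hash-chained, append-only decision log and a simple oversight gate in front of the model's output. The thresholds, decision types and case identifiers are constructed for illustration; a provider would derive its own from the Article 9 risk analysis.

```python
import hashlib
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed values for the example; real thresholds come from the provider's risk analysis.
REVIEW_THRESHOLD = 0.85             # outputs below this confidence go to a human review queue
HARD_STOP_TYPES = {"deny_benefit"}  # decision types that are never released without a human
GENESIS_HASH = "0" * 64


def _hash_record(prev_hash: str, body: dict) -> str:
    """Chain hash: SHA-256 over the previous entry's hash and a canonical JSON encoding."""
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + canonical).encode("utf-8")).hexdigest()


@dataclass
class DecisionLog:
    """Append-only, hash-chained record of every automated decision (Article 12)."""
    records: list = field(default_factory=list)
    review_queue: list = field(default_factory=list)

    def append(self, body: dict) -> dict:
        prev_hash = self.records[-1]["hash"] if self.records else GENESIS_HASH
        entry = {"seq": len(self.records), "prev_hash": prev_hash, "body": body,
                 "hash": _hash_record(prev_hash, body)}
        self.records.append(entry)
        return entry

    def verify_chain(self) -> bool:
        """Detects any edited, reordered or deleted entry."""
        prev_hash = GENESIS_HASH
        for i, entry in enumerate(self.records):
            if entry["seq"] != i or entry["prev_hash"] != prev_hash:
                return False
            if _hash_record(prev_hash, entry["body"]) != entry["hash"]:
                return False
            prev_hash = entry["hash"]
        return True

    def reconstruct(self, case_id: str) -> list:
        """Ordered events for one case: the 'circumstances' an investigator needs."""
        return [e["body"] for e in self.records if e["body"]["case_id"] == case_id]


def process_decision(log, *, case_id, decision_type, model_version, input_ref,
                     output, confidence, timestamp=None):
    """Apply the oversight gate (Article 14), then log the outcome (Article 12).

    Returns 'auto_released', 'queued_for_review' or 'blocked_for_human'.
    """
    if decision_type in HARD_STOP_TYPES:
        status = "blocked_for_human"
    elif confidence < REVIEW_THRESHOLD:
        status = "queued_for_review"
    else:
        status = "auto_released"
    body = {
        "case_id": case_id,
        "decision_type": decision_type,
        "model_version": model_version,  # which model produced the output
        "input_ref": input_ref,          # pointer to the stored input, not the raw personal data
        "output": output,
        "confidence": confidence,
        "status": status,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
    }
    log.append(body)
    if status != "auto_released":
        log.review_queue.append(case_id)
    return status


def record_human_override(log, *, case_id, reviewer_id, final_output, timestamp=None):
    """Log the reviewer's decision so the whole chain of events for a case is reconstructible."""
    body = {
        "case_id": case_id, "decision_type": "human_override", "model_version": None,
        "input_ref": None, "output": final_output, "confidence": None,
        "status": "human_decided", "reviewer_id": reviewer_id,
        "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
    }
    log.append(body)
    if case_id in log.review_queue:
        log.review_queue.remove(case_id)
    return body


if __name__ == "__main__":
    log = DecisionLog()
    for cid, dtype, out, conf in [("A1", "rank_candidate", "shortlist", 0.97),
                                  ("A2", "rank_candidate", "reject", 0.61),
                                  ("A3", "deny_benefit", "deny", 0.99)]:
        print(cid, process_decision(log, case_id=cid, decision_type=dtype, model_version="v2.3.1",
                                    input_ref=f"blob://in/{cid}", output=out, confidence=conf))
    record_human_override(log, case_id="A2", reviewer_id="reviewer-17", final_output="shortlist")
    print(log.reconstruct("A2"))
    print("chain intact:", log.verify_chain())
```

The log stores a reference to the input rather than the input itself, which keeps personal data out of the audit trail while still allowing reconstruction; the chain hash makes silent edits to past entries detectable, which is what a market surveillance authority will want to see when it asks how a particular decision came about. Verification belongs in a separate process from the one that writes the log.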
Step 7 — Validate Accuracy, Robustness, and Cybersecurity (Article 15)
Define the accuracy metrics relevant to your system, test against them, and document your results. Demonstrate robustness against errors, faults, and inconsistencies. Show that cybersecurity measures are in place proportionate to the risk.
Step 8 — Complete the Internal Control Check (Annex VI)
Once all the above steps are documented, formally record that you have verified compliance with each requirement. Annex VI requires you to check and document: that the technical documentation is complete, that the system design conforms to the documentation, and that the risk management system is operational.
Issuing the EU Declaration of Conformity (Article 47)
When the conformity assessment is complete, the provider must draw up a written EU Declaration of Conformity (DoC) and keep it available for at least ten years after the system is placed on the market.
Under Article 47, the Declaration of Conformity must contain:
- The name and address of the provider
- A statement that the system is in conformity with the EU AI Act
- The name, address, and identification number of the notified body (if applicable)
- Reference to any harmonised standards applied
- The place and date of issue, the provider's signature or equivalent
The CE marking must be affixed to the system or its documentation after the DoC is issued. For software-only systems, the marking appears in the instructions for use and the technical documentation.
Registering in the EU Database (Article 49)
Before placing your high-risk AI system on the market, you must register it in the EU-wide database maintained by the European AI Office. Registration must occur prior to market placement — it is not a post-launch formality.
The registration covers key system information: the provider's identity, the system's intended purpose, the conformity assessment procedure followed, and the reference number of the EU Declaration of Conformity.
For systems intended for law enforcement or migration control, different access rules apply to the public-facing portion of the database.
Post-Market Monitoring Obligations (Article 72)
Conformity assessment is not the end of your obligations. Article 72 requires providers to establish and maintain a post-market monitoring system that actively collects, documents, and analyses data about system performance throughout its operational lifetime.
If incidents occur — meaning unintended malfunctions causing or capable of causing harm — providers must report serious incidents to market surveillance authorities. Post-market monitoring data also feeds back into your risk management system, making the whole process cyclical.
Timeline: Key Dates for Providers
| Milestone | Date |
|---|---|
| EU AI Act enters into force | August 2024 |
| Prohibited AI practices banned | February 2025 |
| GPAI model obligations apply | August 2025 |
| High-risk AI obligations fully apply | August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement) |
| Annex I (product safety) systems | August 2027 |
Most high-risk AI system providers face the August 2026 deadline (postponed to 2 December 2027 under the AI Omnibus agreement). If you are embedding AI into a regulated product covered by Annex I sector legislation, you have until August 2027, but starting now is strongly advisable.
How DilAIg Supports the Conformity Assessment Process
Completing a conformity assessment manually means gathering evidence across eight distinct legal requirements, maintaining a living technical file, and producing several legally structured documents simultaneously.
DilAIg generates the four mandatory documents — Technical Documentation (Annex IV), EU Declaration of Conformity, FRIA, and Transparency Notice — directly from a guided 50-question audit. Instead of starting from blank templates, you answer questions about your system and receive production-ready documents aligned to the current text of the EU AI Act.
Start your conformity assessment with DilAIg →
Contact us if you have questions about your system →
FAQ: EU AI Act Conformity Assessment
Does every AI system need a conformity assessment?
No. Only high-risk AI systems as defined in Article 6 — systems listed in Annex III, or AI safety components in Annex I products — require a formal conformity assessment. Limited-risk systems (Article 50) have transparency obligations only, and minimal-risk systems have no mandatory obligations.
Can I self-certify my high-risk AI system?
Yes, in most cases. The internal control procedure under Article 43(2) and Annex VI allows providers to self-assess all Annex III systems except those in Section 1 (biometric identification). Only those systems, and AI safety components in Annex I products where sector law requires it, need a notified body.
What happens if I don't complete a conformity assessment?
Placing a high-risk AI system on the EU market without a valid conformity assessment is a serious infringement. National market surveillance authorities can prohibit market access. Fines under the EU AI Act can reach €15 million or 3% of global annual turnover, whichever is higher, for non-compliance with high-risk obligations.
How long does a conformity assessment take?
For the internal control path, the timeline depends entirely on how quickly you can gather evidence and produce the required documentation. With structured tooling, a well-organised team can complete the process in 4 to 8 weeks. Notified body assessments typically take longer, depending on body availability and documentation readiness.
Must I redo the conformity assessment if I update my system?
Yes, if the changes substantially affect compliance. Article 43 requires providers to reassess systems that undergo substantial modifications — which are modifications that could affect the system's compliance with the requirements or change its intended purpose.
Key Takeaways
- Conformity assessment is mandatory for all high-risk AI systems before EU market placement
- Two paths exist: notified body (biometric systems and Annex I product safety components) and internal control (all other Annex III systems)
- The internal control procedure covers eight requirements: Articles 9–15 plus the Annex VI checklist
- The EU Declaration of Conformity must be kept for at least ten years
- Registration in the EU database under Article 49 must happen before market placement, not after
- Post-market monitoring under Article 72 is an ongoing obligation, not a one-time task
- The primary deadline for most high-risk AI providers is August 2026 (postponed to 2 December 2027 under the AI Omnibus agreement)