137AI > Compliance & Conformity > EU AI Act Conformity Assessment
EU AI Act Conformity Assessment
Conformity assessment is the procedure by which providers of high-risk AI systems under the EU AI Act demonstrate that their systems meet the Act's requirements before placement on the EU market. The regime is the practical machinery that translates the Act's substantive obligations into verifiable conformance.
The conformity assessment regime is still being operationalized. Harmonized standards are under development through CEN-CENELEC JTC 21. Notified bodies are being designated unevenly across member states. The interpretation of specific requirements continues to evolve through guidance from the EU AI Office, member state competent authorities, and the practical experience of early conformity assessments. This page covers the machinery as it currently stands and the directions in which it is developing. The broader treatment of the EU AI Act as a regulatory framework appears in Regulatory Frameworks.
What Conformity Assessment Covers
Conformity assessment under the EU AI Act applies to high-risk AI systems as defined in Article 6 and Annex III of the Act. The high-risk categories include AI systems used as safety components of products covered by harmonization legislation listed in Annex I (machinery, toys, lifts, radio equipment, medical devices, and others), and AI systems in the Annex III stand-alone high-risk categories including biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice.
Providers of high-risk AI systems must complete conformity assessment before placing the system on the market or putting it into service. The conformity assessment evaluates the system against the substantive requirements in Chapter III, Section 2 of the Act, which include risk management, data and data governance, technical documentation, record keeping, transparency and provision of information to deployers, human oversight, and accuracy, robustness, and cybersecurity.
The conformity assessment is not a one-time event. The Act requires post-market monitoring throughout the lifecycle of the system, with re-assessment triggered by substantial modifications to the system.
Article 43 Procedures
The Act provides two routes to conformity assessment depending on the high-risk category and the role of harmonized standards.
Internal control conformity assessment, described in Annex VI, allows providers to assess conformance themselves. The provider must establish a quality management system, prepare and maintain technical documentation, conduct the conformity assessment internally, and draw up the EU declaration of conformity. This route applies primarily to systems in the Annex III high-risk categories where the provider has applied harmonized standards covering all relevant requirements.
Third-party conformity assessment with notified body involvement, described in Annex VII, requires the provider to engage an accredited notified body. The notified body evaluates the quality management system, assesses the technical documentation, and where applicable conducts surveillance of the system in operation. This route applies to certain biometric high-risk categories and to cases where harmonized standards have not been applied or do not cover all requirements.
For AI systems that are safety components of products already covered by sector-specific harmonization legislation, conformity assessment is integrated into the existing sector-specific procedure. A medical device with AI components, for example, is assessed under the Medical Device Regulation framework with the AI Act requirements integrated into that procedure.
Article 11 Technical Documentation
Technical documentation is the central evidence base for conformity assessment. Article 11 and Annex IV specify what the documentation must include.
| Documentation Element | What It Must Contain |
|---|---|
| General system description | Intended purpose, provider, system version, instructions for use, deployer interfaces, hardware and software environment |
| Detailed system description | System development methodology, design specifications, system architecture, computational resources, lifecycle |
| Monitoring, functioning and control description | Capabilities and limitations, expected accuracy and performance metrics, foreseeable unintended outcomes, human oversight measures |
| Risk management system documentation | Risk identification methodology, risk assessment results, risk mitigation measures, residual risk analysis, post-market monitoring linkage |
| Description of design changes | Changes made through the system lifecycle, rationale, conformity implications of changes |
| Harmonized standards and conformance approach | Which harmonized standards have been applied, where deviations exist and why, alternative means of meeting requirements |
| EU declaration of conformity | Formal declaration that the system meets the Act's requirements, signed by an authorized representative of the provider |
| Post-market monitoring system description | Plan for collecting and analyzing data on system performance throughout the lifecycle, incident reporting procedures |
The technical documentation requirements closely parallel the voluntary model card and datasheet conventions developed in AI research and practice. Operators producing technical documentation for EU AI Act conformity assessment often build on existing model card and datasheet artifacts, with the regulatory artifacts going deeper in specific areas the voluntary conventions do not cover.
Harmonized Standards Development
Harmonized standards are voluntary technical specifications developed by European standardization organizations that, once cited in the Official Journal, provide a presumption of conformity with the corresponding regulatory requirements. For the EU AI Act, harmonized standards are being developed primarily through CEN-CENELEC Joint Technical Committee 21 (JTC 21) on Artificial Intelligence.
JTC 21 work covers risk management for AI, data quality for AI, transparency taxonomy, AI trustworthiness framework, AI quality management, conformity assessment, AI cybersecurity, and AI bias. The standards build on prior work including ISO/IEC 23053 on AI framework using machine learning, ISO/IEC 42001 on AI management systems, ISO/IEC 22989 on AI concepts and terminology, and ISO/IEC 38507 on governance implications of AI.
The harmonized standards landscape is incomplete as of 2026. Several core standards have been published or are in late-stage development; others are at earlier stages. Where harmonized standards do not yet exist, providers either wait for the standards to be published, apply ISO/IEC standards that have not yet been harmonized, or develop their own technical specifications and demonstrate conformance through notified body assessment.
The standards development pace is one of the substantial operational considerations for early EU AI Act conformity assessment. Operators preparing for conformity assessment monitor JTC 21 work and align their internal practices with the emerging standards as they become available.
Notified Body Designation and Capacity
Notified bodies are independent organizations designated by member states under the EU AI Act to perform third-party conformity assessment. The designation is based on accreditation against EN ISO/IEC 17065 (product certification bodies) or related standards, with EU AI Act-specific competence requirements.
Notified body designation is occurring unevenly across member states. As of 2026, the population of designated notified bodies for EU AI Act conformity assessment is small relative to the population of high-risk AI systems entering the market. The capacity constraint is one of the practical considerations operators encounter when planning conformity assessment timelines.
The notified body designation pattern parallels earlier experience with the Medical Device Regulation and the General Product Safety Regulation, where notified body capacity was a bottleneck during early implementation. The expectation is that notified body capacity will grow over time as the AI conformity assessment market matures.
The mutual recognition arrangements between EU notified bodies and equivalent bodies in third countries are being developed. Where these arrangements exist, conformity assessment performed in one jurisdiction may satisfy requirements in another. Where they do not, providers may need to complete separate conformity assessment processes for different markets.
EU Declaration of Conformity and CE Marking
The EU declaration of conformity is the formal statement by the provider that the high-risk AI system meets the Act's requirements. The declaration includes identification of the provider, identification of the system, reference to the harmonized standards applied, identification of any notified body involved in the conformity assessment, and the signature of an authorized representative.
The declaration must be kept available for member state authorities for ten years after the system has been placed on the market. The declaration is the formal artifact that supports market surveillance and enforcement.
CE marking applies to high-risk AI systems that have completed conformity assessment. The CE mark is affixed to the system, its packaging, or its accompanying documentation as appropriate. The CE mark indicates that the system has been assessed against all applicable EU regulations including the AI Act and any sectoral regulations that apply.
The combination of the declaration of conformity and CE marking is the formal evidence base that the system has completed the conformity assessment process. Market surveillance authorities can request the declaration and supporting technical documentation, and providers must produce them on request.
Post-Market Monitoring and Incident Reporting
Conformity assessment is not the end of regulatory engagement. The Act requires post-market monitoring throughout the system lifecycle, with several specific obligations.
Post-market monitoring requires the provider to systematically collect and analyze data on the system's performance in operation. The monitoring plan is part of the technical documentation prepared for conformity assessment and must be implemented after market placement.
Serious incident reporting under Article 73 requires providers to report serious incidents to the market surveillance authority of the member state where the incident occurred. Serious incidents include any incident leading to death or serious damage to health, serious property damage, serious damage to critical infrastructure, or serious infringement of fundamental rights. Reporting timelines are specified in the Act, with the most serious incidents requiring immediate notification.
Substantial modifications to the system trigger re-assessment. A substantial modification is one that affects the system's compliance with the Act's requirements or changes the intended purpose for which the system was assessed. The provider must determine whether a planned modification is substantial and complete re-assessment if it is.
Cooperation with market surveillance authorities is an ongoing obligation. Providers must respond to information requests, produce documentation on request, and cooperate with corrective action procedures when authorities identify conformance concerns.
Operational Considerations
Operators preparing for or undergoing EU AI Act conformity assessment encounter several recurring operational considerations.
Documentation production is substantial. The Article 11 technical documentation requirements are detailed, and producing documentation that satisfies an experienced notified body assessor or member state authority requires meaningful investment. Operators with mature AI development practices, model card and datasheet conventions already in place, and quality management systems with AI extensions find the documentation production more tractable than operators starting from scratch.
Risk management methodology choices matter. The Act requires a risk management system but does not prescribe a specific methodology. Operators select among ISO 31000-based approaches, NIST AI Risk Management Framework-based approaches, sector-specific methodologies, and combinations. The choice affects how risk management is documented and how its operation is demonstrated.
Harmonized standards selection is partly tactical. Where harmonized standards exist and provide presumption of conformity, applying them simplifies the conformity assessment. Where harmonized standards do not cover all relevant requirements, operators apply ISO/IEC standards or develop their own approaches and demonstrate conformance through alternative means.
Internal versus third-party assessment routing is a strategic decision. Internal control routing avoids notified body engagement but requires the operator to be confident in its own assessment. Third-party routing engages a notified body with associated cost and timeline but produces an external attestation that may have value beyond regulatory conformance.
Cross-jurisdiction conformity is a planning consideration. Operators planning to deploy in multiple jurisdictions consider how EU AI Act conformity assessment interacts with UK AI regulation, US sectoral requirements, and other jurisdictional frameworks. Some artifacts produced for EU conformity assessment have utility in other jurisdictions; others do not.
The Reframe
EU AI Act conformity assessment is the operational machinery that gives the Act its enforcement teeth. The regime is still being operationalized through harmonized standards development, notified body designation, and the accumulating experience of early conformity assessments. Operators preparing for the Act's full application encounter substantial documentation requirements, methodology choices, and interaction with notified bodies whose capacity is being built out. The work compounds with practice, both at the operator level as conformity assessment becomes routine and at the regime level as the standards and bodies mature. The conformity assessment machinery is one of the substantial compliance infrastructure projects the AI ecosystem currently has underway.
Related Coverage
Compliance & Conformity | Regulatory Frameworks | ISO/IEC 42001 AI Management Systems | AI Documentation as Compliance Evidence