EU AI Act Conformity Assessment: Step-by-Step Guide for High-Risk AI
How to complete an EU AI Act conformity assessment for high-risk AI systems. Internal vs third-party assessment, the Declaration of Conformity, CE marking, and EU database registration explained.
Before any high-risk AI system can be legally placed on the EU market or put into service, its provider must complete a conformity assessment — a formal process demonstrating that the system meets all applicable requirements of the EU AI Act. Without it, there is no legal basis for deployment.
This guide walks through every step of the process: what it involves, who needs a third-party assessment, and how to execute the internal assessment path that applies to most enterprise AI systems.
What Is a Conformity Assessment?
A conformity assessment is a structured verification procedure that produces a legally binding conclusion: that your AI system complies with the EU AI Act. The outcome of a successful assessment is:
- An EU Declaration of Conformity (Article 47) — a signed legal document
- CE marking (Article 48) — affixed to the system or its documentation
- EU AI Act database registration (Article 49) — completed before deployment
Think of it as the AI equivalent of product safety certification — except instead of a physical product, it applies to software that makes consequential decisions.
Internal vs Third-Party Assessment: Which Do You Need?
This is the first — and most commercially significant — question.
Third-Party Assessment (Notified Body Required)
A small subset of high-risk AI systems must be assessed by an accredited notified body — an independent third-party organisation designated by an EU Member State. Third-party assessment is mandatory for:
- Biometric identification systems (Annex III, Category 1): Remote biometric identification systems, including real-time facial recognition
- AI systems embedded in regulated products (Annex I): AI that is a safety component of medical devices, machinery, aircraft, vehicles, or toys — where the sector-specific legislation already requires notified body involvement
For these systems, the notified body reviews your technical documentation, may inspect your processes, and issues a certificate of conformity before you can affix CE marking.
Internal Conformity Assessment (Self-Assessment)
All other Annex III high-risk AI systems — Categories 2 through 8, covering employment, critical infrastructure, education, essential services, law enforcement, migration, and justice — can complete a self-assessment without involving a notified body.
This is the path that applies to the vast majority of enterprise AI systems, including recruitment AI, credit scoring, benefits eligibility, and most other commercial AI applications.
Internal assessment does not mean informal. It requires the same rigour as a third-party assessment — the difference is that you are both the subject and the assessor.
The Five Steps of Internal Conformity Assessment
Step 1: Complete All Annex IV Documentation
Every conformity assessment begins here. You cannot assess conformity if you have not first documented what you are assessing.
All 8 Annex IV items must be complete, accurate, and internally reviewed before you proceed:
- General description of the AI system
- Design specifications and development process
- Training, validation, and testing data
- Instructions for use
- Risk management system
- Human oversight measures
- Accuracy, robustness, and cybersecurity
- Quality management and post-market monitoring
Practical check: Assign each item to a named owner. Have a second person review each section for completeness. Any item that contains placeholder language, approximate figures, or “TBD” entries is not complete.
Step 2: Conduct the Internal Compliance Audit
With documentation complete, conduct a systematic audit verifying that your AI system actually complies with each applicable article of the Act. Work through each obligation:
| Article | Obligation | Evidence to check |
|---|---|---|
| Article 9 | Risk management system established and maintained | Risk register; mitigation test records; update history |
| Article 10 | Data governance requirements met | Dataset documentation; bias audit report; GDPR alignment |
| Article 11 + Annex IV | Technical documentation complete | All 8 items reviewed and signed off |
| Article 12 | Automatic logging operational | Log sample; retention policy documented |
| Article 13 | Instructions for use provided to deployers | Instructions document; deployer acknowledgement |
| Article 14 | Human oversight measures implemented | UI specification; override mechanism tested; stop function documented |
| Article 15 | Accuracy, robustness, and cybersecurity measures in place | Test reports; penetration test; disaggregated performance data |
| Article 17 | Quality management system established | QMS document; roles and responsibilities assigned |
Rate each item: Compliant, Partially Compliant, or Non-Compliant. Record the evidence reference for each compliant item. Anything rated Partially Compliant or Non-Compliant must be remediated before you proceed to Step 3.
Common findings at this stage:
- Logging is implemented but retention period is not formally documented
- Override mechanism exists in the UI but is not described in the Instructions for Use
- Risk register was completed during development but has not been updated since launch
- Disaggregated accuracy data exists but has not been formally recorded in Annex IV documentation
Do not sign the Declaration until every item is rated Compliant. A Declaration signed with known open non-compliances is legally problematic.
Step 3: Resolve All Gaps
Every non-compliant or partially compliant finding from Step 2 must be closed before proceeding. Document each remediation:
- What was non-compliant
- What change was made
- Who verified the change
- Date resolved
This remediation log becomes part of your conformity assessment record and demonstrates due diligence to any regulator who later asks to see your process.
Step 4: Draw Up the EU Declaration of Conformity
The Declaration of Conformity is a formal legal document. Article 47 specifies its required content:
Mandatory elements:
- Name and address of the provider (or authorised representative if non-EU)
- AI system name, version, and description
- Statement that the AI system is in conformity with this Regulation
- Reference to applicable obligations under the EU AI Act
- Reference to any harmonised standards applied (if available — EU harmonised AI standards are still being developed by CEN/CENELEC; reference ISO/IEC 42001:2023 in the interim if applicable)
- Where applicable: notified body name, number, and certificate reference
- Place and date of issue
- Name, function, and signature of the authorised person
Format: No mandatory template — but it must be a formal document, not an internal email or spreadsheet entry. Keep it in letterhead format, dated and signed.
Who signs it: A senior person with authority to bind the company legally — typically the CEO, CTO, or EU Authorised Representative (for non-EU providers).
Language: Must be provided in a language accepted by the relevant market surveillance authority. Providing it in English plus the national language of the primary deployment market is best practice.
Step 5: Affix CE Marking and Register in the EU Database
CE Marking (Article 48)
CE marking signals to the market that the AI system has completed conformity assessment. For software-only AI systems:
- The CE marking must appear on the system or its documentation — typically in the Instructions for Use, the deployer onboarding documentation, and any commercial materials describing the product
- It must be visible, legible, and indelible — for a digital product, this means it should appear on every version of the documentation, not just an internal compliance file
- The CE marking must not be affixed before the Declaration of Conformity is signed
EU AI Act Database Registration (Article 49)
Before placing the system on the market, register it in the EU Commission’s public AI database. Required information includes:
- Provider identity and contact details
- System name, version, and description
- Intended purpose and Annex III category
- Geographic scope of deployment
- Declaration of Conformity details and date
- CE marking reference
Registration generates a unique registration number that should be referenced in the Declaration of Conformity and included in the Instructions for Use provided to deployers.
What Counts as a “Substantial Modification”?
Once you have completed conformity assessment and deployed your system, any substantial modification requires a new conformity assessment procedure. The EU AI Act defines a substantial modification as a change that affects the system’s compliance with the applicable requirements, or alters the intended purpose.
Examples that require a new assessment:
- Retraining the model on a materially different dataset
- Changing the model architecture
- Expanding the intended purpose to a new use case
- Significantly changing the output format or the decisions it informs
- Adding new users or deployers in a new sector
Examples that typically do not require a new assessment (but must be documented):
- Minor performance improvements without change to intended purpose
- Bug fixes that do not affect compliance-relevant behaviour
- UI changes that do not affect the oversight mechanism
Maintain a change log for every release. For each entry, document whether the change constitutes a substantial modification and the reasoning behind that determination. This log is your evidence that you are managing conformity correctly across the product lifecycle.
How Long Does It Take?
The conformity assessment procedure itself — once all documentation is complete — typically takes 2–4 weeks for an organised team. The documentation phase (Steps 1 and 2) is where time is actually spent: 2–4 months for organisations starting from scratch.
Given that the August 2, 2026 deadline is the hard cutoff, and documentation typically requires 60–90 days, organisations that have not started should begin immediately.
Where to Start
If you haven’t completed your Annex IV documentation, the conformity assessment is not yet within reach. Start with a gap analysis.
Use our free Status Quo Assessment to check readiness across all 8 Annex IV items and get a personalised gap report delivered to your inbox. For a complete 16-page Annex IV Technical Documentation Roadmap with practical examples for every item, see our paid report.