Conformity Assessment Checklist

1.1AI system risk classification completed (FORM-AI-CLS-001)

1.2System confirmed as high-risk

1.3Conformity assessment path determined (internal vs. third-party). Note: Art. 43(2) mandates internal control (Annex VI) for Annex III points 2-8; for Annex III point 1, Art. 43(1) provides a choice but defaults to third-party (Annex VII) when harmonised standards are not applied.

1.4Technical documentation prepared per Annex IV

1.5All development phase requirements completed

1.6Risk assessment completed (FORM-AI-RM-001)

1.7Testing and validation completed

2.1.1Risk management system established

2.1.2Risk management system documented

2.1.3System maintained throughout AI lifecycle

2.1.4System includes iterative process

2.2.1Known and foreseeable risks identified

2.2.2Risks to health assessed

2.2.3Risks to safety assessed

2.2.4Risks to fundamental rights assessed

2.2.5Risks from intended use assessed

2.2.6Risks from reasonably foreseeable misuse assessed

2.2.7Post-market monitoring data considered

2.3.1Risk mitigation measures implemented

2.3.2Residual risks are acceptable

2.3.3Residual risks communicated to deployers

2.3.4Measures proportionate to risks

2.4.1Testing procedures defined for risk management

2.4.2Testing conducted at appropriate development stages

2.4.3Testing against clearly defined metrics

2.4.4Real-world testing conducted where appropriate

3.1.1Data governance and management practices established

3.1.2Design choices for data documented

3.1.3Data collection processes documented

3.1.4Data preparation operations documented

3.2.1Training datasets clearly identified

3.2.2Validation datasets clearly identified

3.2.3Testing datasets clearly identified

3.2.4Data provenance documented

3.2.5Data labeling procedures documented

3.3.1Data is relevant to intended purpose

3.3.2Data is sufficiently representative

3.3.3Data is free from errors to the extent possible

3.3.4Data is complete for intended purpose

3.3.5Appropriate statistical properties for target group

3.4.1Possible biases in datasets examined

3.4.2Biases affecting health, safety, fundamental rights identified

3.4.3Appropriate bias mitigation measures applied

3.5.1Personal data processing complies with GDPR

3.5.2Special category data processing justified

3.5.3DPIA completed where required

4.1.1Intended purpose described

4.1.2Provider name and contact provided

4.1.3System version/release identified

4.1.4Interaction with hardware/software described

4.1.5Forms of AI system distribution described

4.2.1System architecture described

4.2.2Main components described

4.2.3Development process described

4.2.4Computational resources documented

4.2.5Third-party tools/components identified

4.3.1AI methods and algorithms described

4.3.2Design specifications documented

4.3.3Key design choices explained

4.3.4Trade-offs documented

4.3.5Main classification choices documented

4.4.1Capabilities clearly described

4.4.2Limitations clearly described

4.4.3Accuracy levels documented

4.4.4Foreseeable unintended outcomes documented

4.4.5Potential risks to health/safety/fundamental rights documented

4.5.1Validation procedures documented

4.5.2Testing procedures documented

4.5.3Metrics used documented

4.5.4Test results documented

4.5.5Performance against target groups documented

4.6.1Risk management system documented

4.6.2Identified risks documented

4.6.3Mitigation measures documented

4.7.1Substantial changes documented

4.7.2Change impact assessments documented

5.1.1Automatic logging capability implemented

5.1.2Events recorded throughout system operation

5.1.3Recording period identification of use documented

5.1.4Monitoring of operation enabled

5.2.1Date/time of system use logged

5.2.2Reference database (input data) logged

5.2.3Input data that led to match logged

5.2.4Identity of natural persons involved in verification logged

5.3.1Logs secured against tampering

5.3.2Logs retained for appropriate period

5.3.3Logs accessible to competent authorities

6.1.1System designed for transparency

6.1.2Operation sufficiently transparent for deployers

6.1.3Deployers can interpret output

6.1.4Deployers can use output appropriately

6.2.1Instructions for use provided

6.2.2Provider identity included

6.2.3Intended purpose described

6.2.4Performance levels documented

6.2.5Known circumstances affecting performance documented

6.2.6Human oversight measures described

6.2.7Expected lifetime documented

6.2.8Maintenance requirements documented

7.1.1System designed for human oversight

7.1.2Human oversight proportionate to risks

7.1.3Oversight during period of use enabled

7.2.1Persons can fully understand system capabilities

7.2.2Persons can fully understand system limitations

7.2.3Persons can detect automation bias

7.2.4Persons can correctly interpret output

7.2.5Persons can decide not to use or disregard output

7.2.6Persons can intervene on operation

7.2.7Persons can stop system via "stop" button

7.3.1If system has high autonomy, measures identified for risk

7.3.2Measures proportionate to automation level

8.1.1Appropriate level of accuracy achieved

8.1.2Accuracy levels declared in instructions

8.1.3Accuracy metrics appropriate for intended purpose

8.2.1Appropriate level of robustness achieved

8.2.2Resilience to errors, faults, inconsistencies

8.2.3Robustness through technical redundancy

8.2.4Fail-safe mechanisms implemented

8.3.1Appropriate level of cybersecurity achieved

8.3.2Resilient against unauthorized third-party access

8.3.3Resilient against adversarial manipulation

8.3.4Protection against data poisoning

8.3.5Protection against model manipulation

8.3.6Protection against input manipulation

9.1QMS established

9.2QMS documented

9.3QMS implemented

9.4QMS maintained

9.5Strategy for regulatory compliance documented

9.6Design, verification, validation procedures documented

9.7Systems and procedures for data management documented

9.8Risk management system documented

9.9Post-market monitoring documented

9.10Procedures for incident reporting documented

9.11Communication with competent authorities documented

9.12Resource management documented

9.13Accountability framework documented

10.1Post-market monitoring system established

10.2System proportionate to AI technology

10.3Data actively collected

10.4Data reviewed and analyzed

10.5Compliance with requirements evaluated

10.6System integrated into QMS

10.7Post-market monitoring plan documented

10.8Plan included in technical documentation

11.1Declaration prepared in required format

11.2Provider name and address included

11.3AI system identification included

11.4Statement of conformity included

11.5Reference to standards/specifications made

11.6Notified body details included (if applicable)

11.7Declaration dated

11.8Declaration signed by authorized representative

11.9Declaration kept for 10 years

11.10Translation available in required languages

12.1CE marking affixed (if required)

12.2Marking visible, legible, indelible

12.3Marking accompanied by notified body number (if applicable)

12.4Marking affixed before placing on market

13.1AI system registered in EU database

13.2Registration completed before placing on market

13.3Required information provided

13.4Registration kept up to date

13.5Registration reference documented