aicomply.
STD-AI-010

AI Conformity Assessment Standard

Undergo conformity assessment before placing high-risk AI systems on the market.

Document Type: Standard
Standard ID: STD-AI-010
Standard Title: AI Conformity Assessment Standard
Version: 1.0
Effective Date: 2025-08-01
Next Review Date: 2026-08-01
Review Frequency: Annually or upon regulatory change
Parent Policy: POL-AI-001 - Artificial Intelligence Policy
Owner: Chief Legal Officer
Approved By: AI Governance Committee Chair
Status: Draft
Classification: Confidential


TABLE OF CONTENTS

  1. Document History
  2. Objective
  3. Scope and Applicability
  4. Control Standard
  5. Supporting Procedures
  6. Compliance
  7. Roles and Responsibilities
  8. Exceptions
  9. Enforcement
  10. Key Performance Indicators (KPIs)
  11. Training Requirements
  12. Definitions
  13. Link with AI Act and ISO42001

DOCUMENT HISTORY

| Version | Date | Author | Changes | Approval Date | Approved By |
|---|---|---|---|---|---|
| 0.1 | 2025-07-10 | Michael Brown, Chief Legal Officer | Initial draft | - | - |
| 0.2 | 2025-07-25 | Michael Brown, Chief Legal Officer | Added Annex VI/VII details | - | - |
| 0.3 | 2025-08-01 | Michael Brown, Chief Legal Officer | Incorporated stakeholder feedback | - | - |
| 1.0 | 2025-08-01 | Michael Brown, Chief Legal Officer | Final version approved - GRC restructured | 2025-07-25 | Jane Doe, AI Governance Committee Chair |

OBJECTIVE

This standard defines requirements for conducting conformity assessment of high-risk AI systems before market placement, in compliance with EU AI Act Article 43 and Annexes VI & VII.

Primary Goals:

  • Conduct internal conformity assessment per Annex VI for Annex III points 2–8 high-risk AI systems (notified body involvement not available for these categories)
  • For Annex III point 1 (biometric) systems: select between Annex VI (internal control) and Annex VII (notified body QMS/technical documentation assessment) per Article 43(1); apply Annex VII where harmonised standards are not applied
  • Conduct conformity assessment per applicable Union harmonisation legislation for Annex I product safety AI systems, with Annex VII points 4.3–4.6 also applying per Article 43(3)
  • Prepare and issue EU Declaration of Conformity per Article 47
  • Affix CE marking per Article 48
  • Maintain conformity throughout AI system lifecycle

SCOPE AND APPLICABILITY

2.1 Mandatory Applicability

This standard is mandatory for:

  • All high-risk AI systems before market placement (EU AI Act Article 43)
  • All substantial modifications to high-risk AI systems
  • Providers placing high-risk AI systems on EU market

2.2 Conformity Assessment Procedures Covered

Per Article 43, there are three tracks:

  • Track 1 — Annex III points 2–8 systems: Annex VI internal control (self-assessment) only. Notified body involvement under Annex VII is not available for these high-risk AI categories (Article 43(2)).
  • Track 2 — Annex III point 1 (biometric) systems: Provider may choose Annex VI (internal control) or Annex VII (notified body QMS and technical documentation assessment). Annex VII is mandatory where harmonised standards do not exist, are not applied, or common specifications are not applied (Article 43(1)).
  • Track 3 — Annex I product safety systems: Conformity assessment follows the applicable Union harmonisation legislation listed in Annex I. Annex VII points 4.3–4.6 also apply (Article 43(3)).
  • EU Declaration of Conformity (Article 47)
  • CE marking (Article 48)

2.3 Out of Scope

  • Non-high-risk AI systems (no conformity assessment required)
  • Conformity assessment outside EU AI Act scope

CONTROL STANDARD

Control CA-001: Technical Documentation Preparation for Conformity Assessment

Control ID: CA-001
Control Name: Technical Documentation Preparation for Annex VI Assessment
Control Type: Preventive
Control Frequency: Per high-risk AI system
Risk Level: High

Control Objective

Prepare complete technical documentation per Annex IV for Annex VI internal control conformity assessment to ensure all required documentation is available for compliance verification.

Control Requirements

CR-001.1: Technical Documentation Completeness

Prepare complete technical documentation per Annex IV.

Documentation Requirements:

  • All Annex IV elements complete
  • Technical documentation current
  • Documentation reviewed and approved
  • Documentation available for authorities

Mandatory Actions:

  • Create technical documentation (per STD-AI-004)
  • Verify completeness against Annex IV checklist
  • Obtain technical review
  • Obtain legal review
  • Obtain final approval
  • Archive documentation

Annex IV Completeness Checklist:

| Annex IV Element | Required | Status | Evidence |
|---|---|---|---|
| System description | YES |  | Technical documentation |
| Intended purpose | YES |  | Technical documentation |
| System architecture | YES |  | Architecture documentation |
| Data governance | YES |  | Data documentation (STD-AI-003) |
| Risk management | YES |  | Risk documentation (STD-AI-002) |
| Human oversight | YES |  | Oversight documentation (STD-AI-007) |
| Accuracy/robustness/security | YES |  | Performance documentation (STD-AI-008) |
| Testing and validation | YES |  | Test documentation (STD-AI-009) |
| Instructions for use | YES |  | User documentation (STD-AI-006) |
Instructions for useYESUser documentation (STD-AI-006)

Evidence Required:

  • Complete technical documentation package
  • Annex IV completeness checklist
  • Review records
  • Approval records
  • Archive records

Audit Verification:

  • Verify technical documentation prepared
  • Confirm Annex IV completeness verified
  • Check reviews conducted
  • Validate approval obtained

Control CA-002: Compliance Verification

Control ID: CA-002
Control Name: EU AI Act Compliance Verification
Control Type: Preventive
Control Frequency: Per conformity assessment
Risk Level: High

Control Objective

Verify AI system compliance with all EU AI Act requirements to ensure system meets all regulatory obligations before market placement.

Control Requirements

CR-002.1: Comprehensive Compliance Verification

Verify compliance with all applicable EU AI Act requirements.

Compliance Checklist:

| Requirement | Article | Verification Method | Evidence Required | Status |
|---|---|---|---|---|
| Risk Management System | Article 9 | Review risk management documentation | Risk documentation (STD-AI-002) |  |
| Data Governance | Article 10 | Review data quality and bias assessments | Data documentation (STD-AI-003) |  |
| Technical Documentation | Article 11 | Verify Annex IV completeness | Technical documentation (STD-AI-004) |  |
| Record-Keeping | Article 12 | Verify logging implementation | Logging documentation (STD-AI-005) |  |
| Transparency | Article 13 | Review instructions for use | User documentation (STD-AI-006) |  |
| Human Oversight | Article 14 | Verify oversight measures | Oversight documentation (STD-AI-007) |  |
| Accuracy/Robustness/Security | Article 15 | Review test results | Performance documentation (STD-AI-008) |  |
| Quality Management System | Article 17 | Verify QMS implementation | QMS documentation (STD-AI-009) |  |

Mandatory Actions:

  • Review all compliance evidence
  • Verify each requirement met
  • Document verification results
  • Address any gaps
  • Obtain compliance sign-off
  • Block market placement if non-compliant

Gap Analysis and Remediation:

| Gap Type | Severity | Remediation Required | Timeline |
|---|---|---|---|
| Missing documentation | High | Complete documentation | Before assessment |
| Non-compliance | Critical | Remediate non-compliance | Before market placement |
| Minor gaps | Medium | Document and plan remediation | Per remediation plan |

Evidence Required:

  • Compliance Verification Checklist (CHK-AI-CA-001)
  • Verification records
  • Gap analysis (if applicable)
  • Remediation records
  • Compliance sign-off

Audit Verification:

  • Verify compliance verification conducted
  • Confirm all requirements checked
  • Check gaps identified and addressed
  • Validate compliance sign-off obtained
  • Verify market placement blocked if non-compliant

Control CA-003: Conformity Assessment Report

Control ID: CA-003
Control Name: Annex VI Conformity Assessment Report
Control Type: Preventive
Control Frequency: Per conformity assessment
Risk Level: High

Control Objective

Prepare conformity assessment report documenting compliance for Annex VI internal control procedure to provide evidence of conformity assessment completion.

Control Requirements

CR-003.1: Conformity Assessment Report Preparation

Prepare comprehensive conformity assessment report.

Report Contents:

| Section | Content | Required |
|---|---|---|
| AI System Identification | Name, type, version, unique identifier | YES |
| Intended Purpose | Description of intended purpose | YES |
| Conformity Assessment Procedure | Annex VI (Internal Control) | YES |
| Technical Documentation Summary | Summary of technical documentation | YES |
| Compliance Verification Results | Results of compliance verification | YES |
| Test Results Summary | Summary of testing and validation | YES |
| Risk Management Summary | Summary of risk management | YES |
| Conclusion of Conformity | Statement of conformity | YES |
| Date and Signature | Date and authorized signature | YES |

Mandatory Actions:

  • Compile assessment results
  • Prepare conformity assessment report
  • Review report for accuracy
  • Obtain approval
  • Archive report
  • Maintain for 10 years

Evidence Required:

  • Conformity Assessment Report (RPT-AI-CA-XXX)
  • Supporting documentation
  • Review records
  • Approval records
  • Archive records

Audit Verification:

  • Verify conformity assessment report prepared
  • Confirm all required sections included
  • Check report reviewed and approved
  • Validate report archived

Control CA-004: Notified Body Selection

Control ID: CA-004
Control Name: Notified Body Selection and Engagement
Control Type: Preventive
Control Frequency: Per Annex VII assessment
Risk Level: High

Control Objective

Select and engage qualified notified body for Annex VII conformity assessment to ensure competent third-party assessment for Annex I product safety AI systems.

Control Requirements

CR-004.1: Notified Body Selection Process

Select and engage qualified notified body.

Selection Criteria:

| Criterion | Description | Weight | Evaluation |
|---|---|---|---|
| Designation | Designated for AI Act conformity assessment | Critical | Must be designated |
| Expertise | Expertise in relevant domain | High | Domain expertise required |
| Availability | Availability and timeline | Medium | Timeline acceptable |
| Cost | Assessment cost | Medium | Cost reasonable |
| Reputation | Reputation and track record | Medium | Good reputation |

Mandatory Actions:

  • Identify candidate notified bodies
  • Evaluate against criteria
  • Select notified body
  • Negotiate contract
  • Engage notified body
  • Document selection

Evidence Required:

  • Notified body evaluation
  • Selection justification
  • Contract with notified body
  • Engagement records

Audit Verification:

  • Verify notified body selected
  • Confirm notified body designated for AI Act
  • Check contract executed
  • Validate engagement documented

Control CA-005: QMS Assessment Preparation

Control ID: CA-005
Control Name: QMS Assessment Preparation for Annex VII
Control Type: Preventive
Control Frequency: Per Annex VII assessment
Risk Level: High

Control Objective

Prepare for notified body QMS assessment to ensure QMS is ready for third-party evaluation.

Control Requirements

CR-005.1: QMS Assessment Readiness

Ensure QMS fully implemented and ready for assessment.

Preparation Activities:

| Activity | Description | Required | Evidence |
|---|---|---|---|
| QMS Implementation | Ensure QMS fully implemented | YES | QMS documentation (STD-AI-009) |
| Internal QMS Audit | Conduct internal QMS audit | YES | Internal audit report |
| Nonconformity Remediation | Address any nonconformities | YES | Remediation records |
| QMS Documentation | Prepare QMS documentation package | YES | QMS documentation package |
| Notified Body Briefing | Brief notified body on QMS | YES | Briefing records |

Mandatory Actions:

  • Review QMS implementation
  • Conduct pre-assessment audit
  • Remediate findings
  • Compile QMS documentation package
  • Schedule notified body assessment
  • Brief notified body

Evidence Required:

  • QMS documentation package
  • Internal audit report
  • Remediation records
  • Assessment schedule
  • Briefing records

Audit Verification:

  • Verify QMS fully implemented
  • Confirm internal audit conducted
  • Check findings remediated
  • Validate documentation package prepared

Control CA-006: Technical Documentation Assessment Preparation

Control ID: CA-006
Control Name: Technical Documentation Preparation for Annex VII
Control Type: Preventive
Control Frequency: Per Annex VII assessment
Risk Level: High

Control Objective

Prepare technical documentation for notified body review to ensure complete and accurate documentation is available for Annex VII assessment.

Control Requirements

CR-006.1: Technical Documentation Readiness

Ensure technical documentation complete and ready for notified body review.

Preparation Activities:

| Activity | Description | Required | Evidence |
|---|---|---|---|
| Documentation Completeness | Ensure technical documentation complete | YES | Technical documentation (STD-AI-004) |
| Internal Documentation Review | Conduct internal documentation review | YES | Internal review records |
| Gap Remediation | Address any gaps | YES | Gap remediation records |
| Documentation Package | Prepare documentation package | YES | Documentation package |
| Submission to Notified Body | Submit to notified body | YES | Submission records |

Mandatory Actions:

  • Review technical documentation
  • Verify completeness
  • Address gaps
  • Compile documentation package
  • Submit to notified body
  • Track submission

Evidence Required:

  • Technical documentation package
  • Internal review records
  • Submission records

Audit Verification:

  • Verify technical documentation complete
  • Confirm internal review conducted
  • Check gaps addressed
  • Validate documentation submitted

Control CA-007: Notified Body Assessment Support

Control ID: CA-007
Control Name: Notified Body Assessment Support and Response
Control Type: Preventive
Control Frequency: Per Annex VII assessment
Risk Level: High

Control Objective

Support notified body during assessment and respond to findings to ensure successful Annex VII conformity assessment.

Control Requirements

CR-007.1: Notified Body Assessment Support

Support notified body during assessment process.

Assessment Process:

| Step | Description | Support Required |
|---|---|---|
| QMS Review | Notified body reviews QMS | Provide QMS documentation, answer questions |
| Technical Documentation Review | Notified body reviews technical documentation | Provide documentation, clarify questions |
| On-Site Assessment | Notified body may conduct on-site assessment | Facilitate on-site visit, provide access |
| Additional Information | Notified body may request additional information | Provide requested information promptly |
| Assessment Report | Notified body issues assessment report | Review report, respond to findings |
| Certificate | Notified body issues certificate (if compliant) | Obtain and archive certificate |

Mandatory Actions:

  • Provide requested information
  • Support on-site assessment
  • Address notified body findings
  • Obtain assessment report
  • Obtain certificate (if compliant)
  • Archive assessment records

Findings Response:

| Finding Type | Severity | Response Required | Timeline |
|---|---|---|---|
| Major Nonconformity | Critical | Immediate remediation | Before certificate |
| Minor Nonconformity | Medium | Remediation plan | Per plan |
| Observation | Low | Document and monitor | Ongoing |

Evidence Required:

  • Notified body assessment report
  • Findings and responses
  • EU-type examination certificate (if applicable)
  • Correspondence with notified body
  • Archive records

Audit Verification:

  • Verify notified body supported
  • Confirm findings addressed
  • Check certificate obtained (if compliant)
  • Validate records archived

Control CA-008: EU Declaration of Conformity Preparation

Control ID: CA-008
Control Name: EU Declaration of Conformity Preparation
Control Type: Preventive
Control Frequency: Per high-risk AI system, per substantial modification
Risk Level: High

Control Objective

Prepare EU Declaration of Conformity with all required elements per Article 47 to provide formal declaration of compliance.

Control Requirements

CR-008.1: Declaration Preparation

Prepare EU Declaration of Conformity with all required elements.

Required Elements (Article 47(1)):

| Element | Content | Required | Source |
|---|---|---|---|
| AI System Identification | Name, type, version | YES | Technical documentation |
| Provider Information | Name, address | YES | Company information |
| Declaration Statement | "This declaration of conformity is issued under the sole responsibility of the provider" | YES | Standard text |
| Object of Declaration | AI system description and intended purpose | YES | Technical documentation |
| Conformity Statement | "The object of the declaration described above is in conformity with Regulation (EU) 2024/1689" | YES | Standard text |
| Harmonized Standards | References to harmonized standards applied | If applicable | Standards documentation |
| Common Specifications | References (if no harmonized standards) | If applicable | Specifications documentation |
| Notified Body Details | Name, number, certificate number (if Annex VII) | If Annex VII | Notified body certificate |
| Additional Information | Any other relevant information | If applicable | As needed |
| Place and Date | Where and when issued | YES | Declaration location and date |
| Signature | Name and function of signatory | YES | Authorized signatory |

Mandatory Actions:

  • Complete declaration template
  • Verify all required elements included
  • Review for accuracy
  • Obtain legal review
  • Obtain authorized signature
  • Date declaration

Evidence Required:

  • EU Declaration of Conformity (DOC-AI-CONFORM-XXX)
  • Declaration template
  • Review records
  • Signature authorization

Audit Verification:

  • Verify declaration prepared
  • Confirm all required elements included
  • Check legal review conducted
  • Validate signature obtained

Control CA-009: EU Declaration of Conformity Review and Approval

Control ID: CA-009
Control Name: EU Declaration of Conformity Review and Approval
Control Type: Preventive
Control Frequency: Per declaration
Risk Level: High

Control Objective

Review and approve EU Declaration of Conformity before issuance to ensure accuracy, completeness, and legal compliance.

Control Requirements

CR-009.1: Declaration Review and Approval Process

Conduct comprehensive review and obtain approval.

Review Checklist:

| Check | Description | Required | Status |
|---|---|---|---|
| Completeness | All required elements present | YES |  |
| Accuracy | Information accurate and current | YES |  |
| Consistency with Technical Documentation | Consistent with technical documentation | YES |  |
| Consistency with Conformity Assessment | Consistent with conformity assessment | YES |  |
| Legal Compliance | Legally compliant | YES |  |
| Proper Signature | Properly signed | YES |  |

Approval Authority:

  • Legal review required
  • Executive approval required (CEO or authorized delegate)

Mandatory Actions:

  • Conduct legal review
  • Verify accuracy
  • Obtain executive approval
  • Sign declaration
  • Date declaration
  • Archive declaration

Evidence Required:

  • Review checklist
  • Legal approval
  • Executive approval
  • Signed declaration
  • Archive records

Audit Verification:

  • Verify review conducted
  • Confirm legal approval obtained
  • Check executive approval obtained
  • Validate declaration signed and dated

Control CA-010: EU Declaration of Conformity Availability

Control ID: CA-010
Control Name: EU Declaration of Conformity Retention and Availability
Control Type: Preventive
Control Frequency: Continuous, 10-year retention
Risk Level: Medium

Control Objective

Keep EU Declaration of Conformity available per Article 47(2) to ensure availability to competent authorities for 10 years.

Control Requirements

CR-010.1: Declaration Availability Management

Maintain declaration availability per regulatory requirements.

Availability Requirements:

| Requirement | Specification | Implementation |
|---|---|---|
| Retention Period | 10 years | Archive for 10 years |
| Language | Available in language(s) required by Member State(s) | Provide translations if needed |
| Authority Requests | Provided upon request | Respond promptly to requests |
| Updates | Kept up to date | Update when AI system changes |

Mandatory Actions:

  • Store declaration securely
  • Maintain for 10 years
  • Provide translations if needed
  • Update when AI system changes
  • Respond to authority requests
  • Document availability

Evidence Required:

  • Declaration storage records
  • Retention compliance
  • Translation records (if applicable)
  • Authority request responses
  • Update records

Audit Verification:

  • Verify declaration stored securely
  • Confirm 10-year retention maintained
  • Check translations provided (if needed)
  • Validate authority requests responded to

Control CA-011: CE Marking Affixing

Control ID: CA-011
Control Name: CE Marking Affixing and Display
Control Type: Preventive
Control Frequency: Per high-risk AI system
Risk Level: High

Control Objective

Affix CE marking to high-risk AI system per Article 48 to indicate EU conformity.

Control Requirements

CR-011.1: CE Marking Affixing

Affix CE marking per Article 48 requirements.

CE Marking Requirements (Article 48(1)):

| Requirement | Specification | Implementation |
|---|---|---|
| Visibility | Visible, legible, and indelible | Ensure proper display |
| Timing | Affixed before placing on market | Affix before market placement |
| Physical Products | Affixed to AI system or packaging | Affix to product/packaging |
| Software | Affixed to instructions for use | Include in instructions for use |
| Additional Markings | May be accompanied by pictogram or other marking | If applicable |

Mandatory Actions:

  • Determine where to affix CE marking
  • Design CE marking display
  • Affix CE marking
  • Verify visibility and legibility
  • Document CE marking
  • Verify before market placement

CE Marking Placement:

| AI System Type | Placement Location | Verification |
|---|---|---|
| Physical Product | Product or packaging | Visual inspection |
| Software | Instructions for use | Documentation review |
| Cloud Service | Instructions for use, website | Documentation review |

Evidence Required:

  • CE marking placement documentation
  • CE marking images
  • Instructions for use with CE marking
  • Verification records

Audit Verification:

  • Verify CE marking affixed
  • Confirm visibility and legibility
  • Check placement appropriate
  • Validate documented

Control CA-012: CE Marking Compliance

Control ID: CA-012
Control Name: CE Marking Rules Compliance
Control Type: Preventive
Control Frequency: Per CE marking
Risk Level: High

Control Objective

Ensure CE marking complies with all rules per Article 48(2-5) to maintain regulatory compliance.

Control Requirements

CR-012.1: CE Marking Rules Compliance

Ensure CE marking complies with all regulatory rules.

CE Marking Rules (Article 48(2-5)):

| Rule | Description | Compliance Requirement |
|---|---|---|
| Conformity Indication | CE marking indicates conformity with EU AI Act | Only affix if compliant |
| Provider Responsibility | CE marking affixed under provider's responsibility | Ensure provider responsibility clear |
| Non-Compliant Systems | CE marking not affixed if AI system not compliant | Verify compliance before affixing |
| Other Markings | Other markings allowed if not confused with CE marking | Avoid confusing markings |
| Authority Evidence | National authorities may request evidence of conformity | Prepare evidence package |

Mandatory Actions:

  • Verify conformity before affixing CE marking
  • Ensure provider responsibility clear
  • Avoid confusing markings
  • Prepare evidence for authorities
  • Monitor CE marking compliance

Evidence Required:

  • Conformity verification
  • CE marking authorization
  • Evidence package for authorities

Audit Verification:

  • Verify conformity verified before affixing
  • Confirm provider responsibility clear
  • Check no confusing markings
  • Validate evidence package prepared

Control CA-013: Conformity Assessment Maintenance

Control ID: CA-013
Control Name: Ongoing Conformity Maintenance and Monitoring
Control Type: Detective
Control Frequency: Continuous
Risk Level: Medium

Control Objective

Maintain conformity throughout AI system lifecycle and reassess when substantial modifications occur to ensure ongoing compliance.

Control Requirements

CR-013.1: Ongoing Compliance Monitoring

Monitor ongoing compliance with EU AI Act requirements.

Monitoring Activities:

| Activity | Description | Frequency | Evidence |
|---|---|---|---|
| Substantial Modification Monitoring | Monitor for substantial modifications | Continuous | Modification tracking |
| Regulatory Change Monitoring | Monitor regulatory changes | Quarterly | Regulatory update log |
| Conformity Assessment Validity | Monitor conformity assessment validity | Annually | Validity tracking |
| Certificate Validity | Monitor certificate validity (if Annex VII) | Annually | Certificate tracking |
| CE Marking Integrity | Monitor CE marking integrity | Annually | CE marking verification |

Mandatory Actions:

  • Establish compliance monitoring process
  • Track modifications
  • Track regulatory updates
  • Verify certificate validity
  • Verify CE marking
  • Report compliance status

CR-013.2: Substantial Modification Assessment

Reassess conformity when substantial modifications occur.

Substantial Modification Triggers:

| Trigger | Description | Assessment Required |
|---|---|---|
| Compliance Impact | Change affecting compliance | YES |
| Intended Purpose Change | Change to intended purpose | YES |
| Risk Profile Change | Change to risk profile | YES |
| Technical Specification Change | Change to technical specifications | YES |
| Regulatory Interpretation | Regulatory interpretation changes | YES |

Mandatory Actions:

  • Assess if modification is substantial
  • If substantial, initiate new conformity assessment
  • Update technical documentation
  • Update EU Declaration of Conformity
  • Update CE marking if needed
  • Document modification assessment

Evidence Required:

  • Compliance monitoring records
  • Modification tracking
  • Regulatory update log
  • Certificate validity tracking
  • Modification assessment records
  • New conformity assessment (if needed)
  • Updated documentation

Audit Verification:

  • Verify compliance monitoring established
  • Confirm modifications tracked
  • Check substantial modifications reassessed
  • Validate documentation updated

SUPPORTING PROCEDURES

This standard is implemented through the following detailed procedures:

Procedure PROC-AI-CA-001: Conformity Assessment Planning Procedure

Purpose: Define step-by-step process for planning conformity assessment
Owner: Chief Legal Officer
Implements: Controls CA-001, CA-002, CA-003, CA-004

Procedure Steps:

  1. Determine conformity assessment procedure (Annex VI or VII)
  2. Prepare technical documentation - Control CA-001
  3. Verify compliance - Control CA-002
  4. Prepare conformity assessment report (Annex VI) - Control CA-003
  5. Select notified body (Annex VII) - Control CA-004

Outputs:

  • Conformity assessment plan
  • Technical documentation
  • Compliance verification
  • Conformity assessment report (Annex VI)
  • Notified body selection (Annex VII)

Procedure PROC-AI-CA-002: Internal Control Procedure (Annex VI)

Purpose: Define process for Annex VI internal control assessment
Owner: Chief Legal Officer
Implements: Controls CA-001, CA-002, CA-003

Procedure Steps:

  1. Prepare technical documentation - Control CA-001
  2. Verify compliance - Control CA-002
  3. Prepare conformity assessment report - Control CA-003
  4. Obtain approval
  5. Archive records

Outputs:

  • Technical documentation
  • Compliance verification
  • Conformity assessment report

Procedure PROC-AI-CA-003: EU Declaration of Conformity Procedure

Purpose: Define process for preparing and issuing EU Declaration of Conformity
Owner: Chief Legal Officer
Implements: Controls CA-008, CA-009, CA-010

Procedure Steps:

  1. Prepare declaration - Control CA-008
  2. Review and approve - Control CA-009
  3. Sign and date
  4. Archive declaration - Control CA-010
  5. Maintain availability

Outputs:

  • EU Declaration of Conformity
  • Review records
  • Approval records
  • Archive records

COMPLIANCE

5.1 Compliance Monitoring

Monitoring Approach: Continuous automated monitoring supplemented by monthly manual reviews and quarterly comprehensive audits.

Compliance Metrics:

| Metric | Target | Measurement Method | Frequency | Owner |
|---|---|---|---|---|
| Conformity Assessment Completion | 100% | % of high-risk AI assessed before market placement | Monthly | Chief Legal Officer |
| EU Declaration of Conformity Coverage | 100% | % of high-risk AI with declaration | Monthly | Chief Legal Officer |
| CE Marking Compliance | 100% | % of high-risk AI with proper CE marking | Monthly | Chief Legal Officer |
| Assessment Timeliness | < 90 days | Average days to complete assessment | Per assessment | Chief Legal Officer |
| Substantial Modification Reassessment | 100% | % of substantial modifications reassessed | Monthly | Chief Legal Officer |
| Notified Body Findings | 0 major | # of major findings from notified body | Per assessment | Chief Legal Officer |

Monitoring Tools:

  • Conformity Assessment Dashboard
  • Compliance Reports
  • Monthly compliance reports
  • Quarterly AI Governance Committee reviews

5.2 Internal Audit Requirements

Audit Frequency: Annually (minimum)

Audit Scope:

  • Conformity assessment completion
  • Technical documentation completeness
  • Compliance verification quality
  • EU Declaration of Conformity accuracy
  • CE marking compliance
  • Conformity maintenance
  • Controls effectiveness (CA-001 through CA-013)

Audit Activities:

  • Review 100% of high-risk AI for conformity assessment
  • Sample 20% of conformity assessments for quality review
  • Test compliance verification process
  • Review EU Declarations of Conformity
  • Test CE marking compliance
  • Review conformity maintenance

Audit Outputs:

  • Annual Conformity Assessment Audit Report
  • Findings and recommendations
  • Corrective action plans for deficiencies

5.3 External Audit / Regulatory Inspection

Preparation:

  • Maintain audit-ready conformity assessment documentation at all times
  • Designate Chief Legal Officer and Legal as regulatory liaisons
  • Prepare standard response procedures for authority requests

Provide to Auditors/Regulators:

  • Conformity assessment reports
  • Technical documentation
  • EU Declarations of Conformity
  • CE marking documentation
  • Notified body certificates (if applicable)
  • Internal audit reports
  • Evidence of controls execution

Authority Request Response:

  • Acknowledge request within 1 business day
  • Provide requested documentation within 5 business days
  • Coordinate through Legal and Chief Legal Officer
  • Document all interactions with authorities

ROLES AND RESPONSIBILITIES

6.1 RACI Matrix

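| Activity | Chief Legal Officer | AI Act Program Manager | AI System Owner | Quality Director | CTO | Executive Management |
|---|---|---|---|---|---|---|
| Conformity Assessment Planning | R/A | R | C | I | C | I |
| Technical Documentation Preparation | R | C | A | I | R | I |
| Compliance Verification | R/A | R | C | C | C | I |
| Conformity Assessment Report | R | R | C | I | C | I |
| Notified Body Selection | R/A | R | I | I | I | I |
| QMS Assessment Preparation | R | C | I | R/A | I | I |
| EU Declaration Preparation | R/A | R | C | I | I | I |
| EU Declaration Approval | R | C | I | I | I | A |
| CE Marking | R | R | A | I | I | I |
| Conformity Maintenance | R/A | R | A | I | I | I |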

RACI Legend:

  • R = Responsible (does the work)
  • A = Accountable (ultimately answerable)
  • C = Consulted (provides input)
  • I = Informed (kept up-to-date)

6.2 Role Descriptions

Chief Legal Officer

  • Primary Responsibility: Owns conformity assessment framework, ensures compliance
  • Key Activities:
    • Oversees conformity assessment process
    • Ensures regulatory compliance
    • Approves EU Declarations of Conformity
    • Reports to management
  • Required Competencies: EU AI Act Article 43-48, conformity assessment, regulatory compliance

AI Act Program Manager

  • Primary Responsibility: Manages conformity assessment process
  • Key Activities:
    • Coordinates conformity assessments
    • Manages assessment timelines
    • Tracks compliance status
    • Reports metrics
  • Required Competencies: Conformity assessment procedures, project management

AI System Owner

  • Primary Responsibility: Accountable for conformity of their AI system
  • Key Activities:
    • Provides technical information
    • Supports assessment
    • Ensures CE marking affixed
    • Monitors for modifications
  • Required Competencies: AI system knowledge, conformity assessment awareness

Quality Director

  • Primary Responsibility: Ensures QMS ready for Annex VII assessment
  • Key Activities:
    • Prepares QMS for assessment
    • Supports notified body assessment
  • Required Competencies: QMS management, Annex VII requirements

CTO

  • Primary Responsibility: Ensures technical documentation ready
  • Key Activities:
    • Prepares technical documentation
    • Supports assessment
  • Required Competencies: Technical documentation, Annex IV requirements

Executive Management

  • Primary Responsibility: Signs EU Declaration of Conformity
  • Key Activities:
    • Reviews and approves declarations
    • Signs declarations
  • Required Competencies: Executive authority, regulatory awareness

EXCEPTIONS

7.1 Exception Philosophy

Conformity assessment is a mandatory regulatory requirement for high-risk AI systems before market placement. Exceptions are granted restrictively and only where compensating controls adequately mitigate risks.


7.2 Allowed Exceptions

The following exceptions may be granted with proper justification and approval:

| Exception Type | Justification Required | Maximum Duration | Approval Authority | Compensating Controls |
|---|---|---|---|---|
| Extended Assessment Timeline | Resource constraints prevent timely assessment | 30 days | Chief Legal Officer + AI Governance Committee | Interim compliance measures; Accelerated plan |

7.3 Prohibited Exceptions

The following exceptions cannot be granted under any circumstances:

  • Skipping conformity assessment for high-risk AI - Mandatory per Article 43, no exceptions
  • Placing high-risk AI on market without assessment - Illegal, no exceptions
  • Skipping EU Declaration of Conformity - Mandatory per Article 47, no exceptions
  • Skipping CE marking - Mandatory per Article 48, no exceptions
  • Skipping substantial modification reassessment - Required for ongoing compliance


7.4 Exception Request Process

Step 1: Submit Exception Request

  • Complete Exception Request Form (FORM-AI-EXCEPTION-001)
  • Include business justification
  • Propose compensating controls
  • Specify duration requested
  • Attach risk assessment

Step 2: Risk Assessment

  • Chief Legal Officer assesses risk of granting exception
  • Evaluates adequacy of compensating controls
  • Documents residual risk

Step 3: Approval

  • Route to appropriate approval authority based on exception type
  • Chief Legal Officer approval: Minor exceptions
  • Chief Legal Officer + AI Governance Committee: Significant exceptions
  • AI Governance Committee: Critical exceptions

Step 4: Documentation and Monitoring

  • Document exception in Exception Register
  • Assign exception owner
  • Set review date
  • Monitor compensating controls
  • Report exceptions quarterly to AI Governance Committee

Step 5: Exception Review and Closure

  • Review exception at specified review date
  • Assess if exception still needed
  • Close exception when normal assessment completed
  • Document lessons learned

ENFORCEMENT

8.1 Non-Compliance Consequences

| Violation | Severity | Consequence | Remediation Required |
|---|---|---|---|
| Placing high-risk AI on market without assessment | Critical | Immediate removal from market; Legal investigation | Complete assessment immediately; Root cause analysis |
| Missing EU Declaration of Conformity | Critical | Immediate suspension; Compliance gap assessment | Prepare declaration within 5 business days |
| Missing CE marking | Critical | Immediate correction; Compliance gap assessment | Affix CE marking within 5 business days |
| Incomplete conformity assessment | High | Escalation to AI Governance Committee | Complete assessment within 10 business days |
| Substantial modification not reassessed | High | Escalation to management | Reassess within 10 business days |

8.2 Escalation Procedures

Level 1: Chief Legal Officer

  • Minor procedural violations
  • Documentation deficiencies
  • Timeline delays < 5 days
  • Action: Written warning, corrective action required

Level 2: Chief Legal Officer + AI Governance Committee

  • Repeated violations
  • Incomplete assessments
  • Missing declarations
  • Action: Formal review, corrective action plan, management notification

Level 3: AI Governance Committee

  • Placing AI on market without assessment
  • Missing CE marking
  • Critical compliance failures
  • Action: Immediate market removal, investigation, disciplinary action

Level 4: Executive Management + Legal

  • Potential regulatory enforcement action
  • Significant legal liability
  • Reputational risk
  • Action: Executive crisis management, legal strategy, regulatory engagement

8.3 Immediate Escalation Triggers

Escalate immediately to AI Governance Committee + Legal if:

  • ⚠️ High-risk AI system placed on market without conformity assessment
  • ⚠️ Missing EU Declaration of Conformity
  • ⚠️ Missing CE marking
  • ⚠️ Regulatory inquiry or inspection related to conformity assessment
  • ⚠️ Notified body finding of major nonconformity

8.4 Disciplinary Actions

Individuals responsible for conformity assessment violations may be subject to:

  • Verbal or written warning
  • Mandatory retraining
  • Performance improvement plan
  • Reassignment of responsibilities
  • Suspension (with pay during investigation)
  • Termination (for egregious violations, e.g., knowingly placing AI on market without assessment)

Factors Considered:

  • Intent (knowing violation vs. honest mistake)
  • Severity of violation
  • Impact (actual or potential)
  • Cooperation with remediation
  • Prior violation history

KEY PERFORMANCE INDICATORS (KPIs)

9.1 Conformity Assessment KPIs

| KPI ID | KPI Name | Definition | Target | Measurement Method | Frequency | Owner | Reporting To |
|---|---|---|---|---|---|---|---|
| KPI-CA-001 | Conformity Assessment Completion | % of high-risk AI assessed before market placement | 100% | (# assessed / # high-risk AI) × 100 | Per system | Chief Legal Officer | AI Governance Committee |
| KPI-CA-002 | EU Declaration of Conformity Coverage | % of high-risk AI with declaration | 100% | (# with declaration / # high-risk AI) × 100 | Monthly | Chief Legal Officer | Management |
| KPI-CA-003 | CE Marking Compliance | % of high-risk AI with proper CE marking | 100% | (# with CE marking / # high-risk AI) × 100 | Monthly | Chief Legal Officer | Management |
| KPI-CA-004 | Assessment Timeliness | Average days to complete assessment | < 90 days | Σ (assessment days) / # assessments | Per assessment | Chief Legal Officer | Management |
| KPI-CA-005 | Substantial Modification Reassessment | % of substantial modifications reassessed | 100% | (# reassessed / # substantial modifications) × 100 | Monthly | Chief Legal Officer | AI Governance Committee |
| KPI-CA-006 | Notified Body Findings | Number of major findings from notified body | 0 | Count of major findings | Per assessment | Chief Legal Officer | AI Governance Committee |
| KPI-CA-007 | Declaration Accuracy | % of declarations with no errors | 100% | (# error-free / # total declarations) × 100 | Per declaration | Chief Legal Officer | Management |
| KPI-CA-008 | Technical Documentation Completeness | % of assessments with complete documentation | 100% | (# complete / # assessments) × 100 | Per assessment | Chief Legal Officer | Management |

9.2 KPI Dashboards and Reporting

Real-Time Dashboard (Chief Legal Officer access)

  • Current conformity assessment status
  • Declaration status
  • CE marking status
  • Assessment timelines
  • Compliance status

Monthly Management Report

  • KPI-CA-001, 002, 003, 004, 005, 007, 008
  • Trend analysis (vs. previous month)
  • Issues and risks
  • Planned actions

Quarterly AI Governance Committee Report

  • All KPIs
  • Conformity assessment effectiveness assessment
  • Notified body findings review
  • Internal audit findings (if conducted)
  • Exception register review

Annual Executive Report

  • Full-year KPI performance
  • Conformity assessment maturity assessment
  • Strategic recommendations
  • Regulatory outlook

9.3 KPI Thresholds and Alerts

| KPI | Green (Good) | Yellow (Warning) | Red (Critical) | Alert Action |
|---|---|---|---|---|
| Conformity Assessment Completion | 100% | 95-99% | < 95% | Red: Immediate escalation to AI Governance Committee Chair |
| EU Declaration of Conformity Coverage | 100% | 95-99% | < 95% | Red: Immediate escalation to AI Governance Committee |
| CE Marking Compliance | 100% | 95-99% | < 95% | Red: Immediate escalation to AI Governance Committee |
| Assessment Timeliness | < 90 days | 90-120 days | > 120 days | Red: Escalate to AI Governance Committee |
| Notified Body Findings | 0 | 1-2 | > 2 | Red: Immediate escalation to AI Governance Committee |

TRAINING REQUIREMENTS

10.1 Training Program Overview

All personnel involved in conformity assessment must complete role-specific training to ensure competency in EU AI Act Articles 43-48 requirements, conformity assessment procedures, and regulatory compliance.


10.2 Role-Based Training Requirements

| Role | Training Course | Duration | Content | Frequency | Assessment Required |
|---|---|---|---|---|---|
| Chief Legal Officer | Conformity Assessment Expert Training | 20 hours | EU AI Act Articles 43-48; Annex VI/VII; Declaration; CE marking | Initial + annually | Yes - Written exam (≥90%) |
| AI Act Program Manager | Conformity Assessment Management Training | 16 hours | Conformity assessment procedures; Planning; Coordination | Initial + annually | Yes - Written exam (≥90%) |
| Legal Staff | Conformity Assessment Legal Training | 12 hours | Legal requirements; Declaration; Compliance | Initial + annually | Yes - Written exam (≥90%) |
| AI System Owners | Conformity Assessment Overview | 4 hours | Conformity assessment requirements; Responsibilities; Support | At onboarding + annually | Yes - Knowledge check (≥80%) |
| All AI Development Staff | Conformity Assessment Awareness | 2 hours | Conformity assessment basics; Requirements; Awareness | At onboarding + annually | Yes - Knowledge check (≥80%) |

10.3 Training Content by Topic

EU AI Act Articles 43-48 Requirements

  • Conformity assessment (Article 43)
  • Certificates (Article 44)
  • EU Declaration of Conformity (Article 47)
  • CE marking (Article 48)
  • Compliance obligations

Annex VI - Internal Control

  • Self-assessment procedure
  • Technical documentation requirements
  • Compliance verification
  • Conformity assessment report

Annex VII - QMS + Technical Documentation

  • Notified body assessment
  • QMS assessment preparation
  • Technical documentation assessment
  • Certificate process

EU Declaration of Conformity

  • Declaration requirements
  • Declaration preparation
  • Declaration review and approval
  • Declaration availability

CE Marking

  • CE marking requirements
  • CE marking affixing
  • CE marking rules
  • CE marking compliance

10.4 Training Delivery Methods

Initial Training:

  • Instructor-led classroom or virtual training
  • Includes interactive exercises and case studies
  • Hands-on practice with declaration templates
  • Group discussions of complex scenarios

Annual Refresher:

  • E-learning modules for core content review
  • Live update sessions for regulatory changes
  • Case study reviews of recent conformity assessments
  • Knowledge assessment

On-the-Job Training:

  • Mentoring for new conformity assessment staff
  • Job shadowing during conformity assessments
  • Supervised conformity assessment for first 3 AI systems

Just-in-Time Training:

  • Quick reference guides and job aids
  • Video tutorials on specific topics
  • Help desk support from experienced staff

10.5 Training Effectiveness Measurement

Assessment Methods:

  • Written exams for knowledge retention
  • Practical exercises for skill application
  • On-the-job observations for competency validation
  • Feedback surveys for training quality

Competency Validation:

  • Chief Legal Officers: Must demonstrate ability to conduct conformity assessment for 1 sample AI system with 100% compliance before independent work
  • All staff: Must pass knowledge assessments with minimum required scores

Training Metrics:

| Metric | Target | Frequency |
|---|---|---|
| Training completion rate | 100% | Quarterly |
| Assessment pass rate (first attempt) | ≥ 90% | Per training |
| Training effectiveness score (survey) | ≥ 4.0/5.0 | Per training |
| Time to competency (Chief Legal Officers) | < 45 days | Per person |

10.6 Training Records

Records Maintained:

  • Training attendance records
  • Assessment scores
  • Competency validations
  • Refresher training completion
  • Individual training transcripts

Retention: 10 years (to align with EU AI Act documentation retention)

Access: HR, Chief Legal Officer, Internal Audit, Competent Authorities (upon request)


DEFINITIONS

| Term | Definition | Source |
|---|---|---|
| Conformity Assessment | Process demonstrating AI system meets EU AI Act requirements | EU AI Act Article 43 |
| Internal Control | Self-assessment procedure (Annex VI) | EU AI Act Annex VI |
| Notified Body | Third-party organization designated to conduct conformity assessments | EU AI Act Article 44 |
| EU Declaration of Conformity | Document declaring AI system compliance | EU AI Act Article 47 |
| CE Marking | Marking indicating EU conformity | EU AI Act Article 48 |
| Substantial Modification | Change affecting compliance or intended purpose | EU AI Act Article 43 |
| Annex III High-Risk AI | AI systems listed in Annex III as high-risk | EU AI Act Annex III |
| Annex I Product Safety AI | AI systems that are safety components of products listed in Annex I | EU AI Act Annex I |
| EU-Type Examination Certificate | Certificate issued by notified body (Annex VII) | EU AI Act Article 44 |

LINK WITH AI ACT AND ISO42001

12.1 EU AI Act Regulatory Mapping

This standard implements the following EU AI Act requirements:

| EU AI Act Provision | Article | Requirement Summary | Implemented By (Controls) |
|---|---|---|---|
| Conformity Assessment | Article 43 | Conformity assessment before market placement | All controls (CA-001 through CA-013) |
| Annex VI - Internal Control | Annex VI | Self-assessment procedure | CA-001, CA-002, CA-003 |
| Annex VII - QMS + Technical Documentation | Annex VII | Notified body assessment | CA-004, CA-005, CA-006, CA-007 |
| EU Declaration of Conformity | Article 47 | Declaration requirements | CA-008, CA-009, CA-010 |
| CE Marking | Article 48 | CE marking requirements | CA-011, CA-012 |
| Conformity Maintenance | Article 43 | Ongoing conformity maintenance | CA-013 |

12.2 ISO/IEC 42001:2023 Alignment

This standard aligns with ISO/IEC 42001:2023 as follows:

| ISO 42001 Clause | Requirement | Implementation in This Standard |
|---|---|---|
| Clause 4.4: AI management system | Establish AI management system | Conformity assessment verifies QMS |
| Clause 9.2: Internal audit | Conduct internal audits | Internal audits support conformity assessment |
| Clause 9.3: Management review | Conduct management reviews | Management review supports conformity |

12.3 Relationship to Other Standards

This conformity assessment standard integrates with other AI Act standards:

| Related Standard | Integration Point | Rationale |
|---|---|---|
| STD-AI-001: Classification | Classification determines if conformity assessment required | High-risk AI requires conformity assessment |
| STD-AI-002: Risk Management | Risk management evidence in conformity assessment | Conformity assessment verifies risk management |
| STD-AI-003: Data Governance | Data governance evidence in conformity assessment | Conformity assessment verifies data governance |
| STD-AI-004: Technical Documentation | Technical documentation required for conformity assessment | Technical documentation is conformity assessment input |
| STD-AI-009: Quality Management | QMS required for Annex VII assessment | QMS is Annex VII assessment component |

12.4 References and Related Documents

EU AI Act (Regulation (EU) 2024/1689):

  • Article 43: Conformity Assessment
  • Article 44: Certificates
  • Article 47: EU Declaration of Conformity
  • Article 48: CE Marking
  • Annex VI: Internal Control Procedure
  • Annex VII: Assessment Based on Quality Management System and Technical Documentation Assessment

ISO/IEC Standards:

  • ISO/IEC 42001:2023: Information technology — Artificial intelligence — Management system

Internal Documents:

  • POL-AI-001: Artificial Intelligence Policy (parent policy)
  • STD-AI-001: AI System Classification Standard
  • STD-AI-002: AI Risk Management Standard
  • STD-AI-003: AI Data Governance Standard
  • STD-AI-004: AI Technical Documentation Standard
  • STD-AI-009: AI Quality Management Standard
  • PROC-AI-CA-001, -002, -003: Conformity assessment procedures

APPROVAL AND AUTHORIZATION

| Role | Name | Title | Signature | Date |
|---|---|---|---|---|
| Prepared By | Michael Brown | Chief Legal Officer | _______________ | __________ |
| Reviewed By | Sarah Johnson | AI Act Program Manager | _______________ | __________ |
| Reviewed By | David Lee | Chief Technology Officer | _______________ | __________ |
| Reviewed By | Jane Doe | Chief Strategy & Risk Officer | _______________ | __________ |
| Approved By | Jane Doe | AI Governance Committee Chair | _______________ | __________ |

Effective Date: 2025-08-01
Next Review Date: 2026-08-01
Review Frequency: Annually or upon regulatory change


END OF STANDARD STD-AI-010


This standard is a living document. Feedback and improvement suggestions should be directed to the Chief Legal Officer.

Standard Details

  • Standard ID: STD-AI-010
  • Version: 1.0
  • Status: draft
  • Owner: Legal
  • Effective Date: 2025-08-01
  • Applicability: High-risk AI systems
  • EU AI Act References: Articles 43-48, Annex VI, Annex VII
  • ISO 42001 Mapping: Clause 9.1, Clause 9.2