aicomply.
Lesson | 15 min | Chapter 8 of 14

Conformity Assessment

Article 43 procedures for demonstrating compliance.

Conformity Assessment (Article 43)

Learning Objectives

By the end of this chapter, you will be able to:

  • Select the appropriate conformity assessment route for different AI system types
  • Execute internal control procedures per Annex VI requirements
  • Understand when third-party (notified body) assessment is required
  • Prepare complete EU declarations of conformity
  • Navigate substantial modification requirements
  • Apply CE marking correctly

Article 43 establishes the conformity assessment procedures that providers must complete before placing high-risk AI systems on the Union market or putting them into service. This gatekeeping mechanism ensures AI systems demonstrably meet all applicable requirements.

The Conformity Assessment Framework

Purpose and Legal Basis

The AI Act specifies different conformity assessment routes depending on the type of high-risk AI system:

  • Article 43(1) — For high-risk AI systems related to biometrics (Annex III, point 1): if the provider has applied harmonised standards under Article 40 or common specifications under Article 41, the provider may choose either the internal control procedure (Annex VI) or the conformity assessment procedure involving a notified body (Annex VII). If harmonised standards or common specifications have not been applied, the provider must use the notified body procedure (Annex VII).
  • Article 43(2) — For high-risk AI systems referred to in Annex III, points 2 to 8: providers shall follow the internal control procedure (Annex VI) only, with no notified body involvement required.
  • Article 43(3) — For high-risk AI systems covered by Annex I Union harmonisation legislation (sectoral legislation such as medical devices, machinery, etc.): the conformity assessment procedure under that sectoral legislation applies, and the AI Act requirements are assessed as part of that procedure.

Expert Insight

The conformity assessment is the provider's formal demonstration that they have met all Chapter III, Section 2 requirements. It's the checkpoint between development and market access.

Conformity Assessment Decision Tree

System type | Assessment route | Description | Reference
Annex III systems (most cases) | Internal control (Annex VI) | Self-assessment by the provider | Article 43(2)
Biometric ID systems (remote, real-time, public spaces) | Notified body (Annex VII) | Third-party assessment required | Article 43(2)
Annex I, Section A systems (other EU law applies) | Per sectoral legislation + AI Act | Combined assessment approach | Article 43(3)
Annex I, Section B systems (product integration) | Integrated with product conformity | Assessed as part of product | Article 43(4)
Systems using harmonised standards | May use Annex VI procedures | Simplified internal control | Article 43(2)

Internal Control Procedure (Annex VI)

When Internal Control Applies

Most high-risk AI systems in Annex III can use internal control procedures. This is a self-assessment by the provider—no third-party involvement required.

Annex VI: Three Substantive Steps

Annex VI sets out three substantive steps for the internal control procedure:

Step | Action | Documentation
1 | Verify that the established quality management system is in compliance with Article 17 | QMS assessment records
2 | Examine the information contained in the technical documentation to assess whether the AI system meets the relevant requirements set out in Chapter III, Section 2 | Technical file verification checklist
3 | Verify that the design and development process of the AI system and its post-market monitoring as referred to in Article 72 is consistent with the technical documentation | Consistency verification records

Following these three substantive verification steps, the provider then draws up the EU declaration of conformity (Article 47), affixes the CE marking (Article 48), and registers in the EU database (Article 49).

Technical Documentation Examination

The provider must verify their technical documentation (per Annex IV) demonstrates:

Requirement | Documentation Evidence
Risk management (Art. 9) | Risk assessment reports, mitigation records
Data governance (Art. 10) | Data specifications, quality reports
Technical documentation (Art. 11) | Complete Annex IV file
Record-keeping (Art. 12) | Logging specifications, retention policy
Transparency (Art. 13) | Instructions for use, labelling
Human oversight (Art. 14) | Oversight procedures, interface design
Accuracy, robustness, security (Art. 15) | Test reports, validation results

Quality Management System Review

Before issuing a declaration, verify the QMS (Article 17) addresses:

  • Regulatory compliance strategy
  • Design and development procedures
  • Quality control techniques
  • Examination, test, and validation procedures
  • Technical specifications and standards
  • Data management systems
  • Risk management implementation
  • Post-market monitoring system
  • Incident reporting procedures
  • Resource management

Compliance Note

Internal control is not a rubber stamp. The provider takes full legal responsibility for the accuracy of their self-assessment. Inadequate internal control processes are a common enforcement target.

Third-Party Assessment (Annex VII)

When Notified Body Assessment Is Required

Article 43(1) governs third-party assessment for biometric systems (Annex III, point 1). Where harmonised standards or common specifications have NOT been applied, the notified body procedure (Annex VII) is required. Where they have been applied, the provider may choose between internal control (Annex VI) and notified body (Annex VII). This applies to:

  • Remote biometric identification systems
  • Biometric categorisation systems
  • Emotion recognition systems

Note: Article 43(2) covers Annex III systems in points 2–8 (all other high-risk AI systems outside biometrics), for which internal control (Annex VI) is the only procedure — no notified body involvement is required.

The Notified Body Process

Phase | Activities | Typical Duration
1. Application | Submit technical documentation, identify system | 2-4 weeks
2. Documentation Review | Notified body examines Annex IV file | 4-8 weeks
3. Assessment Planning | Determine audit scope and testing requirements | 2 weeks
4. On-Site Audit | Quality management system assessment | 1-2 weeks
5. Technical Testing | Verify accuracy, robustness, security claims | 2-6 weeks
6. Report & Decision | Notified body issues assessment report | 2-4 weeks
7. Certificate Issuance | If successful, conformity certificate issued | 1-2 weeks

Notified Body Requirements

Notified bodies must be:

Requirement | Description | Reference
Designated | By Member State national authority | Article 28
Competent | Technical expertise in AI systems assessed | Article 31
Independent | No conflicts of interest with assessed providers | Article 31
Accredited | Meet ISO/IEC 17065 or equivalent | Article 31
Notified | Listed in NANDO database | Article 30

Third-Party Assessment Outcomes

Outcome | Result | Next Steps
Positive | Conformity certificate issued | Affix CE marking, register, market
Conditional | Certificate with conditions | Address conditions, resubmit evidence
Negative | Assessment failed | Remediate issues, request reassessment
Suspended | Existing certificate suspended | Address findings, request reinstatement
Withdrawn | Certificate cancelled | Cannot place on market until new assessment

EU Declaration of Conformity (Article 47)

Required Content (Annex V)

The declaration must contain:

Element | Description | Example
System identification | Name, type, unique product ID | "AI Recruit Pro v3.2, Type HR-100, ID: AIR-2024-001"
Provider details | Name, address, contact | Full legal entity details
Responsibility statement | Provider assumes responsibility | Standard Article 47 wording
Compliance statement | Declares compliance with AI Act | Reference to specific articles
Harmonised standards | Standards applied (if any) | EN ISO XXXX:2025
Common specifications | Specs applied (if no standards) | Commission implementing acts
Notified body | If third-party assessment | Name, ID number, certificate reference
Date and signature | Legal representative signature | Dated, authorised signatory

Declaration Template Structure

EU DECLARATION OF CONFORMITY
(Regulation (EU) 2024/1689)

1. AI System: [Name, type, version, unique identifier]

2. Provider: [Legal name, registered address, contact]

3. This declaration of conformity is issued under the sole
   responsibility of the provider.

4. Object of declaration: [Description of AI system and
   intended purpose]

5. The AI system described above is in conformity with
   Regulation (EU) 2024/1689.

6. References to relevant harmonised standards used:
   [List standards or "None applied"]

7. Where applicable, the notified body:
   [Name, number] performed [assessment type] and
   issued certificate [number]

8. Signed for and on behalf of: [Provider name]

   [Place, Date]
   [Name, Function]
   [Signature]

CE Marking Requirements

Affixing the CE Marking

Article 48 requirements:

Requirement | Specification
Visibility | Clearly visible
Legibility | Easily readable
Permanence | Indelibly affixed
Location | On AI system or packaging/accompanying document
Size | Minimum 5 mm height (proportionally scaled)
Format | Standard CE logo per Annex

CE Marking for Digital AI Systems

For AI systems without physical components:

  • Include in user interface
  • Display in documentation
  • Show in digital labelling/metadata
  • Reference in instructions for use

💡 Practical Note: Many AI systems are purely software. The CE marking appears in the product documentation, interface, and packaging (if any physical media exists).

Substantial Modifications (Article 43(4))

Definition of Substantial Modification

A modification is "substantial" if it affects compliance with:

  • Any Chapter III, Section 2 requirement
  • The intended purpose as originally assessed
  • The risk classification of the system

Modification Assessment Framework

Modification Type | Examples | Reassessment Required?
Performance improvement | Model retraining on similar data | Likely no—document change
New functionality | Additional use cases | Yes—may change risk profile
Architecture change | New model architecture | Yes—reassess Article 15
Training data change | Different data sources/demographics | Yes—reassess Article 10
Intended purpose change | New deployment context | Yes—full reassessment
Bug fixes | Error corrections | Usually no—document only

Post-Modification Process

If substantial modification occurs:

  1. Assess Impact — Determine which requirements affected
  2. Update Documentation — Revise technical documentation
  3. Re-verify Compliance — Conduct new conformity assessment
  4. Update Declaration — Issue new EU declaration
  5. Update Registration — Notify EU database of changes
  6. Inform Deployers — Communicate changes to users

Compliance Note

Continuous learning AI systems may trigger substantial modification obligations through operational changes. Design monitoring processes to detect when retraining crosses the substantial modification threshold.

Integration with Sectoral Legislation

Annex I, Section A Systems

For AI systems covered by EU legislation listed in Annex I, Section A:

  • Follow that legislation's conformity assessment procedure
  • Additionally verify AI Act Chapter III, Section 2 requirements
  • Single assessment may cover both frameworks

Annex I, Section B Systems (Products)

For AI embedded in products (e.g., machinery, medical devices):

  • AI assessment integrates with product conformity assessment
  • Notified body for product may assess AI requirements
  • Single declaration covers both product and AI compliance

Compliance Checklist: Conformity Assessment

Pre-Assessment:

  • Determine applicable conformity route
  • Complete all Chapter III, Section 2 requirements
  • Prepare complete Annex IV technical documentation
  • Verify QMS is operational and documented
  • Identify applicable harmonised standards

Internal Control (Annex VI):

  • Conduct systematic documentation review
  • Verify compliance with each Article 8-15 requirement
  • Document internal assessment process
  • Prepare EU declaration of conformity
  • Affix CE marking appropriately

Third-Party Assessment (Annex VII):

  • Select appropriate notified body
  • Submit application and documentation
  • Support on-site audit activities
  • Address any findings or conditions
  • Obtain and retain conformity certificate

Post-Assessment:

  • Register in EU database
  • Implement post-market monitoring
  • Monitor for substantial modifications
  • Maintain records for 10 years minimum

What You Learned

Key concepts from this chapter

  • Most Annex III high-risk AI systems use internal control (self-assessment) procedures
  • Remote biometric identification systems require third-party notified body assessment
  • The EU declaration of conformity is a legally binding statement of compliance
  • CE marking is mandatory before market placement and indicates compliance
  • Substantial modifications trigger reassessment obligations
