A conformity assessment under the EU AI Act is the process by which a provider of a high-risk AI system demonstrates that the system meets all applicable requirements before it can be placed on the EU market or put into service. This process is modeled on the EU’s existing product safety framework (the New Legislative Framework) and results in a declaration of conformity and CE marking.

Types of Assessment

The EU AI Act provides for two conformity assessment routes. Internal conformity assessment allows the provider to self-assess compliance based on internal quality management systems and technical documentation. This applies to most high-risk AI systems. Third-party conformity assessment requires evaluation by a notified body (an independent organization designated by a member state). This is required for high-risk AI systems used as safety components of products already subject to third-party assessment, and for remote biometric identification systems.

Requirements Assessed

The conformity assessment evaluates compliance with Chapter 2 requirements for high-risk AI systems: risk management system, data governance and training data quality, technical documentation, record-keeping and logging, transparency and provision of information to deployers, human oversight measures, accuracy, robustness, and cybersecurity.

Documentation

Providers must maintain technical documentation covering the system’s intended purpose, design and development methodology, training data descriptions, testing and validation results, risk management measures, and post-market monitoring plans. This documentation must be kept for 10 years after the AI system is placed on the market.

Ongoing Obligations

Conformity assessment is not a one-time event. Providers must have a quality management system and post-market monitoring system in place. Substantial modifications to a high-risk AI system trigger a new conformity assessment. Providers must also register their high-risk AI systems in the EU database before placing them on the market.

Sources

  • European Parliament and Council. (2024). Regulation (EU) 2024/1689 (EU AI Act), Articles 9–17, 43. Official Journal of the European Union. (Primary legal source; Articles 9–17 define requirements for high-risk AI, Article 43 defines conformity assessment procedures.)
  • European Commission. (2022). Guide to the AI Act conformity assessment procedures. (Practical guidance on internal vs. third-party assessment routes and notified body requirements.)
  • ISO/IEC 42001:2023. Artificial Intelligence — Management System. (International standard for AI management systems; accepted as evidence of conformity in the EU AI Act framework.)