Regumatrix — AI compliance powered by Regulation (EU) 2024/1689

This tool is informational only and does not constitute legal advice.

Grounded in Regulation (EU) 2024/1689 · verified 4 Apr 2026
High-risk AI obligation · Article 43 · Up to €15M / 3% · 4 months away

EU AI Act Conformity Assessment Guide

Before placing a high-risk AI system on the EU market, you must complete a formal conformity assessment. Article 43 establishes three distinct pathways — and which one applies to your system depends on its Annex III category and whether you have applied harmonised standards. Getting this wrong is not a technicality: it is one of the most audited obligations in the entire Act.

Penalty: up to €15,000,000 or 3% of global annual turnover

Failing to complete the required conformity assessment before placing a high-risk AI system on the market or putting it into service violates Art 43 and is penalised under Art 99(4). For large companies the ceiling is whichever is higher: €15 million or 3% of total worldwide annual turnover. For SMEs and startups, Art 99(6) instead applies the lower of the two figures.

A conformity assessment that uses the wrong procedure — for example, choosing Annex VI self-assessment for a biometric system when Annex VII notified body assessment was required — is treated the same as no assessment at all.

Which pathway applies to your system?

The first step is identifying which of the three pathways under Art 43 applies. This is determined by your system's classification — not by your preference.

Biometric systems · Art 43(1) · Annex III point 1

Annex VI self-assessment OR Annex VII notified body — your choice, with conditions

If you have applied harmonised standards referenced in Art 40 — or, where applicable, common specifications under Art 41 — you may choose either Annex VI (internal control) or Annex VII (notified body assessment). You are not required to use a notified body.

However, Annex VII is mandatory if any of four conditions are met. See Section 2 below for the full list.

All other Annex III categories · Art 43(2) · Annex III points 2–8

Annex VI self-assessment only — no notified body required

High-risk AI systems in Annex III categories 2 through 8 — education, employment and workers management, essential services (credit, insurance), law enforcement, migration and border control, justice and democratic processes, and critical infrastructure — must follow the internal control procedure in Annex VI. This is a self-assessment procedure. No notified body is involved.

This applies to the vast majority of enterprise high-risk AI deployments — HR screening tools, credit scoring, recidivism assessment, asylum processing systems. You conduct the assessment yourself.

AI in regulated products · Art 43(3) · Annex I Section A

Sector legislation conformity procedure — not Art 43 directly

If your AI system is embedded in a product covered by Annex I Section A harmonisation legislation — medical devices (MDR), in-vitro diagnostics (IVDR), machinery, radio equipment, and others — you follow the conformity procedure required by that sector legislation. The AI Act's Section 2 requirements still apply and must be part of that assessment, but the procedural framework is the sector law's.

Notified bodies designated under the relevant sector legislation are authorised to assess compliance with the AI Act's Section 2 requirements as part of the same assessment — they do not need separate AI Act designation to do this.

Annex VI — Internal control (self-assessment)

The Annex VI procedure is a three-step self-assessment. No third party is involved. The provider conducts the assessment and is responsible for its outcome.

1. Verify QMS compliance with Art 17

Verify that your established quality management system satisfies all requirements of Art 17. The QMS must cover the design, development, testing, monitoring and post-market dimensions of the AI system's lifecycle.

2. Examine technical documentation for Section 2 compliance

Examine the information contained in your technical documentation — structured in accordance with Art 11 and Annex IV — to assess compliance with every relevant requirement in Chapter III, Section 2 (Arts 9–15).

3. Verify design / development process and post-market monitoring

Verify that the actual design and development process of the AI system, and your post-market monitoring system under Art 72, are consistent with what is described in the technical documentation. The documentation must reflect reality — not just describe the ideal process.

Annex VII — Notified body assessment (when is it mandatory?)

For biometric identification systems (Annex III point 1), Art 43(1) requires you to use a notified body under Annex VII in any of these four situations:

No harmonised standards and no common specifications

Art 43(1)(a)

No applicable harmonised standards under Art 40 exist for your system's requirements, and no common specifications under Art 41 are available. You have no recognised standard to apply — the notified body provides the independent verification that the standard would otherwise give.

Harmonised standard not applied — or only partially applied

Art 43(1)(b)

You have not applied the relevant harmonised standard, or have only applied part of it. Partial application of a standard does not give you the presumption-of-conformity benefit that full application would. The notified body must assess what the standard left uncovered.

Common specifications exist but you have not applied them

Art 43(1)(c)

Common specifications under Art 41 are available but you have chosen not to apply them. If you deviate from available common specifications, the burden of demonstrating equivalent compliance shifts to independent assessment.

Harmonised standard published with a restriction — on the restricted part only

Art 43(1)(d)

A relevant harmonised standard exists but was published with a restriction on part of it. For that restricted part, the presumption of conformity does not attach. Annex VII applies only to the restricted portion — the rest can be self-assessed using Annex VI.

What Annex VII requires in practice

The Annex VII procedure has two parallel stages that both require notified body involvement:

  • Stage 1 — QMS assessment: The notified body assesses your quality management system against Art 17. If satisfactory, it issues a QMS approval and then conducts ongoing surveillance including periodic audits.
  • Stage 2 — Technical documentation assessment: A separate application for assessment of the technical documentation is lodged with the notified body. The notified body examines the documentation (which must include Annex IV elements), may request further evidence or additional tests, and if compliance is confirmed, issues a Union technical documentation assessment certificate. The certificate is valid for up to 4 years for Annex III systems (Art 44(2)).

Note: the notified body may, where necessary and after all other verification means are exhausted, request access to the training data, trained model, and model parameters — subject to existing intellectual property and trade secret protections.

Certificate validity and renewal — Article 44

Annex III systems: 4 years

Maximum certificate validity for high-risk AI systems covered by Annex III, per Art 44(2). Renewable for further 4-year periods on request, based on reassessment.

Annex I products: 5 years

Maximum certificate validity for AI systems covered by Annex I (product safety legislation), per Art 44(2). Renewable for further 5-year periods on request.

A notified body may suspend or withdraw a certificate at any time if the system no longer meets Section 2 requirements — unless the provider remedies the non-compliance within a deadline set by the notified body. An appeal procedure must be available against notified body decisions under Art 44(3).

When a change triggers a new conformity assessment — Article 43(4)

Art 43(4) requires a new conformity assessment whenever a high-risk AI system undergoes a substantial modification — even if the system is not being put back on the market and simply continues to be used by the current deployer.

Substantial modification → new assessment required

Any change to a high-risk AI system that was not pre-determined and documented at the time of the original conformity assessment constitutes a substantial modification. Examples: retraining the model on new data outside the documented scope, adding new output categories, changing the intended purpose, or deploying in a context the original assessment did not cover.

Continuous-learning changes → not a substantial modification

For AI systems that continue to learn after deployment, changes that were pre-determined by the provider at the time of the initial assessment and are documented in the technical documentation (Annex IV point 2(f)) are not treated as substantial modifications. The scope of anticipated change must have been defined and assessed upfront — undocumented or unanticipated drift requires a new assessment.

PROPOSAL — not yet enacted law

COM(2025) 836 — Digital Omnibus proposals

COM(2025) 836 proposes two changes affecting conformity assessment procedures. Neither is in force. If enacted, they would apply from the amended Act's entry into application.

1 — Single application procedure for notified bodies — new Art 28(8)

If 836 is enacted, what would change: conformity assessment bodies seeking designation under both the AI Act and Annex I Section A legislation (for example, a body that wants to be designated for both the AI Act and the Medical Devices Regulation) would be entitled to submit a single application and undergo a single assessment procedure to obtain both designations simultaneously.

This benefit would also be available to notified bodies already designated under Annex I legislation when they apply for AI Act designation — they would not need to go through a separate full designation process. The single procedure must avoid unnecessary duplications, build on existing Annex I designation procedures, and ensure compliance with all relevant requirements.

Why it matters: Currently, a body wanting to be designated as a notified body for both AI Act and MDR assessments must apply to and be assessed by two separate authorities under two separate procedures. 836 would remove that duplication and accelerate the growth of notified body capacity in Europe — which is currently a bottleneck for Annex I biometric AI systems.

2 — Art 43(3) clarification for Annex I + Annex III dual classification

If 836 is enacted, the existing Art 43(3) would be replaced with a cleaner version that explicitly:

  • Requires QMS assessment under Art 17 and Annex VII to form part of the Annex I conformity procedure — a requirement currently implied but not stated in the same terms
  • Confirms that where a system is both covered by Annex I and falls within an Annex III category, the provider follows the Annex I procedure (removing current ambiguity)
  • Gives notified bodies already designated under Annex I legislation an 18-month window from the Act's entry into application to apply for AI Act designation

Conformity assessment grey areas — is your approach sound?

The most common errors in conformity assessment are procedural, not technical. These patterns suggest your approach may not withstand scrutiny:

  • Using Annex VI self-assessment for a biometric system when no applicable harmonised standards exist — Annex VII was required
  • Completing the conformity assessment once, prior to market placement, then making substantive undocumented changes to the model without reassessing
  • Treating pre-existing ISO 27001 or ISO 9001 certifications as satisfying the Art 17 QMS requirement without verifying they actually cover all the Art 17 elements
  • Certificate expiry not tracked — 4-year Annex III certificates that lapsed without renewal while the system continued in service
  • Assuming that because your system is used for HR or credit scoring (Annex III points 2–8) you never need a notified body — correct today, but the Commission has delegated-act powers to extend Annex VII to these categories if self-assessment proves insufficient

Frequently asked questions

Do all high-risk AI systems need a notified body for conformity assessment?

No. Article 43(2) states that high-risk AI systems in Annex III categories 2 to 8 — covering education, employment, essential services (credit, insurance), law enforcement, migration, justice, and critical infrastructure — must follow the internal control procedure in Annex VI. This is a self-assessment: no notified body is required. A notified body is only relevant for (1) Annex III point 1 systems (biometric identification) under Article 43(1), where it is required if harmonised standards have not been applied in full, and (2) AI systems covered by Annex I legislation such as medical devices, where the sector law determines whether a notified body is involved.

When is a notified body mandatory for a biometric AI system?

Under Article 43(1), a notified body (Annex VII) is mandatory for Annex III point 1 (biometric) systems in four situations: (a) no applicable harmonised standards exist and no common specifications are available; (b) the provider has not applied, or has applied only part of, the relevant harmonised standard; (c) applicable common specifications exist but the provider has not applied them; (d) a relevant harmonised standard was published with a restriction, and solely on the restricted part. If a provider applies harmonised standards in full, they may self-assess using Annex VI internal control instead.

How long is a conformity assessment certificate valid?

Under Article 44(2), certificates issued by notified bodies under Annex VII are valid for a period of not more than four years for AI systems covered by Annex III, and not more than five years for AI systems covered by Annex I (product safety legislation). At the provider's request, validity may be extended for further periods based on reassessment — up to four years per extension for Annex III systems, up to five years for Annex I systems. A notified body may also suspend or withdraw a certificate if the system no longer meets Section 2 requirements.

What is the difference between the Annex VI and Annex VII conformity assessment procedures?

Annex VI (internal control) is a self-assessment procedure: the provider verifies that its quality management system complies with Article 17, examines its technical documentation for compliance with Section 2 requirements, and verifies that the design and development process and post-market monitoring are consistent with the technical documentation. No third party is involved. Annex VII is a third-party assessment by a notified body: it has two stages — a quality management system assessment (the notified body assesses whether the QMS satisfies Article 17) and a technical documentation assessment (producing a Union technical documentation assessment certificate). The notified body then carries out ongoing QMS surveillance including periodic audits.

Does a system that continues to learn after deployment need a new conformity assessment when it changes?

Under Article 43(4), a new conformity assessment is required whenever a high-risk AI system undergoes a 'substantial modification', regardless of whether the modified system will be further distributed or continues to be used by the current deployer. However, the same paragraph contains an explicit carve-out for continuous-learning systems: changes to the system and its performance that were pre-determined by the provider at the time of the initial conformity assessment, and are documented in the technical documentation under Annex IV point 2(f), are not treated as substantial modifications. The key requirement is that the scope of potential changes was documented and assessed upfront — undocumented or unanticipated changes still require a new assessment.
