High-Risk AI ObligationUp to €15 M / 3% if missed

EU Database Registration for High-Risk AI Systems

Name: Regumatrix
Author: Regumatrix

Before a high-risk Annex III AI system reaches market, its provider must register in the EU database. Public authority deployers must verify that registration before use — and register their own deployment too.

Why this matters

Registration is a provider obligation under Art 16(i). A missed registration is not a paperwork oversight — market surveillance authorities check the database as part of their standard verification process (Art 74(8)), and they can require a provider to halt sales until the system is properly registered.

Provider failure: Art 99(4)(a) — up to €15M or 3%

Deployer failure: Art 99(4)(e) — up to €15M or 3%

Not sure if your AI system must register?

Regumatrix checks your system against every Annex III domain, confirms your risk tier, and tells you exactly which registration obligations fire — in about 30 seconds.

Check in 30 seconds →

The two registration tracks

Registration under Art 49 works differently for providers and deployers. Both are mandatory but cover different aspects of the same system.

Track 1 — Provider

Art 49(1) — Before placing on the market or putting into service, the provider (or authorised representative) registers both themselves and the system.

Applies to all Annex III high-risk systems
Exception: Annex III §2 systems go to national DB
Must happen before launch, not after

Track 2 — Public Deployer

Art 49(3) — Before deploying, public authority deployers register themselves, select the provider's system, and register their intended use.

Applies to public authorities and EU institutions
Must verify provider system is already registered
Cannot deploy an unregistered system

The check-before-use rule for public deployers

Article 26(8) — hard stop

Public authority deployers must check that the high-risk AI system they plan to use is already registered in the EU database. If it is not registered, they must not use that system and must inform the provider or distributor.

This is not a best-effort check. It is a mandatory gate before any deployment.

What data goes into the database (Annex VIII)

Annex VIII lists three distinct sections depending on who is registering and what type of system it is.

Section A

High-risk systems — provider fields (13 data points)

1. Provider name, address, contact details2. Submitting person details (if different)3. Authorised representative details (if applicable)4. Trade name and unique identification reference5. Intended purpose + components and functions6. Basic description of data inputs and operating logic7. System status (on market / recalled)8. Notified body certificate number and expiry9. Scanned copy of certificate (if applicable)10. Member States where system is available11. Copy of EU declaration of conformity12. Electronic instructions for use13. URL for additional information (optional)

Note: Items 8, 9 and 12 do not apply to law enforcement / migration / border systems (Annex III §1, 6, 7).

Section C

Public authority deployer fields (5 data points)

1. Deployer name, address, contact details

2. Submitting person contact details

3. URL linking to the provider's EU database entry

4. Summary of the fundamental rights impact assessment (FRIA)

5. Summary of the GDPR data protection impact assessment (if conducted)

Special cases

Annex III §2 — biometric systems

High-risk AI systems in Annex III point 2 (remote biometric identification systems) are registered at national level, not in the central EU database (Art 49(5)). Public deployer registration under Art 49(3) also does not apply to these systems.

Annex III §1, 6, 7 — law enforcement / migration / border

These systems are registered in a secure non-public section of the EU database (Art 49(4)). Only the Commission and designated national authorities can access that section. A limited subset of Annex VIII fields applies.

About the EU database

The EU database is set up and maintained by the Commission (Art 71), which is also its data controller. The database is publicly accessible in a user-friendly, machine-readable format — except for the restricted law enforcement sections. Providers, prospective providers, and deployers receive technical and administrative support to register.

The database also holds entries for real-world testing registrations under Article 60, but those are accessible only to market surveillance authorities and the Commission (unless the provider consents to public access).

COM(2025) 836 — what changes

PROPOSAL — not yet enacted law

Art 49(2) deleted 836 Art 1 pt14

Currently, providers who self-assess their Annex III system as non-high-risk under Article 6(3) must still register in the EU database under Article 49(2). If 836 passes, Article 49(2) is deleted entirely. Those providers would only need to keep their written assessment internally and share it with national competent authorities on request.

What stays unchanged: Article 49(1) provider registration for genuinely high-risk systems is not affected. Article 49(3) public deployer registration is not affected. Only the non-high-risk Art 6(3) track disappears.

Common registration mistakes to check now

Registering only the company — not the specific AI system (Art 49(1) requires both)
Failing to update the database entry when the system is modified, recalled, or withdrawn (Annex VIII requires status to be kept up-to-date)
Assuming Annex III §2 biometric systems go into the central EU database — they go to national registries
Public deployers relying on a verbal assurance from the provider that the system "should be registered" — you must verify it yourself
Registering after launch rather than before market placement (Art 49(1) is unambiguous on timing)
Treating Art 49(2) as already deleted — COM(2025) 836 is still a proposal; current law still requires that registration

Check your registration obligations →

Frequently asked questions

When must a provider register in the EU database?

Before placing the high-risk AI system on the market or putting it into service — Article 49(1) is explicit on this. Registration is not a post-launch formality. Both the provider entity and the specific system must be registered.

Do all Annex III high-risk AI systems go into the EU database?

No. Systems in Annex III point 2 — biometric AI systems used for remote biometric identification — are registered at national level rather than in the central EU database (Article 49(5)). Systems in points 1, 6 and 7 (law enforcement, migration, border control) go into a secure non-public section of the EU database with restricted information.

What must a public authority deployer do before using a high-risk AI system?

Before deploying, a public authority deployer must check that the provider's system is already registered in the EU database. If it is not registered, the deployer must not use it and must notify the provider or distributor — Article 26(8). The deployer also registers its own intended use in the database under Article 49(3).

Does COM(2025) 836 remove all AI database registration requirements?

No. The 836 proposal only deletes Article 49(2) — the requirement that providers who self-assessed their system as non-high-risk under Article 6(3) must also register. Providers of genuinely high-risk Annex III systems under Article 49(1) still register. Public authority deployers under Article 49(3) still register. Nothing changes for them under 836.

What penalty applies if a provider fails to register a high-risk AI system?

Registration is a provider obligation under Article 16(i). Non-compliance is subject to fines under Article 99(4): up to €15,000,000 or 3% of total worldwide annual turnover, whichever is higher. For SMEs and start-ups, the lower of the two figures applies (Article 99(6)).

Related guides

AI Provider Obligations

Full Art 16 checklist — registration is one of 12 provider duties

Technical Documentation

The Annex IV package that must be ready before you register

Conformity Assessment

The CE marking step that feeds certificate data into the database

Fundamental Rights Impact Assessment

Results feed into deployer Section C registration

Not-High-Risk Derogation

The Art 6(3) claim whose Art 49(2) registration 836 deletes

COM(2025) 836 Overview

All 14 proposed changes in plain English

Know exactly what your AI system requires

Regumatrix analyses your system against every Annex III domain, confirms whether registration under Article 49(1) applies, names every obligation that fires, and calculates your fine exposure under Article 99 — returning a cited, 8-section report in about 30 seconds. No credit card required.

Run your free analysis →