Regumatrix — AI compliance powered by Regulation (EU) 2024/1689

This tool is informational only and does not constitute legal advice.

Grounded in Regulation (EU) 2024/1689 · verified 4 Apr 2026
High-Risk AI Obligation · Up to €15 M / 3% for non-compliance · Deadline: 2 Aug 2026 — 4 months away

Quality Management System for AI Systems (Article 17)

Every provider of a high-risk AI system must have a documented Quality Management System in place before placing that system on the market. Art 17 sets out 13 mandatory elements — from regulatory strategy to serious incident reporting. This guide explains what each element requires and how proportionality rules reduce the burden for smaller organisations.

Non-compliance consequences

Failing to have a compliant QMS is an infringement of Art 16(c) (provider obligations), carrying fines under Art 99(4):

  • Up to €15,000,000 fine, OR
  • 3% of total worldwide annual turnover (whichever is higher)
  • For SMEs: the lower of the two figures applies — not the higher

What is the Article 17 QMS?

Under Article 17(1), the QMS is a systematic, documented set of policies, procedures and instructions. It is not an IT system or a certification — it is a governance framework that covers how you design, develop, test, monitor and maintain your AI system throughout its lifecycle. The QMS must be in place before you place the system on the market or put it into service.

The 13 Required QMS Elements

All 13 of the following elements are mandatory under Article 17(1)(a)–(m). The depth of each element scales with your organisation's size (see proportionality below).

(a) Regulatory compliance strategy

How you will stay compliant with the AI Act, including procedures for managing modifications to the system and for completing conformity assessment procedures.

(b) Design, design control and design verification

Techniques and systematic procedures for verifying that the system design meets the requirements set out in Section 2 of the AI Act.

(c) Development, quality control and quality assurance

Procedures for controlling quality throughout the development lifecycle — covering how defects are identified, tracked and resolved.

(d) Examination, test and validation procedures

The tests you run before, during and after development — and how often. This must address pre-deployment validation as well as ongoing performance checks.

(e) Technical specifications and standards

Which harmonised standards or common specifications you apply. Where a standard is not applied in full, document how compliance with the missing requirements is otherwise achieved.

(f) Data management systems and procedures

Covers the full data lifecycle: acquisition, collection, analysis, labelling, storage, filtration, mining, aggregation, retention — all operations on data used to build or operate the system.

(g) Risk management system

The iterative risk management process required by Art 9. This element integrates the risk management system into the QMS documentation.

(h) Post-market monitoring

Set-up, implementation and maintenance of the post-market monitoring system required by Article 72.

(i) Serious incident reporting procedures

Procedures for reporting serious incidents to national competent authorities under Article 73.

(j) Communication procedures

How you communicate with national competent authorities, notified bodies, other operators, customers and other interested parties — including authorities that provide or support access to data.

(k) Record-keeping systems

Systems and procedures for keeping all relevant documentation and information. These records must be available to national competent authorities for 10 years under Article 18.

(l) Resource management

How you manage the resources needed to build and maintain the AI system — including security-of-supply measures to prevent dependency on a single input source.

(m) Accountability framework

Sets out the responsibilities of management and other staff for each of the 13 QMS elements. Who is responsible for data management? Who signs off test results? This must be documented.

Proportionality, Carve-Outs and Special Rules

SME / Start-up proportionality (Art 17(2))

The QMS must be proportionate to the size of the provider's organisation. A 5-person start-up does not need the same volume of documentation as a multinational. The level of rigour required to ensure compliance with the AI Act's substantive requirements still applies — only the depth and formality of documentation scales with size.

Sectoral QMS integration (Art 17(3))

If you already have a QMS under sectoral Union law — for example, a medical device manufacturer subject to MDR Regulation 2017/745, or a machinery manufacturer subject to the Machinery Regulation — you may include the Article 17 elements as part of that existing QMS. You do not need a separate document.

Financial institution internal governance carve-out (Art 17(4))

Banks, investment firms and other financial institutions subject to governance requirements under Union financial services law satisfy the Article 17 QMS obligation by complying with those governance requirements — with one important exception. Elements (g), (h) and (i) — the risk management system, post-market monitoring, and serious incident reporting — must still be addressed specifically for the high-risk AI system.

SME simplified QMS (Art 63(1))

Article 63(1) already provides that SMEs including start-ups may comply with the QMS requirement in a simplified manner for certain elements. The Commission will publish guidelines specifying which elements qualify for simplified compliance.

Documentation and Record-Keeping (Article 18)

The QMS documentation must be kept available to national competent authorities for 10 years from when the high-risk AI system was placed on the market or put into service. This includes:

  • ✓ The technical documentation (Article 11 + Annex IV)
  • ✓ The QMS documentation itself
  • ✓ Documentation of changes approved by notified bodies, where applicable
  • ✓ Decisions and documents issued by notified bodies, where applicable
  • ✓ The EU declaration of conformity (Article 47)

PROPOSAL — not yet enacted law · COM(2025) 836 — Digital Omnibus

What COM(2025) 836 would change for QMS

If adopted, COM(2025) 836 would make two targeted changes to the QMS obligations:

  • Art 17(2) explicit SME/SMC mention: Article 17(2) is amended to state that proportionality applies "in particular, if the provider is an SMC or an SME, including a start-up." This codifies a principle that was already implicit but removes any ambiguity about whether micro-entities qualify.
  • Art 63(1) extended simplified QMS: The simplified QMS option (previously available only to microenterprises) is extended to all SMEs including start-ups. The Commission must develop guidelines on which specific QMS elements may be fulfilled in a simplified manner, without reducing the required level of protection.

COM(2025) 836 is a legislative proposal — not in force. These provisions apply only if the proposal is adopted by the European Parliament and Council.

Common grey-area signals — check your situation

  • ⚠ You have an ISO 9001 QMS but have not checked whether it covers elements (g), (h) and (i)
  • ⚠ Your AI system is integrated into a medical device and you assume the MDR QMS is sufficient without adding the AI Act elements
  • ⚠ You are a financial institution and believe your internal governance fully covers the QMS — but have not documented the AI-specific elements (g)/(h)/(i)
  • ⚠ Your QMS documentation exists but has not been kept up-to-date after a substantial modification to the AI system
  • ⚠ You are working towards the 2 August 2026 deadline but do not have a confirmed QMS completion date in your roadmap

Frequently Asked Questions

Is a QMS mandatory for all AI providers?

No. A QMS under Article 17 is only required for providers of high-risk AI systems. If your AI system is not classified as high-risk under Article 6 and Annex III, no QMS obligation applies. Providers of limited-risk or minimal-risk AI have no equivalent obligation, though voluntary codes of conduct may encourage similar practices.

Can a small startup meet the Article 17 QMS requirement?

Yes, with proportionality. Article 17(2) allows the QMS to be proportionate to the size of the organisation. Under COM(2025) 836, this is made explicit for SMEs and SMCs, and the Commission must develop guidelines on which QMS elements may be fulfilled in a simplified manner for SMEs including start-ups. The level of protection required must still be met — it is the format and scope of documentation that can be lighter, not the substance.

Does the QMS need to be certified by an external body?

Not necessarily. For Annex III high-risk AI systems (categories 2–8) using the internal control route under Annex VI, no external QMS certification is required. However, for Annex III §1 (biometrics) or Annex I (MDR/IVDR etc.) systems that use the Annex VII route involving a notified body, that body will assess compliance with the QMS requirements as part of the conformity assessment. The QMS must be documented regardless of route.

We already have an ISO 9001 QMS. Does that satisfy Article 17?

Partially. ISO 9001 covers broad quality management principles, but Article 17(1) requires specific AI-focused elements including the risk management system (Article 9), post-market monitoring (Article 72), and serious incident reporting procedures (Article 73). You would need to extend your existing QMS to include those AI-specific elements. The good news is that Article 17(3) explicitly allows you to integrate the Article 17 elements into an existing sectoral QMS — you do not need to create a separate document.

We are a bank. Do we need a separate AI QMS?

No, if you already comply with internal governance obligations under Union financial services law. Article 17(4) provides that financial institutions subject to governance/process requirements under Union financial services law satisfy the QMS obligation by complying with those requirements — with one exception: Article 17(1) points (g), (h) and (i) — the risk management system, post-market monitoring setup, and serious incident reporting procedures — must still be addressed specifically for the AI system.

No changes are proposed under COM(2025) 837 for this topic.
