AI Conformity Assessment Under the EU AI Act: A Practical Guide for High-Risk AI Compliance

May 12, 2026

The EU AI Act creates a risk-based framework for artificial intelligence. For organisations developing, deploying or integrating high-risk AI systems, one of the most important compliance obligations is the AI conformity assessment.

An AI conformity assessment is the process through which a provider demonstrates that a high-risk AI system complies with the mandatory requirements of the EU AI Act before it is placed on the market or put into service. It is not a simple checklist exercise. It requires evidence that the system has been designed, tested, documented, governed and monitored in accordance with the regulation.

For legal teams, CISOs, product leaders, compliance officers and executives, understanding conformity assessment is essential. It determines whether an AI system can lawfully enter the EU market, whether a CE marking can be affixed, whether a notified body must be involved, and how ongoing compliance must be maintained after deployment.

What is an AI conformity assessment?

Under the EU AI Act, conformity assessment is the process of demonstrating that a high-risk AI system complies with the requirements set out for such systems. These requirements cover the full lifecycle of the AI system: design, data, development, validation, deployment, monitoring and corrective action.

In practical terms, a conformity assessment answers one central question: can the provider prove that the AI system is safe, robust, transparent, properly documented, subject to human oversight and controlled throughout its lifecycle?

This proof is not limited to a legal memo. It relies on technical documentation, a quality management system, risk management records, data governance evidence, testing results, logs, cybersecurity measures, instructions for use, post-market monitoring arrangements and, where relevant, the involvement of a notified body.

The conformity assessment is therefore both a legal and operational mechanism. It transforms AI Act requirements into evidence that can be reviewed by authorities, customers, auditors, notified bodies and market surveillance authorities.

Which AI systems require a conformity assessment?

Not every AI system requires a conformity assessment under the EU AI Act. The obligation applies to high-risk AI systems.

A system may be high-risk in two main situations.

First, an AI system may be high-risk where it is a product, or a safety component of a product, covered by EU harmonisation legislation listed in Annex I of the AI Act, and where that product requires third-party conformity assessment. This is relevant for sectors such as medical devices, machinery, toys, lifts, aviation, vehicles and other regulated product categories.

Second, an AI system may be high-risk where it falls within one of the use cases listed in Annex III. These areas include biometrics, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, administration of justice and democratic processes.

However, classification must be handled carefully. Not every AI tool used in a sensitive organisation is automatically high-risk. The intended purpose of the system, its actual impact on individuals, and the scope of Article 6 must be assessed. In some Annex III cases, an exemption may be available where the system does not pose a significant risk of harm to health, safety or fundamental rights, but this position must be documented and is not available where the system performs profiling of natural persons.

Before preparing a conformity assessment, organisations should therefore confirm three points: whether the tool is an AI system, whether it is high-risk, and whether the organisation is acting as a provider, deployer, importer, distributor or product manufacturer.

Why AI conformity assessment matters

The AI conformity assessment is the gateway to market access for high-risk AI systems. A provider cannot simply declare that a system is trustworthy. It must be able to demonstrate compliance with the AI Act requirements before the system is placed on the market or put into service.

For businesses, the assessment has several practical consequences. It forces teams to document how the system was designed, how risks were identified, how data was selected and controlled, how performance was tested, how human oversight works, and how incidents will be handled after deployment.

It also creates commercial consequences. Customers, procurement teams, investors and business partners will increasingly ask for evidence of AI Act readiness. For high-risk AI systems, a weak compliance file can delay product launch, block procurement, create contractual risk or trigger regulatory exposure.

A robust conformity assessment is therefore not only a regulatory obligation. It is also a trust asset.

The core requirements for high-risk AI systems

To pass an AI conformity assessment, a high-risk AI system must satisfy the requirements of Chapter III, Section 2 of the AI Act.

The first requirement is risk management. Providers must establish a continuous risk management system that identifies, evaluates and mitigates risks to health, safety and fundamental rights. This is not a one-off pre-launch exercise. The system must operate across the lifecycle of the AI system.

The second requirement is data governance. Where data is used for training, validation or testing, providers must implement appropriate data governance and management practices. This includes attention to relevance, representativeness, errors, completeness, bias and the specific characteristics of the intended context of use.

The third requirement is technical documentation. The provider must maintain documentation that allows authorities and, where relevant, notified bodies to assess whether the system complies with the AI Act. This documentation should describe the system’s intended purpose, design, development process, data, models, testing, performance, risk management and oversight measures.

The fourth requirement is record-keeping. High-risk AI systems must enable logs that allow events to be traced, investigated and monitored, taking into account the intended purpose of the system.

The fifth requirement is transparency and instructions for use. Deployers must receive clear information allowing them to understand the system’s capabilities, limitations, expected performance, human oversight measures and conditions of use.

The sixth requirement is human oversight. The system must be designed so that natural persons can effectively oversee its operation, understand its outputs where appropriate, detect anomalies, and intervene in or stop the system when necessary.

The final requirement is accuracy, robustness and cybersecurity. The system must achieve an appropriate level of performance, resist errors and malicious attempts to alter its use or outputs, and remain reliable throughout its lifecycle.

Article 43 AI Act: the conformity assessment procedures

Article 43 of the AI Act defines the conformity assessment procedures for high-risk AI systems. This is where many summaries of the regulation become inaccurate, because the applicable procedure depends on the type of high-risk AI system.

For high-risk AI systems listed in point 1 of Annex III, which concerns biometrics, the provider may use internal control or a conformity assessment involving a notified body, depending on whether harmonised standards or common specifications have been applied. Where harmonised standards do not exist, are not fully applied, or are restricted, the notified body route may be required.

For high-risk AI systems listed in points 2 to 8 of Annex III, the general route is the internal control procedure under Annex VI. This means that, for many standalone high-risk AI systems, the provider conducts the conformity assessment internally, without the involvement of a notified body.

For high-risk AI systems covered by EU harmonisation legislation listed in Annex I, the conformity assessment follows the relevant sectoral product procedure. In that case, AI Act requirements are integrated into the existing product conformity assessment framework, and notified bodies involved under that sectoral legislation may assess compliance with the AI-specific requirements.

This distinction is critical. Organisations should not assume that every high-risk AI system requires an external notified body. They should also not assume that internal control means a light or informal process. Internal control still requires a complete compliance file, a quality management system, technical documentation, risk management evidence and a defensible EU declaration of conformity.

Internal control procedure

The internal control procedure is the most common conformity assessment route for many high-risk AI systems under Annex III.

Under this procedure, the provider verifies internally that the AI system complies with the AI Act. The provider must examine the technical documentation, ensure that the quality management system is in place, verify that the design and development process matches the documentation, and confirm that the system satisfies the applicable requirements.

If the outcome is positive, the provider draws up an EU declaration of conformity and affixes the CE marking where required.

The fact that the provider performs the assessment internally should not be misunderstood. Internal control is not self-certification without evidence. It is a structured legal and technical assessment that must withstand regulatory scrutiny. If the documentation is weak, the risk management process superficial or the testing incomplete, the internal conformity assessment will not be robust.

Conformity assessment with a notified body

A notified body is an independent conformity assessment body designated under EU rules. Its role is to review the quality management system and technical documentation where the AI Act or relevant product legislation requires its involvement.

This route is particularly relevant for certain biometric systems under Annex III point 1 and for AI systems integrated into products already subject to third-party conformity assessment under sectoral product legislation.

The notified body may review the provider’s quality management system, technical documentation, testing evidence and compliance processes. If the system complies, it issues the relevant certificate, which supports the provider’s EU declaration of conformity and CE marking.

For providers, this route requires additional planning. Engaging a notified body may affect project timelines, documentation standards, testing strategy, product release planning and regulatory budget. It should therefore be anticipated early in the development lifecycle.

Technical documentation and the compliance file

The technical documentation is one of the most important deliverables of the AI conformity assessment. It is the evidence base that allows a third party to understand how the system works, what it is intended to do, what risks it creates and how those risks are controlled.

A strong technical file should explain the intended purpose of the system, its architecture, the development process, the data used, the performance metrics, the validation strategy, the risk management process, the human oversight measures, the logging capabilities, the cybersecurity controls and the post-market monitoring plan.

For many organisations, the main challenge will not be understanding that documentation is required. It will be collecting evidence from multiple teams: product, data science, legal, privacy, cybersecurity, quality, engineering, procurement and business owners.

This is why conformity assessment should be embedded into AI governance from the beginning. Reconstructing the technical file after development is often more costly, less accurate and less defensible.

Quality management system

The AI Act requires providers of high-risk AI systems to establish a quality management system. This system is the organisational backbone of AI compliance.

It should cover the strategy for regulatory compliance, design controls, development procedures, testing, validation, data management, risk management, post-market monitoring, incident handling, corrective actions, documentation control and supplier management.

In practice, the quality management system connects AI Act compliance with existing governance frameworks such as ISO 9001, ISO/IEC 27001, ISO/IEC 42001, product safety frameworks, cybersecurity governance and GDPR compliance.

For organisations already operating in regulated sectors, the goal should not be to create a parallel AI compliance bureaucracy. The goal should be to integrate AI Act requirements into existing quality, privacy, security and product governance processes.

EU declaration of conformity and CE marking

Once the conformity assessment is completed successfully, the provider must draw up an EU declaration of conformity. This declaration states that the high-risk AI system complies with the applicable AI Act requirements.

The provider must also affix the CE marking to the high-risk AI system. For digital AI systems, the AI Act allows the use of a digital CE marking, provided that it is easily accessible.

Where a notified body has been involved, the CE marking must include the identification number of the notified body where applicable. Where the AI system is also subject to other EU legislation requiring CE marking, the CE marking must reflect compliance with the relevant applicable rules.

This stage should not be treated as a formality. The EU declaration of conformity and CE marking are the visible outcome of the compliance process. They should only be issued when the underlying evidence is complete and reliable.

Substantial modifications and reassessment

AI systems evolve. Models may be retrained, datasets updated, functionalities extended, interfaces changed or use cases expanded. Under the AI Act, a high-risk AI system that has already undergone a conformity assessment must undergo a new conformity assessment if it is substantially modified.

A substantial modification may include a change affecting the intended purpose, performance, risk profile or compliance with the AI Act. However, changes that were predetermined by the provider at the time of the initial conformity assessment and documented in the technical documentation may not constitute a substantial modification, particularly for systems designed to continue learning after deployment.

This makes change management essential. Providers should define, before launch, which updates are expected, how they will be tested, how they will be documented and when a new conformity assessment will be triggered.

Without a clear change management process, organisations risk deploying updates that invalidate their initial assessment.

Post-market monitoring

Conformity does not end when the AI system is placed on the market or put into service. Providers of high-risk AI systems must establish a post-market monitoring system.

This system should actively and systematically collect, document and analyse relevant data on the performance of the AI system throughout its lifetime. The purpose is to confirm that the system continues to comply with the AI Act and to detect risks, anomalies, performance degradation, bias, misuse or unexpected behaviour.

The post-market monitoring plan must form part of the technical documentation. It should define what will be monitored, which indicators will be used, how often reviews will occur, who is responsible, what thresholds trigger escalation, and how corrective actions will be implemented.

For AI systems integrated into products already subject to sectoral post-market monitoring obligations, the AI Act allows alignment with existing systems, provided that the level of protection remains equivalent.

Serious incident reporting

The AI Act also requires providers of high-risk AI systems to report serious incidents to the competent market surveillance authorities.

A serious incident may involve death, serious harm to health, serious and irreversible disruption of critical infrastructure, infringement of fundamental rights or serious harm to property or the environment, depending on the circumstances.

The general deadline is immediate reporting once a causal link, or reasonable likelihood of such a link, has been established, and in any event no later than 15 days after the provider or, where applicable, the deployer becomes aware of the serious incident. Shorter deadlines apply in certain cases, including widespread infringements and death.

This requirement should be integrated into the organisation’s incident response framework. AI incident reporting should connect with cybersecurity incident response, product safety reporting, data breach procedures, legal escalation and crisis management.

How to prepare an AI conformity assessment

A practical AI conformity assessment should start well before market launch.

The first step is to confirm whether the system is in scope of the AI Act and whether it qualifies as high-risk. This requires analysing the intended purpose, the role of the organisation, the relevant Annex I or Annex III category, and any possible exemption.

The second step is to identify the applicable conformity assessment route under Article 43. The organisation must determine whether the internal control procedure applies, whether a notified body is required, or whether the system falls within an existing product conformity framework.

The third step is to build the compliance file. This includes the technical documentation, risk management records, quality management system evidence, data governance documentation, testing evidence, instructions for use, human oversight measures, logging strategy, cybersecurity evidence and post-market monitoring plan.

The fourth step is to close gaps before the final assessment. This may require additional testing, better documentation, stronger oversight, changes to training data, more precise instructions for use, improved logging, or updated vendor contracts.

The fifth step is to complete the conformity assessment, draw up the EU declaration of conformity and affix the CE marking where applicable.

Finally, the provider must maintain continuous compliance through monitoring, incident reporting, corrective actions and reassessment where substantial modifications occur.

Common challenges

The first challenge is classification. Many organisations are unsure whether their AI system is high-risk, whether they are a provider or deployer, and whether an Annex III exemption can be relied upon. This uncertainty can delay projects and create inconsistent internal decisions.

The second challenge is documentation. AI development teams often work iteratively, while conformity assessment requires structured evidence. If documentation is not built into the development process, reconstructing it later can be difficult.

The third challenge is data governance. High-risk AI systems require evidence that training, validation and testing data have been managed appropriately. This is particularly complex where data comes from third parties, public sources, legacy systems or sensitive contexts.

The fourth challenge is human oversight. Many organisations describe human review in general terms, but the AI Act requires meaningful oversight. The organisation must define who oversees the system, what they can understand, when they intervene and how their intervention is documented.

The fifth challenge is lifecycle control. AI systems change over time. Without post-market monitoring and change management, the system may drift away from its original compliance position.

Why AI conformity assessment should be integrated with GDPR and cybersecurity

AI conformity assessment should not be managed in isolation. Most high-risk AI systems process personal data, confidential information or sensitive business data. Many also rely on cloud infrastructure, APIs, third-party models, data pipelines and complex supply chains.

This means AI Act compliance should be aligned with GDPR, cybersecurity, product safety, procurement and vendor risk management.

A DPIA may be required where the AI system processes personal data in a way that creates high risks for individuals. Cybersecurity controls may need to address model integrity, adversarial attacks, data poisoning, access control, logging and resilience. Vendor contracts may need to allocate responsibility for data, documentation, model updates, incident notification and audit support.

An integrated approach avoids duplication and creates a stronger compliance position.

How DPO Consulting supports AI conformity assessment

DPO Consulting helps organisations prepare for AI conformity assessment under the EU AI Act by translating regulatory requirements into practical governance, documentation and operational controls.

Our support may include AI system qualification, high-risk classification, Article 43 route analysis, gap assessment, technical documentation review, quality management system support, data governance assessment, human oversight documentation, post-market monitoring design, incident reporting procedures, vendor review and GDPR alignment.

We also support organisations in preparing AI Act readiness roadmaps, training legal, compliance, product and technical teams, and coordinating with notified bodies where third-party assessment is required.

The objective is not only to pass a conformity assessment. It is to build AI systems that are legally sound, technically robust, operationally controlled and trusted by customers, users and regulators.

Conclusion

AI conformity assessment is one of the central compliance mechanisms of the EU AI Act. For high-risk AI systems, it determines whether the system can be lawfully placed on the EU market or put into service.

The process requires much more than a final legal review. It requires early classification, robust documentation, risk management, data governance, a quality management system, human oversight, cybersecurity, post-market monitoring and clear change control.

Organisations that prepare early will be better positioned to meet regulatory deadlines, reassure customers, support procurement, and deploy AI systems with confidence. Under the EU AI Act, conformity assessment should be seen not only as a regulatory hurdle, but as a structured way to prove that high-risk AI is safe, accountable and trustworthy.

FAQ

What is an AI conformity assessment under the EU AI Act?

An AI conformity assessment is the process through which a provider demonstrates that a high-risk AI system complies with the mandatory requirements of the EU AI Act. It is required before the system is placed on the market or put into service.

Which AI systems require a conformity assessment?

Only high-risk AI systems require a conformity assessment under the AI Act. These include certain AI systems listed in Annex III and certain AI systems that are products or safety components of products covered by EU harmonisation legislation listed in Annex I.

Does every high-risk AI system require a notified body?

No. Many Annex III high-risk AI systems follow the internal control procedure without the involvement of a notified body. A notified body may be required for certain biometric systems or where the AI system is integrated into a product subject to sectoral third-party conformity assessment.

What is the internal control procedure?

The internal control procedure is a conformity assessment route where the provider verifies compliance internally, based on technical documentation, quality management, risk management and evidence of compliance with the AI Act requirements. It does not involve a notified body, but it must be fully documented and defensible.

What documents are needed for an AI conformity assessment?

Key documents include the technical documentation, quality management system evidence, risk management file, data governance records, testing and validation evidence, instructions for use, human oversight documentation, logging strategy, cybersecurity evidence and post-market monitoring plan.

When is a new conformity assessment required?

A new conformity assessment is required when a high-risk AI system that has already been assessed undergoes a substantial modification. Changes that were predetermined and documented in the initial technical documentation may not constitute a substantial modification.

What is the link between conformity assessment and CE marking?

After a successful conformity assessment, the provider draws up an EU declaration of conformity and affixes the CE marking to the high-risk AI system. For digital systems, the CE marking may be digital if it is easily accessible.

Does conformity assessment end after launch?

No. Providers of high-risk AI systems must maintain post-market monitoring and report serious incidents where required. Compliance must be maintained throughout the lifecycle of the AI system.

How can businesses prepare for AI conformity assessment?

Businesses should start by building an AI inventory, classifying systems under the AI Act, identifying provider and deployer roles, determining the Article 43 procedure, preparing technical documentation, strengthening data governance, designing human oversight, and integrating post-market monitoring into their AI governance framework.
