
EU AI Act Article 17: Quality Management System Requirements for High-Risk AI

Key takeaways

  • Article 17 mandates a documented quality management system (QMS) that covers everything from design to post-market monitoring — it's the backbone of high-risk AI compliance.
  • If you already have ISO 9001 or ISO 42001 certification, you have a head start — but the AI Act requires AI-specific additions that general quality standards don't cover.
  • The QMS must include procedures for regulatory communication, conformity assessment, supply chain management, and serious incident reporting.

Article 17 of the EU AI Act requires providers of high-risk AI systems to put in place a quality management system (QMS). This is not a suggestion — it is a binding obligation. The QMS is the organisational backbone that ensures your AI system remains compliant throughout its lifecycle, not just at the point of market placement.

If you have ever worked with ISO 9001, the concept will be familiar. But the EU AI Act's QMS requirements go further, adding AI-specific elements that general quality management standards do not cover.

What Article 17 requires

Article 17(1) states that providers of high-risk AI systems shall put in place a quality management system that ensures compliance with the regulation. It must be documented in a systematic and orderly manner, in the form of written policies, procedures, and instructions.

The QMS must be proportionate to the size of the provider's organisation. A startup with one high-risk AI system does not need the same QMS infrastructure as a multinational — but it does need the same coverage of topics.

Required QMS components

Article 17(1) lists the specific areas your QMS must address:

  • (a) Compliance strategy and regulatory communication. Procedures for ensuring compliance with the regulation, including communication with national competent authorities. You need a designated point of contact and a process for responding to regulatory requests.
  • (b) Design, development, and testing. Techniques, procedures, and systematic actions for AI system design, design control, design verification, and validation — including examination, testing, and validation before, during, and after development.
  • (c) Examination, test, and validation procedures. Specific procedures to be carried out before, during, or after development. This covers your testing strategy, acceptance criteria, and regression testing approach.
  • (d) Technical specifications and standards. Which technical specifications are applied and, where harmonised standards are not applied in full, the means used to ensure compliance.
  • (e) Data management systems. Systems and procedures for data management, including data acquisition, collection, analysis, labelling, storage, filtration, mining, aggregation, retention, and any other operation on data. This connects directly to your Article 10 data governance.
  • (f) Risk management. The risk management system required under Article 9, integrated into your overall quality processes.
  • (g) Post-market monitoring. Setting up and implementing a post-market monitoring system under Article 72, including plans for detecting and responding to issues after deployment.
  • (h) Incident reporting. Procedures for reporting serious incidents and malfunctions under Article 73, including timelines, communication chains, and remediation processes.
  • (i) Supply chain management. Handling communication with third parties — particularly in relation to supply chain management, including ensuring that third-party components meet quality requirements.
  • (j) Record-keeping. Systems for documentation and record-keeping, including version control, change management, and audit trails.
  • (k) Resource management. Human and computational resource management, including allocation of responsibilities and ensuring adequate competence.
  • (l) Accountability framework. An accountability framework setting out the responsibilities of management and other staff in relation to all aspects of the QMS.

Overlap with ISO 9001 and ISO 42001

If your organisation already holds ISO 9001 (quality management) or ISO 42001 (AI management system) certification, you have a significant head start:

  • ISO 9001 covers document control, management review, resource management, corrective actions, and internal audits. These map to Article 17 requirements (j), (k), and (l). You can extend your existing QMS rather than building from scratch.
  • ISO 42001 is more directly aligned. It covers AI risk management, data governance, bias management, and AI lifecycle management. If you have ISO 42001, you likely cover 60–70% of Article 17 requirements. The gaps are typically in regulatory communication (a), incident reporting (h), and specific EU AI Act conformity procedures.
  • Neither is sufficient alone. ISO standards are voluntary and generic. The EU AI Act requires AI-specific elements (bias monitoring, conformity assessment procedures, competent authority communication) that no existing ISO standard fully covers. Use your ISO framework as the structure, then add the missing AI Act components.

Note

The EU AI Act explicitly mentions that harmonised standards may be used to demonstrate compliance. When EN standards aligned with the AI Act are published, they will likely reference ISO 42001 concepts. Building your QMS on ISO 42001 now positions you well for when those standards arrive. See our ISO 42001 mapping for a detailed control-by-control comparison.

Documentation structure

A practical QMS documentation structure for EU AI Act compliance:

  • Level 1 — QMS Policy. A top-level document stating your organisation's commitment to AI quality and compliance. Signed by management. Reviewed annually.
  • Level 2 — Procedures. Documented procedures for each Article 17 requirement: design control, testing, data management, risk management, post-market monitoring, incident reporting, and supply chain management.
  • Level 3 — Work Instructions. Step-by-step instructions for specific tasks: how to run bias tests, how to submit a serious incident report, how to conduct a conformity assessment, how to review and approve training data.
  • Level 4 — Records. Evidence that procedures were followed: test reports, risk assessment outputs, design review minutes, incident logs, training records, audit reports.

Building your QMS

A practical timeline for building an Article 17 QMS:

  • Weeks 1–2: Gap analysis. Compare your existing quality processes against Article 17 requirements. If you have ISO certification, map your existing procedures to the 12 components. Identify what's missing.
  • Weeks 3–4: Core documentation. Write your QMS policy, define roles and responsibilities, and create the accountability framework. Use document generation to draft the foundational documents.
  • Weeks 5–8: Procedures. Develop or adapt procedures for each QMS component. Prioritise risk management (Article 9), data governance (Article 10), and post-market monitoring (Article 72) — these are the most complex.
  • Weeks 9–12: Implementation and testing. Roll out procedures, train staff, conduct a dry-run internal audit, and fix gaps. Your QMS should be operational before you submit your conformity assessment.

The high-risk deadline is 559 days away. A well-structured QMS typically takes 8–12 weeks to build from scratch, or 4–6 weeks if you have existing ISO certification to build on. Start now — the QMS underpins every other high-risk obligation.
