EU AI Act Conformity Assessment: Do You Need One and How Does It Work?

A conformity assessment is the process by which a provider of a high-risk AI system formally verifies that their system complies with the requirements of the EU AI Act before placing it on the market. It is one of the most significant compliance obligations for high-risk AI providers — and one of the least understood.

Who needs a conformity assessment?

Only providers of high-risk AI systems are required to conduct a conformity assessment. If your system is limited risk or minimal risk, no conformity assessment is required.

High-risk systems are those that fall under Annex III of the EU AI Act (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice) or that serve as a safety component of a product covered by existing EU harmonization legislation.

Do you need a third party to do it?

This depends on the type of high-risk system:

Self-assessment (most high-risk systems)

For the majority of Annex III high-risk AI systems, providers can conduct the conformity assessment themselves — an internal process following the procedures in Annex VI of the regulation. This is called an internal production control procedure. You document your compliance, verify your system meets the requirements, and sign the EU Declaration of Conformity yourself.

Third-party assessment (specific cases)

A third-party conformity assessment by a notified body is required in two situations:

  • AI systems intended to be used for real-time remote biometric identification of natural persons (the limited law enforcement exceptions to the prohibition)
  • High-risk AI systems that are safety components of products already covered by EU harmonization legislation that requires third-party assessment (medical devices, machinery, vehicles)

For most SaaS companies building Annex III high-risk AI (HR tools, credit scoring, educational AI), self-assessment is sufficient.

What does the conformity assessment involve?

A conformity assessment conducted as a self-assessment involves verifying compliance with the high-risk system requirements set out in Articles 9 through 15 and Article 17:

  • Article 9 — Risk management system. An ongoing, iterative process of identifying, estimating, evaluating, and mitigating risks. Must be documented and updated throughout the system lifecycle.
  • Article 10 — Data governance. Training, validation, and testing data must meet quality criteria. Data practices must be documented.
  • Article 11 — Technical documentation. Full Annex IV documentation must be prepared before market placement and kept up to date.
  • Article 12 — Logging. Automatic logging of events during operation must be technically possible.
  • Article 13 — Transparency. Users must receive instructions for use that allow them to interpret outputs and exercise appropriate oversight.
  • Article 14 — Human oversight. The system must be designed to allow effective human oversight during use.
  • Article 15 — Accuracy, robustness, and cybersecurity. The system must perform consistently at the accuracy levels declared and be resilient to attempts to alter its behaviour.
  • Article 17 — Quality management system. Providers must implement a quality management system covering all aspects of the system lifecycle.

The output: EU Declaration of Conformity and CE marking

When a conformity assessment is complete, the provider must:

  • Draw up an EU Declaration of Conformity — a formal statement that the system complies with the EU AI Act
  • Affix the CE marking to the system (or its documentation/packaging)
  • Register the system in the EU database of high-risk AI systems

The EU Declaration of Conformity must be kept for 10 years after the system is placed on the market. If the system changes significantly, a new conformity assessment must be conducted.

When must the conformity assessment be done?

The conformity assessment must be completed before the high-risk AI system is placed on the EU market or put into service in the EU. For systems already on the market when the regulation takes effect, the deadline is August 2, 2026. After that date, any new high-risk AI system entering the EU market must have a completed conformity assessment.

How ActReady helps

ActReady generates the core documentation required for a conformity assessment conducted as a self-assessment: Annex IV technical documentation, Article 9 risk management plans, Article 14 human oversight plans, and the full compliance documentation package. The platform also tracks your progress against each conformity assessment requirement so you can see exactly what is done and what remains. Start with a free classification at getactready.com/classify to confirm whether your system is high-risk and therefore subject to the conformity assessment requirement.
