FAQEU

EU AI Act Conformity Assessment and Notified Bodies

Article 43 does not require every high-risk AI system to use a notified body. The route depends on whether the system is an Annex III point 1 system, an Annex III point 2-8 system, or an AI component of Annex I product legislation.

Use this FAQ to map the assessment route, assemble the technical documentation and quality-management evidence, and connect the outcome to the EU declaration of conformity, CE marking, and Article 49 registration.

Back to main artifactReview sources
Author
Sorena AI
Published
May 9, 2026
Updated
May 9, 2026
Questions
4

Structured answer sets in this page tree.

Primary sources
12

Cited legal and guidance references.

Publication metadata
Sorena AI
Published May 9, 2026
Updated May 9, 2026
Overview

EU AI Act conformity assessment is a pre-market or pre-service step for high-risk AI systems. Providers should first classify the system, then choose the Article 43 route: Annex VI internal control, Annex VII assessment with a notified body, or the conformity route required by applicable Annex I product legislation.

Search this module

Find a question or answer quickly

4 of 4 questions
Question 1

When does Article 43 require a notified body?

Article 43 uses different routes for different high-risk AI systems. For high-risk systems listed in point 1 of Annex III, the provider may use Annex VI internal control only when it demonstrates compliance by applying harmonised standards under Article 40 or, where applicable, common specifications under Article 41.

For that same Annex III point 1 category, Annex VII notified-body assessment is required when harmonised standards and common specifications are not available, when the provider has not applied the relevant harmonised standard or has applied only part of it, when available common specifications have not been applied, or when a harmonised standard has been published with a restriction for the restricted part.

For high-risk AI systems in points 2 to 8 of Annex III, Article 43 says providers follow Annex VI internal control, with no notified-body involvement. For high-risk AI systems covered by the Union harmonisation legislation listed in Section A of Annex I, the provider follows the conformity assessment required by that product law, and the AI Act Section 2 requirements become part of that assessment.

  • Start with the legal basis for high-risk classification: Annex III point 1, Annex III points 2-8, or Annex I Section A product legislation.
  • Record which harmonised standards or common specifications were applied in full, applied in part, unavailable, or published with restrictions.
  • Use Annex VII when Article 43 makes notified-body assessment mandatory for the route, not simply because the system is high risk.
  • Treat a substantial modification after an assessment as a trigger for a new conformity assessment unless the change was pre-determined in the initial technical documentation.
Citations
Question 2

What evidence supports Annex VI internal control?

Annex VI internal control is still a formal conformity assessment. The provider verifies that its quality management system complies with Article 17, examines the technical documentation to assess compliance with Chapter III Section 2 requirements, and verifies that design, development, and post-market monitoring are consistent with the technical documentation.

The evidence should therefore be more than a checklist. Article 11 requires technical documentation to be drawn up before placing the high-risk AI system on the market or putting it into service, kept up to date, and written so competent authorities and notified bodies can assess compliance. Annex IV lists expected content, including intended purpose, system versions, development methods, data requirements, human oversight, validation and testing, cybersecurity, risk management, standards used, the EU declaration of conformity, and post-market monitoring.

  • Maintain Article 17 quality-management records covering regulatory strategy, design control, development, validation, standards, data management, risk management, post-market monitoring, serious-incident reporting, authority communications, record keeping, resources, and accountability.
  • Keep Article 11 and Annex IV technical documentation current with the system version, intended purpose, interfaces, data, testing, human oversight, cybersecurity, risk management, standards, declaration of conformity, and post-market monitoring plan.
  • Retain the Article 18 evidence set for 10 years after the high-risk AI system is placed on the market or put into service.
  • Link release gates to the provider duties in Article 16: conformity assessment, EU declaration of conformity, CE marking, and Article 49 registration before market placement or service.
Citations
Question 3

What changes when Annex VII applies?

Annex VII adds notified-body review of both the provider's quality management system and the technical documentation for the AI system. The provider's application includes provider identity, the AI systems covered by the same quality management system, technical documentation for each system, quality-management documentation covering Article 17, procedures to keep the system adequate and effective, and a declaration that the same application was not lodged with another notified body.

The notified body examines whether the quality management system satisfies Article 17 and examines the technical documentation. Where needed, it may require further evidence or tests, carry out tests itself, and, after other reasonable means are insufficient, request access to training and trained models subject to applicable protection for intellectual property and trade secrets. If the system conforms, the notified body issues a Union technical documentation assessment certificate; if not, it refuses and gives reasons.

After approval, Annex VII creates an ongoing change and surveillance track. Intended changes to the approved quality management system, the covered system list, or an AI system change that could affect compliance or intended purpose must be brought to the notified body. The notified body carries out surveillance of the approved quality management system, including periodic audits.

  • Prepare one package for the quality management system and one for the AI system technical documentation.
  • Do not lodge the same Annex VII application with multiple notified bodies at the same time.
  • Plan how the provider will supply further evidence, testing, data-set access, or model access if the notified body requests it within the limits of Annex VII.
  • Track certificate conditions, supplements, refusal reasons, surveillance audit reports, and notified-body change decisions as controlled release records.
Citations
Question 4

What happens after a successful assessment?

The conformity assessment route should close into release evidence. Article 47 requires the provider to draw up a written, machine-readable, physical, or electronically signed EU declaration of conformity for each high-risk AI system, keep it available to national competent authorities for 10 years, identify the system, state conformity with the Section 2 requirements, include Annex V information, translate it for relevant national competent authorities, and keep it up to date.

Article 48 requires CE marking for high-risk AI systems. For digital high-risk AI systems, a digital CE marking can be used only when it is easily accessible through the system interface or through an accessible machine-readable code or other electronic means. Where a notified body was responsible for the Article 43 conformity assessment, its identification number follows the CE marking and is also indicated in promotional material that mentions CE conformity.

Article 49 registration is separate from CE marking and must be checked before release. Providers or authorised representatives register themselves and Annex III high-risk AI systems in the EU database before placing them on the market or putting them into service, except for point 2 of Annex III. Providers also register systems they concluded are not high risk under Article 6(3). Public authorities, Union institutions, bodies, offices, agencies, and persons acting on their behalf have deployer registration duties for covered Annex III systems before use.

  • Attach the Article 47 declaration to the system record and include Annex V content such as system identification, provider identity, responsibility statement, conformity statement, standards or common specifications, notified-body details where applicable, and signature information.
  • Confirm the CE mark location: interface, machine-readable code, packaging, or accompanying documentation, depending on the system form.
  • When a notified body was involved, include its identification number after the CE marking and in CE-conformity promotional material.
  • Submit and maintain Article 49 and Annex VIII registration information where the system or deployer falls within the registration rules.
Citations
Recommended next step

Map Article 43 to your product evidence

Sorena can help convert the Article 43 route, Annex VI or Annex VII evidence, EU declaration, CE marking, and Article 49 registration checks into a cited workflow for high-risk AI releases.

Research workflow
Open Research Copilot for EU AI Act

Ask source-linked questions about conformity assessment routes, notified-body triggers, technical documentation, declarations, CE marking, and registration.

Explore next step
Talk to Sorena
Talk through implementation

Review your high-risk AI assessment route, evidence gaps, and release approval steps with Sorena.

Explore next step
Primary sources

References and citations

AI Act Service Desk Article 49 registration
ai-act-service-desk.ec.europa.eu
Referenced sections
  • Official AI Act Service Desk article explaining Article 49 registration duties for providers and certain deployers.
"Registration"
Regulation (EU) 2024/1689 (EU AI Act Official Journal text)
eur-lex.europa.eu
Referenced sections
  • Primary legal source for Article 43 conformity assessment routes, Annex IV technical documentation, Annex V declarations, Annex VI internal control, Annex VII notified-body assessment, CE marking, and registration annexes.
"Conformity assessment"
Regulation (EU) 2024/1689 Annex IV
eur-lex.europa.eu
Referenced sections
  • Primary annex listing the technical-documentation content used to show high-risk AI system conformity.
"Technical documentation referred to"
Regulation (EU) 2024/1689 Annex VI and Annex VII
eur-lex.europa.eu
Referenced sections
  • Primary annex text defining internal control and notified-body assessment of the quality management system and technical documentation.
"Conformity based on an assessment"
Regulation (EU) 2024/1689 Annex VII
eur-lex.europa.eu
Referenced sections
  • Primary annex for notified-body assessment of quality management systems, technical documentation, certificates, changes, and surveillance.
"assessment of the technical documentation"
Regulation (EU) 2024/1689 Articles 34 and 35
eur-lex.europa.eu
Referenced sections
  • Primary legal text stating notified bodies verify conformity under Article 43 and that the Commission makes notified-body lists public.
"verify the conformity"
Regulation (EU) 2024/1689 Articles 47, 48 and 49
eur-lex.europa.eu
Referenced sections
  • Primary legal text for EU declarations of conformity, CE marking, notified-body identification numbers, and registration duties.
"EU declaration of conformity"
Related guides

Explore more topics

Are industry AI use cases high-risk under EU AI Act Annex III?
FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep.
EU AI Act AI System Classification Edge Cases FAQ
Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence.
EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence
Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification.
EU AI Act applicability test: scope, role, and risk classification
Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records.
EU AI Act Article 5 Prohibited AI Practices Screening Guide
Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions.
EU AI Act Article 50 transparency disclosures FAQ
Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions.
EU AI Act Article 50 transparency, labeling, and user disclosures
Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use.
EU AI Act Article 73 serious incident FAQ
FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions.
EU AI Act Compliance Checklist by Risk Class
A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties.
EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents
Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties.
EU AI Act conformity assessment and notified bodies for high-risk AI
Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement.
EU AI Act deadlines and compliance calendar | Article 113 dates
source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning.
EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates
Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates.
EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification
Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration.
EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence
Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence.
EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ
FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement.
EU AI Act GPAI evidence pack checklist for Article 53 and 55
Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable.
EU AI Act GPAI Provider Obligations: Articles 53 and 55
Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls.
EU AI Act High-Risk AI Requirements: Articles 8-16 and 26
Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties.
EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide
Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries.
EU AI Act high-risk conformity assessment route selector
Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence.
EU AI Act high-risk requirements checklist: Articles 8-15
Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity.
EU AI Act penalties and fines: Article 99 tiers and GPAI exposure
EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines.
EU AI Act post-market monitoring and serious incident reporting
Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions.
EU AI Act post-market monitoring FAQ for high-risk AI systems
Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers.
EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ
FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries.
EU AI Act risk classification intake workflow
A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers.
EU AI Act serious incident reporting triage workflow: Article 73 and Article 55
Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting.
EU AI Act Technical Documentation and Provider Evidence Templates
Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring.
EU AI Act technical documentation FAQ | Article 11 and Annex IV
What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring.
EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide
Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations.
EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits
Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits.
EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries
Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits.