EU AI Act High-risk conformity route selector

Do not choose an assessment procedure until the high-risk basis is written down. The AI Act treats Annex I product-law systems differently from Annex III standalone use cases, and Article 43 routes them through different assessment mechanics.

For Annex I, identify the sector legislation first. Section A includes New Legislative Framework legislation such as machinery, toys, radio equipment, pressure equipment, lifts, PPE, gas appliances, medical devices, and in vitro diagnostic medical devices. Article 43 then sends the provider through the conformity assessment procedure required by that sector law, with the AI Act Chapter III Section 2 requirements included in that assessment.

For Annex III, record the exact point and use case. Annex III covers biometrics, critical infrastructure, education and vocational training, employment and workers' management, access to essential private and public services, law enforcement, migration and border control, and justice and democratic processes.

Once the high-risk basis is known, apply Article 43 without collapsing the categories. Annex III point 1 systems can use internal control under Annex VI only when the provider has applied harmonised standards, or common specifications where applicable, that cover the relevant requirements. Otherwise Article 43 requires the Annex VII procedure with assessment of the quality management system and technical documentation by a notified body.

For Annex III point 1 systems, also use Annex VII when harmonised standards do not exist and common specifications are unavailable, when the provider has not applied the harmonised standard or has applied it only partly, when common specifications exist but are not applied, or when a harmonised standard is published with a restriction for the restricted part.

For Annex III points 2 to 8, Article 43 points providers to the internal-control procedure in Annex VI. That still requires the provider to verify the quality management system, examine the technical documentation, and confirm that design, development, and post-market monitoring are consistent with the documentation.

For Annex I Section A product-law systems, follow the conformity assessment procedure required by the relevant product legislation. If that legislation allows the manufacturer to opt out of third-party assessment because all relevant harmonised standards are applied, Article 43 allows that option only when harmonised standards or common specifications also cover all AI Act Chapter III Section 2 requirements.

The standards decision is not a citation exercise. It changes whether Annex III point 1 can stay with internal control or must move to Annex VII. For every requirement relied on, record whether the provider applied an OJEU-referenced harmonised standard in full, applied it only in part, used a common specification, or adopted another technical solution.

Harmonised standards and common specifications can create a presumption of conformity only to the extent that they cover the relevant AI Act requirements or obligations. If the provider does not comply with common specifications, Article 41 requires justification that the adopted technical solutions meet the requirements to at least an equivalent level.

When Annex VII applies, the evidence package must be ready for a notified body review of both the quality management system and the technical documentation. Annex VII allows the notified body to request further evidence or tests, and in limited circumstances to access training, validation, and testing datasets or trained models where necessary for the assessment.

The selector is complete only when the post-assessment outputs are assigned. Article 47 requires a written, machine-readable, physical or electronically signed EU declaration of conformity for each high-risk AI system and requires the provider to keep it available to national competent authorities for 10 years after placement on the market or putting into service.

Article 48 requires CE marking for high-risk AI systems. Digital systems can use a digital CE marking if it is easily accessible through the interface, a machine-readable code, or another electronic means. Where a notified body is responsible for the Article 43 conformity assessment, the CE marking must be followed by that body's identification number.

Registration depends on the high-risk basis and actor. Article 49 requires providers or authorised representatives to register Annex III high-risk systems, except point 2 critical infrastructure systems, in the EU database before placing them on the market or putting them into service. Providers that classify an Annex III system as not high-risk under Article 6(3) must also register that conclusion. Public authorities and Union bodies deploying Annex III systems, except point 2, must register themselves and the use of the system. Article 49 routes point 2 critical infrastructure systems to national registration.