--- title: "EU AI Act high-risk conformity assessment route selector" canonical_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow" source_url: "https://www.sorena.io/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow" author: "Sorena AI" description: "Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence." published_at: "2026-05-09" updated_at: "2026-05-09" keywords: - "EU AI Act" - "Article 43" - "high-risk AI conformity assessment" - "Annex III" - "Annex I" - "notified body" - "Annex VI" - "Annex VII" - "EU declaration of conformity" - "CE marking" - "EU database registration" - "high-risk AI" - "conformity assessment" --- **[SORENA](https://www.sorena.io/)** - AI-Powered GRC Platform [Home](https://www.sorena.io/) | [Solutions](https://www.sorena.io/solutions) | [Artifacts](https://www.sorena.io/artifacts) | [About Us](https://www.sorena.io/about-us) | [Contact](https://www.sorena.io/contact) | [Portal](https://app.sorena.io) --- # EU AI Act high-risk conformity assessment route selector Select the EU AI Act Article 43 conformity assessment route for a high-risk AI system, including Annex I product legislation, Annex III categories, notified body triggers, standards, declaration, CE marking, registration, and evidence. *Workflow* *EU AI Act* ## EU AI Act High-risk conformity route selector Choose the Article 43 conformity assessment path for a high-risk AI system before placing it on the EU market or putting it into service. Use the selector to separate Annex I product-law systems from Annex III systems, identify when a notified body is required, and collect the declaration, CE marking, registration, and technical evidence needed for the file. Article 43 is the routing point for EU AI Act high-risk conformity assessment. Start with the system's high-risk basis: an AI system or safety component in Annex I product legislation, an Annex III point 1 biometrics system, or another Annex III system. Then record whether harmonised standards or common specifications are fully applied, whether a notified body is involved, and which post-assessment outputs must be ready before market placement or use. ## 1. Classify the high-risk basis before choosing the assessment path Do not choose an assessment procedure until the high-risk basis is written down. The AI Act treats Annex I product-law systems differently from Annex III standalone use cases, and Article 43 routes them through different assessment mechanics. For Annex I, identify the sector legislation first. Section A includes New Legislative Framework legislation such as machinery, toys, radio equipment, pressure equipment, lifts, PPE, gas appliances, medical devices, and in vitro diagnostic medical devices. Article 43 then sends the provider through the conformity assessment procedure required by that sector law, with the AI Act Chapter III Section 2 requirements included in that assessment. For Annex III, record the exact point and use case. Annex III covers biometrics, critical infrastructure, education and vocational training, employment and workers' management, access to essential private and public services, law enforcement, migration and border control, and justice and democratic processes. - Annex I route: the AI system is itself a regulated product or a safety component of a product covered by Annex I Union harmonisation legislation. - Annex III point 1 route: biometrics systems have special Article 43 triggers for notified body involvement. - Annex III points 2 to 8 route: internal control under Annex VI is the default Article 43 procedure unless the Commission later changes that routing by delegated act. - Evidence to capture: intended purpose, product or use-case category, applicable Annex item, provider identity, affected Member States, and the source used for the classification. Sources for this answer: - [Regulation (EU) 2024/1689 - AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Article 43 sets the conformity assessment route by high-risk category, while Annex I and Annex III define the product-law and use-case categories used by this selector. - [European Commission - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ explains that high-risk classification depends on intended purpose and can arise from Annex I product legislation or Annex III use cases. ## 2. Apply the Article 43 route rules Once the high-risk basis is known, apply Article 43 without collapsing the categories. Annex III point 1 systems can use internal control under Annex VI only when the provider has applied harmonised standards, or common specifications where applicable, that cover the relevant requirements. Otherwise Article 43 requires the Annex VII procedure with assessment of the quality management system and technical documentation by a notified body. For Annex III point 1 systems, also use Annex VII when harmonised standards do not exist and common specifications are unavailable, when the provider has not applied the harmonised standard or has applied it only partly, when common specifications exist but are not applied, or when a harmonised standard is published with a restriction for the restricted part. For Annex III points 2 to 8, Article 43 points providers to the internal-control procedure in Annex VI. That still requires the provider to verify the quality management system, examine the technical documentation, and confirm that design, development, and post-market monitoring are consistent with the documentation. For Annex I Section A product-law systems, follow the conformity assessment procedure required by the relevant product legislation. If that legislation allows the manufacturer to opt out of third-party assessment because all relevant harmonised standards are applied, Article 43 allows that option only when harmonised standards or common specifications also cover all AI Act Chapter III Section 2 requirements. - Route A - Annex I Section A product law: use the sector conformity assessment and include AI Act high-risk requirements in that assessment. - Route B - Annex III point 1 with full standards or common specifications: provider may choose Annex VI internal control or Annex VII notified body assessment. - Route C - Annex III point 1 without full standards or common specifications: use Annex VII notified body assessment. - Route D - Annex III points 2 to 8: use Annex VI internal control unless a later delegated act makes Annex VII applicable. - Special authority rule: when an Annex VII system is intended for law enforcement, immigration or asylum authorities, or Union institutions, bodies, offices, or agencies, Article 43 assigns the relevant market surveillance authority to act as the notified body. Sources for this answer: - [Regulation (EU) 2024/1689 - AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Article 43 paragraphs 1 to 3 provide the internal-control, notified-body, and Annex I product-law routes used in the selector. - [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Commission overview summarizes the provider sequence: conformity assessment, possible notified body involvement, EU database registration, declaration of conformity, and CE marking. ## 3. Record standards, common specifications, and notified body triggers The standards decision is not a citation exercise. It changes whether Annex III point 1 can stay with internal control or must move to Annex VII. For every requirement relied on, record whether the provider applied an OJEU-referenced harmonised standard in full, applied it only in part, used a common specification, or adopted another technical solution. Harmonised standards and common specifications can create a presumption of conformity only to the extent that they cover the relevant AI Act requirements or obligations. If the provider does not comply with common specifications, Article 41 requires justification that the adopted technical solutions meet the requirements to at least an equivalent level. When Annex VII applies, the evidence package must be ready for a notified body review of both the quality management system and the technical documentation. Annex VII allows the notified body to request further evidence or tests, and in limited circumstances to access training, validation, and testing datasets or trained models where necessary for the assessment. - Standards record: standard or common specification used, OJEU reference status, covered requirement, full or partial application, and any restriction. - Notified body trigger record: Annex III point 1 trigger, standards gap, partial application, restricted standard, product-law requirement, or special public-authority route. - Annex VII submission record: quality management system documentation, Annex IV technical documentation, no-duplicate-application declaration, and the chosen notified body or relevant authority. - Alternative-solution record: technical solution, requirement covered, test evidence, risk-management link, and justification for equivalence where common specifications are not followed. Sources for this answer: - [Regulation (EU) 2024/1689 - AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Articles 40 and 41 explain presumption of conformity through harmonised standards and common specifications; Annex VII defines notified body review of the quality system and technical documentation. - [European Commission - Standardisation of the AI Act](https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation?ref=sorena.io) - Commission standardisation page explains that harmonised standards are voluntary but, when referenced in the Official Journal, provide legal certainty and a presumption of compliance. ## 4. Close the route with declaration, CE marking, registration, and evidence The selector is complete only when the post-assessment outputs are assigned. Article 47 requires a written, machine-readable, physical or electronically signed EU declaration of conformity for each high-risk AI system and requires the provider to keep it available to national competent authorities for 10 years after placement on the market or putting into service. Article 48 requires CE marking for high-risk AI systems. Digital systems can use a digital CE marking if it is easily accessible through the interface, a machine-readable code, or another electronic means. Where a notified body is responsible for the Article 43 conformity assessment, the CE marking must be followed by that body's identification number. Registration depends on the high-risk basis and actor. Article 49 requires providers or authorised representatives to register Annex III high-risk systems, except point 2 critical infrastructure systems, in the EU database before placing them on the market or putting them into service. Providers that classify an Annex III system as not high-risk under Article 6(3) must also register that conclusion. Public authorities and Union bodies deploying Annex III systems, except point 2, must register themselves and the use of the system. Article 49 routes point 2 critical infrastructure systems to national registration. - EU declaration record: system name and type, provider details, sole-responsibility statement, AI Act conformity statement, applicable data-protection statement, standards or common specifications, notified body and certificate details where applicable, place, date, signer, and signature. - CE marking record: marking location, digital access method where relevant, notified body identification number where applicable, and whether other Union law also requires CE marking. - Registration record: provider or deployer registration obligation, EU database or national registration path, Annex III exception check, certificate details where applicable, EU declaration copy, instructions for use, Member States, and status of the system. - Reassessment record: substantial modification, intended-purpose change, standards or common-specification change, notified body certificate supplement, and post-market monitoring evidence. Sources for this answer: - [Regulation (EU) 2024/1689 - AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Articles 47 to 49 and Annexes V and VIII support the declaration of conformity, CE marking, registration, and evidence fields listed here. - [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Official AI Act Service Desk article explains registration before placing Annex III high-risk systems on the market or putting them into service, including EU database and non-public registration cases. - [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Commission overview confirms that, after conformity assessment and registration of standalone systems, a declaration of conformity is signed and the system bears CE marking before market placement. *Recommended next step* *Placement: before sources* ## Use this selector before locking a high-risk AI release plan Sorena can help translate the Article 43 route, standards position, notified body trigger, declaration, CE marking, registration, and Annex IV evidence into a maintained compliance file. - [Open Research Copilot for EU AI Act](/solutions/research-copilot.md): Ask source-linked questions about Article 43, Annex I product-law systems, Annex III use cases, notified body triggers, and high-risk AI evidence. - [Review an AI Act conformity route](/contact.md): Check whether your system belongs on the Annex I, Annex III point 1, or Annex III points 2 to 8 assessment path before release planning. ## Primary sources - [Regulation (EU) 2024/1689 - AI Act](https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32024R1689&ref=sorena.io) - Primary legal source for Article 43 conformity assessment routes, Annex I and Annex III high-risk categories, Articles 40 and 41 standards and common specifications, Article 47 declaration, Article 48 CE marking, Article 49 registration, and Annex IV to VIII evidence fields. - Quote: "For high-risk AI systems listed in point 1 of Annex III" - [European Commission - AI Act regulatory framework](https://digital-strategy.ec.europa.eu/en/policies/regulatory-framework-ai?ref=sorena.io) - Commission overview supports the practical sequence from high-risk conformity assessment through possible notified body involvement, EU database registration, declaration of conformity, and CE marking. - Quote: "It needs to undergo the conformity assessment and comply with AI requirements." - [European Commission - Navigating the AI Act](https://digital-strategy.ec.europa.eu/en/faqs/navigating-ai-act?ref=sorena.io) - Commission FAQ supports the high-risk classification split between Annex I product-law systems and Annex III use cases, plus the need to repeat assessment after substantial modification. - Quote: "The risk classification is based on the intended purpose of the AI system" - [European Commission - Standardisation of the AI Act](https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation?ref=sorena.io) - Commission standardisation page supports the role of harmonised standards, OJEU references, voluntary use of standards, and presumption of compliance for providers applying referenced standards. - Quote: "harmonised standards referenced in the Official Journal of the EU provide legal certainty" - [AI Act Service Desk - Article 49 registration](https://ai-act-service-desk.ec.europa.eu/en/ai-act/article-49?ref=sorena.io) - Official Article 49 page supports the registration obligations for Annex III high-risk systems, not-high-risk Article 6(3) conclusions, certain public deployers, restricted registration, and national registration for Annex III point 2 systems. - Quote: "High-risk AI systems referred to in point 2 of Annex III shall be registered at national level." ## Related Topic Guides - [Are industry AI use cases high-risk under EU AI Act Annex III?](/artifacts/eu/artificial-intelligence-act/faq/annex-iii-industry-use-cases.md): FAQ answer on when an industry AI use case falls under EU AI Act Annex III, how Article 6 classification works, when Article 6(3) can support a non-high-risk conclusion, and what evidence providers should keep. - [EU AI Act AI System Classification Edge Cases FAQ](/artifacts/eu/artificial-intelligence-act/faq/ai-system-classification-edge-cases.md): Answers for EU AI Act edge cases: AI system definition, inference versus simple rules, GPAI models, embedded products, territorial scope, roles, and classification evidence. - [EU AI Act Applicability and Roles: Scope, Actor Map, and Evidence](/artifacts/eu/artificial-intelligence-act/applicability-and-roles.md): Determine whether the EU AI Act applies to an AI system or GPAI model, map provider, deployer, importer, distributor, and product manufacturer roles, and record evidence for classification. - [EU AI Act applicability test: scope, role, and risk classification](/artifacts/eu/artificial-intelligence-act/applicability-test.md): Stepwise EU AI Act applicability test for AI-system status, exclusions, territorial scope, operator role, prohibited uses, high-risk systems, GPAI models, transparency duties, and evidence records. - [EU AI Act Article 5 Prohibited AI Practices Screening Guide](/artifacts/eu/artificial-intelligence-act/prohibited-ai-practices.md): Screen AI systems against the EU AI Act Article 5 prohibitions, including manipulation, exploitation, social scoring, biometric and law-enforcement exceptions. - [EU AI Act Article 50 transparency disclosures FAQ](/artifacts/eu/artificial-intelligence-act/faq/article-50-transparency-disclosures.md): Article 50 FAQ for EU AI Act transparency duties covering chatbot notices, synthetic content marking, biometric and emotion notices, deepfakes, public-interest text, timing, accessibility, and exceptions. - [EU AI Act Article 50 transparency, labeling, and user disclosures](/artifacts/eu/artificial-intelligence-act/transparency-labeling-and-user-disclosures.md): Source-grounded guide to EU AI Act Article 50 duties for user interaction notices, synthetic content marking, deepfake labels, emotion recognition notices, biometric categorisation notices, and related high-risk AI instructions for use. - [EU AI Act Article 73 serious incident FAQ](/artifacts/eu/artificial-intelligence-act/faq/serious-incidents.md): FAQ on EU AI Act serious incident handling for high-risk AI systems, including Article 73 reporting, deployer escalation, corrective action, and GPAI systemic-risk distinctions. - [EU AI Act Compliance Checklist by Risk Class](/artifacts/eu/artificial-intelligence-act/checklist.md): A practical EU AI Act checklist for classifying AI systems, assigning operator roles, screening prohibited practices, and collecting evidence for high-risk, GPAI, transparency, monitoring, and incident duties. - [EU AI Act Compliance Program: roles, high-risk evidence, GPAI and incidents](/artifacts/eu/artificial-intelligence-act/compliance.md): Build an EU AI Act compliance program around provider, deployer, importer, distributor, high-risk, GPAI, transparency, monitoring, and incident evidence duties. - [EU AI Act conformity assessment and notified bodies for high-risk AI](/artifacts/eu/artificial-intelligence-act/conformity-assessment-and-notified-bodies.md): Grounded guide to EU AI Act high-risk AI conformity assessment routes, provider evidence, EU declaration of conformity, CE marking, and notified body involvement. - [EU AI Act deadlines and compliance calendar | Article 113 dates](/artifacts/eu/artificial-intelligence-act/deadlines-and-compliance-calendar.md): source-linked EU AI Act compliance calendar for Article 113 staged application dates, Article 111 transitions, GPAI, prohibited practices, AI literacy, and high-risk AI planning. - [EU AI Act FAQ: scope, roles, high-risk AI, GPAI, FRIA, and dates](/artifacts/eu/artificial-intelligence-act/faq.md): Grounded EU AI Act FAQ covering scope, provider and deployer roles, prohibited practices, high-risk classification, GPAI duties, transparency notices, FRIAs, EU database registration, serious incidents, and staged application dates. - [EU AI Act FRIA FAQ: Article 27 Scope, Contents, and Notification](/artifacts/eu/artificial-intelligence-act/faq/fria.md): Source-grounded FAQ on when Article 27 requires a fundamental rights impact assessment, which deployers are covered, what the FRIA must contain, and how it relates to DPIAs and registration. - [EU AI Act FRIA for high-risk AI systems: Article 27 scope and evidence](/artifacts/eu/artificial-intelligence-act/fria-and-high-risk-impact-assessments.md): Source-grounded guide to EU AI Act Article 27 fundamental rights impact assessments: who must run a FRIA, Article 6(2) triggers, Annex III carveouts, DPIA overlap, notification, and registration evidence. - [EU AI Act GPAI and Systemic-Risk Duties: Article 53 and 55 FAQ](/artifacts/eu/artificial-intelligence-act/faq/gpai-and-systemic-risk-duties.md): FAQ on EU AI Act duties for general-purpose AI model providers, including Article 53 documentation, copyright and training-summary duties, Article 55 systemic-risk duties, serious incidents, cybersecurity, and staged enforcement. - [EU AI Act GPAI evidence pack checklist for Article 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-evidence-pack-workflow.md): Build a source-grounded evidence pack for EU AI Act GPAI model obligations: technical documentation, downstream information, copyright policy, training-content summary, and systemic-risk records where applicable. - [EU AI Act GPAI Provider Obligations: Articles 53 and 55](/artifacts/eu/artificial-intelligence-act/gpai-and-foundation-model-obligations.md): Grounded guide to EU AI Act duties for general-purpose AI model providers: Article 53 documentation, copyright policy, training-content summary, downstream information, and Article 55 systemic-risk controls. - [EU AI Act High-Risk AI Requirements: Articles 8-16 and 26](/artifacts/eu/artificial-intelligence-act/requirements.md): Map the EU AI Act requirements for high-risk AI systems: risk management, data governance, technical documentation, logs, transparency, human oversight, accuracy, robustness, cybersecurity, and deployer duties. - [EU AI Act high-risk AI use cases by industry | Article 6 and Annex III guide](/artifacts/eu/artificial-intelligence-act/high-risk-ai-use-cases-by-industry.md): Industry-by-industry guide to EU AI Act high-risk classification under Article 6, Annex III, Annex I product safety routes, exclusions, and provider/deployer boundaries. - [EU AI Act high-risk requirements checklist: Articles 8-15](/artifacts/eu/artificial-intelligence-act/high-risk-requirements-checklist.md): Checklist for EU AI Act high-risk AI system requirements in Articles 8-15: risk management, data governance, documentation, logs, transparency, human oversight, accuracy, robustness, and cybersecurity. - [EU AI Act penalties and fines: Article 99 tiers and GPAI exposure](/artifacts/eu/artificial-intelligence-act/penalties-and-fines.md): EU AI Act penalties explained: Article 99 fine tiers, prohibited-practice exposure, incorrect information, SME caps, Member State rules, and GPAI model fines. - [EU AI Act post-market monitoring and serious incident reporting](/artifacts/eu/artificial-intelligence-act/post-market-monitoring-and-serious-incidents.md): Grounded guide to EU AI Act Articles 72 and 73 for high-risk AI: monitoring plans, serious incident reporting, deployer escalation, corrective action, and GPAI distinctions. - [EU AI Act post-market monitoring FAQ for high-risk AI systems](/artifacts/eu/artificial-intelligence-act/faq/post-market-monitoring.md): Answer to how providers and deployers should handle EU AI Act post-market monitoring for high-risk AI systems under Article 72, with serious-incident, log, corrective-action, and lifecycle-change triggers. - [EU AI Act provider vs deployer role boundaries: Article 3 and Article 25 FAQ](/artifacts/eu/artificial-intelligence-act/faq/provider-and-deployer-role-boundaries.md): FAQ on EU AI Act provider, deployer, operator, importer, distributor, authorised representative, product manufacturer, downstream provider, and GPAI model provider boundaries. - [EU AI Act risk classification intake workflow](/artifacts/eu/artificial-intelligence-act/risk-classification-intake-workflow.md): A grounded intake structure for classifying EU AI Act scope, prohibited practices, high-risk routes, Annex III use cases, GPAI model status, roles, and reassessment triggers. - [EU AI Act serious incident reporting triage workflow: Article 73 and Article 55](/artifacts/eu/artificial-intelligence-act/serious-incident-reporting-triage-workflow.md): Triage EU AI Act serious incidents by definition, actor, reporting route, deadline, deployer escalation, corrective action, and separate GPAI systemic-risk reporting. - [EU AI Act Technical Documentation and Provider Evidence Templates](/artifacts/eu/artificial-intelligence-act/technical-documentation-and-provider-evidence-templates.md): Build AI Act evidence templates for high-risk AI providers: Article 11 technical documentation, Annex IV fields, quality management, conformity, CE marking, registration, logs, and post-market monitoring. - [EU AI Act technical documentation FAQ | Article 11 and Annex IV](/artifacts/eu/artificial-intelligence-act/faq/technical-documentation.md): What Article 11 and Annex IV require in high-risk AI technical documentation: system identity, intended purpose, architecture, data, testing, oversight, cybersecurity, conformity, and post-market monitoring. - [EU AI Act Timeline and Phasing Roadmap: practical obligations and evidence guide](/artifacts/eu/artificial-intelligence-act/timeline-and-phasing-roadmap.md): Practical EU AI Act guide to Timeline and Phasing Roadmap: scope, owners, evidence, edge cases, checklist steps, and external source-linked citations. - [EU AI Act vs ISO/IEC 42001: legal duties, controls, and evidence limits](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-iso-42001.md): Compare the EU AI Act and ISO/IEC 42001 across legal status, risk classification, high-risk AI, GPAI, transparency, conformity, evidence, and assurance limits. - [EU AI Act vs NIST AI RMF: legal duties, risk controls, and evidence boundaries](/artifacts/eu/artificial-intelligence-act/eu-ai-act-vs-nist-ai-rmf.md): Compare the binding EU AI Act with the voluntary NIST AI RMF, including role classification, high-risk duties, GPAI, transparency, conformity evidence, and reuse limits. - [FAQ: EU AI Act conformity assessment procedures and notified body selection](/artifacts/eu/artificial-intelligence-act/faq/conformity-assessment-and-notified-bodies.md): source-linked FAQ on EU AI Act Article 43 conformity assessment routes, Annex VI internal control, Annex VII notified-body review, CE marking, declarations, and registration. --- [Privacy Policy](https://www.sorena.io/privacy) | [Terms of Use](https://www.sorena.io/terms-of-use) | [DMCA](https://www.sorena.io/dmca) | [About Us](https://www.sorena.io/about-us) (c) 2026 Sorena AB (559573-7338). All rights reserved. Source: https://www.sorena.io/artifacts/eu/artificial-intelligence-act/high-risk-conformity-route-selector-workflow