EU AI Act high-risk AI systems Articles 8-15 requirements checklist

Article 8 is the umbrella requirement: the high-risk AI system must comply with the requirements in Section 2, taking account of its intended purpose and the generally acknowledged state of the art. The Article 9 risk management system should be used when checking that compliance.

Do not close this checklist with a generic policy sign-off. The useful output is a traceable evidence pack showing how each Article 9 to 15 control is implemented for this specific system, version, intended purpose, user context, and foreseeable misuse.

The risk management file should be a living system record, not a one-time risk register. Article 9 requires an established, implemented, documented, and maintained risk management system for the high-risk AI system.

For each risk, keep the hazard, affected right or safety interest, intended-use scenario, reasonably foreseeable misuse scenario, mitigation, residual risk decision, test evidence, and post-market monitoring trigger together.

For high-risk AI systems that train models with data, Article 10 requires training, validation, and testing data sets to meet quality criteria when those data sets are used. For systems that do not use training techniques, the Article 10 criteria apply to testing data sets.

The data evidence should show why the data is suitable for the intended purpose and where it can fail. It should also document bias examination, bias mitigation, data gaps, and the safeguards for any strictly necessary special-category personal data used for bias detection or correction.

Article 11 requires technical documentation before the high-risk AI system is placed on the market or put into service and requires it to be kept up to date. Annex IV gives the minimum documentation content.

Article 12 requires technical logging capability over the system lifetime so that relevant events can support traceability, post-market monitoring, and monitoring by deployers where applicable.

Article 13 is about information that lets deployers interpret the system output and use the high-risk AI system appropriately. Article 14 is about designing and providing the system so natural persons can oversee it during use.

The practical test is whether a trained deployer can understand the intended purpose, limitations, expected accuracy and robustness, foreseeable risk conditions, input-data requirements, output interpretation aids, maintenance needs, logs, and oversight controls without relying on undocumented engineering knowledge.

Article 15 requires high-risk AI systems to achieve an appropriate level of accuracy, robustness, and cybersecurity and to perform consistently throughout their lifecycle. This is not only a model-quality checkpoint; it covers system behaviour, operational environment, faults, feedback loops, and AI-specific attacks.

Close this part of the checklist only when the instructions for use declare accuracy levels and metrics, and the engineering evidence shows robustness and cybersecurity controls matched to the relevant circumstances and risks.

Articles 8 to 15 are the requirement baseline, but providers still need the Article 16 obligation package before placing a high-risk AI system on the market or putting it into service. Use this hand-off to avoid treating the checklist as the whole compliance file.

If any Article 8 to 15 evidence is missing, record the gap before starting conformity-assessment, declaration, CE marking or registration steps. If the system changes substantially later, the Commission overview indicates that the provider process returns to conformity assessment.