EU AI Act · Article 9 · Risk management system

Article 9 of the EU AI Act: The Risk Management System

Article 9 is the backbone of high-risk compliance: a continuous, iterative risk-management system that runs across the entire lifecycle of the AI system — not a one-off document.

What Article 9 requires

Providers must identify and analyse known and foreseeable risks to health, safety and fundamental rights; estimate risks from intended use and reasonably foreseeable misuse; evaluate risks from post-market monitoring data; and adopt targeted risk-management measures. Residual risk must be judged acceptable, with testing against defined metrics.

Who it binds

Providers of high-risk AI systems. The risk-management system is usually the first artifact an auditor asks to see, and it feeds — and is fed by — post-market monitoring (Article 72).

Key points

  • Continuous and iterative — updated across the whole lifecycle.
  • Covers intended use and reasonably foreseeable misuse.
  • Feeds into, and is updated by, post-market monitoring.

FAQ

Is Article 9 a one-time document?

No. It requires a living, continuously updated risk-management process across the system's lifecycle, not a single document.

Related articles

See which articles apply to your systems

Run the free 2-minute checker — deterministic, no sign-up.

Run the free check