Obligations

EU AI Act Conformity Assessment Explained (Article 43)

Updated 17 July 2026 7 min read

Before a high-risk AI system can be placed on the EU market, its provider must demonstrate it meets the Act's requirements through a conformity assessment. This is the gate between building a high-risk system and selling it — and getting the route wrong can mean withdrawing a product.

What a conformity assessment is

A conformity assessment (Article 43) is the formal process by which a provider shows that a high-risk AI system complies with the requirements in Chapter III, Section 2 — risk management, data governance, documentation, oversight, accuracy and the rest. It is carried out before the system is placed on the market and repeated after any substantial modification.

The two routes

The Act provides two procedures:

  • Internal control (Annex VI) — a self-assessment by the provider. This is the default route for most Annex III high-risk systems, where the provider verifies its quality management system and technical documentation against the requirements.
  • Notified body (Annex VII) — third-party assessment by an accredited body. This is required in specific cases, notably certain biometric systems where the provider has not applied harmonised standards or common specifications.

Most providers of Annex III systems use the internal-control route; the notified-body route applies in narrower, higher-scrutiny situations.

What follows a successful assessment

Passing the assessment is not the finish line. The provider must then:

  1. Draw up the EU declaration of conformity (Art. 47).
  2. Affix the CE marking (Art. 48) to signal conformity.
  3. Register the system in the EU database (Art. 49) before putting it into service.

Only after these steps can the high-risk system be lawfully placed on the EU market. Importers and distributors will check for exactly these before making it available.

When you must reassess

A conformity assessment is not once-and-done. A substantial modification to a high-risk system — a change to its intended purpose or that affects its compliance — triggers a new assessment. This is also the mechanism behind Article 25: a deployer who substantially modifies a high-risk system becomes its provider and inherits the assessment duty.

Frequently asked questions

Do all high-risk AI systems need a notified body?

No. Most Annex III high-risk systems use the internal-control (self-assessment) route under Annex VI. A notified body is required only in specific cases, such as certain biometric systems where harmonised standards weren't applied.

What is the difference between conformity assessment and CE marking?

The conformity assessment is the evaluation process; the CE marking is what you affix afterwards to signal that the system passed and conforms. The declaration of conformity and EU-database registration sit between them.

When do I need to reassess?

After any substantial modification — a change to the system's intended purpose or one that affects its compliance. Rebranding or substantially modifying someone else's high-risk system also makes you the provider, triggering a fresh assessment.

Find your risk class in 2 minutes

Free, no sign-up. Deterministic — not a chatbot.

Run the free check

Still have questions about how this applies to you? Talk to us — we're happy to help.