Twelve months ago, a product team at a mid-size European software organization had deployed an AI-assisted candidate screening system β a tool that ranked applicants before a recruiter saw a single CV. They had solid accuracy benchmarks. They had no conformity assessment documentation, no declaration of conformity, no notified body engagement, and no entry in the EU AI database. After completing a structured conformity assessment process tied to Articles 43 through 49 of the EU AI Act, that same team identified three technical documentation gaps that had nothing to do with the model and everything to do with process design. The distance between those two states is not only regulatory risk β it is the difference between a system that can be defended under audit and one that cannot.
What the EU AI Act Generally Requires for Conformity Assessment
Article 43 of the EU AI Act states that providers of high-risk AI systems listed in Annex III must generally ensure their systems undergo a conformity assessment procedure before being placed on the market or put into service. The regulation distinguishes between two primary routes: internal control procedures (described in Annex VI) and assessments involving a notified body (described in Annex VII). The applicable route depends on the type of high-risk system and its intended use context.
This distinction is operationally significant. For most Annex III systems β including those used in employment, education, and access to essential private services β providers may carry out conformity assessment through internal control, meaning a documented self-assessment process. For systems in certain biometric and law enforcement categories, third-party review by a notified body is generally required. Article 43(1) establishes conformity assessment as a precondition for market access, not an optional governance step.
The Before-State: What Most Engineering Teams Have When They Start
Most engineering organizations deploying systems that could plausibly qualify as high-risk under the EU AI Act arrive at the conformity assessment question with significant documentation gaps. Enterprise AI adoption patterns tracked in the Enterprises' use of AI by technology 2025 statistical series published by Statistics Iceland confirm that AI deployment is broad and growing across European enterprises β but governance documentation typically lags well behind deployment velocity. What teams commonly have at the start:
Model performance benchmarks and accuracy metrics, but no formal risk management system aligned with Article 9
Git history and CI/CD logs, but no structured automatic logging architecture aligned with Article 12
Internal design reviews, but no technical documentation package meeting the Annex IV specification
Legal review of terms of service, but no declaration of conformity as generally required under Article 47
Closing these gaps is not a one-time documentation sprint. It is a structured process with a specific sequence and specific artifacts required at each stage.
Step 1 β Determine Whether Third-Party Assessment Applies
The first decision in the conformity assessment process is whether an internal control procedure is sufficient or whether a notified body must be involved. The regulation generally permits internal assessment for the majority of Annex III categories, but the exceptions matter. The table below summarizes the typical assessment routes by system category, as generally understood based on the regulation text:
Engineering teams should note that where a system has been substantially modified, a fresh conformity assessment may generally be required under Article 43(4). "Substantial modification" as defined in Article 3(23) covers changes affecting the system's intended purpose or safety properties β not only model updates. Organizations should consider establishing a documented change management policy that distinguishes routine updates from changes that may trigger reassessment.
Step 2 β Build the Technical Documentation Package
For either assessment route, the technical documentation package described in Annex IV of the EU AI Act is the foundational artifact. This package is not the same as a model card or a system design document β it is a specific compilation of evidence addressing the system's intended purpose, risk management processes, data governance, accuracy and robustness testing, human oversight mechanisms, and post-market monitoring plan.
The NIST AI Risk Management Framework 1.0 offers a useful structural parallel: its Govern, Map, Measure, and Manage functions map reasonably well onto the Annex IV documentation requirements. Teams that have already implemented a risk management framework may find that a significant portion of required content already exists in some form β but typically requires consolidation, gap analysis, and formal sign-off to meet the regulation's standard. Core elements of the Annex IV package include:
A description of the system's intended purpose, development lifecycle, and version history (Annex IV, Section 1)
Data governance procedures for training, validation, and testing datasets, as aligned with Article 10
Documentation of the risk management system under Article 9, including identified risks and mitigations
Technical measures enabling human oversight as described in Article 14, with evidence of implementation
Logging and automatic event recording architecture, aligned with Article 12 requirements
Accuracy, robustness, and cybersecurity testing evidence as required by Article 15
Step 3 β Conduct the Conformity Assessment
For systems following the internal control route under Annex VI, the provider must verify that the system meets all applicable requirements of Chapter III of the EU AI Act and that the technical documentation is complete and accurate. This process typically involves the following stages:
A structured review of the technical documentation package against the Annex IV checklist, with documented evidence for each element
Formal sign-off from a designated compliance function, with version-controlled records of the review
A gap analysis identifying requirements not yet fully satisfied, with references to the relevant regulatory articles
A documented remediation plan for open gaps, including timelines and responsible owners
A final sign-off confirming the system meets all applicable requirements and the documentation package is complete
For systems routed to a notified body under Annex VII, the process additionally involves submitting the technical documentation to the designated body and responding to requests for clarification or additional evidence. The EU AI Office maintains information on the designation of notified bodies across member states. As of mid-2026, the designation process is ongoing in several member states, which organizations should factor into their assessment timelines β particularly for systems in categories that require third-party review.
Step 4 β Compile and Sign the Declaration of Conformity
Article 47 of the EU AI Act generally requires that providers draw up a declaration of conformity before placing a high-risk AI system on the market or putting it into service. This document references all applicable requirements the system has been assessed against and confirms that conformity has been established. It must identify the system, the provider, any notified body involved, the applicable assessment procedure, and the basis for the conformity claim.
The declaration must be kept available for inspection by national supervisory authorities for at least ten years following the system's placement on the market β a requirement with direct implications for document retention policies and system lifecycle management. Article 48 further requires that the declaration reference any harmonized standards applied during the assessment. Where ISO/IEC 42001:2023 (the AI management system standard) has been implemented, it may provide a useful structural reference for the quality management and documentation components of the conformity assessment process.
Step 5 β Register the System in the EU AI Database
Article 49 of the EU AI Act generally requires that providers register their high-risk AI systems in the EU database before placing them on the market or putting them into service. This requirement applies to the Annex III categories listed in Article 49(1) and is intended to provide regulators and the public with transparency about AI systems deployed across the EU.
The registration covers basic identifying information: the system name and version, the provider's details, the intended purpose, and the geographic markets where the system is deployed. Deployers of third-party high-risk AI systems should also review Article 49(2), which creates separate registration obligations for deployers in specific system categories β a distinction relevant to organizations that deploy rather than develop the AI systems in their stack.
The After-State: What a Completed Conformity Assessment Demonstrates
An organization that has completed the conformity assessment process will have, at minimum:
A structured technical documentation package aligned with Annex IV, version-controlled and subject to periodic review
A signed declaration of conformity identifying the applicable assessment procedure and any notified body involvement
A registration record in the EU AI database
A documented post-market monitoring plan describing how system performance will be tracked after deployment
A change management process distinguishing routine model updates from substantial modifications that would trigger reassessment
As the EU AI Office guidance makes clear, the conformity assessment process is designed to produce durable operational evidence β not one-time paperwork. The practical effect is a set of governance artifacts that reduce organizational risk and provide a documented response to regulatory inquiries.
Post-Market Monitoring: Assessment Is Not a One-Time Event
Article 72 of the EU AI Act generally requires providers of high-risk AI systems to implement a post-market monitoring system that actively collects and reviews data on system performance throughout the operational lifetime of the system. The post-market monitoring plan is itself a required component of the technical documentation package under Annex IV, Section 9. For engineering teams, this typically involves:
Defining key performance indicators and drift thresholds that would trigger a reassessment of conformity
Establishing a logging and review cadence aligned with the Article 12 automatic recording requirements
Creating a process for reporting serious incidents to market surveillance authorities under Article 73
Scheduling periodic reviews of conformity assessment documentation as the system evolves and deployment context changes
The EU AI Act's conformity assessment framework does not operate in isolation. Organizations that have already built audit trail and human oversight capabilities β as addressed in earlier articles in this series on Articles 12 and 14 respectively β will find those components feed directly into the post-market monitoring infrastructure. Conformity assessment, in this sense, is the aggregation point for governance work that may already be underway across the engineering organization.
This article is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for guidance on your specific situation.
re-entry.ai provides governance tooling designed to help engineering teams build and maintain the documentation infrastructure that conformity assessment requires β including audit trail logging, human oversight controls, and policy enforcement at the AI code layer. Organizations working toward EU AI Act compliance may find it a practical starting point for the technical governance components of their conformity assessment process.