Conformity assessment and CE marking

Before a high-risk AI system can be placed on the EU market or put into service, the provider must complete a conformity assessment under Article 43, sign an EU declaration of conformity under Article 47, and affix the CE marking under Article 48. Annex III providers register the system in the EU database under Article 49(1) (with carve-outs for Annex III point 2 critical infrastructure and the non-public section for Annex III points 1, 6, 7 in the areas of law enforcement, migration, asylum and border-control management). Annex I products are not subject to Article 49 EU-database registration — they follow the sectoral product law's registration regime. For Annex I products, the AI Act requirements integrate with the sectoral product law's conformity-assessment procedure rather than running in parallel.

This page sits inside the high-risk regime — see High-risk AI systems for what triggers the regime in the first place.

Quick decision

• Annex III standalone use case other than biometrics → Annex VI internal control under Article 43(2). Self-assess against Articles 8–15 and Article 17 QMS.
• Annex III(1) biometrics → Annex VII notified-body assessment under Article 43(1) unless harmonised standards or common specifications cover the requirements and you apply them — then Annex VI internal control becomes available.
• Annex I product (safety component of, or product covered by, sectoral law) → integrate AI Act requirements into the sectoral conformity-assessment procedure under Article 43(3).
• Substantial modification after placing on the market → new conformity assessment under Article 43(4). Pre-declared continuous-learning changes within Annex IV point 2(f) do not trigger re-assessment.
• Successful assessment → EU declaration of conformity (Article 47), CE marking (Article 48), and — for Annex III systems other than the Annex III(2) critical-infrastructure carve-out — EU-database registration (Article 49) before market placement. Annex I products follow sectoral product-law registration, not Article 49.

TL;DR

• Two routes for Annex III systems: Annex VI (provider internal control, default) and Annex VII (notified-body assessment, mandatory for Annex III point 1 biometrics unless harmonised standards / common specifications cover the requirements).
• Annex I products integrate AI Act requirements into the sectoral conformity-assessment regime — no parallel AI Act assessment.
• Article 47 EU declaration of conformity — kept for 10 years; content in Annex V.
• Article 48 CE marking — visible, legible, indelible; followed by notified-body identification number where applicable; digital marking allowed for digital systems via machine-readable access.
• Article 49 EU database registration — for Annex III systems (with the Annex III(2) carve-out for critical infrastructure); also required under Article 49(2) for Annex III systems that the provider has determined are not high-risk under Article 6(3).
• Article 43(4) — substantial modification triggers a new conformity assessment; pre-declared continuous-learning changes (Annex IV point 2(f)) do not.

AI Omnibus provisional agreement (May 2026)

Status: provisional political agreement, pending formal adoption

On 7 May 2026 the Council presidency and European Parliament negotiators reached a provisional political agreement on the Digital Omnibus on AI (originally proposed by the Commission on 19 November 2025, part of the 'Omnibus VII' simplification package). The deal must still be formally endorsed by the Council and the Parliament and undergo legal/linguistic revision before adoption. This framework page will be updated once the Omnibus is formally adopted. Until then, the existing EU AI Act text remains legally binding.

Relevant to this page (all conditional on formal adoption):

• Annex III conformity-assessment obligations would shift to 2 December 2027 (from 2 August 2026); Annex I would shift to 2 August 2028 (from 2 August 2027) — fixed application dates instead of the Commission's readiness-decision model.
• Annex III non-high-risk registration would be preserved — Article 49(2) registration for systems the provider has determined are not high-risk under Article 6(3) would remain (the Commission's proposal had removed it).
• Simplified compliance for Small Mid-Caps (SMCs) — the Article 11 documentation and Article 17 QMS burdens would be reduced for SMCs as defined in Commission Recommendation (EU) 2025/1099 (final scope subject to consolidated text).
• Sectoral overlaps would be resolved through implementing acts — where Annex I sectoral law contains AI-specific requirements similar to the AI Act's, the Commission would be empowered to limit the AI Act's direct application via implementing acts. The Machinery Regulation would be exempted from direct AI Act applicability; the Commission would be empowered under the Machinery Regulation to add health-and-safety requirements for high-risk AI systems via delegated acts.

Until adopted, the published 2024/1689 dates and procedures remain the binding reference.

Primary source

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — EUR-Lex CELEX 32024R1689 · OJ L, 12.7.2024 · Articles 43, 44, 47, 48, 49, Annexes V, VI, VII, VIII.

Article 43 — conformity-assessment procedure

Article 43(1) — Annex III(1) biometrics

For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Section 2, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall opt for one of the following conformity assessment procedures based on:

(a) the internal control referred to in Annex VI; or

(b) the assessment of the quality management system and the assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII.

In demonstrating the compliance of a high-risk AI system referred to in point 1 of Annex III with the requirements set out in Section 2, where the provider has not applied or has applied only in part harmonised standards referred to in Article 40, or where such harmonised standards do not exist and common specifications referred to in Article 41 are not available, the provider shall follow the conformity assessment procedure set out in Annex VII.

— Article 43(1), Regulation (EU) 2024/1689

The Annex III(1) biometrics route is structured around standards availability and application:

• Provider applies harmonised standards / common specifications and they cover the Section 2 requirements → choice between Annex VI and Annex VII.
• Harmonised standards / common specifications either don't exist, or aren't applied, or cover only part of the requirements → Annex VII is mandatory.

Article 43(2) — other Annex III high-risk systems

For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body.

— Article 43(2), Regulation (EU) 2024/1689

For Annex III(2)–(8) — critical infrastructure, education, employment, essential services, law enforcement, migration / border, justice / democracy — the conformity assessment is Annex VI internal control. Article 43(2) does not provide a voluntary Annex VII alternative for these categories; notified-body involvement is reserved for Annex III(1) under Article 43(1).

Article 43(3) — Annex I products

For high-risk AI systems covered by the Union harmonisation legislation listed in Section A of Annex I, the provider shall follow the relevant conformity assessment procedure as required under those legal acts. The requirements set out in Section 2 of this Chapter shall apply to those high-risk AI systems and shall be part of that assessment.

— Article 43(3), first sub-paragraph, Regulation (EU) 2024/1689

Article 43(3) further provides that notified bodies designated under the sectoral law that perform the AI-Act-integrated assessment must meet the requirements set out in Article 31(4), (5), (10) and (11). For Section B sectoral regulations (e.g., civil aviation security, agricultural vehicles, marine equipment, motor vehicles type-approval), Article 2(2) limits direct AI Act application to Articles 6(1), 102-109, and 112 — the substantive Section 2 obligations are channelled into the sectoral acts via Articles 102-109 rather than directly applied.

Article 43(4) — substantial modification

High-risk AI systems that have already been subject to a conformity assessment procedure shall undergo a new conformity assessment procedure in the event of a substantial modification, regardless of whether the modified system is intended to be further distributed or continues to be used by the current deployer.

For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.

— Article 43(4), Regulation (EU) 2024/1689

The Annex IV(2)(f) pre-declaration is the operative safe harbour for continuous-learning systems. Pre-declare the change envelope — drift bounds, retraining triggers, parameter update modalities — and updates that stay within the envelope do not trigger re-assessment. Changes outside the envelope, or material changes to intended purpose, are substantial modifications.

Annex VI — internal control

The Annex VI procedure has four operative elements:

1. Verify QMS conforms to Article 17 — the QMS covers design, development, post-market processes, data management, record-keeping, accountability framework, and the substantive Articles 8–15 requirements.
2. Verify technical documentation conforms to Article 11 and Annex IV — all Annex IV elements present, current, and traceable.
3. Verify the design and development of the AI system and its post-market monitoring conform to the Articles 8–15 requirements taking into account intended purpose and state of the art.
4. Draw up the EU declaration of conformity under Article 47, affix the CE marking under Article 48, and — for in-scope Annex III systems — register in the EU database under Article 49(1).

No notified body involvement. The provider assumes full responsibility for the assessment.

Annex VII — notified-body assessment

The Annex VII procedure has two operative parts, both involving the notified body (an accredited third-party conformity-assessment body — designated under Articles 28–39):

• Section 3 — assessment of the QMS — the notified body audits the provider's QMS documentation against Article 17. On approval, the notified body issues a QMS-approval certificate; Article 44(2) sets validity at maximum five years for Annex I and maximum four years for Annex III systems, with periodic surveillance audits in between. Material changes to the QMS that may affect compliance must be notified to the notified body.
• Section 4 — assessment of the technical documentation — the notified body examines the technical documentation drawn up under Article 11 and Annex IV for one or more representative samples of the high-risk AI system. Article 44(2) sets the validity periods for certificates issued by notified bodies: not exceeding five years for AI systems covered by Annex I, and not exceeding four years for AI systems covered by Annex III, in both cases extendable on the basis of a re-assessment.

The approved QMS is subject to ongoing surveillance under Annex VII point 5. Certificates can be suspended, withdrawn, or modified under Article 44(3) when the conditions for issuance are no longer met or when corrective action by the provider has not addressed identified non-conformities.

Article 44 — certificates issued by notified bodies

Article 44 governs the certificates issued by notified bodies under Annex VII. The certificates shall be drawn up in an official language of the Union easily accessible to the relevant national authorities and shall identify the high-risk AI system, the notified body, the validity period, and the conditions of issuance. Article 44(2) sets the validity period as not exceeding five years for Annex I systems and not exceeding four years for Annex III systems, extendable on the basis of a re-assessment. Article 44(3) governs suspension, withdrawal and changes to certificates. The accreditation, designation and operational requirements for notified bodies themselves live in Articles 28–39; the NANDO database is the public list.

Article 47 — EU declaration of conformity

Article 47(1) requires the provider to draw up a written, machine-readable, physical or electronically signed EU declaration of conformity for each high-risk AI system and keep it at the disposal of the national competent authorities for 10 years after the high-risk AI system has been placed on the market or put into service. The declaration shall identify the high-risk AI system for which it has been drawn up. A copy of the EU declaration of conformity shall be submitted to the relevant national competent authorities upon request.

The declaration content is specified in Annex V and includes provider identity, system identification, statement of compliance with the Regulation and applicable Union law, references to any harmonised standards or common specifications applied, the notified-body certificate identification number where applicable, and signature and date. By drawing up the declaration, the provider assumes responsibility for the system's compliance.

Where the high-risk AI system is subject to other Union harmonisation legislation that also requires an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all of that legislation, so that the declaration covers all applicable acts.

Article 48 — CE marking

Article 48(1) subjects the CE marking on high-risk AI systems to the general principles set out in Article 30 of Regulation (EC) No 765/2008. Article 48(2) allows a digital CE marking for digital high-risk AI systems only if it can easily be accessed via the interface from which the AI system is accessed or via an easily accessible machine-readable code or other electronic means. Article 48(3) requires the CE marking to be affixed visibly, legibly and indelibly on the high-risk AI system; where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate.

The CE marking is followed, where applicable, by the identification number of the notified body responsible for the conformity-assessment procedures under Article 43. The identification number is affixed by the notified body or, under its instructions, by the provider or the provider's authorised representative.

The CE marking attests that the high-risk AI system is in conformity with the Regulation. Affixing the marking on a system that does not comply is an Article 99 infringement.

Article 49 — registration in the EU database

Before placing on the market or putting into service a high-risk AI system listed in Annex III, with the exception of high-risk AI systems referred to in point 2 of Annex III, the provider or, where applicable, the authorised representative shall register themselves and their system in the EU database referred to in Article 71.

— Article 49(1), Regulation (EU) 2024/1689

Operative points:

• Annex III(2) carve-out — high-risk AI systems used in critical infrastructure are not subject to Article 49(1) EU-database registration. Article 49(5) sets a national-level registration regime for Annex III(2) systems at the Member State competent authority.
• Article 49(2) — providers that have concluded under Article 6(3) that their Annex III system is not high-risk must still register themselves and the system (Annex VIII Section B fields) in the EU database. (The provisional Omnibus deal, if adopted, would preserve this — the Commission's proposal had removed the Article 49(2) duty.)
• Article 49(3) — deployers that are public authorities, agencies or bodies of the Union (including those acting on their behalf) register themselves and select information about their use of the high-risk AI system in the EU database before deployment.
• Article 49(4) — for high-risk AI systems referred to in Annex III points 1, 6 and 7 in the areas of law enforcement, migration, asylum and border-control management, the registration is in a non-public section of the EU database. Access is limited to the Commission and the Article 74(8) national authorities (the market-surveillance authorities and the national data-protection authorities).

The Annex VIII content specifies the registration fields (provider identification, system identification, intended purpose, instructions for use, declaration-of-conformity reference). Annex VIII Section A governs registrations of high-risk Annex III systems; Annex VIII Section B governs the Article 49(2) non-high-risk determination registration (providers that have concluded under Article 6(3) that their Annex III system is not high-risk); Annex VIII Section C governs Article 49(3) public-authority deployer registrations.

How to operationalise conformity assessment in Modulos

The conformity-assessment regime maps onto these MFF-1 / OFF-1 requirements:

Requirement	Description	OJ Article
ORF-8	Quality Management System (org)	Article 17
MRF-3	Technical Documentation	Article 11 + Annex IV
ORF-9, MRF-9	Conformity Assessment	Article 43 + Annex VI / VII
MRF-42	Choice for Handling Sectoral Requirements	Article 43(3) Section A integration
MRF-41	Disclosure of Contact Information	Article 16(b)
MRF-37	EU Representative	Article 22
MRF-116	EU Representative Registration	Article 22(3) / Article 49
MRF-53	Public Deployer Registration	Article 49(3) (public-authority deployers)
ORF-12	Duty of Information (org)	Article 20
ORF-13	Cooperation with Competent Authorities (org)	Article 21

Operating rules:

• Conformity-assessment route selection (MRF-9, ORF-9) — the Annex VI / Annex VII / sectoral choice is captured as a scoping decision; the rationale and the standards / common-specifications application status are recorded as control-level evidence.
• Annex IV technical documentation (MRF-3) is assembled as evidence linked to MFF-1 controls. Modulos serves as the evidence library that backs each Annex IV element; building the Annex IV document itself remains the provider's authoring task. Point-in-time project, control, and evidence exports support the documentation pack.
• Article 17 QMS (ORF-8) lives on OFF-1. The QMS documents are linked as control-level evidence; there is no dedicated QMS workflow surface.
• Article 47 EU declaration of conformity is recorded as control-level evidence on MRF-9. The declaration content (Annex V) is the provider's authoring task; the artefact lives in Modulos as a versioned evidence record.
• Article 48 CE marking is the provider's physical / digital affixing action; Modulos records the affixing attestation as control-level evidence on MRF-9.
• Article 49 EU-database registration is the provider's submission to the EU database (not via Modulos). The registration confirmation is recorded as control-level evidence on MRF-116 (EU representative registration) or MRF-53 (public-authority deployer registration), as applicable.
• Article 43(4) substantial-modification re-assessment triggers a fresh conformity-assessment evidence cycle on MRF-9. The Annex IV(2)(f) pre-declaration of continuous-learning bounds is recorded once on MRF-3 and serves as the safe-harbour reference for in-envelope changes.

Cross-framework mapping (preview)

EU AI Act	Adjacent provision
Article 43 conformity-assessment routes	Modular conformity-assessment framework under Decision 768/2008/EC; sectoral conformity-assessment procedures under Annex I sectoral acts
Article 44 certificates; Articles 28–39 notified-body designation	Regulation (EC) No 765/2008 accreditation framework
Article 47 EU declaration of conformity	Article 30 Regulation (EC) No 765/2008 (CE marking general principles); sectoral declaration regimes (MDR, machinery, etc.)
Article 48 CE marking	Article 30 Regulation (EC) No 765/2008; sectoral CE-marking regimes
Article 49 EU-database registration	(No direct GDPR equivalent; product-registration regimes under sectoral acts)
Article 17 QMS	ISO 9001; ISO 42001
Annex IV technical documentation	ISO 42001 documented information; ISO 13485 medical-device technical-file conventions

Related pages

High-risk AI systems

Article 6 routing; Articles 8–15 substantive obligations

Post-market monitoring

Article 72 PMM plan; Article 73 serious-incident reporting

Roles and responsibilities

Article 16 provider duties; Article 22 authorised representative

Operationalizing in Modulos

OFF-1 + MFF-1, Annex IV evidence patterns, route-selection rationale

Source attribution

Regulation (EU) 2024/1689 — Articles 17, 28–39, 30, 43, 44, 47, 48, 49, 71 and Annexes IV, V, VI, VII, VIII — is published in the Official Journal of the European Union L of 12 July 2024 (CELEX 32024R1689). Blockquotes on this page may be partial extracts of the cited Article; consult the EUR-Lex source for the complete OJ-published text including all triggers, sub-paragraphs and cross-references. Regulation (EC) No 765/2008 (general principles of the CE marking, accreditation framework) is referenced via Articles 30 and 48. The AI Omnibus consolidated text, when published, will supersede where it amends.

See it in Modulos

Modulos turns the Annex IV technical documentation into an evidence library you assemble once and refresh on substantial modification — with a clear route-selection rationale traceable to Article 43.

Request a demo

Disclaimer

This page is for general informational purposes and does not constitute legal advice.