Conformity assessment and CE marking

Before placing a high‑risk AI system on the market or putting it into service, providers must complete a conformity assessment to verify compliance with Section 2 requirements (Art. 8–15). Successful assessment leads to an EU declaration of conformity (Art. 47) and CE marking (Art. 48).

Two routes

Route	What it means	When it applies
Internal control (Annex VI)	Provider self‑assesses against requirements; no third party required	Most Annex III high‑risk systems
Notified body assessment (Annex VII)	Accredited third party audits QMS and technical documentation	Biometric identification systems (Annex III, point 1); OR when provider chooses this route voluntarily

For AI systems that are safety components of products under existing EU legislation (e.g., medical devices, machinery), follow the conformity assessment procedure in that legislation — but include AI Act requirements in the assessment.

Which route applies to you

1. Is your system high‑risk under Annex III?
   • Yes → Is it a biometric identification system (point 1)? → Notified body (Annex VII)
   • Yes → Other Annex III use case? → Internal control (Annex VI)
2. Is your system a safety component under Annex I legislation?
   • Yes → Follow that legislation's conformity procedure, include AI Act requirements
3. Neither?
   • Not high‑risk, no conformity assessment required under the AI Act

What internal control requires (Annex VI)

The internal control procedure is a structured self‑assessment:

1. Verify QMS is in place (Art. 17)
   • Quality management system covering design, development, and post‑market processes
2. Verify technical documentation covers all Section 2 requirements
   • Risk management (Art. 9)
   • Data governance (Art. 10)
   • Technical documentation (Art. 11)
   • Record‑keeping and logging (Art. 12)
   • Transparency and user information (Art. 13)
   • Human oversight measures (Art. 14)
   • Accuracy, robustness, and cybersecurity (Art. 15)
3. Verify post‑market monitoring system is established
   • Processes for collecting and analyzing data after deployment
4. Sign EU declaration of conformity (Art. 47)
   • Written declaration that the system meets requirements
5. Affix CE marking (Art. 48)
   • Visible, legible, and indelible marking on the system or documentation

What notified body assessment requires (Annex VII)

The notified body route involves external audit and ongoing surveillance:

1. Submit QMS documentation for audit
   • Notified body reviews quality management system documentation
2. Submit technical documentation for assessment
   • Notified body verifies documentation addresses all Section 2 requirements
3. Notified body verifies compliance and issues certificate
   • QMS approval certificate valid for up to 5 years
4. Sign EU declaration of conformity (Art. 47)
5. Affix CE marking (Art. 48)
   • Include notified body identification number
6. Notified body conducts periodic surveillance
   • Ongoing audits to verify continued compliance

After assessment

Conformity assessment is not one‑and‑done. You must repeat or update the assessment when:

• Substantial modification to the system (Art. 3(23))
• Change in intended purpose that affects classification or requirements
• Significant changes to QMS that affect the basis for certification
• New version or update that affects compliance with Section 2 requirements

What counts as substantial modification

A substantial modification is a change that affects compliance with Section 2 requirements or changes the intended purpose. This includes changes to training data, model architecture, or deployment context that materially affect system behavior.

The post‑assessment flow

After conformity assessment is complete:

1. EU declaration of conformity — written statement kept for 10 years
2. CE marking — affixed before placing on market
3. EU database registration — register in the EU database (Art. 49)
4. Post‑market monitoring — continuous data collection and analysis
5. Substantial modification — triggers return to assessment when applicable

How Modulos supports conformity work

Modulos gives you a project structure that stays traceable across iterations:

• Requirements stay stable as the scoping anchor of what must be met
• Controls create consistent execution units and enforce review gates
• Evidence becomes a reusable library of artifacts linked to controls
• Exports create point‑in‑time packages you can share with stakeholders

Documentation required for conformity assessment

The AI Act mandates specific documentation to demonstrate compliance with Section 2 requirements. This isn't a single document — it's a set of artifacts that must stay consistent and current.

Artifact	AI Act basis	What it must contain
Technical documentation	Art. 11, Annex IV	System description; intended purpose; design specifications; development methodology; data governance practices; testing and validation results; traceability to requirements
Risk management documentation	Art. 9	Risk identification; analysis methodology; mitigation measures; residual risk assessment; acceptance criteria; continuous iteration records
Data governance records	Art. 10	Training/validation/test dataset documentation; relevance and representativeness assessment; bias examination; gap identification; data preparation steps
Human oversight specifications	Art. 14	Measures enabling oversight; operator instructions; intervention capabilities; interpretation guidance; escalation procedures
Accuracy and robustness records	Art. 15	Performance metrics; accuracy levels declared to deployers; robustness testing; cybersecurity measures; resilience to errors and inconsistencies
Instructions for use	Art. 13	Provider identity; system capabilities and limitations; intended purpose; performance metrics; known risks; human oversight requirements; maintenance specs
QMS documentation	Art. 17	Design and development procedures; quality control; resource management; data management; record‑keeping; corrective actions; third‑party coordination
Post‑market monitoring plan	Art. 72	Data collection approach; log analysis procedures; serious incident identification; corrective action triggers; update procedures
Automatically generated logs	Art. 12, 19	Event logs enabling traceability; format and retention policies; access controls

Where these live in Modulos

Artifact	Modulos location
System description + intended purpose	Project → Settings → AI System
Risk management	Project → Risks
Data governance	Project → Assets (datasets) + Evidence
Human oversight	Project → Controls
Test results	Project → Evidence + Testing
Instructions for use	Project → Exports
QMS	Organization‑level policies + Project → Controls
Post‑market monitoring	Project → Testing + Integrations
Logs	Project → Evidence + Integrations

Annex IV checklist

Annex IV provides detailed technical documentation requirements. Use it as a checklist when preparing for assessment — it specifies exactly what must be included for each Section 2 requirement.

Related pages

High‑risk AI systems

Two pathways to high‑risk and what obligations apply

Post‑market monitoring

How to keep evidence current after deployment

Governance operating model

How requirements, controls, evidence, and reviews work in Modulos

Disclaimer

This page is for general informational purposes and does not constitute legal advice.