Skip to content

Conformity assessment and CE marking

Before a high-risk AI system can be placed on the EU market or put into service, the provider must complete a conformity assessment under Article 43, sign an EU declaration of conformity under Article 47, and affix the CE marking under Article 48. Annex III providers register the system in the EU database under Article 49(1) (except for Annex III point 2 critical infrastructure; Annex III points 1, 6 and 7 in law enforcement, migration, asylum and border-control management are registered in the non-public section under Article 49(4)). AI systems covered by Annex I product legislation are not subject to Article 49 EU-database registration merely because of Article 6(1); any registration or notification duties arise, if at all, under the relevant sectoral product law. For Annex I Section A products, the AI Act requirements integrate with the sectoral conformity-assessment procedure under Article 43(3) rather than running in parallel; Section B products are channelled through the sectoral act instead.

This page sits inside the high-risk regime — see High-risk AI systems for what triggers the regime in the first place.

Quick decision

  • Annex III standalone use case other than biometrics → Annex VI internal control under Article 43(2). Self-assess against Articles 8–15 and Article 17 QMS.
  • Annex III(1) biometrics → Annex VII notified-body assessment under Article 43(1) unless harmonised standards or common specifications cover the requirements and you apply them — then Annex VI internal control becomes available.
  • Annex I Section A product (product, or safety component, covered by Section A sectoral law that requires a third-party conformity assessment) → integrate AI Act requirements into the sectoral conformity-assessment procedure under Article 43(3). Annex I Section B → channelled through the sectoral act, not Article 43(3).
  • Substantial modification after placing on the market → new conformity assessment under Article 43(4). Pre-declared continuous-learning changes within Annex IV point 2(f) do not trigger re-assessment.
  • Successful assessment → EU declaration of conformity (Article 47), CE marking (Article 48), and — for Annex III systems other than the Annex III(2) critical-infrastructure carve-out — EU-database registration (Article 49) before market placement. Annex I products are outside Article 49; check the applicable sectoral product law for any separate registration or notification duty.

TL;DR

  • Two routes for Annex III systems: Annex VI (provider internal control, default) and Annex VII (notified-body assessment, mandatory for Annex III point 1 biometrics unless harmonised standards / common specifications cover the requirements).
  • Annex I Section A products integrate AI Act requirements into the sectoral conformity-assessment regime under Article 43(3) — no parallel AI Act assessment; Section B products are channelled through the sectoral act instead.
  • Article 47 EU declaration of conformity — kept for 10 years; content in Annex V.
  • Article 48 CE marking — visible, legible, indelible; followed by notified-body identification number where applicable; digital marking allowed for digital systems via machine-readable access.
  • Article 49 EU database registration — for Annex III systems (with the Annex III(2) carve-out for critical infrastructure); also required under Article 49(2) for Annex III systems that the provider has determined are not high-risk under Article 6(3).
  • Article 43(4) — substantial modification triggers a new conformity assessment; pre-declared continuous-learning changes (Annex IV point 2(f)) do not.

Digital Omnibus on AI (adopted June 2026)

Status: adopted June 2026, not yet in force

The Commission proposed the Digital Omnibus on AI on 19 November 2025; the European Parliament approved the agreed text on 16 June 2026 and the Council formally adopted it on 29 June 2026 (Procedure 2025/0359(COD)). On entry into force, it will amend Regulation (EU) 2024/1689 and will enter into force on the third day after publication in the Official Journal. See the EU AI Act hub for the full change set.

Relevant to this page:

  • Annex III conformity-assessment obligations will apply from, once the Omnibus enters into force, 2 December 2027 (was 2 August 2026); Annex I from 2 August 2028 (was 2 August 2027) — fixed application dates replacing the Commission's proposed readiness-decision model.
  • Annex III non-high-risk registration will be retained but simplified — once in force, the Article 49(2) duty to register systems the provider has determined are not high-risk under Article 6(3) will stay, with Annex VIII Section B points 7 and 9 deleted.
  • Compliance will be simplified for SMEs (incl. start-ups) and small mid-caps (SMCs as defined in Commission Recommendation (EU) 2025/1099) — once in force, Article 11 technical documentation may be filed in simplified form and the Article 17 QMS will be proportionate to provider size.
  • Sectoral overlaps will be resolved through delegated acts — once in force, where Section A Annex I law gives an equivalent or higher level of protection, the Commission may limit the application of Articles 9-15 and 17-25 via delegated acts under the new Article 2(13) (due by 2 August 2027). On entry into force, the Machinery Directive 2006/42/EC will be deleted from Section A of Annex I and the Machinery Regulation (EU) 2023/1230 added to Section B (the sectoral track); the Commission will be empowered under that Regulation to add health-and-safety requirements for high-risk AI via delegated acts, applicable by 2 August 2028.

Primary source

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 — EUR-Lex CELEX 32024R1689 · OJ L, 12.7.2024 · Articles 43, 44, 47, 48, 49, Annexes V, VI, VII, VIII.

Article 43 — conformity-assessment procedure

Article 43(1) — Annex III(1) biometrics

For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Section 2, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall opt for one of the following conformity assessment procedures based on:

(a) the internal control referred to in Annex VI; or

(b) the assessment of the quality management system and the assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII.

In demonstrating the compliance of a high-risk AI system referred to in point 1 of Annex III with the requirements set out in Section 2, where the provider has not applied or has applied only in part harmonised standards referred to in Article 40, or where such harmonised standards do not exist and common specifications referred to in Article 41 are not available, the provider shall follow the conformity assessment procedure set out in Annex VII.

— Article 43(1), Regulation (EU) 2024/1689

The Annex III(1) biometrics route is structured around standards availability and application:

  • Provider applies harmonised standards / common specifications and they cover the Section 2 requirements → choice between Annex VI and Annex VII.
  • Harmonised standards / common specifications either don't exist, or aren't applied, or cover only part of the requirements → Annex VII is mandatory.

Article 43(2) — other Annex III high-risk systems

For high-risk AI systems referred to in points 2 to 8 of Annex III, providers shall follow the conformity assessment procedure based on internal control as referred to in Annex VI, which does not provide for the involvement of a notified body.

— Article 43(2), Regulation (EU) 2024/1689

For Annex III(2)–(8) — critical infrastructure, education, employment, essential services, law enforcement, migration / border, justice / democracy — the conformity assessment is Annex VI internal control. Article 43(2) does not provide a voluntary Annex VII alternative for these categories; notified-body involvement is reserved for Annex III(1) under Article 43(1).

Article 43(3) — Annex I Section A products

For high-risk AI systems covered by the Union harmonisation legislation listed in Section A of Annex I, the provider shall follow the relevant conformity assessment procedure as required under those legal acts. The requirements set out in Section 2 of this Chapter shall apply to those high-risk AI systems and shall be part of that assessment.

— Article 43(3), first sub-paragraph, Regulation (EU) 2024/1689

Article 43(3) further provides that notified bodies designated under the sectoral law that perform the AI-Act-integrated assessment must meet the requirements set out in Article 31(4), (5), (10) and (11). Under the adopted replacement text, once in force, Article 43(3) will let Section A Annex I notified bodies assess high-risk AI for 18 months from entry into force before designating under the AI Act, will preserve the manufacturer's choice of conformity-assessment procedure so a product is not forced into third-party assessment merely for embedding a high-risk AI, and will apply the Section A procedure where a system falls under both Section A Annex I and Annex III. For Section B sectoral regulations (e.g., civil aviation security, agricultural vehicles, marine equipment, motor vehicles type-approval), the replaced Article 2(2) will limit direct AI Act application to Article 6(1), the new Article 60a, and Articles 102-112, with Articles 57, 58 and 59 applying only where the high-risk requirements have been integrated into the relevant sectoral legislation — the substantive Section 2 obligations will be channelled into the sectoral acts via Articles 102-112 rather than directly applied.

Article 43(4) — substantial modification

High-risk AI systems that have already been subject to a conformity assessment procedure shall undergo a new conformity assessment procedure in the event of a substantial modification, regardless of whether the modified system is intended to be further distributed or continues to be used by the current deployer.

For high-risk AI systems that continue to learn after being placed on the market or put into service, changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV, shall not constitute a substantial modification.

— Article 43(4), Regulation (EU) 2024/1689

The Annex IV(2)(f) pre-declaration is the operative safe harbour for continuous-learning systems. Pre-declare the change envelope — drift bounds, retraining triggers, parameter update modalities — and updates that stay within the envelope do not trigger re-assessment. Changes outside the envelope, or material changes to intended purpose, are substantial modifications.

Annex VI — internal control

The Annex VI procedure has four operative elements:

  1. Verify QMS conforms to Article 17 — the QMS covers design, development, post-market processes, data management, record-keeping, accountability framework, and the substantive Articles 8–15 requirements.
  2. Verify technical documentation conforms to Article 11 and Annex IV — all Annex IV elements present, current, and traceable.
  3. Verify the design and development of the AI system and its post-market monitoring conform to the Articles 8–15 requirements taking into account intended purpose and state of the art.
  4. Draw up the EU declaration of conformity under Article 47, affix the CE marking under Article 48, and — for in-scope Annex III systems — register in the EU database under Article 49(1).

No notified body involvement. The provider assumes full responsibility for the assessment.

Annex VII — notified-body assessment

The Annex VII procedure has two operative parts, both involving the notified body (an accredited third-party conformity-assessment body — designated under Articles 28–39):

  • Section 3 — assessment of the QMS — the notified body audits the provider's QMS documentation against Article 17. On approval, the notified body issues a QMS-approval certificate; Article 44(2) sets validity at maximum five years for Annex I and maximum four years for Annex III systems, with periodic surveillance audits in between. Material changes to the QMS that may affect compliance must be notified to the notified body.
  • Section 4 — assessment of the technical documentation — the notified body examines the technical documentation drawn up under Article 11 and Annex IV for one or more representative samples of the high-risk AI system. Article 44(2) sets the validity periods for certificates issued by notified bodies: not exceeding five years for AI systems covered by Annex I, and not exceeding four years for AI systems covered by Annex III, in both cases extendable on the basis of a re-assessment.

The approved QMS is subject to ongoing surveillance under Annex VII point 5. Certificates can be suspended, withdrawn, or modified under Article 44(3) when the conditions for issuance are no longer met or when corrective action by the provider has not addressed identified non-conformities.

Article 44 — certificates issued by notified bodies

Article 44 governs the certificates issued by notified bodies under Annex VII. The certificates shall be drawn up in an official language of the Union easily accessible to the relevant national authorities and shall identify the high-risk AI system, the notified body, the validity period, and the conditions of issuance. Article 44(2) sets the validity period as not exceeding five years for Annex I systems and not exceeding four years for Annex III systems, extendable on the basis of a re-assessment. Article 44(3) governs suspension, withdrawal and changes to certificates. The accreditation, designation and operational requirements for notified bodies themselves live in Articles 28–39; the NANDO database is the public list.

Article 47 — EU declaration of conformity

Article 47(1) requires the provider to draw up a written, machine-readable, physical or electronically signed EU declaration of conformity for each high-risk AI system and keep it at the disposal of the national competent authorities for 10 years after the high-risk AI system has been placed on the market or put into service. The declaration shall identify the high-risk AI system for which it has been drawn up. A copy of the EU declaration of conformity shall be submitted to the relevant national competent authorities upon request.

The declaration content is specified in Annex V and includes provider identity, system identification, statement of compliance with the Regulation and applicable Union law, references to any harmonised standards or common specifications applied, the notified-body certificate identification number where applicable, and signature and date. By drawing up the declaration, the provider assumes responsibility for the system's compliance.

Where the high-risk AI system is subject to other Union harmonisation legislation that also requires an EU declaration of conformity, a single EU declaration of conformity shall be drawn up in respect of all of that legislation, so that the declaration covers all applicable acts.

Article 48 — CE marking

Article 48(1) subjects the CE marking on high-risk AI systems to the general principles set out in Article 30 of Regulation (EC) No 765/2008. Article 48(2) allows a digital CE marking for digital high-risk AI systems only if it can easily be accessed via the interface from which the AI system is accessed or via an easily accessible machine-readable code or other electronic means. Article 48(3) requires the CE marking to be affixed visibly, legibly and indelibly on the high-risk AI system; where that is not possible or not warranted on account of the nature of the high-risk AI system, it shall be affixed to the packaging or to the accompanying documentation, as appropriate.

The CE marking is followed, where applicable, by the identification number of the notified body responsible for the conformity-assessment procedures under Article 43. The identification number is affixed by the notified body or, under its instructions, by the provider or the provider's authorised representative.

The CE marking attests that the high-risk AI system is in conformity with the Regulation. Affixing the marking on a system that does not comply is an Article 99 infringement.

Article 49 — registration in the EU database

Before placing on the market or putting into service a high-risk AI system listed in Annex III, with the exception of high-risk AI systems referred to in point 2 of Annex III, the provider or, where applicable, the authorised representative shall register themselves and their system in the EU database referred to in Article 71.

— Article 49(1), Regulation (EU) 2024/1689

Operative points:

  • Annex III(2) carve-out — high-risk AI systems used in critical infrastructure are not subject to Article 49(1) EU-database registration. Article 49(5) requires Annex III(2) systems to be registered at national level.
  • Article 49(2) — providers that have concluded under Article 6(3) that their Annex III system is not high-risk must still register themselves and the system (Annex VIII Section B fields) in the EU database. (The adopted Digital Omnibus on AI will retain this Article 49(2) duty but simplify it — once in force, Annex VIII Section B points 7 and 9 will be deleted.)
  • Article 49(3) — deployers that are public authorities, agencies or bodies of the Union (including those acting on their behalf) register themselves and select information about their use of the high-risk AI system in the EU database before deployment.
  • Article 49(4) — for high-risk AI systems referred to in Annex III points 1, 6 and 7 in the areas of law enforcement, migration, asylum and border-control management, the registration is in a non-public section of the EU database. Access is limited to the Commission and the Article 74(8) national authorities: the market-surveillance authorities designated for those systems, either the competent data-protection supervisory authority or another authority designated under the Directive (EU) 2016/680 conditions.

The Annex VIII content specifies the registration fields (provider identification, system identification, intended purpose, instructions for use, declaration-of-conformity reference). Annex VIII Section A governs registrations of high-risk Annex III systems; Annex VIII Section B governs the Article 49(2) non-high-risk determination registration (providers that have concluded under Article 6(3) that their Annex III system is not high-risk); Annex VIII Section C governs Article 49(3) public-authority deployer registrations.

How to operationalise conformity assessment in Modulos

The conformity-assessment regime maps onto these MFF-1 / OFF-1 requirements:

RequirementDescriptionOJ Article
ORF-8Art. 17 — Quality management system (org)Article 17
MRF-3Technical DocumentationArticle 11 + Annex IV
ORF-9, MRF-9Art. 43 — Conformity assessmentArticle 43 + Annex VI / VII
MRF-42Art. 8 — Choice for handling sectoral requirements (app)Article 43(3) Section A integration
MRF-41Disclosure of Contact InformationArticle 16(b)
MRF-37EU RepresentativeArticle 22
MRF-116EU Representative RegistrationArticle 22(3) / Article 49
MRF-53Public Deployer RegistrationArticle 49(3) (public-authority deployers)
ORF-12Duty of Information (org)Article 20
ORF-13Cooperation with Competent Authorities (org)Article 21

Operating rules:

  • Conformity-assessment route selection (MRF-9, ORF-9) — the Annex VI / Annex VII / sectoral choice is captured as a scoping decision; the rationale and the standards / common-specifications application status are recorded as control-level evidence.
  • Annex IV technical documentation (MRF-3) is assembled as evidence linked to MFF-1 controls. Modulos serves as the evidence library that backs each Annex IV element; building the Annex IV document itself remains the provider's authoring task. Point-in-time project, control, and evidence exports support the documentation pack.
  • Article 17 QMS (ORF-8) lives on OFF-1. The QMS documents are linked as control-level evidence; there is no dedicated QMS workflow surface.
  • Article 47 EU declaration of conformity is recorded as control-level evidence on MRF-9. The declaration content (Annex V) is the provider's authoring task; the artefact lives in Modulos as a versioned evidence record.
  • Article 48 CE marking is the provider's physical / digital affixing action; Modulos records the affixing attestation as control-level evidence on MRF-9.
  • Article 49 EU-database registration is the provider's submission to the EU database (not via Modulos). The registration confirmation is recorded as control-level evidence on MRF-116 (EU representative registration) or MRF-53 (public-authority deployer registration), as applicable.
  • Article 43(4) substantial-modification re-assessment triggers a fresh conformity-assessment evidence cycle on MRF-9. The Annex IV(2)(f) pre-declaration of continuous-learning bounds is recorded once on MRF-3 and serves as the safe-harbour reference for in-envelope changes.

Cross-framework mapping (preview)

EU AI ActAdjacent provision
Article 43 conformity-assessment routesModular conformity-assessment framework under Decision 768/2008/EC; sectoral conformity-assessment procedures under Annex I sectoral acts
Article 44 certificates; Articles 28–39 notified-body designationRegulation (EC) No 765/2008 accreditation framework
Article 47 EU declaration of conformityArticle 30 Regulation (EC) No 765/2008 (CE marking general principles); sectoral declaration regimes (MDR, machinery, etc.)
Article 48 CE markingArticle 30 Regulation (EC) No 765/2008; sectoral CE-marking regimes
Article 49 EU-database registration(No direct GDPR equivalent; any product registration/notification duties depend on the relevant sectoral act)
Article 17 QMSISO 9001; ISO 42001
Annex IV technical documentationISO 42001 documented information; ISO 13485 medical-device technical-file conventions

Source attribution

Regulation (EU) 2024/1689 — Articles 17, 28–39, 30, 43, 44, 47, 48, 49, 71 and Annexes IV, V, VI, VII, VIII — is published in the Official Journal of the European Union L of 12 July 2024 (CELEX 32024R1689). Blockquotes on this page may be partial extracts of the cited Article; consult the EUR-Lex source for the complete OJ-published text including all triggers, sub-paragraphs and cross-references. Regulation (EC) No 765/2008 (general principles of the CE marking, accreditation framework) is referenced via Articles 30 and 48. The Digital Omnibus on AI (adopted June 2026, not yet in force) will amend Regulation (EU) 2024/1689 on entry into force; once published and in force, its OJ text will supersede the 2024 text where amended.

Disclaimer

This page is for general informational purposes and does not constitute legal advice.