Article 16 — Obligations of providers of high-risk AI systems (EU AI Act)

Article 16 of Regulation (EU) 2024/1689 — Obligations of providers of high-risk AI systems. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 16 of Regulation (EU) 2024/1689 (the EU AI Act) establishes the comprehensive set of obligations that providers of high-risk AI systems must fulfil before placing their systems on the market or putting them into service. The article functions as the central anchor for provider responsibilities within Title III, Chapter 3.

Under Article 16, providers must ensure that their high-risk AI systems comply with all requirements laid down in Chapter 2 of Title III, covering risk management (Article 9), data and data governance (Article 10), technical documentation (Article 11), record-keeping (Article 12), transparency and information provision (Article 13), human oversight (Article 14), and accuracy, robustness and cybersecurity (Article 15).

Beyond compliance with Chapter 2, Article 16 imposes specific administrative and procedural obligations. Providers must establish a quality management system in accordance with Article 17, draw up technical documentation as specified in Annex IV, and where applicable undergo a conformity assessment procedure before affixing the CE marking. They must register their systems in the EU database established under Article 71 where required, cooperate with national competent authorities upon request, and retain all relevant documentation for a period of ten years following the system's placement on the market or entry into service. Providers established outside the EU must appoint an authorised representative within the Union pursuant to Article 22.

What This Means in Practice

For organisations developing or commissioning high-risk AI systems, Article 16 translates into a structured pre-market compliance programme that must be completed before any deployment or commercial release.

Developers and vendors building AI systems that fall within the high-risk categories defined in Annex III — covering areas such as biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice — must treat Article 16 as their primary compliance checklist. Before launch, they must have a documented quality management system in place, completed a conformity assessment (self-assessed or third-party, depending on the category), affixed the CE marking, and registered the product in the EU AI Act database.

A concrete example: a software company offering an AI-powered CV screening tool to HR departments falls under Annex III, point 4 (employment and workers management). Before placing this tool on the market, the company must document its risk management process, demonstrate the quality of its training data, provide technical documentation enabling regulators to assess compliance, implement human oversight mechanisms, and register the system. If the company is based outside the EU, it must designate an EU-based authorised representative.

Ongoing obligations persist after deployment. Providers must maintain records, monitor post-market performance under Article 72, report serious incidents under Article 73, and update technical documentation when the system undergoes substantial modifications. Compliance is not a one-time event but a continuous operational responsibility.

Providers working within regulated product sectors — such as medical devices or machinery — must additionally satisfy the sector-specific conformity requirements that interact with the AI Act under Annex I.

Key Obligations

• Ensure Chapter 2 compliance: Verify that the high-risk AI system meets all technical and governance requirements (Articles 8–15) prior to market placement, including risk management, data governance, transparency, human oversight, and robustness.
• Establish a quality management system: Implement a documented QMS in accordance with Article 17, covering policies, procedures, conformity assessment, post-market monitoring, and incident reporting workflows.
• Draw up and maintain technical documentation: Prepare and keep up to date the technical documentation specified in Annex IV, demonstrating compliance to national competent authorities and notified bodies upon request.
• Undergo conformity assessment and affix CE marking: Complete the applicable conformity assessment procedure (self-assessment or third-party) and affix the CE marking before placing the system on the market or putting it into service in the EU.
• Register in the EU database: Enter the system in the EU-wide database for high-risk AI systems established under Article 71, where registration is mandatory for the relevant category.
• Retain records for ten years and cooperate with authorities: Keep all technical documentation, conformity declarations, and applicable logs for at least ten years; respond to information requests from national supervisory and market surveillance authorities; appoint an EU authorised representative if the provider is not established in the Union.

Relationship to Other Articles

Article 16 cannot be read in isolation. It is the gateway obligation that activates and references virtually all other provider-facing requirements in Title III.

The substantive technical requirements that Article 16 requires providers to satisfy are found in Articles 8 through 15 (Chapter 2). The quality management system it mandates is elaborated in Article 17. Technical documentation specifications appear in Annex IV, referenced by Article 11. The conformity assessment procedures triggered by Article 16 are detailed in Article 43, with conformity declaration rules in Article 47 and CE marking rules in Article 48.

Post-market surveillance obligations that extend Article 16's reach beyond initial placement are set out in Article 72, with serious incident reporting in Article 73. Authorised representatives — required for non-EU providers under Article 16 — are governed by Article 22. Circumstances in which importers and distributors assume provider obligations are specified in Article 24. Finally, the EU database registration requirement connects to Article 71. National competent authorities enforcing Article 16 obligations operate under the framework established in Articles 70 and 74.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. However, its provisions apply in a phased manner:

• 2 February 2025: Prohibitions on unacceptable-risk AI practices (Article 5) became enforceable.
• 2 August 2025: Obligations relating to general-purpose AI models (Title VIII, Articles 51–56) became applicable.
• 2 August 2026: Article 16 obligations become enforceable for high-risk AI systems listed in Annex III (standalone AI systems in areas such as employment, education, essential services, biometrics, and law enforcement).
• 2 August 2027: Article 16 obligations become enforceable for high-risk AI systems covered by Annex I (safety components of products already regulated by existing EU sectoral legislation, such as medical devices, machinery, and civil aviation).

Providers should not wait until these enforcement dates to begin preparation. Building a quality management system, compiling technical documentation, and completing conformity assessments are resource-intensive processes. Organisations placing Annex III systems on the market are advised to be operationally compliant by mid-2026 at the latest, with gap analyses and remediation programmes initiated no later than early 2025.