Article 17 of Regulation (EU) 2024/1689 — Quality management system. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 17 of Regulation (EU) 2024/1689 requires providers of high-risk AI systems to put in place a quality management system (QMS) before placing such systems on the market or putting them into service. The QMS must be documented in a systematic, orderly manner and must cover all stages of the AI system lifecycle.
The regulation specifies that the QMS must address, at a minimum: the provider's strategy for regulatory compliance, including conformity assessment procedures; the techniques, procedures, and systematic actions used for design, design control, and verification of the AI system; the data management procedures covering data acquisition, collection, analysis, labelling, storage, filtration, mining, aggregation, and retention; the risk management system as provided for in Article 9; the establishment and implementation of the post-market monitoring system in accordance with Article 72; procedures for incident reporting in line with Article 73; the handling of communication with competent authorities, notified bodies, and other relevant operators; systems and procedures for record-keeping; resource management including supply-chain related measures; and an accountability framework documenting responsibilities throughout the organisation.
Where providers are natural persons or micro-enterprises as defined in Commission Recommendation 2003/361/EC, the Commission is empowered to adopt implementing acts permitting simplified QMS arrangements, recognising the proportionality principle that runs through the regulation.
What This Means in Practice
For any organisation that develops or places a high-risk AI system on the EU market, Article 17 means that compliance cannot be a one-off exercise conducted at the point of release. It must be embedded in a living organisational system that governs the entire product lifecycle — from initial design decisions through deployment, monitoring, and eventual decommissioning.
In concrete terms, a provider must be able to demonstrate that documented procedures exist and are followed at each stage. A healthcare AI provider, for example, cannot simply train a model and submit it for conformity assessment. The organisation must show that data sourcing followed documented governance rules, that design choices were reviewed against risk criteria, that responsibilities for oversight are assigned and recorded, and that a mechanism exists to detect and report post-deployment incidents.
The QMS requirement means that compliance is as much an organisational and procedural challenge as a technical one. Companies that already operate under ISO 9001 or sector-specific management frameworks — such as ISO 13485 in medical devices — will find significant overlap, but will still need to map their existing systems explicitly against the AI Act's requirements rather than assume equivalence.
Smaller providers benefit from the proportionality provision: micro-enterprises may qualify for simplified arrangements under implementing acts issued by the Commission. However, this does not exempt them from the underlying substantive obligations; it may only affect the form in which those obligations are documented and managed.
Practically, providers should treat the QMS as the central spine from which all other compliance artefacts — technical documentation, risk registers, post-market monitoring plans, incident logs — are generated and governed.
Key Obligations
- Establish a documented quality management system prior to placing a high-risk AI system on the market or putting it into service, covering all lifecycle phases.
- Integrate the risk management procedures required by Article 9 into the QMS, ensuring that risk identification, evaluation, and mitigation are systematic and traceable.
- Document data management practices covering acquisition, labelling, processing, storage, and retention, consistent with the data governance requirements of Article 10.
- Maintain the technical documentation specified in Article 11 and Annex IV as a QMS output, keeping it current and accessible for conformity assessment and market surveillance purposes.
- Implement post-market monitoring and incident reporting procedures within the QMS framework, aligned with Articles 72 and 73 respectively.
- Define and document accountability structures, roles, and responsibilities across the organisation, including supply-chain oversight where third-party components contribute to the AI system.
Relationship to Other Articles
Article 17 functions as the organisational backbone of the high-risk AI system compliance regime established in Title III, Chapter 3. It draws its substantive content from multiple interlocking obligations: the risk management system of Article 9, the data and data governance requirements of Article 10, and the technical documentation regime of Article 11 all feed directly into what the QMS must cover and produce.
The QMS must also support the conformity assessment procedures in Articles 43 and 44, since the documentation it generates constitutes the primary evidence reviewed by notified bodies or self-assessment processes. Post-deployment obligations under Article 72 (post-market monitoring) and Article 73 (reporting of serious incidents) must be embedded within QMS procedures rather than managed as separate ad hoc activities.
Article 26 imposes duties on deployers that are distinct from but complementary to the QMS obligations on providers. Where providers and deployers overlap — for instance, where an organisation both develops and deploys a high-risk AI system internally — Article 17's QMS must be read alongside Article 26's deployer obligations to ensure full coverage.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, following publication in the Official Journal of the European Union. Application of its provisions is phased:
- February 2025 — Prohibitions on unacceptable-risk AI practices (Article 5) became applicable.
- August 2025 — Obligations relating to general-purpose AI models (Title VIII) became applicable.
- 2 August 2026 — Article 17 becomes applicable to providers of high-risk AI systems listed in Annex III (systems in areas such as biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, and administration of justice).
- 2 August 2027 — Article 17 becomes applicable to providers of high-risk AI systems governed by Annex I (AI components in products already subject to Union harmonisation legislation such as medical devices, machinery, and aviation equipment).
Providers whose systems are already on the market before these dates benefit from transitional arrangements under Article 111, which may defer full QMS compliance obligations subject to conditions relating to significant modifications and ongoing conformity assessment cycles. Organisations should begin QMS design and gap assessments well in advance of the applicable deadline to allow for internal validation, notified body engagement where required, and iterative refinement before the obligation applies.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
CC BY 4.0
Frequently Asked Questions
Article 17 imposes the quality management system obligation exclusively on providers of high-risk AI systems as defined in Article 6 and Annex III of Regulation (EU) 2024/1689. Deployers are not subject to this specific obligation, though they carry separate duties under Article 26.
The QMS must cover at minimum: a strategy for regulatory compliance, design and development methodologies, data management procedures, risk management as required by Article 9, technical documentation per Article 11, logging and record-keeping, post-market monitoring per Article 72, incident reporting obligations, and human oversight arrangements.
Article 17 does not mandate any specific certification standard. However, compliance with recognised standards such as ISO 9001 or sector-specific equivalents may support demonstration of conformity, particularly where harmonised standards under Article 40 incorporate QMS requirements.
The QMS and technical documentation are closely linked. The QMS must generate and maintain the technical documentation required by Article 11 and Annex IV, and the documentation itself serves as primary evidence that the QMS is functioning correctly during conformity assessment.
Article 17 applies to providers of high-risk AI systems in Annex III from 2 August 2026, and to providers of high-risk AI systems covered by Annex I (sector-specific Union harmonisation legislation) from 2 August 2027, subject to transitional provisions in Article 111.