Article 43 of Regulation (EU) 2024/1689 — Conformity assessment. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 43 of Regulation (EU) 2024/1689 establishes the conformity assessment procedures that providers of high-risk AI systems must follow before placing a system on the market or putting it into service in the European Union.
For high-risk AI systems covered by the Union harmonisation legislation listed in Annex I — such as products subject to the Machinery Directive, the Medical Devices Regulation, or civil aviation safety rules — the conformity assessment procedure applicable under that sectoral legislation applies, supplemented by the requirements of Chapter 2 of Title III of the AI Act. Where the sectoral legislation does not require third-party involvement, the provider must follow the internal control procedure set out in Annex VI of the AI Act.
For high-risk AI systems listed in Annex III, Article 43 provides two routes. By default, providers follow the internal control procedure of Annex VI. However, where the system involves real-time or post-remote biometric identification of natural persons (other than those excluded by Article 6(3)), or where no harmonised standard covering all relevant requirements exists and no common specification has been adopted, the assessment must be conducted by a notified body in accordance with Annex VII.
Any high-risk AI system that undergoes a substantial modification after receiving an EU declaration of conformity or a certificate must be subject to a new conformity assessment. The article also confirms that notified bodies must be notified to the Commission and Member State authorities prior to conducting assessments, and that certificates issued remain valid unless withdrawn.
What This Means in Practice
For most providers of high-risk AI systems listed in Annex III — covering areas such as employment screening, education, credit scoring, critical infrastructure management, and administration of justice — Article 43 means that internal self-assessment is the default conformity route. The provider's quality management system, technical documentation, and conformity records must be in order before the declaration of conformity is signed and the CE marking is affixed. No external auditor is required unless the system falls within one of the categories that mandate notified body involvement.
For providers whose systems fall under Annex I sectoral legislation — for example, an AI system embedded in a class IIb medical device, or in safety-critical aviation equipment — the AI Act conformity assessment is layered on top of whatever sectoral procedure already applies. Practically, this means engaging the notified body already designated under the Medical Devices Regulation or the relevant aviation authority, ensuring that body is also competent to assess AI-specific requirements.
The most operationally significant trigger in Article 43 is the requirement to repeat conformity assessment after a substantial modification. Development teams and product managers must therefore embed a formal change-management gate into their AI development lifecycle: any update that alters the intended purpose, performance characteristics, or risk profile of the system must be evaluated against the definition of substantial modification before deployment.
Importers and distributors are not themselves responsible for conducting the conformity assessment, but they must verify that the provider has completed the procedure and that documentation is available. Deployers operating in regulated sectors should request confirmation of the applicable assessment route as part of vendor due diligence.
Key Obligations
- Select the correct assessment route: Providers must determine whether their high-risk AI system falls under Annex I sectoral legislation or Annex III, and apply the corresponding procedure (internal control under Annex VI, or notified body assessment under Annex VII where mandated).
- Conduct assessment before market placement: The conformity assessment must be completed, and the EU declaration of conformity signed, before the system is placed on the Union market or put into service — not retrospectively.
- Engage a notified body where required: Systems involving real-time remote biometric identification for law enforcement, or where no applicable harmonised standard exists and no common specification covers all requirements, require third-party assessment by an accredited notified body.
- Integrate AI assessment with sectoral procedures: For Annex I products, the AI-specific conformity assessment must be aligned with — and where possible integrated into — the existing sectoral conformity assessment, using the same notified body where competent.
- Reassess after substantial modification: Any substantial modification to a high-risk AI system that has already passed conformity assessment triggers a mandatory new assessment before the modified system can be deployed or marketed.
- Maintain documentation for post-market review: Providers must retain the technical documentation, quality management records, and declaration of conformity for ten years after the system is placed on the market, and make them available to national competent authorities on request.
Relationship to Other Articles
Article 43 cannot be read in isolation. It is the procedural expression of the substantive requirements set out in Articles 8 through 15 (Chapter 2 of Title III), which define the technical and governance standards that high-risk AI systems must satisfy — including risk management, data governance, transparency, human oversight, accuracy, and cybersecurity robustness. The definition of what constitutes a high-risk AI system — and therefore triggers Article 43 — is established by Article 6 read together with Annexes I and III.
The internal control procedure referenced in Article 43 is detailed in Annex VI, while the notified body procedure is set out in Annex VII. Article 44 governs the certificates issued by notified bodies following an Annex VII assessment, including conditions for suspension and withdrawal. Article 45 addresses notified body obligations during assessment. Article 47 covers the EU declaration of conformity that providers must draw up upon completing the procedure. Article 48 links conformity assessment completion to the right to affix the CE marking under Article 49.
For providers whose systems also qualify as general-purpose AI models with systemic risk, the interaction with Title VIII obligations must be considered alongside Article 43.
Compliance Timeline
Regulation (EU) 2024/1689 entered into force on 1 August 2024, twenty days after its publication in the Official Journal of the European Union on 12 July 2024.
Article 43 does not apply immediately across all high-risk AI systems. The phased application schedule established by Article 113 means that:
- 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Title II) became applicable. Article 43 was not yet in effect.
- 2 August 2025 — General-purpose AI model obligations (Title VIII) became applicable. Conformity assessment obligations under Article 43 were still not yet in force for most high-risk systems.
- 2 August 2026 — Article 43 becomes fully applicable to providers of high-risk AI systems listed in Annex III (standalone high-risk AI systems in areas such as biometrics, employment, education, and critical infrastructure).
- 2 August 2027 — The deadline by which obligations, including conformity assessment, apply to high-risk AI systems embedded in Annex I products that are already governed by Union harmonisation legislation and were placed on the market before August 2026.
Providers should treat the August 2026 deadline as the operative compliance date for internal planning purposes, ensuring that quality management systems, technical documentation, and assessment procedures are operational well in advance.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
Frequently Asked Questions
A conformity assessment is the process by which a provider of a high-risk AI system demonstrates that the system meets the requirements set out in Chapter 2 of Title III of the EU AI Act. Depending on the type of high-risk AI system, this process may be carried out internally by the provider (internal control procedure) or must involve a third-party notified body.
High-risk AI systems listed in Annex I — which covers AI components in products already subject to Union harmonisation legislation (such as machinery, medical devices, or civil aviation equipment) — generally require third-party conformity assessment where the applicable sectoral legislation mandates it. AI systems listed in Annex III, including biometric identification systems intended for use by law enforcement, also require third-party involvement under Article 43(1).
Yes. Where a high-risk AI system is a safety component of a product already covered by Union harmonisation legislation listed in Annex I, the conformity assessment for the AI system may be integrated into the existing conformity assessment procedure required under that sectoral legislation, provided the notified body involved is competent for both.
Where a high-risk AI system that has already received a certificate or declaration of conformity undergoes a substantial modification — as defined under Article 6 — the provider must carry out a new conformity assessment. This ensures that changes affecting safety, performance, or intended purpose are evaluated before the modified system is placed on the market or put into service.
Article 43 becomes applicable to providers of high-risk AI systems listed in Annex III on 2 August 2026, and to providers of high-risk AI systems covered by Annex I sectoral legislation by 2 August 2027 at the latest, in line with the phased application schedule established by Articles 113 and 114 of Regulation (EU) 2024/1689.