Article 49 — Registration (EU AI Act)

Article 49 of Regulation (EU) 2024/1689 — Registration. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 49 of Regulation (EU) 2024/1689 establishes a mandatory registration regime for high-risk AI systems before they may be placed on the Union market or put into service. The article imposes a primary obligation on providers: prior to market placement, they must register themselves and their high-risk AI systems in the EU database established under Article 71. Providers that are established outside the Union must ensure that their authorised representative completes this registration on their behalf.

For the specific category of high-risk AI systems covered by Annex III, point 8 — systems used for biometric categorisation and emotion recognition deployed by law enforcement, border management, immigration, and asylum authorities — the obligation extends to deployers as well. These deployers must register their use of such systems before deployment.

The information to be submitted during registration is defined in Annex VIII, Parts I and II, and must be kept accurate and up to date. Where updates occur — for instance, following a substantial modification — the registered entry must be revised accordingly. Systems used exclusively by Union institutions, bodies, offices, or agencies are registered in a dedicated, restricted section of the database, ensuring that sensitive operational information is appropriately protected while maintaining accountability. The article thereby creates a structured, lifecycle-aware transparency mechanism that enables market surveillance authorities and the public to identify and monitor high-risk AI deployments across the Single Market.

What This Means in Practice

Article 49 requires any business that develops or brings to market a high-risk AI system within the scope of Annex III to complete a registration step that is functionally comparable to a product filing with a regulator. In practice, this means that before launch, a provider's legal or compliance team must:

1. Create or update an account on the EU AI Act database portal (operated by the European Commission under Article 71).
2. Submit structured information per Annex VIII — covering company identity, system description, intended purpose, risk management summary, conformity declaration reference, and any notified body certificate number.
3. Obtain a registration number that must subsequently appear in the EU declaration of conformity and accompany the system's documentation.

For non-EU providers, the authorised representative established in the Union is the point of contact responsible for submitting the registration. This mirrors the model used in other EU product-safety frameworks.

For deployers operating high-risk biometric or emotion-recognition systems in law enforcement or border management contexts (Annex III, point 8), a separate deployer-side registration is mandatory before the system is activated in an operational environment.

A practical example: a company providing an AI-powered creditworthiness scoring tool (Annex III, point 5b) must register the system in the EU database, obtain its registration number, include that number in the declaration of conformity, and update the entry if the model undergoes a substantial modification — such as a significant change to training data or output logic — that is validated through the conformity assessment process.

Registration is not a one-off administrative step; it is a living record that tracks the system through its commercial life.

Key Obligations

• Pre-market registration: Providers must register themselves and their high-risk AI systems in the EU database under Article 71 before the system is placed on the market or put into service in the Union.
• Authorised representative as registrant: Where the provider is established outside the EU, the authorised representative established in a Member State must complete and submit the registration.
• Deployer registration for point 8 systems: Deployers of Annex III, point 8 high-risk AI systems (biometric categorisation, emotion recognition) in law enforcement and border contexts must register their intended use before deployment.
• Annex VIII information requirements: Registrations must contain all information specified in Annex VIII, Parts I and II, including system identity, capabilities, limitations, conformity documentation, and certificate references.
• Ongoing accuracy obligation: Registered information must be kept current; any substantial modification that triggers a new conformity assessment requires a corresponding update to the registration entry.
• Restricted entries for sensitive public-authority use: Systems used exclusively by law enforcement, border management, immigration, and asylum authorities under Annex III points 1–7 are registered in a non-public section of the database, balancing transparency with operational security.

Relationship to Other Articles

Article 49 sits at the intersection of several core obligations and cannot be read in isolation.

Article 71 establishes and governs the EU database in which registrations are recorded; it defines the Commission's responsibilities as administrator and the public accessibility rules that Article 49 cross-references.

Annex VIII specifies the exact information fields that must be submitted, making it operationally inseparable from the registration process.

Article 47 (EU declaration of conformity) and Article 48 (CE marking) precede registration logically: the declaration of conformity reference number must be available at the time of registration, and the registration number feeds back into the declaration. Together, Articles 47, 48, and 49 form the final compliance gate before market access.

Article 43 (conformity assessment) feeds into registration because the notified body certificate obtained there is a mandatory data field in Annex VIII where third-party assessment is required.

Article 111 (transitional provisions) governs how registration timelines interact with systems already on the market before the obligations come into force, and should be consulted alongside Article 49 for any legacy system analysis.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. However, Article 49 registration obligations do not apply immediately upon entry into force; they follow the Act's phased application schedule:

• 2 February 2025 — Prohibited AI practices (Article 5) became enforceable. No direct impact on Article 49, but relevant for scoping exercises.
• 2 August 2025 — GPAI model obligations (Title VIII) and governance framework became applicable. Registration under Article 49 is not triggered at this stage for GPAI models that are not separately classified as high-risk.
• 2 August 2026 — Registration obligations under Article 49 apply to high-risk AI systems covered by Annex III, points 1 to 7. This is the primary compliance deadline for most enterprise AI providers.
• 2 August 2027 — Registration obligations extend to high-risk AI systems governed by Annex II (harmonised product-safety legislation), such as medical devices and machinery.

Providers and deployers should plan registration workflows — including Annex VIII data collection, EU database portal access, and authorised representative arrangements — well ahead of the August 2026 deadline to avoid last-minute bottlenecks. Systems placed on the market before these dates under prior frameworks benefit from transitional arrangements under Article 111, but providers are strongly advised to assess whether those arrangements apply to their specific product category.