Article 71 — EU database for high-risk AI systems (EU AI Act)

Article 71 of Regulation (EU) 2024/1689 — EU database for high-risk AI systems. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 71 of Regulation (EU) 2024/1689 establishes the EU database for high-risk AI systems, placing the responsibility for its set-up and maintenance on the European Commission. The database is designed to serve as a centralised, publicly accessible repository that increases transparency regarding high-risk AI systems before they are placed on the EU market or put into service.

Under Article 71, providers of high-risk AI systems falling within the scope of Annex III are required to register their systems in the database prior to market placement or putting into service. In specific cases, deployers of Annex III systems are also subject to registration requirements. The information to be submitted is defined in Annex VIII and covers essential identification and technical details of the system, its intended purpose, the conformity assessment approach taken, and references to the EU declaration of conformity.

The article establishes two distinct sections within the database: a publicly accessible section for the majority of high-risk AI systems, and a restricted section accessible only to relevant market surveillance authorities, the Commission, and the AI Office, covering systems deployed by public authorities in sensitive domains such as law enforcement, border management, immigration, and asylum. This dual-track structure balances the public interest in transparency against legitimate confidentiality concerns in sensitive public-sector operations. The Commission is tasked with ensuring the database is functional, user-friendly, and interoperable with other relevant national and EU-level registries.

What This Means in Practice

For providers of high-risk AI systems covered by Annex III, the most immediate practical consequence of Article 71 is the mandatory registration step that must be completed before any commercial or operational deployment. Registration is not an afterthought — it is a gating obligation that must be satisfied upstream of market entry, meaning compliance processes must be structured to complete registration as part of the pre-launch checklist.

Providers must create an account on the EU database platform managed by the Commission and submit the prescribed information in Annex VIII. This includes a structured description of the AI system, its intended purpose, the conformity assessment procedure that was followed, a reference to the EU declaration of conformity and, where applicable, the EU type-examination certificate issued by a notified body. Post-market monitoring plan references are also required.

For example, a provider developing an AI-powered CV-screening tool used in recruitment (an Annex III, Title IV category) must register the system in the public section of the database before making it available to HR departments across EU member states. Conversely, a national police force deploying an AI system for real-time facial recognition in public spaces would register in the restricted section, with access limited to supervisory authorities.

Deployers of certain Annex III high-risk AI systems — particularly those operating in the public sector or deploying systems with significant societal impact — must also verify that the systems they put into service are appropriately registered and may themselves have supplementary registration duties depending on the system category. Organisations should map their AI portfolios against Annex III categories and build registration workflows into their broader AI governance procedures.

Key Obligations

• Provider registration before market placement: Providers of Annex III high-risk AI systems must register the system in the EU database before placing it on the market or putting it into service within the EU.
• Submission of Annex VIII information: Registration requires complete and accurate submission of all information fields prescribed in Annex VIII, including system description, intended purpose, conformity assessment details, and declaration of conformity references.
• Deployer registration in specified cases: Deployers of certain Annex III high-risk AI systems (particularly public-sector deployers) bear their own registration obligations and must enter the relevant information prior to putting the system into service.
• Restricted-section registration for sensitive domains: AI systems used by public authorities in law enforcement, border control, immigration, and asylum must be registered in the non-public, restricted section of the database rather than the general public section, with access controlled accordingly.
• Keeping registration information up to date: Providers and deployers must ensure that registered information remains accurate and current throughout the system's lifecycle, updating entries when relevant changes occur (e.g., substantial modifications triggering a new conformity assessment).
• Commission maintenance and interoperability: The European Commission is obliged to establish, maintain, and keep the database operational, user-friendly, and interoperable with other relevant registries, ensuring its long-term accessibility to the public and competent authorities.

Relationship to Other Articles

Article 71 operates as the practical instrument through which the documentation and transparency obligations established elsewhere in the Regulation are made publicly visible. It connects closely to Article 48 (EU declaration of conformity) and Article 47 (authorised representatives), since the declaration of conformity reference is a mandatory database field. The conformity assessment procedures set out in Articles 43 and 44 feed directly into what providers must disclose at registration.

Article 71 also works in tandem with Article 49 (registration obligations as a standalone article in Title VI), which cross-references the database as the mechanism for fulfilling those duties. The Annex VIII information requirements are inseparable from the technical documentation obligations in Annex IV (Articles 11 and 12). For post-market oversight, Article 71 supports the market surveillance framework in Articles 74 and 75, as national authorities and the AI Office can use database entries as a starting point for monitoring and enforcement activities. Finally, Article 78 (confidentiality) governs how sensitive information submitted to the database, particularly in the restricted section, must be handled by competent authorities.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, triggering the phased application schedule set out in Article 113.

• 1 August 2024 — Regulation enters into force; the Commission begins preparatory work to establish the EU database infrastructure.
• 2 February 2025 — Prohibited AI practices (Article 5) become applicable; no Article 71 registration obligations yet active.
• 2 August 2025 — GPAI model obligations and governance provisions (Title III, Chapter III and Title V) become applicable; Article 71 database not yet operative for these categories.
• 2 August 2026 — Article 71 registration obligations become applicable for providers and deployers of Annex III high-risk AI systems (excluding those already covered by Union harmonisation legislation listed in Annex I). This is the primary activation date for the EU database for the majority of in-scope systems.
• 2 August 2027 — High-risk AI systems covered by Annex I product safety legislation (e.g., medical devices, machinery) that were already on the market before 2 August 2024 must comply with all applicable obligations including registration, provided they have undergone a substantial modification.

Organisations developing or deploying Annex III AI systems should treat the August 2026 deadline as the firm operational target for database registration readiness, building registration workflows into their compliance programmes well in advance.