Article 8 — Compliance with the requirements (EU AI Act)

Article 8 of Regulation (EU) 2024/1689 — Compliance with the requirements. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 8 of Regulation (EU) 2024/1689, situated in Title III (High-Risk AI Systems), Chapter 2 (Requirements for High-Risk AI Systems), establishes the foundational compliance obligation for providers of high-risk AI systems. Under Article 8(1), such systems shall comply with all requirements set out in Articles 9 through 15 of the same Chapter, which cover risk management systems, data and data governance, technical documentation, record-keeping, transparency and provision of information to deployers, human oversight measures, and accuracy, robustness and cybersecurity standards.

Article 8(2) addresses the intersection of AI regulation with existing product safety legislation. Where a high-risk AI system is itself a safety component of a product, or constitutes the product itself, and that product falls within the scope of Union harmonisation legislation enumerated in Annex I to the Regulation, the AI system must comply with both the Chapter 2 requirements and the applicable Annex I legislation. In such cases, a single conformity assessment procedure may apply where Union harmonisation legislation so permits, ensuring that overlapping regulatory frameworks do not impose duplicative procedural burdens on providers.

The article thus performs two functions: it activates the full suite of technical and governance requirements for high-risk AI, and it establishes the coordination rule between the AI Act and pre-existing sectoral product legislation, preserving coherence across the Union's regulatory landscape for safety-critical technologies.

What This Means in Practice

Article 8 is the gateway provision of Chapter 2. It does not itself specify the content of individual requirements — those are detailed in Articles 9 through 15 — but it makes compliance with all of them a binding legal obligation for providers of high-risk AI systems before any such system can be placed on the market, put into service, or made available.

For AI-only product providers: If you develop and market a standalone high-risk AI system — for example, a recruitment screening tool falling under Annex III, Point 4, or a credit scoring system under Point 5 — you must satisfy the full Chapter 2 requirement set. This means establishing and maintaining a risk management system (Article 9), implementing appropriate data governance practices (Article 10), producing and maintaining technical documentation (Article 11), enabling automatic logging (Article 12), providing deployers with adequate instructions for use (Article 13), designing for meaningful human oversight (Article 14), and achieving validated levels of accuracy, robustness, and cybersecurity (Article 15).

For manufacturers embedding AI in regulated products: If your high-risk AI system is a component of a product already subject to machinery regulation, medical device legislation, or other Annex I frameworks, Article 8(2) requires dual compliance. In practice, this means working with notified bodies familiar with both regimes, and where harmonised standards covering AI requirements exist, leveraging them to establish a presumption of conformity and streamline assessment procedures.

For importers and distributors: While Article 8 places primary obligations on providers, importers and distributors must verify that providers have met these obligations before making systems available, as downstream liability exposure is linked to provider compliance status.

Key Obligations

• Full Chapter 2 compliance required: Providers must satisfy every requirement in Articles 9–15 — risk management, data governance, technical documentation, logging, transparency, human oversight, accuracy, robustness, and cybersecurity — as a cumulative and non-negotiable obligation before market placement.
• Pre-market compliance verification: Compliance must be established and demonstrable prior to placing the high-risk AI system on the market or putting it into service, not retrospectively.
• Dual compliance for Annex I products: Where a high-risk AI system is a safety component of or constitutes a product subject to Union harmonisation legislation listed in Annex I, the provider must comply with both the Chapter 2 requirements and the applicable sectoral legislation simultaneously.
• Integrated conformity assessment where available: Providers of Annex I products may use a single conformity assessment procedure where the applicable Union harmonisation legislation permits such integration, reducing procedural duplication.
• Ongoing compliance, not one-time certification: The requirements of Chapter 2 impose continuous obligations — risk management systems must be updated, logs must be maintained, and technical documentation must remain current throughout the system's lifecycle.
• Provider accountability even through third-party components: Where a high-risk AI system is built upon third-party models or infrastructure, the provider retains responsibility for ensuring the complete system satisfies all applicable Chapter 2 requirements.

Relationship to Other Articles

Article 8 is inseparable from Articles 9 through 15, which it activates and to which it expressly refers. It should also be read in conjunction with Article 6 and Annex III, which define which AI systems are classified as high-risk and therefore subject to the Chapter 2 regime that Article 8 mandates.

Article 16 (obligations of providers) operationalises Article 8 by specifying the procedural and administrative steps providers must take to demonstrate compliance, including drawing up technical documentation, undergoing conformity assessment, affixing the CE marking, and registering the system. Article 43 governs the conformity assessment procedures whose outcomes are required for compliance with Article 8.

For systems falling under Annex I product legislation, Article 8(2) must be read alongside the applicable sectoral acts — such as Regulation (EU) 2017/745 on medical devices or Directive 2006/42/EC on machinery — to determine how requirements interact and which conformity assessment route is available.

Article 9 of the EU AI Act is the most immediate downstream article, establishing the risk management system that forms the operational backbone of Chapter 2 compliance.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after its publication in the Official Journal of the European Union. However, Article 8 and the broader Chapter 2 requirements do not apply immediately to all high-risk AI systems.

The Regulation applies in phases:

• 2 February 2025: Prohibitions on unacceptable-risk AI practices (Article 5) became applicable. Article 8 is not yet in effect at this date.
• 2 August 2025: Rules on general-purpose AI models (Title VIII) and governance provisions became applicable. Article 8 remains inapplicable.
• 2 August 2026: Article 8 and all Chapter 2 requirements become applicable to high-risk AI systems listed in Annex III (e.g., biometric identification, critical infrastructure, employment, education, access to services, law enforcement, migration, administration of justice).
• 2 August 2027: Article 8 and Chapter 2 requirements become applicable to high-risk AI systems that are safety components of products subject to the Annex I Union harmonisation legislation (e.g., medical devices, machinery, toys, civil aviation equipment), given those sectors' longer conformity assessment cycles.

Providers placing Annex III high-risk systems on the market after 2 August 2026 must be fully compliant with Articles 8–15 from that date. Providers of Annex I-embedded systems have until 2 August 2027, but should begin compliance work well in advance given the complexity of dual-regime assessment.