Determine the correct EU AI Act conformity assessment procedure for your AI system. Self-assessment (Annex VI) vs. third-party (Annex VII). For Annex I systems, find which product regulation procedure applies. Instant results.
Two routes to EU AI Act conformity for high-risk AI
The EU AI Act provides two conformity assessment procedures for high-risk AI systems. Which one applies depends on your AI system category.
Route A: Self-assessment (Annex VI internal control)
Applies to: Most Annex III standalone high-risk AI systems
Who does the assessment: The provider internally, against harmonised standards (EN ISO/IEC standards when published) or directly against the AI Act requirements (Art. 9-15, 17).
What it produces:
- Technical documentation (Art. 11 + Annex IV)
- Quality Management System (Art. 17)
- EU Declaration of Conformity (Art. 47)
- CE marking on the system or documentation (Art. 48)
- Registration in the EU AI database (Art. 71)
Timeline: No external bottleneck — the provider controls the pace. Most organisations should allow 6-12 months for thorough self-assessment given the documentation depth required.
Route B: Third-party assessment (Annex VII — notified body)
Mandatory for:
- Biometric identification and categorisation AI (Annex III point 1)
- Certain critical infrastructure AI where no harmonised standard covers the relevant safety component
What the notified body does: Reviews the technical documentation, conducts conformity assessment, issues an EU technical documentation assessment certificate (Annex VII). The provider then draws up the DoC and applies CE marking.
Timeline: Notified body queues are already constrained (2026) and will worsen as 2027 approaches. Engage your notified body as early as possible — 12-18 months lead time is advisable.
Route C: Integrated assessment (Annex I systems)
Applies to: AI embedded as a safety component in regulated products (medical devices, machinery, vehicles, aviation equipment, etc.)
How it works: AI Act conformity assessment is integrated into the existing product safety conformity assessment. No separate AI-only procedure. Your existing notified body (MDR, MDR, Machinery) handles the combined assessment if designated for AI Act conformity — otherwise coordination between two notified bodies may be required.
For Annex I details: Annex I obligations → | For Annex III details: Annex III obligations →
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Yes. For most Annex III high-risk AI systems, the EU AI Act allows self-assessment (internal conformity check) against harmonised standards or the AI Act requirements directly (Annex VI). Third-party assessment by a notified body is only mandatory for biometric identification/categorisation systems and certain critical infrastructure systems. Providers may voluntarily opt for third-party assessment for any system.
Notified bodies are independent conformity assessment bodies designated by EU member states. For AI Act high-risk systems requiring third-party assessment, the notified body reviews technical documentation, conducts type examination, and issues EU technical documentation assessment certificates. Notified bodies must be designated specifically for AI Act conformity assessment — this is separate from (though may overlap with) their designation under sector legislation like MDR.
After completing conformity assessment, the AI provider must draw up an EU Declaration of Conformity (Art. 47) — a document asserting that the high-risk AI system meets all applicable requirements. The DoC must identify the provider, the system, the conformity assessment procedure followed, and be signed by an authorised representative. It must be kept for 10 years after last placement on the market.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.