
AI Act 2026 Conformity Assessment Process: Compliance Steps and Requirements


Think you can launch a high-risk AI in the EU without a compliance audit?
You can’t: conformity assessment is mandatory for high-risk systems, and the fines for breaching provider obligations reach €15,000,000 or 3% of global annual turnover, whichever is higher. The obligations for Annex III systems apply from August 2, 2026; systems that are high-risk because they are safety components of Annex I products get until August 2, 2027.
This post explains the AI Act 2026 conformity assessment process step by step: how to classify high-risk systems, choose internal or notified-body routes, build a quality management system, compile technical documentation, run tests, fix non-conformities, and register the product.
Read on to know which path applies to your system and where delays and costs usually appear.

Core Breakdown of the AI Act 2026 Conformity Assessment Process


Conformity assessment is mandatory for every high-risk AI system before it is placed on the EU market or put into service (Article 43). Skip it or mess it up, and you’re looking at fines up to €15,000,000 or 3% of global annual turnover, whichever is higher. Obligations for Annex III systems apply from August 2, 2026 (Annex I-based systems follow on August 2, 2027). The AI Act splits high-risk systems into two buckets: Annex I covers AI used as a safety component of a product (or that is itself a product) covered by listed EU harmonisation legislation which already requires third-party conformity assessment (think medical devices, machinery), and Annex III lists standalone high-risk uses like biometrics, credit scoring, employment tools, and critical infrastructure management. Article 6(3) offers a narrow exit for Annex III uses that pose no significant risk of harm: the system only performs a narrow procedural task, improves the result of a previously completed human activity, detects decision-making patterns without replacing or influencing a human assessment, or does preparatory work for an Annex III assessment. Anything that profiles natural persons stays high-risk regardless. If you rely on the exit, document the assessment before placing the system on the market (Article 6(4)), keep that rationale on file for authorities, and still register yourself and the system in the EU database (Article 49(2)).

You’ve got two conformity routes: internal control (Annex VI) or third-party assessment through a notified body (Annex VII), and Article 43 decides which one applies. For Annex III systems in points 2 to 8 (critical infrastructure, education, employment, essential services, law enforcement, migration, justice) the route is always Annex VI internal control; no notified body is involved. For Annex III point 1 (biometrics, including remote biometric identification) you may choose Annex VI or Annex VII if you fully apply harmonised standards or common specifications; Annex VII is mandatory when no harmonised standards or common specifications exist, when you apply them only partly or not at all, or when a standard was published with a restriction. Annex I systems run through the conformity procedure of their sectoral product legislation with the AI Act requirements folded in (Article 43(3)). Notified-body audits dig into your quality management system, technical docs, and testing evidence. Certificates are valid for the period they state, capped at five years for Annex I systems and four years for Annex III systems (Article 44), with periodic surveillance.

The conformity workflow follows a specific sequence:

  1. Classify the system. Confirm it meets the Article 3(1) AI definition, figure out if it’s Annex I or Annex III, and check the Article 6(3) exclusion if relevant.

  2. Pick your assessment path. Internal (Annex VI) or notified-body (Annex VII), based on system type and which standards you’re using.

  3. Set up or align a Quality Management System (QMS). Build or map your existing QMS to Article 17 requirements. ISO 42001, ISO 9001, or ISO 27001 can help.

  4. Compile technical documentation. Pull together the full technical file per Article 11 and Annex IV before you go to market.

  5. Implement and test compliance requirements. Build and validate your risk management system, data governance, automatic logging, transparency, human oversight, and robustness controls (Articles 9–15).

  6. Run the assessment. Do your internal review or bring in the notified body for external audit.

  7. Fix non-conformities. Address findings with corrective actions, retest, update docs.

  8. Issue declaration, affix CE marking, register. Draft the EU Declaration of Conformity (Article 47), slap on the CE marking (Article 48), and register the system in the EU database (Article 49) before market placement.

High-Risk AI Classification Under the AI Act 2026


High-risk classification decides whether your system goes through conformity assessment. Annex I grabs AI systems serving as safety components of (or themselves being) products covered by listed EU harmonisation legislation that already requires third-party conformity assessment: medical devices, aviation, machinery, vehicles. Annex III lists standalone high-risk uses in contexts where mistakes or bias can cause real harm to health, safety, or fundamental rights. Article 6(3) offers a narrow out for Annex III uses that do not pose a significant risk of harm: narrow procedural tasks, improving the result of a completed human activity, detecting decision-making patterns without replacing human assessment, or preparatory tasks. Profiling of natural persons never qualifies. Document the determination before market placement, keep the reasoning on record for authorities, and register the system in the EU database anyway (Article 49(2)).

Common high-risk use cases that trigger conformity assessment:

  • Biometrics: remote biometric identification (not plain identity verification), biometric categorisation by sensitive attributes, and emotion recognition (Annex III, point 1)
  • AI used as a safety component in managing critical digital infrastructure, road traffic, or the supply of water, gas, heating, or electricity (Annex III, point 2)
  • Education and vocational training systems that decide admission, evaluate learning outcomes, assign education levels, or monitor cheating during tests (Annex III, point 3)
  • Employment, worker management, and access to self-employment (CV screening, promotion and termination decisions, task allocation, monitoring) (Annex III, point 4)
  • Access to essential private and public services and benefits (benefit eligibility, creditworthiness, life and health insurance risk assessment and pricing, emergency call triage) (Annex III, point 5)
  • Law enforcement, migration, asylum, and border control applications (risk profiling, evidence reliability assessment, lie detection, application examination) (Annex III, points 6–7)
  • Administration of justice and democratic processes (assisting courts in researching and interpreting facts and law, influencing election outcomes) (Annex III, point 8)

Internal vs Third-Party Conformity Assessment Paths


Internal conformity assessment (Annex VI) is self-assessment by the provider: you verify that your QMS meets Article 17, examine the technical documentation against the Chapter III, Section 2 requirements, check that design, development, and post-market monitoring are consistent with that documentation, and then sign the Declaration of Conformity. Article 43 makes it the route for every Annex III system in points 2 to 8, and an option for Annex III point 1 (biometrics) when you fully apply harmonised standards or common specifications published by the European Commission. It’s faster and cheaper, usually wrapping in three to six months once your docs and quality systems are ready.

Third-party conformity assessment (Annex VII) means bringing in a notified body, an independent organization designated by a Member State’s notifying authority and notified to the Commission. The notified body reviews your QMS, checks technical documentation, and might do on-site or remote inspections. Certificates run for the period they state, capped at four years for Annex III systems and five years for Annex I systems (Article 44), with periodic surveillance audits and the occasional surprise check. Article 43 sends only Annex III point 1 systems down this route, and only when harmonised standards or common specifications aren’t available or aren’t fully applied; Annex I systems use their sector’s notified-body procedure with the AI Act requirements added. The provisions on notifying authorities and notified bodies apply from August 2, 2025, but early demand will likely swamp available capacity. Plan to engage auditors well ahead of time.

When to Choose Internal vs Third-Party

System type and compliance strategy drive the choice, and Article 43 leaves less room than you might think. Annex III points 2 to 8: internal control under Annex VI, full stop. Annex III point 1 (remote biometric identification, biometric categorisation, emotion recognition): Annex VI or Annex VII at your option if you fully apply harmonised standards or common specifications; Annex VII is compulsory when no such standards or specifications exist, when you apply them only partly or not at all, or when a standard is published with a restriction. Annex I systems fold the AI Act requirements into the conformity procedure of their sectoral product legislation, which already involves a notified body. A provider who wants external certification to boost market credibility can still engage an assessor voluntarily, but that engagement does not replace the procedure Article 43 prescribes.

Quality Management System Requirements for AI Act 2026 Compliance


Article 17 says you need a documented, systematic Quality Management System ensuring regulatory compliance across the AI lifecycle. The QMS covers regulatory strategy, design and development controls (coding standards, version control, testing protocols, change management), data governance, risk management, post-market monitoring, resource planning, accountability structures, record-keeping, and communication with authorities. You can streamline compliance by lining up your QMS with established standards. ISO 42001 (AI management systems) maps closely to AI Act requirements. ISO 9001 (quality management) and ISO 27001 (information security) offer reusable processes for docs, training, and audit trails.

The QMS isn’t static. You maintain and update it as your system evolves, documenting whether each change is substantial (affecting compliance or intended purpose) or non-substantial (minor updates, patches, performance tuning). Substantial mods need a new conformity assessment. Essential QMS components:

  • Regulatory strategy defining which AI Act obligations apply and how you meet them
  • Design and development controls covering code versioning, testing, validation, peer review
  • Data governance procedures for training, validation, and testing datasets (bias mitigation, statistical quality checks)
  • Risk and change management distinguishing substantial from non-substantial changes
  • Post-market monitoring plan with active performance tracking and feedback loops
  • Accountability framework assigning roles, responsibilities, escalation paths
  • Record-keeping and documentation controls ensuring traceability and retention (technical documentation, QMS documentation, notified-body decisions, and the declaration for 10 years after market placement under Article 18; automatically generated logs under your control for at least six months under Article 19)

Technical Documentation Requirements Under the EU AI Act


Article 11 and Annex IV spell out the technical documentation you compile before placing a high-risk AI system on the market. The technical file is the single source of truth for assessors, auditors, and market-surveillance authorities. It describes the system’s intended purpose, provider identity, version history, architecture, datasets, data governance measures, bias assessments, risk-mitigation steps, validation and testing evidence, change logs, and post-market monitoring plans. Documentation stays available to authorities for at least 10 years after market placement (Article 18). The Act doesn’t demand a separate internal register, but in practice you want an inventory of every high-risk system you’re responsible for, keyed to its EU database entry.

The Annex IV checklist gets granular. You need to show how data was sourced, cleaned, validated. What assumptions and limitations apply. Which statistical methods caught bias. How the system was tested against accuracy, robustness, and cybersecurity requirements. Version control has to be explicit—each update, patch, or model retrain logged with an impact analysis. For systems using third-party components or pretrained models, the file documents dependencies, licenses, and compliance posture of upstream elements.

Annex IV documentation items, condensed:

  • System description and intended purpose: detailed explanation of the AI’s function, use cases, target users, and operational environment
  • Provider identity and versioning: provider name, contact, system identifier, version number, and change-log summary
  • Data governance and bias assessment: dataset sources, statistical relevance, bias-mitigation measures, validation procedures, and data-quality metrics
  • Testing, validation, and risk management: test plans, results, accuracy/robustness benchmarks, risk-mitigation steps, and post-market monitoring plan

Testing, Validation, and Safety Evidence Required for Conformity


Articles 9 through 15 lay out the substantive requirements you implement and verify during conformity assessment. You demonstrate a working risk management system that identifies, evaluates, and mitigates risks over the AI lifecycle, including testing against predefined metrics (Article 9). Data governance (Article 10) requires that training, validation, and test datasets are relevant, sufficiently representative, and, to the best extent possible, free of errors and complete for the intended purpose, and that you examine them for biases likely to affect health, safety, or fundamental rights and take measures to detect, prevent, and mitigate those biases. Automatic logging (Article 12) captures events over the system’s lifetime at a level that lets you identify risk situations and trace what happened during post-market monitoring. Transparency (Article 13) is aimed at deployers: the system must be designed so they can interpret its output, and it ships with instructions for use covering capabilities, limitations, accuracy, foreseeable misuse, and oversight measures (telling affected people they are interacting with an AI system is a separate Article 50 duty). Human oversight (Article 14) ensures trained personnel can understand, monitor, intervene in, and override the system, including stopping it. Accuracy, robustness, and cybersecurity (Article 15) require resilient design, declared accuracy metrics, mitigation of feedback loops in continuously learning systems, and defenses against data poisoning, model poisoning, adversarial examples, and confidentiality attacks.

Testing procedures vary by system type but typically include performance benchmarking against defined thresholds, stress tests under edge-case scenarios, bias analysis across demographic groups, robustness checks for noisy or incomplete data, and cybersecurity threat simulations. Evidence must be documented, reproducible, and traceable to specific versions of code and datasets. Key testing categories:

  • Performance validation against accuracy, precision, and recall targets for the intended use case
  • Bias and fairness testing across protected characteristics and demographic segments
  • Robustness evaluation under data quality degradation, input perturbation, and distribution shift
  • Cybersecurity threat modeling and penetration testing, including adversarial example resilience
  • Human-oversight verification confirming that operators can detect errors, halt operations, and correct outputs in real time
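As an added example (not code from the article), here is what one slice of that evidence can look like in Python: a demographic-parity and equalised-odds check across protected groups, an input-perturbation robustness check, and a record that ties the numbers to a dataset digest and a model version so an assessor can reproduce them. The dataset, the threshold decision rule, the model version string, and the acceptance thresholds are all constructed for illustration; the AI Act prescribes none of those numbers.

```python
"""Added example: producing Article 10/15-style test evidence for a
hypothetical high-risk scoring system.  Dataset, decision rule, version
string and thresholds are constructed; none of them come from the AI Act."""
import hashlib
import json

MODEL_VERSION = "credit-scorer-1.4.2"   # hypothetical identifier
DP_RATIO_MIN = 0.8                       # assumed policy threshold (four-fifths rule)
EO_GAP_MAX = 0.2                         # assumed policy threshold
FLIP_RATE_MAX = 0.05                     # assumed policy threshold

# Constructed sample: (integer score 0-100, protected group, ground-truth label).
SAMPLE = [
    (90, "A", 1), (70, "A", 1), (55, "A", 0), (40, "A", 1), (30, "A", 0), (10, "A", 0),
    (95, "B", 1), (45, "B", 1), (35, "B", 1), (60, "B", 0), (20, "B", 0), (15, "B", 0),
]


def predict(score, threshold=50):
    """Toy decision rule standing in for the model under test."""
    return 1 if score >= threshold else 0


def dataset_digest(rows):
    """Stable SHA-256 over canonical JSON of the test set, so the evidence
    record is traceable to exactly this data (the Annex IV link)."""
    canonical = json.dumps(rows, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def _rate(numer, denom):
    return numer / denom if denom else 0.0


def fairness_metrics(rows, threshold=50):
    """Selection rate, TPR and FPR per group; demographic-parity ratio and
    equalised-odds gap across groups."""
    groups = sorted({g for _, g, _ in rows})
    sel, tpr, fpr = {}, {}, {}
    for g in groups:
        preds = [(predict(s, threshold), y) for s, gg, y in rows if gg == g]
        sel[g] = _rate(sum(p for p, _ in preds), len(preds))
        tpr[g] = _rate(sum(1 for p, y in preds if p == 1 and y == 1),
                       sum(1 for _, y in preds if y == 1))
        fpr[g] = _rate(sum(1 for p, y in preds if p == 1 and y == 0),
                       sum(1 for _, y in preds if y == 0))
    dp_ratio = _rate(min(sel.values()), max(sel.values()))
    eo_gap = max(max(tpr.values()) - min(tpr.values()),
                 max(fpr.values()) - min(fpr.values()))
    return {"selection_rate": sel, "tpr": tpr, "fpr": fpr,
            "dp_ratio": dp_ratio, "eo_gap": eo_gap}


def robustness_flip_rate(rows, perturbations=(-10, -5, 5, 10), threshold=50):
    """Share of (row, perturbation) pairs where a small input change flips
    the decision: a minimal input-perturbation robustness check."""
    flips = total = 0
    for s, _, _ in rows:
        base = predict(s, threshold)
        for d in perturbations:
            total += 1
            flips += predict(s + d, threshold) != base
    return _rate(flips, total)


def evaluate(rows=SAMPLE, threshold=50):
    """Build the evidence record an assessor reads: metrics, thresholds
    applied, findings, and what the numbers are traceable to."""
    fair = fairness_metrics(rows, threshold)
    flip = robustness_flip_rate(rows, threshold=threshold)
    findings = []
    if fair["dp_ratio"] < DP_RATIO_MIN:
        findings.append(f"demographic parity ratio {fair['dp_ratio']:.3f} < {DP_RATIO_MIN}")
    if fair["eo_gap"] > EO_GAP_MAX:
        findings.append(f"equalised-odds gap {fair['eo_gap']:.3f} > {EO_GAP_MAX}")
    if flip > FLIP_RATE_MAX:
        findings.append(f"perturbation flip rate {flip:.3f} > {FLIP_RATE_MAX}")
    return {"model_version": MODEL_VERSION, "dataset_sha256": dataset_digest(rows),
            "fairness": fair, "flip_rate": flip, "findings": findings,
            "passed": not findings}


if __name__ == "__main__":
    print(json.dumps(evaluate(), indent=2))
```

On the constructed sample the record comes back with three findings (parity ratio 0.667, equalised-odds gap 0.333, flip rate 0.083), which is exactly the kind of output that feeds the corrective-action step: the finding, the threshold it breached, and the dataset digest and model version it was measured against all sit in one artefact.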

Declaration of Conformity, CE Marking, and EU Database Registration


After you wrap conformity assessment, you issue an EU Declaration of Conformity under Article 47. The declaration is a formal legal statement that your AI system complies with all applicable requirements. It includes the provider’s identity and contact info, system identifier and version, a clear statement of conformity, references to the harmonised standards or common specs applied, the date and place of issue, and the name and ID number of the notified body if third-party assessment was performed. The declaration lives for at least 10 years.

Article 48 says you affix CE marking to the system or, if that’s not physically possible, to the packaging or accompanying docs. The CE marking must be visible, legible, and indelible. When a notified body ran the assessment, the marking includes the notified body’s ID number. Article 49 mandates registration in the EU database before placing the system on the market. The registration captures system metadata, provider details, conformity evidence references, and any post-market monitoring updates. Compliance output sequence:

  1. Complete the conformity assessment (internal or notified-body).
  2. Draft and sign the EU Declaration of Conformity, referencing all applied standards and assessment results.
  3. Affix CE marking with the notified-body ID if applicable.
  4. Register the system and provider in the EU database before market placement.

Post-Market Monitoring, Serious Incident Reporting, and Lifecycle Compliance


Conformity assessment doesn’t stop at market placement. Article 72 requires you to run a post-market monitoring system that actively collects, documents, and analyses real-world performance data. Monitoring tracks whether the system keeps meeting accuracy, robustness, and safety requirements, and whether new risks pop up from deployment conditions, user behavior, or environmental changes. The post-market monitoring plan goes in the technical documentation and updates as the system evolves.

Article 73 puts a strict serious-incident reporting obligation on you. A serious incident (Article 3(49)) is an incident or malfunction that directly or indirectly leads to death or serious harm to health, a serious and irreversible disruption of critical infrastructure, an infringement of Union-law obligations intended to protect fundamental rights, or serious harm to property or the environment. You report it to the market-surveillance authority of the Member State where it occurred immediately after establishing a causal link (or a reasonable likelihood of one), and in any event no later than 15 days after becoming aware of the incident; the clock shortens to two days for widespread infringements or critical-infrastructure disruption, and to ten days for a death. Alongside reporting, you maintain internal audit schedules, monitor for model drift and data quality degradation, track regulatory updates and new harmonised standards, and evaluate whether system updates or changes trigger the need for a new conformity assessment.
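As an added example (not code from the article), here is a drift and data-quality check of the kind an Article 72 monitoring plan might schedule per reporting window: it compares the live distribution of output scores against the histogram recorded at conformity assessment using the Population Stability Index, checks input completeness, and returns the alerts to log and whether to escalate. The score bands, the histograms, and the warning and alert levels are constructed for illustration; the AI Act sets no numeric drift limit.

```python
"""Added example: one post-market monitoring window for a hypothetical
high-risk scoring system.  Histograms, bin labels and thresholds are
constructed; the PSI warn/alert levels are common rules of thumb, not
anything the AI Act prescribes."""
import math

BINS = ("0-24", "25-49", "50-74", "75-100")     # hypothetical score bands
PSI_WARN, PSI_ALERT = 0.1, 0.2                   # assumed rule-of-thumb levels
MISSING_RATE_MAX = 0.02                          # assumed data-quality limit

# Constructed histograms: number of scored cases per band.
BASELINE = [40, 30, 20, 10]        # distribution recorded at conformity assessment
LIVE_STABLE = [41, 29, 20, 10]     # a later window that looks like the baseline
LIVE_DRIFTED = [10, 20, 30, 40]    # a later window where the population has shifted


def _shares(counts, eps=1e-6):
    """Counts to proportions; eps keeps an empty bin from producing log(0)
    or a division by zero (the edge case that silently breaks PSI jobs)."""
    total = sum(counts)
    return [max(c / total, eps) if total else eps for c in counts]


def psi(expected_counts, actual_counts):
    """Population Stability Index between a baseline and a live histogram:
    sum over bins of (actual - expected) * ln(actual / expected)."""
    if len(expected_counts) != len(actual_counts):
        raise ValueError("histograms must use the same bins")
    e, a = _shares(expected_counts), _shares(actual_counts)
    return sum((ai - ei) * math.log(ai / ei) for ei, ai in zip(e, a))


def check_window(live_counts, missing, processed, baseline=BASELINE):
    """Monitoring verdict for one reporting window: PSI against the
    baseline, input completeness, alerts to record, and an escalation flag
    that should open an investigation and corrective-action ticket."""
    score = psi(baseline, live_counts)
    missing_rate = missing / processed if processed else 0.0
    alerts = []
    if score >= PSI_ALERT:
        alerts.append(f"distribution shift: PSI {score:.3f} >= {PSI_ALERT}")
    elif score >= PSI_WARN:
        alerts.append(f"distribution warning: PSI {score:.3f} >= {PSI_WARN}")
    if missing_rate > MISSING_RATE_MAX:
        alerts.append(f"input completeness: missing rate {missing_rate:.3f} > {MISSING_RATE_MAX}")
    return {"psi": score, "missing_rate": missing_rate, "alerts": alerts,
            "escalate": score >= PSI_ALERT}


if __name__ == "__main__":
    for name, counts in (("stable", LIVE_STABLE), ("drifted", LIVE_DRIFTED)):
        print(name, check_window(counts, missing=1, processed=100))
```

Drift by itself is not a substantial modification, so this check never triggers reassessment on its own; what it does is produce the dated, versioned evidence that shows the system is still being watched after market placement, and it flags the moment you need to decide whether retraining or a redesign is needed.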

When Updates Trigger a New Conformity Assessment

Not every update needs reassessment. A substantial modification (Article 3(23)) is a change not foreseen or planned in the initial conformity assessment that affects compliance with the Chapter III, Section 2 requirements or changes the intended purpose; the modified system needs a new conformity assessment before it can be placed on the market or put into service (Article 43(4)). The flip side matters just as much: for a system that keeps learning after market placement, changes to the system and its performance that you pre-determined at the initial assessment and documented in the technical file do not count as substantial (Article 43(4), second subparagraph), which is how a planned retraining cadence can keep operating under the existing assessment. Minor bug fixes, performance tuning, or patches that don’t alter core functionality or the risk profile proceed through the QMS change-management process. Retraining on new data is non-substantial only if it falls within what you pre-determined and post-change validation shows the Section 2 requirements still hold. You document each change, run an impact analysis, and keep evidence justifying the classification as substantial or non-substantial. When in doubt, check with a notified body or legal counsel before release.

Selecting and Working With a Notified Body for AI Act 2026 Compliance


Notified bodies are conformity assessment bodies designated by a Member State’s notifying authority and notified to the Commission to run third-party assessments under the AI Act. Article 31 sets the requirements: notified bodies must be established under the national law of a Member State, show independence from the providers they assess, maintain professional secrecy and confidentiality, employ competent personnel with expertise in AI, data science, cybersecurity, and the relevant application domain, and carry adequate liability insurance. The Commission assigns each notified body an identification number and publishes the list (Article 30), so check a body’s AI Act notification status in the Commission’s NANDO database before you engage. The provisions on notified bodies apply from August 2, 2025, but the number of bodies available early on will be limited.

The typical audit flow starts with a scoping discussion and formal application. The notified body reviews your technical docs, then runs a QMS audit (on-site or remote) evaluating design controls, data governance, risk management, and record-keeping. Next, they assess technical evidence: test results, validation data, bias analysis, and cybersecurity measures. Any findings or non-conformities get documented, and you implement corrective actions. Once satisfied, the notified body issues a certificate valid for the period it states, at most four years for Annex III systems or five years for Annex I systems (Article 44), subject to periodic surveillance audits and possible surprise inspections. Key evaluation criteria when picking a notified body:

  • Proven expertise in the relevant AI domain (biometrics, credit scoring, employment tools)
  • Track record with similar conformity frameworks (medical devices, machinery, cybersecurity)
  • Transparent fee structure and realistic timeline estimates
  • Availability and capacity to meet your market-entry deadline
  • Clear communication and responsiveness during pre-engagement discussions

Conformity Assessment Timeline and Preparation Roadmap for 2026


Start conformity-assessment prep 12 to 18 months before planned market placement or the August 2, 2026 enforcement deadline. Internal conformity assessment, once QMS and technical docs are ready, typically takes three to six months to run. Adding third-party notified-body involvement extends the timeline by another two to four months, depending on audit scheduling, complexity, and how fast you cycle corrective actions. Building a compliant QMS and technical file from scratch for a complex high-risk system can take six to 12 months or longer, especially when data governance, bias mitigation, and testing protocols aren’t yet mature.

Notified-body certificates run for the period they state, capped at four years for Annex III systems and five years for Annex I systems (Article 44), but surveillance audits happen periodically, and you maintain continuous compliance throughout. The 10-year retention requirement for declarations and technical docs means you need durable record-keeping infrastructure. Recommended phase timings:

Phase and estimated duration:

  • Initial gap analysis and classification: 1–2 months
  • QMS design and implementation: 3–6 months
  • Technical documentation compilation: 2–4 months
  • Testing, validation, and evidence collection: 2–4 months
  • Internal conformity assessment execution: 3–6 months
  • Notified-body audit and certification (if required): 2–4 months additional

Common Conformity Assessment Mistakes and How to Avoid Them

Treating conformity assessment as a paperwork exercise is the most common and expensive mistake. Assessors and auditors want evidence of implemented, effective processes: test logs, incident records, training materials, and change-control workflows. A polished compliance manual means nothing without corresponding operational proof. Weak data governance is another frequent gap. Providers underestimate Article 10 requirements, failing to document dataset provenance, statistical relevance, or bias-mitigation measures in enough detail. Missing or poorly defined change-management controls leave you unable to tell substantial from non-substantial modifications, leading to unintended breaches when updates go live without reassessment.

Starting too late is a timeline trap. Beginning only six months before the deadline leaves no margin for corrective actions, notified-body scheduling delays, or surprise technical issues. Ignoring post-market monitoring obligations creates compliance drift. Systems that passed initial assessment may fall out of conformity as real-world conditions shift. Poor traceability and missing compliance matrices make audits slow and painful. Without a clear map linking each Article and Annex IV requirement to specific evidence, you waste time hunting for docs and risk failing to show coverage. Key mistakes to dodge:

  • Producing compliance docs without corresponding operational evidence (logs, test results, training records)
  • Underestimating the depth and rigor of Article 10 data-governance and bias-assessment requirements
  • Lack of robust change-management processes to classify modifications and trigger reassessment when necessary
  • Starting prep only six months before market placement or enforcement deadlines
  • Failing to implement and maintain a post-market monitoring system with active data collection and analysis
  • Missing a compliance matrix that maps every AI Act requirement to supporting evidence and documentation

Final Words

Classify the system, pick the internal or notified‑body route, then build your QMS, assemble the technical file, run tests, and prepare for audit and CE marking. Register in the EU database before placing the product on the market.

Remember: Annex III points 2 to 8 always use internal control, biometric systems in Annex III point 1 need a notified body unless you fully apply harmonised standards or common specifications, Annex III obligations apply from August 2, 2026 (Annex I systems from August 2, 2027), and fines can reach €15M or 3% of global turnover. Keep records for ten years and run continuous post‑market monitoring.

Start early, follow the steps in order, and you’ll reduce risk while keeping market access on track.

FAQ

Q: What triggers a conformity assessment and when is it mandatory under the AI Act 2026?

A: A conformity assessment is triggered when an AI system is classified as high-risk under Annex I or Annex III; it is mandatory before placing such a system on the EU market or putting it into service, per Article 43.

Q: How does high-risk classification under the AI Act work?

A: High-risk classification under the AI Act assigns systems listed in Annex I or Annex III based on intended use, with a narrow Article 6(3) exception for limited‑scope cases that may avoid high‑risk status.

Q: Which AI use cases are typical high-risk examples?

A: Typical high‑risk examples include biometric identification, credit scoring, education and employment assessments, critical infrastructure control, medical devices, law‑enforcement profiling, and migration or border management tools.

Q: What conformity assessment routes exist and how do they differ?

A: Two routes exist: Annex VI internal control, which is the route for Annex III points 2 to 8 and an option for biometric systems in Annex III point 1 when harmonised standards or common specifications are fully applied, and Annex VII notified‑body assessment, which is compulsory for point 1 systems when such standards are unavailable or not fully applied. Annex I systems follow their sectoral product-legislation procedure with the AI Act requirements added.

Q: Does remote biometric identification always require third‑party assessment?

A: No. Remote biometric identification sits in Annex III point 1, where Article 43(1) lets the provider choose between internal control (Annex VI) and a notified body (Annex VII) if harmonised standards or common specifications are fully applied; the notified‑body route becomes compulsory only when they do not exist or are not fully applied.

Q: What must a compliant Quality Management System include for AI Act conformity?

A: A compliant QMS must cover regulatory strategy, design and development controls, code versioning, data governance, risk and change management, post‑market monitoring, accountability, resourcing, and record‑keeping.

Q: Which standards help align a QMS with the AI Act?

A: ISO 42001, ISO 9001, and ISO 27001 can be leveraged to align processes like risk management, quality controls, and information security with Article 17 QMS requirements.

Q: What technical documentation is required and how long must it be retained?

A: Required technical documentation (Article 11, Annex IV) includes system description, intended purpose, datasets, bias evaluations, testing results, change history and post‑market plans; it must be retained for 10 years.

Q: What testing, validation, and safety evidence does the Act demand?

A: The Act requires evidence of risk management, data governance, logging, transparency, human oversight, accuracy, robustness and cybersecurity via stress tests, bias analysis, performance thresholds and threat‑mitigation results.

Q: How do Declaration of Conformity, CE marking, and EU database registration work?

A: The Declaration of Conformity (Article 47) documents compliance, CE marking (Article 48) labels market readiness, and registration in the EU database (Article 49) must occur before placing the high‑risk AI system on the market.

Q: What are post‑market monitoring and serious‑incident reporting obligations?

A: Post‑market monitoring (Article 72) requires a documented plan that actively collects and analyses real-world performance data, including model‑drift checks and record updates; serious incidents must be reported under Article 73 no later than 15 days after you become aware of them (two days for critical‑infrastructure disruption or widespread infringements, ten days for a death), with corrective actions tracked.

Q: When do updates trigger a new conformity assessment?

A: Substantial updates that change intended purpose, safety performance, or core models typically trigger a new conformity assessment; minor patches or routine maintenance usually do not.

Q: How do I choose and work with a notified body for AI conformity?

A: Choose a notified body with proven independence, AI/data science and cybersecurity expertise, liability coverage and confidentiality safeguards; expect application, document review, QMS and technical audits, then certification with surveillance.
