What is an AI conformity assessment?
- A conformity assessment shows a high-risk AI system meets the EU AI Act before it goes to market.
- Most Annex III systems use provider self-assessment; some require an independent notified body.
- Success leads to an EU declaration of conformity, CE marking where applicable, and EU database registration.
- Substantial modification of a system can trigger a fresh assessment.
- Current as of June 2026. This is general information, not legal advice.
What the assessment checks
The conformity assessment verifies that the high-risk system meets the Act's core requirements: that a risk management system exists, that data governance is in place, that technical documentation is complete, that logging, transparency, human oversight, accuracy, robustness, and cybersecurity measures are present. In effect, it confirms that the full set of high-risk obligations has been satisfied and documented.
The two routes
There are two main routes, depending on the type of system:
- Self-assessment (internal control): For most Annex III high-risk systems, the provider conducts the assessment itself, based on its technical documentation and quality processes. No external body is required, but the provider remains fully responsible.
- Notified body assessment: For certain systems, particularly some biometric systems and AI that is a safety component of products already subject to third-party assessment, an independent notified body must be involved.
What follows a successful assessment
Once the assessment is passed, the provider draws up an EU declaration of conformity, affixes the CE marking where applicable, and registers the system in the EU database before placing it on the market. The CE marking signals that the provider claims the system meets the applicable EU requirements.
When reassessment is needed
A conformity assessment is not necessarily permanent. If a high-risk system is substantially modified after it is placed on the market, it may need to be assessed again, because the change could affect its compliance. This is why keeping technical documentation and risk assessments current matters: it determines whether a change counts as substantial and triggers reassessment.
Why it matters commercially
The conformity assessment and the CE marking are how a high-risk system earns its place on the EU market. For a vendor, being able to show a completed assessment is increasingly part of winning enterprise trust. For an enterprise deploying a high-risk system, checking that the provider has completed its assessment is part of responsible procurement. Either way, the assessment is the moment the paperwork becomes a market permission.
Key terms
- Conformity assessment
- The formal process of showing a high-risk AI system meets the Act before going to market.
- Notified body
- An independent organisation designated to carry out conformity assessments for certain high-risk systems.
- CE marking
- The mark a provider affixes to signal a system meets the applicable EU requirements.
- Declaration of conformity
- The provider's signed statement that the system complies with the Act's requirements.
- EU database
- The public EU register of high-risk AI systems placed on the market.