EU AI Act

EU AI Act Conformity Assessment: Step-by-Step Guide

Last updated June 2026 · 8 min read

Quick Answer

A conformity assessment is how a provider proves a high-risk AI system meets the EU AI Act before it goes to market. Most Annex III systems use self-assessment (internal control, Annex VI); certain biometric and Annex I product-embedded systems need a notified body (Annex VII). Passing lets you sign the EU declaration of conformity and affix the CE marking. Expect 9–18 months end-to-end because the documentation behind the assessment is the long pole.

What Conformity Assessment Actually Checks

Conformity assessment is the gate every high-risk AI system must pass before it can be placed on the EU market. It is not a single test but a structured verification that the system satisfies the seven requirement areas of Chapter III, Section 2: a functioning risk management system, data and data-governance quality, technical documentation, record-keeping and logging, transparency and instructions for use, human oversight, and accuracy, robustness and cybersecurity. If any pillar is missing, the assessment fails.

First, Confirm You Are High-Risk

Conformity assessment applies only to high-risk systems. Before investing in it, classify your system. If it falls in Annex III (employment, education, essential services, law enforcement, etc.) or is a safety component of an Annex I regulated product, you are in scope. If it is limited-risk (a chatbot) or minimal-risk (a spam filter), you have transparency duties at most and do not need a conformity assessment. Our free risk classifier and high-risk definition guide settle this quickly.

Choose Your Route: Internal Control vs Notified Body

The EU AI Act offers two assessment routes. Internal control (Annex VI) is self-assessment: the provider verifies its own quality management system and technical documentation against the requirements, with no external auditor. This is the default for the great majority of Annex III high-risk systems. Third-party assessment by a notified body (Annex VII) is required in narrower cases — principally certain biometric identification and categorisation systems, and high-risk AI built into products that already undergo third-party conformity assessment under Annex I harmonised legislation. Identify your route early, because the notified-body path adds time, cost, and an external audit.

The Step-by-Step Process

Step 1 — Build the quality management system. Article 17 requires a documented QMS covering your compliance strategy, design and development controls, testing, data management, post-market monitoring, and incident reporting. The conformity assessment verifies this exists and works.

Step 2 — Compile the technical documentation. Assemble the Annex IV technical file: system description, development process, monitoring and control, risk management, and validation results. This is the evidence base the assessment examines.

Step 3 — Run the assessment. Under internal control, verify the QMS and technical documentation against each Chapter III requirement and record the results. Under the notified-body route, submit the documentation and undergo the external audit, which may include examination of the system itself.

Step 4 — Draw up the EU declaration of conformity. Sign the declaration (Article 47) stating the system meets the requirements, referencing any harmonised standards or common specifications applied. Keep it for ten years.

Step 5 — Affix the CE marking. Apply the CE mark to the system, its documentation, or its packaging (electronically for digitally supplied AI). Where a notified body was involved, include its identification number.

Step 6 — Register in the EU database. Before placing the system on the market, register it (and yourself as provider) in the EU AI database for high-risk systems.

Keep It Current

Conformity is not a one-off. Post-market monitoring must continue throughout the system's life, serious incidents must be reported, and any substantial modification — a change to intended purpose or to the basis of compliance — triggers a fresh conformity assessment. Building monitoring and change-control into your QMS from day one avoids expensive re-assessment surprises.

GeraCompliance provides the QMS and conformity-assessment templates and a guided compliance checklist that walks through each step above. For a deadline-driven build, the AI Act sprint produces an assessment-ready documentation set in days.

Frequently Asked Questions

What is a conformity assessment under the EU AI Act?

A conformity assessment is the process by which a provider demonstrates that a high-risk AI system meets the requirements of Chapter III, Section 2 of the EU AI Act before placing it on the market. It verifies the risk management system, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity. Passing it allows the provider to draw up an EU declaration of conformity and affix the CE marking.

Do I need a notified body for my AI conformity assessment?

For most Annex III high-risk systems, no — providers self-assess via the "internal control" procedure in Annex VI. A notified body (third-party assessment under Annex VII) is required mainly for certain biometric systems and for high-risk AI embedded in products already subject to third-party assessment under EU harmonised legislation in Annex I.

What is the EU declaration of conformity?

The EU declaration of conformity is a signed legal statement, drawn up by the provider, declaring that the high-risk AI system meets the EU AI Act's requirements. It must name the system and the provider, reference the standards applied, be kept for ten years after the system is placed on the market, and be made available to authorities on request.

What is CE marking for AI systems?

CE marking is the visible mark a provider affixes to a high-risk AI system (or its documentation and packaging) once it passes conformity assessment, signalling compliance with the EU AI Act. For AI systems supplied digitally, the CE mark may appear electronically. It must be affixed before the system is placed on the EU market.

When do I need to repeat the conformity assessment?

A new conformity assessment is required whenever a high-risk AI system undergoes a substantial modification — a change to its intended purpose or to its compliance with the requirements that was not foreseen in the initial assessment. Routine updates that the provider pre-planned and documented as part of the original assessment generally do not trigger a fresh assessment.

How long does an AI Act conformity assessment take?

The assessment itself is relatively quick once the underlying documentation exists, but building that documentation — the risk management system, Annex IV technical file, data governance evidence, and testing results — typically takes several months. Plan 9 to 18 months end-to-end for a mature high-risk system from a standing start, longer if a notified body is involved.
