Conformity Assessment

Conformity assessment is the formal evaluation process that determines whether a high-risk AI system complies with all applicable EU AI Act requirements. This process must be completed before the system can be placed on the EU market or put into service. Conformity assessment is not merely a documentation review—it requires demonstrating that technical requirements are actually implemented and that governance mechanisms actually function.

Conformity assessment is the gateway to lawful market placement. Without completing this process, organizations cannot apply CE marking or issue the required EU Declaration of Conformity. For high-risk AI systems under Annex III, conformity assessment becomes mandatory in August 2026. The process examines compliance across all applicable requirements: risk management (Article 9), data governance (Article 10), technical documentation (Annex IV), record-keeping (Article 12), transparency (Article 13), human oversight (Article 14), and accuracy, robustness, and cybersecurity (Article 15).

Most high-risk AI systems follow the internal conformity assessment procedure specified in Annex VI. Under this procedure, the provider evaluates their own system against the requirements, documents the assessment, and issues their Declaration of Conformity. This self-assessment must be rigorous and evidenced—providers cannot simply assert compliance. However, certain high-risk systems require assessment by a Notified Body. This includes remote biometric identification systems intended for law enforcement and AI systems used as safety components in products already requiring third-party assessment under other EU regulations. The Notified Body reviews the quality management system, examines technical documentation, and may conduct testing before issuing their conformity certificate.

Whether internal or external, conformity assessment evaluates: completeness and accuracy of Annex IV technical documentation, implementation of the risk management system with evidence of operation, data governance practices with documentation of training data provenance, human oversight mechanisms with evidence they actually function, and testing and validation results demonstrating accuracy and robustness. Organizations should treat conformity assessment as an ongoing readiness state rather than a point-in-time exercise.