RatedWithAI

RatedWithAI

Accessibility scanner

Home / Blog / EU AI Act Conformity Assessment Guide

EU AI Act Conformity Assessment Guide 2026: How to Classify and Certify Your AI System

The EU AI Act creates a risk-tiered compliance framework that determines whether you can self-assess your AI system or need a notified body, whether you need a CE mark, and what documentation you must maintain. If your company sells AI-powered products or services to anyone in the European Union, the August 2, 2026 deadline for Annex III high-risk compliance is approaching — and non-compliance carries fines of up to €35 million or 7% of global revenue.

This guide explains the four risk tiers, the step-by-step conformity assessment process, and what US and international companies must do to keep selling AI products in the EU.

Key deadline: Annex III high-risk AI system obligations (including conformity assessment) apply from August 2, 2026. If you build or deploy AI for hiring, credit scoring, biometric identification, critical infrastructure, education, essential services, law enforcement, migration management, or justice processes, you have months — not years — to complete assessment.

The Four Risk Tiers Explained

The AI Act sorts AI systems into four tiers based on the potential harm they can cause. Your tier determines everything else: documentation requirements, whether you need a CE mark, whether a notified body reviews your system, and what penalties apply for non-compliance.

Tier 1: Prohibited AI (Article 5)

These are outright banned in the EU. Examples include social scoring systems that evaluate trustworthiness based on behavior or socioeconomic status, real-time remote biometric identification in public spaces by law enforcement (with narrow exceptions), untargeted facial image scraping, emotion recognition in workplaces and schools, predictive policing based solely on profiling, and AI that exploits vulnerabilities of specific groups (age, disability, social/economic situation). The ban took effect February 2, 2025.

Tier 2: High-Risk AI (Articles 6, Annex I, Annex III)

These systems can significantly affect health, safety, or fundamental rights. They require full conformity assessment, CE marking, technical documentation, a quality management system, post-market monitoring, and registration in the EU database. Annex III lists eight categories: biometrics, critical infrastructure, education and vocational training, employment and worker management, essential private and public services, law enforcement, migration and border control, and justice and democratic processes. Annex I covers AI that is a safety component of products already regulated by EU product law (machinery, medical devices, vehicles, toys).

Tier 3: Limited-Risk AI (Article 50)

These systems have transparency obligations but no conformity assessment. Examples: chatbots and virtual assistants must disclose that the user is interacting with AI; emotion recognition systems must inform subjects; deep fakes and AI-generated media must be labeled as artificially produced; biometric categorization systems must inform individuals. No CE mark required.

Tier 4: Minimal-Risk AI

The vast majority of AI systems — spam filters, recommendation engines, inventory optimization, search ranking, game AI, internal business analytics. No mandatory requirements under the AI Act. The Commission encourages voluntary adoption of codes of conduct.

Practical takeaway: Most SaaS AI products are Tier 3 or Tier 4 — they need transparency labels or nothing at all. The systems that trigger full conformity assessment are those making decisions about people in high-stakes contexts: hiring, lending, housing, education admissions, healthcare triage, or biometric identification.

Step-by-Step Conformity Assessment Process

Step 1: Classify Your System

Start by determining whether your system falls into Annex III. The key question is not whether your AI is sophisticated — it's whether it makes or materially influences decisions about a person's access to employment, education, credit, housing, healthcare, public benefits, or the justice system. An AI-powered resume screening tool that filters candidates is high-risk. An AI-powered product recommendation engine is not.

For each Annex III category, check the sub-criteria. For example, AI in employment is high-risk if used for recruitment, selection, or evaluating performance. An AI tool that merely schedules interviews is likely not high-risk. Document your reasoning — if a regulator asks why you concluded your system is not high-risk, you need a defensible analysis.

Step 2: Choose the Assessment Pathway

For most Annex III systems, you can self-assess conformity under Annex VI. This means you compile the technical documentation, implement a quality management system, and self-declare that your system meets requirements. There's no external audit — but you must be able to produce the documentation on request from market surveillance authorities.

You must use a notified body (an accredited third-party assessor) if your system falls under Annex I — meaning it is a safety component of a product already regulated by EU harmonized legislation (medical devices, machinery, vehicles, etc.) — or if it involves remote biometric identification. In those cases, the notified body reviews your technical documentation and issues (or denies) an EU-type examination certificate.

Step 3: Build the Technical Documentation File (Annex IV)

The technical documentation file is the heart of conformity assessment. It must include:

  • General description: Intended purpose, system architecture, how it works, versions, and how it relates to non-AI components.
  • Development documentation: Training datasets (source, selection, labeling methodology, data cleaning), design specifications of the model, optimization metrics, and any foreseeable misuse.
  • Monitoring and functioning: How the system is monitored during operation, how it reports serious incidents, its accuracy, robustness, and cybersecurity specifications.
  • Risk management system: Identified risks to health, safety, and fundamental rights, plus mitigation measures applied during development and deployment.
  • Data governance: Data collection practices, bias testing results, representativeness of training data, and data quality controls.
  • Record-keeping and transparency: Logging capabilities (event logs must be retained for at least six months unless otherwise specified), interpretability measures, and instructions for use.
  • Human oversight measures: How users can monitor operation, interpret outputs, and override or abandon decisions.
  • Accuracy, robustness, and cybersecurity: Performance metrics under expected conditions, stress-testing results, adversarial attack resilience, and error rates by demographic group.

Step 4: Implement the Quality Management System (Article 17)

The AI Act requires a documented quality management system (QMS) covering: regulatory compliance strategy, design and development processes, technical documentation control, data management procedures, risk management, testing and validation, post-market monitoring, incident reporting, and transparency to users. If your company already has ISO 9001, ISO 27001, or a similar QMS, you can extend it rather than building from scratch — but AI-specific processes (model versioning, training data provenance, bias monitoring) must be included.

Step 5: Register in the EU Database (Article 71)

Before placing your high-risk system on the EU market, you must register it in the EU database managed by the Commission. You'll provide your company name, the system's name and type, its intended purpose, the Annex III category, and a brief description of its functioning. Standalone high-risk systems (not part of a regulated product) are registered by the provider. For systems integrated into products, the product manufacturer registers the combined system.

Step 6: Affix the CE Mark and Draft the EU Declaration of Conformity

After completing assessment, you affix the CE mark to your AI system or its packaging/documentation (for software-only systems, it appears in the technical documentation and user interface). The CE mark for AI follows existing product marking rules — it is NOT a new "AI CE mark" but the same CE conformity marking that signals EU regulatory compliance. You then draft an EU declaration of conformity stating that your system meets all applicable AI Act requirements. Keep this declaration and the technical documentation for ten years after the system is placed on the market.

Step 7: Establish Post-Market Monitoring (Article 72)

Conformity doesn't end at launch. High-risk providers must monitor system performance in real-world use, evaluate compliance against documented metrics, and report serious incidents to the relevant national authority within specific timeframes: 15 days for breaches of fundamental rights obligations, and 2 days for incidents causing death or serious harm. You need logging infrastructure that can reconstruct decisions after the fact (event logs, input/output records, model version at time of decision).

Fundamental Rights Impact Assessment (Article 27)

Certain deployers (not providers) of high-risk AI must conduct an additional assessment before first use. This applies to:

  • Public sector bodies and agencies using high-risk AI
  • Operators of critical infrastructure (utilities, transport)
  • Deployers providing services covered by Union financial services law (banks, insurance, investment firms)

The FRIA must identify: the specific groups likely affected, the specific risks of harm to fundamental rights, the specific human oversight measures in place, and a description of the deployer's complaint-handling process. The deployer must notify the relevant market surveillance authority at least 90 days before first use, along with the results of the FRIA. This adds approximately 30-60 days to deployment timelines for affected organizations.

Penalties for Non-Compliance

  • Prohibited practices (Article 5 violations): Up to €35 million or 7% of global annual turnover (whichever is higher)
  • Non-compliance with high-risk obligations: Up to €15 million or 3% of global annual turnover
  • Supply of incorrect or misleading information: Up to €7.5 million or 1% of global annual turnover
  • SMEs and startups: Lower of the applicable percentage or the fixed amount (so €15M becomes the lower of 3% or €15M)

Practical Compliance Checklist for US Companies

  • Determine if you're a "provider" — If you develop AI systems and place them on the EU market under your own name/trademark (even if you're US-based), the AI Act applies. Providing access to EU users through an API or SaaS product counts as "placing on the market."
  • Audit your AI inventory against Annex III — List every AI-powered feature. Flag any that make or influence decisions about hiring, credit, education, housing, healthcare, public benefits, law enforcement, migration, or justice.
  • Build the technical documentation file — Start now. Documentation retrofits (reconstructing training data lineage and design decisions months or years later) are painful, error-prone, and often incomplete. Implement model cards and data sheets as ongoing practice.
  • Stand up logging infrastructure — Event logs must persist for at least six months. Inputs, model version, confidence scores, and human overrides should be reconstructable.
  • Test for bias and accuracy by demographic subgroup — Document results. The AI Act expects bias testing, not just aggregate performance.
  • Designate an EU authorized representative — If you're a non-EU provider, Article 22 requires appointing an EU representative to handle compliance communications before placing high-risk systems on the EU market.
  • Implement corrective action protocols — Define how you'll respond to issues found post-launch: patch, rollback, notify authorities. The Act requires documented corrective action authority.
  • Budget for ongoing compliance — Registration, monitoring, documentation maintenance, and potential notified body fees continue for the system's lifetime. Treat compliance as a product cost center, not a one-time launch fee.

Common Misconceptions

"The AI Act only applies to EU companies."

Wrong. The AI Act applies extraterritorially — if your system is used within the EU, the AI Act applies regardless of where you're headquartered. US providers placing AI products on the EU market must comply, and must appoint an EU authorized representative. Even providers outside the EU whose systems' output is used in the EU fall under the Act's scope.

"If we're just a SaaS, the AI Act doesn't apply to us."

The relevant question is what your AI does, not your business model. A SaaS hiring platform using AI to screen resumes is a high-risk system under Annex III. A SaaS inventory optimizer is minimal-risk. What matters is whether the AI influences decisions about people in protected contexts.

"Open-source AI models are exempt."

Partially true. Models released under open-source licenses that allow modification are exempt from some (not all) general-purpose AI model obligations. However, if an open-source model is used in a high-risk system, the provider of that high-risk system (not necessarily the model developer) must comply fully. General-purpose AI models with systemic risk (the largest frontier models) face additional obligations regardless of whether they are open source.

Frequently Asked Questions

Our AI product is still in development. Do we need to comply now?

The August 2, 2026 deadline applies to systems placed on the market after that date. If you launch your product in September 2026, you must comply before launch. Systems already on the market before August 2, 2026 have until August 2, 2027, to comply (a transition period for existing providers). If you're still in development and plan to launch after August 2026, bake compliance into your roadmap now — retrofitting technical documentation is significantly harder than building it alongside development.

What's the difference between AI Act conformity assessment and CE marking under existing product safety law?

They are related but distinct assessments. CE marking under existing EU product law (e.g., Machinery Directive, Medical Device Regulation) confirms safety in the physical product sense. The AI Act adds a parallel assessment specifically for the AI components of those products. If your product is already CE-marked under another directive and contains AI, you'll likely need to extend your conformity assessment to cover the AI Act requirements. For Annex I systems, a single conformity assessment can cover both — but the documentation must address AI-specific items.

We use a third-party AI API (OpenAI, Anthropic, Google). Who is responsible for conformity assessment?

It depends on how you use it. If you build a product that wraps a foundation model API and uses it to make high-risk decisions (e.g., resume screening, credit assessment), you are the provider of the high-risk system and must comply. The foundation model provider has separate obligations under the general-purpose AI model provisions (Articles 51-55), but those don't transfer the high-risk system obligations to them. Downstream providers building high-risk applications bear the responsibility.

How do regulators find out if a system isn't compliant?

The AI Act establishes a network of national market surveillance authorities in each EU member state, coordinated at the EU level by the European AI Office. They can investigate based on: (1) consumer complaints, (2) mandatory incident reports from providers, (3) targeted audits based on risk indicators, (4) referrals from other authorities, (5) the EU database registration (or absence of it). If you're marketing a high-risk system in the EU and haven't registered, that's a visible compliance gap.

Start With the Classification Decision

The most expensive compliance mistake is building a high-risk system without realizing it's high-risk. If your AI influences decisions about who gets a job, a loan, an apartment, a school admission, or a benefit, the EU AI Act treats it as high-risk — regardless of your size, your country, or your development methodology.

Run the classification analysis first. Everything else — documentation, assessment pathway, CE marking, registration — follows from that decision. And if you're uncertain, treat the system as high-risk and document why you're being conservative. Regulators respond better to over-compliance with documented reasoning than to aggressive exemptions that backfire.