
EU AI Act Conformity Assessment: Step-by-Step Guide for High-Risk AI

High-risk AI providers must complete a conformity assessment before placing their systems on the EU market. This guide walks through both assessment pathways — self-assessment under Annex VI and third-party audit under Annex VII — including documentation requirements, CE marking, EU database registration, and post-market monitoring obligations.

Updated March 24, 2026

1. What is a Conformity Assessment?

A conformity assessment is the formal process through which providers of high-risk AI systems demonstrate that their systems meet the requirements set out in Chapter III, Section 2 of the EU AI Act (Regulation 2024/1689). It is a prerequisite for placing any high-risk AI system on the European market.

The assessment covers seven core requirement areas established in Articles 8 through 15 of the Act:

  • Risk management system (Article 9) — Continuous identification and mitigation of risks throughout the AI system lifecycle
  • Data governance (Article 10) — Training, validation, and testing data must meet quality criteria relevant to the intended purpose
  • Technical documentation (Article 11) — Comprehensive documentation enabling assessment of compliance by authorities
  • Record-keeping (Article 12) — Automatic logging capabilities to ensure traceability of the AI system's functioning
  • Transparency (Article 13) — Instructions of use that enable deployers to interpret output and use the system appropriately
  • Human oversight (Article 14) — Design enabling effective oversight by natural persons during use
  • Accuracy, robustness, and cybersecurity (Article 15) — Appropriate levels of performance, resilience, and security

Key Principle

The conformity assessment is not a one-time checkbox exercise. It must reflect the actual state of the AI system at the time of market placement, and the provider must maintain compliance through post-market monitoring for the system's entire lifecycle.

2. Two Assessment Pathways: Annex VI vs Annex VII

The EU AI Act establishes two distinct conformity assessment procedures. Which one applies depends on the category of your high-risk AI system.

Annex VI: Internal Control (Self-Assessment)

Under Annex VI, the provider conducts the conformity assessment internally using their own quality management system. There is no requirement for third-party involvement. The provider verifies that their quality management system complies with Article 17, that the technical documentation meets Article 11 and Annex IV requirements, and that the AI system satisfies all applicable Chapter III requirements.

This is the default pathway for most high-risk AI systems listed in Annex III. It places the compliance burden and liability squarely on the provider.

Annex VII: Conformity Assessment Based on Assessment of Quality Management System and Technical Documentation

Under Annex VII, a notified body — an independent organization designated by an EU Member State — audits both the provider's quality management system and the technical documentation of the specific AI system. The notified body issues a certificate valid for up to five years, subject to periodic audits.

This pathway is mandatory for certain categories of high-risk AI systems, specifically:

  • Real-time and post remote biometric identification systems (Annex III, point 1)
  • AI systems used as safety components in critical infrastructure management and operation (under certain conditions)
  • Any high-risk AI system where the provider has not applied harmonized standards or common specifications covering all relevant requirements

| Criterion | Annex VI (Self-Assessment) | Annex VII (Third-Party) |
| --- | --- | --- |
| Assessor | Provider (internal) | Notified body (external) |
| Cost range | EUR 15,000 – 80,000 | EUR 50,000 – 250,000+ |
| Timeline | 3 – 6 months | 6 – 12 months |
| Certificate validity | N/A (self-declared) | Up to 5 years |
| Mandatory for | Most Annex III systems | Biometric ID, certain critical infrastructure |
| Periodic audits | Internal (ongoing) | Notified body (annual or biannual) |

3. Determining Your Pathway

Follow this decision tree to identify which conformity assessment pathway applies to your AI system:

Step 1: Is your AI system high-risk?

Check whether your system falls under Annex III categories or is a safety component of a product covered by Annex I EU harmonization legislation. If not high-risk, no conformity assessment is required under the AI Act.

Step 2: Does it involve biometric identification?

If your system performs real-time or post remote biometric identification (Annex III, point 1), you must use the Annex VII third-party pathway.

Step 3: Have you applied harmonized standards?

If you have applied harmonized standards or common specifications that cover all the applicable requirements, and these are listed in the Official Journal, you may use the Annex VI self-assessment pathway for most Annex III systems. If not, you must use Annex VII.

Step 4: Is it a safety component under Annex I legislation?

If your AI system is a safety component of a product already requiring third-party conformity assessment under Annex I legislation (e.g., medical devices, machinery), the existing sectoral third-party assessment applies alongside AI Act requirements.

Practical Implication

In practice, approximately 80% of high-risk AI systems will qualify for the Annex VI self-assessment pathway — provided the provider applies relevant harmonized standards. The European Commission and CEN/CENELEC are developing these standards, with the first expected to be published in the Official Journal by mid-2026.

4. Step-by-Step: Self-Assessment (Annex VI)

The internal conformity assessment under Annex VI proceeds in six phases:

Phase 1: Establish Quality Management System

Implement a quality management system compliant with Article 17. This covers: compliance strategy, design and development procedures, testing and validation procedures, technical standards applied, data management procedures, record-keeping systems, incident reporting procedures, communication with authorities, and resource allocation.

Estimated: 4-8 weeks

Phase 2: Prepare Technical Documentation

Create comprehensive technical documentation per Article 11 and Annex IV. Document the system description, design specifications, development process, risk management system, data governance measures, performance metrics, human oversight measures, and cybersecurity provisions.

Estimated: 4-8 weeks

Phase 3: Verify Compliance Against Requirements

Systematically verify that the AI system meets each requirement in Articles 8-15. Document evidence of compliance for each requirement. Identify and remediate any gaps. This verification should be performed by personnel independent from the development team where possible.

Estimated: 2-4 weeks

Phase 4: Conduct Testing and Validation

Execute the testing and validation procedures defined in your quality management system. Verify accuracy, robustness, and cybersecurity performance levels. Test under conditions reflecting real-world deployment. Document all test results and their assessment against defined thresholds.

Estimated: 2-4 weeks

Phase 5: Draft EU Declaration of Conformity

Prepare the EU Declaration of Conformity per Article 47. The declaration must identify the AI system, state the provider's name and address, confirm compliance with applicable requirements, reference applied harmonized standards, and be signed by an authorized representative.

Estimated: 1 week

Phase 6: Affix CE Marking and Register

Affix the CE marking to the AI system or its documentation per Article 48. Register the system in the EU database per Article 49. The system may now be placed on the EU market.

Estimated: 1-2 weeks

5. Step-by-Step: Third-Party Assessment (Annex VII)

The third-party conformity assessment under Annex VII involves the same provider preparation as Annex VI, plus engagement with a notified body. The notified body audits two elements: the quality management system and the technical documentation.

Phase 1: Select a Notified Body

Identify and engage a notified body designated for AI Act conformity assessment by an EU Member State. Check the NANDO database for designated bodies. Consider geographic proximity, sector expertise, capacity, and cost. Expect 2-4 month lead times as demand builds toward 2026 deadlines.

Estimated: 2-8 weeks

Phase 2: Application and Gap Analysis

Submit your application including technical documentation and quality management system documentation. The notified body conducts a preliminary gap analysis and provides a detailed assessment plan. Remediate any critical gaps identified before the formal audit begins.

Estimated: 4-6 weeks

Phase 3: Quality Management System Audit

The notified body audits your quality management system for compliance with Article 17. This includes on-site visits, documentation review, and interviews with key personnel. Non-conformities are categorized as major (blocking) or minor (must be resolved within a timeframe).

Estimated: 4-8 weeks

Phase 4: Technical Documentation Assessment

The notified body evaluates the technical documentation of the specific AI system. They verify compliance with each requirement in Articles 8-15, review testing methodologies and results, assess risk management adequacy, and validate performance claims.

Estimated: 4-8 weeks

Phase 5: Certificate Issuance

If the assessment is positive, the notified body issues an EU technical documentation assessment certificate and, where applicable, a quality management system approval certificate. Certificates are valid for up to 5 years. The notified body notifies the national authority.

Estimated: 2-4 weeks

Phase 6: Ongoing Surveillance

The notified body conducts periodic audits (typically annual) to verify continued compliance. The provider must inform the notified body of any planned substantial modifications. The notified body may conduct unannounced audits based on risk assessment.

Estimated: Ongoing

6. Documentation Requirements

Annex IV of the EU AI Act specifies the minimum content of technical documentation. This documentation is the foundation of both assessment pathways and must be maintained throughout the AI system's lifecycle.

| Documentation Element | Key Contents | Typical Volume |
| --- | --- | --- |
| General description | Intended purpose, provider identity, system version, hardware/software requirements | 10-20 pages |
| System architecture | Detailed description of elements, development process, computational resources, third-party tools | 20-50 pages |
| Data governance | Training methodologies, data sets, data preparation, labeling, cleaning, bias detection | 15-40 pages |
| Testing and validation | Validation and testing procedures, metrics, test data, performance benchmarks | 20-60 pages |
| Risk management | Risk identification, analysis, evaluation, mitigation measures, residual risk assessment | 15-30 pages |
| Changes log | All modifications made throughout the system lifecycle with rationale | Ongoing |

Documentation Challenge

A typical high-risk AI system requires 100-250 pages of technical documentation across these categories. For organizations with multiple AI systems, manual documentation quickly becomes unmanageable. This is where automated documentation generation proves essential — see Section 12 on graph-based automation.

7. CE Marking and Declaration of Conformity

The CE marking is the visible indicator that an AI system has undergone conformity assessment and meets EU AI Act requirements. Article 48 governs its application.

For AI systems (which are often software-only), the CE marking is affixed to the accompanying documentation, instructions of use, or the digital product interface. Where CE marking is not physically possible, it must appear in the EU Declaration of Conformity and any accompanying materials.

The EU Declaration of Conformity (Article 47) must contain:

  • AI system name, type, and any additional unambiguous reference
  • Name and address of the provider (and authorized representative, where applicable)
  • Statement that the declaration is issued under the sole responsibility of the provider
  • Statement that the AI system complies with the EU AI Act and any other relevant Union legislation
  • References to harmonized standards or common specifications applied
  • Where applicable, the name and identification number of the notified body and reference to the certificate issued
  • Place and date of issue, name and function of the signatory

Retention Requirement

The EU Declaration of Conformity and all supporting technical documentation must be kept for 10 years after the AI system has been placed on the market or put into service. National market surveillance authorities can request access to this documentation at any time during this period.

8. EU Database Registration

Article 49 requires providers of high-risk AI systems to register their systems in the EU database before placing them on the market or putting them into service. The database is established and maintained by the European Commission.

Registration information includes:

  • Provider name, address, and contact details
  • AI system trade name and any additional references
  • Intended purpose description
  • Status of the AI system (on the market, no longer on the market, recalled)
  • Risk classification category
  • Member States in which the AI system is or has been placed on the market
  • URL to the EU Declaration of Conformity

Deployers of high-risk AI systems in the public sector (or private entities operating on behalf of public bodies) are also required to register their use in the EU database, ensuring public transparency about AI usage in governmental contexts.

9. Post-Market Monitoring

Article 72 requires providers to establish a post-market monitoring system proportionate to the nature of the AI system and its risks. This system must actively and systematically collect, document, and analyze data on the AI system's performance throughout its lifecycle.

Key post-market monitoring obligations include:

  • Performance monitoring — Continuous tracking of accuracy, robustness, and bias metrics against declared thresholds
  • Incident reporting — Serious incidents must be reported to market surveillance authorities within 15 days of the provider becoming aware (Article 73)
  • Documentation updates — Technical documentation and risk assessments must reflect current system state
  • Corrective actions — Immediate action when non-compliance or risks are identified, including withdrawal or recall if necessary
  • Periodic re-assessment — Regular evaluation of whether the AI system still meets all requirements, especially after significant real-world feedback

Substantial Modification Trigger

A substantial modification to the AI system — defined as a change not foreseen by the provider in the initial conformity assessment that affects compliance or changes the intended purpose — triggers the need for a new conformity assessment. Organizations should establish clear internal criteria for distinguishing routine updates from substantial modifications.

10. Notified Body Selection

For organizations requiring Annex VII assessment, selecting the right notified body is a critical decision. Notified bodies are designated by EU Member State national authorities under Articles 28-39 and listed in the NANDO (New Approach Notified and Designated Organisations) database.

Selection criteria to consider:

  • Sector expertise — Prioritize bodies with experience in your specific AI application domain (healthcare, finance, transport)
  • Capacity and timeline — As the August 2026 deadline approaches, notified body availability will tighten significantly. Early engagement is essential.
  • Geographic considerations — While any EU-designated notified body can assess systems for the entire EU market, local bodies may offer practical advantages in language and site visit logistics
  • Cost transparency — Request detailed fee schedules covering initial assessment, annual surveillance, re-assessment after modifications, and unannounced audits
  • Track record — Given that AI Act notified body designations are new, look for organizations with track records in related domains (medical devices, machinery, cybersecurity)

Early Mover Advantage

The designation process for AI Act notified bodies is still ramping up across Member States. Organizations that begin the Annex VII process early will have access to more bodies with shorter lead times. By mid-2026, expect significant queuing and capacity constraints as the August 2026 deadline drives demand.

11. Timeline and Cost Considerations

Budgeting and scheduling for conformity assessment requires understanding the full scope of activities involved. The following estimates are based on industry benchmarks and early implementation experience.

| Phase | Annex VI Timeline | Annex VII Timeline | Estimated Cost |
| --- | --- | --- | --- |
| Preparation and documentation | 8-16 weeks | 8-16 weeks | EUR 10,000-50,000 |
| Internal verification/testing | 2-4 weeks | 2-4 weeks | EUR 5,000-20,000 |
| Notified body engagement | N/A | 8-20 weeks | EUR 30,000-150,000 |
| Remediation and re-assessment | 2-4 weeks | 4-8 weeks | EUR 5,000-30,000 |
| CE marking and registration | 1-2 weeks | 2-4 weeks | EUR 1,000-5,000 |
| Total | 13-26 weeks | 24-52 weeks | EUR 15,000-250,000+ |

These estimates assume a single AI system. Organizations with portfolios of high-risk AI systems should plan for economies of scale — the quality management system investment is largely one-time, while per-system documentation costs scale with system complexity.

12. Automating Documentation with Graph-Based Tools

The documentation burden of conformity assessment is substantial. For organizations with multiple high-risk AI systems, each requiring 100-250 pages of technical documentation plus ongoing updates, manual processes do not scale.

Traditional approaches to compliance documentation suffer from three fundamental problems:

  • Fragmentation — Requirements, evidence, and decisions are scattered across documents, teams, and systems with no unified traceability
  • Staleness — Documentation reflects the state at creation time, not the current state of the AI system
  • Missing cross-references — Dependencies between requirements (e.g., how a data governance decision affects risk management) are not captured

Graph-based compliance intelligence addresses these challenges by modeling requirements, evidence, decisions, and AI system components as an interconnected knowledge graph rather than flat documents.

Quantamix Solutions Approach: TAMR+ Methodology

Our TraceGov.ai platform uses the TAMR+ (Trace-Augmented Multi-hop Reasoning) methodology — protected under Patent EP26162901.8 — to automate conformity assessment documentation. TAMR+ achieves 74% accuracy on the EU-RegQA benchmark, compared to 38.5% for conventional vector-based RAG approaches.

The system constructs a knowledge graph linking each EU AI Act requirement to the specific evidence, test results, and design decisions that satisfy it. When requirements change (e.g., new harmonized standards are published), the graph automatically identifies affected documentation sections and flags them for update.

For conformity assessment specifically, TAMR+ can generate draft technical documentation from existing system artifacts (code repositories, test suites, design documents), reducing the documentation preparation phase from 8-16 weeks to 2-4 weeks while improving traceability and auditability.

13. Frequently Asked Questions

What is the difference between Annex VI and Annex VII conformity assessment?

Annex VI is a self-assessment pathway where the provider conducts an internal conformity assessment using their own quality management system. Annex VII requires a third-party notified body to audit both the QMS and technical documentation. Annex VII is mandatory for biometric identification systems and certain critical infrastructure AI. Most other high-risk AI systems can use the self-assessment route.

How much does a conformity assessment cost?

Self-assessment (Annex VI) costs range from EUR 15,000 to EUR 80,000 depending on system complexity. Third-party assessment (Annex VII) costs EUR 50,000 to EUR 250,000 or more, including notified body fees, gap analysis, and remediation. Annual post-market monitoring adds EUR 10,000 to EUR 50,000 per system.

How long does the conformity assessment process take?

Self-assessment (Annex VI) typically takes 3 to 6 months for well-prepared organizations. Third-party assessment (Annex VII) takes 6 to 12 months. Organizations starting from scratch should allow 9 to 15 months including documentation preparation. Early engagement with notified bodies is critical as capacity will tighten approaching the August 2026 deadline.

Do I need to re-do the conformity assessment if I update my AI system?

Substantial modifications — changes that affect compliance with requirements or alter the intended purpose — require a new conformity assessment. Minor updates like bug fixes within original parameters generally do not trigger re-assessment but must be documented in your post-market monitoring system. Establishing clear internal criteria for distinguishing routine updates from substantial modifications is essential.

Harish Kumar

Founder & CEO, Quantamix Solutions B.V.

18+ years in enterprise AI across Amazon Ring, Philips (200 GenAI Champions), ING Bank, Rabobank (€400B+ AUM), Deutsche Bank, and Reserve Bank of India. FRM, PMP, GCP certified. Patent holder (EP26162901.8). Published researcher (SSRN 6359818). Building traceable, auditable AI for regulated industries.