How to Register GPAI Models in the EU AI Database: Step-by-Step Guide

1. Article 71 EU Database: What Must Be Registered, By Whom, and When

Article 71 establishes the EU database on high-risk AI systems and GPAI models — a publicly accessible registry managed by the European Commission under the supervision of the EU AI Office. The database serves three functions: enabling market surveillance by national authorities; providing transparency to the public; and maintaining a centralized record of declarations of conformity and technical documentation references.

Category	Who Must Register	Timing	Legal Basis
High-risk AI systems (Annex III)	Provider	Before placing on EU market	Art. 71(1), Art. 49
High-risk AI systems (certain Annex III)	Deployer (in public sector)	Before deployment	Art. 71(2)
GPAI models (standard)	Provider	Before making available in EU	Art. 71(1), Art. 53
Systemic risk GPAI models	Provider	Before making available in EU	Art. 71(1), Art. 55
High-risk AI systems already on market	Provider	Within 6 months of DB launch	Art. 71(8) transitional

Pre-market, not post-market: The pre-market registration requirement for high-risk AI systems is the EU AI Act's most operationally demanding compliance step. It means that a product team cannot begin selling an Annex III AI system in the EU until the system has completed conformity assessment, received a declaration of conformity, and been registered in the EU database. Building registration into the product launch checklist — not as an afterthought — is the only way to avoid launch delays.

2. High-Risk AI Systems: Mandatory Pre-Market Registration Before Placing on EU Market

For high-risk AI systems under Annex III, Article 49 establishes a mandatory pre-market compliance sequence that culminates in EU database registration. The sequence is strictly ordered and cannot be short-circuited:

1Complete risk management system (Article 9)
2Complete data and data governance measures (Article 10)
3Prepare technical documentation (Article 11, Annex IV)
4Implement logging and monitoring capabilities (Article 12)
5Establish transparency and instructions for use (Article 13)
6Implement human oversight measures (Article 14)
7Achieve accuracy, robustness, cybersecurity requirements (Article 15)
8Complete conformity assessment (Article 43)
9Draw up EU declaration of conformity (Article 47, Annex V)
10Affix CE marking (Article 48)
11REGISTER IN EU AI DATABASE (Article 71)
12Place on EU market / put into service

Step 11 — EU database registration — is a prerequisite for Step 12. Skipping registration and placing the system on the market constitutes an Article 99 infringement regardless of whether all preceding compliance steps are complete.

3. GPAI Models: Registration Requirements Under Articles 53 and 55

GPAI model registration requirements differ from high-risk AI system registration in scope and content. The EU AI database contains a dedicated GPAI section managed by the EU AI Office rather than national market surveillance authorities.

Standard GPAI Models (Article 53)

Standard GPAI model providers must register: model name and version; provider legal identity; intended use categories; training data summary reference; downstream provider documentation reference; and GPAI Code of Practice signatory status. Open-source GPAI providers qualify for a reduced registration form (Article 71(3)(a)) that omits downstream documentation fields.

Systemic Risk GPAI Models (Article 55)

Systemic risk GPAI providers must register all standard GPAI fields plus: confirmed compute threshold classification (above 10²⁵ FLOPs); adversarial testing methodology and results summary; incident reporting contact point; cybersecurity measures overview; and energy consumption data.

4. What Information Must Be Submitted: 15-Field Registration Form Breakdown

The EU AI database registration form for high-risk AI systems contains 15 mandatory fields derived from the Annex VIII requirements set out in the EU AI Act. Each field must be completed accurately — material inaccuracies trigger the €7.5 million / 1.5% penalty tier under Article 99(5).

Provider legal identity

Legal entity name, jurisdiction of incorporation, company registration number, EU authorised representative details (if provider is established outside the EU)

AI system name and version

Commercial name, internal version identifier, previous version registrations if this is an update

Intended purpose

Specific intended purpose as described in instructions for use; which Annex III category applies; sub-category within that Annex III listing

Risk classification

Confirmation that the system meets Annex III criteria; which specific paragraph and point of Annex III applies; any Article 6(2) exclusion claims

Conformity assessment type

Module A (internal control) or Module B/C (third-party notified body) as per Annex VII; conformity assessment date

Notified body details

If third-party assessment: notified body name, EU notification number, certificate number and expiry date

Declaration of conformity

Reference number, date of declaration, signatory; the declaration itself is not submitted but must be immediately available on request

CE marking status

Confirmation CE marking has been affixed; location on product or accompanying documentation

Member states of deployment

All EU member states where the system is placed on the market or put into service; updated as deployment expands

Serious incident history

Any serious incidents (Article 3(49) definition) reported in the 12 months prior to registration; incident report reference numbers

Technical documentation reference

Document reference or location where technical documentation (Annex IV) is held; not submitted to database but must be accessible

Post-market monitoring plan

Summary of post-market monitoring plan including data collection methodology, review frequency, serious incident reporting thresholds

Human oversight mechanisms

Description of human oversight capability implemented; who can intervene, how, and under what circumstances

Intended user categories

Whether intended for professional users, public authorities, individuals; any user qualification requirements

System lifecycle status

Active (on market), modified (update registration), withdrawn (removed from market); expected lifecycle timeline

5. EU AI Office vs National Authority Registration: Which Applies When

The EU AI database is centrally managed by the EU AI Office, but the registration authority for high-risk AI systems flows through national market surveillance authorities. Understanding the division of authority is essential for routing your registration correctly.

EU AI Office

›GPAI model registration (all categories)
›Systemic risk GPAI model registration and monitoring
›Coordination of enforcement across member states
›Maintenance of the GPAI Code of Practice register

National Market Surveillance Authorities

›High-risk AI system registration verification
›In-market compliance audits for registered systems
›Investigation and enforcement actions in their jurisdiction
›Registration challenges and appeals

Both (joint oversight)

›AI systems in public sector deployment (Article 71(2))
›Cross-border high-risk AI systems deployed in multiple member states
›Serious incident investigations involving registered systems

For most high-risk AI system providers, the practical registration process flows through the centralized EU AI database portal (managed by the EU AI Office) where the registration data is then accessible to all national market surveillance authorities. There is no separate national registration process — registration in the EU database satisfies the obligation across all EU member states simultaneously.

6. Registration Timeline: When the EU AI Database Goes Live

The EU AI database is targeted for operational launch in Q3 2026, with the EU AI Office confirming availability before the August 2, 2026 high-risk AI applicability date to allow pre-market registrations to be completed.

Q1–Q2 2026

Beta testing

EU AI Office runs closed beta with selected market participants. Registration form finalized. Technical documentation submission APIs tested. Member state national authority integrations verified.

Q3 2026 (pre-Aug 2)

Live — registration open

EU AI database opens for registration. Providers of high-risk AI systems planning to place systems on market from August 2, 2026 must complete registration before this date. Early registration encouraged to identify data quality issues before compliance deadlines.

August 2, 2026

Full applicability

High-risk AI Act obligations under Annex III become fully applicable. Any high-risk AI system placed on EU market from this date without completed registration is in breach of Article 71. National market surveillance authorities begin active registration compliance monitoring.

Q4 2026 (transitional)

Legacy system registration

Providers of high-risk AI systems already on the market before August 2, 2026 have six months from database launch to complete transitional registration under Article 71(8). After this window closes, legacy system non-registration becomes a full Article 99 infringement.

7. Updating Registrations: Substantial Modification Triggers

Article 3(23) defines substantial modification as a change that “affects the compliance of the AI system with this Regulation or results in a modification to the intended purpose.” This definition has significant operational implications: not every system update requires a registration update, but identifying which updates cross the substantial modification threshold requires systematic assessment.

Triggers Re-registration (Substantial)

✕New training data that changes output characteristics
✕Architecture change affecting accuracy or safety properties
✕Expansion to a new Annex III use case
✕Change in intended user category
✕Changes to conformity assessment evidence base
✕New deployment to additional member states

Does NOT Trigger Re-registration

✓UI/interface changes with no effect on AI output
✓Performance optimizations that don't change compliance
✓Bug fixes not affecting safety-critical functionality
✓Documentation updates
✓Infrastructure changes (hosting, deployment environment)
✓Security patches not affecting model behaviour

Practical guidance: Providers should establish a “substantial modification assessment” checkpoint in their ML/AI development pipeline. Every planned system change should be assessed against the Article 3(23) definition before deployment. TraceGov.ai's change impact assessment module automates this check — flag any system change and receive an assessment of whether EU database re-registration is triggered.

8. Penalties for Non-Registration: Article 99 Enforcement

Article 99 of the EU AI Act establishes the penalty framework for EU AI Act infringements. Non-registration is explicitly addressed in Article 99(4) — it is not a minor procedural oversight but a substantive infringement in its own right.

Article 99(3)

Non-registration of high-risk AI system (pre-market)

€15 million / 3% global turnover

Whichever is higher. No minimum threshold. Applies per system per infringement period.

Article 99(3)

Non-registration of GPAI model

€15 million / 3% global turnover

Same tier as high-risk AI system non-registration

Article 99(5)

Material inaccuracy in registration information

€7.5 million / 1.5% global turnover

Whichever is higher. Triggered by knowingly submitting incorrect information in any of the 15 required fields.

Article 99(4)

Failure to update registration after substantial modification

€15 million / 3% global turnover

Placing a substantially modified system on market without re-registration is treated as placing an unregistered system.

The EU AI Office has confirmed in its 2026 enforcement priorities that active monitoring of EU database registration compliance — including cross-referencing the database against commercial AI product registries and app stores — will begin immediately upon database launch. Organizations cannot assume that non-registration will go undetected in a world where EU AI Office investigators can compare the database against publicly marketed AI products.

9. TraceGov.ai Registration Automation Module

TraceGov.ai includes a dedicated EU AI database registration automation module that addresses the three most common registration failure points: missing prerequisite documentation, incorrect field population, and failure to detect substantial modification triggers.

Pre-registration readiness check

Verifies that all 11 prerequisite compliance steps (risk management, data governance, conformity assessment, declaration of conformity, CE marking) are complete before initiating registration. Prevents submission failures and rejection by the EU AI Office.

Auto-population from TRACE Score evidence package

Pulls data from the organization's compliance evidence repository to populate all 15 registration fields. Cross-validates populated data against EU AI Act article requirements before submission. Estimated time to complete a registration: under 30 minutes versus 4–6 hours manually.

Substantial modification monitoring

Monitors AI system change logs and flags any change that may trigger the Article 3(23) substantial modification threshold. Generates a modification assessment report recommending whether re-registration is required. Integrates with CI/CD pipelines via webhook.

Registration calendar and deadline alerts

Tracks registration deadlines for all AI systems in portfolio: pre-market launch dates, transitional registration windows for legacy systems, substantial modification re-registration deadlines. Automated alerts 60, 30, and 7 days before each deadline.

10. FAQ

When does the EU AI database go live for registration?+

The EU AI database is scheduled to become operational in Q3 2026, before the August 2, 2026 high-risk AI applicability date. Providers of high-risk AI systems already on the market before this date have six months from database launch to complete transitional registration.

Which organizations must register in the EU AI database?+

Three categories must register: (1) providers of high-risk AI systems under Annex III — mandatory pre-market; (2) providers of standard GPAI models under Article 53; (3) providers of systemic risk GPAI models under Article 55 with enhanced information requirements. Public sector deployers of certain Annex III systems also carry a registration obligation.

What information must be submitted in the registration form?+

The registration form contains 15 mandatory fields: provider legal identity, system name/version, intended purpose, risk classification, conformity assessment type, notified body details (if applicable), declaration of conformity reference, CE marking status, member states of deployment, serious incident history, technical documentation reference, post-market monitoring plan, human oversight mechanisms, intended user categories, and system lifecycle status.

What triggers a registration update obligation?+

Article 3(23) defines substantial modification as a change affecting compliance or modifying intended purpose. Triggers include: new training data changing output characteristics; architecture changes affecting accuracy or safety; expansion to new Annex III use case; change in intended user category. Cosmetic, infrastructure, and non-compliance-affecting changes do not trigger re-registration.

What are the penalties for non-registration under Article 99?+

Article 99(4) imposes fines of up to €15 million or 3% of global annual turnover (whichever is higher) for non-registration of high-risk AI systems and GPAI models. Material inaccuracies in registration information trigger the lower Article 99(5) tier: €7.5 million / 1.5% of global annual turnover.

Related Resources

→GPAI Compliance Guide →Foundation Model Providers: EU Obligations →GPAI Code of Practice EU 2025 →EU AI Act Compliance Guide

Automate Your EU AI Database Registration

TraceGov.ai's registration automation module checks prerequisites, populates all 15 registration fields from your compliance evidence, and monitors your portfolio for substantial modification triggers — so you register on time, every time.

Get Registration-Ready with TraceGov.ai →