EU AI Act Conformity Assessment: Article 43 Procedures for High-Risk AI Systems

16 min read | Updated March 22, 2026

Bottom Line Up Front

EU AI Act Article 43 requires providers of high-risk AI systems to complete conformity assessment before placing systems on the EU market. Two procedures exist: Annex VI (internal control, self-certification) for most categories, and Annex VII (third-party notified body audit) for biometric systems or when harmonised standards are not applied. Without a CE mark after August 2, 2026, high-risk AI systems cannot legally be sold in the EU.

The EU Medical Device Regulation entered full application in May 2021. By the deadline, 20% of medical devices had achieved certification. Queues at notified bodies stretched 18 months. Audit costs tripled. The industry had five years to prepare. It was not enough.

The EU AI Act conformity assessment deadline arrives August 2, 2026. As of February 2026, 14 of 27 Member States have not designated a competent authority. The notified body designation system only went live six months ago. The first harmonised standard (prEN 18286 for quality management) has not exited public enquiry. The European Association of Medical Devices Notified Bodies has warned that a shortage of qualified assessors could “massively hinder” AI regulation [RAPS Euro Roundup, Oct 2025]. The structural conditions are the Medical Device Regulation repeated, with fewer assessors and less mature standards.

Article 43 defines the conformity assessment architecture. Two procedures. A decision tree governed by system category and standards application. A CE marking requirement without which market access is blocked. The compliance engineering starts with understanding which path applies and how long it takes.

EU AI Act conformity assessment (Article 43) requires providers of high-risk AI systems to demonstrate compliance before EU market placement. Most systems follow Annex VI internal control (self-certification). Biometric AI systems use Annex VII third-party assessment by a notified body. Both paths produce an EU Declaration of Conformity and require CE marking. Certificate validity is four years for standalone systems, five years for AI embedded in regulated products.

Which Conformity Assessment Procedure Applies Under Article 43?

Article 43 establishes two assessment paths. Which path applies depends on the system category and whether the provider has applied harmonised standards. Most organizations will self-certify. Biometric providers face mandatory external audit until standards finalize.

Annex VI: Internal Control (Self-Certification)

The lighter-weight path. The provider assesses their own compliance without external certification body involvement. Three verification steps are required. First: verify that the Quality Management System complies with Article 17 requirements. Second: examine the technical documentation per Annex IV to confirm it reflects actual system design and meets all Chapter 2 requirements (risk management, data governance, transparency, human oversight, accuracy, robustness, cybersecurity). Third: verify consistency between the documentation and the system as actually built and monitored.

The output is an EU Declaration of Conformity (self-issued) and a CE mark affixed to the system or its documentation. Both must be retained for 10 years and made available to national authorities on request. Annex VI is the default path for Annex III, points 2-8: critical infrastructure, education, employment, essential services, law enforcement profiling, migration, and justice. Expect 200-500 pages of technical documentation per system.

Annex VII: Third-Party Assessment (Notified Body)

The heavier path. A notified body conducts the entire assessment in three parts. Part 1: evaluate and approve the QMS. Part 2: review the technical documentation with full access to training data, validation datasets, and model parameters (via API or remote access). Part 3: conduct ongoing surveillance through periodic (typically annual) audits to verify the QMS remains effective. The notified body issues an EU Technical Documentation Assessment Certificate valid for a maximum of four years (Annex III systems) or five years (Annex I regulated products), renewable through reassessment.

Annex VII is mandatory for biometric AI systems (Annex III, point 1) when harmonised standards have not been fully applied. The provider also receives this assessment if common specifications were not applied, standards were published with restrictions, or the provider deviated from available standards. A special provision applies to law enforcement: when the system is intended for law enforcement, immigration, or asylum authorities, the market surveillance authority acts as the notified body.

Existing Product Safety Legislation (Annex I Systems)

AI systems embedded in products already covered by EU product safety law (medical devices under the MDR, machinery under the Machinery Regulation, vehicles, toys, radio equipment) follow the conformity assessment procedure of the existing law. Article 43(3) incorporates the AI Act Chapter 2 requirements into those existing assessments. The existing notified bodies under those directives handle the assessment, provided they meet AI Act-specific competency requirements [EU AI Act Art. 31]. This means a medical device notified body assessing an AI-powered diagnostic tool conducts a combined MDR and AI Act conformity assessment.

Seven dimensions separate the two primary procedures. The table below maps each one.

| Dimension | Annex VI (Internal Control) | Annex VII (Notified Body) |
|---|---|---|
| Who assesses | Provider self-certifies | Notified body conducts external audit |
| Default for | Annex III, points 2-8 (non-biometric) | Annex III, point 1 (biometrics) when standards not applied |
| Timeline | 3-6 months (with established QMS) | Additional 2-4 months for notified body review |
| Certificate | EU Declaration of Conformity (self-issued) | EU Technical Documentation Assessment Certificate + Declaration |
| Ongoing surveillance | Self-monitoring via post-market plan | Periodic audits by notified body |
| CE marking | Required | Required with notified body ID number |

Determine which conformity assessment procedure applies to each of your high-risk AI systems. Step 1: If covered by existing product legislation (Annex I), follow that procedure. Step 2: If biometric (Annex III, point 1) and harmonised standards not fully applied, use Annex VII. Step 3: All other Annex III categories, use Annex VI. Document the classification rationale as the first artifact in your conformity assessment evidence package.

Which Procedure Applies: The Decision Tree

The most common mistake in EU AI Act conformity assessment preparation is applying the wrong procedure. The decision tree is straightforward but contains a critical trap that affects every biometric AI provider as of February 2026.

The Decision Tree in Practice

Start with classification. If the system is not high-risk, Article 43 does not apply. If the system is covered by Annex I product safety legislation (medical devices, machinery, vehicles), follow the existing conformity assessment procedure for that product category. AI Act Chapter 2 requirements are incorporated into the existing assessment.

If the system is in Annex III, the category number determines the path. Point 1 (biometrics: remote biometric identification and emotion recognition) triggers a conditional choice. If the provider has fully applied harmonised standards or common specifications, the provider chooses between Annex VI and Annex VII. If standards are not fully applied, or do not exist, Annex VII (notified body) is mandatory. Points 2 through 8 (everything else: critical infrastructure, education, employment, essential services, law enforcement, migration, justice) use Annex VI internal control. No notified body involvement required.

The Harmonised Standards Trap

As of February 2026, no harmonised standards for the EU AI Act have been published in the Official Journal. The first standard to approach readiness is prEN 18286 (quality management system), which reached public enquiry in January 2026. The full suite of AI Act standards from CEN/CENELEC JTC 21 is expected in Q4 2026. CEN and CENELEC Boards adopted acceleration measures in October 2025, allowing direct publication after a positive enquiry vote. The timing remains tight.

The practical consequence: biometric AI system providers currently cannot apply harmonised standards. The lighter Annex VI path is locked. Until standards are finalized and cited in the Official Journal, every biometric AI system must go through Annex VII third-party assessment. This affects facial recognition, voice authentication, emotion recognition, and any system performing remote biometric identification.

The Substantial Modification Trigger

Article 43(4) addresses what happens after initial conformity assessment. A substantial modification triggers a new assessment, even if the system stays with the same deployer. This applies to architecture changes, use-case expansions, significant model retraining, and feature additions that change system behavior.

One important exception protects continuous-learning systems: changes predetermined by the provider at initial conformity assessment and documented in the technical documentation (Annex IV, point 2(f)) do not constitute substantial modifications. If you design your system to learn within documented parameters, document those parameters upfront. Post-hoc claims that a change was “predetermined” will not survive audit scrutiny.

Biometric AI providers are locked into Annex VII (third-party assessment) until harmonised standards publish. The timeline for standard publication is Q4 2026 at earliest, after the August 2, 2026 compliance deadline for high-risk systems. Plan for Annex VII. Do not wait for the lighter path to open.

For each high-risk AI system, run the decision tree and document four items: (1) the high-risk classification rationale citing Article 6, (2) the applicable Annex category (Annex I, Annex III point 1, or Annex III points 2-8), (3) the harmonised standards applicability status, and (4) the selected procedure (Annex VI or VII). Store this as the first document in your conformity assessment evidence package. Revisit quarterly as standards development progresses.

Are There Enough Notified Bodies for AI Act Assessment?

No. As of February 2026, the notified body network barely exists. Fourteen of 27 Member States have not designated a single authority. Organizations requiring Annex VII assessment face a structural bottleneck with no short-term resolution, and queue projections of 12-18 months mirror the Medical Device Regulation crisis.

Member State Readiness

Three Member States have designated both notifying and market surveillance authorities. Ten have pending legislative proposals or have appointed one authority. Fourteen have designated nothing [artificialintelligenceact.eu, National Implementation Plans]. The deadline for competent authority designation was August 2, 2025. It passed. The NANDO database (the EU registry of notified bodies) shows minimal AI Act designations. Without designated notifying authorities, conformity assessment bodies cannot apply for notified body status. Without notified bodies, Annex VII assessments cannot proceed.

The MDR Precedent

The Medical Device Regulation provides a cautionary parallel. Only 20% of devices achieved certification by the MDR deadline. Queues reached 18 months. Costs tripled during the rush period. The MDR had an established network of 37 notified bodies built over decades. The AI Act starts from near zero with fewer assessors, less mature standards, and a shorter runway.

By February 2026, organizations should expect 12-18 month minimum queues for third-party assessment [Modulos analysis, 2026]. Organizations starting conformity assessment preparations in June 2026 will likely not achieve market access until late 2027 or 2028. Consulting rates are expected to increase 50-70% as the August deadline approaches.

Mitigation Strategies

Organizations requiring Annex VII: begin immediately. Select a notified body early. Prepare documentation in parallel with the application process. Organizations eligible for Annex VI: self-certify, but prepare your evidence to Annex VII standards. The European Commission retains delegated authority [EU AI Act Art. 43(6)] to extend mandatory third-party assessment to any Annex III category if internal control proves insufficient. Building to the higher standard protects against regulatory escalation.

All organizations: use existing certifications as your foundation. ISO 42001, ISO 9001, or ISO 27001 infrastructure provides a reusable QMS base, with time savings on QMS establishment estimated at 30-40%. The investment in existing certifications pays a direct dividend in AI Act preparation.

The notified body bottleneck is the most underestimated risk in EU AI Act compliance. Organizations plan for documentation and testing timelines. Few plan for a 12-18 month queue to get their documentation reviewed. Start the assessment process before the documentation is complete. Notified bodies accept applications during preparation.

If your systems require Annex VII assessment: check the NANDO database today for designated notified bodies in your jurisdiction. Contact at minimum two bodies for availability and timeline quotes. Expect 12-18 month queues. If eligible for Annex VI: build your evidence to Annex VII standards. The Commission’s delegated authority to extend third-party requirements means the lighter path is not guaranteed to remain available.

Market Access: Declaration, CE Marking, and EU Database Registration

Conformity assessment produces three deliverables. Without all three, the system cannot legally access the EU market after August 2, 2026. Authorities enforce with fines up to EUR 30 million or 6% of global revenue.

EU Declaration of Conformity

Article 47 requires a written, machine-readable, physically or electronically signed declaration for each high-risk AI system. Required content per Annex V: system identification (name, type, unique reference), provider identification (name, address), a sole responsibility statement, a conformity statement affirming compliance with the AI Act and applicable EU law, a GDPR compliance statement where personal data is processed, references to harmonised standards or common specifications applied, notified body details (if applicable), and the signatory’s name, function, and signature.

The declaration must be translated into the languages of Member States where the system is marketed. It must be retained for 10 years after market placement. It must be updated when the system undergoes substantial modification. Where the AI system is also subject to other EU law requiring a declaration (medical devices, machinery), a single combined declaration covering all applicable laws is permissible.

CE Marking

The CE mark must be affixed visibly, legibly, and indelibly to the high-risk AI system [EU AI Act Art. 48]. For software-based AI, this means the CE mark appears in the user interface, documentation, or packaging. Where Annex VII (third-party assessment) was used, the CE marking includes the notified body’s identification number. Where the AI system is also subject to other EU legislation requiring CE marking, the mark indicates compliance with all applicable laws.

Without a CE mark after August 2, 2026, a high-risk AI system cannot legally be sold in the EU. Market surveillance authorities have the power to force product withdrawal. The penalties for non-compliance with CE marking requirements are severe.

EU Database Registration

Article 49 requires providers to register themselves and their systems in the EU database before market placement. Public sector deployers must register before putting the system into service. Required information per Annex VIII includes provider contact details, system name and purpose, description of data used, system status, and certification details. High-risk AI systems in law enforcement, migration, asylum, and border control are registered in a secure, non-public section accessible only to the Commission and designated national authorities.

  • EU Declaration of Conformity drafted per Annex V with all mandatory content fields
  • Declaration translated into required Member State languages
  • CE mark placement determined: user interface, packaging, or documentation
  • Notified body identification number included on CE mark (if Annex VII was used)
  • EU database registration completed before market placement
  • Post-market monitoring system activated per Article 72
  • Incident reporting procedures established per Article 73 (15-day window)
  • 10-year document retention policy in place

Create a three-gate completion checklist. Gate 1: Declaration drafted per Annex V with all mandatory content fields completed, reviewed by legal, and signed by an authorized representative. Gate 2: CE mark placement determined and applied, with notified body ID if applicable. Gate 3: EU database registration completed before any market placement or service deployment. Assign a single owner responsible for all three gates. No system ships without sign-off on all three.

Preparation Checklist: Six Phases to Assessment

End-to-end conformity assessment preparation takes 8-12 months from scratch. Organizations with existing ISO frameworks reduce this to 5-8 months. The phases below map to the timeline remaining before August 2, 2026.

Phase 1-2: Classification, Scoping, and QMS (Months 1-5)

Build a complete AI system inventory including third-party tools and shadow AI. Classify each system against Article 6. Determine the applicable procedure via the decision tree above. Establish a Quality Management System per Article 17 covering: regulatory compliance strategy, design and development processes, data management, risk management, change management (critical: distinguish “substantial” from minor modifications), incident reporting, record-keeping, and accountability framework. Build on existing ISO 42001, ISO 9001, or ISO 27001 infrastructure for 30-40% time savings.

Phase 3-4: Documentation and Testing (Months 3-7)

Compile Annex IV technical documentation. Expect 200-500 pages per system covering system description, architecture, data governance, risk management, testing results, and the post-market monitoring plan. Execute the Article 9 risk management system. Implement Article 14 human oversight measures. Test against prior defined metrics [EU AI Act Art. 9(8)]. Establish the Article 72 post-market monitoring plan.

Phase 5-6: Assessment Execution and Market Access (Months 6-12)

For Annex VI: systematic internal verification across the three required steps. For Annex VII: submit QMS and technical documentation applications to the notified body, provide dataset and model access, address any non-conformities identified, receive the EU Technical Documentation Assessment Certificate. Both paths conclude with: issue the EU Declaration of Conformity, affix CE marking, complete EU database registration, and activate post-market monitoring and incident reporting operations.

The investment case is straightforward. Mid-size companies spend EUR 2-5 million on preparation; large enterprises spend EUR 8-15 million. The penalty for non-compliance with high-risk obligations is up to EUR 15 million or 3% of global turnover, and the penalty ceiling for prohibited practices reaches EUR 35 million or 7%. Preparation costs less than a single enforcement action.

Build a 12-month project plan with the six phases above. Assign executive sponsorship with budget authority. This is a board-level risk, not a project management exercise. Key decisions for month 1: Which systems are in scope? Which procedure applies? What existing certifications accelerate preparation? Present these answers at the next board meeting with a budget request tied to penalty exposure. Do not wait for harmonised standards. Build on the regulation text. Adjust when standards publish.

Conformity assessment is where governance meets engineering meets legal obligation. The organizations best positioned are those with existing quality management infrastructure, whether from ISO 42001, ISO 9001, or medical device certification experience. The organizations most exposed are those building high-risk AI without a systematic quality framework, treating compliance as a documentation project instead of an engineering discipline. The notified body bottleneck is real, the standards delay is structural, and the penalties are enforceable. Start the classification exercise this month.

Frequently Asked Questions

What is EU AI Act conformity assessment?

Article 43 defines the mandatory procedures providers of high-risk AI systems must complete to prove compliance before EU market placement. Two paths exist: Annex VI internal control (self-certification for most categories) and Annex VII third-party audit by a notified body (mandatory for biometrics when standards are not applied).

Which AI systems require third-party conformity assessment?

Biometric AI systems (Annex III, point 1) require Annex VII third-party assessment when harmonised standards are not fully applied. As of February 2026, no harmonised standards have been published, making Annex VII mandatory for all biometric systems until standards finalize.

What is the difference between Annex VI and Annex VII?

Annex VI (internal control) allows providers to self-certify through internal QMS verification and documentation review. Annex VII requires external audit by a notified body with full access to training data, validation datasets, and model parameters. Both produce a CE mark and EU Declaration of Conformity.

Do I need a CE mark for my AI system?

After August 2, 2026, high-risk AI systems without CE marking cannot legally be sold or deployed in the EU. The CE mark confirms the system has undergone conformity assessment and meets all applicable requirements. Without it, authorities enforce market withdrawal.

How long does conformity assessment take?

Internal assessment (Annex VI) takes 3-6 months with an established QMS. Third-party assessment (Annex VII) adds 2-4 months for notified body review, plus current queue times of 12-18 months. End-to-end preparation from scratch takes 8-12 months before the assessment itself begins.

What triggers a new conformity assessment?

A substantial modification to a previously assessed system triggers full reassessment. This includes architecture changes, use-case expansion, significant model retraining, and feature additions that alter system behavior. Changes predetermined and documented at initial assessment are exempt.

Are there enough notified bodies for AI Act conformity assessment?

No. As of February 2026, most Member States have not designated notified bodies. The European Association of Medical Devices Notified Bodies has warned of capacity shortages. Industry projections indicate 12-18 month queues, mirroring the Medical Device Regulation bottleneck where only 20% of devices achieved certification by deadline.

How does ISO 42001 relate to conformity assessment?

ISO 42001 certification supports the QMS requirements under Article 17 and accelerates preparation by 30-40%. It demonstrates governance maturity. It is not equivalent to conformity assessment and does not replace CE marking, the EU Declaration of Conformity, or EU database registration.

Josef Kamara, CPA, CISSP, CISA, Security+
Former KPMG and BDO. Senior manager over third-party risk attestations and IT audits at a top-five global firm, and former technology risk leader directing the IT audit function at a Fortune 500 medical technology company. Advises growth-stage SaaS companies on SOC 2, HIPAA, and AI governance certifications.