EU AI Act conformity assessment explained

Updated June 16, 2026 · By Max Langley, AI Audits EU

A conformity assessment is how you demonstrate that a high-risk AI system meets the EU AI Act's requirements before it goes on the market. Most systems are assessed through internal control, where the provider self-declares against documented evidence. Some, mainly certain biometric systems, need a notified body. Either way the result is a technical file, an EU declaration of conformity, CE marking, and registration in the EU database.

The two assessment routes

The first route is internal control. The provider checks the system against the Act's requirements using its own technical documentation and quality management system, then self-declares conformity. This covers most Annex III high-risk systems. The second route runs through a notified body, an independent organisation designated by a Member State to assess the system. This applies to a narrower set of categories. Which route you take is set by the system's category, not by choice.

What the assessment produces

Whichever route applies, the assessment ends with the same four things: the technical documentation (the technical file) that records the evidence, an EU declaration of conformity signed by the provider, CE marking on the system, and registration of the system in the EU database. The technical file is the working document; the other three depend on it and must be kept consistent with it.

How it differs from a FRIA and a DPIA

These are three different documents that can all apply to one system. A conformity assessment shows the system meets the AI Act's requirements and is the provider's responsibility. A fundamental rights impact assessment, required of certain deployers, examines the impact of using the system on people's fundamental rights in the deployer's specific context. A GDPR data protection impact assessment covers the risk to individuals from processing their personal data. Completing one does not satisfy the others.

When you repeat it

A substantial modification triggers a fresh assessment. Changing the system's intended purpose, or altering it in a way that affects compliance, counts. Retraining the model also counts unless that retraining was pre-determined by the provider at the initial assessment and described in the technical documentation, which the Act treats as not being a substantial modification. Routine updates that leave the system's behaviour and purpose unchanged generally do not. The safe habit is to treat any meaningful change as a prompt to revisit the technical file and record why the change did or did not require reassessment.

What is a conformity assessment under the EU AI Act?

It is the process of demonstrating that a high-risk AI system meets the Act's requirements before it is placed on the market. The output is technical documentation, an EU declaration of conformity, CE marking, and registration of the system in the EU database.

Internal control or notified body, which applies to me?

Most high-risk systems use internal control, where the provider assesses its own conformity against the documented requirements. Certain categories, mainly some biometric systems, require assessment by a notified body. The route depends on the system's category, not on your preference.

Is a conformity assessment the same as a FRIA or a GDPR DPIA?

No. A conformity assessment shows the system meets the AI Act's requirements. A fundamental rights impact assessment, required of some deployers, looks at the impact of using the system on people's fundamental rights. A GDPR data protection impact assessment covers personal-data risk. They can all apply to the same system and serve different purposes.

When do I have to repeat it?

After any substantial modification to the system. Changing the intended purpose, or altering the system in a way that affects compliance, requires a fresh assessment. Retraining does too, unless it was pre-determined at the initial assessment and documented in the technical file. Routine updates that do not change the system's behaviour or purpose generally do not.

Preparing for conformity assessment?

We help you build the technical file and, where a notified body is required, prepare you and coordinate with one. Tell us what you run.

This guide is general information, not legal advice. Confirm your obligations with qualified counsel.