Definition: Conformity Assessment (EU AI Act)
Conformity assessment is the procedure required under the EU AI Act by which a provider verifies, documents, and demonstrates that a high-risk AI system meets the Regulation’s binding requirements before it is placed on the EU market or put into service.
Core characteristics of conformity assessment
The assessment is the provider’s own legal responsibility, not something a customer or deployer arranges after purchase. It must be completed, and its outcome documented, before the system reaches the market or goes live in production.
- Confirms that risk management, data governance, technical documentation, logging, and human oversight requirements are actually met
- Follows one of two routes: internal control under Annex VI, or third-party review under Annex VII
- Produces an EU declaration of conformity and is the legal precondition for CE marking
- Must be repeated whenever a substantial modification changes the system’s intended purpose or risk profile
Conformity assessment vs. CE marking
Conformity assessment is the process; CE marking is its visible outcome. A provider may affix the CE mark only after the assessment confirms the system meets all applicable requirements and the EU declaration of conformity has been signed. Mittelstand providers sometimes treat the CE mark as paperwork rather than evidence, but market surveillance authorities such as BSI can request the underlying technical file at any time. Applying the CE mark without a completed assessment is itself a violation of the EU AI Act, independent of whether the system actually performs safely.
Importance of conformity assessment in enterprise AI
Conformity assessment is the gate that decides whether a high-risk AI system can legally reach production in the EU, making it one of the most consequential AI compliance milestones a provider faces. Vision Compliance’s 2026 EU AI Act Readiness Report found that 78% of organizations had taken no meaningful compliance steps toward the requirement, and 61% had no process at all for generating the technical documentation the assessment depends on.
Methods and procedures for conformity assessment
Two structured routes cover nearly all high-risk AI systems, plus a documentation shortcut for standards-aligned providers.
Internal control assessment (Annex VI)
Most high-risk systems listed in Annex III (points 2 to 8) follow this self-assessment route, which does not involve a notified body.
- Establish and document a quality management system covering the AI system’s full lifecycle
- Compile technical documentation under Article 11, including design choices, training data, and test results
- Verify compliance internally, sign the EU declaration of conformity, and register the system in the EU database before market placement
Third-party assessment via notified body (Annex VII)
Remote biometric identification systems (Annex III point 1) and high-risk AI embedded as a safety component in a regulated product, such as machinery or medical devices already subject to third-party certification, require an independent notified body. The provider submits its quality management system and technical documentation to a body chosen from the EU’s official list; the notified body audits the documentation, tests the system where necessary, and issues a certificate before CE marking is permitted.
Harmonised standards and presumption of conformity
Article 40 grants a presumption of conformity to systems built against European harmonised standards, but most of those standards were still in draft through 2026, so providers largely document compliance directly against the Regulation’s text. Organizations already certified to ISO 42001 typically reuse most of that management system, records, and risk assessments directly inside the technical file, shortening the assessment considerably.
Important KPIs for conformity assessment
Tracking assessment progress requires indicators distinct from general compliance metrics.
Documentation and process coverage
- AI system inventory: percentage of marketed systems with completed risk classification
- Conformity assessment coverage: percentage of Annex III high-risk systems with a signed declaration of conformity
- EU database registration: percentage of assessed systems registered before market placement
- Technical file completeness: percentage of files containing every Article 11 element
Notified body engagement
For providers whose systems fall under Annex VII, tracking notified body engagement is a strategic KPI in its own right. Bitkom’s 2026 AI study found that affected German companies run an average of 1.5 high-risk AI systems each, yet 29% of respondents could not say how many high-risk systems they actually operate, a gap that makes it impossible to plan notified body capacity in advance.
Assessment quality
Internal audit teams should track how often technical documentation is returned for rework during self-assessment or notified body review. A high rework rate signals that documentation is being written to satisfy an internal checklist rather than the Article 11 requirements a supervisory authority will actually test against.
Risk factors and controls for conformity assessment
Choosing the wrong assessment route
The most common error is applying internal control (Annex VI) to a system that is actually a safety component of an Annex I regulated product, which instead requires notified body review under Annex VII.
- Confirm whether the system is a standalone Annex III use case or embedded in a regulated product
- Re-verify the classification whenever the product’s own certification module changes
- Document the routing decision with legal sign-off, not just an engineering judgment call
Notified body capacity bottleneck
Designation of notified bodies for AI Act assessments has lagged behind demand; through 2026 only a small number were fully accredited, creating queues for the systems that genuinely require Annex VII review. Providers that need third-party assessment should apply well ahead of any internal launch date rather than waiting until a deadline forces the issue, since notified body lead times are outside the provider’s control.
Vendor documentation gaps
Many Mittelstand providers embed a purchased foundation model or third-party component inside their own high-risk system. If that vendor cannot supply the model documentation Article 11 requires, the provider inherits the compliance gap and cannot complete its own assessment, regardless of how well its own code is documented. Procurement contracts for embedded AI components should now require conformity documentation as a standard deliverable, with AI liability allocated explicitly if the vendor’s documentation proves incomplete.
Practical example
A 140-employee HR-tech software vendor near Munich builds a candidate-ranking module that its customers use to pre-sort job applications, an Annex III employment use case. Before the Act, the module shipped with a feature changelog but no risk documentation and no formal quality management system. The team ran an internal control assessment under Annex VI: a cross-functional group mapped the ranking logic’s training data and scoring criteria, documented human override points for recruiters, and built the technical file structure required by Article 11.
- Quality management system covering the module’s design, testing, and update process
- Technical documentation package covering training data sources and scoring logic
- EU declaration of conformity signed and the system registered in the EU database
- Customer-facing conformity summary distributed to HR teams using the module
Current developments and effects
Three developments are reshaping how providers plan their conformity assessment work.
Digital Omnibus pushes the Annex III deadline to December 2027
The European Commission’s Digital Omnibus package, adopted in May 2026, postponed the compliance deadline for Annex III high-risk systems from August 2, 2026 to December 2027, citing unfinished harmonised standards and insufficient notified body capacity.
- Annex III high-risk obligations, including conformity assessment, now apply from December 2027
- Annex I high-risk products integrated into other regulated goods move to August 2028
- Article 50 transparency duties and Article 4 AI literacy obligations remain unaffected by the postponement
Notified body designation gathers pace
Regulators are accelerating the accreditation of notified bodies for Annex VII assessments, but capacity remains concentrated among a handful of organizations. Providers of remote biometric identification systems should expect longer lead times than the general market average until designation broadens.
German market surveillance under BSI
Germany’s BSI has confirmed it will act as the national market surveillance authority monitoring conformity assessment and CE marking compliance from August 2026, independent of the Annex III deadline extension. Providers should expect spot checks on technical documentation even while the broader enforcement grace period runs.
Conclusion
Conformity assessment converts the EU AI Act’s abstract requirements into a concrete, auditable procedure that a provider must complete before a high-risk system reaches the market. The Digital Omnibus extension to December 2027 buys planning time, not an exemption, since technical documentation, quality management, and human oversight still have to be built either way. Mittelstand providers that start the internal control process now, rather than waiting for the deadline, avoid both a compliance scramble and the notified body queues forming around the systems that require third-party review. Treating the assessment as a design discipline rather than a paperwork exercise is what makes the resulting CE mark defensible under audit.
Frequently Asked Questions
What triggers a conformity assessment under the EU AI Act?
A conformity assessment is triggered whenever a provider places a high-risk AI system on the EU market or puts it into service. This covers the eight use case categories in Annex III, such as employment, credit scoring, and biometric identification, as well as AI systems embedded as safety components in products already regulated under EU product law, such as machinery or medical devices.
Do we need a notified body, or can we self-assess?
Most Annex III systems (points 2 to 8) qualify for internal control under Annex VI, where the provider assesses its own compliance without external review. Only remote biometric identification systems and AI embedded in regulated products that already require third-party certification need a notified body under Annex VII.
What does a conformity assessment cost and how long does it take for a Mittelstand company?
Internal control assessments cost primarily internal time: documentation, quality management setup, and legal review, typically running several weeks to a few months depending on system complexity. Notified body assessments add external fees and audit scheduling, which can extend the timeline to several months given current capacity constraints. Companies already holding ISO 42001 certification generally complete internal control assessments faster because much of the documentation already exists.
Does the Digital Omnibus mean we can ignore conformity assessment until 2027?
No. The December 2027 deadline applies specifically to Annex III high-risk obligations; Article 50 transparency duties and Article 4 AI literacy requirements still apply on the original schedule. Providers that wait until the new deadline to start documentation work will face the same notified body queues and internal capacity constraints that the extension was meant to relieve.
How does conformity assessment relate to a DPIA?
A DPIA assesses privacy risk to individuals under GDPR Article 35, while conformity assessment verifies that an AI system meets the EU AI Act’s safety, documentation, and oversight requirements. The two run in parallel for systems that process personal data and qualify as high-risk, and much of the risk documentation, data flow maps, human oversight design, can be reused across both processes rather than built twice.
Do we need our own IT team to run a conformity assessment?
No. Most Mittelstand providers combine internal product and legal staff with an external partner for technical documentation and quality management setup. Companies like Superkind that build custom AI agents connected to enterprise systems already document data flows, access controls, and human override points as part of the underlying build, which gives a conformity assessment a ready-made evidence base rather than a blank page. Effective AI governance structures make this a repeatable process rather than a one-off project for each new system.