EU AI Act Article 43: conformity assessment routes for high-risk AI

Article 43 of the EU AI Act sets the conformity assessment routes for high-risk AI systems. For most high-risk SaaS, internal-control self-assessment is sufficient. For specific cases (mainly biometric AI), a notified body must be involved. Understanding which route applies is critical for compliance planning, particularly given notified-body capacity constraints.

The two conformity assessment routes

Article 43(1) gives the choice of two routes for high-risk AI: (a) Annex VI internal control, where the provider self-assesses against the standards; or (b) Annex VII conformity assessment involving a notified body. Annex VI is available for most Annex III categories. Annex VII is required for high-risk systems in Annex III point 1 (biometric identification and categorisation) when harmonised standards do not yet exist or have not been fully applied.

Annex VI internal-control self-assessment

Under the Annex VI route, the provider assesses its own compliance against the relevant harmonised standards, common specifications, or other technical specifications. Required documentation: technical documentation under Article 11, evidence of a risk management system under Article 9, evidence of a quality management system under Article 17, and evidence of post-market monitoring under Article 72. The provider issues an EU declaration of conformity under Article 47 and affixes the CE marking under Article 48. No external party signs off.

Annex VII notified-body assessment

The Annex VII route requires a notified body (designated under Article 31) to assess the quality management system and the technical documentation. The notified body issues a certificate. For SaaS, this route is currently required mainly for biometric high-risk systems where harmonised standards are still being developed. Notified-body queues are 9 to 18 months in 2026 due to capacity constraints; plan accordingly.

Which route applies to which Annex III category

Annex III point 1 (biometric): an Annex VII notified-body assessment is required where harmonised standards are not yet available. Most other points: Annex VI self-assessment is permitted. The current state of harmonised standards (under development by CEN-CENELEC JTC 21) means most non-biometric high-risk SaaS can use the self-assessment route. The European Commission can change this through delegated acts as standards mature.

Practical compliance approach

For Annex VI self-assessment, build the technical documentation package early. Required elements: system description, design specifications, risk management documentation, training data documentation, accuracy and robustness test results, human oversight specifications, post-market monitoring plan. Engage with a compliance advisor (like Disclos) to validate that your documentation meets Annex VI requirements before the EU declaration of conformity is signed. For Annex VII, start notified-body engagement 9 to 18 months ahead of any product launch in the EU.

Frequently asked questions

When does Article 43 take effect?

2 August 2026 for most Annex III high-risk systems. Annex II safety-component AI follows the underlying harmonised legislation timeline.

Can I always use self-assessment?

No. Biometric high-risk systems under Annex III point 1 may require an Annex VII notified-body assessment. Other Annex III categories generally permit Annex VI self-assessment.

How long do notified-body assessments take?

Currently 9 to 18 months due to capacity constraints. Engage early.

What is CE marking?

Required marking under Article 48 for high-risk AI after conformity assessment. Indicates the system complies with EU AI Act requirements.

Can a single audit cover multiple high-risk systems?

Yes, if they share substantial design and quality management infrastructure. Each system needs its own technical documentation, but the QMS and processes can be shared.

Last updated: 2026-05-28