The conformity assessment is the gate every high-risk AI system must pass before it can be placed on the European market. It is the procedure by which a provider demonstrates that a high-risk system meets all of the EU AI Act’s requirements — from risk management and data governance to documentation, transparency, human oversight, and robustness. Because it must be completed before market entry, the conformity assessment is the point at which all of the preceding compliance work is brought together and verified.
What the assessment checks
A conformity assessment is not a single test but a verification that the high-risk system satisfies the full set of requirements the Act imposes. That means confirming a functioning risk-management system, appropriate data-governance practices, complete and up-to-date technical documentation, automatic logging, sufficient transparency for deployers, effective human oversight, and an appropriate level of accuracy, robustness, and cybersecurity. In effect, the assessment is where the provider proves that the system was built to the Act’s standard rather than merely claiming it was.
Two routes: internal control and notified body
The Act provides two main assessment routes. The first, internal control, is a self-assessment in which the provider itself verifies conformity against the requirements — the route available for most Annex III high-risk systems. The second involves an independent third party, a notified body, which examines the system and its documentation; this route applies to certain systems, notably some involving biometrics, and to systems regulated under existing product-safety law. Knowing which route applies is an early and important determination for any provider.
The role of harmonised standards
Conformity assessment is made more practicable by harmonised standards. When a provider builds and tests a system in line with the relevant European harmonised standards, it benefits from a presumption of conformity with the corresponding requirements. This is why standards matter so much in practice: they translate the Act’s high-level requirements into concrete, testable specifications, and following them is the most reliable way to demonstrate compliance during the assessment.
Technical documentation
At the heart of any conformity assessment is the technical documentation. The Act requires high-risk providers to compile detailed documentation — covering the system’s design, development, intended purpose, data, risk-management measures, and performance — sufficient to demonstrate conformity. This documentation is not a formality produced at the end; it is the evidentiary backbone of the assessment, and it must be kept current throughout the system’s life. Assembling it well in advance is one of the most demanding parts of the high-risk programme.
Declaration of conformity and CE marking
A system that passes its conformity assessment is recorded in an EU declaration of conformity — a formal statement by the provider that the system meets the Act’s requirements — and may then bear the CE marking. The CE marking signals, as it does for many other regulated products in Europe, that the product conforms to applicable EU law. For high-risk AI, it is the visible outcome of the entire compliance effort and a precondition for lawful placement on the market.
Registration in the EU database
Beyond the declaration and marking, providers of most high-risk systems must register the system in an EU database before placing it on the market. This registration supports transparency and oversight, giving authorities and, in part, the public visibility into the high-risk systems in use across the Union. It is a distinct step from the assessment itself, and overlooking it is a compliance gap even where the underlying assessment was sound.
Substantial modifications
A conformity assessment is tied to the system as assessed. If the provider later makes a substantial modification — a change that affects the system’s compliance or alters its intended purpose — a fresh assessment may be required. This has practical consequences for how AI systems are maintained and updated: significant changes cannot simply be shipped, because they may reopen the conformity question. Deployers, too, should be aware that modifying a system can shift responsibilities onto them.
Post-market obligations
Passing the conformity assessment is not the end of the provider’s duties. High-risk providers must operate a post-market monitoring system, watching how the system performs in the field and feeding what they learn back into the risk-management process. They must also report serious incidents. The conformity assessment certifies the system at the point of market entry; the post-market obligations ensure it continues to meet the standard as it operates in the real world.
Why timing is everything
Because the conformity assessment must be completed before a high-risk system is placed on the market, all of the underlying work — risk management, data governance, documentation, testing — has to be substantially finished beforehand. Providers who treat compliance as a post-launch activity discover that they cannot lawfully launch at all. This is the single strongest argument for beginning the high-risk programme early, well ahead of the relevant deadline in the Act’s timeline.
What organisations should do
The practical path begins with two determinations: confirming the system is high-risk, and identifying the applicable assessment route. From there, the provider builds the required management systems and technical documentation, aligns with harmonised standards where available, completes the assessment, issues the declaration of conformity, applies the CE marking, and registers the system — then maintains it all through post-market monitoring. Innopulse helps DACH providers structure this end-to-end, so the conformity assessment is the confirmation of work already done rather than a scramble before launch.
Conclusion
The conformity assessment is the market-entry gate for high-risk AI under the EU AI Act: the procedure that verifies a system meets every requirement, via internal control or a notified body, and culminates in a declaration of conformity, the CE marking, and registration. It rests on thorough technical documentation and is followed by ongoing post-market duties. Because it must be complete before launch, it is the clearest reason to start high-risk compliance early — the assessment can only certify work that has already been done.