Securiti Tops DSPM Ratings in GigaOm Report


Conformity Assessments Under the EU AI Act

Published May 8, 2024

Listen to the content

On 13 March 2024, the European Parliament formally adopted the European Union Artificial Intelligence Act (EU AI Act), which aims to ensure the protection of fundamental rights while simultaneously boosting innovation. To achieve this objective, the EU AI Act introduces, among other things, the obligations of conformity assessment and fundamental rights impact assessment. This blog provides an overview of these assessments and covers important aspects, including the entities responsible for carrying out these assessments, what should be included in these assessments, and when they should be carried out.

Conformity Assessment


Conformity assessment is the process of demonstrating whether the requirements set out in the EU AI Act (Chapter III, Section 2) relating to high-risk AI systems have been fulfilled.

These requirements are as follows:

  • Establishing, implementing, documenting, and maintaining a risk management system to address the risks posed by a high-risk AI system;
  • Implementing effective data governance (bias mitigation, etc.), which involves training, validating, and testing data sets;
  • Maintaining requisite up-to-date technical documentation in a clear and comprehensive manner;
  • Ensuring that high-risk AI systems technically allow for the automatic recording of events (logs) over the lifetime of the system;
  • Development and design of high-risk AI systems in such a way as to ensure that their operation is sufficiently transparent to enable deployers to interpret a system’s output and use it appropriately and to facilitate both providers and deployers in achieving compliance with their relevant obligations;
  • Development and design of high-risk AI systems in a manner that they can have proper human oversight during the period in which they are in use;
  • Development and design of high-risk AI systems in a manner that they maintain an appropriate level of accuracy, robustness and cybersecurity throughout their lifecycle.

Further, where a product contains an AI system that is also subject to the requirements of the EU harmonization legislation listed in Annex I - Section A of the Act, the providers shall be responsible for ensuring that their product is fully compliant with all applicable requirements under the applicable harmonization legislation. The EU harmonization laws create common standards for different products across the internal market. The EU harmonization laws listed in Annex I - Section A include laws on machinery, lifts, toys, personal protective equipment, medical devices, etc.

For an understanding of high-risk AI systems, please refer to Navigating the Future: How the EU AI Act Shapes AI Governance.

When Should a Conformity Assessment be Conducted?

A conformity assessment should be performed before a high-risk AI system is placed on the market or put into service.

Further, whenever a change occurs that may affect the compliance of a high-risk AI system with the EU AI Act or when the system's intended purpose changes, that AI system should undergo a new conformity assessment.

Who Needs to Conduct a Conformity Assessment?

Entity When is a Conformity Assessment Required?
Providers They place on the market or put into service a high-risk AI system.
Distributors, Importers, Deployers or other Third Parties They put their name or trademark on a high-risk AI system already placed on the market or put into service;

They make a substantial modification to a high-risk AI system in such a way that it remains a high-risk AI system; or

They modify the intended purpose of an AI system that has not been classified as high-risk in such a way that the AI system becomes high-risk.

Product Manufactures In the case of high-risk AI systems that are safety components of products covered by the EU harmonization legislation, the system is placed on the market or put into service under the name or trademark of the product manufacturer.


Types of Conformity Assessment

Conformity assessment procedures can be based on the following:

  • Internal control, without the involvement of a notified body; or
  • Assessment of the quality management system (QMS) and the technical documentation, with the involvement of a notified body.

Conformity Assessment based on Internal Control (Self Assessment)

As part of the conformity assessment procedure based on internal control, the provider is required to do this self-assessment to:

  • Verify that the established QMS for the high-risk AI system is in compliance with the requirements of Article 17 of the EU AI Act. These requirements include regulatory compliance, technical specifications, quality controls and testing, data management, risk management, monitoring, reporting, etc.;
  • Examine the information contained in the technical documentation in order to assess the compliance of the AI system with the relevant essential requirements for high-risk AI systems (Chapter III, Section 2 of the AI Act), as listed above; and
  • Verify that the AI system's design and development process and post-market monitoring, as referred to in Article 72, are consistent with the technical documentation.

Conformity Assessment based on Assessment of the Quality Management System and the Technical Documentation with the Involvement of a Notified Body

This conformity assessment procedure involves a notified body. A notified body is a conformity assessment body notified in accordance with the EU AI Act and other relevant EU harmonization legislation, which performs third-party conformity assessment activities, including testing, certification, and inspection.

The provider shall submit an application to a notified body for the assessment of the QMS for its high-risk AI system as per the requirements of Article 17 of the EU AI Act. The application of the provider shall contain details of, amongst other things, the list of AI systems covered under the same QMS, the technical documentation of those AI systems, the documentation concerning the QMS, and a description of the procedures in place to ensure that the QMS remains adequate and effective. Any changes to an approved QMS system shall be brought to the attention of the notified body. The approved QMS shall be subject to surveillance by the notified body.

Further, the provider shall also submit an application to a notified body for the assessment of the technical documentation related to the AI system. The application shall include the technical documentation necessary for the notified body to assess the compliance of the AI system with the relevant essential requirements for high-risk AI systems (Chapter III, Section 2 of the AI Act). The notified body shall be granted full access to the training, validation, and testing datasets used. The notified body may also require the provider to supply further evidence or carry out further tests and may directly carry out adequate tests. In exceptional circumstances, the notified body, upon a reasoned request, shall also be granted access to the training and trained models of the AI system.

Where the AI system is in conformity with the requirements for high-risk AI systems, an EU technical documentation assessment certificate shall be issued by the notified body. Any change to the AI system that could affect the compliance of the AI system with the EU AI Act’s requirements or its intended purpose shall be approved by the same notified body.

For assessment purposes, providers shall be required to allow the notified body to access the premises where the design, development, and testing of the AI systems is taking place and share with it all necessary information. The notified body shall carry out periodic audits to make sure that the provider maintains and applies the QMS and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which an EU technical documentation assessment certificate was issued.

For the purposes of this type of conformity assessment, the provider may choose any of the notified bodies. However, where the high-risk AI system is intended to be put into service by law enforcement, immigration or asylum authorities or by EU institutions, bodies, offices or agencies, the applicable market surveillance authority shall act as a notified body.

What Type of Conformity Assessment Should Be Carried Out?

Type of High-Risk AI System Type of Conformity Assessment Required
High-risk AI systems, as referred to in Annex III, except those used in biometrics.

These are AI systems listed in any of the following areas:

  • Critical infrastructure;
  • Educational and vocational training;
  • Employment, workers management, and access to self-employment;
  • Access to and enjoyment of essential private services and essential public services and benefits;
  • Law enforcement;
  • Migration, asylum, and border control management; and
  • Administration of justice and democratic processes.

For more details on these AI systems, please refer to Navigating the Future: How the EU AI Act Shapes AI Governance.

Conformity Assessment based on internal control.
High-risk AI systems used in biometrics, where the provider has applied harmonized standards or common specifications in demonstrating the compliance of a high-risk AI system with the requirements listed above. Either of the two procedures (at the option of the provider).
High-risk AI systems used in biometrics, however:

  • harmonized standards do not exist, and common specifications are not available;
  • the provider has not applied or has applied only in part the harmonized standards;
  • the common specifications exist, but the provider has not applied them; or
  • one or more of the harmonized standards have been published with a restriction and only on the part of the standard that was restricted.
Conformity Assessment based on the assessment of the QMS and the technical documentation, with the involvement of a notified body.
High-risk AI systems to which the laws listed in Annex I, section A (List of Union harmonization legislation based on the New Legislative Framework) apply. The relevant conformity assessment as required under the applicable harmonization law.

Deviation from the Conformity Assessment Procedure

The EU AI Act outlines specific scenarios where deviation from the normal conformity assessment procedure is permissible, and a high-risk AI system may be introduced to the market or put into operation even before the assessment process is completed. This exemption applies solely to cases involving public security, safeguarding life and health, environmental conservation, and protecting critical industrial and infrastructural assets.

How Securiti Can Help

Securiti is the pioneer of the Data + AI Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multicloud environments. The Data + AI Command Center provides organizations access to a cluster of individual modules and solutions designed to ensure compliance with major data and AI-related regulations.

The Compliance Management Platform is one such solution that seamlessly automates compliance via standard controls and tests.

With it, organizations can access a built-in library of compliance standards customized to their unique needs, leverage predefined tests for multiple frameworks, identify and address compliance issues efficiently with targeted guidance, tracking, and auto-remediation, and generate comprehensive reports for documentation and stakeholder information purposes, among other benefits.

Request a demo today and learn more about Securiti can help your organization comply with the various requirements of the EU’s AI Act.

Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You