Article 17: Quality Management System | EU AI Act

Article 17 of the AI Act provides useful information about organizations' obligations to have an appropriate quality management system in place.

Per this Article, providers of high-risk AI systems must have a quality management system in place. This system must be systematically documented through written policies, procedures, and instructions and must include at least the following aspects:

• A strategy for regulatory compliance that includes compliance with the necessary conformity assessment procedures and procedures for the management of any recommended modifications to high-risk AI systems;
• Appropriate techniques, procedures, and actions to be used for the design  design control and verification of the high-risk AI system;
• Appropriate techniques, procedures, and systemic actions to be used for the development, quality assurance and control of high-risk AI systems;
• A mechanism to examine, test, and validate procedures before, during, and after the development of high-risk AI systems;
• Technical specifications, standards that are to be applied, and, where relevant harmonized standards are not applied in full or do not cover all relevant requirements established in Section 2, the means to be used to ensure that high-risk AI systems being used do comply with such requirements;
• Appropriate systems and procedures for data management, including data acquisition, data collection, data analysis, data labeling, data storage, data filtration, data mining, data aggregation, data retention, and other relevant operation  performed before the high-risk AI system is put on the market;
• The risk management system, as discussed in Article 9;
• The establishment, implementation, and maintenance of a post-market monitoring system per the requirements set forth under Article 72;
• Necessary procedures per Article 73 related to the reporting of a serious incident;
• Measures to handle communication with national competent authorities and other relevant authorities, providing access to data, notified bodies, operators, and customers or other interested parties;
• Systems and procedures necessary for record-keeping of all relevant documentation;
• Resource management;
• An accountability framework stating the responsibilities of management and other staff.

All of the aforementioned aspects must be adopted proportionate to the size of the provider’s organization while still ensuring compliance of high-risk AI systems with the AI Act. Additionally, providers of high-risk AI systems subject to quality management system obligations under the relevant sectoral Union laws may integrate the aspects discussed above into their quality management systems.

Lastly, financial institutions subject to internal governance, arrangements, or process requirements under Union financial services law can fulfill the requirement for a quality management system, with some exceptions, by adhering to the internal governance rules of the Union financial services laws. Harmonized standards mentioned in Article 40 should be considered in this context.