Securiti AI Recognized as a Customers’ Choice For DSPM By Gartner Peer Insights


Article 43 of the EU’s AI Act: Conformity Assessment

Published July 4, 2024 / Updated July 8, 2024

Article 43 of the AI Act elaborates on the essential details related to conformity assessment.

For the high-risk AI systems, as mentioned in point 1 of Annex III, in cases where the provider has applied harmonized standards per Article 40 or common specifications per Article 41 to demonstrate compliance with the necessary requirements of this Regulation, the provider must opt for one of the following conformity assessment procedures based on:

  • The internal control, as referenced in Annex VI; or
  • The quality management system and technical documentation, assessed with the necessary involvement of the notified body.

To demonstrate compliance with the high-risk AI systems requirements established per this Regulation, the provider must follow the conformity assessment procedures described in Annex VII where:

  • Harmonized standards referenced in Article 40 do not exist, and common specifications referenced in Article 41 are not available;
  • The provider has not applied or only applied certain parts of the harmonized standard;
  • The common specifications referenced in Article 41 are available, but the provider has not applied them;
  • One or more harmonized standards, as referenced in Article 40, have been published with a restriction, and only on the part of the standard that was restricted.

For purposes of a conformity standard procedure, as referenced in Annex VII, the provider can choose any of the notified bodies. However, if the high-risk AI system is to be used by law enforcement, immigration, asylum authorities, or any Union institutions, bodies, offices, or agencies, the market surveillance authority, as referred to in Article 74, will act as the notified body.

For high-risk AI systems referred to in points 2 to 8 of Annex III, the providers must follow the conformity assessment procedure based on the internal control referenced in Annex VI, where a notified body is not involved.

Similarly, for high-risk AI systems covered by the Union harmonization legislation, as referenced in section A of Annex I, the provider must follow the relevant conformity assessment procedure required under those legal acts. Other relevant requirements established per this Regulation and Annex VII will also apply and be part of the assessment. For such assessments, notified bodies that will have been notified under those legal acts will be entitled to control the conformity of the high-risk AI systems with the relevant requirements established per this Regulation, provided that the notified bodies comply with the requirements established under Article 31 while also being assessed for their compliance within the context of the notification procedure per those legal acts.

In cases where a legal act in Annex I enables a product manufacturer to opt-out from a third-party assessment, provided that the manufacturer has applied all harmonized standards covering the relevant requirements, the manufacturer may use that option only if it has also applied the harmonized standards or the common specifications as referenced in Article 41.

In case of a substantial modification, high-risk AI systems that have already been subjected to a conformity assessment procedure must undergo a new conformity assessment procedure, regardless of whether the modified systems are intended for further distribution or will continue to be used by the current deployer.

In the case of high-risk AI systems that continue to learn after being placed on the market or put in service, changes to the high-risk AI system and its performance that were pre-determined by the provider at the time of the initial conformity assessment and are part of the technical documentation referenced in Annex IV, will not be considered a substantial modification.

The Commission can adopt delegated acts as per Article 97 to update Annexes VI and VII to account for technical progress.  It also has the authority to adopt delegated acts under Article 97 to modify paragraphs 1 and 2 of this Article, thereby extending the conformity assessment procedure outlined in Annex VII (or parts of it) to high-risk AI systems listed in points 2 to 8 of Annex III.

The effectiveness of such a procedure must be taken into account based on internal control referred to in Annex VI in preventing or mitigating the risks to health, safety, and protection of fundamental rights posed by such systems while also taking into account the availability of adequate capacities and resources by notified bodies.


Join Our Newsletter

Get all the latest information, law updates and more delivered to your inbox


More Stories that May Interest You