AI Act

AI Act Conformity Assessment: Step-by-Step Compliance Guide

113 days until AI Act conformity assessment deadline (2026-08-02)
Intelligence Briefing


1. What the Regulation Requires and Who It Applies To

The EU AI Act (Regulation (EU) 2024/1689) establishes a risk-based framework for AI systems, with conformity assessment requirements tied to risk classification. Key obligations and scope are defined in Articles 8–15 (high-risk systems) and Annex III (risk categories).

Applicability
  • All AI systems placed on the EU market or used in the EU, regardless of provider location (Article 2).
  • High-risk AI systems (e.g., biometric identification, critical infrastructure management, employment screening) require mandatory conformity assessment (Article 43).
  • Limited-risk systems (e.g., chatbots, deepfakes) face transparency obligations (Article 52).
  • Minimal-risk systems (e.g., spam filters) are largely unregulated but may adopt voluntary codes of conduct.
Core Requirements for High-Risk AI (Articles 8–15)
  • Risk management system (Article 9): Continuous identification, evaluation, and mitigation of risks.
  • Data governance (Article 10): High-quality training, validation, and testing datasets, with documentation of data sources and biases.
  • Technical documentation (Article 11): Comprehensive records for authorities, including design choices, performance metrics, and post-market monitoring plans.
  • Transparency and user information (Article 13): Clear instructions, warnings, and human oversight mechanisms.
  • Accuracy, robustness, and cybersecurity (Article 15): Measures to ensure resilience against attacks and errors.
Conformity assessment (Article 43) involves:
  • Internal control (for most high-risk systems): Self-assessment by providers, with technical documentation reviewed by national authorities.
  • Third-party conformity assessment (for certain high-risk systems, e.g., Annex III Category 1): Involvement of notified bodies (designated by EU member states).
  • EU Declaration of Conformity: Mandatory for high-risk systems before market placement (Article 48).

2. Enforcement Precedents

As of the compliance deadlines (see [ai_office]), no AI Act-specific enforcement cases have been documented. However, GDPR enforcement actions (cited below) provide a precedent for how data-related AI violations may be penalized under overlapping frameworks:

| Country | Case ID | Authority | Fine | Relevance to AI Act |
|---------|---------|-----------|------|---------------------|
| France | ETid-1891 | CNIL | €150,000 | Data governance failures in AI systems |
| Germany | ETid-27 | Baden-Württemberg DPA | €80,000 | Financial sector AI with inadequate transparency |
| Belgium | ETid-1118 | APD | €20,000 | Public-sector AI with poor risk management |
| Spain | ETid-3055 | AEPD | €10,000 | SME AI system with insufficient documentation |
| Belgium | ETid-479 | APD | €1,500 | Minor AI-related data processing violation |

Key Takeaway: While no AI Act fines exist yet, data protection authorities (DPAs) are leveraging GDPR for AI-related violations, suggesting that non-compliance with AI Act data governance (Article 10) or transparency (Article 13) may trigger parallel enforcement.


3. Practical Compliance Steps

For Providers of High-Risk AI Systems
  • Classify your AI system (per [ai_office] Risk Classification guidance):
    - Use Annex III to determine if your system is high-risk (e.g., medical devices, critical infrastructure).
    - Document the classification rationale for authorities.

  • Implement a risk management system (Article 9):
    - Conduct risk assessments at all stages (design, training, deployment).
    - Establish post-market monitoring (Article 61) to track performance and incidents.

  • Ensure data governance (Article 10):
    - Audit training datasets for bias, completeness, and relevance.
    - Maintain records of data sources, preprocessing steps, and validation results.

  • Prepare technical documentation (Article 11):
    - Compile a dossier covering:
      - System architecture and algorithms.
      - Performance metrics (accuracy, robustness).
      - Human oversight procedures.
    - Align with harmonized standards (once published by the Commission).

  • Conduct conformity assessment (Article 43):
    - For internal control systems: Self-assess and compile the EU Declaration of Conformity.
    - For third-party assessed systems: Engage a notified body (e.g., for Annex III Category 1 systems like biometric identification).

For Limited-Risk Systems
  • Implement transparency measures (Article 52), such as:
    - Disclosing AI-generated content (e.g., deepfakes).
    - Providing user-friendly interfaces for opt-out mechanisms.


**4. Cross-B

Cross-Reference Intelligence
| Article | Citations | Top Countries | Most Co-Cited |
|---------|-----------|---------------|---------------|
| Article 40 | 7 | IT (3), AT (1), DE (1) | GDPR Art. 46, GDPR Art. 5(2), GDPR Art. 24 |
| Article 41 | 3 | AT (3) | GDPR Art. 57(1)(p), GDPR Art. 57(1)(q), GDPR Art. 70(1)(n) |
| Article 42 | 2 | GB (1), IT (1) | GDPR Art. 28, GDPR Art. 32, GDPR Art. 33 |
| Article 43 | 1 | GB (1) | GDPR Art. 32, GDPR Art. 42 |
Regulatory Framework
AI Act: Implementation timeline — key dates for compliance
EU · ai_office · 2026-03-24 · aio-implementation-timeline
Category: Implementation · Type: guidance · Source: https://digital-strategy.ec.europa.eu/en/po
AI Act: Requirements for high-risk AI systems (Articles 8-15)
EU · ai_office · 2026-03-24 · aio-high-risk-requirements
Category: High-Risk Requirements · Type: guidance · Source: https://digital-strategy.ec.euro
AI Act: Risk Classification — How to determine if your AI system is high-risk
EU · ai_office · 2026-03-24 · aio-risk-classification
Category: Risk Classification · Type: guidance · Source: https://digital-str
EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence
EU · ai_office · 2026-03-24 · aio-ai-act-overview
Category: AI Act · Type: legislation · Source: https://eur-lex.europa.eu/eli/reg/2024/168
Enforcement & Case Law
ETid-1891: KG COM — FRANCE (€150,000)
FR cms_enforcement 2026-04-09
ETid-27: Company in the financial sector — GERMANY (€80,000)
DE cms_enforcement 2026-04-09
ETid-1118: Ambuce Rescue Team — BELGIUM (€20,000)
BE cms_enforcement 2026-04-09
ETid-3055: FREE TECHNOLOGIES EXCOM, S.L. — SPAIN (€10,000)
ES cms_enforcement 2026-04-09
ETid-479: Unknown — BELGIUM (€1,500)
BE cms_enforcement 2026-04-09
ETid-2395: DELSA ALQUILERES S.L. — SPAIN (€1,000)
ES cms_enforcement 2026-04-09
ETid-961: Private individual — AUSTRIA (€600)
AT cms_enforcement 2026-04-09
ETid-2794: Legal Person — CZECH REPUBLIC (€400)
CZ cms_enforcement 2026-04-09
Cross-Regulatory Overlap
ENISA: Multilayer Framework for Good Cybersecurity Practices for AI
EU · enisa · 2026-03-24 · enisa-multilayer-framework-for-good-cybersecurity-practices-for-ai
Source: https: