§ AI Act TOPICAL

AI Act conformity assessment under Annex VI

The internal-control procedure that covers most Annex III high-risk AI. Run it without a notified body. Here is how.

Summary

Annex VI is the internal-control conformity-assessment procedure. It is the default route for almost every Annex III high-risk system except biometric identification (§1, where Annex VII third-party assessment is required). The provider runs Annex VI itself — no notified body involvement — and is fully accountable for the result.

Annex VI has three steps: (1) confirm the quality management system (QMS) under Article 17 covers the system; (2) review the technical documentation under Annex IV against the requirements in Articles 9–15; (3) verify the design and development of the AI system corresponds to that documentation and to the QMS.

When the procedure is complete, the provider draws up the EU declaration of conformity (Article 47), affixes the CE marking (Article 48), and registers in the EU AI Database (Article 49). Only then can the system be placed on the EU market.

Who this applies to

Providers of high-risk AI systems falling under Annex III categories 2–8 (everything except biometric identification under §1).

Compliance deadline

2 August 2026 — high-risk AI system obligations apply. The Digital Omnibus (Council + Parliament agreed positions, March 2026) may shift this to 2 December 2027 for Annex III systems and 2 August 2028 for Annex I products. Until the amending regulation is published in the Official Journal, plan for 2 August 2026.

§ Key articles

What the law says

Article 43(2)

Annex VI is the default conformity-assessment route for Annex III §2–§8 systems.

Article 43(1)

Annex VII (notified-body) route for biometric ID under Annex III §1.

Article 43(3)

Integrated conformity assessment for Annex I products.

Annex VI

Internal-control procedure — content and steps.

Annex IV

Technical documentation contents.

Article 16

Provider obligations leading into conformity assessment.

Article 47

EU declaration of conformity.

Article 48

CE marking.

Article 49

EU AI Database registration.

§ Detail

In depth

When Annex VI applies

Yes: Annex III §2 critical infrastructure, §3 education, §4 employment, §5 essential services / creditworthiness / insurance, §6 law-enforcement, §7 migration, §8 justice — all default to Annex VI.
No: Annex III §1 biometric identification — must use Annex VII (notified-body) route under Article 43(1).
Integrated, not Annex VI: Annex I products — the sectoral conformity procedure absorbs the AI Act check under Article 43(3).

Step 1 — Quality management system

Confirm the Article 17 QMS covers the AI system. The QMS must include:

Strategy for regulatory compliance, including conformity-assessment and post-market surveillance procedures.
Techniques and procedures for design and development.
Examination, test, and validation procedures.
Technical specifications and applicable harmonised standards.
Systems and procedures for data management.
Risk management system per Article 9.
Post-market monitoring system per Article 72.
Incident-reporting procedures per Article 73.
Communication with authorities and notified bodies (where applicable).
Record-keeping and resource management.
Accountability framework defining management and staff responsibilities.

Many providers already have ISO 9001, ISO/IEC 42001, or sectoral QMS — the QMS does not have to be net-new but must be documented to cover the AI Act elements.

Step 2 — Technical documentation review

Compile the technical documentation under Annex IV and review it against Articles 9–15. Annex IV requires:

General description of the system, intended purpose, version, hardware/software requirements.
Detailed description of design, development, and operation: methodologies, training and test data, computational resources, validation procedures.
Information about the data — provenance, scope, characteristics, governance procedures.
Description of monitoring, functioning, and control measures — including known limitations.
Description of changes during the lifecycle and version control.
Standards applied and any reference to them.
Copy of the EU declaration of conformity (drawn up at end of Step 3).
Detailed description of the post-market monitoring system.

Step 3 — Design and development verification

Verify that the design and development of the system actually corresponds to the QMS and the technical documentation. This is internal — no notified body — but must be documented. The verification covers:

That the development followed the documented methodology.
That the data-governance procedures (Article 10) were applied to the actual training, validation, and test data.
That the risk-management system (Article 9) ran across the lifecycle.
That the system meets the accuracy, robustness, and cybersecurity targets in Article 15.
That logging (Article 12) and human-oversight measures (Article 14) are implemented as documented.
That instructions for use (Article 13) are produced and tested with representative deployer audiences.

Closing the procedure

Draw up the EU declaration of conformity (Article 47) — single declaration, multiple Union acts where applicable.
Affix the CE marking (Article 48) on the system or its documentation.
Register the system in the EU AI Database (Article 49) before placing on the market.
Notify the AI Office of any change in the QMS that affects the system (Article 17).

What auditors actually look for

Market surveillance authorities have signalled they will focus on:

Data governance evidence — whether bias testing was actually run, on what data, with what results.
The link between Article 9 risk management and Article 15 robustness — are residual risks documented and mitigated?
Whether instructions for use are realistic — can a representative deployer actually operate the system safely from them?
Logging coverage — whether automatically generated logs (Article 12) actually capture the events Article 26 deployers need.
Post-market monitoring — whether the plan exists on paper but does not run in practice.

§ Action items

Practical steps

Confirm the system is in Annex III §2–§8 — if §1 (biometric ID), Annex VII applies and a notified body is required.

Map your existing QMS (ISO 9001 / ISO/IEC 42001 / sectoral) to Article 17 elements; close any gaps.

Build the Annex IV technical documentation as a single living artifact, not eight disconnected sub-documents.

Run the Step 3 verification with the same rigour an external auditor would; document the verification itself.

Register in the EU AI Database (Article 49) before market placement — non-registration is enforceable independent of substantive non-compliance.

§ What Fontvera found

Documents in our corpus

ai_office EU Fetched 2026-04

EU AI Act — Regulation (EU) 2024/1689 on Artificial Intelligence

ai_office EU Fetched 2026-04

AI Act | Shaping Europe’s digital future

eiopa EU Fetched 2026-04

Opinion on Artificial Intelligence governance and risk management

eurlex EU Fetched 2026-04

EUR-Lex: 32025R0454 (2025-03-07)

eurlex EU Fetched 2026-04

Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence and amending Regulations (EC) No 300/2008, (EU) No 167/2013, (EU) No 168/2013, (EU) 2018/858, (EU) 2018/1139 and (EU) 2019/2144 and Directives 2014/90/EU, (EU) 2016/797 and (EU) 2020/1828 (Artificial Intelligence Act) (Text with EEA relevance)

ai_office EU Fetched 2026-04

AI Act Annex III: High-Risk Use Cases

ai_office EU Fetched 2026-04

AI Act Article 71: EU Database for High-Risk AI Systems

ai_office EU Fetched 2026-04

AI Act Article 57: AI Regulatory Sandboxes

§ Cross-references

Related Fontvera intelligence

Need a cross-border briefing on this?

Search Fontvera ↵ Run the AI Act diagnostic

AI Act enforcement

97 days

until 2026-08-02, when most AI Act provisions begin to apply.