Inferensys

Glossary

Conformity Assessment

The mandatory verification process by which a provider demonstrates that a high-risk AI system meets all applicable regulatory requirements prior to market placement, often involving a notified body.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
REGULATORY VERIFICATION

What is Conformity Assessment?

The mandatory verification process by which a provider demonstrates that a high-risk AI system meets all applicable regulatory requirements prior to market placement, often involving a notified body.

Conformity assessment is the legally mandated procedure through which an AI provider verifies and demonstrates that a high-risk AI system strictly complies with all essential requirements of the EU AI Act before it can be placed on the market or put into service. This process is the gatekeeper for obtaining the CE marking, serving as a formal declaration of regulatory alignment.

The assessment can be based on internal controls or require third-party verification by an independent, accredited notified body, depending on the specific risk category. It involves a rigorous audit of the risk management system, technical documentation, and data governance criteria to ensure the system's safety and trustworthiness throughout its lifecycle.

REGULATORY VERIFICATION

Core Characteristics of Conformity Assessment

A conformity assessment is the mandatory, structured verification process proving a high-risk AI system meets all applicable regulatory requirements before market placement. It transforms abstract legal obligations into auditable technical evidence.

01

Third-Party vs. Self-Assessment

The EU AI Act distinguishes between internal control and notified body assessment paths based on risk severity.

  • Internal Control (Annex VI): For certain high-risk systems, the provider may self-declare conformity by compiling technical documentation and issuing a declaration themselves.
  • Notified Body Assessment (Annex VII): For systems listed in Annex III, point 1 (biometric categorization) and other high-criticality areas, an independent accredited third party must audit the quality management system and technical documentation.
  • Trigger: The involvement of a notified body is mandatory when harmonized standards are not applied or do not fully cover the system's requirements.
Annex VI
Self-Assessment Path
Annex VII
Notified Body Path
02

Quality Management System Audit

Providers must establish and maintain a documented Quality Management System (QMS) that governs the entire AI lifecycle. The conformity assessment verifies this system's adequacy.

  • Design Control: Procedures for system design, development, and verification.
  • Risk Management: Documented processes for identifying, estimating, and mitigating risks throughout the system's lifecycle.
  • Post-Market Monitoring: A structured plan for collecting and analyzing real-world performance data after deployment.
  • Incident Reporting: Clear protocols for notifying authorities of serious incidents or malfunctions.
  • Record Keeping: Traceable documentation of all QMS processes, decisions, and corrective actions.
03

Technical Documentation Examination

The core of any conformity assessment is the rigorous review of the technical documentation file that proves the system's compliance.

  • System Architecture: Detailed description of the AI model, algorithms, data flows, and integration points.
  • Data Governance: Evidence of training, validation, and testing dataset quality, provenance, and bias examination.
  • Accuracy & Robustness: Performance metrics, error rates, and results from adversarial testing.
  • Human Oversight: Built-in mechanisms that allow human operators to interpret, override, or halt the system.
  • Cybersecurity: Documentation of defenses against adversarial attacks, data poisoning, and unauthorized access.
04

Presumption of Conformity

A legal mechanism that streamlines the assessment process. If a high-risk AI system is designed and tested in full compliance with harmonized standards published in the Official Journal of the EU, it is automatically presumed to meet the corresponding essential requirements.

  • Efficiency: Reduces the burden of proof for providers by aligning with pre-approved technical specifications.
  • Standardization Request: The European Commission issues formal mandates to bodies like CEN/CENELEC to draft these standards.
  • Gap Analysis: If harmonized standards do not exist or are only partially applied, the provider must describe the alternative solutions adopted and the notified body must verify their adequacy directly.
05

Substantial Modification Trigger

A conformity assessment is not a one-time event. A substantial modification to the AI system after market placement invalidates the original certificate and triggers a new assessment.

  • Change in Intended Purpose: Any alteration to the system's defined use case or operational context.
  • Performance Alteration: A significant change to the model's accuracy, error rate, or behavior that could affect safety or fundamental rights.
  • Provider Responsibility: The original provider must continuously evaluate whether software updates, retraining, or integration changes constitute a substantial modification.
  • Continuous Compliance: This ensures the system's risk profile remains valid throughout its operational lifecycle.
06

CE Marking & Declaration of Conformity

The successful completion of the conformity assessment culminates in two formal legal instruments that permit market access.

  • EU Declaration of Conformity: A legally binding document signed by the provider stating the system meets all applicable regulations. It must be kept for 10 years and translated into the language of the member state where the system is placed.
  • CE Marking: A physical or digital mark affixed to the system or its packaging. It is the visible symbol of compliance, indicating the product can circulate freely within the European Economic Area.
  • Registration: Before placing the system on the market, the provider must register it in the EU's public database for high-risk AI systems.
CONFORMITY ASSESSMENT EXPLAINED

Frequently Asked Questions

Clear answers to the most common questions about the mandatory verification process for high-risk AI systems under the EU AI Act.

A conformity assessment is the mandatory verification process by which a provider demonstrates that a high-risk AI system meets all applicable regulatory requirements of the EU AI Act before it can be placed on the market or put into service. This structured evaluation examines the system's risk management system, technical documentation, data governance, transparency, human oversight mechanisms, and accuracy against the essential requirements. The assessment can be conducted internally by the provider using an internal control procedure or, for certain high-risk categories like remote biometric identification, must involve an independent notified body. Successful completion results in a declaration of conformity and the right to affix the CE marking, signifying legal compliance across the European single market. The process is not a one-time event; it triggers ongoing obligations for post-market monitoring and reassessment upon any substantial modification.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.