Substantial modification is a regulatory trigger defined under the EU AI Act that occurs when a provider alters a high-risk AI system's intended purpose or significantly changes its performance, behavior, or risk profile beyond what was specified in the original technical documentation. Such a modification renders the existing CE marking and conformity assessment void, legally treating the altered system as a new product requiring fresh certification before it can remain on the market.
Glossary
Substantial Modification

What is Substantial Modification?
A substantial modification is a change to an AI system's intended purpose or a significant alteration to its performance characteristics that invalidates the original conformity assessment, requiring a new certification process.
The determination of what constitutes 'substantial' is evaluated against the system's original intended purpose and the risk parameters documented during the initial conformity assessment. Changes that materially affect the system's safety, accuracy, robustness, or interaction with human oversight mechanisms trigger this re-certification obligation. Providers must implement a rigorous change control process within their quality management system to continuously evaluate whether iterative updates cross the threshold into substantial modification, ensuring ongoing compliance with post-market monitoring requirements.
Key Characteristics of a Substantial Modification
Under the EU AI Act, a substantial modification is a change to a high-risk AI system that invalidates the original conformity assessment. It occurs when the system's intended purpose is altered or its risk profile is significantly affected by a performance change.
Change in Intended Purpose
The most definitive trigger for a substantial modification is a shift in the system's intended purpose—the specific use case for which the AI was originally assessed and certified.
- Example: A medical imaging model cleared for detecting bone fractures is repurposed to identify soft tissue anomalies.
- Regulatory Impact: The original CE marking is voided. The provider must conduct a new conformity assessment against the requirements relevant to the new medical application.
- Key Distinction: This differs from a simple software update that maintains the original diagnostic scope.
Significant Performance Alteration
A modification that materially changes the system's performance characteristics, even without altering the intended purpose, can be deemed substantial.
- Triggering Factors:
- A fundamental change to the underlying model architecture (e.g., switching from a convolutional neural network to a vision transformer).
- Retraining on a new, fundamentally different dataset that shifts the model's statistical behavior.
- A measurable degradation or unexpected improvement in accuracy, precision, or recall that alters the risk profile.
- Rationale: The original risk assessment and technical documentation no longer accurately describe the system's behavior.
Software Update vs. Modification
Not every software update constitutes a substantial modification. The distinction hinges on whether the update affects the system's compliance with essential requirements.
- Non-Substantial Updates:
- Security patches that do not alter the model's logic.
- Minor user interface improvements.
- Bug fixes that restore the system to its certified performance level.
- Substantial Modifications:
- Updates that introduce new input modalities (e.g., adding audio analysis to a text-only model).
- Changes that expand the target population or deployment context.
- Provider Obligation: Providers must maintain a rigorous change control process to classify each update.
Post-Market Monitoring Integration
The post-market monitoring system mandated by the AI Act is the primary mechanism for detecting whether a continuous learning system has undergone a substantial modification.
- Process:
- The provider must systematically collect and analyze real-world performance data.
- If a statistically significant drift in performance or an unintended shift in functionality is detected, it triggers a review.
- The provider must determine if the drift constitutes a substantial modification requiring a new conformity assessment.
- Documentation: The analysis and decision must be logged as part of the technical documentation to ensure auditability.
Provider vs. Deployer Responsibility
The legal burden for identifying and acting on a substantial modification falls primarily on the provider—the entity that places the system on the market.
- Provider Duties:
- Must implement a quality management system that governs design changes.
- Must notify the notified body if a change impacts conformity.
- Deployer Risk: If a deployer (professional user) modifies a system's intended purpose or fine-tunes it on proprietary data in a way that fundamentally alters its behavior, the deployer may legally become the new provider, inheriting all compliance obligations.
- Contractual Safeguards: Enterprise agreements must explicitly prohibit unauthorized modifications that could trigger this reclassification.
Continuous Learning Systems
Systems that continuously learn and adapt in production pose a unique challenge for the substantial modification framework.
- Regulatory Expectation: The AI Act requires that pre-trained models and their subsequent updates be clearly delineated.
- Pre-Defined Boundaries: Providers must define the acceptable performance envelope during the initial conformity assessment. Any learning that pushes the system outside this pre-approved boundary is a substantial modification.
- Governance Strategy: This necessitates a shift from static certification to a continuous compliance architecture where model updates are gated by automated validation checks against the original risk parameters.
Frequently Asked Questions
Clarifying the regulatory triggers and technical boundaries that require a new conformity assessment under the EU AI Act.
A substantial modification is a change to an AI system's intended purpose or a significant alteration to its performance characteristics that invalidates the original conformity assessment, requiring a new certification. The EU AI Act specifies that any modification occurring after the system is placed on the market or put into service, which goes beyond what was foreseen in the provider's initial risk management and technical documentation, constitutes a substantial change. This includes repurposing a low-risk system for a high-risk use case, fundamentally altering the underlying logic or algorithmic architecture, or materially degrading the system's accuracy, robustness, or cybersecurity posture. The determination is not based on the scale of the code change but on the impact on residual risk to health, safety, or fundamental rights. Providers must implement a documented change control procedure to continuously evaluate whether a planned update triggers this regulatory threshold.
Examples of Substantial vs. Non-Substantial Modifications
Distinguishing between a routine update and a legally significant change is critical for maintaining a valid CE marking. A substantial modification invalidates the original conformity assessment, requiring a new certification process.
Change in Intended Purpose
The most definitive trigger for a new conformity assessment. This occurs when a system is repurposed for a task fundamentally different from its original, certified use case.
- Example: A medical imaging AI cleared for detecting bone fractures is repurposed to diagnose early-stage tumors.
- Example: A hiring-screening algorithm originally designed for entry-level roles is applied to C-suite executive selection.
- Regulatory Impact: The original risk classification and technical documentation are void. A full re-assessment against the new intended purpose is mandatory.
Significant Performance Alteration
A modification to the model's architecture, training data, or inference logic that materially changes its output accuracy, reliability, or error profile.
- Example: Retraining a credit-scoring model on a new demographic dataset that shifts the approval rate by 15%.
- Example: Swapping the underlying model architecture from a decision tree to a deep neural network, even if the task remains the same.
- Key Metric: A change is 'significant' if it introduces new risks or materially worsens existing ones for health, safety, or fundamental rights.
Non-Substantial: Bug Fixes & Patches
Routine software maintenance that restores the system to its certified performance specification without altering its core logic or intended function.
- Example: Patching a memory leak that caused latency spikes, returning response times to the documented baseline.
- Example: Updating a library dependency to fix a security vulnerability without changing the model's inference code.
- Regulatory Impact: These are part of standard post-market monitoring and quality management. No new conformity assessment is required, but all changes must be logged in the technical documentation.
Non-Substantial: Input Data Refinement
Updating the system to handle previously unseen but functionally identical input formats, provided the core decision logic remains untouched.
- Example: Updating a document-parsing AI to accept a new version of a PDF standard where the semantic content extraction is unchanged.
- Example: Expanding the vocabulary of a chatbot to include new slang terms without altering its underlying safety classifiers or dialogue policy.
- Boundary Condition: This becomes substantial if the new data format introduces novel biases or requires a fundamental change to the feature extraction pipeline.
Non-Substantial: User Interface Overhaul
A cosmetic or workflow change to the graphical user interface that does not affect the underlying AI model's decision-making process.
- Example: Redesigning the dashboard layout for a predictive maintenance system while the anomaly detection algorithm remains identical.
- Example: Adding a dark mode or reorganizing menu buttons in a radiology AI viewer.
- Crucial Distinction: If the UI change alters how a human overseer interprets or overrides the AI's output, it may be deemed substantial because it impacts the human oversight mechanism.
The 'Software Update' Gray Zone
Continuous learning systems pose a unique challenge. An update that autonomously refines a model's weights based on real-world data can inadvertently become a substantial modification.
- Risk Scenario: An AI chatbot continuously fine-tuned on user interactions drifts from its safety-aligned baseline, developing toxic outputs.
- Compliance Strategy: Providers must define a pre-determined change control plan in their Quality Management System. Any update that exceeds pre-authorized performance boundaries automatically triggers a new conformity assessment.
- Documentation: The burden of proof is on the provider to demonstrate why an update is not substantial.
Substantial Modification vs. Continuous Learning vs. Bug Fixes
A comparative analysis of post-deployment AI system changes to determine whether a new conformity assessment is triggered under the EU AI Act.
| Feature | Substantial Modification | Continuous Learning | Bug Fixes |
|---|---|---|---|
Triggers New Conformity Assessment | |||
Changes Intended Purpose | |||
Alters Core Algorithmic Logic | |||
Pre-Defined in Initial Technical Documentation | |||
Requires Notified Body Re-Engagement | |||
Resets CE Marking Validity | |||
Subject to Post-Market Monitoring Plan | |||
Corrects Non-Compliant Behavior |
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Understanding Substantial Modification requires familiarity with the broader regulatory architecture of the EU AI Act. These concepts define the boundaries of provider responsibility and the triggers for re-certification.
Conformity Assessment
The mandatory verification process by which a provider demonstrates that a high-risk AI system meets all applicable regulatory requirements prior to market placement. A Substantial Modification invalidates the original assessment, forcing a new one. This process often involves a notified body for high-risk systems and examines the technical documentation, risk management system, and quality management system.
Intended Purpose
The use for which an AI system is intended by the provider, including the specific context and conditions of use. A change to the intended purpose is the primary trigger for a Substantial Modification. This is distinct from reasonably foreseeable misuse, which the provider must also assess but does not automatically trigger re-certification unless it becomes the de facto use case.
Provider Obligations
The comprehensive set of legal duties placed on the entity that develops and places a high-risk AI system on the market. These include:
- Establishing a risk management system
- Compiling technical documentation
- Implementing a quality management system
- Conducting post-market monitoring A Substantial Modification re-triggers the entire chain of provider obligations as if the system were new.
Post-Market Monitoring
The continuous, systematic process by which a provider collects and analyzes real-world data on the performance of a deployed AI system. This is the primary mechanism for detecting whether iterative updates have crossed the threshold into a Substantial Modification. Providers must document how they distinguish between routine maintenance and a change that alters the system's performance characteristics or intended purpose.
Technical Documentation
The comprehensive dossier a provider must compile to demonstrate a high-risk AI system's design, development, and compliance. A Substantial Modification requires a complete revision of this documentation, including updated descriptions of:
- System architecture and design specifications
- Training methodologies and datasets
- Performance metrics and validation results
- Risk management decisions
Serious Incident Reporting
The mandatory obligation for providers to immediately notify market surveillance authorities of any malfunction or failure of an AI system that leads to death or serious damage. A Substantial Modification that introduces new failure modes without a fresh conformity assessment creates significant liability exposure, as the original certification is no longer a valid defense.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us