Inferensys

Glossary

Conformity Assessment

The mandatory verification process by which a provider demonstrates that a high-risk AI system meets the essential requirements of the EU AI Act before CE marking and market placement.
Risk analyst performing AI risk assessment on laptop, risk matrices visible, casual office risk session.
REGULATORY VERIFICATION

What is Conformity Assessment?

The mandatory process by which a provider verifies that a high-risk AI system meets the essential requirements of the EU AI Act before affixing the CE marking and registering the system.

Conformity Assessment is the legally mandated verification procedure defined in the EU AI Act requiring a provider to demonstrate that a high-risk AI system complies with all applicable essential requirements. This process, which must be completed prior to CE marking and EU AI Act Database registration, involves rigorous evaluation of the system's risk management, data governance, technical documentation, transparency, and human oversight mechanisms to ensure the protection of health, safety, and fundamental rights.

The assessment can be performed internally by the provider via a self-assessment against harmonized standards, or externally by an independent Notified Body for systems with higher risk profiles. The outcome is a legally binding Declaration of Conformity, which must be included in the Technical Documentation File. Any Substantial Modification to the system's intended purpose or performance triggers a mandatory new conformity assessment to maintain valid registration status.

REGULATORY VERIFICATION

Core Characteristics of Conformity Assessment

The mandatory, structured process by which a provider demonstrates that a high-risk AI system meets the essential requirements of the EU AI Act before affixing the CE marking and registering the system.

01

Internal Control vs. Third-Party Audit

The conformity assessment route depends on the system's classification and the use of harmonized standards. For most high-risk systems, providers may conduct an internal control (self-assessment) based on Annex VI of the AI Act. However, systems in critical domains like biometrics or law enforcement require a Notified Body—an independent third-party organization—to audit the quality management system and technical documentation.

Annex VI & VII
Governing Annexes
02

Quality Management System Mandate

A certified Quality Management System (QMS) is a non-negotiable prerequisite for self-assessment. The QMS must document the provider's strategy for regulatory compliance, covering the entire lifecycle from design to decommissioning. Key elements include:

  • Design control and verification procedures
  • Risk management protocols
  • Post-market monitoring plans
  • Incident reporting workflows Without a certified QMS, the provider cannot legally conduct an internal conformity assessment.
03

Technical Documentation Scrutiny

The assessment hinges on a comprehensive Technical Documentation File that proves compliance. This dossier must include a general system description, detailed design specifications, model development methodology, and the results of the risk management process. The documentation must be sufficiently transparent to allow authorities to verify that the system meets mandatory requirements for accuracy, robustness, and cybersecurity, and must be kept for 10 years after market placement.

04

Presumption of Conformity

Providers can streamline the process by adhering to harmonized standards published in the Official Journal of the EU. Compliance with these standards grants a legal 'presumption of conformity' with the AI Act's essential requirements. This mechanism reduces the scope of the audit, allowing the provider to focus verification efforts only on areas not covered by the standard, significantly lowering the administrative burden of the assessment.

05

Declaration of Conformity

The final output of a successful assessment is a legally binding Declaration of Conformity. By signing this document, the provider formally assumes full responsibility for the system's compliance. The declaration must contain the system's unique identification, the provider's name and address, and a reference to the relevant harmonized standards. This document is a prerequisite for affixing the CE marking and registering the system in the EU database.

CONFORMITY ASSESSMENT

Frequently Asked Questions

Essential questions about the mandatory verification process for high-risk AI systems under the EU AI Act, covering procedures, documentation, and the path to CE marking.

A conformity assessment is the mandatory verification process by which a provider demonstrates that a high-risk AI system meets all essential requirements of the EU AI Act before it can be placed on the market or put into service. This process evaluates the system against harmonized standards covering risk management, data governance, transparency, human oversight, and accuracy. The assessment can be conducted internally by the provider through a self-assessment based on an audited quality management system, or externally by a Notified Body for systems involving biometric identification or safety components. Upon successful completion, the provider issues a Declaration of Conformity and affixes the CE marking, which serves as a regulatory passport across all EU member states. The conformity assessment is not a one-time event—any substantial modification to the system's intended purpose or performance characteristics triggers a new assessment obligation.

Prasad Kumkar

About the author

Prasad Kumkar

CEO & MD, Inference Systems

Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.

His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.