2026-04-23·12 min read·

EU AI Act Art.45: EU Database for High-Risk AI Systems — Registration Obligations, EUID, and Public Transparency (2026)

Article 45 of the EU AI Act creates the legal foundation for the EU database for high-risk AI systems — a centralised registration infrastructure operated by the European Commission that serves as the primary public accountability mechanism for high-risk AI systems placed on the EU market. The database operationalises the transparency principle at the system level: it is the instrument through which the existence, identity, and compliance status of high-risk AI systems become verifiable by regulators, deployers, affected persons, and the public before and after those systems reach the market.

For AI system providers, Art.45 creates a procedural obligation that sits between conformity assessment completion and market access. Registration is not optional, and the obligation falls on the provider before the product reaches the market — meaning a provider who completes conformity assessment but fails to register before market placement is in breach of the regulation even if the system itself is technically compliant. For deployers operating high-risk AI systems in specific regulated contexts, supplementary registration obligations apply independently of the provider's registration.

What the EU Database Is

The EU database for high-risk AI systems — referred to in implementation documents as the EUID (EU AI Database) — is maintained by the European Commission at the EU level. It functions as a single-entry point for registration of high-risk AI systems covered by Annex III of the EU AI Act, centralising information that was previously either not captured systematically or distributed across fragmented national registers.

The database serves three distinct functions. First, it provides market surveillance authorities across all Member States with a unified reference point for identifying high-risk AI systems subject to their oversight jurisdiction. A national authority in Germany investigating a high-risk AI system deployed in its territory can cross-reference the EUID to retrieve registration data, conformity information, and provider details without requiring a bilateral request to the provider or to authorities in the provider's country of establishment. Second, it enables deployers evaluating procurement decisions to verify that a provider has completed the registration obligation before entering into deployment contracts — registration status becomes a verifiable compliance signal in commercial due diligence. Third, it creates a public accountability layer: the publicly accessible portion of the database allows citizens, civil society organisations, and researchers to identify what high-risk AI systems are operating in specific domains, who operates them, and under what conformity framework.

The database is distinct from national market surveillance registries and from sector-specific databases (such as those maintained by financial regulators or healthcare authorities). It captures EU AI Act compliance information specifically, not sector authorisation data, and it does not replace sector-specific pre-market approval requirements that apply independently.

Who Must Register

The primary registration obligation falls on providers of high-risk AI systems listed in Annex III of the EU AI Act. A provider is the natural or legal person who places the AI system on the market or puts it into service under their own name or trademark. This definition captures software developers who market AI products commercially, organisations that develop and deploy AI internally for commercial purposes, and intermediaries who customise general-purpose AI systems and market the customised version under their own brand.

The provider obligation is comprehensive: every Annex III high-risk AI system must be registered before market placement or, for systems put into service without market placement, before the system is deployed. There is no de minimis exemption based on deployment scale, commercial volume, or organisation size.

Deployer registration obligations

For a specific category of high-risk AI systems, Art.45 extends a supplementary registration obligation to deployers. Deployers of high-risk AI systems listed in Annex III, points 1, 6, and 7 — covering biometric identification, AI systems in the administration of justice, and AI systems used in democratic processes and election infrastructure — must register their use of these systems in the database independently of the provider registration. This deployer-specific obligation reflects the heightened societal sensitivity of these categories: law enforcement and judicial uses of AI, and AI systems that interact with democratic processes, warrant independent transparency at the deployer level rather than being captured solely through provider registration.

The deployer registration requirement does not create a general obligation across all Annex III categories — it applies to these three specific high-sensitivity areas. A company deploying a high-risk AI system for credit scoring (Annex III, point 5) has no independent registration obligation; the system must be registered by the provider, but the deployer's identity does not need to appear independently in the database.

Authorised representatives for third-country providers

Providers established outside the EU who place high-risk AI systems on the EU market must designate an authorised representative within the EU. The authorised representative carries registration obligations on behalf of the provider: it is the authorised representative who must complete and maintain the EUID registration for high-risk AI systems marketed in the EU by non-EU providers. This extends the reach of the database to AI systems from all jurisdictions that enter the EU market, eliminating the enforcement gap that would otherwise exist for extraterritorial providers.

Registration Timing: Before Market Placement

The temporal requirement in Art.45 is unambiguous: registration must occur before the high-risk AI system is placed on the market or put into service. This sequencing is deliberate — the database is designed to be a pre-market instrument, not a post-deployment reporting mechanism.

In practice, this means that the registration obligation must be integrated into the product launch timeline, not treated as a post-launch administrative task. A provider whose conformity assessment under Art.43 is complete and who has signed the EU declaration of conformity under Art.47 must complete EUID registration before shipping or licensing the product. The correct operational sequence is:

Complete technical documentation (Art.11)
Implement quality management system (Art.17)
Complete conformity assessment (Art.43) — internal assessment or notified body review
Sign EU declaration of conformity (Art.47)
Affix CE marking (Art.48)
Register in EU database (Art.45) — before market placement
Place product on market or put into service

Step 6 is not optional and cannot be deferred to after market entry. A provider who places an unregistered Annex III system on the market has violated Art.45 regardless of whether the system itself meets all technical and conformity requirements.

Public vs. Non-Public Database Information

The EU database distinguishes between information accessible to the public and information accessible only to market surveillance authorities and the Commission. This two-tier architecture reflects the competing demands of transparency and commercial confidentiality.

Publicly accessible information

The public layer of the EUID includes:

Provider identity (name, registered address, contact information)
AI system trade name and version identifier
The category of high-risk AI system (the specific Annex III point applicable)
Member States in which the system is or has been placed on the market
The status of the EU declaration of conformity (present, updated, withdrawn)
Reference to the conformity assessment method used (internal assessment or notified body)
Where a notified body was involved: the notified body's name and certificate reference number
Summary description of the intended purpose and primary use-case

This public layer is designed to support deployer due diligence, civil society monitoring, and market surveillance coordination. It does not expose technical documentation contents, source code, model architectures, or commercially sensitive system specifications.

Non-public information accessible to authorities

Market surveillance authorities and the Commission can access an extended dataset that includes:

Complete technical documentation reference
Post-market monitoring data and serious incident reports
Details of conformity assessment procedures including notified body assessment findings
Information on remedial actions taken following non-conformity findings
Correspondence with market surveillance authorities regarding specific incidents

The authority-facing layer transforms the database into an active surveillance instrument: authorities can use it to cross-reference incident data across systems, identify patterns in non-conformities, and coordinate cross-border responses to systemic risks in specific AI categories.

Notified Body Obligations in the Database

Where a high-risk AI system has undergone conformity assessment involving a notified body under Art.43, the notified body itself carries obligations to the database. Notified bodies must register in the EUID, and each certificate of conformity issued by a notified body must reference the EUID entry for the AI system it covers.

The practical effect is bidirectional: the provider's EUID registration must reference the notified body certificate, and the notified body must maintain records in a format that allows cross-referencing. This creates an auditable linkage between the system registration, the conformity certificate, and the notified body that issued it — enabling market surveillance authorities to verify certificate validity without requiring direct contact with the notified body in every case.

Where a notified body suspends, restricts, or withdraws a certificate, the database entry for the affected AI system must be updated to reflect the change. Providers are responsible for keeping registration information current, including reflecting changes to certificate status that occur during the product lifecycle.

Art.45 × Art.43: Registration as Conformity Assessment Completion Signal

Art.45 registration and Art.43 conformity assessment are sequential rather than parallel: registration presupposes a completed conformity assessment. A provider who has initiated conformity assessment but not yet completed it cannot register the system in the EUID, because the registration data includes reference to the conformity assessment outcome.

This sequencing means that the database entry for a high-risk AI system functions as a proxy indicator of conformity assessment completion — a system that is registered and has a current EU declaration of conformity reference has, by definition, completed the applicable conformity procedure. Market surveillance authorities and deployers can use registration status as a first-level signal in compliance verification, with the understanding that registration alone does not guarantee substantive conformity of the underlying system.

For providers who conduct internal conformity assessment under Art.43(2) rather than using a notified body, the registration confirms that the provider has completed a self-certification process. For systems requiring notified body involvement — particularly AI systems in the biometric identification and critical infrastructure categories where third-party assessment is mandatory — the registration includes the notified body reference, providing an external verification anchor.

Art.45 × Art.47: Declaration of Conformity Cross-Reference

The EU declaration of conformity required under Art.47 and the EUID registration under Art.45 are legally linked documents. The declaration of conformity must reference the EUID registration identifier, and the EUID entry must reference the declaration of conformity. This cross-referencing requirement means that the two documents must be prepared in coordination: the provider cannot complete the declaration without having a database reference to include, and the registration data must be consistent with the declarations made in the conformity document.

Where a provider updates the EU declaration of conformity following a substantial modification of the AI system, the EUID registration must be updated correspondingly. The database is not a static snapshot — it tracks the lifecycle of the system, including version updates that trigger new conformity cycles.

Information Updates and Lifecycle Management

Registration in the EUID is not a one-time event. Providers must keep their database entries current throughout the product lifecycle. The key update triggers are:

Version releases that constitute substantial modifications under Art.6: a substantially modified system requires a new or updated conformity assessment, which in turn requires an updated EUID entry
Changes to the EU declaration of conformity: any revision of the declaration must be reflected in the database
Notified body certificate changes: suspension, restriction, or withdrawal of a certificate requires immediate update of the corresponding EUID entry
Market withdrawal or product discontinuation: when a provider withdraws a system from the market, the database entry must be updated to reflect withdrawal status, and the date of withdrawal must be recorded
Changes to intended purpose or use-case: where a provider updates the documented intended purpose in a way that affects the applicable Annex III classification, the registration data must be revised accordingly

Failure to maintain current registration data is treated as an ongoing violation of Art.45, not a completed past violation. A provider who allows registration data to become inaccurate — for example by failing to update the certificate reference after a notified body review — remains in breach for as long as the inaccuracy persists.

Python Implementation: EUAIDatabaseRegistration

The following implementation demonstrates a structured approach to managing EU AI Act Art.45 registration data, tracking registration status, lifecycle events, and update obligations:

from dataclasses import dataclass, field
from datetime import date, datetime
from enum import Enum
from typing import Optional
import json
import hashlib


class RegistrationStatus(Enum):
    PENDING = "pending"
    REGISTERED = "registered"
    UPDATED = "updated"
    SUSPENDED = "suspended"
    WITHDRAWN = "withdrawn"


class ConformityAssessmentMethod(Enum):
    INTERNAL_ASSESSMENT = "internal_assessment"  # Art.43(2) — provider self-certification
    NOTIFIED_BODY = "notified_body"  # Art.43(1) — third-party assessment


class AnnexIIICategory(Enum):
    BIOMETRIC_IDENTIFICATION = "annex_iii_1"
    CRITICAL_INFRASTRUCTURE = "annex_iii_2"
    EDUCATION_TRAINING = "annex_iii_3"
    EMPLOYMENT_RECRUITMENT = "annex_iii_4"
    ESSENTIAL_SERVICES = "annex_iii_5"
    LAW_ENFORCEMENT = "annex_iii_6"
    MIGRATION_ASYLUM = "annex_iii_7_migration"
    JUSTICE_DEMOCRATIC = "annex_iii_7_justice"


DEPLOYER_REGISTRATION_REQUIRED = {
    AnnexIIICategory.BIOMETRIC_IDENTIFICATION,
    AnnexIIICategory.LAW_ENFORCEMENT,
    AnnexIIICategory.JUSTICE_DEMOCRATIC,
}


@dataclass
class NotifiedBodyReference:
    body_name: str
    body_identification_number: str
    certificate_number: str
    certificate_date: date
    certificate_status: str = "active"  # active, suspended, restricted, withdrawn
    certificate_expiry: Optional[date] = None


@dataclass
class EUDeclarationOfConformity:
    declaration_reference: str
    signing_date: date
    signatory_name: str
    signatory_title: str
    version: str = "1.0"


@dataclass
class ProviderInfo:
    legal_name: str
    registered_address: str
    country_of_establishment: str
    contact_email: str
    is_third_country_provider: bool = False
    authorised_representative_name: Optional[str] = None
    authorised_representative_address: Optional[str] = None


@dataclass
class AISystemRegistrationData:
    """Public-layer EUID registration data for a high-risk AI system."""
    # System identity
    system_name: str
    system_version: str
    intended_purpose_summary: str
    annex_iii_category: AnnexIIICategory

    # Provider
    provider: ProviderInfo

    # Conformity
    conformity_method: ConformityAssessmentMethod
    declaration_of_conformity: EUDeclarationOfConformity
    notified_body: Optional[NotifiedBodyReference] = None

    # Market deployment
    market_placement_date: Optional[date] = None
    member_states_deployed: list = field(default_factory=list)

    # Registration metadata
    registration_id: Optional[str] = None
    registration_date: Optional[date] = None
    status: RegistrationStatus = RegistrationStatus.PENDING
    lifecycle_events: list = field(default_factory=list)

    def generate_registration_id(self) -> str:
        """Generate a deterministic registration ID for reference purposes."""
        components = f"{self.provider.legal_name}:{self.system_name}:{self.system_version}"
        return f"EUID-{hashlib.sha256(components.encode()).hexdigest()[:12].upper()}"

    def requires_deployer_registration(self) -> bool:
        """Check if deployers must independently register use of this system."""
        return self.annex_iii_category in DEPLOYER_REGISTRATION_REQUIRED

    def validate_pre_registration(self) -> list[str]:
        """Validate that prerequisites for EUID registration are met."""
        issues = []

        if self.conformity_method == ConformityAssessmentMethod.NOTIFIED_BODY:
            if self.notified_body is None:
                issues.append("Notified body reference required for notified body conformity assessment method")
            elif self.notified_body.certificate_status != "active":
                issues.append(f"Notified body certificate status is '{self.notified_body.certificate_status}' — only active certificates support registration")

        if self.provider.is_third_country_provider:
            if not self.provider.authorised_representative_name:
                issues.append("Third-country providers must designate an EU authorised representative for registration")

        if not self.declaration_of_conformity.declaration_reference:
            issues.append("EU declaration of conformity reference required before registration")

        return issues

    def register(self) -> dict:
        """Complete EUID registration if prerequisites are met."""
        validation_issues = self.validate_pre_registration()
        if validation_issues:
            return {
                "success": False,
                "errors": validation_issues,
                "registration_id": None,
            }

        self.registration_id = self.generate_registration_id()
        self.registration_date = date.today()
        self.status = RegistrationStatus.REGISTERED

        self.lifecycle_events.append({
            "event": "initial_registration",
            "date": str(date.today()),
            "registration_id": self.registration_id,
        })

        return {
            "success": True,
            "registration_id": self.registration_id,
            "registration_date": str(self.registration_date),
            "deployer_registration_required": self.requires_deployer_registration(),
            "public_data_summary": self.get_public_data(),
        }

    def update_registration(self, reason: str, updated_version: Optional[str] = None) -> dict:
        """Update EUID registration following a lifecycle event."""
        if self.status not in (RegistrationStatus.REGISTERED, RegistrationStatus.UPDATED):
            return {
                "success": False,
                "error": f"Cannot update registration in status '{self.status.value}'",
            }

        if updated_version:
            self.system_version = updated_version

        self.status = RegistrationStatus.UPDATED
        self.lifecycle_events.append({
            "event": "registration_update",
            "date": str(date.today()),
            "reason": reason,
            "updated_version": updated_version,
        })

        return {
            "success": True,
            "registration_id": self.registration_id,
            "update_date": str(date.today()),
            "reason": reason,
        }

    def withdraw_registration(self, withdrawal_date: date, reason: str) -> dict:
        """Mark system as withdrawn from the market in EUID."""
        self.status = RegistrationStatus.WITHDRAWN
        self.lifecycle_events.append({
            "event": "market_withdrawal",
            "date": str(withdrawal_date),
            "reason": reason,
        })
        return {
            "success": True,
            "registration_id": self.registration_id,
            "withdrawal_date": str(withdrawal_date),
            "status": "withdrawn",
        }

    def get_public_data(self) -> dict:
        """Return public-layer data visible in the EUID public interface."""
        public_data = {
            "registration_id": self.registration_id,
            "system_name": self.system_name,
            "system_version": self.system_version,
            "intended_purpose": self.intended_purpose_summary,
            "annex_iii_category": self.annex_iii_category.value,
            "provider_name": self.provider.legal_name,
            "provider_country": self.provider.country_of_establishment,
            "conformity_method": self.conformity_method.value,
            "declaration_reference": self.declaration_of_conformity.declaration_reference,
            "declaration_date": str(self.declaration_of_conformity.signing_date),
            "member_states": self.member_states_deployed,
            "registration_status": self.status.value,
        }

        if self.notified_body:
            public_data["notified_body"] = {
                "name": self.notified_body.body_name,
                "identification_number": self.notified_body.body_identification_number,
                "certificate_number": self.notified_body.certificate_number,
                "certificate_status": self.notified_body.certificate_status,
            }

        if self.provider.is_third_country_provider and self.provider.authorised_representative_name:
            public_data["authorised_representative"] = self.provider.authorised_representative_name

        return public_data

    def check_update_obligations(self) -> list[str]:
        """Identify pending update obligations based on current registration data."""
        obligations = []

        if self.notified_body and self.notified_body.certificate_status != "active":
            obligations.append(
                f"Certificate status changed to '{self.notified_body.certificate_status}' — "
                "EUID registration must be updated immediately"
            )

        if self.notified_body and self.notified_body.certificate_expiry:
            days_to_expiry = (self.notified_body.certificate_expiry - date.today()).days
            if days_to_expiry <= 90:
                obligations.append(
                    f"Notified body certificate expires in {days_to_expiry} days — "
                    "plan renewal or update registration to reflect renewed certificate"
                )

        return obligations


@dataclass
class DeployerRegistration:
    """Deployer registration for high-risk AI systems requiring independent deployer entry."""
    system_registration_id: str  # References provider's EUID entry
    deployer_name: str
    deployer_address: str
    deployer_country: str
    use_context_description: str
    deployment_start_date: date
    annex_iii_category: AnnexIIICategory
    registration_id: Optional[str] = None

    def is_registration_required(self) -> bool:
        return self.annex_iii_category in DEPLOYER_REGISTRATION_REQUIRED

    def register(self) -> dict:
        if not self.is_registration_required():
            return {
                "success": False,
                "error": f"Deployer registration not required for category {self.annex_iii_category.value}",
            }
        components = f"{self.deployer_name}:{self.system_registration_id}:{self.deployment_start_date}"
        self.registration_id = f"EUID-D-{hashlib.sha256(components.encode()).hexdigest()[:12].upper()}"
        return {
            "success": True,
            "deployer_registration_id": self.registration_id,
            "system_registration_id": self.system_registration_id,
            "registration_date": str(date.today()),
        }

Art.45 Compliance Checklist (18 Items)

The following checklist covers the full registration compliance scope under Art.45, structured by phase:

Pre-Registration (6 items)

Confirm AI system falls within Annex III scope and identify the applicable Annex III category
Complete conformity assessment (Art.43) — either internal assessment or notified body review — before initiating registration
Obtain signed EU declaration of conformity (Art.47) with reference number for inclusion in EUID entry
If notified body assessment was conducted: collect notified body identification number, certificate number, and certificate date
If provider is established outside EU: designate EU authorised representative with authority to register in EUID on provider's behalf
Prepare intended purpose summary suitable for public database entry (non-confidential, accurate, not misleading)

Registration Execution (4 items)

Register system in EUID before market placement or putting into service — registration cannot be deferred to post-launch
Ensure registration data includes cross-reference to EU declaration of conformity and, where applicable, notified body certificate
Record EUID registration identifier and include it in EU declaration of conformity (Art.47 cross-reference requirement)
If system falls under Annex III categories 1, 6, or 7 (biometric, law enforcement, justice/democracy): notify deployers of their independent registration obligation

Deployer-Specific Obligations (3 items — applies to Annex III categories 1, 6, 7 only)

Verify provider's EUID registration status before deployment commencement
Complete deployer-specific registration in EUID referencing provider's registration ID
Record deployer registration identifier for internal compliance documentation

Lifecycle Management (5 items)

Establish internal process for monitoring notified body certificate status — update EUID immediately upon certificate suspension, restriction, or withdrawal
Define trigger conditions for registration updates: substantial modifications (new conformity cycle → new registration update), declaration revisions, certificate changes, market withdrawals
Set calendar review points (at minimum: annually and at each product version release) to verify registration data currency
On market withdrawal: update EUID entry to reflect withdrawn status and record withdrawal date
Maintain audit trail of all EUID registration events (initial registration, updates, withdrawals) in internal compliance records aligned with Art.17 quality management system

Art.45 × Art.44 (Regulatory Sandboxes): Registration Exemption for Sandbox Participants

AI systems developed and tested exclusively within the Art.44 regulatory sandbox framework are exempt from Art.45 registration obligations for the duration of sandbox participation. The registration obligation activates when the system exits the sandbox and proceeds toward market placement.

This exemption is consistent with the overall sandbox design: sandbox participation suspends market-facing compliance obligations, including the registration requirement that is specifically triggered by market placement intent. A sandbox participant who has not yet decided whether to proceed to market deployment has no current Art.45 obligation — that obligation crystallises when the decision to place the system on the market is made and the conformity assessment process is initiated.

On sandbox exit with intent to market, the provider must complete the full registration sequence: conformity assessment, EU declaration of conformity, EUID registration — all before the first commercial deployment.

Summary

EU AI Act Art.45 establishes the EU database for high-risk AI systems as both a regulatory accountability tool and a market transparency instrument. The key practical obligations are: register before market placement (not after), maintain registration data throughout the product lifecycle, and for systems in biometric identification, law enforcement, and justice categories, notify deployers of their independent registration obligations. The EUID entry must cross-reference the EU declaration of conformity, and where a notified body was involved, the certificate reference must be included and kept current as certificate status changes.

The database is the EU AI Act's primary mechanism for creating verifiable, public accountability for high-risk AI systems — making Art.45 compliance not just a regulatory requirement but a trust signal in commercial relationships with deployers and regulated entities across the EU single market.