EU AI Act Art.46: EU Declaration of Conformity — What Providers Must Declare, Sign, and Retain (2026)

The EU declaration of conformity (EU DoC) is the formal legal instrument through which a provider of a high-risk AI system asserts, under their own legal responsibility, that the system complies with all applicable requirements of the EU AI Act. Article 46 of the EU AI Act requires providers to draw up this declaration before placing the system on the market or putting it into service — not as a bureaucratic checkpoint, but as the mechanism that converts a completed conformity assessment into a legally attributable compliance statement that can be inspected by market surveillance authorities, referenced by deployers in due diligence, and cross-referenced in the EU AI database registration.

For developers building high-risk AI systems, the EU DoC is the output document of the entire pre-market compliance sequence. It links the provider's identity, the system's technical identity, the conformity assessment procedure that was applied, the harmonized standards and common specifications used, and — where applicable — the notified body certificates obtained. Once signed, it triggers the right to affix CE marking and the obligation to register the system in the EU AI database. Before it is signed, the system cannot legally enter the EU market.

What the EU Declaration of Conformity Is

The EU DoC is a written declaration prepared by the provider and signed by a person authorised to act on behalf of the provider's legal entity. It is not a certificate issued by a third party — unlike a notified body certificate, which is issued by an external conformity assessment body, the EU DoC is the provider's own declaration of their own compliance. This distinction matters: the provider bears sole legal responsibility for the accuracy of the EU DoC's contents. If the system does not in fact comply with the requirements cited in the declaration, the provider is liable for a non-compliant EU DoC, not just for the underlying technical deficiency.

The EU DoC must be drawn up for each high-risk AI system individually. A single EU DoC covering multiple AI systems is not permitted — each system requires its own declaration, reflecting its own conformity assessment, its own technical documentation, and its own applicable standards references.

Once drawn up, the EU DoC must be kept on file by the provider for a period of ten years after the AI system has been placed on the market or put into service. This retention period mirrors the technical documentation retention obligation and ensures that market surveillance authorities investigating systems that have been deployed in the field for several years retain access to the conformity documentation baseline.

Who Must Draw Up the EU DoC

The obligation to draw up the EU DoC falls on the provider — the natural or legal person who places the high-risk AI system on the market or puts it into service under their own name or trademark. This definition captures:

• Software companies and AI developers who build and market high-risk AI products commercially
• Organisations that develop high-risk AI systems for internal deployment under their own name or brand
• Distributors who substantially modify a high-risk AI system acquired from another provider — modification that changes the system's compliance status creates a new provider obligation, including drawing up a new EU DoC

For providers established outside the EU who place high-risk AI systems on the EU market, the EU DoC obligation flows through the authorised representative designated under Art.22 of the EU AI Act. The authorised representative acts on the provider's behalf and may sign the EU DoC where authorised to do so by the non-EU provider.

The EU DoC is signed by a natural person — specifically, a person authorised to bind the legal entity that is the provider. This is typically a director, officer, or compliance manager with appropriate delegated authority. The signature creates the legal attribution that makes the declaration enforceable: it is a commitment made by an identifiable individual on behalf of a specific legal entity, not an anonymous organisational filing.

Mandatory Content: What Annex V Requires

The EU AI Act specifies the required content of the EU DoC in Annex V. Every EU DoC for a high-risk AI system must contain all of the following elements:

Provider identification

The full name and registered address of the provider must be stated. For providers established outside the EU, the name and address of the EU authorised representative must also be included. This identification requirement serves the enforcement function: it establishes who bears responsibility for the declaration and who can be contacted by market surveillance authorities.

AI system identification

The EU DoC must identify the AI system with sufficient precision to be unambiguous. Required identifiers include:

• The name and type of the AI system
• The model number, version number, or other identifier
• Any batch or serial number if applicable
• The intended purpose as described in the technical documentation

The version identifier is particularly important for lifecycle management: as the system is updated or modified, the EU DoC version must track which version of the system was assessed and which conformity evidence supports that specific version.

Statement of sole responsibility

The EU DoC must contain an explicit statement that the provider bears sole responsibility for compliance with the EU AI Act requirements. This statement is not optional formality — it is the legal predicate for market surveillance enforcement. By signing a declaration that includes this statement, the provider formally accepts that they are the accountable party for the system's compliance in the EU market.

Conformity assessment reference

The EU DoC must state which conformity assessment procedure was applied to the system under Art.43 of the EU AI Act. The two main options are:

• Internal control assessment (Annex VI procedure): used for high-risk AI systems that do not fall within the category of biometric identification and categorisation systems, and where no harmonized standards cover all applicable requirements
• Notified body conformity assessment (Annex VII procedure): used when required by the applicable Annex III category or chosen voluntarily by the provider

Where a notified body was involved, the EU DoC must include the name and identification number of the notified body and the certificate number and date of issue of any certificates obtained. This cross-reference allows market surveillance authorities to verify that the certificate cited in the EU DoC actually exists in the NANDO (New Approach Notified and Designated Organisations) database.

Harmonized standards and common specifications

Where the provider has applied harmonized standards published in the Official Journal of the EU, the EU DoC must list each standard by its reference number and title. Compliance with a harmonized standard creates a presumption of conformity with the corresponding EU AI Act requirements — the EU DoC captures which standards were relied upon to establish this presumption.

Where common specifications adopted by the European Commission under Art.41 of the EU AI Act were applied, the EU DoC must reference these as well. Common specifications fill gaps not covered by harmonized standards and carry the same presumption of conformity effect.

If neither harmonized standards nor common specifications were applied, and the provider relied on alternative technical solutions to demonstrate conformity, the EU DoC must note this and the technical documentation must explain the alternative approach.

Technical documentation reference

The EU DoC must include a reference to the technical documentation that was compiled under Art.11 and Annex IV of the EU AI Act. This is not a document number that appears in any registry — it is an internal reference that allows market surveillance authorities who obtain access to the provider's technical documentation to verify that the documentation they are reviewing corresponds to the system identified in the EU DoC.

Declaration text, place, date, and signature

The EU DoC must include the place and date of issue, the identity and function of the person signing, and their signature. The signature must be by a person with authority to bind the provider legally. The date of the EU DoC should correspond to the completion of the conformity assessment — it is the date on which the provider concluded that the system is compliant and accepted responsibility for that conclusion.

Timing: Where the EU DoC Fits in the Compliance Sequence

The EU DoC is signed after the conformity assessment is completed and before the system is placed on the market or put into service. This positions it as the final pre-market legal instrument in the compliance sequence. The correct ordering is:

1. Compile technical documentation (Art.11 + Annex IV)
2. Implement quality management system (Art.17)
3. Complete conformity assessment (Art.43) — internal control or notified body review
4. Obtain notified body certificate (if applicable, Art.44)
5. Draw up and sign EU declaration of conformity (Art.46) — this step
6. Register in the EU AI database (Art.45) — EU DoC reference must be included in registration
7. Affix CE marking (Art.48) — cannot affix CE marking before EU DoC exists
8. Place product on market or put into service

Steps 5, 6, and 7 are mutually dependent: the EU DoC must exist before the EUID registration can be completed (the registration entry must cross-reference the EU DoC), and both must exist before CE marking can be applied. Steps 6 and 7 can be performed in either order once step 5 is complete, but step 5 is a prerequisite for both.

Update Obligations: When the EU DoC Must Be Revised

The EU DoC is not a static document — it must be updated when circumstances change in ways that affect its accuracy or continued validity.

Substantial modification

When a high-risk AI system is substantially modified — meaning a change that triggers a new conformity assessment obligation under Art.43 — the provider must draw up a new or revised EU DoC reflecting the new conformity assessment. The original EU DoC cannot continue to serve as the compliance basis for the modified system; the modification creates a new compliance question that requires a new conformity assessment answer, and the EU DoC must capture that answer.

Notified body certificate changes

If a certificate issued by a notified body and referenced in the EU DoC is suspended, restricted, or withdrawn, the EU DoC must be updated to reflect the change. An EU DoC that references a suspended certificate is inaccurate on its face — it implies conformity support that no longer exists. The provider has an obligation to maintain the accuracy of the EU DoC throughout the period it remains in effect.

Provider information changes

Changes to the provider's legal identity — a corporate restructuring, address change, or transfer of product to a different legal entity — require corresponding updates to the EU DoC's provider identification section. The EU DoC must accurately identify the current legal entity bearing responsibility for the system's compliance.

Languages

The EU DoC must be drawn up in the official languages of the Member States in which the high-risk AI system is placed on the market or put into service, or in a language accepted by those Member States. For products marketed across multiple EU Member States, this typically means maintaining translations of the EU DoC in multiple languages.

In practice, many providers maintain the EU DoC in English as a working language and prepare translations for Member States where language requirements apply specifically. Some Member States accept English-language EU DoCs; others require a translation into their official language as a condition of market access. Providers should verify language requirements for each target market.

EU DoC and the EU AI Database (Art.45)

The EU AI database registration entry for a high-risk AI system must include a cross-reference to the EU declaration of conformity. The EUID registration form requires the EU DoC reference number (an internal identifier assigned by the provider) and the date of issue. This creates a bidirectional link: the EU DoC's technical documentation reference traces back to the assessment evidence, while the EUID database entry traces forward to the publicly accessible compliance signal.

This cross-referencing requirement means the EU DoC must exist — and must have an assigned reference identifier — before the EUID registration can be completed. Providers who attempt to register in the EUID before drawing up the EU DoC will find the registration form incomplete.

The EUID registration creates the public accountability layer; the EU DoC creates the legal accountability layer. Together, they operationalise the EU AI Act's transparency framework for high-risk AI systems: a market surveillance authority who finds a system in the EUID can retrieve the EU DoC reference, obtain the EU DoC from the provider, and verify that the conformity assessment cited in the EU DoC matches the evidence in the technical documentation.

EU DoC and CE Marking (Art.48)

CE marking on a high-risk AI system — the marking that signals EU conformity on the product — cannot be applied until the EU declaration of conformity has been drawn up. The CE marking requirement in Art.48 of the EU AI Act is explicit: CE marking may be affixed only after the EU DoC has been drawn up.

This sequencing means that CE marking is the visual signifier that a complete conformity process — assessment completed, EU DoC signed, registration pending or completed — has occurred. CE marking applied before the EU DoC exists constitutes improper use of CE marking and is a distinct violation of the EU AI Act, separate from any substantive non-compliance with technical requirements.

EU DoC During Regulatory Sandbox Participation (Art.44)

AI systems under development within a regulatory sandbox established under Art.44 of the EU AI Act are not required to have a completed EU DoC while sandbox testing is ongoing. The sandbox framework temporarily suspends market-facing compliance obligations — including the EU DoC requirement — for the duration of sandbox participation, provided the system remains within the sandbox and is not placed on the market or put into service commercially.

The EU DoC obligation activates when the provider exits the sandbox with intent to place the system on the market. At that point, the provider must complete the full compliance sequence: conformity assessment, EU DoC, EUID registration, CE marking — before commercial deployment.

Python Implementation

from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from enum import Enum


class ConformityAssessmentProcedure(Enum):
    INTERNAL_CONTROL = "Annex VI — Internal control"
    NOTIFIED_BODY = "Annex VII — Notified body conformity assessment"


@dataclass
class NotifiedBodyCertificate:
    notified_body_name: str
    notified_body_id_number: str  # EU identification number
    certificate_number: str
    certificate_date: date
    certificate_valid_until: Optional[date] = None  # None = indefinite


@dataclass
class EUDeclarationOfConformity:
    # Provider identification
    provider_name: str
    provider_address: str
    provider_registration_number: Optional[str] = None
    authorised_representative_name: Optional[str] = None  # for non-EU providers
    authorised_representative_address: Optional[str] = None

    # AI system identification
    system_name: str = ""
    system_type: str = ""
    system_version: str = ""
    system_batch_serial: Optional[str] = None
    intended_purpose: str = ""

    # Conformity assessment
    assessment_procedure: ConformityAssessmentProcedure = ConformityAssessmentProcedure.INTERNAL_CONTROL
    notified_body_certificates: list[NotifiedBodyCertificate] = field(default_factory=list)

    # Standards and specifications
    harmonized_standards: list[str] = field(default_factory=list)
    common_specifications: list[str] = field(default_factory=list)
    alternative_technical_solutions: Optional[str] = None  # if no standards applied

    # Documentation reference
    technical_documentation_reference: str = ""

    # Signature
    place_of_issue: str = ""
    date_of_issue: Optional[date] = None
    signatory_name: str = ""
    signatory_function: str = ""

    # Lifecycle metadata
    doc_reference_id: str = ""  # internal ID for EUID cross-reference
    languages_available: list[str] = field(default_factory=list)

    def validate(self) -> list[str]:
        errors = []
        required_fields = [
            ("provider_name", self.provider_name),
            ("provider_address", self.provider_address),
            ("system_name", self.system_name),
            ("system_type", self.system_type),
            ("system_version", self.system_version),
            ("intended_purpose", self.intended_purpose),
            ("technical_documentation_reference", self.technical_documentation_reference),
            ("place_of_issue", self.place_of_issue),
            ("signatory_name", self.signatory_name),
            ("signatory_function", self.signatory_function),
            ("doc_reference_id", self.doc_reference_id),
        ]
        for field_name, value in required_fields:
            if not value:
                errors.append(f"Required field missing: {field_name}")

        if self.date_of_issue is None:
            errors.append("date_of_issue is required")

        if (self.assessment_procedure == ConformityAssessmentProcedure.NOTIFIED_BODY
                and not self.notified_body_certificates):
            errors.append(
                "Notified body assessment procedure selected but no certificates provided"
            )

        if (not self.harmonized_standards
                and not self.common_specifications
                and not self.alternative_technical_solutions):
            errors.append(
                "Must specify harmonized standards, common specifications, "
                "or alternative technical solutions"
            )

        if not self.languages_available:
            errors.append("Must specify languages in which EU DoC is available")

        return errors

    def is_complete(self) -> bool:
        return len(self.validate()) == 0

    def requires_update_on_certificate_change(self) -> bool:
        return (
            self.assessment_procedure == ConformityAssessmentProcedure.NOTIFIED_BODY
            and len(self.notified_body_certificates) > 0
        )

15-Item EU DoC Compliance Checklist

Drawing Up the EU DoC (5 items)

• Confirm AI system is within Annex III scope and that conformity assessment has been fully completed before drawing up the EU DoC
• Include all mandatory Annex V content elements: provider identification, system identification (name, type, version), sole responsibility statement, conformity assessment procedure reference, standards/specifications, technical documentation reference, and signatory details
• If notified body assessment was conducted: include notified body name, EU identification number, certificate number, and certificate date for each certificate obtained
• Assign an internal EU DoC reference ID (alphanumeric identifier) — this ID is required in the EUID database registration cross-reference
• Have the EU DoC signed by a person with documented legal authority to bind the provider entity (verify delegation of authority exists and is on file)

Timing and Sequencing (3 items)

• Confirm EU DoC is drawn up after conformity assessment completion and before any EUID registration or CE marking activities
• Complete EUID database registration (Art.45) after EU DoC is available — include EU DoC reference ID in the EUID entry
• Do not affix CE marking (Art.48) until EU DoC has been drawn up and EU DoC reference ID is available

Language and Retention (3 items)

• Prepare EU DoC in the official languages of each EU Member State where the system will be placed on the market (or in languages accepted by those Member States)
• Establish a document retention system that will preserve the EU DoC for 10 years after market placement or first putting into service
• Store EU DoC in a location accessible to market surveillance authorities upon request — physical or electronic access must be possible within a reasonable timeframe

Lifecycle Management (4 items)

• Define trigger conditions for EU DoC update: substantial modifications (new conformity assessment → revised EU DoC), notified body certificate suspension/restriction/withdrawal, provider name/address changes, transfer of product to new legal entity
• If notified body certificates are referenced: monitor certificate status in NANDO database and update EU DoC if certificate status changes
• On substantial modification: draw up a new EU DoC, update EUID registration cross-reference, and determine whether CE marking must be re-examined
• Maintain a version history of EU DoC revisions internally (original + each revised version with effective dates) so that the conformity evidence for each version of the AI system remains traceable

Summary

EU AI Act Art.46 requires providers of high-risk AI systems to draw up an EU declaration of conformity before market placement — a formal legal declaration, signed under sole responsibility, that identifies the provider and system, states the conformity assessment procedure applied, references the standards and specifications relied upon, and points back to the technical documentation. The EU DoC is the legal instrument that converts a completed conformity process into a market-access enabler: it is a prerequisite for EUID registration, a prerequisite for CE marking, and a document that must be retained for ten years and kept current as the system evolves.

For developers and compliance teams, the practical priority is sequencing: complete the conformity assessment, then draw up the EU DoC, then register in the EUID, then apply CE marking — in that order, before the system ships. Getting the sequence right avoids the situation of a system that is technically compliant but procedurally in breach because the documentation obligations were completed out of order.

See Also

• EU AI Act Art.45: EU Database for High-Risk AI Systems — EUID registration must cross-reference the EU DoC reference ID; registration requires EU DoC to be drawn up first
• EU AI Act Art.44: AI Regulatory Sandboxes — EU DoC obligation is suspended during sandbox participation; activates when exiting sandbox with market intent
• EU AI Act Art.43: GPAI Models with Systemic Risk — Obligations and Evaluation — GPAI model systemic risk evaluation is a distinct track from the high-risk AI system EU DoC obligation
• EU AI Act Art.42: Transparency Obligations for Certain AI Systems — transparency obligations for certain AI systems (chatbot disclosure, deepfake labeling) apply in parallel with the EU DoC obligation for systems that are both high-risk and transparency-subject