2026-04-23·11 min read·

EU AI Act Art.49: Registration of High-Risk AI Systems — EUID, EU Database, and Pre-Placement Obligation (2026)

CE marking under Art.47 signals conformity. Union protection under Art.48 defines the post-market enforcement chain. But between conformity assessment completion and market placement, one final step is mandatory for most high-risk AI systems: registration in the EU database established under Art.71. Article 49 of the EU AI Act creates that obligation — and the EU Database Identification Number (EUID) it generates becomes the system's permanent regulatory identifier, linking the provider's conformity documentation to the market surveillance system.

For developers and providers, Art.49 is not a bureaucratic formality. It is the gate that controls the legal right to place a high-risk AI system on the EU market. Missing or incomplete registration is a formal non-compliance trigger under Art.48 — meaning market surveillance authorities can initiate corrective action, including withdrawal from the market, on that ground alone. Understanding what to register, when, and how, determines whether deployment is legally valid.

Art.49 in the High-Risk AI Compliance Chain

Art.49 sits at the intersection of pre-market compliance and post-market visibility. It transforms the provider's internal conformity documentation into a publicly accessible record — accountable to market surveillance authorities, deployers, and (for non-sensitive categories) the general public.

Phase	Article	Actor	Output
Pre-Market	Art.9	Provider	Risk management system established
Pre-Market	Art.43	Provider ± Notified Body	Conformity assessment complete
Pre-Market	Art.46	Provider	EU Declaration of Conformity (EU DoC) drawn up
Pre-Market	Art.47	Provider	CE marking affixed
Pre-Market	Art.49	Provider	Registration in EU database — EUID issued
Market Placement	Art.16(g)	Provider	System placed on market or put into service
Post-Market	Art.72	Provider	Post-market monitoring system operational
Post-Market	Art.48	MSA	Union protection mechanism, corrective actions

The EUID issued under Art.49 links all phases: it appears in the EU DoC (Art.46), on the CE marking documentation, in post-market monitoring reports (Art.72), and in serious incident notifications (Art.73). Once issued, it is the primary reference identifier across the entire lifecycle.

Who Must Register Under Art.49

Art.49 creates registration obligations across multiple actor types, depending on where the AI system originates and how it reaches end users.

Providers (Art.49(1))

Providers who intend to place a high-risk AI system listed in Annex III on the EU market or put it into service in the EU must register in the EU database before placement or commissioning. This is the primary obligation — no registration, no lawful market placement.

The obligation covers:

Providers established in the EU placing systems on the EU market
Non-EU providers placing systems on the EU market (typically fulfilled through their authorised representative — Art.49(3))
Providers updating an already-registered system with a substantial modification triggering a new conformity assessment under Art.43

Authorised Representatives (Art.49(3))

Non-EU providers must designate an authorised representative in the EU under Art.22. That representative has an explicit Art.49(3) registration obligation: they must register the system on behalf of the non-EU provider before the provider can place the system on the EU market.

This makes the authorised representative the regulatory point of entry for non-EU AI systems — and the entity whose identity appears in the EU database alongside the system's registration record.

Deployers of Public-Sector High-Risk AI (Art.49(4) and Art.49(6))

Where a deployer uses a high-risk AI system in the context of public services — and especially where the deployer has assumed provider obligations under Art.25 — they carry their own registration obligation. This applies particularly to:

Public authorities using Annex III AI systems in immigration, asylum, or border control
Deployers who have substantially modified a third-party system, triggering the Art.25 provider obligations
Operators of AI systems in the biometric categorisation or emotion recognition categories where the deployer takes on provider-equivalent duties

General-Purpose AI Models with Systemic Risk

General-purpose AI (GPAI) models classified as posing systemic risk under Art.51 are subject to separate obligations (Art.52-53) but are not covered by Art.49 registration. The EU database under Art.71 covers Annex III high-risk AI systems. GPAI models with systemic risk are notified directly to the Commission, not the public database.

What Systems Must Be Registered (Annex III Scope)

Art.49 registration applies to all high-risk AI systems listed in Annex III — the positive list of use cases where high-risk classification applies by default. These cover eight domains:

Domain	Examples
1. Biometric identification and categorisation	Real-time and post-hoc remote biometric identification systems (with Art.5 prohibition carve-outs)
2. Critical infrastructure management	Safety components in water, gas, electricity, road traffic, railway AI
3. Education and vocational training	Exam assessment AI, admission scoring, educational monitoring
4. Employment and HR	CV screening, interview assessment, performance monitoring AI
5. Essential private and public services	Credit scoring, insurance pricing, public benefits eligibility AI
6. Law enforcement	Risk assessment, polygraph, crime prediction, evidence evaluation AI
7. Migration, asylum, border control	Document verification, risk assessment, return decision support AI
8. Administration of justice	Dispute resolution support AI, court scheduling AI

Exception: Certain law enforcement (Art.49(6)), national security, military, and intelligence systems are excluded from the public-facing EU database. These systems may be maintained in a restricted, non-public section of the database accessible only to competent authorities.

The EUID — EU Database Identification Number

When a provider completes registration in the EU database, the system assigns a unique EUID (EU Database Identification Number). This number serves as the system's permanent regulatory identifier across its entire lifecycle.

What the EUID Links

EUID → EU Declaration of Conformity (Art.46)
     → CE Marking Documentation (Art.47)
     → Technical Documentation (Art.11, Annexes IV/IX)
     → Post-Market Monitoring Reports (Art.72)
     → Serious Incident Notifications (Art.73)
     → Market Surveillance Authority Records (Art.74-81)

EUID Format and Persistence

The EUID format follows EU database system conventions — typically a structured alphanumeric identifier including the provider's registration code, system category code, and issuance sequence number. Once issued, the EUID does not change for the lifetime of the system unless a substantial modification under Art.6(3) triggers a new conformity assessment — at which point a new registration (and new EUID) is required.

EUID in the EU DoC

Under Art.46(1)(d), the EU Declaration of Conformity must include the EUID. This creates a direct dependency: the EU DoC cannot be completed and finalised until registration is done and the EUID is issued. This reinforces the sequential ordering: conformity assessment → technical documentation → EU DoC → registration → CE marking → market placement.

Registration Procedure Under Art.49

The EU database is administered by the European Commission (Art.71(1)). Registration follows a structured procedure.

Step 1: Prepare Registration Data

Before accessing the EU database, providers must assemble the information fields required for a complete registration record. Incomplete registration is treated as non-registration for enforcement purposes.

Mandatory Data Fields (Art.49(2) and Art.71(6)):

Field	Content
Provider identity	Name, registered address, contact details
System name	Trade name and version
System description	Intended purpose, use case, affected persons
Annex III classification	Which point(s) of Annex III apply
Conformity assessment type	Internal control (Annex VI) or Notified Body (Annexes VII/VIII/IX/X)
Notified Body details	If applicable: name, identification number, certificate reference
EU DoC reference	Unique identifier of the EU Declaration of Conformity
CE marking status	Confirmation that CE marking is or will be affixed
Post-market monitoring contact	Contact point for monitoring-related correspondence
AI system lifecycle status	Placed on market / put into service / withdrawn / recalled
Countries of market placement	EU Member States where the system is or will be placed
Authorised representative details	If provider is non-EU: name, address, contact details of EU representative

Step 2: Submit Registration

Registration is submitted through the EU database interface. Non-EU providers must submit through their authorised representative's account (Art.49(3)). The Commission processes the submission and assigns the EUID.

Step 3: Receive and Record EUID

Once registration is confirmed, the EUID is issued. The provider must:

Record the EUID in the EU Declaration of Conformity (Art.46(1)(d))
Include the EUID in all technical documentation (Annex IV, section on certificates and authorisations)
Include the EUID in CE marking documentation
Update post-market monitoring records to reference the EUID

Step 4: Update Registration for Lifecycle Changes

Registration is not a one-time act. Providers must update registration records when:

The AI system undergoes a substantial modification (Art.6(3)) — new EUID required after new conformity assessment
The system is withdrawn from the market (Art.16(k))
The system is recalled (Art.79(1)(a))
The authorised representative changes (Art.22)
Contact details or provider identity changes

Step 5: Maintain Registration Accuracy

Market surveillance authorities (MSAs) cross-check registration data against technical documentation and EU DoCs during market surveillance activities (Art.74-80). Inaccurate or outdated registration data constitutes formal non-compliance under Art.48 — triggering the same corrective action pipeline as a defective CE marking.

Public vs. Restricted Information in the EU Database

Art.71 makes the EU database publicly accessible by default, but creates a restricted section for sensitive categories.

Public Information (Art.71(4))

The following data is accessible to any member of the public:

Provider identity and contact details
System name and description
Intended purpose and Annex III classification
CE marking and conformity assessment status
Countries of market placement
EUID

This public access is intentional: it enables deployers, affected persons, and civil society to identify which high-risk AI systems are authorised for the EU market — and to verify that a system claiming compliance is actually registered.

Restricted Information (Art.71(5) and Art.49(6))

The following data is not publicly accessible:

Technical documentation contents (protected as confidential business information under Art.78)
Internal testing and validation data
Law enforcement, national security, and military AI systems (maintained in a non-public section, accessible only to competent authorities)
Any other information marked as confidential by the provider where the Commission agrees

For law enforcement AI under Annex III, point 6 — including predictive policing systems, AI used in criminal investigations, and biometric identification for law enforcement purposes — registration is still required under Art.49, but the record is maintained in the restricted section. Market surveillance authorities and the Commission can access these records; the public cannot.

Cross-Border and Multi-Jurisdiction Considerations

When a provider places a high-risk AI system in multiple EU Member States, a single registration in the EU database covers all Member States — the EUID is Union-wide, not per-country. However, the registration record must list all countries of intended deployment.

This single-registration model has important implications:

Market surveillance cross-border coordination: Under Art.88, MSAs from different Member States can request information from each other about registered systems. The EUID is the cross-border reference identifier enabling this coordination.

Post-market monitoring scope: The provider's post-market monitoring obligation under Art.72 covers all countries listed in the registration. Data collected in one Member State must be considered for all markets.

Corrective action scope: A corrective action order by one MSA (Art.79) does not automatically apply Union-wide. However, under Art.82, if the Commission determines the national MSA measure is justified, a Union-wide equivalent measure may follow. The EUID is the reference for both the national and Union-level decisions.

While Art.49 primarily binds providers, deployers have connected obligations:

Verify registration before deployment: Deployers of Annex III high-risk AI systems should verify that the system is registered in the EU database before use — particularly for public-sector deployments where deployer accountability is higher. Deploying an unregistered system creates deployer-side risk in the event of an incident.

Report to provider if EUID is absent: If a provider supplies a high-risk AI system without a EUID, deployers should treat this as a potential non-compliance indicator and raise it with the provider before deployment.

Notify MSA in cases of provider non-compliance: Under Art.86, users and deployers have the right (and in some contexts the obligation) to report AI system non-compliance to national MSAs. An absent EUID is a reportable non-compliance indicator.

Deployer-side registration (Art.49(4)): Where a deployer has assumed provider obligations under Art.25 (e.g., by substantially modifying a third-party system), they must themselves register the modified system — they become the effective provider for registration purposes.

Python Implementation: EUIDRegistrationManager

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hashlib
import datetime

class AnnexIIICategory(Enum):
    BIOMETRIC = "annex_iii_1_biometric"
    CRITICAL_INFRASTRUCTURE = "annex_iii_2_critical_infra"
    EDUCATION = "annex_iii_3_education"
    EMPLOYMENT = "annex_iii_4_employment"
    ESSENTIAL_SERVICES = "annex_iii_5_essential_services"
    LAW_ENFORCEMENT = "annex_iii_6_law_enforcement"
    MIGRATION = "annex_iii_7_migration"
    JUSTICE = "annex_iii_8_justice"

class ConformityAssessmentType(Enum):
    INTERNAL_CONTROL = "annex_vi"
    QUALITY_MANAGEMENT = "annex_ix"
    TECHNICAL_DOCUMENTATION = "annex_vii"
    NOTIFIED_BODY_ASSESSMENT = "annex_viii"

class RegistrationStatus(Enum):
    DRAFT = "draft"
    SUBMITTED = "submitted"
    REGISTERED = "registered"
    UPDATED = "updated"
    WITHDRAWN = "withdrawn"
    RECALLED = "recalled"

@dataclass
class ProviderRecord:
    name: str
    registered_address: str
    contact_email: str
    eu_established: bool
    authorised_representative_name: Optional[str] = None
    authorised_representative_address: Optional[str] = None

@dataclass
class AISystemRegistration:
    system_name: str
    system_version: str
    intended_purpose: str
    annex_iii_categories: list[AnnexIIICategory]
    conformity_assessment_type: ConformityAssessmentType
    eu_doc_reference: str
    member_states: list[str]
    provider: ProviderRecord
    notified_body_id: Optional[str] = None
    notified_body_certificate: Optional[str] = None
    euid: Optional[str] = None
    registration_status: RegistrationStatus = RegistrationStatus.DRAFT
    registration_date: Optional[datetime.date] = None
    last_updated: Optional[datetime.date] = None
    law_enforcement_restricted: bool = False

class EUIDRegistrationManager:
    """Manages Art.49 EU database registration and EUID lifecycle."""

    def validate_registration_data(self, reg: AISystemRegistration) -> list[str]:
        gaps = []
        if not reg.system_name:
            gaps.append("System name required (Art.49(2))")
        if not reg.intended_purpose:
            gaps.append("Intended purpose required (Art.49(2))")
        if not reg.annex_iii_categories:
            gaps.append("At least one Annex III category required (Art.49(1))")
        if not reg.eu_doc_reference:
            gaps.append("EU DoC reference required (Art.49(2) + Art.46(1)(d))")
        if not reg.member_states:
            gaps.append("At least one Member State of deployment required")
        if not reg.provider.eu_established:
            if not reg.provider.authorised_representative_name:
                gaps.append("Non-EU provider must designate authorised representative (Art.49(3))")
        if reg.conformity_assessment_type == ConformityAssessmentType.NOTIFIED_BODY_ASSESSMENT:
            if not reg.notified_body_id:
                gaps.append("Notified Body ID required for third-party assessment (Art.49(2))")
            if not reg.notified_body_certificate:
                gaps.append("Notified Body certificate reference required (Art.49(2))")
        return gaps

    def generate_euid(self, reg: AISystemRegistration) -> str:
        """Simulate EUID assignment (real EUID issued by EU database system)."""
        base = f"{reg.provider.name}:{reg.system_name}:{reg.system_version}"
        category_code = reg.annex_iii_categories[0].value[:6].upper()
        hash_fragment = hashlib.sha256(base.encode()).hexdigest()[:8].upper()
        year = datetime.date.today().year
        return f"EU-AIDB-{category_code}-{year}-{hash_fragment}"

    def submit_registration(self, reg: AISystemRegistration) -> dict:
        gaps = self.validate_registration_data(reg)
        if gaps:
            return {"status": "rejected", "gaps": gaps}
        euid = self.generate_euid(reg)
        reg.euid = euid
        reg.registration_status = RegistrationStatus.REGISTERED
        reg.registration_date = datetime.date.today()
        reg.last_updated = datetime.date.today()
        return {
            "status": "registered",
            "euid": euid,
            "registration_date": str(reg.registration_date),
            "restricted": reg.law_enforcement_restricted,
            "action": (
                "Update EU DoC with EUID per Art.46(1)(d). "
                "Include EUID in CE marking documentation. "
                "Reference EUID in post-market monitoring (Art.72)."
            ),
        }

    def update_for_substantial_modification(self, reg: AISystemRegistration, new_eu_doc_ref: str) -> dict:
        """Substantial modification (Art.6(3)) requires new registration and EUID."""
        old_euid = reg.euid
        reg.eu_doc_reference = new_eu_doc_ref
        reg.euid = None
        reg.registration_status = RegistrationStatus.DRAFT
        result = self.submit_registration(reg)
        result["previous_euid"] = old_euid
        result["note"] = "New EUID issued after substantial modification per Art.6(3) and Art.49(1)."
        return result

    def withdraw_registration(self, reg: AISystemRegistration, reason: str) -> dict:
        reg.registration_status = RegistrationStatus.WITHDRAWN
        reg.last_updated = datetime.date.today()
        return {
            "euid": reg.euid,
            "status": "withdrawn",
            "reason": reason,
            "date": str(reg.last_updated),
            "note": "EU database record marked as withdrawn. CE marking must be removed per Art.47 obligations.",
        }

    def check_public_access(self, reg: AISystemRegistration) -> dict:
        public_fields = ["system_name", "intended_purpose", "annex_iii_categories",
                        "member_states", "euid", "registration_status"]
        restricted = reg.law_enforcement_restricted
        return {
            "publicly_accessible": not restricted,
            "public_fields": public_fields if not restricted else [],
            "restricted_reason": (
                "Law enforcement Annex III point 6 system — restricted section per Art.49(6)" 
                if restricted else None
            ),
        }

Art.49 Registration Compliance Checklist

Use this checklist before placing any Annex III high-risk AI system on the EU market:

#	Requirement	Art. Reference	Status
1	Annex III classification confirmed for this system	Art.49(1)	☐
2	Conformity assessment completed (Annex VI/VII/VIII/IX/X)	Art.43	☐
3	EU Declaration of Conformity (EU DoC) drawn up	Art.46	☐
4	CE marking affixed (if Annex III, points 1-8 apply)	Art.47	☐
5	All mandatory registration data fields prepared	Art.49(2) + Art.71(6)	☐
6	Non-EU provider: authorised representative designated and submitting	Art.49(3)	☐
7	Registration submitted to EU database before market placement	Art.49(1)	☐
8	EUID received and recorded in EU DoC	Art.46(1)(d)	☐
9	EUID included in technical documentation	Annex IV	☐
10	Law enforcement system: confirmed restricted section (non-public)	Art.49(6)	☐
11	Post-market monitoring plan references EUID	Art.72	☐
12	Substantial modification procedure: new registration triggered	Art.6(3)	☐
13	Registration updated for lifecycle changes (withdrawal, recall, rep change)	Art.49	☐
14	Deployer verified EUID in EU database before use (public sector)	Art.49(4)	☐

What Art.49 Means in Practice

Art.49 completes the pre-market compliance sequence and opens the post-market accountability chain. The EUID it generates is not just a registration number — it is the regulatory thread that runs through conformity assessment records, EU declarations, CE markings, post-market monitoring data, and market surveillance enforcement actions.

The most common Art.49 non-compliance pattern is procedural sequencing: providers who treat registration as something to handle after market placement rather than before. Under Art.48(1), formal non-compliance with Art.49 — including late registration or registration after deployment — is grounds for corrective action by market surveillance authorities. The corrective measure can include withdrawal from the market until registration is completed.

For SaaS and cloud AI providers deploying Annex III systems across multiple Member States, the single-registration model is operationally straightforward. One EUID covers the entire EU deployment. But the data accuracy obligation — updating registration for lifecycle changes, authorised representative changes, and substantial modifications — requires building registration maintenance into the AI system's operational governance framework, not treating it as a one-time compliance checkbox.

The next step in the EU AI Act enforcement framework is Art.50 — transparency obligations for certain AI systems that interact with natural persons, including chatbots, emotion recognition systems, and AI-generated content. Art.50 applies regardless of Annex III classification, reaching categories of AI systems that may not require conformity assessment but still carry disclosure obligations when they interact with end users.