EU AI Act Art.16 Provider Obligations: Complete Developer Compliance Guide 2026
Post #1 in the sota.io EU AI Act Art.16 Provider Obligations Series
If you build, train, or place high-risk AI systems on the EU market, Article 16 of the EU AI Act is your master compliance checklist. It enumerates every obligation that providers — the developers and companies who bring these systems to market — must fulfil before and after deployment.
With the August 2, 2026 deadline for all non-GPAI high-risk AI obligations now 53 days away, understanding Art.16 in depth is no longer optional. This post breaks down all provider obligations, maps them to the specific articles that govern each one, and provides actionable implementation guidance you can start using today.
What Is a "Provider" Under the EU AI Act?
Under Art.3(3), a provider is "a natural or legal person, public authority, agency or other body that develops an AI system or a general-purpose AI model and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge."
This definition covers:
- Software companies that build and sell AI-powered SaaS products falling under Annex III
- Enterprises that develop AI systems for internal use and deploy them across subsidiaries
- Open-source maintainers who place AI systems on the market (whether paid or free)
- Cloud service providers who host AI systems that qualify as high-risk
Contrast with deployers (Art.3(4)): companies that integrate third-party AI systems but didn't build them. Deployers have separate obligations under Art.26 — and importers under Art.25 — covered in a future series in this blog.
The Annex III High-Risk Threshold
Art.16 obligations apply only when your AI system is high-risk under Annex III. The eight regulated domains are:
- Biometric identification and categorisation of natural persons
- Management and operation of critical infrastructure
- Education and vocational training
- Employment, workers management and access to self-employment
- Access to and enjoyment of essential private services and public services and benefits
- Law enforcement
- Migration, asylum and border control management
- Administration of justice and democratic processes
If your system falls into one of these domains, all Art.16 obligations apply in full from August 2, 2026. Use the Art.6 self-classification framework — covered in earlier posts in this series — to determine whether your system qualifies.
Art.16 Provider Obligations: The Complete Map
Before diving into implementation, here is the full obligation map showing every Art.16 duty and the articles that govern the specifics:
```
Art.16 Provider Obligations (EU AI Act 2024/1689)
│
├── Obligation A: Technical Requirements Compliance
│   └── Governed by: Arts.9–15 (Chapter III, Section 2)
│       ├── Art.9  Risk management system
│       ├── Art.10 Data and data governance
│       ├── Art.11 Technical documentation
│       ├── Art.12 Record-keeping
│       ├── Art.13 Transparency & instructions for use
│       ├── Art.14 Human oversight
│       └── Art.15 Accuracy, robustness, cybersecurity
│
├── Obligation B: Quality Management System
│   └── Governed by: Art.17
│
├── Obligation C: Technical Documentation
│   └── Governed by: Art.11 + Annex IV
│
├── Obligation D: Record-Keeping (Logs)
│   └── Governed by: Art.12
│
├── Obligation E: Conformity Assessment
│   └── Governed by: Art.43
│
├── Obligation F: Registration
│   └── Governed by: Art.49
│
├── Obligation G: Corrective Actions
│   └── Governed by: Art.20
│
├── Obligation H: CE Marking
│   └── Governed by: Art.48
│
├── Obligation I: Instructions for Use
│   └── Governed by: Art.13
│
└── Obligation J: Cooperate with Authorities
    └── Governed by: Arts.74–82 (Market Surveillance)
```
Obligation A: Comply with Technical Requirements (Arts.9–15)
The foundation of Art.16 is compliance with every technical requirement in Chapter III, Section 2. This is the largest block of work — seven articles covering the full engineering and operational lifecycle of a high-risk AI system.
Art.9 — Risk Management System
Your risk management system must be a continuous process across the system's entire lifecycle. It must identify and analyse known and reasonably foreseeable risks, estimate and evaluate emerging risks, and adopt risk management measures.
We covered the full Art.9 RMS implementation in the EU-AI-ACT-ART9-RISK-MANAGEMENT-SYSTEM-2026 series. The key integration point here: the RMS feeds directly into technical documentation (Art.11), conformity assessment (Art.43), and the QMS (Art.17).
Art.10 — Data and Data Governance
Training, validation, and testing data must meet practices covering relevance, representativeness, freedom from errors, and completeness. You must have data governance practices covering the intended purpose, data collection process, data preparation operations, and bias detection and mitigation.
Art.11 — Technical Documentation
Technical documentation must be drawn up before market placement and kept up to date throughout the system's lifecycle. It must contain all the information specified in Annex IV — eight sections covering general description, design choices, training methodology, testing and validation results, capability limitations, human oversight measures, and more.
Art.12 — Record-Keeping
High-risk AI systems must be designed and built with capabilities enabling automatic recording of events (logs) throughout their lifetime. The provider must keep these logs — at minimum for 6 months after market placement — to the extent they are under the provider's control.
Art.13 — Transparency and Instructions for Use
High-risk AI systems must be sufficiently transparent to enable deployers to interpret outputs and use them appropriately. This requires detailed instructions for use that cover the system's intended purpose, capability limitations, performance levels, human oversight requirements, and contact details for the provider.
Art.14 — Human Oversight
Systems must be designed and built — including with appropriate human-machine interface tools — so that they can be effectively overseen by natural persons during operation. We covered the full Art.14 implementation in the EU-AI-ACT-ART14-HUMAN-OVERSIGHT-2026 series.
Art.15 — Accuracy, Robustness and Cybersecurity
High-risk AI systems must achieve an appropriate level of accuracy, robustness, and cybersecurity. Systems must be resilient against errors, faults, inconsistencies, and adversarial manipulation. The CRA-DUAL-COMPLIANCE series covers the overlap between Art.15 and CRA cybersecurity requirements.
Compliance Tracking for Arts.9–15
```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class ComplianceStatus(Enum):
    NOT_STARTED = "not_started"
    IN_PROGRESS = "in_progress"
    COMPLETE = "complete"
    VERIFIED = "verified"  # Externally confirmed


@dataclass
class ArticleCompliance:
    article: str
    title: str
    status: ComplianceStatus
    owner: str
    due_date: str
    evidence_path: Optional[str] = None
    gaps: list[str] = field(default_factory=list)


CHAPTER_III_COMPLIANCE = [
    ArticleCompliance("Art.9", "Risk Management System",
                      ComplianceStatus.IN_PROGRESS, "ml-platform-team", "2026-07-15",
                      "docs/rms/risk-management-plan-v3.pdf"),
    ArticleCompliance("Art.10", "Data Governance",
                      ComplianceStatus.COMPLETE, "data-team", "2026-06-30",
                      "docs/data/training-data-governance.md"),
    ArticleCompliance("Art.11", "Technical Documentation",
                      ComplianceStatus.IN_PROGRESS, "compliance-team", "2026-07-20"),
    ArticleCompliance("Art.12", "Record-Keeping",
                      ComplianceStatus.COMPLETE, "infra-team", "2026-06-15",
                      "infra/logging/audit-log-spec.yaml"),
    ArticleCompliance("Art.13", "Transparency / Instructions for Use",
                      ComplianceStatus.COMPLETE, "product-team", "2026-06-30",
                      "docs/user-docs/instructions-for-use.md"),
    ArticleCompliance("Art.14", "Human Oversight",
                      ComplianceStatus.IN_PROGRESS, "product-team", "2026-07-15"),
    ArticleCompliance("Art.15", "Accuracy, Robustness, Cybersecurity",
                      ComplianceStatus.IN_PROGRESS, "security-team", "2026-07-25"),
]


def get_compliance_summary(items: list[ArticleCompliance]) -> dict:
    # Group article names by their current status
    by_status = {}
    for item in items:
        s = item.status.value
        by_status.setdefault(s, []).append(item.article)
    total = len(items)
    complete = sum(1 for i in items if i.status in
                   [ComplianceStatus.COMPLETE, ComplianceStatus.VERIFIED])
    return {
        # Guard against an empty list so the summary never divides by zero
        "completion_pct": round(complete / total * 100) if total else 0,
        "by_status": by_status,
        "critical_gaps": [i.article for i in items
                          if i.status == ComplianceStatus.NOT_STARTED]
    }
```
Obligation B: Quality Management System (Art.17)
Art.16 requires providers to have a QMS in place in accordance with Art.17. The QMS is your organisational backbone — it documents how your company ensures ongoing compliance, not just that it has complied at a point in time.
Art.17 requires the QMS to cover at minimum:
- Your policy on compliance with the AI Act
- Procedures for system design, development, and testing
- Data management procedures
- Your risk management system (linking Art.17 to Art.9)
- Post-market monitoring procedures (linking Art.17 to Art.72)
- Incident reporting procedures (linking Art.17 to Art.73)
- Change management and substantial modification processes
- Resource management
The QMS must be documented — oral practices don't count. Market surveillance authorities can request the QMS documentation during investigations.
```yaml
# QMS Document Registry (Art.17 compliant)
qms:
  version: "1.0"
  effective_date: "2026-07-01"
  scope: "High-Risk AI System: [System Name], Annex III Category [N]"
  documents:
    # Policy layer
    - id: "QMS-POL-001"
      title: "EU AI Act Compliance Policy"
      article_ref: "Art.17(1)(a)"
      owner: "CTO"
      review_cycle: "annual"
      current_version: "1.0"
    # Process layer
    - id: "QMS-PROC-001"
      title: "AI System Development Lifecycle"
      article_ref: "Art.17(1)(b)"
      owner: "Engineering Lead"
    - id: "QMS-PROC-002"
      title: "Data Governance and Management"
      article_ref: "Art.17(1)(c)"
      owner: "Data Team Lead"
    - id: "QMS-PROC-003"
      title: "Risk Management Process"
      article_ref: "Art.17(1)(d)"  # links to Art.9
      owner: "ML Platform Lead"
    - id: "QMS-PROC-004"
      title: "Post-Market Monitoring"
      article_ref: "Art.17(1)(e)"  # links to Art.72
      owner: "ML Ops Lead"
    - id: "QMS-PROC-005"
      title: "Serious Incident Reporting"
      article_ref: "Art.17(1)(f)"  # links to Art.73
      owner: "Compliance Officer"
    - id: "QMS-PROC-006"
      title: "Change Management and Substantial Modification"
      article_ref: "Art.17(1)(g)"  # links to Art.43(4)
      owner: "Engineering Lead"
    - id: "QMS-PROC-007"
      title: "Corrective and Preventive Action"
      article_ref: "Art.17(1)(h)"  # links to Art.20
      owner: "Quality Manager"
```
We covered the full Art.17 QMS implementation in the EU-AI-ACT-ART17-QUALITY-MANAGEMENT-SYSTEM-2026 series (5 posts, starting with foundations and ending with audit readiness).
Obligation C: Technical Documentation (Art.11 + Annex IV)
Art.16 requires providers to draw up technical documentation before market placement and keep it current throughout the system's lifecycle. The documentation must cover all eight sections specified in Annex IV.
The 8 Annex IV Sections
| Section | Contents |
|---|---|
| 1 | General description: intended purpose, name, version, type |
| 2 | Description of elements and development process |
| 3 | Information about monitoring, functioning and control |
| 4 | Description of appropriateness of performance metrics |
| 5 | Description of changes made through the lifecycle |
| 6 | Description of changes made by the provider and their performance impact |
| 7 | Assessment of the human oversight measures (Art.14) |
| 8 | Assessment of the technical documentation by a third party (if required by Art.43) |
```python
# Annex IV documentation completeness checker
ANNEX_IV_SECTIONS = {
    1: {
        "title": "General description",
        "required_fields": [
            "intended_purpose", "system_name", "version_number",
            "hardware_requirements", "deployment_regions"
        ]
    },
    2: {
        "title": "Elements and development process",
        "required_fields": [
            "system_architecture", "training_methodology",
            "training_dataset_description", "validation_results",
            "test_results"
        ]
    },
    3: {
        "title": "Monitoring, functioning and control",
        "required_fields": [
            "logging_specification", "monitoring_metrics",
            "alert_thresholds", "operator_instructions"
        ]
    },
    4: {
        "title": "Performance metrics appropriateness",
        "required_fields": [
            "metrics_selection_rationale", "benchmarks",
            "expected_performance_levels"
        ]
    },
    5: {
        "title": "Changes through lifecycle",
        "required_fields": [
            "change_log", "impact_assessments"
        ]
    },
    6: {
        "title": "Changes made by provider",
        "required_fields": [
            "modification_log", "re_validation_results"
        ]
    },
    7: {
        "title": "Human oversight assessment",
        "required_fields": [
            "oversight_mechanisms", "override_capabilities",
            "operator_competency_requirements"
        ]
    },
    8: {
        "title": "Third-party assessment (if applicable)",
        "required_fields": [
            "notified_body_name", "certificate_reference",
            "assessment_date"
        ]
    }
}


def check_annex_iv_completeness(documentation: dict) -> dict:
    # documentation maps section number -> {field_name: value}
    missing = {}
    for section_num, section_spec in ANNEX_IV_SECTIONS.items():
        section_data = documentation.get(section_num, {})
        missing_fields = [
            field for field in section_spec["required_fields"]
            if not section_data.get(field)
        ]
        if missing_fields:
            missing[section_num] = {
                "section_title": section_spec["title"],
                "missing_fields": missing_fields
            }
    total_sections = len(ANNEX_IV_SECTIONS)
    complete_sections = total_sections - len(missing)
    return {
        "complete": len(missing) == 0,
        "completion_pct": round(complete_sections / total_sections * 100),
        "missing_by_section": missing
    }
```
Obligation D: Record-Keeping (Art.12)
Providers must keep the logs automatically generated by their high-risk AI system — to the extent those logs are under the provider's control — throughout the system's lifetime.
Minimum retention is 6 months after each instance of use, unless other EU or national law requires longer retention (for example, GDPR or sector-specific regulations often require longer).
Art.12 Compliant Audit Logger
```python
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional
import logging

logger = logging.getLogger(__name__)


class Art12AuditLogger:
    """EU AI Act Art.12 compliant audit logger for high-risk AI systems."""

    MINIMUM_RETENTION_DAYS = 183  # 6 months + buffer

    def __init__(
        self,
        system_id: str,
        system_version: str,
        storage_backend,  # Your storage implementation
        retention_days: int = 183
    ):
        if retention_days < self.MINIMUM_RETENTION_DAYS:
            raise ValueError(
                f"Art.12 requires at least {self.MINIMUM_RETENTION_DAYS} day "
                f"retention. Configured: {retention_days}"
            )
        self.system_id = system_id
        self.system_version = system_version
        self.storage = storage_backend
        self.retention_days = retention_days

    def log_inference(
        self,
        input_hash: str,       # SHA-256 of input, never raw PII
        output_category: str,  # High-level output classification
        confidence_score: float,
        human_reviewed: Optional[bool] = None,
        deployer_id: Optional[str] = None,
        session_id: Optional[str] = None,
    ) -> str:
        """Log a single inference event per Art.12."""
        entry = {
            "schema_version": "1.0",
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "system_id": self.system_id,
            "system_version": self.system_version,
            "event_type": "inference",
            "input_hash": input_hash,
            "output_category": output_category,
            "confidence_score": confidence_score,
            "human_reviewed": human_reviewed,
            "deployer_id": deployer_id,
            "session_id": session_id,
        }
        # Generate deterministic log entry ID
        entry_id = hashlib.sha256(
            json.dumps(entry, sort_keys=True).encode()
        ).hexdigest()[:16]
        entry["log_id"] = entry_id
        self.storage.write(entry, retention_days=self.retention_days)
        return entry_id

    def log_human_override(
        self,
        inference_log_id: str,
        override_reason: str,
        operator_id: str,
    ) -> None:
        """Log when a human overrides or rejects the AI output."""
        entry = {
            "schema_version": "1.0",
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "system_id": self.system_id,
            "event_type": "human_override",
            "referenced_inference_id": inference_log_id,
            "override_reason": override_reason,
            "operator_id": operator_id,
        }
        self.storage.write(entry, retention_days=self.retention_days)
```
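The logger above leaves `storage_backend` and the computation of `input_hash` open. The following is an added example, not code from the original post or from sota.io: a backend with the same `write(entry, retention_days)` signature that hash-chains records so later edits are detectable, purges only expired records, and a keyed alternative to a bare SHA-256 input hash. `ChainedLogStore`, `keyed_input_hash`, `demo` and the demo key are hypothetical names, and the sample entries are constructed.

```python
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone
from typing import Optional

GENESIS = "0" * 64  # chain anchor before any record exists


def keyed_input_hash(raw_input: bytes, key: bytes) -> str:
    """HMAC-SHA256 of the raw input.

    A bare SHA-256 of low-entropy personal data (names, ID numbers) can be
    reversed by hashing guesses; a secret key kept outside the log prevents that.
    """
    return hmac.new(key, raw_input, hashlib.sha256).hexdigest()


class ChainedLogStore:
    """Hypothetical append-only backend exposing write(entry, retention_days)."""

    def __init__(self) -> None:
        self._records: list[dict] = []
        self._anchor = GENESIS  # chain hash of the last purged record

    @staticmethod
    def _digest(record: dict) -> str:
        # Hash everything except the stored chain hash itself
        body = {k: v for k, v in record.items() if k != "chain_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def head(self) -> str:
        """Latest chain hash; copy it to separate storage to detect full rewrites."""
        return self._records[-1]["chain_hash"] if self._records else self._anchor

    def write(self, entry: dict, retention_days: int) -> None:
        now = datetime.now(timezone.utc)
        record = {
            "entry": dict(entry),
            "stored_at": now.isoformat(),
            "delete_after": (now + timedelta(days=retention_days)).isoformat(),
            "prev_hash": self.head(),
        }
        record["chain_hash"] = self._digest(record)
        self._records.append(record)

    def verify(self) -> list[int]:
        """Return indexes of records whose content hash or back-link is broken."""
        bad, prev = [], self._anchor
        for i, rec in enumerate(self._records):
            if rec["prev_hash"] != prev or rec["chain_hash"] != self._digest(rec):
                bad.append(i)
            prev = rec["chain_hash"]
        return bad

    def purge_expired(self, now: Optional[datetime] = None) -> int:
        """Drop only the oldest records whose retention period has elapsed.

        Purging stops at the first unexpired record, so the remaining chain
        still verifies from the stored anchor.
        """
        now = now or datetime.now(timezone.utc)
        purged = 0
        while self._records:
            oldest = self._records[0]
            if datetime.fromisoformat(oldest["delete_after"]) > now:
                break
            self._anchor = oldest["chain_hash"]
            self._records.pop(0)
            purged += 1
        return purged


def demo() -> tuple[list[int], list[int]]:
    """Constructed sample: two inference entries, then an in-place edit."""
    store = ChainedLogStore()
    key = b"constructed-demo-key"  # assumption: a real key comes from a secrets manager
    samples = [(b"applicant 1 data", "rejected"), (b"applicant 2 data", "approved")]
    for raw, category in samples:
        store.write(
            {"event_type": "inference",
             "input_hash": keyed_input_hash(raw, key),
             "output_category": category},
            retention_days=183,
        )
    clean = store.verify()
    store._records[0]["entry"]["output_category"] = "approved"  # simulated tampering
    return clean, store.verify()
```

An instance can be passed as `storage_backend` to `Art12AuditLogger`; the chain only proves integrity if `head()` is also recorded somewhere the log writer cannot modify.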
Obligation E: Conformity Assessment (Art.43)
Before placing a high-risk AI system on the market, providers must complete a conformity assessment. Art.43 defines two pathways:
Third-party assessment (Notified Body required):
- Remote biometric identification systems
- Systems intended to be used in real-time biometric identification in publicly accessible spaces
Internal control procedure (self-assessment):
- All other Annex III high-risk AI systems — the majority of cases
For the internal control procedure (Annex VI of the AI Act), providers must:
- Check compliance with all technical requirements (Arts.9–15)
- Check compliance with the QMS (Art.17)
- Draw up the technical documentation (Annex IV)
- Draw up the EU Declaration of Conformity
- Affix the CE marking
The conformity assessment must be repeated after any substantial modification (Art.3(23)) of the system.
```python
# Conformity assessment state machine
from enum import Enum
from dataclasses import dataclass
from typing import Optional


class AssessmentType(Enum):
    INTERNAL_CONTROL = "annex_vi"    # Self-assessment
    QMS_ASSESSMENT = "annex_vii"     # QMS-based self-assessment
    NOTIFIED_BODY = "notified_body"  # Third-party (Art.43(3))


class AssessmentStatus(Enum):
    NOT_STARTED = "not_started"
    IN_PROGRESS = "in_progress"
    COMPLETE = "complete"
    EXPIRED = "expired"  # After substantial modification


@dataclass
class ConformityAssessment:
    system_id: str
    version: str
    assessment_type: AssessmentType
    status: AssessmentStatus
    started_date: Optional[str]
    completed_date: Optional[str]
    notified_body_id: Optional[str]  # EU NB identification number
    certificate_number: Optional[str]
    annex_iii_category: int  # 1-8
    substantial_modification_triggers: list[str]

    def requires_notified_body(self) -> bool:
        """Art.43(3): NB required for remote biometric ID systems."""
        return self.assessment_type == AssessmentType.NOTIFIED_BODY

    def is_valid(self) -> bool:
        # Only a completed assessment counts; EXPIRED must be re-run
        return self.status == AssessmentStatus.COMPLETE


def classify_assessment_pathway(
    annex_iii_category: int,
    use_case_flags: set[str]
) -> AssessmentType:
    """Determine whether NB assessment or self-assessment applies."""
    nb_triggers = {
        "remote_biometric_identification",
        "real_time_biometric_public_space",
    }
    if nb_triggers.intersection(use_case_flags):
        return AssessmentType.NOTIFIED_BODY
    return AssessmentType.INTERNAL_CONTROL
```
Obligation F: Registration in the EU Database (Art.49)
Before placing a high-risk AI system on the market, providers must register themselves and their system in the EU database maintained by the Commission.
Required registration information:
- Provider name, address, and contact details
- AI system name, version, and description of intended purpose
- Country where the system is placed on the market
- The specific Annex III use case (which of the 8 domains)
- Status of the system (on market, withdrawn, recalled)
- EU Declaration of Conformity reference
The database is publicly accessible — any user, deployer, researcher, or regulator can look up your registered system. Registration is a public accountability mechanism, not just an administrative formality.
Programmatic Registration Preparation
```python
# EU database registration data model
import re
from dataclasses import dataclass
from typing import Optional


@dataclass
class EUDatabaseRegistration:
    # Provider information
    provider_name: str
    provider_address: str
    provider_contact_email: str
    provider_eu_representative: Optional[str]  # Required if non-EU provider
    # System information
    system_name: str
    system_version: str
    intended_purpose: str
    annex_iii_category: int     # 1-8
    annex_iii_subcategory: str  # Specific use case within the domain
    # Market information
    eu_member_states: list[str]  # ISO codes: ["DE", "FR", "AT"]
    placement_date: str          # ISO 8601 date
    # Compliance references
    eu_doc_reference: str                     # EU Declaration of Conformity ref
    notified_body_certificate: Optional[str]  # If NB assessment was done
    technical_doc_version: str
    # Status
    status: str = "placed_on_market"  # or "withdrawn" | "recalled"

    def validate(self) -> list[str]:
        errors = []
        if not self.provider_eu_representative and not self._is_eu_address():
            errors.append(
                "Non-EU providers must designate an EU representative (Art.24)"
            )
        if not 1 <= self.annex_iii_category <= 8:
            errors.append("annex_iii_category must be between 1 and 8")
        return errors

    def _is_eu_address(self) -> bool:
        EU_COUNTRY_CODES = {
            "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI",
            "FR", "DE", "GR", "HU", "IE", "IT", "LV", "LT", "LU",
            "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE"
        }
        # Match codes only as whole upper-case tokens: a plain substring test
        # would treat "SEATTLE" as containing "SE" and "AT".
        tokens = set(re.findall(r"\b[A-Z]{2}\b", self.provider_address))
        return bool(tokens & EU_COUNTRY_CODES)
```
Obligation G: Corrective Actions (Art.20)
When a provider discovers their high-risk AI system does not conform with the AI Act, or presents an unacceptable risk to health, safety, or fundamental rights, they must:
- Immediately take corrective actions to bring it into conformity
- Withdraw or recall the system if corrective actions are insufficient
- Notify distributors and deployers who received the system
- Notify the relevant national competent authority (NCA) in each affected Member State
This creates an ongoing self-monitoring obligation that continues throughout the system's operational life. The corrective action duty is not a one-time pre-market check.
```python
# Art.20 corrective action workflow
from enum import Enum


class NonConformityLevel(Enum):
    MINOR = "minor"        # Document and fix in next scheduled release
    MAJOR = "major"        # Stop new deployments, urgent fix
    CRITICAL = "critical"  # Immediate withdrawal and NCA notification


class Art20CorrectiveAction:
    def __init__(self, system_id: str, nca_contacts: dict):
        self.system_id = system_id
        self.nca_contacts = nca_contacts  # {member_state: contact_info}

    def classify_non_conformity(
        self,
        finding_type: str,
        affects_fundamental_rights: bool,
        affects_health_safety: bool,
    ) -> NonConformityLevel:
        if affects_fundamental_rights or affects_health_safety:
            return NonConformityLevel.CRITICAL
        if finding_type in ["data_bias", "accuracy_below_threshold", "oversight_gap"]:
            return NonConformityLevel.MAJOR
        return NonConformityLevel.MINOR

    def create_action_plan(
        self,
        finding: str,
        level: NonConformityLevel,
    ) -> dict:
        base_plan = {
            "finding": finding,
            "level": level.value,
            "system_id": self.system_id,
            "actions": []
        }
        if level == NonConformityLevel.CRITICAL:
            base_plan["actions"].extend([
                {"action": "SUSPEND_NEW_DEPLOYMENTS", "deadline_hours": 0},
                {"action": "NOTIFY_DEPLOYERS", "deadline_hours": 24},
                {"action": "NOTIFY_ALL_NCAS", "deadline_hours": 24,
                 "contacts": self.nca_contacts},
                {"action": "ASSESS_RECALL_NEED", "deadline_days": 3},
            ])
        elif level == NonConformityLevel.MAJOR:
            base_plan["actions"].extend([
                {"action": "SUSPEND_NEW_DEPLOYMENTS", "deadline_hours": 0},
                {"action": "DOCUMENT_NON_CONFORMITY", "deadline_days": 1},
                {"action": "PREPARE_FIX", "deadline_days": 30},
                {"action": "NOTIFY_DEPLOYERS_PREVENTIVE", "deadline_days": 7},
            ])
        else:
            base_plan["actions"].append(
                {"action": "DOCUMENT_AND_SCHEDULE_FIX", "deadline_days": 90}
            )
        return base_plan
```
Obligation H: CE Marking (Art.48)
Art.48 requires providers to affix the CE marking to their high-risk AI system before placing it on the market. For pure software systems (no physical component), CE marking is displayed in:
- Product documentation and user interface
- Download pages and app store listings
- SaaS application footer or about page
- API documentation
The CE marking must be:
- Visible, legible, and indelible
- Followed by the identification number of the notified body if an NB assessment was performed
- Affixed before market placement — not as an afterthought
If a notified body was involved, the NB's identification number must appear immediately after the CE symbol.
Obligation I: Instructions for Use (Art.13)
Art.13 requires that high-risk AI systems be accompanied by instructions for use in an accessible format. These instructions must include:
- The system's identity and intended purpose
- The level and type of accuracy and robustness including for specific persons or groups
- Known or foreseeable circumstances under which the system may fail or produce inaccurate results
- The human oversight measures required
- The computational and hardware requirements
- The AI system's expected lifetime and maintenance needs
- Contact details for the provider
The instructions must be concise, complete, correct, and clear — and provided in a language that can be understood by deployers (the companies that use your system).
Obligation J: Cooperate with Market Surveillance Authorities (Arts.74–82)
Art.16 requires providers to cooperate with national competent authorities in all activities carried out to ensure compliance. This includes:
- Providing technical documentation on request (Art.74): NCAs can demand your technical file at any time
- Responding to non-conformity investigations: you must provide all information and documentation requested
- Allowing inspections: NCAs can inspect development and testing facilities
- Providing access to training data: in specific investigation contexts
- Designating a contact point: in each Member State where the system is deployed
If you are based outside the EU, you must designate an EU authorised representative (Art.24) who can fulfil these cooperation obligations on your behalf.
The Provider Compliance Stack
All obligations form an integrated compliance architecture:
```
┌────────────────────────────────────────────────────────────────────┐
│  Art.16 Provider Compliance Stack                                  │
├────────────────────────────────────────────────────────────────────┤
│  Market-Facing Layer                                               │
│  ├── CE Marking (Art.48)                                           │
│  ├── EU Database Registration (Art.49)                             │
│  └── Instructions for Use (Art.13)                                 │
├────────────────────────────────────────────────────────────────────┤
│  Conformity Layer                                                  │
│  ├── Conformity Assessment (Art.43 + Annex VI/VII)                 │
│  ├── EU Declaration of Conformity                                  │
│  └── Notified Body (Art.43(3) — biometric/critical infra only)     │
├────────────────────────────────────────────────────────────────────┤
│  Organisational Layer                                              │
│  ├── Quality Management System (Art.17)                            │
│  ├── Technical Documentation (Art.11 + Annex IV)                   │
│  └── Record-Keeping / Logs (Art.12)                                │
├────────────────────────────────────────────────────────────────────┤
│  Ongoing Monitoring Layer                                          │
│  ├── Post-Market Monitoring (Art.72)                               │
│  ├── Serious Incident Reporting (Art.73)                           │
│  └── Corrective Actions (Art.20)                                   │
├────────────────────────────────────────────────────────────────────┤
│  Technical Foundation (Arts.9–15)                                  │
│  ├── Art.9 RMS   Art.10 Data   Art.11 Docs   Art.12 Logs           │
│  └── Art.13 Trans   Art.14 Oversight   Art.15 Accuracy+Security    │
└────────────────────────────────────────────────────────────────────┘
```
Compliance Timeline: 53 Days to August 2026
| Timeline | Priority Actions |
|---|---|
| Now – Week 2 | Gap assessment against each Art.16 obligation. Which are complete? Which have gaps? |
| Week 3–4 | Complete technical documentation (Annex IV all 8 sections). Finalise Art.9 RMS. |
| Week 5–6 | Run conformity assessment (Annex VI self-assessment procedure). Fix any gaps found. |
| Week 7 | Register in EU database (Art.49). Prepare CE marking materials. |
| Week 8 | Buffer: address remaining gaps. Final QMS review. |
Art.16 Master Compliance Checklist
Use this before the August 2, 2026 deadline:
Technical Requirements (Arts.9–15)
- Art.9: Risk management system documented and operational
- Art.10: Training data governance policy in place and documented
- Art.11: Technical documentation complete (all Annex IV sections)
- Art.12: Automated logging with minimum 6-month retention configured
- Art.13: Instructions for use prepared for deployers (accessible format)
- Art.14: Human oversight mechanisms designed, implemented, and tested
- Art.15: Accuracy benchmarks met; cybersecurity testing complete
Organisational Requirements
- Art.17: Quality management system documented with all required procedures
- Art.43: Conformity assessment completed (self-assessment or NB)
Market-Facing Requirements
- Art.48: CE marking prepared for documentation, UI, and packaging
- Art.49: Registered in EU AI database before first market placement
- Art.13: Instructions for use distributed to all deployers
Ongoing Obligations
- Art.20: Corrective action procedure defined, tested, and staff-trained
- Art.72: Post-market monitoring plan in place
- Art.73: Serious incident reporting pipeline operational
- Arts.74–82: Contact point for NCAs designated per Member State
What's Next in This Series
This post mapped every Art.16 obligation to its governing article. In the next four posts we go deeper on the most complex individual obligations:
- Post #2: Drafting a complete Annex IV technical documentation package — section by section
- Post #3: Running the Art.43 conformity assessment — the internal control procedure step by step
- Post #4: EU database registration (Art.49) and ongoing market surveillance cooperation
- Post #5: Art.16 all-in-one compliance checklist and 8-week sprint template
The August 2, 2026 deadline is 53 days away. Every week of preparation now is one week fewer of emergency remediation later.
See Also
- EU AI Act Art.17 Quality Management System: Foundations for High-Risk AI Providers — Art.16(g) requires a QMS; Art.17 defines exactly what that QMS must contain — the two articles form a provider obligation pair
- EU AI Act Art.9 Risk Management System: Identification Methodology — Art.16(a) delegates to Art.9 for risk management; this is the deep-dive on building the RMS that satisfies Art.16's first obligation
- EU AI Act Art.43 Conformity Assessment: Cloud Act, Notified Body, and Auditor Guide 2026 — Art.16(e) requires conformity assessment before market placement; Art.43 defines the two routes (internal control vs. NB)
- EU AI Act Art.14 Human Oversight: Foundations for High-Risk AI — Art.16(a) cross-references Art.14; human oversight is one of the 11 Art.16 obligations with the most implementation complexity
- EU AI Act Art.72 Post-Market Monitoring Plan for High-Risk AI — Art.16(j) requires a post-market monitoring system; Art.72 specifies what that plan must include and how it feeds back into Art.9
This post is part of the sota.io EU AI Act Developer Series — practical, implementation-focused guides for developers building compliant AI systems in the EU. All article references are to Regulation (EU) 2024/1689 (the EU AI Act).