EU AI Act CE Marking for High-Risk AI: What Art.47 Declaration of Conformity and Art.48 CE Marking Require Before August 2, 2026

Post #1487 in the sota.io EU AI Act Compliance Series — EU-AI-ACT-CE-MARKING-2026 #1/5

The CE mark is the most visible symbol of EU product compliance. When you see it on a medical device, a piece of machinery, or a radio transmitter, it signals that the product meets the applicable EU legal requirements before it entered the market. Starting August 2, 2026, the same logic applies to high-risk AI systems under Regulation (EU) 2024/1689 — the EU AI Act.

For AI providers, CE marking is not simply a stamp you apply at the end of the compliance process. It is the final step in a legal sequence that begins with a conformity assessment, continues with drafting a formal EU Declaration of Conformity, and concludes with affixing the CE mark to your system. Each step has specific legal requirements, and skipping or mishandling any one of them exposes your organisation to market withdrawal, fines, and reputational damage.

This guide breaks down exactly what Art.47 (EU Declaration of Conformity), Art.48 (CE Marking), Annex V, and Art.43 (Conformity Assessment) require from high-risk AI providers before the August 2, 2026 deadline.

What Is the CE Mark in the Context of the EU AI Act?

Under the EU AI Act, the CE marking for high-risk AI systems follows the general principles established in Article 30 of Regulation (EC) No 765/2008 — the same regulation that governs CE marking across all EU harmonisation legislation. This means the CE mark on a high-risk AI system carries the same formal weight as on any other regulated product: it is a provider's declaration to the market and to authorities that the system meets all applicable requirements.

The EU AI Act does not invent a separate "AI Act CE mark." Instead, it slots high-risk AI systems into the existing CE marking framework and adds AI-specific requirements — most importantly, the obligation to conduct a conformity assessment under Art.43 before affixing the mark, and the obligation to draw up a formal Declaration of Conformity under Art.47.

The key regulatory sequence:

1. Complete a conformity assessment (Art.43)
2. Draw up a Declaration of Conformity (Art.47 + Annex V)
3. Affix the CE marking (Art.48)
4. Register in the EU AI database (Art.51)

You cannot do step 3 without completing steps 1 and 2. The CE mark is not a parallel track — it is the endpoint of the compliance process.

Art.47: The EU Declaration of Conformity

Article 47 of Regulation (EU) 2024/1689 is the core provision governing the EU Declaration of Conformity (DoC) for high-risk AI systems.

What Art.47 Requires

Art.47(1) requires providers to draw up a written EU Declaration of Conformity for each high-risk AI system and keep it up to date. The declaration must be available to national competent authorities for 10 years after the system is placed on the market or put into service.

Art.47(2) states that the DoC must confirm the system meets the requirements of Section 2 of the AI Act (the mandatory requirements for high-risk AI, covering risk management, data governance, technical documentation, transparency, human oversight, accuracy, robustness, and cybersecurity). The DoC must contain the information specified in Annex V and must be translated into any language required by national competent authorities of Member States where the system is placed on the market.

Art.47(3) addresses the scenario where a high-risk AI system also falls under other EU harmonisation legislation that requires a Declaration of Conformity. In this case, providers must draw up a single consolidated declaration covering all applicable legislation — you do not produce separate declarations for each directive or regulation.

Art.47(4) makes the legal consequence explicit: by drawing up the DoC, the provider assumes sole responsibility for compliance with the requirements of Section 2. This is not a technicality. Signing the DoC creates legal accountability.

Art.47(5) grants the Commission authority to update Annex V through delegated acts to reflect technical progress.

The Machine-Readable Requirement

A significant practical detail in Art.47(1): the DoC must be "written machine-readable, physical or electronically signed." This means a scanned paper document is not sufficient. You need either a properly signed electronic document or a machine-readable format. PDF/A with embedded metadata, XHTML, or structured XML formats all qualify — but an image-only PDF does not.

Annex V: What Your Declaration of Conformity Must Contain

Annex V of Regulation (EU) 2024/1689 specifies the eight required elements of the EU Declaration of Conformity for high-risk AI systems:

1. AI System Identification The name and type of the AI system and any additional unambiguous reference allowing identification and traceability. This typically includes the system's commercial name, version number, and — if applicable — the EU AI database registration number.

2. Provider Information The name and address of the provider or, where applicable, the authorised representative. For non-EU providers, this must be the authorised representative established in the EU under Art.22.

3. Responsibility Statement A declaration that the DoC is issued under the sole responsibility of the provider. This element gives the declaration its legal force — there is no collective or shared responsibility.

4. Compliance Confirmation A statement that the high-risk AI system conforms with Regulation (EU) 2024/1689 and, if applicable, with any other relevant Union law that also requires a DoC. If your system is also subject to the Medical Devices Regulation or the Machinery Regulation, those must be referenced here.

5. Data Protection Compliance For AI systems that process personal data, the DoC must include confirmation of compliance with GDPR (Regulation 2016/679), and where applicable, Regulation 2018/1725 (institutional data protection) and Directive 2016/680 (law enforcement data protection). This element recognises that many high-risk AI systems involve personal data processing.

6. Standards and Common Specifications Citations of the applicable harmonised standards applied or, if harmonised standards were not applied, the common technical specifications or other technical solutions used to demonstrate conformity. If you used CEN/CENELEC harmonised standards under the EU AI Act, reference them here with their full designation and publication date.

7. Notified Body Details (Where Applicable) Where a notified body was involved in the conformity assessment procedure under Art.43, the DoC must include the notified body's name, identification number, description of the conformity assessment procedure performed, and identification of the certificate issued by the notified body.

8. Documentation and Signature The place and date of issue of the DoC, the name and function of the signatory, indication of on whose behalf the person signs, and the signature itself.

Practical Drafting Note

Annex V does not specify a particular form or template — the EU has not issued an official template as of mid-2026. Several Member States and industry associations have published draft templates, but the legally operative requirement is that all eight Annex V elements are present and accurate. Whichever format you use, the document must be machine-readable (see Art.47(1) above).

CE Marking vs. Declaration of Conformity: The Distinction

These two instruments are closely related but legally distinct:

The CE mark is the visible external symbol; the Declaration of Conformity is the underlying legal document that justifies the mark. You cannot legally affix the CE mark without a valid DoC in place.

Art.43: Conformity Assessment — The Step Before CE Marking

Before drawing up the DoC and affixing the CE mark, providers must complete the conformity assessment required by Art.43. The assessment procedure varies depending on which Annex III category your system falls under.

Internal Control (Annex VI) — The Default Path

For most high-risk AI systems — specifically those listed in Annex III points 2 to 8 — the required procedure is the internal control procedure set out in Annex VI. This is a self-assessment pathway: no notified body involvement is required. You assess your own system against the Section 2 requirements, document your findings, and draw up the DoC.

The Annex III points 2-8 categories include: educational and vocational training, employment and HR management, essential private services and public services and benefits, law enforcement (with the special rule noted below), migration and border control, administration of justice, and democratic processes.

Notified Body Involvement (Annex VII) — When Required

For high-risk AI systems listed in Annex III point 1 (biometric systems, including remote biometric identification), the default is still internal control — unless one of four conditions triggers mandatory Annex VII involvement:

• Harmonised standards covering the system's requirements do not exist or the provider has not applied them fully
• Common technical specifications exist but were not applied
• The applicable harmonised standards were published with restrictions by the Commission

Under Annex VII, a notified body assesses your quality management system and, where relevant, your technical documentation. The notified body issues a certificate, which must then be referenced in your Annex V DoC under element 7.

The Law Enforcement Special Rule

For AI systems used by law enforcement, immigration, asylum, or EU institution authorities that fall under specific Annex III categories, Art.43 designates the market surveillance authority itself to act as the notified body for the Annex VII procedure. This is a structural carve-out recognising the sensitivity of these use cases.

Substantial Modification

If your high-risk AI system undergoes a substantial modification after the initial conformity assessment, you must conduct a new assessment for the modified version before it is re-placed on the market. Art.43 specifies an exception: changes to a system's performance parameters that were explicitly anticipated and documented in the original technical documentation do not require a new assessment.

Art.48: CE Marking — How, Where, and When

Article 48 sets out the practical requirements for affixing the CE mark on high-risk AI systems.

Affixing Requirements

Art.48(3) requires the CE marking to be affixed visibly, legibly, and indelibly on the high-risk AI system. If the nature of the system makes this impracticable — for instance, a software-only AI system delivered via API — the CE marking may be placed on the packaging or accompanying documentation.

Art.48(2) addresses digital delivery specifically: for high-risk AI systems provided digitally, a digital CE marking is acceptable only if it can be easily accessed via the interface through which the system is accessed, or via an easily accessible machine-readable code or other electronic means. A CE mark buried in a terms-of-service PDF does not satisfy this requirement.

Notified Body Number

Art.48(4) requires that where a notified body was involved in the conformity assessment, its identification number must appear alongside the CE marking. The number is affixed either by the notified body itself or, under its instructions, by the provider or the provider's authorised representative. The notified body number must also appear in any promotional materials that reference CE marking compliance.

Multiple CE Marks

Art.48(5) covers the scenario of overlapping regulation: if a high-risk AI system also falls under other EU law that requires CE marking (for instance, a medical AI device subject to Regulation (EU) 2017/745), the CE mark must indicate that the system fulfils the requirements of all applicable laws. In practice, this typically means listing all applicable regulations in the accompanying documentation referenced by the CE mark.

Annex III: Which High-Risk AI Systems Need CE Marking?

CE marking is required for all high-risk AI systems placed on the EU market or put into service in the EU. Annex III of Regulation (EU) 2024/1689 lists eight categories of high-risk AI use cases:

1. Biometric systems — real-time and post-remote biometric identification, biometric categorisation, emotion recognition in professional and educational settings
2. Critical infrastructure — AI systems used in safety components of critical digital, water, gas, heating, electricity infrastructure
3. Education and vocational training — systems that determine access to education or assess learning outcomes with significant effect
4. Employment and HR — recruitment, selection, promotion, termination, task allocation, monitoring of performance and behaviour
5. Essential services — credit scoring, life/health insurance risk assessment, emergency service dispatch
6. Law enforcement — risk assessment of individuals, lie detection, evidence reliability assessment, profiling, crime prediction
7. Migration and border management — risk assessment of persons, document authenticity, asylum application examination
8. Administration of justice and democratic processes — AI used by courts to research law and facts, AI in electoral campaigns

If your system falls into one of these categories and is not explicitly excluded by Art.6(3) (the general-purpose AI carve-outs) or falls under the Annex I product safety exemptions, you need CE marking by August 2, 2026.

Common Errors Providers Make

Confusing the DoC with technical documentation. The DoC (Art.47 + Annex V) is a separate document from the technical documentation required by Art.11 + Annex IV. Your technical documentation is the evidence; the DoC is the formal declaration that you have reviewed that evidence and declare conformity. They are not the same document and must not be merged.

Signing before the assessment is complete. The DoC must reflect a completed conformity assessment. Signing a DoC as a planning document — before the Art.43 procedure is finished — creates legal exposure if an authority requests documentation. The date on the DoC is the date you sign it; the assessment must be complete by then.

Using a non-machine-readable format. Art.47(1) requires a machine-readable DoC. Scanned paper, image-only PDFs, and photo attachments do not qualify. Use structured electronic formats with embedded metadata or digitally signed PDFs with text layers.

Omitting the notified body number where required. If a notified body was involved in your Annex VII assessment, its identification number must appear both in the DoC (Annex V element 7) and alongside the CE mark (Art.48(4)). Omitting it from either location is a non-compliance finding.

Applying CE marking to general-purpose AI with no high-risk deployment. CE marking under the EU AI Act applies only to systems that fall within the Annex III categories. Applying a CE mark to a general-purpose AI model or a low-risk chatbot is a misuse of the mark and may constitute a conformity claim that cannot be substantiated.

Failing to update the DoC after substantial modifications. The DoC must be kept up to date (Art.47(1)). If your system undergoes a substantial modification that triggers a new conformity assessment under Art.43, the DoC must be updated to reflect the new assessment before the modified system is re-deployed.

August 2026 Roadmap: CE Marking in 59 Days

With the August 2, 2026 deadline 59 days away, here is a practical sequence for providers who have not yet completed CE marking:

Days 1-14: Confirm Annex III scope Determine definitively which of your AI systems fall within Annex III categories. Document the analysis. If scope is ambiguous, obtain a legal opinion now — a wrong call made in June costs less to correct than one made after August 2.

Days 14-30: Complete conformity assessment For most providers (Annex III points 2-8), this means completing the internal control procedure (Annex VI): reviewing your risk management system, technical documentation, data governance practices, human oversight mechanisms, and accuracy/robustness testing against Section 2 requirements. For Annex III point 1 providers who need notified body involvement, initiate contact with an accredited notified body immediately — assessment slots are limited.

Days 30-40: Draft the Declaration of Conformity Using the eight Annex V elements as a checklist, draft your DoC. Ensure you have a machine-readable format, that all element fields are complete and accurate, and that the signatory has appropriate authority. If you need a consolidated DoC covering multiple EU laws, coordinate with your legal team on the merged format.

Days 40-50: Affix CE marking Implement CE marking on your system, packaging, and documentation. For digital systems, implement the digital CE marking requirement — the mark must be accessible via the product interface or a machine-readable code. Include the notified body number if applicable.

Days 50-55: Register in the EU AI database Complete your Art.51 EUDB registration with the DoC reference included in your registration record.

Days 55-59: Internal audit Verify that all documentation is current, consistent, and accessible to competent authorities. Check that your DoC date, conformity assessment date, and EUDB registration entry are mutually consistent.

Conclusion: CE Marking as a Public Compliance Signal

The CE marking on a high-risk AI system is not a formality. It is the public commitment by the provider that the system has been assessed, documented, and declared conformant with Regulation (EU) 2024/1689 before it enters the EU market. When an NCA opens a market surveillance investigation, the CE mark and the underlying DoC are the first documents they will request.

Getting this right before August 2, 2026 means completing the Art.43 conformity assessment in full, drafting a legally compliant Art.47 + Annex V Declaration of Conformity in machine-readable form, and affixing the CE mark according to Art.48's visibility and notified body number requirements.

The next post in this series covers the notified body selection process under Art.43 and Art.49 in depth: which bodies are accredited for EU AI Act assessments, what the Annex VII procedure looks like in practice, and how to scope a notified body engagement to avoid over-assessment.

This post is part of the sota.io EU-AI-ACT-CE-MARKING-2026 series. Sources: Regulation (EU) 2024/1689 — Art.43, Art.47, Art.48, Art.22, Annex III, Annex V, Annex VI, Annex VII.