EU AI Act Art.51: What High-Risk AI Providers Must Register in the EU Database Before August 2, 2026
Post #1482 in the sota.io EU AI Act Compliance Series
With 60 days until the August 2, 2026 EU AI Act deadline, most high-risk AI providers have focused on conformity assessment (Art.43), technical documentation (Art.11), and CE marking (Art.49). A step that frequently gets pushed to the end of the compliance sprint — and then missed — is registration in the EU AI database under Art.51.
Registration is not optional and it cannot be done retroactively after your system is already in service. Art.51 creates a specific legal sequencing requirement: register first, place on market second. This guide explains what Art.51 requires, who must register, what information the EU database needs (specified in Annex VIII), and how to complete registration in time.
What is Art.51? EU Database Registration for High-Risk AI
Article 51 of the EU AI Act establishes a centralised EU-wide database — commonly called the EUDB or EU AI Database — managed by the European Commission. It functions as a public registry of high-risk AI systems deployed across the EU, accessible to national competent authorities and, in large part, to the public.
Art.51(1) creates the core obligation: providers of high-risk AI systems listed in Annex III shall register themselves and their systems in the EUDB before placing the system on the market or putting it into service. Registration is a pre-market step — it must be completed before any EU customer can use the system.
Art.51(2) extends registration obligations to certain deployers: public-sector organisations that deploy high-risk AI systems under selected Annex III categories — including biometric identification systems and law enforcement applications — must register their use in the EUDB before first putting the system into service. This means if you are selling AI to government agencies for public-sector use cases in those categories, your public-authority customers have independent registration obligations.
Art.51(3) covers post-market updates: when a substantial modification to a registered high-risk AI system makes it effectively a new system, providers must update the registration accordingly. This connects directly to your internal change management process — every significant model update or scope expansion needs to be evaluated against the "substantial modification" threshold.
Who Must Register? Providers and the Annex III Test
The primary registration obligation falls on providers: entities that develop or commission the development of high-risk AI systems and place them on the market under their own name or trademark. If you are a SaaS company offering AI functionality that falls within Annex III, you are a provider.
Annex III categories relevant to SaaS products:
| Annex III Area | Category | Common SaaS Examples |
|---|---|---|
| Biometric identification | Identification and categorisation of persons | Remote ID verification with facial recognition |
| Critical infrastructure | AI in management of energy, water, transport networks | Predictive maintenance, automated incident response |
| Education and training | Assessment and evaluation of students | Automated exam proctoring, student performance scoring |
| Employment and workers management | Recruitment, task allocation, performance monitoring | CV screening tools, automated candidate shortlisting, productivity scoring |
| Essential private services | Credit scoring, insurance risk, banking | Loan approval automation, insurance underwriting AI |
| Law enforcement | Risk assessment tools | Profiling tools used by police or border agencies |
| Migration and asylum | Document verification, risk assessment | Border management AI, asylum case tools |
| Administration of justice | AI used in legal proceedings | Dispute resolution tools used in courts |
For most commercial SaaS providers, the practical categories to evaluate are employment and workers management and access to essential private services. If your product automates any part of hiring decisions, employee performance evaluation, credit assessment, or insurance underwriting, you are building within Annex III scope.
The test is the intended purpose and actual use of the system, not its technical sophistication. A rule-based scoring system that recommends hiring or rejection decisions falls under Annex III even if it uses no deep learning.
What Information Must Be Submitted? The Annex VIII Checklist
Annex VIII of the EU AI Act specifies the exact fields that providers must complete when registering a high-risk AI system in the EUDB. Think of Annex VIII as the registration form specification.
Provider Identity and Contact Details
- Provider's name, registered trade address, and contact details — the legal entity responsible for compliance
- If a Union representative was appointed under Art.22: their name, address, and contact details — required for providers established outside the EU
- Names and contact details of any persons responsible for placing on market — relevant if a separate distributor or deployer is named on the packaging
System Identification
- Trade name(s) and all versions of the AI system covered by the registration — version traceability is essential; regulators need to match an inspected deployment to a specific registered version
- General description of the AI system — its intended purpose, the tasks it performs, its capabilities, and significant limitations
- The Annex III category or categories the system falls under — you must explicitly identify which Annex III area applies
Conformity Assessment References
- The conformity assessment procedure used per Art.43 — this is either internal control (based on Annex VI) or third-party assessment involving a notified body (based on Annex VII)
- Notified body name and certificate reference — only required where a notified body was involved
- Reference to the EU declaration of conformity issued under Art.47 — the declaration must pre-exist the registration; you cannot register without a completed declaration
System Status
- Current deployment status — in service, withdrawn from the market, or recalled
- This field must be kept current; if you withdraw a product from the EU market, the registration must be updated
The Pre-Market Registration Sequence
Art.51 registration is the last compliance gate before market placement, not a standalone task. It depends on earlier steps being complete.
Step 1 — Technical documentation (Art.11 + Annex IV)
↓
Step 2 — Quality management system (Art.17)
↓
Step 3 — Conformity assessment (Art.43)
↓
Step 4 — EU Declaration of Conformity (Art.47)
↓
Step 5 — CE marking (Art.49)
↓
Step 6 — Register in EUDB (Art.51) ← You are here
↓
Step 7 — Place on market / put into service
If you are planning registration for August 2, work backwards from that date. Steps 1 through 5 must be complete before you can submit a valid registration. For most Annex III SaaS products following the internal control conformity assessment path (Annex VI), this sequence can be completed within 4 to 6 weeks if the underlying technical documentation is already drafted.
If you are starting from scratch in June 2026, focus first on finalising your technical documentation under Art.11. The Annex VIII fields — particularly the system description, capability limitations, and conformity assessment reference — are derived directly from your technical documentation. Building them in parallel reduces rework.
Common Registration Mistakes
Treating Annex III as Narrower Than It Is
SaaS teams frequently assume their AI is not Annex III because the technology is not cutting-edge or because the system is "just a recommendation engine." Under the EU AI Act, the classification depends on the use domain and the consequential impact, not the complexity of the model. A linear model that auto-rejects job applications is a high-risk AI system under Annex III.
Review your product's intended purpose against each Annex III category. Pay particular attention to features marketed to HR, legal, financial services, or public sector customers.
Registering Before the Declaration of Conformity is Issued
Annex VIII requires the declaration of conformity reference as a mandatory field. You cannot complete registration without a valid declaration. Attempting to register with a placeholder or anticipated reference number creates documentation gaps that are visible to NCAs during market surveillance.
Not Tracking Versions in Registration
Each version of your AI system that differs in a material way from the registered version may require a registration update. The EUDB is designed to enable regulators to trace a deployed system back to a specific registered configuration. If you deploy v2.4 to production but registered v2.0, the registration is non-compliant.
Build version registration into your software release process now. Define internally what "material difference" means — model architecture change, new Annex III category, change in intended purpose — so the decision is not made ad hoc at each release.
Missing the Authorised Representative Requirement
If your company is incorporated outside the EU and you are deploying Annex III systems to EU customers, you must appoint an EU-based authorised representative under Art.22 before registration. The authorised representative's name and contact details are required fields in Annex VIII registration. Attempting to register without this information will block completion.
Failing to Update for Substantial Modifications
Art.51(3) requires updated registration when a substantial modification results in a system that should be treated as a new high-risk AI system. The AI Act defines "substantial modification" as a change that affects the compliance of the system or its intended purpose significantly.
Establish an internal review gate for AI system changes that asks: "Does this modification change the system's intended purpose, its Annex III category, or its conformity assessment conclusion?" If yes, trigger a re-registration workflow before the update is deployed.
Infrastructure and Market Surveillance Exposure
Once registered in the EUDB, your system is visible to national competent authorities (NCAs) across all EU member states under the market surveillance provisions that take effect on August 2, 2026. An NCA can initiate an Art.74 inspection based on information in the EUDB — for example, if your system description reveals a potential risk that warrants investigation.
During a market surveillance inspection, an NCA will verify that your deployed system matches your EUDB registration. They will request access to technical documentation, test logs, and conformity assessment records. The ability to provide this documentation quickly and completely — without involving non-EU legal processes — is a compliance advantage.
Infrastructure jurisdiction is directly relevant here. If your AI training data, model artefacts, and compliance evidence are stored on EU-native infrastructure with no US parent company, all of that material stays within EU legal frameworks. There is no CLOUD Act ambiguity about whether a US government subpoena could compel disclosure of evidence that an NCA considers confidential to the inspection process.
EU-native managed PaaS — like sota.io, running on Hetzner Germany with no US ownership — eliminates this jurisdictional overlap. When an NCA requests documentation under an Art.74 inspection, you provide it under clear EU legal procedures, without competing obligations to foreign jurisdictions.
60-Day Registration Action Plan
| Weeks | Action |
|---|---|
| June 3–17 | Audit product portfolio against Annex III. Identify all systems that require registration. |
| June 17 – July 1 | Finalise technical documentation (Art.11, Annex IV). Confirm conformity assessment procedure choice (Art.43). |
| July 1–15 | Complete conformity assessment. Issue EU Declaration of Conformity (Art.47). Affix CE marking (Art.49). |
| July 15–28 | Submit EUDB registration via the Commission portal. Complete all Annex VIII fields. Obtain EUDB registration number. |
| July 28 – August 2 | Final audit: verify deployed system version matches registration. Update internal compliance documentation. |
The most common delay in this sequence is technical documentation — specifically the gap analysis under Annex IV Section 2 (design specifications and system architecture). If you have not yet started your Annex IV documentation, begin this week.
What Is Next in This Series
This post covered the Art.51 registration framework: what it requires, who must comply, and the Annex VIII fields. The next post in this series goes deeper into the specific Annex VIII fields — how to prepare each registration field from your existing technical documentation, common field interpretation questions, and how the EUDB portal maps to your internal documentation structure.
Series: EU AI Act EUDB Registration 2026
- Post 1 (this post): Art.51 overview — who must register and what
- Post 2: Annex VIII field-by-field guide — step-by-step registration preparation
- Post 3: EUDB registration vs. conformity assessment — how Art.51 + Art.43 connect
- Post 4: Provider vs. deployer registration — who registers what
- Post 5: Registration finale — complete checklist and common rejection reasons
Related posts in this series:
- NCA Inspection Readiness: Art.74 Market Surveillance Guide
- Art.11 Technical Documentation Gaps for NCA Inspection
- Conformity Assessment Routes: Art.43 Internal Control vs. Notified Body
Deploy your AI compliance infrastructure on sota.io — EU-native managed PaaS, Hetzner Germany, no US parent company, no CLOUD Act exposure.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.