EU AI Act Art.71: EU Database Registration Obligations for High-Risk AI — Developer Guide 2026

Post #1657 in the sota.io EU AI Act Compliance Series — EU-AI-ACT-ART71-DATABASE-REGISTRATION-2026 #1/5

The EU AI Act's August 2, 2026 deadline is 52 days away. While most developer attention has focused on technical documentation, risk management, and conformity assessments, there is one gate that many teams overlook until the last moment: registration in the EU database.

Article 71 of the EU AI Act (Regulation (EU) 2024/1689) establishes a mandatory, publicly accessible EU-wide database for high-risk AI systems. Registration is not optional, it is not post-launch paperwork, and it cannot be delegated to your legal team after deployment. Providers of high-risk AI systems listed in Annex III must register in this database before placing their system on the market or putting it into service in the EU.

This first post in our five-part Art.71 series covers the foundations: what the EU database is, exactly who must register and when, what the database contains, and the practical first steps your team needs to take in the next 52 days.

What Art.71 Establishes

Art. 71(1) gives the European Commission the mandate to set up and maintain a publicly accessible EU database containing information about high-risk AI systems and, separately, about General Purpose AI (GPAI) models with systemic risk. The database serves two purposes simultaneously:

1. Market transparency — buyers, deployers, and the public can verify that a high-risk AI system a company is selling has actually been through the required compliance steps.
2. Regulatory enforcement — national competent authorities (NCAs) can use the database as their primary reference when conducting market surveillance under Art.74.

The database is operated by the Commission via the European AI Office. Member States' NCAs have write access for enforcement annotations; the general public has read access to non-confidential fields.

There is also a restricted section of the database for law enforcement AI systems (Annex III, point 1 sub-cases falling under Title IX). If your system is used for law enforcement purposes, a different access regime applies and the registration is not publicly visible.

Who Must Register Under Art.71

High-Risk AI System Providers (Annex III)

The primary registration obligation sits with providers of high-risk AI systems listed in Annex III. Annex III covers eight areas:

If your SaaS product falls into any of these categories, you are likely a provider under Art.3(3) — and Art.71 applies directly to you.

A critical nuance: Art. 71 applies to Annex III systems only. High-risk AI systems listed in Annex I (safety components of products covered by other EU product safety legislation — medical devices, vehicles, aviation, lifts, toys etc.) follow sector-specific conformity assessment procedures and their registration is handled through the corresponding product legislation. If your AI system is embedded in a medical device, you register it via the EUDAMED database, not the Art. 71 EU AI database.

Deployers in the Public Sector (Art.71(4))

Art. 71 also requires certain deployers to register. This applies specifically when:

• The deployer is a public authority (or a private body acting on behalf of a public authority), and
• The system is in Annex III categories 6, 7, or 8 (law enforcement, migration/asylum, administration of justice)

For most commercial SaaS providers targeting enterprise customers, the registration obligation will fall on you as the provider. But if your product is sold to governments for law enforcement or border control use, you and your deployer-customers both have registration obligations.

Authorized Representatives

If you are a provider established outside the EU who places an AI system on the EU market, you must designate an authorized representative within the EU (Art.22). This representative must register on your behalf in the EU database. A non-EU provider without an authorized representative cannot lawfully place a high-risk AI system on the EU market.

When Must Registration Happen

The timing requirement in Art.71 is clear but often misread:

Registration must be completed before placing the system on the market or putting it into service.

This means registration is a pre-launch gate, not a post-launch formality. You cannot ship first and register later.

Timeline:

• August 2, 2026: Art.71 becomes applicable for high-risk AI systems in Annex III that are newly placed on the market after this date.
• August 2, 2027: Registration requirements extend to high-risk AI systems that were already on the market before August 2026 and are undergoing substantial modification (Art.111(3) transitional provisions).
• August 2, 2030: For certain large-scale IT systems in Annex X (Schengen Information System, Eurodac, etc.) which fall under Annex III, point 1, the deadline is 2030.

If you are building or selling a new high-risk AI SaaS product, your registration deadline is August 2, 2026. 52 days from today.

For products already on the market, the transitional provisions under Art.111 apply: you must register when you next make a substantial modification (a change that affects safety, risk level, or intended purpose).

What Information Must Be Submitted (Annex VIII)

The information required for registration in the EU database is specified in Annex VIII of the Regulation. Registration is not simply filing a form — it requires information you should already have from your technical documentation (Annex IV) and conformity assessment process.

Section A of Annex VIII (applies to all Annex III providers):

1. Provider identity: Name, address, and contact details of the provider (and authorized representative if outside EU)
2. Trade name: The commercial name under which the system is marketed
3. System identification: Description of intended purpose, countries of deployment, whether the system is high-risk under Art.6(1) (Annex I product safety) or Art.6(2) (Annex III stand-alone)
4. Categories: The specific Annex III point(s) that apply
5. Status: Whether the system is new, has undergone substantial modification, or is an existing system
6. Member State information: Where the system is to be placed on the market
7. Declaration of conformity: Reference number or copy
8. Certificate: Notified body certificate number if third-party conformity assessment was required
9. Instructions for use URL: Link to publicly accessible instructions
10. URL/contact for inquiries: How regulators and deployers can reach you

Section B of Annex VIII (additional for deployers with registration obligations):

1. Deployer identity: Name, address, and contact of the deploying organization
2. Use context: Specific use case within the Annex III category
3. Member States: Where deployed

Note what Annex VIII does not require: it does not require uploading your full technical documentation (Annex IV), your risk management system records, or your testing datasets. Those stay on your side and are produced to NCAs on request during market surveillance. The EU database receives a structured summary plus references.

The EU Database Interface: What Developers Need to Know

The EU AI Office has been developing the database interface since 2024. Based on the Commission's published technical specifications and pilot programs:

• Registration is form-based: There will be a web portal where providers create an account and submit Annex VIII data. There is no API for bulk registration as of this writing, though one is planned for high-volume scenarios.
• Unique identifier: Each registered system receives a unique EU database registration number. This number must appear in your declaration of conformity and in your CE marking documentation.
• Updates are mandatory: If any of the registered information changes (address, substantial modification, withdrawal from market), you must update within a defined period. The Act specifies this must happen "without delay."
• Confidentiality: You can flag specific fields as commercially confidential. The Commission will then display redacted information to the public but maintain full data access for NCAs.

The database is expected to go live in stages. A pilot registration portal was made available to notified bodies and large providers in early 2026. The public-facing portal for providers is expected no later than August 2, 2026.

Action required today: Monitor the European AI Office portal for the registration portal launch. Early registration — weeks before the deadline — is strongly recommended. There will almost certainly be technical issues, backlogs, and helpdesk delays in the final days before August 2.

Registration vs. Conformity Assessment: Understanding the Sequence

A common developer misconception is to treat registration as part of the conformity assessment. They are sequential, not parallel:

1. Complete risk management system (Art.9)
   ↓
2. Prepare technical documentation (Annex IV)
   ↓
3. Conduct conformity assessment (Art.43)
   - For most Annex III: internal assessment (Annex VI)
   - For biometrics + critical infra: third-party notified body (Annex VII)
   ↓
4. Issue EU Declaration of Conformity (Art.47, Annex V)
   ↓
5. Affix CE marking (Art.48-49)
   ↓
6. Register in EU database (Art.71) ← you are here
   ↓
7. Place on market / put into service

Registration is step 6, not step 1. You cannot register before you have completed conformity assessment and issued a Declaration of Conformity, because the Annex VIII registration form requires the DoC reference number and, for notified-body-assessed systems, the certificate number.

This means teams that are just starting their technical documentation in June 2026 face a very tight timeline. You have approximately:

• 3-5 weeks for technical documentation + risk management records
• 1-3 weeks for conformity assessment
• 1 week for registration preparation and submission
• That gets you to August 2, 2026 — with no buffer

If you need a notified body assessment (biometric or critical infrastructure AI systems), add 6-8 weeks minimum for NB scheduling and audit. That time has already passed for the August deadline.

GPAI Model Registration (Art.71 Chapter V Cross-Reference)

Art. 71(2) also covers a separate section of the EU database for General Purpose AI models with systemic risk under Art.51(2). This section:

• Is maintained by the European AI Office (not just the national database)
• Requires GPAI model providers (OpenAI, Anthropic, Google, Mistral, Meta, etc.) to register model identity, capabilities, and compliance status
• Is not directly applicable to most SaaS developers unless you are training your own frontier GPAI model

However, if you are building on a GPAI API (which most SaaS AI developers are), the GPAI provider's registration status affects your Art.53 contractual protection rights. In our next posts we will cover how to verify your GPAI provider's database status and what that means for your own compliance documentation.

Practical First Steps: What to Do This Week

Given the 52-day deadline, here is a concrete action list for developers who have not yet started Art.71 preparations:

Week 1 (Now — June 11-18):

• Audit your product against Annex III: does your system fall into any of the eight areas?
• If yes: determine if you are a provider (you train/develop the AI), a deployer (you use a third-party AI API for end-users), or both
• Identify whether your system falls under Annex I (product safety law) instead — if so, use sector-specific registration
• Check if you have a physical EU presence, or need to designate an authorized representative

Week 2 (June 18-25):

• Verify your Declaration of Conformity draft is complete (Annex V format)
• Collect your Annex VIII required data points — create a registration prep spreadsheet
• Monitor EU AI Office portal for registration interface launch announcement

Week 3-4 (June 25 - July 9):

• Complete conformity assessment
• Finalize and sign Declaration of Conformity
• Begin registration portal submission as soon as the portal opens

Week 5-6 (July 9-31):

• Complete registration, receive EU database ID
• Update CE marking documentation with registration number
• Prepare for August 2 go-live

What Happens If You Do Not Register

Non-registration of a high-risk AI system is an infringement of the AI Act. Art.99 specifies the penalty regime:

• Failure to register: up to €10 million or 2% of global annual turnover, whichever is higher
• For SMEs: proportionality applies, but the 2% cap remains
• NCAs can additionally order market withdrawal — meaning you must stop selling and using your non-compliant system

Unlike GDPR enforcement where many companies gambled on low enforcement probability in early years, the EU AI Act's enforcement infrastructure is being built explicitly for digital-first market surveillance. NCAs will have access to the database from day one and can see gaps immediately.

Series Overview: What Comes Next

This is post #1 of our five-part Art.71 registration series:

The August 2, 2026 deadline applies to this entire series. Start with this post's checklist, and follow the remaining posts over the next four days to build your complete registration package.

Summary

Art.71 EU database registration is a pre-launch gate, not post-launch paperwork. Providers of high-risk AI systems listed in Annex III must register before placing on market. Registration requires a completed conformity assessment and Declaration of Conformity first. The deadline is August 2, 2026. With 52 days left, teams without a conformity assessment already in progress face an extremely tight timeline. This week, audit your Annex III scope, determine your registration pathway (provider, deployer, or authorized representative), and monitor the EU AI Office portal for the registration interface launch.

This post is part of the sota.io EU AI Act Compliance Series. sota.io provides EU-sovereign cloud infrastructure — your AI system's hosting jurisdiction is part of your compliance documentation. Learn more about EU-hosted AI deployment.