EU AI Act Art.71: What to Register — Annex VIII Technical Documentation & Submission Workflow 2026
Post #1658 in the sota.io EU AI Act Compliance Series — EU-AI-ACT-ART71-DATABASE-REGISTRATION-2026 #2/5
The EU AI Act's August 2, 2026 deadline is 52 days away. In our previous post we covered who must register and when. Now comes the harder question: what exactly must you submit?
The answer is in Annex VIII of Regulation (EU) 2024/1689. This annex is short (a single page in the official text) but each of its twelve fields requires real documentation work. Providers who arrive at registration without these materials prepared will face delays — and a missed Art.71 registration deadline means your product cannot lawfully be placed on the EU market.
This post breaks down every Annex VIII field, what it actually requires in practice, and the submission workflow for the EU database portal.
What Annex VIII Actually Is
Annex VIII defines the minimum information that must be submitted by providers of high-risk AI systems listed in Annex III when registering in the EU database under Art.71(1). The Commission publishes the registration interface at the EU AI Act database portal.
Annex VIII is structured in two parts:
- Part I: Information required for all Annex III high-risk AI systems (excluding law enforcement / national security cases covered by Annex IX)
- Part II: Additional information specific to General Purpose AI (GPAI) models with systemic risk registering under Art.71(2)
This post focuses on Part I — the registration fields applicable to SaaS providers building or deploying high-risk AI systems under Annex III. GPAI-specific registration (Part II) is covered in post #3 of this series.
Annex VIII Part I: All 12 Registration Fields
Field 1: Provider Identity
What the regulation requires: Name, address, and contact details of the provider.
In practice: This is your company's legal registered name, registered address, and a designated compliance contact (email + phone). The contact details are published in the publicly accessible part of the database — use a role-based address (e.g., ai-compliance@yourcompany.com) rather than a personal email.
If your company is incorporated in an EU member state, enter the address from your commercial register. If you are a non-EU company, you must designate an authorized representative in the EU (Art.22) and their details appear in Field 3 below.
Documentation to prepare:
- Certified extract from commercial register (or equivalent)
- Written designation of compliance contact
Field 2: Third-Party Submission Details
What the regulation requires: Where the submission is made by another person on behalf of a provider — name, address, and contact details of that person.
In practice: This field applies when a law firm, compliance consultant, or third-party service provider is submitting the registration on your behalf. If your compliance team submits directly, leave this field empty (it is optional when you submit yourself).
If you use a compliance management platform or an EU authorized representative service that also handles database submissions, their details go here.
Field 3: Authorized Representative
What the regulation requires: If known, name, address, and contact details of the authorized representative.
In practice: Art.22 requires non-EU providers to designate an EU-based authorized representative before placing a high-risk AI system on the market. That representative's details must appear here.
EU-based providers do not need a separate authorized representative — your own details suffice for Fields 1 and 3. But if you are a US or UK company selling high-risk AI to EU customers, Field 3 is where your EU rep goes.
Documentation to prepare:
- Signed authorized representative agreement (Art.22)
- Representative's registered address in an EU member state
Field 4: System Identification
What the regulation requires: AI system trade name and any additional unambiguous reference allowing identification and traceability of the AI system.
In practice: This is your product's commercial name plus a version identifier. The "unambiguous reference" typically means a combination of:
- Product name (e.g., "CreditScore Pro")
- Version number or date of release (e.g., "v2.4.1" or "2026-Q1")
- A unique internal reference or SKU if applicable
The goal is that a national competent authority (NCA) or market surveillance body can trace exactly which deployed system corresponds to this registration entry. If you release major updates that change functionality covered by the registration, you will need to update this field and potentially re-submit documentation.
Versioning implications: The EU AI Act does not require a new registration for every minor update. But a "substantial modification" (as defined in Art.3(23) — a change that affects the AI system's compliance with the regulation or alters the intended purpose) requires a new conformity assessment and a new or updated registration.
Field 5: Intended Purpose
What the regulation requires: Description of the intended purpose of the AI system.
In practice: This must match the intended purpose stated in your Annex IV technical documentation (Art.11). Write a clear, non-marketing-language description that covers:
- The specific task the AI performs
- The category of users (who operates it)
- The context of deployment (where/how it is used)
- The Annex III category it falls under (e.g., "employment decision support under Annex III, point 4")
Regulators will cross-reference Field 5 against your Annex IV technical documentation and your EU declaration of conformity (Field 10). Inconsistencies are a red flag during market surveillance.
Example (employment AI):
"Automated CV screening and candidate ranking tool intended for use by HR departments in enterprises with 50+ employees. The system processes CV text and LinkedIn profile data to generate a ranked shortlist of candidates. Intended purpose: employment decision support under Annex III, point 4(a)."
Field 6: System Status
What the regulation requires: Status of the AI system: on the market or in service; no longer on the market or in service; recalled.
In practice: This is a lifecycle status field. At initial registration, the status will be "on the market" or "in service." You must update this field when:
- You withdraw the system from the EU market
- A recall is initiated (whether voluntary or mandated by an NCA under Art.75)
- You stop making the system available in a specific member state
The database is intended to be a live, accurate record — not just a one-time filing. Failure to update the status when a product is withdrawn is a compliance violation. Assign a team member responsibility for keeping the registration current.
Field 7: Notified Body Certificate
What the regulation requires: Type, number, and expiry date of the certificate issued by a notified body and the name/identification number of that notified body (where applicable).
In practice: Not every Annex III system requires third-party conformity assessment by a notified body. The requirement depends on the specific Annex III category and whether a harmonised standard exists. In the absence of harmonised standards, many Annex III systems rely on internal conformity assessment procedures.
When Field 7 is required:
- Systems using biometric identification (Annex III, point 1) in certain deployment scenarios
- Systems embedded in products covered by Annex I product safety legislation where those regulations require NB assessment
- AI systems for which the provider has chosen the NB-certification route (even when the self-assessment route was available)
If your system went through NB conformity assessment, Field 7 must include:
- Certificate type (e.g., EU-type examination certificate, quality management system certificate)
- Certificate number (format varies by NB)
- Expiry date
- NB name and NANDO identification number
If no NB was involved, this field is marked as not applicable.
Field 8: Certificate Scan
What the regulation requires: A scanned copy of the NB certificate (where Field 7 applies).
In practice: Upload the PDF or scanned image of the certificate issued by the notified body. If Field 7 is not applicable (self-assessment route), no upload is required for Field 8.
Format considerations:
- Use PDF if the NB issued a digital certificate
- Scanned images must be legible at A4 size
- If the certificate is multi-page, include all pages as a single PDF
Field 9: Member States of Deployment
What the regulation requires: Member States in which the AI system has been or is intended to be placed on the market, put into service, or made available in the Union.
In practice: Select from the EU/EEA member states list. If you are offering a SaaS product available to any EU customer, you typically select all member states. If you have a geofenced product limited to specific markets, list only those.
This field has implications for NCA jurisdiction: each listed member state's NCA has standing to conduct market surveillance of your registered system.
Field 10: EU Declaration of Conformity
What the regulation requires: A copy of the EU declaration of conformity required by Art.47.
In practice: Art.47 requires providers of high-risk AI systems to draw up a written EU declaration of conformity (EU DoC) before placing the system on the market. The declaration must contain at minimum (Art.47(2)):
- Identification of the AI system (name, type, version)
- Provider name and address
- Statement that the EU DoC is issued under the sole responsibility of the provider
- Object of the declaration (the high-risk AI system)
- Statement that the system conforms to the EU AI Act and other applicable Union law
- References to harmonised standards applied (if any) or common specifications
- Place, date of issue, signature
The EU DoC is a legal document with provider liability attached. Do not issue it until your conformity assessment is genuinely complete. A false EU DoC is an infringement under Art.99.
Upload the signed PDF to Field 10. The document is publicly visible in the database.
Field 11: Electronic Instructions for Use
What the regulation requires: Electronic instructions for use (Art.13 instructions).
In practice: Art.13 requires providers to include instructions for use that allow deployers to understand and operate the system correctly. These must be in a language determined by the member state where the system is deployed (Art.13(4)).
For Field 11, you upload the electronic version of these instructions. If your product is available in multiple EU languages, upload all language versions (or a URL to a versioned documentation page).
Contents required in Art.13 instructions:
- Provider identity
- System capabilities and limitations
- Level of accuracy and any known bias risks
- Intended purpose and foreseeable misuse scenarios
- Required human oversight measures
- System lifecycle and maintenance information
- Input data format requirements
- Cybersecurity measures implemented
Exception: This field does not apply to AI systems placed on the market or in service to law enforcement or national security authorities (those fall under the restricted database section).
Field 12: Additional Information URL (Optional)
What the regulation requires: URL for additional information (optional).
In practice: This is an optional field where you can link to a dedicated compliance documentation page on your website. Useful for linking to:
- Your AI system's dedicated transparency page
- A FAQ for deployers
- Your full technical documentation summary (public version)
- Press releases or compliance announcements
While optional, using Field 12 is good practice for enterprise SaaS products. NCAs and potential deployers may check this URL when evaluating your product.
The Submission Workflow: Step by Step
Step 1: Access the EU AI Act Database Portal
The registration portal is hosted by the European Commission under the Digital Strategy section. Access requires an EU Login account (formerly ECAS — the Commission's single sign-on system).
- Create an EU Login account at eu-login.ec.europa.eu
- Navigate to the AI Act Database registration interface
- Select "Register as Provider" for Annex III systems
The portal uses a structured form that maps directly to the Annex VIII fields. The Commission provides guidance documents in all EU official languages.
Step 2: Prepare Your Documentation Package
Before accessing the portal, prepare all materials offline:
| Annex VIII Field | Required Document |
|---|---|
| Field 1 | Commercial register extract (certified) |
| Field 3 | Authorized representative agreement (non-EU providers) |
| Field 4 | Version identifier / SKU table |
| Field 5 | Intended purpose statement (from Annex IV documentation) |
| Field 7 | NB certificate reference (if applicable) |
| Field 8 | NB certificate PDF scan (if applicable) |
| Field 10 | Signed EU Declaration of Conformity (PDF) |
| Field 11 | Electronic instructions for use (PDF/URL) |
Step 3: Complete the Registration Form
Enter all required fields. The portal validates required fields before submission and will not allow partial registration.
Critical checks before submission:
- The intended purpose in Field 5 matches your Annex IV technical documentation word-for-word
- The system identification in Field 4 is consistent with your EU DoC (Field 10)
- The member states in Field 9 match the geographic scope stated in your EU DoC
Step 4: Receive Registration Number
Upon successful submission, the database assigns a unique EU registration number to your AI system. This registration number must appear on or with your AI system documentation and must be referenced in your CE marking declaration.
Operational implication: Store the registration number in your system's configuration metadata. If you offer an API, the registration number should be available in your API's /metadata or equivalent endpoint — deployers building systems on top of yours may need to reference it in their own compliance documentation.
Step 5: Maintain the Registration
Registration is not a one-time event. You must update the database entry when:
- The system is updated in a way that constitutes a "substantial modification" (Art.3(23))
- The deployment status changes (Field 6)
- Provider contact details change
- A corrective action or recall is initiated
- A notified body certificate is renewed or expires
Assign a process owner for database maintenance. Calendar a quarterly review of the registration entry against the current deployed system version.
Annex VIII vs. Annex IV: What Is Public, What Stays Internal
A common confusion: Annex IV contains the full technical documentation that providers must maintain (and make available to NCAs on request). Annex VIII defines the subset of that documentation that is registered in the public database.
| Documentation | Annex IV (private) | Annex VIII (database) |
|---|---|---|
| Full system architecture | ✓ Keep internally | ✗ Not submitted |
| Training data description | ✓ Keep internally | ✗ Not submitted |
| Full risk management records | ✓ Keep internally | ✗ Not submitted |
| Intended purpose description | ✓ Core of Annex IV | ✓ Field 5 (condensed version) |
| EU Declaration of Conformity | ✓ Filed with Annex IV | ✓ Field 10 (full document) |
| Electronic instructions for use | ✓ In Annex IV | ✓ Field 11 (full document) |
| NB certificate | ✓ In Annex IV | ✓ Fields 7 + 8 (if applicable) |
| Provider identity | ✓ In Annex IV | ✓ Fields 1–3 |
The public database is intentionally limited to market-facing information. Your full technical documentation (training methodology, proprietary architecture details, security implementation) stays in your internal Annex IV files and is only accessible to NCAs under Art.74 market surveillance powers.
What Happens If Your Registration Is Incomplete
Under Art.99, infringements related to Art.71 registration carry administrative fines. Specifically:
- Placing a high-risk AI system on the EU market without completing registration: fine of up to EUR 15 million or 3% of total worldwide annual turnover (whichever is higher)
- Inaccurate or misleading information in the registration: treated as an infringement of the accuracy/documentation requirements
NCAs also have the power under Art.74(4) to require immediate withdrawal or recall of unregistered systems. In practice, enforcement in 2026 will focus first on systems that pose immediate safety risks, but the registration gate is hard: the database entry is verifiable at the point of market entry.
Infrastructure Considerations for Registered High-Risk AI
Once registered, your system is on the radar of every NCA in the member states you listed in Field 9. Market surveillance under Art.74 can include requests to access your Annex IV documentation, testing the system, and inspecting your training data infrastructure.
The CLOUD Act problem at the documentation layer: Your Annex IV documentation — including logs, monitoring data, and risk management records — is your primary defense during an NCA audit. If this documentation is stored on infrastructure subject to the US CLOUD Act (AWS, Azure, Google Cloud, regardless of their EU regions), a parallel US legal request could theoretically access your compliance documentation without the NCA's knowledge.
The EU AI Act itself does not explicitly mandate where Annex IV documentation must be stored. But Art.12 (logging obligations) and Art.72 (post-market monitoring) together create a framework where documentation must be readily accessible to EU authorities — and the question of who else can access it sits at the intersection of data governance and competition law.
For providers registering high-risk AI systems under Art.71 and building documentation infrastructure from scratch in 2026: EU-native hosting (no US parent company, no CLOUD Act exposure) removes an entire category of jurisdictional risk. This is particularly relevant for healthcare, finance, and employment AI where the data subject rights under GDPR interact with the AI Act's transparency obligations.
Key Takeaways
- Annex VIII Part I has 12 fields; Fields 1, 4, 5, 6, 9, 10, and 11 are required for all Annex III systems
- The EU Declaration of Conformity (Field 10) must be signed before registration — it is a pre-condition, not a deliverable you prepare after registration
- Field 5 (intended purpose) must match your Annex IV technical documentation exactly — inconsistencies are the primary cause of NCA scrutiny
- Registration is a pre-launch gate: you must register before placing the system on the market, not after
- The registration number assigned by the database must be referenced in your CE marking documentation
- Plan for ongoing maintenance: Field 6 (status) and substantial modification triggers mean this is not a file-and-forget process
Next in this series (Post #3): GPAI model registration under Art.71(2) — the separate Part II fields, what qualifies as systemic risk for registration purposes, and how downstream SaaS providers building on GPAI APIs should approach their own registration obligations.
See Also
- EU AI Act Art.71: EU Database Registration Obligations for High-Risk AI — Developer Guide 2026 — Post #1 in this series: who must register, the August deadline, and the registration pathway decision tree
- EUDB Registration and Conformity Assessment: How Art.51 and Art.43 Are Connected — Field 10 (Declaration of Conformity) requires a completed Art.43 assessment; this post explains the legal sequencing and documentation mapping
- EU AI Act Art.43 Conformity Assessment Routes: Notified Body vs Self-Assessment for SaaS Providers — Which Art.43 route applies to your system determines what evidence you must assemble before submitting Fields 8–12
- EU AI Act EUDB Registration Checklist: 28-Item Pre-Registration Package — The complete pre-registration checklist cross-referenced against Annex VIII fields
- EU AI Act Art.51: What High-Risk AI Providers Must Register in the EU Database — The Art.51 statutory basis and GPAI Part II registration obligations covered in Post #3 of this series
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.