EU AI Act Art.22 EU Database of High-Risk AI Systems: Developer Guide (2026)

EU AI Act Article 22 is the public transparency layer of the high-risk AI framework. Where Articles 9–21 govern what providers must build, document, test, and report internally, Art.22 requires them to register the system in a publicly accessible EU database before placing it on the market or putting it into service. The registration is not a formality — it is a gate that cannot be opened without completing the conformity assessment chain under Art.43, the declaration of conformity under Art.48, and the CE marking under Art.49.

For developers and engineering teams, Art.22 has three concrete implications: first, registration is a launch-blocking prerequisite (no registration, no lawful market placement); second, the registration record is public and persistent, creating long-term accountability for the system's stated intended purpose and Annex III category; third, the infrastructure hosting registration records — and the EU database itself — introduces a CLOUD Act jurisdictional consideration that EU-native providers can structurally avoid.

This guide covers Art.22(1)–(3) in full: the provider registration obligation, the mandatory registration content, deployer registration requirements for public authorities, the Art.22 prerequisite chain (Art.43 → Art.48 → Art.49 → Art.22), Art.71 database governance, the EU AI Office database operational timeline (2025 provisional, 2026 full operation), CLOUD Act jurisdiction risk for registration records and database infrastructure, Python implementation for AISystemRegistrationRecord, RegistrationChecker, DeployerUseRecord, and DatabaseSearchClient, and the 40-item Art.22 compliance checklist.

Art.22 in the High-Risk AI Compliance Chain

Art.22 occupies the market placement gate at the end of Chapter III Section 2:

Art.22 is a prerequisite-gated obligation: the registration cannot happen until Art.43 conformity assessment is complete, Art.48 declaration of conformity is issued, and Art.49 CE marking is affixed. This means Art.22 is the final compliance step before lawful market placement — not an optional transparency measure after launch.

Art.22(1): Provider Registration Obligation

Scope: What Triggers Registration

Art.22(1) requires providers of high-risk AI systems listed in Annex III to register themselves and their system in the EU database established under Art.71 before placing the system on the market or putting it into service in the EU.

The obligation applies to:

• Providers placing on the market: Any entity that places a high-risk AI system on the EU market, regardless of establishment location
• Providers putting into service: Any entity that puts a high-risk AI system into service in the EU under its own authority
• Third-country providers: Third-country providers must designate an EU authorised representative (Art.25) who then handles the registration on their behalf

The "Before" Requirement

Art.22(1) is unambiguous: registration must be completed before the system is placed on the market or put into service. This is not a post-launch filing — it is a launch gate.

Developer implications of the "before" requirement:

A CI/CD pipeline that auto-deploys a high-risk AI system into production without a registration checkpoint violates Art.22(1). For regulated AI products, the deployment pipeline must include:

1. Verification that Art.43 conformity assessment is complete
2. Verification that Art.48 declaration of conformity exists and is signed
3. Verification that Art.49 CE marking is affixed (where applicable)
4. Verification that Art.22(1) registration is complete and the registration ID is stored
5. Only then: authorisation for production deployment

This is not a legal department task alone — it requires engineering controls at the deployment gate.

What Counts as "Placing on the Market"

"Placing on the market" in EU product regulation means making a product available for the first time on the EU market. For AI systems, this typically means:

• First commercial API access grant to any EU customer
• First commercial license sale to any EU-based user
• First deployment of a provider-operated AI system accessible to EU users
• First delivery of an AI system integrated into a product sold to an EU customer

Internal development, testing, and conformity assessment activities are not market placement — they are pre-market activities that may proceed without registration. The registration gate activates at the transition from development to commercial deployment.

Art.22(2): Mandatory Registration Content

The Eight Registration Data Fields

Art.22(2) specifies what information must be submitted to the EU database. The registration record is publicly accessible — this is the transparency mechanism of Art.22. The mandatory fields are:

1. System name: The commercial name or model name of the AI system
2. Provider identity: Name and registration number (or personal ID where applicable) of the provider, and where applicable the EU authorised representative
3. Conformity assessment body: The identification of any notified body that performed the third-party conformity assessment under Art.43(1)(b), and the certificate number issued
4. Declaration of conformity: A reference to the EU declaration of conformity issued under Art.48
5. Annex IV technical documentation summary: A summary of the information required under Annex IV — not the full documentation (which remains confidential), but a summary sufficient for transparency
6. Intended purpose: A description of the intended purpose as defined in Art.3(12), including the specific context of use and the categories of natural persons affected
7. Annex III category: The specific Annex III category under which the system is classified as high-risk
8. Post-market monitoring plan: A summary of the post-market monitoring plan under Art.72

Developer implications of mandatory content:

The registration content requirements impose documentation constraints with design consequences:

• Intended purpose must be specific: A vague intended purpose statement ("AI for business analytics") will not satisfy Art.22(2). The registration must identify the specific deployment context and affected persons. This means the product specification must be frozen before registration — scope creep after registration creates an Art.22(2) update obligation.

• Annex III category must be accurate: Misclassification in the public database (registering as a lower-risk Annex III category than the actual deployment) is a material non-conformity visible to market surveillance authorities, affected persons, and competitors.

• Technical documentation summary must be consistent: The Art.22(2)(e) summary must be consistent with the full Art.11 Annex IV documentation. Discrepancies between the public summary and the confidential documentation create audit exposure.

The Public Accessibility of Registration Records

Art.22(2) records are accessible to the public through the EU database. This has practical consequences:

• Competitors can see your registration: Market category classification, intended purpose, and notified body identification are publicly visible. This is a market transparency mechanism, not just a regulatory requirement.
• Affected persons can look up systems affecting them: A person subject to an AI-assisted employment screening decision (Annex III Category 4) can search the database to verify the system's registration and intended purpose.
• Market surveillance authorities start investigations from public data: MSAs use the database as a starting point for market surveillance. Gaps between the registered intended purpose and observed deployment are a direct enforcement trigger.

Art.22(3): Deployer Registration for Public Authorities

The Deployer Registration Obligation

Art.22(3) extends the registration obligation to deployers in a specific context: deployers that are public authorities, agencies, or bodies using high-risk AI systems listed in Annex III Categories 1, 2, 3, and 4 must register their use of the system in the EU database.

The four Annex III categories triggering deployer registration:

• Category 1: Biometric identification and categorisation (with exceptions under Art.22(4))
• Category 2: Critical infrastructure management
• Category 3: Education and vocational training (access, evaluation)
• Category 4: Employment, workers management, and access to self-employment

What Deployer Registration Must Include

The deployer registration under Art.22(3) must include:

1. Public authority identity: The name and registration number of the public authority
2. AI system reference: The registration ID of the provider's Art.22(1) registration record
3. Intended purpose in deployment: The specific intended purpose within the deployer's operational context (which may be narrower than the provider's registered intended purpose)
4. Geographic scope: The territory or population affected by the deployment
5. Start and end dates: The operational period of the high-risk AI deployment

Developer implications for infrastructure providers:

If you are building platforms, APIs, or infrastructure that public authorities use to deploy high-risk AI systems, Art.22(3) creates indirect requirements:

• Your API must expose a unique, stable system registration ID that the deploying authority can reference in its own registration
• Your system's registered intended purpose must be broad enough to cover the authority's specific use case
• Your post-market monitoring must generate data that authorities can use to satisfy their Art.72 post-market monitoring obligations
• Your terms of service must not limit deployers' ability to comply with Art.22(3)

The Art.22(4) Exception: Confidential Registrations

Art.22(4) provides a confidentiality exception for high-risk AI systems listed in Annex III Category 1 (biometric systems) where the registration would compromise law enforcement activities or classified information. In such cases, the system is registered in a non-public section of the EU database, accessible only to relevant national authorities and the Commission.

For developers building biometric AI systems for law enforcement customers, Art.22(4) does not eliminate the registration obligation — it limits public visibility of the registration record.

Art.22 Prerequisite Chain: Art.43 → Art.48 → Art.49 → Art.22

Why Registration Cannot Happen First

The Art.22 registration is downstream of three prerequisites. Understanding this chain is critical for project planning:

Art.43: Conformity Assessment
     ↓ (assessment complete → certificate issued)
Art.48: Declaration of Conformity
     ↓ (DoC signed → references Art.43 certificate)
Art.49: CE Marking
     ↓ (CE marking affixed → references DoC)
Art.22: EU Database Registration
     ↓ (registration complete → lawful market placement)
Art.22 Registration ID stored → deployment gate cleared

Art.43: Conformity Assessment Prerequisite

Art.22(2)(c) requires the registration to identify any notified body that performed the conformity assessment and the certificate number. This means:

• For Annex III systems requiring third-party conformity assessment (Category 1 biometric systems, Law Enforcement Annex II systems): a notified body must have completed the assessment and issued a certificate before registration is possible
• For Annex III systems eligible for self-assessment (most Category 2–8 systems): the provider must have completed its own conformity assessment under Art.43(4) and documented the process before registration

Timeline implication: Third-party conformity assessment by accredited notified bodies takes 3–12 months depending on system complexity. This must be factored into product launch timelines.

Art.48: Declaration of Conformity Prerequisite

Art.22(2)(d) requires the registration to reference the EU declaration of conformity. The declaration must:

• Identify the AI system (name, version, serial number where applicable)
• State the provider's name and address
• Declare that the system is in conformity with the Regulation
• Reference the harmonised standards or other specifications applied
• Identify any notified body involved (where applicable)
• Be signed by the authorised representative
• Reference the applicable Annex III category

The declaration is the legal attestation that ties together the technical documentation, conformity assessment, and registration.

Art.49: CE Marking Prerequisite

For high-risk AI systems covered by Chapter III Section 2 (i.e., the Article 9–22 framework), Art.49 requires CE marking to be affixed before market placement. The CE marking:

• Must be affixed visibly, legibly, and indelibly to the system or its accompanying documentation
• Must be affixed only after conformity assessment is complete and declaration of conformity is issued
• Cannot be affixed to systems that have not completed the Chapter III Section 2 requirements

For software-only AI systems: CE marking is affixed to the accompanying documentation or the interface presented to users/deployers — not physically to hardware.

Art.22 × Art.71: EU Database Infrastructure Governance

Art.71: The Legal Basis for the EU Database

Art.71 establishes the EU database of high-risk AI systems. Key Art.71 provisions relevant to developers:

Art.71(1): The Commission establishes and maintains the EU database. The database is publicly accessible (with the Art.22(4) exception for law enforcement).

Art.71(2): The Commission is the data controller under GDPR for the personal data in the database.

Art.71(3): Providers and deployers (for Art.22(3) registrations) are responsible for the accuracy of the information they submit.

Art.71(4): The Commission may impose access restrictions on information that could compromise public security, safety, or proprietary information — but this is limited and does not eliminate the public nature of Art.22(2) registration records.

Database API Access for Developers

The EU AI Office is building a machine-readable database with API access. For developers building compliance tooling, the database API enables:

• Supply chain verification: Checking whether third-party AI components you integrate are registered as high-risk AI systems
• Deployer due diligence: Verifying provider registrations before using a high-risk AI system
• Competitive intelligence: Monitoring the market landscape for registered high-risk AI systems in your category
• Compliance monitoring: Verifying that your own registration records remain current and consistent with operational reality

Developer note: The Art.71 database API is provisionally available as of 2025 and is expected to reach full operational capability in August 2026, aligned with the Art.9–22 applicability date.

EU AI Office Database: Operational Timeline

Understanding the database timeline matters for launch planning:

Early registration advantage:

Providers can register in the provisional database before August 2026. Early registration:

• Establishes a registration record timeline showing proactive compliance
• Allows providers to test the registration process before the mandatory deadline
• Enables early identification of intended purpose and Annex III classification issues
• Gives marketing teams the ability to reference the registration in product communications

CLOUD Act × Art.22: Jurisdictional Risk for Registration Records

The Dual-Compellability Problem

Art.22 registration records are submitted to the EU AI Office database (EU infrastructure, Commission-controlled). However, providers must also maintain their own copies of registration records as part of their Art.11 technical documentation under the 10-year retention requirement of Art.11(3).

If those internal registration records — including the declaration of conformity referenced in Art.22(2)(d), the conformity assessment certificate referenced in Art.22(2)(c), and the Annex IV technical documentation summary — are stored on US cloud infrastructure, the CLOUD Act creates a parallel compellability pathway:

Registration Record stored on US cloud
     ↓ CLOUD Act 18 U.S.C. § 2713
US DOJ subpoena to US cloud provider
     ↓ (no EU MSA involvement, no Art.78 confidentiality protection)
Records disclosed to US law enforcement

This is structurally different from the EU MSA access pathway under Art.21, where Art.78 confidentiality protections apply and disclosure must go through EU regulatory channels.

The Art.22 × CLOUD Act Exposure Matrix

EU-Native Infrastructure as Structural Mitigation

For providers who register high-risk AI systems and maintain their conformity documentation on EU-native infrastructure, the CLOUD Act compellability pathway does not exist. The EU AI Act's Art.78 confidentiality protections apply fully, and disclosure of internal documentation occurs only through EU regulatory channels with notice to the provider.

Concrete developer action: Deploy the conformity documentation management system — the internal tools that generate, store, and version-control declarations of conformity, Annex IV documentation, and conformity assessment certificates — on EU-native infrastructure. This is a defensible position under both EU AI Act and GDPR data governance frameworks.

Python Implementation

1. AISystemRegistrationRecord

from dataclasses import dataclass, field
from datetime import date
from typing import Optional
from enum import Enum

class AnnexIIICategory(Enum):
    CAT_1_BIOMETRIC = "1"
    CAT_2_CRITICAL_INFRA = "2"
    CAT_3_EDUCATION = "3"
    CAT_4_EMPLOYMENT = "4"
    CAT_5_ESSENTIAL_SERVICES = "5"
    CAT_6_LAW_ENFORCEMENT = "6"
    CAT_7_MIGRATION = "7"
    CAT_8_JUSTICE = "8"

class RegistrationStatus(Enum):
    DRAFT = "draft"
    SUBMITTED = "submitted"
    CONFIRMED = "confirmed"
    UPDATED = "updated"
    WITHDRAWN = "withdrawn"

@dataclass
class AISystemRegistrationRecord:
    """
    Art.22(2) EU database registration record for a high-risk AI system.
    Represents the mandatory fields submitted to the EU AI Office database.
    """
    # Art.22(2)(a): System identity
    system_name: str
    system_version: str
    
    # Art.22(2)(b): Provider identity
    provider_name: str
    provider_registration_number: str  # EU business registration
    eu_representative_name: Optional[str] = None  # Art.25 — required for third-country providers
    
    # Art.22(2)(c): Conformity assessment
    conformity_assessment_type: str = "self_assessment"  # or "third_party"
    notified_body_id: Optional[str] = None  # Required if third_party
    certificate_number: Optional[str] = None  # Required if third_party
    
    # Art.22(2)(d): Declaration of conformity
    doc_reference: str = ""  # EU DoC reference number
    doc_date: Optional[date] = None
    
    # Art.22(2)(e): Technical documentation summary
    annex_iv_summary: str = ""  # Public summary of Annex IV documentation
    
    # Art.22(2)(f): Intended purpose
    intended_purpose: str = ""  # Art.3(12) — specific context + affected persons
    affected_persons_categories: list = field(default_factory=list)
    
    # Art.22(2)(g): Annex III classification
    annex_iii_category: Optional[AnnexIIICategory] = None
    annex_iii_subcategory: str = ""
    
    # Art.22(2)(h): Post-market monitoring summary
    pms_summary: str = ""  # Summary of Art.72 PMS plan
    
    # Registration metadata
    registration_id: Optional[str] = None  # Assigned by EU AI Office upon submission
    registration_status: RegistrationStatus = RegistrationStatus.DRAFT
    registration_date: Optional[date] = None
    last_updated: Optional[date] = None
    
    def is_complete(self) -> tuple[bool, list[str]]:
        """
        Check whether all mandatory Art.22(2) fields are populated.
        Returns (is_complete, list_of_missing_fields).
        """
        missing = []
        if not self.system_name:
            missing.append("system_name (Art.22(2)(a))")
        if not self.provider_name or not self.provider_registration_number:
            missing.append("provider_identity (Art.22(2)(b))")
        if self.conformity_assessment_type == "third_party":
            if not self.notified_body_id:
                missing.append("notified_body_id (Art.22(2)(c))")
            if not self.certificate_number:
                missing.append("certificate_number (Art.22(2)(c))")
        if not self.doc_reference:
            missing.append("doc_reference (Art.22(2)(d))")
        if not self.annex_iv_summary:
            missing.append("annex_iv_summary (Art.22(2)(e))")
        if not self.intended_purpose:
            missing.append("intended_purpose (Art.22(2)(f))")
        if not self.annex_iii_category:
            missing.append("annex_iii_category (Art.22(2)(g))")
        if not self.pms_summary:
            missing.append("pms_summary (Art.22(2)(h))")
        return len(missing) == 0, missing

2. RegistrationChecker — Deployment Gate

from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class ConformityPrerequisites:
    """
    Tracks the Art.43 → Art.48 → Art.49 → Art.22 prerequisite chain.
    All must be True before Art.22 registration is valid.
    """
    art43_conformity_assessment_complete: bool = False
    art43_assessment_date: Optional[date] = None
    art43_certificate_id: Optional[str] = None
    
    art48_declaration_of_conformity_issued: bool = False
    art48_doc_reference: Optional[str] = None
    art48_doc_date: Optional[date] = None
    
    art49_ce_marking_affixed: bool = False
    art49_marking_date: Optional[date] = None
    
    art22_registration_complete: bool = False
    art22_registration_id: Optional[str] = None
    art22_registration_date: Optional[date] = None

class RegistrationChecker:
    """
    Validates the complete Art.22 registration prerequisite chain.
    Use as a deployment gate in CI/CD pipelines.
    """
    
    def check_deployment_clearance(
        self,
        record: AISystemRegistrationRecord,
        prerequisites: ConformityPrerequisites,
    ) -> dict:
        """
        Returns deployment clearance status.
        All four prerequisite conditions must be met for lawful market placement.
        """
        issues = []
        
        # Gate 1: Art.43 conformity assessment
        if not prerequisites.art43_conformity_assessment_complete:
            issues.append(
                "BLOCKED: Art.43 conformity assessment not complete. "
                "Registration cannot proceed without completed assessment."
            )
        
        # Gate 2: Art.48 declaration of conformity
        if not prerequisites.art48_declaration_of_conformity_issued:
            issues.append(
                "BLOCKED: Art.48 declaration of conformity not issued. "
                "Declaration must be signed before registration."
            )
        
        # Gate 3: Art.49 CE marking
        if not prerequisites.art49_ce_marking_affixed:
            issues.append(
                "BLOCKED: Art.49 CE marking not affixed. "
                "CE marking required before market placement."
            )
        
        # Gate 4: Art.22 registration completeness
        is_complete, missing_fields = record.is_complete()
        if not is_complete:
            issues.append(
                f"BLOCKED: Registration record incomplete. "
                f"Missing fields: {missing_fields}"
            )
        
        # Gate 5: Registration status
        if record.registration_status not in (
            RegistrationStatus.CONFIRMED, RegistrationStatus.UPDATED
        ):
            issues.append(
                f"BLOCKED: Registration not confirmed by EU AI Office. "
                f"Current status: {record.registration_status.value}"
            )
        
        return {
            "deployment_cleared": len(issues) == 0,
            "issues": issues,
            "registration_id": record.registration_id,
            "checked_at": date.today().isoformat(),
        }

3. DeployerUseRecord (Art.22(3))

@dataclass
class DeployerUseRecord:
    """
    Art.22(3) deployer registration record for public authorities
    using Annex III Category 1/2/3/4 high-risk AI systems.
    """
    # Public authority identity
    authority_name: str
    authority_registration_number: str
    authority_country: str  # EU Member State
    
    # Reference to provider registration
    provider_registration_id: str  # Art.22(1) registration ID of the provider
    
    # Deployment-specific intended purpose
    deployment_intended_purpose: str  # Narrower than provider's registered purpose
    
    # Affected population
    geographic_scope: str  # Territory or population affected
    estimated_affected_persons: Optional[int] = None
    
    # Operational period
    deployment_start_date: Optional[date] = None
    deployment_end_date: Optional[date] = None  # None = indefinite
    
    # Annex III category of the deployed system
    annex_iii_category: Optional[AnnexIIICategory] = None
    
    # Art.22(4) exception flag
    law_enforcement_exception: bool = False  # True = non-public registration
    
    # Registration metadata
    use_registration_id: Optional[str] = None
    use_registration_date: Optional[date] = None
    
    def requires_public_registration(self) -> bool:
        """
        Art.22(4): Public authorities deploying biometric AI for law enforcement
        may register in non-public section. All others: public registration.
        """
        return not (
            self.annex_iii_category == AnnexIIICategory.CAT_1_BIOMETRIC
            and self.law_enforcement_exception
        )

4. DatabaseSearchClient

import json
from typing import Optional

class DatabaseSearchClient:
    """
    Client for the EU AI Office database API (Art.71).
    Enables supply chain verification, deployer due diligence,
    and compliance monitoring.
    """
    
    def __init__(self, api_base_url: str, api_key: Optional[str] = None):
        """
        api_base_url: EU AI Office database API endpoint
        api_key: Optional API key for authenticated access (rate limits differ)
        """
        self.api_base_url = api_base_url
        self.api_key = api_key
    
    def search_by_provider(self, provider_name: str) -> list[dict]:
        """
        Returns all registered high-risk AI systems for a given provider.
        Use for supply chain due diligence.
        """
        # Implementation: GET /v1/registrations?provider_name={provider_name}
        raise NotImplementedError("Implement against EU AI Office API when available")
    
    def get_by_registration_id(self, registration_id: str) -> Optional[dict]:
        """
        Returns the full public registration record for a given registration ID.
        Use to verify that an Art.22(1) registration is current and confirmed.
        """
        # Implementation: GET /v1/registrations/{registration_id}
        raise NotImplementedError("Implement against EU AI Office API when available")
    
    def search_by_annex_iii_category(
        self, category: AnnexIIICategory
    ) -> list[dict]:
        """
        Returns all registered high-risk AI systems in a given Annex III category.
        Use for competitive intelligence and market surveillance input.
        """
        # Implementation: GET /v1/registrations?category={category.value}
        raise NotImplementedError("Implement against EU AI Office API when available")
    
    def verify_registration_consistency(
        self,
        registration_id: str,
        expected_intended_purpose: str,
        expected_category: AnnexIIICategory,
    ) -> dict:
        """
        Checks whether the public registration record matches the expected
        intended purpose and category. Use for ongoing compliance monitoring.
        """
        record = self.get_by_registration_id(registration_id)
        if not record:
            return {
                "consistent": False,
                "issue": f"Registration ID {registration_id} not found in database",
            }
        
        issues = []
        if record.get("intended_purpose") != expected_intended_purpose:
            issues.append(
                f"Intended purpose mismatch: "
                f"registered='{record['intended_purpose']}' "
                f"vs expected='{expected_intended_purpose}'"
            )
        if record.get("annex_iii_category") != expected_category.value:
            issues.append(
                f"Category mismatch: "
                f"registered='{record['annex_iii_category']}' "
                f"vs expected='{expected_category.value}'"
            )
        
        return {
            "consistent": len(issues) == 0,
            "issues": issues,
            "registration_id": registration_id,
        }

Enforcement Exposure

Art.22 Violations and the Fine Framework

Art.22 violations fall under the EU AI Act's graduated fine structure:

The 3% + 3% dual exposure scenario:

A provider that fails to register a high-risk AI system AND has a supply chain partner (importer or distributor) that independently places the unregistered system on the market creates a scenario where both are subject to separate enforcement actions — each up to 3% of their respective global turnover.

The Continuing Violation Issue

Art.22 non-compliance is not a one-time violation at the moment of market placement — it is a continuing violation for as long as the unregistered system remains on the market. A provider who placed a high-risk AI system on the market in September 2026 without registration, and continues to operate it without registration through December 2026, has four months of continuing violation exposure.

Market surveillance authority escalation path:

1. MSA identifies gap between registered systems and market-active systems (database sweep against known products)
2. MSA issues correction notice under Art.79 — provider has limited time to register or withdraw
3. If provider fails to comply: MSA issues enforcement decision with fine
4. If fine unpaid: Art.79 cross-border enforcement coordination (Art.79(5))

Art.22 Compliance Checklist (40 Items)

Pre-Registration Prerequisites

• 1. Art.9 risk management system complete and documented
• 2. Art.10 training data governance documented
• 3. Art.11 Annex IV technical documentation complete (all 8 sections)
• 4. Art.12 automatic event logging implemented and tested
• 5. Art.13 instructions for use drafted and reviewed
• 6. Art.14 human oversight controls implemented
• 7. Art.15 accuracy and robustness testing complete
• 8. Art.17 quality management system operational
• 9. Art.43 conformity assessment scope confirmed (self-assessment vs third-party)
• 10. Art.43 conformity assessment completed (or notified body engaged if third-party)
• 11. Art.43 certificate obtained (if third-party assessment) — certificate number recorded
• 12. Art.48 declaration of conformity drafted, reviewed, and signed
• 13. Art.48 DoC references harmonised standards applied
• 14. Art.49 CE marking affixed to system or accompanying documentation
• 15. EU authorised representative designated if provider is third-country (Art.25)

Registration Content (Art.22(2))

• 16. System name finalised and consistent across all documentation
• 17. Provider identity information complete (name + registration number)
• 18. EU representative information included if applicable (Art.22(2)(b))
• 19. Notified body ID and certificate number recorded if third-party assessment (Art.22(2)(c))
• 20. DoC reference recorded and consistent with Art.48 declaration (Art.22(2)(d))
• 21. Annex IV technical documentation summary written — public-facing version (Art.22(2)(e))
• 22. Annex IV summary reviewed for trade secret disclosures (Art.78 check)
• 23. Intended purpose statement specific: context + affected persons (Art.22(2)(f))
• 24. Intended purpose reviewed against Art.3(12) definition
• 25. Annex III category confirmed and documented (Art.22(2)(g))
• 26. Annex III subcategory identified (e.g., Category 4(a) recruitment systems)
• 27. Post-market monitoring plan summary written for Art.22(2)(h) registration field
• 28. All registration fields validated for accuracy and completeness

Deployer Registration (Art.22(3))

• 29. Deployer registration obligation assessed — is the deployer a public authority?
• 30. Annex III category confirmed as Category 1/2/3/4 (triggers Art.22(3))
• 31. Art.22(4) exception assessed — is this a law enforcement biometric case?
• 32. DeployerUseRecord populated with all mandatory fields
• 33. Deployment intended purpose consistent with provider's registered intended purpose
• 34. Geographic scope and affected persons documented

Infrastructure and Ongoing Compliance

• 35. Registration infrastructure on EU-native hosting (CLOUD Act risk mitigation)
• 36. Internal registration records stored with Art.11(3) 10-year retention
• 37. Registration ID stored in deployment system — deployment gate references registration
• 38. CI/CD pipeline deployment gate checks registration status before production deploy
• 39. Registration update process defined for material changes (intended purpose, Annex III category, new version)
• 40. Annual registration review scheduled to verify consistency with operational reality

What to Do Now

For Providers

Immediate (before August 2026):

1. Confirm Annex III classification for all AI systems you develop or deploy
2. Initiate Art.43 conformity assessment process — third-party assessments take 3–12 months
3. Draft Art.48 declaration of conformity and Art.11 Annex IV technical documentation
4. Register early in the provisional EU AI Office database if your system is ready

Engineering tasks:

1. Add RegistrationChecker to your CI/CD pipeline as a deployment gate
2. Create AISystemRegistrationRecord instances for all Annex III systems in development
3. Implement Art.11 Annex IV documentation management on EU-native infrastructure
4. Store registration_id in your system configuration and deployment metadata

For Deployers (Public Authorities)

Before deploying any Annex III Category 1/2/3/4 system:

1. Verify the provider's Art.22(1) registration exists and is confirmed
2. Complete your Art.22(3) deployer registration before operational use
3. Document the specific intended purpose within your operational context
4. Establish a monitoring process to verify provider registration remains current

For Infrastructure Providers

Building platforms for high-risk AI deployments:

1. Expose a stable system registration ID in your API that deployer customers can reference
2. Ensure your terms of service permit customers to comply with Art.22(3)
3. Maintain deployment metadata (start/end dates, affected populations) to support deployer registration
4. Consider offering registration compliance tooling as a value-added service for regulated customers

See Also

• EU AI Act Art.21 Cooperation with Competent Authorities: Developer Guide
• EU AI Act Art.20 Corrective Actions & Duty of Information: Developer Guide
• EU AI Act Art.17 Quality Management System: Developer Guide
• EU AI Act Art.12 Logging & Record-Keeping: Developer Guide
• EU AI Act Art.9 Risk Management System: Developer Guide