2026-04-16·12 min read·

EU AI Act Art.32 EU Database of High-Risk AI Systems: Developer Guide (2026)

EU AI Act Article 32 establishes the registration obligation that closes the pre-market compliance chain. Having completed conformity assessment under Art.31, signed the EU Declaration of Conformity under Art.48, and affixed the CE marking under Art.49, providers of high-risk AI systems must now register their system in the EU database for high-risk AI systems before placing it on the EU market or putting it into service.

Art.32 is the final public gate: registration creates an official, auditable record of every high-risk AI system in EU circulation. The EU AI Office publishes the database as a publicly accessible resource — enabling citizens, market surveillance authorities, deployers, and researchers to verify that a system has completed the required compliance journey. Failing to register before market placement exposes providers to fines up to €15 million or 3 % of global annual turnover under Art.99(4)(b).

For developers, Art.32 is both an obligation and an architectural constraint. Registration requires specific data about the system, the provider, and the conformity assessment — data that must be produced during development and documented before launch. Getting this data structure right from day one avoids scrambling to reconstruct it at registration time.

Art.32 in the High-Risk AI Compliance Sequence

Art.32 is the final step in the pre-market chain. It cannot be completed until all preceding steps are done:

Step	Article	What It Requires	Art.32 Dependency
1. Implement requirements	Art.8–15	Technical, data, transparency, oversight, accuracy	Registration data derived from these
2. Quality management system	Art.17	Documented QMS operational	Annex VIII references QMS certificate number
3. Technical documentation	Art.11, Annex IV	Complete Annex IV documentation package	Registration references tech doc version
4. Conformity assessment	Art.31	Annex VI or Annex VII procedure complete	Art.32(3)(c): conformity assessment reference mandatory
5. Declaration of Conformity	Art.48	Provider signs EU Declaration	Art.32(3)(d): declaration reference mandatory
6. CE marking	Art.49	CE marking affixed	Art.32(3) triggered by CE marking completion
7. EU database registration	Art.32	Provider registers before market placement	Gate: system cannot be marketed until registered
8. Post-market obligations	Art.72–73	PMM system active, incident reporting live	Registration number used in incident reports

Art.32 also has a retroactive obligation: if a post-deployment change constitutes a substantial modification under Art.23, the Art.31 re-assessment, Art.48 re-declaration, and Art.32 re-registration must all be completed before the modified system re-enters the market.

Art.32(1)–(5): The Registration Obligations

Art.32(1): Provider Registration Before Market Placement

Providers shall, before placing on the market or putting into service a high-risk AI system listed in Annex III, register themselves and their system in the EU database referred to in Art.71.

The core obligation is absolute and time-locked: registration must happen before market placement. There is no grace period and no provisional placement pending registration. The sequence is register-first, market-second.

Art.32(1) requires two distinct registration acts:

Provider registration — the legal entity (name, registered address, contact, EU authorised representative if non-EU provider) is registered
System registration — the specific high-risk AI system (name, version, purpose, conformity data) is registered as a separate entry linked to the provider registration

For non-EU providers, the obligation to register rests on the EU authorised representative (Art.22) who acts on behalf of the provider. The authorised representative is jointly liable for registration completeness and accuracy.

Art.32(2): Deployer Registration for Certain Government AI Systems

Art.32(2) creates a distinct registration obligation for deployers that are public bodies, EU institutions, or agencies deploying high-risk AI systems in law enforcement, migration, asylum, or border management contexts:

Deployers that are public authorities, Union institutions, bodies, offices or agencies shall register in the EU database. They shall also register any high-risk AI system they use which has not already been registered by a provider.

This is the only situation where a deployer (not a provider) bears a primary registration obligation. Two scenarios trigger deployer registration:

Scenario A: The public body deploys a high-risk AI system that the provider has already registered → the deployer creates a separate deployer registration entry linked to the provider's system registration, describing their specific deployment context
Scenario B: The public body deploys a high-risk AI system that the provider has not registered (e.g., bespoke systems developed in-house for internal use) → the deployer performs the full registration as if acting as provider

For most commercial high-risk AI providers, Art.32(2) is relevant because public body customers have their own registration obligations. Providers should document their system's registration data in a machine-readable format that deployers can reference when fulfilling their Art.32(2) obligation.

Art.32(3): Registration Data Categories (Annex VIII)

Art.32(3) requires that registration data conform to Annex VIII of the EU AI Act. Annex VIII is divided into two parts:

Annex VIII, Part I — Provider Registration Data (mandatory fields):

Field Category	Specific Data Required	Notes
Provider identity	Name, registered address, EU authorised representative (if applicable)	Must match Art.48 Declaration signatory
Contact details	Email address, phone number	Must be reachable by market surveillance authorities
Member States	List of EU Member States where system is placed on market or put into service	Determines which national authorities have jurisdiction
AI system name	Commercial name and any trade name	As appears on CE marking documentation
AI system version	Version identifier of the registered version	Change tracking critical: new version may require re-registration
AI system description	General description of the system and its intended purpose	Plain-language, not technical documentation
Annex III category	Which Annex III point the system falls under	Determines non-public section classification
Intended purpose	Specific intended purpose as defined in Art.13(3)(a)	Must match instructions for use
Status	Placed on market / put into service / withdrawn / recalled	Lifecycle status tracking
Conformity assessment type	Route taken (Annex VI or Annex VII)	With notified body name and certificate number if Annex VII
Declaration of Conformity reference	Date and reference number of Art.48 declaration	Signed declaration must pre-exist registration
Instructions for use	Electronic copy or URL	Art.13(3) compliant instructions
Summary for public	Non-technical summary of capabilities and limitations	Publicly displayed in database

Annex VIII, Part II — Deployer Registration Data (for Art.32(2) cases):

Field	Content
Deployer identity	Name and registered address
Deployer contact	Email address, phone number
Provider system reference	Registration number of provider's system entry
Deployment context	Specific use case, geographic area, user population
Post-market monitoring plan	Reference to deployer's Art.72 PMM documentation

Art.32(4): Non-Public Section — Law Enforcement and Border Management

Art.32(4) creates a non-public section of the EU database for high-risk AI systems in sensitive operational contexts:

For high-risk AI systems referred to in points 1, 6, 7, and 8 of Annex III placed on the market or put into service by providers that are law enforcement, border management, immigration or asylum authorities, or by Union institutions, bodies, offices or agencies, the registration shall be in a secure non-public section of the EU database.

Systems that go into the non-public section:

Annex III Point	Category	Reason for Non-Public
Point 1	Biometric identification (where not prohibited)	Operational security: disclosure could defeat identification capability
Point 6	Law enforcement AI (crime prediction, evidence assessment, criminal profiling)	Operational security: disclosure could allow circumvention
Point 7	Migration, asylum, border control	Operational security + protection of enforcement procedures
Point 8	Justice administration and democratic process AI	Judicial independence and process integrity

Non-public registration data is accessible only to:

The European AI Office
Market surveillance authorities (national level) with jurisdiction over the deploying authority
The Commission
EU oversight bodies (e.g., European Parliament's LIBE Committee)

For commercial providers building systems that could be deployed in law enforcement or border management contexts, the registration route (public vs. non-public) depends on the actual deployer, not the system's inherent capabilities. A risk assessment tool sold commercially goes into the public database; the same tool licensed to a national police force goes into the non-public section.

Art.32(5): Update Obligation When Registration Information Changes

Art.32(5) creates a continuous maintenance obligation on providers and deployers:

Providers and deployers shall without undue delay update the information submitted in the registration in the EU database when there is a change to the information.

"Without undue delay" is not defined numerically in Art.32 — the implementing acts issued by the EU AI Office will specify notification windows. Based on analogous obligations in EU product safety law, expect 3–10 business days as the effective standard for material changes.

Changes that trigger Art.32(5) update obligation:

Change Type	Update Requirement	Art.23 Intersection
Provider contact details changed	Update provider registration entry	No Art.23 impact
Provider name changed (rebranding)	Update provider registration entry	No Art.23 impact if provider legal entity unchanged
System version update (non-substantial modification)	Update system version field	No Art.31 re-assessment required
Substantial modification (Art.23)	Full re-registration required after new Art.31 + Art.48 + Art.49	Art.31 re-assessment mandatory first
System withdrawn from market	Update status field to "withdrawn"	No re-assessment required
System recalled	Update status field to "recalled"; notify market surveillance authorities	Parallel Art.20 recall obligation
New Member State deployment	Add to Member States field	No re-assessment required
Notified body certificate renewal	Update conformity assessment reference	No Art.31 re-assessment if no substantial modification

EU AI Office Database Architecture

The EU database is operated by the European AI Office, established by Commission Decision (EU) 2024/1789. The database is built on the existing EUDAMED (European Database on Medical Devices) infrastructure pattern — a centrally hosted, publicly accessible database with role-based access controls for confidential sections.

Database Architecture Components

EU AI Database (Art.71 / Art.32)
│
├── Public Section
│   ├── Provider Registry
│   │   ├── Provider Profile (legal entity, contact, EU rep)
│   │   └── Provider Compliance History
│   └── System Registry
│       ├── System Entry (name, version, purpose, Annex III category)
│       ├── Conformity Assessment Reference
│       ├── Declaration of Conformity Reference
│       ├── Public Summary (non-technical)
│       └── Status (active / withdrawn / recalled)
│
├── Non-Public Section (Art.32(4))
│   ├── Law enforcement systems (Annex III points 1, 6)
│   ├── Migration/border systems (Annex III point 7)
│   └── Justice/democratic process systems (Annex III point 8)
│       [Access: EU AI Office + national MSAs only]
│
└── Administrative Section
    ├── Market Surveillance Authority Access
    │   ├── Full technical documentation requests
    │   └── Conformity assessment documentation
    └── Notified Body Submissions
        └── QMS certificates and EU-Type Examination Certificates

Registration Workflow: Provider Perspective

Create EU AI Office account — provider registers as a legal entity, obtains provider ID
Complete Art.31 conformity assessment — documentation must exist before registration can begin
Sign Art.48 EU Declaration of Conformity — declaration reference number required for Annex VIII
Affix Art.49 CE marking — CE marking must be done before registration finalised
Submit Annex VIII Part I data — via EU AI Office portal (web form or API submission)
Receive system registration number — unique identifier assigned by EU AI Office
Affix registration number to system documentation, instructions for use, and commercial communications (Art.32(3) implementing regulation will specify exact placement requirements)
Monitor for update obligations — Art.32(5) continuous maintenance

The Art.31 → Art.48 → Art.49 → Art.32 Trigger Chain

Understanding the causal dependencies prevents the common mistake of attempting registration before prerequisites are satisfied:

Art.8–15 Requirements Implemented
        │
        ▼
Art.17 QMS Operational
        │
        ▼
Art.11 / Annex IV Technical Documentation Complete
        │
        ▼
Art.31 Conformity Assessment Procedure Complete
  (Annex VI internal control OR Annex VII notified body)
        │
        ▼
Art.48 EU Declaration of Conformity Signed
  (Provider legal representative signs; references Art.31 procedure)
        │
        ▼
Art.49 CE Marking Affixed
  (Affixed to system, packaging, or accompanying documentation)
        │
        ▼
Art.32 EU Database Registration
  (Annex VIII data submitted; registration number received)
        │
        ▼
Market Placement / Putting Into Service

Critical failure mode: Many providers attempt to start Art.32 registration in parallel with Art.31 assessment to save time. This fails because:

Annex VIII requires the conformity assessment type and notified body reference — impossible to fill without Art.31 completion
Annex VIII requires the Declaration of Conformity reference number — impossible without Art.48 signature
The EU AI Office portal validates these fields as mandatory at submission time

Practical sequencing for Art.31 Annex VI route (fastest path):

Week	Action
1–4	Complete technical documentation (Annex IV), run technical testing
5–6	Complete Internal Assessment Report (Art.31 Annex VI)
7	Sign EU Declaration of Conformity (Art.48)
7	Affix CE marking (Art.49)
8	Submit EU database registration (Art.32)
8	Market placement legally authorised

For Annex VII route (notified body), add 6–18 months for notified body queue and assessment before week 7.

Registration Timeline: August 2026

The EU AI Act's Annex III high-risk AI provisions apply from 2 August 2026. This is the date by which:

All existing high-risk AI systems already on the market must complete retroactive compliance (Art.8–17 requirements, conformity assessment, and EU database registration)
New high-risk AI systems from this date must register before market placement

Timeline pressure for teams building Annex III AI systems in 2026:

Month	Milestone
April 2026	EU AI Office database portal opens for early registration submissions (Commission target)
May–June 2026	Registration queue builds; EU AI Office processing time estimated 5–15 business days
July 2026	Deadline to initiate registration for systems targeting August 2026 market entry
2 August 2026	Regulation fully applicable. Unregistered Annex III systems cannot be marketed.
Post-August 2026	New systems: register before market placement. Existing systems: retroactive registration complete.

For teams with Annex VII (notified body) systems, the 6–18 month notified body queue means Art.31 engagement should have started no later than February 2025 for August 2026 market entry.

CLOUD Act × Registration Data: The Jurisdiction Risk

EU database registration data itself is stored by the EU AI Office on EU infrastructure — the registration entry in the database is safe by definition. But the underlying documentation that registration references — and which must be produced on request by market surveillance authorities — is where CLOUD Act jurisdiction risk materialises.

What Registration References That Market Surveillance Authorities Can Demand

Under Art.21, market surveillance authorities can demand access to:

The full Annex IV technical documentation package (referenced in the registration)
The Art.31 Internal Assessment Report or Annex VII notified body certificate
The Art.48 EU Declaration of Conformity
The Art.17 QMS documentation
The Art.72 PMM plan and records
The Art.12 log records generated during operation

If this documentation is stored on US-headquartered cloud infrastructure — AWS, Azure, GCP, or any US-parent-controlled provider — the CLOUD Act (18 U.S.C. § 2523) allows US law enforcement to compel the US provider to produce the documentation regardless of where the data is physically stored.

The consequence: A market surveillance authority in Germany demands access to your Annex IV technical documentation. The documentation is stored on AWS (US parent). Simultaneously, US DOJ could have a separate CLOUD Act compulsion order for the same data. Two jurisdictions, two demand chains, two sets of disclosure obligations — with no EU judicial oversight of the US compulsion.

For high-risk AI developers: EU-native infrastructure (Hetzner, Scaleway, OVHcloud, sota.io) creates single-jurisdiction storage for all documentation referenced in the EU database registration. Market surveillance authority access is straightforward: EU law, EU courts, EU data. No CLOUD Act exposure.

This is particularly acute for systems in sensitive categories (healthcare, employment, education) where the technical documentation contains personal data about training set subjects — GDPR Article 46 transfer restrictions apply on top of CLOUD Act concerns.

Python Implementation

`HighRiskAIRegistrationRecord`: Annex VIII Data Model

from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional
import json


class AnnexIIICategory(str, Enum):
    BIOMETRIC_ID = "annex_iii_point_1"
    CRITICAL_INFRA = "annex_iii_point_2"
    EDUCATION = "annex_iii_point_3"
    EMPLOYMENT = "annex_iii_point_4"
    ESSENTIAL_SERVICES = "annex_iii_point_5"
    LAW_ENFORCEMENT = "annex_iii_point_6"
    MIGRATION_BORDER = "annex_iii_point_7"
    JUSTICE_DEMOCRACY = "annex_iii_point_8"


class ConformityAssessmentRoute(str, Enum):
    ANNEX_VI_INTERNAL = "annex_vi_internal_control"
    ANNEX_VII_NOTIFIED_BODY = "annex_vii_notified_body"


class RegistrationSection(str, Enum):
    PUBLIC = "public"
    NON_PUBLIC = "non_public"


NON_PUBLIC_CATEGORIES = {
    AnnexIIICategory.BIOMETRIC_ID,
    AnnexIIICategory.LAW_ENFORCEMENT,
    AnnexIIICategory.MIGRATION_BORDER,
    AnnexIIICategory.JUSTICE_DEMOCRACY,
}


@dataclass
class ProviderRegistrationData:
    """Annex VIII Part I — Provider identity fields."""
    legal_name: str
    registered_address: str
    contact_email: str
    contact_phone: str
    eu_authorised_representative: Optional[str] = None  # Required for non-EU providers
    member_states_of_deployment: list[str] = field(default_factory=list)


@dataclass
class SystemRegistrationData:
    """Annex VIII Part I — System-specific registration fields."""
    commercial_name: str
    version_identifier: str
    annex_iii_category: AnnexIIICategory
    intended_purpose: str  # Must match Art.13(3)(a) instructions for use
    description: str  # Non-technical general description
    conformity_assessment_route: ConformityAssessmentRoute
    declaration_of_conformity_reference: str  # Art.48 declaration ref number
    declaration_date: date
    notified_body_name: Optional[str] = None  # Required for Annex VII route
    notified_body_certificate_number: Optional[str] = None
    instructions_for_use_url: Optional[str] = None
    public_summary: str = ""  # Non-technical summary displayed publicly


@dataclass
class HighRiskAIRegistrationRecord:
    """
    Complete EU database registration record for a high-risk AI system.
    Implements Annex VIII Part I + Art.32 registration lifecycle.
    """
    provider: ProviderRegistrationData
    system: SystemRegistrationData
    registration_date: Optional[date] = None
    registration_number: Optional[str] = None  # Assigned by EU AI Office after submission
    status: str = "pending_submission"  # pending_submission | submitted | active | withdrawn | recalled

    def registration_section(self) -> RegistrationSection:
        """Determine public vs non-public section based on Annex III category."""
        if self.system.annex_iii_category in NON_PUBLIC_CATEGORIES:
            return RegistrationSection.NON_PUBLIC
        return RegistrationSection.PUBLIC

    def prerequisites_complete(self) -> dict[str, bool]:
        """
        Verify Art.31 → Art.48 → Art.49 prerequisites before registration submission.
        All must be True before calling submit().
        """
        return {
            "art_31_conformity_assessment": (
                self.system.conformity_assessment_route is not None
                and (
                    self.system.conformity_assessment_route == ConformityAssessmentRoute.ANNEX_VI_INTERNAL
                    or (
                        self.system.notified_body_name is not None
                        and self.system.notified_body_certificate_number is not None
                    )
                )
            ),
            "art_48_declaration_of_conformity": bool(
                self.system.declaration_of_conformity_reference
                and self.system.declaration_date
            ),
            "art_49_ce_marking": True,  # Developer attests CE marking affixed; not machine-verifiable
            "provider_contact_complete": bool(
                self.provider.contact_email and self.provider.contact_phone
            ),
            "eu_rep_if_non_eu": (
                True  # Override with actual non-EU check in production
            ),
            "member_states_specified": len(self.provider.member_states_of_deployment) > 0,
            "public_summary_present": len(self.system.public_summary) >= 50,
        }

    def ready_for_submission(self) -> bool:
        return all(self.prerequisites_complete().values())

    def to_annex_viii_dict(self) -> dict:
        """Serialise to Annex VIII Part I registration data format."""
        return {
            "provider": {
                "legal_name": self.provider.legal_name,
                "registered_address": self.provider.registered_address,
                "contact_email": self.provider.contact_email,
                "contact_phone": self.provider.contact_phone,
                "eu_authorised_representative": self.provider.eu_authorised_representative,
                "member_states_of_deployment": self.provider.member_states_of_deployment,
            },
            "system": {
                "commercial_name": self.system.commercial_name,
                "version_identifier": self.system.version_identifier,
                "annex_iii_category": self.system.annex_iii_category.value,
                "intended_purpose": self.system.intended_purpose,
                "description": self.system.description,
                "conformity_assessment_route": self.system.conformity_assessment_route.value,
                "notified_body_name": self.system.notified_body_name,
                "notified_body_certificate_number": self.system.notified_body_certificate_number,
                "declaration_of_conformity_reference": self.system.declaration_of_conformity_reference,
                "declaration_date": self.system.declaration_date.isoformat(),
                "instructions_for_use_url": self.system.instructions_for_use_url,
                "public_summary": self.system.public_summary,
            },
            "registration_section": self.registration_section().value,
            "status": self.status,
        }

    def to_json(self) -> str:
        return json.dumps(self.to_annex_viii_dict(), indent=2)

`RegistrationSubmissionManager`: Pre-Market Registration Workflow

from dataclasses import dataclass, field
from datetime import date, datetime
from typing import Optional
import logging

logger = logging.getLogger(__name__)


@dataclass
class SubmissionAttempt:
    timestamp: datetime
    outcome: str  # "submitted" | "rejected" | "validation_error"
    error_details: Optional[str] = None
    registration_number_received: Optional[str] = None


class RegistrationSubmissionManager:
    """
    Manages the Art.32 registration submission lifecycle.
    Enforces pre-market gate: market placement is blocked until registration active.
    """

    def __init__(self, record: "HighRiskAIRegistrationRecord"):
        self.record = record
        self.attempts: list[SubmissionAttempt] = []
        self._market_placement_authorised: bool = False

    def validate_submission_readiness(self) -> list[str]:
        """Return list of blocking issues. Empty list = ready to submit."""
        issues = []
        prereqs = self.record.prerequisites_complete()
        for prereq, satisfied in prereqs.items():
            if not satisfied:
                issues.append(f"MISSING PREREQUISITE: {prereq}")
        return issues

    def submit_to_eu_database(self, submission_api_client=None) -> bool:
        """
        Submit Annex VIII data to EU AI Office registration portal.
        In production: calls EU AI Office API with to_annex_viii_dict().
        Returns True if registration accepted and registration number received.
        """
        issues = self.validate_submission_readiness()
        if issues:
            logger.error("Registration submission blocked: %s", issues)
            self.attempts.append(SubmissionAttempt(
                timestamp=datetime.utcnow(),
                outcome="validation_error",
                error_details="; ".join(issues),
            ))
            return False

        try:
            # Production implementation:
            # response = submission_api_client.post(
            #     "/v1/registrations",
            #     json=self.record.to_annex_viii_dict(),
            # )
            # registration_number = response.json()["registration_number"]

            # Simulation for development:
            registration_number = f"EU-AI-{date.today().year}-{id(self.record):08x}"
            self.record.registration_number = registration_number
            self.record.registration_date = date.today()
            self.record.status = "active"
            self._market_placement_authorised = True

            logger.info(
                "Registration successful: %s → %s",
                self.record.system.commercial_name,
                registration_number,
            )
            self.attempts.append(SubmissionAttempt(
                timestamp=datetime.utcnow(),
                outcome="submitted",
                registration_number_received=registration_number,
            ))
            return True

        except Exception as exc:
            logger.error("Registration submission failed: %s", exc)
            self.attempts.append(SubmissionAttempt(
                timestamp=datetime.utcnow(),
                outcome="rejected",
                error_details=str(exc),
            ))
            return False

    def market_placement_gate_check(self) -> tuple[bool, str]:
        """
        Art.32 gate: call this before any market placement action.
        Returns (authorised: bool, reason: str).
        """
        if self._market_placement_authorised and self.record.status == "active":
            return True, f"Registration {self.record.registration_number} active — market placement authorised"
        if self.record.status == "withdrawn":
            return False, "System withdrawn from EU database — market placement prohibited"
        if self.record.status == "recalled":
            return False, "System recalled — market placement prohibited until registration reinstated"
        return False, f"Registration not active (status: {self.record.status}) — market placement prohibited until Art.32 registration complete"

    def trigger_update(self, change_type: str, change_description: str) -> dict:
        """
        Art.32(5) update obligation handler.
        Returns action required: "update_only" or "full_re_registration".
        """
        SUBSTANTIAL_MODIFICATION_TRIGGERS = {
            "model_architecture_change",
            "intended_purpose_change",
            "training_data_fundamental_change",
            "risk_level_increase",
        }

        action = (
            "full_re_registration"
            if change_type in SUBSTANTIAL_MODIFICATION_TRIGGERS
            else "update_registration_entry"
        )

        return {
            "change_type": change_type,
            "description": change_description,
            "action_required": action,
            "art_23_triggered": action == "full_re_registration",
            "art_31_reassessment_required": action == "full_re_registration",
            "deadline": "without_undue_delay",
        }

`DatabaseQueryTracker`: Registration Status and Compliance Monitoring

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional


@dataclass
class RegistrationStatusSnapshot:
    system_name: str
    registration_number: str
    status: str
    registration_date: date
    last_update: date
    section: str  # "public" | "non_public"
    member_states: list[str]
    version: str


class DatabaseQueryTracker:
    """
    Tracks registration status queries and compliance monitoring obligations.
    Useful for providers managing multiple registered systems or
    deployers verifying provider registration before procurement.
    """

    def __init__(self):
        self._tracked_systems: dict[str, RegistrationStatusSnapshot] = {}
        self._query_log: list[dict] = []

    def register_system_for_tracking(self, snapshot: RegistrationStatusSnapshot) -> None:
        self._tracked_systems[snapshot.registration_number] = snapshot
        self._log_query("system_registered_for_tracking", snapshot.registration_number)

    def verify_provider_registration(self, registration_number: str) -> dict:
        """
        Deployer due-diligence check before procurement.
        Verifies provider registration status in EU database.
        In production: queries EU AI Office public API.
        """
        self._log_query("provider_registration_verify", registration_number)
        snapshot = self._tracked_systems.get(registration_number)
        if not snapshot:
            return {
                "registration_number": registration_number,
                "verified": False,
                "reason": "Registration number not found in EU database",
            }
        return {
            "registration_number": registration_number,
            "verified": snapshot.status == "active",
            "status": snapshot.status,
            "system_name": snapshot.system_name,
            "registration_date": snapshot.registration_date.isoformat(),
            "member_states_covered": snapshot.member_states,
            "database_section": snapshot.section,
        }

    def check_update_obligation_due(self, registration_number: str, last_reviewed: date) -> dict:
        """
        Art.32(5): Check whether any pending update obligation exists.
        In production: compares internal change log against registration data.
        """
        snapshot = self._tracked_systems.get(registration_number)
        if not snapshot:
            return {"error": f"System {registration_number} not tracked"}

        days_since_update = (date.today() - last_reviewed).days
        return {
            "registration_number": registration_number,
            "last_registration_update": snapshot.last_update.isoformat(),
            "days_since_internal_review": days_since_update,
            "review_recommended": days_since_update > 90,
            "status": snapshot.status,
        }

    def list_registrations_by_status(self, status: str) -> list[RegistrationStatusSnapshot]:
        return [s for s in self._tracked_systems.values() if s.status == status]

    def compliance_dashboard(self) -> dict:
        systems = list(self._tracked_systems.values())
        return {
            "total_tracked": len(systems),
            "active": sum(1 for s in systems if s.status == "active"),
            "withdrawn": sum(1 for s in systems if s.status == "withdrawn"),
            "recalled": sum(1 for s in systems if s.status == "recalled"),
            "pending": sum(1 for s in systems if s.status == "pending_submission"),
            "public_section": sum(1 for s in systems if s.section == "public"),
            "non_public_section": sum(1 for s in systems if s.section == "non_public"),
        }

    def _log_query(self, query_type: str, reference: str) -> None:
        self._query_log.append({
            "timestamp": date.today().isoformat(),
            "query_type": query_type,
            "reference": reference,
        })

Art.32 Compliance Checklist (40 Items)

Prerequisites Verification (8 items)

1. Confirmed system is in Annex III scope (not excluded by Art.6(3) or Art.6(4))
2. Art.31 conformity assessment procedure completed (Annex VI or Annex VII)
3. Art.48 EU Declaration of Conformity signed by legal representative
4. Art.49 CE marking affixed to system, packaging, or accompanying documentation
5. Art.17 QMS operational with documented procedures
6. Art.11 / Annex IV technical documentation complete and version-controlled
7. Art.13(3) instructions for use complete
8. Art.72 post-market monitoring plan drafted

Provider Registration Data — Annex VIII Part I (10 items)

9. Provider legal name matches Art.48 Declaration of Conformity signatory
10. Provider registered address current and accurate
11. Contact email monitored and responsive to EU AI Office communications
12. Contact phone number current
13. EU authorised representative designated and registered if provider is non-EU
14. All EU Member States where system will be marketed/deployed listed
15. Annex III category correctly identified (point 1–8)
16. Registration section determined: public (points 2–5) or non-public (points 1, 6–8)
17. Version identifier of the registered system version documented
18. Intended purpose stated exactly as in Art.13(3)(a) instructions for use

System Registration Data (8 items)

19. Commercial name of system as it appears on CE marking documentation
20. Non-technical description of capabilities accurate and complete
21. Conformity assessment route specified (Annex VI or Annex VII)
22. If Annex VII: notified body name and certificate number entered
23. Art.48 Declaration of Conformity reference number and date entered
24. Instructions for use URL current and publicly accessible
25. Public summary written (non-technical, ≥50 words, suitable for public transparency)
26. System registration record validated via prerequisites_complete() — all True

Submission and Activation (6 items)

27. EU AI Office registration portal account created
28. Annex VIII Part I data submitted via portal or API
29. Registration number received from EU AI Office
30. Registration status confirmed as "active" in EU database
31. Registration number added to instructions for use and commercial documentation
32. market_placement_gate_check() returns authorised before market placement proceeds

Deployer Registration (if Art.32(2) applies) (3 items)

33. Confirmed whether deployer is a public body / EU institution triggering Art.32(2)
34. If Art.32(2): deployer registration entry created in EU database
35. Provider registration number referenced in deployer registration

Ongoing Obligations (5 items)

36. Art.32(5) update workflow implemented: change events trigger trigger_update() review
37. Internal change log maintained to detect Art.32(5) update triggers
38. System withdrawal procedure documented: update status to "withdrawn" without undue delay
39. Substantial modification detection integrated with CI/CD pipeline → blocks deployment if Art.23 triggered without re-registration
40. Annual Art.32 compliance review scheduled: verify all registration fields current

What to Do Now

If you are building an Annex III high-risk AI system for August 2026 market entry: Start the Art.31 conformity assessment now. Art.32 registration requires Art.31 completion, Art.48 signature, and Art.49 CE marking — all of which take weeks for Annex VI (internal control) or months for Annex VII (notified body). Registration itself takes 5–15 business days at EU AI Office. Add buffer for portal onboarding and data validation errors: plan for 10 weeks total from Art.31 start to registration active.

If you are using third-party high-risk AI systems as a deployer: Before procurement, verify provider registration in the EU database. The DatabaseQueryTracker.verify_provider_registration() method provides the structure for integrating EU AI Office API queries into procurement due diligence. An unregistered system cannot be legally deployed in the EU from August 2026.

If you are a public body deploying high-risk AI: Review Art.32(2) — your own registration obligations apply alongside the provider's. For systems in law enforcement, border management, or migration contexts, your registration goes into the non-public section, but the obligation to register still applies.

If you need to store registration-referenced documentation: Evaluate infrastructure jurisdiction before selecting a storage provider for Annex IV technical documentation, QMS records, and Art.31 assessment reports. These are the documents market surveillance authorities request after finding a system in the EU database. Storing them on EU-native infrastructure (German GmbH operator, EU data centers, no US parent) eliminates CLOUD Act dual-jurisdiction exposure and simplifies Art.21 cooperation with national market surveillance authorities.