EU AI Act Art.48 EU Declaration of Conformity: Provider Obligations — Developer Guide (2026)
EU AI Act Article 48 is where a high-risk AI system provider makes it official: by drawing up a written EU declaration of conformity (DoC), the provider formally asserts that the system complies with the Regulation and assumes sole responsibility for that claim. The DoC is not a bureaucratic formality — it is the legally binding document that authorises CE marking, enables EU database registration, and triggers the provider's liability exposure under the EU AI Liability Directive.
For SaaS developers building high-risk Annex III AI systems, Art.48 is the culmination of the conformity assessment process: after completing Art.43 assessment (either Annex VI internal control or Annex VII notified body), the provider draws up the DoC before placing the system on the market. For Track 1 systems (Annex VI self-certification), the DoC is drawn up based on the internal assessment. For Track 2 systems (Annex VII notified body), the DoC references the Art.44 certificate of conformity.
The practical stakes of Art.48 are high. A DoC that is incomplete, contains inaccurate statements, or covers a system version that has undergone substantial modification is not just a compliance gap — it is the primary document market surveillance authorities will examine first. Authorities have the right to request the DoC under Art.74, and a defective DoC is direct evidence of non-compliance.
Art.48 in the Conformity Chain
Art.48 occupies a central position in the conformity chain — downstream from assessment, upstream from market placement:
| Step | Article | Actor | Output |
|---|---|---|---|
| Risk Management | Art.9 | Provider | Risk management file |
| Technical Documentation | Annex IV | Provider | Technical documentation package |
| Quality Management System | Art.17 | Provider | QMS documentation |
| Conformity Assessment | Art.43 | Provider ± notified body | Assessment completion (Track 1 or Track 2) |
| Certificate of Conformity | Art.44 | Notified body | Certificate (Track 2 / Annex VII only) |
| EU Declaration of Conformity | Art.48 | Provider | Written DoC — prerequisite for CE marking |
| CE Marking | Art.49 | Provider | CE affixed to system or documentation |
| EU Database Registration | Art.32 | Provider | Public registration before market placement |
| Market Placement / Service Entry | Art.16 | Provider | System available to deployers |
The DoC is the bridge between the provider's internal compliance work and the public-facing market placement obligations. It cannot exist without a completed Art.43 assessment; everything after it (CE marking, EU database registration) depends on it.
Art.48(1): The Core Obligation
Art.48(1) establishes the provider's fundamental obligation: for each high-risk AI system, the provider shall draw up a written EU declaration of conformity before placing the system on the market or putting it into service. The DoC must be:
- Written — no oral declarations, no implicit conformity assertions
- Per-system — a single DoC cannot cover multiple AI systems unless they share an identical scope and intended purpose
- Kept at disposal — available to national competent authorities for 10 years after the system was placed on the market or put into service (Art.18 record-keeping obligation cross-reference)
- Kept up to date — the DoC must reflect the current version of the system; a system that has undergone substantial modification under Art.3(23) requires a new DoC
"Placing on the market" under the AI Act means making the system available on the EU market for the first time, whether for payment or free of charge. "Putting into service" covers deployment directly by the provider for a specific intended purpose without prior market placement (e.g., internal deployment of a high-risk AI system within a regulated process).
Provider identity: The DoC is drawn up by the legal entity that qualifies as the "provider" under Art.3(3) — the entity that develops or has an AI system developed and places it on the market or puts it into service under its own name or trademark, whether for payment or free of charge.
Art.48(2): Mandatory Content
Art.48(2) specifies the minimum elements that the EU declaration of conformity must contain. Every element is mandatory — an incomplete DoC is a non-compliant DoC.
| # | Element | What Is Required |
|---|---|---|
| 1 | Provider identity | Name and address of the provider, or — where applicable — their authorised representative established in the EU |
| 2 | Sole responsibility statement | Explicit declaration that the EU DoC is issued under the sole responsibility of the provider |
| 3 | System identification | Name, version, type, serial number (if applicable), and any other unambiguous information enabling unique identification of the AI system |
| 4 | Authorised representative | Name and address of the authorised representative, if Art.22 applies (provider not established in EU) |
| 5 | Compliance statement | Statement that the AI system is in conformity with this Regulation (Regulation (EU) 2024/1689) and, where applicable, with other relevant Union harmonisation legislation |
| 6 | Conformity assessment reference | Reference to the conformity assessment procedure followed: Annex VI (internal control) or Annex VII (notified body) |
| 7 | Harmonised standards | References to harmonised standards applied under Art.40, including standard identifiers and version numbers |
| 8 | Common specifications | References to common specifications applied under Art.41, if any |
| 9 | Notified body reference | If Annex VII assessment: name of notified body and its NANDO identification number |
| 10 | Art.44 certificate reference | If Annex VII assessment: reference number and issue date of the Art.44 certificate of conformity |
| 11 | Other Union legislation | References to other Union harmonisation legislation applied (e.g., MDR 2017/745, Machinery Regulation 2023/1230) |
| 12 | Place and date of issue | Location and date on which the declaration was drawn up |
| 13 | Authorised signatory | Name, function, and signature of the person authorised to sign the declaration on behalf of the provider |
Practical notes on mandatory content:
- System identification (Element 3) is the most operationally sensitive element. The version identifier must match the exact version that was assessed under Art.43. If a patch or model update changes the system after the DoC is drawn up, the provider must determine whether this constitutes a substantial modification under Art.3(23) — if so, a new DoC is required.
- Harmonised standards (Element 7) must include version numbers and publication dates, not just standard titles. Standards are periodically updated, and an outdated standard reference in the DoC signals to market surveillance that the system may not reflect current requirements.
- Sole responsibility statement (Element 2) is not boilerplate — it is an affirmative legal assumption of liability. Under the AI Liability Directive (AILD), this statement is direct evidence that the entity drawing up the DoC is the responsible party for harm attributable to non-compliance.
- Notified body reference (Elements 9-10) applies only to Track 2 / Annex VII systems. Track 1 / Annex VI self-certification DoCs leave elements 9-10 as "not applicable."
Art.48(3): Simplified Declaration for Annex I Products
Art.48(3) addresses the case where a high-risk AI system is also a regulated product covered by Annex I Union harmonisation legislation — for example, a medical device covered by MDR 2017/745, a machinery safety component under Regulation 2023/1230, or an aviation system under EASA regulations.
Two options for Annex I product providers:
Option A — Single combined EU declaration of conformity: The provider may draw up a single document that serves as both the EU AI Act declaration of conformity and the declaration of conformity under the relevant Annex I legislation. The single document must contain all mandatory elements for both pieces of legislation. This reduces paperwork but requires careful structuring to ensure all elements are covered.
Option B — Separate declarations with cross-reference: The provider draws up separate declarations — one under the AI Act (Art.48) and one under the Annex I legislation (e.g., MDR Article 19 DoC) — with each referencing the other. This approach is cleaner administratively and reduces the risk that changes to one declaration's requirements invalidate the combined document.
| Consideration | Single Combined DoC | Separate DoCs with Cross-Reference |
|---|---|---|
| Administrative simplicity | High | Lower (two documents) |
| Risk of version mismatch | Higher (one update affects all) | Lower (independent versioning) |
| Regulatory change exposure | Higher | Lower |
| Notified body complexity | Requires alignment of NB scopes | Independent NB scope per legislation |
| Best for | Simple embedded AI systems | Complex multi-regulated systems |
Key design principle: Whichever option is chosen, the DoC must clearly identify all applicable legislation and the conformity assessment procedures followed under each. A DoC that references the AI Act but is silent on MDR compliance for a medical AI system is defective under both regimes.
Art.48(4): Provider Responsibility
Art.48(4) contains the most consequential statement in the entire Article: by drawing up the EU declaration of conformity, the provider assumes responsibility for compliance with this Regulation.
This is not a procedural technicality — it is the mechanism by which the EU AI Act allocates legal responsibility. Before Art.48(4) existed as a concept, there was a compliance gap: a system could be assessed as compliant, certified, and CE-marked without any single entity explicitly taking legal ownership of that compliance assertion.
Art.48(4) closes that gap. The moment a provider draws up the DoC, they become the legally responsible entity for:
- Ongoing compliance of the AI system with the requirements of the AI Act
- Accuracy of all statements in the DoC (including system version, conformity assessment procedure, and harmonised standards referenced)
- Updating the DoC when the system changes in a way that affects the conformity assertion
- Drawing up a new DoC when substantial modification under Art.3(23) occurs
Consequences of a defective DoC under Art.48(4):
| Defect | Consequence |
|---|---|
| DoC missing mandatory element under Art.48(2) | Non-compliance with Art.48 — market surveillance authority can order correction or market withdrawal |
| DoC references incorrect system version | Misrepresentation of conformity — potential Art.99 administrative fine |
| DoC not updated after substantial modification | Provider in breach of Art.48 obligation — system on market without valid DoC |
| DoC drawn up without completed Art.43 assessment | Non-compliance — no valid conformity assessment basis |
| DoC signed by person without authority | Invalid declaration — sole responsibility cannot be assumed by an unauthorised signatory |
Art.48 Intersection Matrix
| Article | Relationship to Art.48 |
|---|---|
| Art.9 | Risk management file is prerequisite evidence supporting DoC conformity assertion |
| Art.11 / Annex IV | Technical documentation underpins the DoC — must be consistent with DoC version reference |
| Art.17 | QMS documented before DoC can be drawn up for Track 1 systems |
| Art.23 | Provider obligations include drawing up DoC and keeping it updated |
| Art.3(23) | Substantial modification — triggers requirement for new DoC (new version, new assessment) |
| Art.43 | Conformity assessment is the prerequisite: DoC drawn up after Art.43 completion |
| Art.44 | Track 2 only: DoC references the Art.44 certificate of conformity (Elements 9 + 10) |
| Art.49 | CE marking is affixed after DoC is drawn up — CE marking is illegal without valid DoC |
| Art.32 | EU database registration requires DoC reference — must be completed before market placement |
| Art.18 | Record-keeping: DoC must be retained for 10 years after market placement/service entry |
| Art.22 | Authorised representative: if provider not EU-established, Art.22 authorised rep's details appear in DoC |
| Art.48(3) | Annex I legislation: simplified or combined DoC option for embedded product systems |
| Art.74 | Market surveillance: national authorities can demand DoC access — provider must produce it within defined timeframes |
| Art.99 | Administrative fines: incorrect DoC is sanctionable — penalties up to €15M or 3% global turnover |
Drawing Up the DoC in Practice
Step-by-Step Process
Before drawing up the DoC, verify prerequisites:
- Art.9 risk management file is complete and signed off
- Annex IV technical documentation is complete, current, and version-matched to the system being declared
- Art.17 QMS is documented and operational
- Art.43 conformity assessment is complete:
  - Track 1: Annex VI internal control procedure has been executed
  - Track 2: Annex VII assessment with notified body is complete and Art.44 certificate has been issued
- Any applicable harmonised standards (Art.40) or common specifications (Art.41) have been applied and documented
Drawing up the DoC:
- Use the template structure required by Art.48(2) — populate all 13 elements
- Identify the exact system version (name + version number + date) that is being declared
- Reference the Art.43 procedure used: "Annex VI (Internal Control) as specified in Annex VI to Regulation (EU) 2024/1689"
- For Track 2 systems: add notified body name, NANDO number, certificate reference number, and issue date
- List all harmonised standards applied with their full identifiers (EN XXXX:YYYY)
- List any common specifications applied
- List any other Union harmonisation legislation the system is compliant with (MDR, Machinery, etc.)
- Have an authorised signatory (with delegated authority documented in the QMS) sign the declaration
- Record place and date
After drawing up the DoC:
- Affix CE marking per Art.49
- Register in EU database per Art.32 (before market placement)
- File DoC with technical documentation and QMS (Art.18 retention: 10 years)
- Establish version control — DoC version number should track system version number
Common Mistakes to Avoid
| Mistake | Why It Matters |
|---|---|
| DoC version not pinned to exact system version | Next system update may not be covered — DoC becomes invalid for the deployed version |
| Harmonised standards listed without version numbers | Auditors cannot verify which standard version was applied — presumption of conformity (Art.40) may not apply |
| Signatory lacks documented authority | DoC's "sole responsibility" assertion may be legally invalid |
| DoC not updated after patch release | If patch is substantial modification under Art.3(23), current DoC is a misrepresentation |
| DoC kept only as email attachment | Art.18 requires structured retention for 10 years accessible to competent authorities |
| Missing Annex I legislation reference | For embedded AI systems, omitting the relevant Annex I legislation reference leaves compliance chain incomplete |
CLOUD Act × Art.48 Declaration of Conformity
The EU declaration of conformity is a foundational compliance document. It is, in one sense, the most important document in a provider's AI Act compliance file — it is the public-facing conformity assertion, the document that market surveillance authorities request first, and the document that the EU AI Liability Directive and national product liability laws will reference in enforcement proceedings.
When this document — and the underlying technical documentation, QMS records, conformity assessment reports, and Art.44 certificates that support it — is stored on infrastructure subject to US jurisdiction, it becomes potentially subject to the CLOUD Act (18 U.S.C. § 2713).
The dual-access scenario for Art.48 records:
| Document | EU AI Act Regime | CLOUD Act Risk (US-hosted) |
|---|---|---|
| Art.48 EU Declaration of Conformity | Art.74: authorities can demand disclosure | Compellable by US authorities (CLOUD Act) |
| Annex IV Technical Documentation | Art.74: authorities can demand access | Compellable if stored on US cloud |
| Art.43 conformity assessment records | Art.74: market surveillance access | Compellable if stored on US cloud |
| Art.44 certificate of conformity | Provider must retain; authorities can request | Compellable if stored on US cloud |
| Art.17 QMS records | Market surveillance access (Art.74) | Compellable if stored on US cloud |
Conflict of law scenario: A US authority issues a CLOUD Act order compelling disclosure of a provider's technical documentation (Annex IV) stored on a US-owned cloud infrastructure. Simultaneously, an EU market surveillance authority has requested access under Art.74 as part of a conformity assessment proceeding. The provider must comply with both — but the US compelled disclosure may include information that the EU authority's proceeding has not yet considered, creating an asymmetric disclosure situation with potential litigation consequences in both jurisdictions.
EU-native PaaS infrastructure eliminates the CLOUD Act vector. When the provider's Art.48 DoC, supporting Annex IV documentation, QMS records, and Art.43 assessment records are stored on EU-incorporated, EU-operated infrastructure without US-law connections, only EU authorities have access rights — the legal access regime is singular. This is directly relevant to providers building AI systems for regulated markets (finance, healthcare, critical infrastructure) where documentation confidentiality during regulatory proceedings has material consequences.
For providers subject to Art.48 — which means all high-risk AI system providers — infrastructure jurisdiction for compliance records is an active compliance consideration, not a theoretical one.
Python Implementation
1. DeclarationOfConformity — Complete DoC Record
```python
from dataclasses import dataclass, field
from datetime import date
from enum import Enum
from typing import Optional
import json


class ConformityAssessmentTrack(Enum):
    TRACK_1_ANNEX_VI = "annex_vi_internal_control"
    TRACK_2_ANNEX_VII = "annex_vii_notified_body"


class DoCStat(Enum):
    DRAFT = "draft"
    VALID = "valid"
    SUPERSEDED = "superseded"  # replaced by new DoC after substantial modification
    WITHDRAWN = "withdrawn"  # system withdrawn from market


@dataclass
class NotifiedBodyReference:
    name: str
    nando_number: str
    certificate_reference_number: str
    certificate_issue_date: date


@dataclass
class HarmonisedStandard:
    identifier: str  # e.g., "EN ISO/IEC 27001:2022"
    title: str
    date_applied: date


@dataclass
class DeclarationOfConformity:
    # Art.48(2)(a): Provider identity
    provider_name: str
    provider_address: str
    # Art.48(2)(b): Sole responsibility statement
    sole_responsibility_confirmed: bool  # must be True
    # Art.48(2)(c): System identification
    system_name: str
    system_version: str
    system_type: str
    serial_number: Optional[str]
    # Art.48(2)(e): Conformity statement
    regulation_reference: str = "Regulation (EU) 2024/1689"
    # Art.48(2)(f): Conformity assessment procedure
    assessment_track: ConformityAssessmentTrack = ConformityAssessmentTrack.TRACK_1_ANNEX_VI
    # Art.48(2)(g): Harmonised standards
    harmonised_standards: list[HarmonisedStandard] = field(default_factory=list)
    # Art.48(2)(h): Common specifications
    common_specifications: list[str] = field(default_factory=list)
    # Art.48(2)(i)+(j): Notified body reference (Track 2 only)
    notified_body: Optional[NotifiedBodyReference] = None
    # Art.48(2)(k): Other Union legislation
    other_union_legislation: list[str] = field(default_factory=list)
    # Art.48(2)(l): Place and date of issue
    place_of_issue: str = ""
    date_of_issue: date = field(default_factory=date.today)
    # Art.48(2)(m): Authorised signatory
    signatory_name: str = ""
    signatory_function: str = ""
    signatory_date: Optional[date] = None
    # Art.48(3): Annex I legislation and simplified declaration
    annex_i_legislation: Optional[str] = None  # e.g., "Regulation (EU) 2017/745 (MDR)"
    simplified_declaration: bool = False
    full_doc_location: Optional[str] = None  # URL or path for simplified declarations
    # Document status tracking
    doc_version: str = "1.0"
    status: DoCStat = DoCStat.DRAFT
    superseded_by: Optional[str] = None  # reference to replacement DoC

    def validate_mandatory_elements(self) -> list[str]:
        """Validate all Art.48(2) mandatory elements are present."""
        errors = []
        if not self.provider_name or not self.provider_address:
            errors.append("Art.48(2)(a): Provider name and address required")
        if not self.sole_responsibility_confirmed:
            errors.append("Art.48(2)(b): Sole responsibility statement must be confirmed")
        if not self.system_name or not self.system_version:
            errors.append("Art.48(2)(c): System name and version required for unique identification")
        if not self.regulation_reference:
            errors.append("Art.48(2)(e): Regulation reference required in compliance statement")
        if self.assessment_track == ConformityAssessmentTrack.TRACK_2_ANNEX_VII:
            if not self.notified_body:
                errors.append("Art.48(2)(i)+(j): Notified body reference required for Track 2")
        if not self.place_of_issue:
            errors.append("Art.48(2)(l): Place of issue required")
        if not self.signatory_name or not self.signatory_function:
            errors.append("Art.48(2)(m): Authorised signatory name and function required")
        if self.simplified_declaration and not self.full_doc_location:
            errors.append("Art.48(3): Simplified declaration must reference location of full DoC")
        return errors

    def is_valid(self) -> bool:
        return len(self.validate_mandatory_elements()) == 0

    def to_dict(self) -> dict:
        return {
            "provider": {"name": self.provider_name, "address": self.provider_address},
            "sole_responsibility": self.sole_responsibility_confirmed,
            "system": {
                "name": self.system_name,
                "version": self.system_version,
                "type": self.system_type,
                "serial_number": self.serial_number,
            },
            "regulation": self.regulation_reference,
            "assessment_track": self.assessment_track.value,
            "harmonised_standards": [
                {"id": s.identifier, "title": s.title, "applied": str(s.date_applied)}
                for s in self.harmonised_standards
            ],
            # Element 8: included so the exported record carries every listed element
            "common_specifications": self.common_specifications,
            "notified_body": {
                "name": self.notified_body.name,
                "nando": self.notified_body.nando_number,
                "certificate_ref": self.notified_body.certificate_reference_number,
                "certificate_date": str(self.notified_body.certificate_issue_date),
            } if self.notified_body else None,
            "other_legislation": self.other_union_legislation,
            "issue": {"place": self.place_of_issue, "date": str(self.date_of_issue)},
            "signatory": {
                "name": self.signatory_name,
                "function": self.signatory_function,
                "date": str(self.signatory_date) if self.signatory_date else None,
            },
            "doc_version": self.doc_version,
            "status": self.status.value,
        }

    def export_json(self, path: str) -> None:
        with open(path, "w", encoding="utf-8") as f:
            json.dump(self.to_dict(), f, indent=2, default=str)
```
2. ConformityChainValidator — Validating the Full Art.43→Art.44→Art.48→Art.49 Chain
```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional
from datetime import date


class ChainValidationStatus(Enum):
    COMPLETE = "complete"
    INCOMPLETE = "incomplete"
    BROKEN = "broken"


@dataclass
class ConformityChainState:
    system_version: str
    art9_risk_file_present: bool = False
    annex_iv_doc_present: bool = False
    art17_qms_present: bool = False
    art43_assessment_complete: bool = False
    art43_track: Optional[str] = None  # "annex_vi" or "annex_vii"
    art44_certificate_present: bool = False  # only relevant for Track 2
    art44_certificate_valid: bool = False  # only relevant for Track 2
    art48_doc_drawn_up: bool = False
    art48_doc_valid: bool = False
    art49_ce_marking_affixed: bool = False
    art32_database_registered: bool = False
    registration_date: Optional[date] = None


class ConformityChainValidator:
    """
    Validates the full AI Act conformity chain against Art.43→Art.44→Art.48→Art.49→Art.32.
    Identifies which step is blocking market placement.
    """

    def __init__(self, state: ConformityChainState):
        self.state = state

    def validate(self) -> dict:
        issues = []
        warnings = []

        # Prerequisites for DoC (Art.48)
        if not self.state.art9_risk_file_present:
            issues.append("Art.9: Risk management file missing — prerequisite for conformity assessment")
        if not self.state.annex_iv_doc_present:
            issues.append("Annex IV: Technical documentation missing — prerequisite for conformity assessment")
        if not self.state.art17_qms_present:
            issues.append("Art.17: QMS documentation missing — prerequisite for conformity assessment")

        # Art.43 assessment
        if not self.state.art43_assessment_complete:
            issues.append("Art.43: Conformity assessment not complete — DoC cannot be drawn up")
        elif self.state.art43_track == "annex_vii":
            if not self.state.art44_certificate_present:
                issues.append("Art.44: Track 2 assessment requires Art.44 certificate — not present")
            elif not self.state.art44_certificate_valid:
                issues.append("Art.44: Art.44 certificate present but invalid/expired")

        # Art.48 DoC
        if not self.state.art48_doc_drawn_up:
            issues.append("Art.48: EU Declaration of Conformity not drawn up — CE marking and market placement blocked")
        elif not self.state.art48_doc_valid:
            issues.append("Art.48: DoC drawn up but missing mandatory elements under Art.48(2)")

        # Post-DoC obligations
        if self.state.art48_doc_valid:
            if not self.state.art49_ce_marking_affixed:
                warnings.append("Art.49: DoC valid but CE marking not yet affixed — complete before market placement")
            if not self.state.art32_database_registered:
                warnings.append("Art.32: DoC valid but EU database registration not completed — required before market placement")

        status = ChainValidationStatus.COMPLETE if not issues else (
            ChainValidationStatus.BROKEN if any("Art.43" in i or "Art.48" in i for i in issues)
            else ChainValidationStatus.INCOMPLETE
        )
        return {
            "system_version": self.state.system_version,
            "status": status.value,
            "issues": issues,
            "warnings": warnings,
            # The warnings are Art.49 / Art.32 steps that must be done before
            # market placement, so an open warning also blocks clearance.
            "market_placement_cleared": not issues and not warnings,
        }
```
3. DoCSigner — Digital Signing and Version Control for DoC Records
```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date, datetime, timezone

# DeclarationOfConformity and DoCStat are the classes defined in section 1.


@dataclass
class DocSignatureRecord:
    doc_version: str
    system_version: str
    signatory: str
    signing_date: datetime
    document_hash: str  # SHA-256 of DoC JSON
    signature_method: str = "SHA-256-hash"  # extend to RSA-PSS or PKCS#7 for production


class DoCSigner:
    """
    Signs and version-controls the EU Declaration of Conformity.
    Provides audit trail for Art.18 10-year retention obligation.
    """

    def __init__(self, doc: "DeclarationOfConformity"):
        self.doc = doc
        self.signatures: list[DocSignatureRecord] = []

    def _content_hash(self) -> str:
        """SHA-256 over the canonical DoC JSON, excluding the lifecycle status."""
        content = self.doc.to_dict()
        content.pop("status", None)  # a status change must not invalidate the seal
        doc_json = json.dumps(content, sort_keys=True, default=str)
        return hashlib.sha256(doc_json.encode("utf-8")).hexdigest()

    def sign(self, signatory_name: str) -> DocSignatureRecord:
        """Sign the DoC — produces a SHA-256 content hash as tamper-evident seal."""
        # Record the signatory on the DoC first, so the hash covers the
        # content as signed and verify() succeeds on the unmodified record.
        self.doc.signatory_name = signatory_name
        self.doc.signatory_date = date.today()
        self.doc.status = DoCStat.VALID
        record = DocSignatureRecord(
            doc_version=self.doc.doc_version,
            system_version=self.doc.system_version,
            signatory=signatory_name,
            signing_date=datetime.now(timezone.utc),
            document_hash=self._content_hash(),
        )
        self.signatures.append(record)
        return record

    def verify(self, signature: DocSignatureRecord) -> bool:
        """Verify the document matches a recorded signature hash."""
        return self._content_hash() == signature.document_hash

    def supersede(self, new_doc_reference: str, reason: str) -> None:
        """Mark DoC as superseded — typically after substantial modification under Art.3(23)."""
        self.doc.status = DoCStat.SUPERSEDED
        self.doc.superseded_by = new_doc_reference
        # Log the supersession for Art.18 audit trail
        print(f"DoC version {self.doc.doc_version} superseded by {new_doc_reference}: {reason}")

    def export_audit_log(self) -> list[dict]:
        """Export signature history for Art.18 10-year retention."""
        return [
            {
                "doc_version": s.doc_version,
                "system_version": s.system_version,
                "signatory": s.signatory,
                "signed_at": s.signing_date.isoformat(),
                "document_hash": s.document_hash,
            }
            for s in self.signatures
        ]
```
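The SHA-256 value recorded by DoCSigner can be recomputed by anyone able to edit the stored DoC, so on its own it does not show that a retained record is unchanged. The following added example (not part of the original guide) keeps the Art.18 audit trail as an HMAC-chained log over a `to_dict()`-shaped record; the key, the sample record and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64              # stands in for the "previous MAC" of the first entry
LIFECYCLE_FIELDS = ("status",)  # to_dict() keys that change without the declaration changing
DEMO_KEY = b"constructed-demo-key"  # assumption: a real key lives in a KMS/HSM, not in code


def canonical(obj) -> bytes:
    """Deterministic JSON encoding so identical content always hashes identically."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), default=str).encode("utf-8")


def content_digest(doc: dict) -> str:
    """SHA-256 over the declared content, excluding lifecycle fields."""
    declared = {k: v for k, v in doc.items() if k not in LIFECYCLE_FIELDS}
    return hashlib.sha256(canonical(declared)).hexdigest()


def _mac(key: bytes, entry: dict) -> str:
    body = {k: v for k, v in entry.items() if k != "mac"}
    return hmac.new(key, canonical(body), hashlib.sha256).hexdigest()


def append_entry(log: list, key: bytes, event: str, doc: dict, actor: str, at: str) -> dict:
    """Append one event; each entry's MAC also covers the previous entry's MAC."""
    entry = {
        "seq": len(log),
        "event": event,  # e.g. "signed", "superseded"
        "actor": actor,
        "at": at,        # ISO 8601 timestamp supplied by the caller
        "doc_version": doc["doc_version"],
        "system_version": doc["system"]["version"],
        "content_sha256": content_digest(doc),
        "prev": log[-1]["mac"] if log else GENESIS,
    }
    entry["mac"] = _mac(key, entry)
    log.append(entry)
    return entry


def first_bad_entry(log: list, key: bytes) -> int:
    """Return the index of the first entry that fails verification, or -1 if intact.

    Removing entries from the tail is not detectable from the log alone:
    record the latest MAC somewhere the log's writers cannot modify.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        stored = str(entry.get("mac", "")).encode("utf-8")
        ok = (
            entry.get("seq") == i
            and entry.get("prev") == prev
            and hmac.compare_digest(_mac(key, entry).encode("utf-8"), stored)
        )
        if not ok:
            return i
        prev = entry["mac"]
    return -1


def doc_matches_last_signature(doc: dict, log: list) -> bool:
    """True if the DoC content equals what the most recent 'signed' entry sealed."""
    signed = [e for e in log if e["event"] == "signed"]
    return bool(signed) and hmac.compare_digest(signed[-1]["content_sha256"], content_digest(doc))


def sample_doc() -> dict:
    """Constructed record using a subset of the to_dict() keys from section 1."""
    return {
        "provider": {"name": "Example Provider GmbH", "address": "Example Street 1, Example City"},
        "sole_responsibility": True,
        "system": {"name": "example-screening", "version": "2.4.1", "type": "SaaS", "serial_number": None},
        "regulation": "Regulation (EU) 2024/1689",
        "assessment_track": "annex_vi_internal_control",
        "doc_version": "1.0",
        "status": "valid",
    }


if __name__ == "__main__":
    log, doc = [], sample_doc()
    append_entry(log, DEMO_KEY, "signed", doc, "A. Example", "2026-01-15T09:00:00+00:00")
    doc["status"] = "superseded"  # lifecycle change only
    append_entry(log, DEMO_KEY, "superseded", doc, "A. Example", "2026-06-01T09:00:00+00:00")
    print("chain intact:", first_bad_entry(log, DEMO_KEY) == -1)
    print("content unchanged:", doc_matches_last_signature(doc, log))
    doc["system"]["version"] = "2.4.2"  # declared content edited after signing
    print("content unchanged after edit:", doc_matches_last_signature(doc, log))
```

An HMAC protects the log against anyone who does not hold the key; it does not bind an entry to the individual signatory, which is what the asymmetric schemes named in the `signature_method` comment are for.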
Art.48 Compliance Checklist (40 Items)
Prerequisites (1–10)
1. [ ] Art.9 risk management file is complete, version-matched, and signed off
2. [ ] Annex IV technical documentation is complete for the exact system version being declared
3. [ ] Art.17 QMS is documented and operational before DoC is drawn up
4. [ ] Art.43 conformity assessment is complete — Track 1 (Annex VI) or Track 2 (Annex VII) confirmed
5. [ ] For Track 2 systems: Art.44 certificate of conformity has been issued and is currently valid
6. [ ] Art.44 certificate's conditions and restrictions have been reviewed and are compatible with intended deployment
7. [ ] Applicable harmonised standards (Art.40) have been identified and applied
8. [ ] Applicable common specifications (Art.41) have been identified and applied (if any)
9. [ ] Other applicable Union harmonisation legislation (Annex I) has been identified
10. [ ] Authorised signatory has documented delegated authority in the QMS
DoC Content — Mandatory Elements (11–25)
11. [ ] Provider name and registered address are correct and current
12. [ ] Sole responsibility statement is explicitly included in the DoC text
13. [ ] AI system is identified by name, version, type, and (where applicable) serial number
14. [ ] System version in DoC matches the exact version being placed on market
15. [ ] Regulation reference is "Regulation (EU) 2024/1689" (the AI Act)
16. [ ] Conformity assessment procedure referenced as "Annex VI (Internal Control)" or "Annex VII (Third-Party Assessment)"
17. [ ] Harmonised standards listed with full identifiers and publication dates
18. [ ] Common specifications listed where applied (or "not applicable" noted)
19. [ ] Notified body name and NANDO number included (Track 2 only; "not applicable" for Track 1)
20. [ ] Art.44 certificate reference number and issue date included (Track 2 only)
21. [ ] Other Union legislation references included for multi-regulation systems
22. [ ] Place of issue stated
23. [ ] Date of issue stated
24. [ ] Signatory's name, function, and signature present
25. [ ] Signatory has actual delegated authority documented in QMS
Annex I / Simplified Declaration (26–28)
26. [ ] If system is covered by Annex I legislation: all applicable legislation identified in DoC
27. [ ] If using simplified declaration (Art.48(3)): full DoC location explicitly referenced
28. [ ] If using combined single DoC for Annex I + AI Act: all elements for both regimes present
Post-Issuance Obligations (29–35)
29. [ ] Art.49 CE marking will be affixed after DoC is drawn up (not before)
30. [ ] Art.32 EU database registration scheduled before market placement
31. [ ] DoC filed with technical documentation package (Art.18 retention: 10 years)
32. [ ] Version control applied: DoC version number tracks system version
33. [ ] DoC update process defined: trigger conditions for issuing updated DoC documented
34. [ ] Substantial modification detection process (Art.3(23)) linked to DoC update workflow
35. [ ] Annual QMS review includes DoC currency check
Infrastructure and Jurisdiction (36–40)
36. [ ] DoC and supporting records stored with defined access controls
37. [ ] Storage infrastructure jurisdiction assessed for CLOUD Act applicability
38. [ ] If records stored on US-controlled infrastructure: CLOUD Act dual-access risk documented
39. [ ] Art.74 disclosure readiness: DoC can be produced to competent authorities within defined timeframes
40. [ ] Art.18 retention mechanism confirmed: DoC retrievable 10 years after market placement
See Also
- EU AI Act Art.43 Conformity Assessment: Internal Control vs. Notified Body — the conformity assessment that is the prerequisite for Art.48
- EU AI Act Art.44 Certificates of Conformity: Notified Body Certification — the Art.44 certificate referenced in Art.48 DoC for Track 2 systems
- EU AI Act Art.49 CE Marking and EU Declaration of Conformity — CE marking obligations that follow from the Art.48 DoC
- EU AI Act Art.23 Provider Obligations: Post-Market, Substantial Modification, Cooperation — Art.23 obligations including keeping DoC up to date
- EU AI Liability Directive (AILD) 2024: Developer Guide — how Art.48's "sole responsibility" statement interacts with AILD causation presumptions