EU AI Act Art.49 CE Marking: Affixing Requirements and Provider Obligations — Developer Guide (2026)

EU AI Act Article 49 marks the end of the conformity assessment process and the beginning of the provider's public-facing market obligations. After drawing up the EU declaration of conformity under Art.48, the provider must affix the CE marking to the high-risk AI system before placing it on the EU market. The CE marking is not a formality — it is a legal signal, the public assertion that the provider has completed the full conformity chain under the AI Act (and, where applicable, under other EU harmonisation legislation), and it is the last active compliance step before EU database registration under Art.32 and market placement under Art.16.

For SaaS developers building high-risk Annex III AI systems, Art.49 defines how CE marking must be affixed, what rules govern its appearance and placement, when a notified body identification number must accompany it, what marks are prohibited alongside it, and how CE marking operates in dual-regulated product contexts (AI Act + MDR, Machinery Regulation, or RED).

The practical stakes are immediate: a high-risk AI system placed on the EU market without CE marking is simultaneously in violation of Art.49 and Art.16 — two overlapping infringement grounds, each carrying up to €15 million or 3% of global annual turnover.

Art.49 in the Conformity Chain

Art.49 occupies the penultimate position in the conformity chain — after the EU declaration of conformity (Art.48), and before EU database registration (Art.32) and market placement (Art.16):

Art.49 is the transition from private compliance work (assessment, documentation, declaration) to public market signalling. A CE marking affixed on a system communicates, without any additional documentation, that the system has successfully traversed the full conformity chain. Market surveillance authorities treat the presence of CE marking as creating a rebuttable presumption of conformity: they must demonstrate non-conformity to impose restrictions.

Art.49(1): CE Marking General Principles — Regulation (EC) No 765/2008

Art.49(1) subjects the CE marking under the AI Act to the general principles established in Article 30 of Regulation (EC) No 765/2008. This is the New Legislative Framework (NLF) regulation that governs CE marking across all EU product sectors — it ensures that CE marking means the same thing regardless of whether it appears on an AI system, a medical device, or a piece of construction machinery.

Core principles from Article 30 of Regulation (EC) No 765/2008 as applied to AI systems:

Responsibility allocation under Art.49(1): Only the AI Act provider as defined in Art.3(3) — the entity that develops (or has developed) the system and places it on the market under its own name — is authorised to affix the CE marking. Deployers, distributors, and importers do not affix the CE marking; if they substantially modify the system to the point that Art.3(23)'s substantial modification threshold is triggered, they become providers and must then affix CE marking themselves for the modified system.

Art.49(2): Digital CE Marking for Software AI Systems

Art.49(2) addresses the practical challenge that a software-based AI system has no physical housing on which a physical label can be indelibly affixed. For high-risk AI systems provided digitally — the dominant deployment form for SaaS AI — the CE marking may be provided through digital means, subject to the condition that it is easily accessible to the person to whom the system is provided.

Accepted digital affixing methods:

What "easily accessible" means in enforcement: A CE marking buried in a multi-level contractual document or accessible only through a support ticket is not easily accessible. Regulators applying the NLF standards will ask whether a typical deployer, at the point of receiving the system, could readily locate and verify the CE marking without special effort. Best practice is to include the CE marking in:

1. The system's compliance or legal documentation section (primary)
2. The technical documentation package delivered to the deployer on contract signing (secondary)
3. The written instructions for use required under Art.13 (tertiary)

Version specificity: The CE marking in the UI or documentation must identify which version of the AI system it corresponds to. A CE marking that applies to version 1.2 of a system does not automatically cover version 1.3 if the update constitutes a substantial modification under Art.3(23). Version pinning in the CE marking documentation is essential for maintaining a clear conformity chain per system version.

Art.49(3): Notified Body Identification Number

Art.49(3) requires that where a notified body participated in the conformity assessment, the CE marking must be followed by the notified body's identification number. The obligation applies specifically when:

• The full conformity assessment was conducted under Annex VII (notified body assessment) — Art.43 Track 2 — resulting in an Art.44 certificate of conformity
• The notified body is involved in production phase supervision under Annex VII, points 6 or 8 (production quality assurance or product verification)

The identification number is the four-digit NANDO number (New Approach Notified and Designated Organisations) assigned by the European Commission. Each designated notified body in the EU has a unique NANDO number, publicly verifiable in the NANDO database. The number appears immediately after the CE symbol — for example, CE 1234 — or in the documentation where CE marking is digitally affixed.

Track determination and Art.49(3) obligations:

NANDO number lookup: The European Commission's NANDO information system (accessible at the Commission's website) lists all designated notified bodies for each EU harmonisation legislation, including the AI Act. The four-digit NANDO number for the AI Act notified body that issued the Art.44 certificate is the number to affix after CE.

Impact when notified body's designation is suspended: If the notified body whose NANDO number appears in the CE marking has its designation suspended under Art.36, the affected Art.44 certificates may be impacted. Providers should monitor NANDO database updates for their notified body's designation status and have a contingency plan for notified body reassignment. The CE marking with a suspended body's NANDO number may become invalid if the Art.44 certificate is revoked under Art.44(4).

Art.49(4): Prohibition on Misleading Marks

Art.49(4) prohibits providers of high-risk AI systems from affixing to those systems any marks, labels, symbols, or inscriptions relating to conformity assessment that:

• Are likely to mislead third parties about the meaning or form of the CE marking, or
• Could be confused with national marks — the CE marking is a Union mark; national conformity marks should not create ambiguity about whether a product's conformity was assessed against EU requirements or only national requirements

Practical scope of the prohibition:

The distinguishing question: Does the mark create a reasonable impression that the product has been conformity assessed under EU harmonisation legislation in a way it has not? If yes, Art.49(4) applies. ISO/SOC certifications are clearly management system marks and do not create CE confusion. Marketing claims that use CE-resembling symbols or language like "EU Regulatory Approved" that imply government approval create meaningful Art.49(4) risk.

CE Marking in Multi-Regulatory Products

Where a high-risk AI Act system is embedded in or constitutes a product subject to other Union harmonisation legislation that also requires CE marking, the AI Act follows the New Legislative Framework convention: a single CE marking indicates conformity with all applicable Union legislation. The provider does not affix multiple CE marks — a single CE mark covers the AI Act and all other applicable legislation.

Common multi-regulatory product scenarios for AI developers:

The documentation burden in multi-regulatory products: While a single CE marking is affixed, the provider must maintain separate technical documentation for each applicable regulation. The Art.48 EU declaration of conformity must explicitly reference all applicable Union harmonisation legislation — a DoC that mentions only the AI Act but not MDR, for a medically embedded AI system, is an incomplete DoC. Market surveillance authorities from multiple sectoral bodies may request their respective documentation sets.

Simplified declaration for Annex I products — Art.48(3) interaction with Art.49: Where the AI Act system is embedded in an Annex I regulated product (subject to its own sectoral safety legislation), Art.48(3) permits a simplified declaration approach — the sectoral legislation's declaration of conformity can incorporate the AI Act compliance assertion by reference or jointly. This affects CE marking in that the CE marking on the Annex I product package signals combined conformity, and the provider must ensure the simplified declaration approach is clearly documented so that market surveillance authorities can trace the AI Act conformity basis from the CE marking to the underlying assessment.

Art.49 and Art.32 EU Database: The Registration Sequence

CE marking is a functional prerequisite for Art.32 EU database registration: a provider cannot register a system in the EU AI database before having completed the conformity assessment chain culminating in CE marking. In practice, providers typically initiate or complete database registration simultaneously with CE marking affixing, as both must be completed before market placement.

Sequence and data dependencies:

Art.43 Assessment Complete
    ↓
Art.44 Certificate (Track 2 only)
    ↓
Art.48 DoC Drawn Up
    ↓
Art.49 CE Marking Affixed ──────→ CE marking date recorded
    ↓                               NANDO number (if Track 2)
Art.32 Database Registration ────→ Registration uses CE marking data:
    ↓                               - Assessment procedure (Annex VI or VII)
Art.16 Market Placement            - NANDO number
                                   - CE marking affixing date

What Art.32 registration requires that Art.49 provides: The EU AI database registration (conducted via the European AI Office portal, ec.europa.eu/transparency/ai-register) requires the provider to submit information including the applicable conformity assessment procedure and — for Track 2 systems — the notified body identification. The NANDO number in the CE marking affixed under Art.49(3) is the same number entered into the Art.32 database. Any discrepancy between the CE marking and the database registration is a red flag for market surveillance.

Market Surveillance and CE Marking Enforcement

Market surveillance authorities under Art.74 have the right to request a copy of the EU declaration of conformity, access to the technical documentation, and inspection of the CE marking. Art.49 violations generate direct enforcement exposure:

CE marking violation scenarios:

CLOUD Act dimension for CE marking records: Providers must maintain records of when CE marking was affixed, to which system version, in what form, and with what assessment basis (Art.18 — 10-year retention from last market placement date). If these compliance records are stored on US-based cloud infrastructure (AWS, Azure, GCP), they are potentially compellable by US federal agencies under CLOUD Act (18 U.S.C. §2713) — parallel to and simultaneous with any EU market surveillance request under Art.74. EU-native PaaS infrastructure eliminates this dual-access scenario: compliance records remain under a single regulatory regime with no US government parallel access path.

Corrective measure timeline: Once a market surveillance authority identifies a CE marking violation and issues a corrective measure demand, the provider typically has 15–30 days to comply (specific timelines set by national competent authority). Failure to correct leads to market withdrawal orders under Art.79 and possible referral to the European AI Office under Art.80 for cross-border systemic violations.

Python Implementations

# Example 1: CEMarkingRecord — Art.49 compliance record
from dataclasses import dataclass, field
from datetime import date
from typing import Optional
import hashlib
import json


@dataclass
class CEMarkingRecord:
    """
    Immutable record of CE marking affixing for Art.49 compliance.

    Maintains a traceable record of when CE marking was affixed, to which
    system version, in what form, and with what assessment basis.
    Required for Art.18 10-year retention and Art.74 market surveillance access.
    """
    system_id: str
    system_version: str
    affixed_date: date
    affixing_method: str      # 'physical', 'digital_ui', 'documentation', 'packaging'
    doc_reference: str        # Art.48 DoC reference number
    assessment_track: str     # 'track_1' (Annex VI) or 'track_2' (Annex VII)
    notified_body_id: Optional[str] = None   # NANDO number — required for Track 2
    applicable_legislation: list = field(default_factory=lambda: ["AI Act 2024/1689"])

    def display_marking(self) -> str:
        """CE marking string as it must appear on product/documentation (Art.49(3))."""
        if self.notified_body_id:
            return f"CE {self.notified_body_id}"
        return "CE"

    def content_hash(self) -> str:
        """SHA-256 hash for audit trail integrity."""
        record = {
            "system_id": self.system_id,
            "system_version": self.system_version,
            "affixed_date": self.affixed_date.isoformat(),
            "affixing_method": self.affixing_method,
            "doc_reference": self.doc_reference,
            "assessment_track": self.assessment_track,
            "notified_body_id": self.notified_body_id,
        }
        return hashlib.sha256(
            json.dumps(record, sort_keys=True).encode()
        ).hexdigest()

    def is_valid(self) -> bool:
        """Validates CE marking record completeness."""
        if not (self.system_id and self.system_version and self.doc_reference):
            return False
        if self.affixed_date > date.today():
            return False
        if self.assessment_track == "track_2" and not self.notified_body_id:
            return False
        return True


# Example 2: CEMarkingValidator — Art.49 compliance validation
from enum import Enum
from dataclasses import dataclass as dc
from typing import List


class CEMarkingIssue(Enum):
    MISSING_DOC_REFERENCE = "CE marking lacks Art.48 EU DoC reference"
    MISSING_NOTIFIED_BODY_ID = "Track 2 system requires NANDO number in CE marking"
    INVALID_AFFIXING_METHOD = "Affixing method not permitted for product type"
    AFFIXED_BEFORE_ASSESSMENT = "CE marking affixed before conformity assessment completed"
    MISSING_DOC_REFERENCE_DIGITAL = "Digital CE marking must be easily accessible (Art.49(2))"
    MULTI_REGULATION_INCOMPLETE = "DoC must reference all applicable legislation"


@dc
class ValidationResult:
    is_valid: bool
    issues: List[CEMarkingIssue]
    warnings: List[str]


class CEMarkingValidator:
    """
    Validates CE marking compliance with Art.49 AI Act requirements.

    Checks:
    - Art.49(1): CE marking affixed after assessment completion
    - Art.49(2): Digital accessibility for digital AI systems
    - Art.49(3): NANDO number present for Track 2 systems
    - Art.49(4): No prohibited additional marks
    """
    VALID_METHODS = {"physical", "digital_ui", "documentation", "packaging"}

    def validate(
        self,
        marking: CEMarkingRecord,
        assessment_completed: bool,
        product_type: str = "digital",   # 'physical' or 'digital'
        additional_marks: Optional[List[str]] = None,
    ) -> ValidationResult:
        issues = []
        warnings = []

        if not assessment_completed:
            issues.append(CEMarkingIssue.AFFIXED_BEFORE_ASSESSMENT)

        if not marking.doc_reference:
            issues.append(CEMarkingIssue.MISSING_DOC_REFERENCE)

        if marking.assessment_track == "track_2" and not marking.notified_body_id:
            issues.append(CEMarkingIssue.MISSING_NOTIFIED_BODY_ID)

        if marking.affixing_method not in self.VALID_METHODS:
            issues.append(CEMarkingIssue.INVALID_AFFIXING_METHOD)

        if product_type == "digital" and marking.affixing_method == "physical":
            warnings.append(
                "Physical CE affixing alone may not satisfy Art.49(2) accessibility "
                "requirement for digital AI systems — add documentation/UI form"
            )

        if len(marking.applicable_legislation) > 1:
            warnings.append(
                "Multi-legislation CE marking: verify Art.48 DoC references "
                f"all {len(marking.applicable_legislation)} applicable instruments"
            )

        return ValidationResult(
            is_valid=len(issues) == 0,
            issues=issues,
            warnings=warnings,
        )


# Example 3: ConformityChainFinalizer — Art.9 → Art.49 → Art.32 completion tracker
from dataclasses import dataclass as dc2
from typing import Optional as Opt


@dc2
class ConformityChainFinalizer:
    """
    Tracks and validates the complete Art.9 → Art.49 → Art.32 conformity chain.

    Use to verify readiness for CE marking (Art.49) and subsequent
    EU database registration (Art.32) before market placement (Art.16).
    """
    system_id: str
    risk_management_complete: bool = False       # Art.9
    technical_documentation_complete: bool = False  # Annex IV
    qms_complete: bool = False                    # Art.17
    assessment_complete: bool = False             # Art.43
    is_track2: bool = False
    certificate_ref: Opt[str] = None             # Art.44 — Track 2 only
    doc_ref: Opt[str] = None                     # Art.48 DoC reference
    ce_marking_record: Opt[CEMarkingRecord] = None  # Art.49
    db_registration_id: Opt[str] = None          # Art.32

    def ready_for_ce_marking(self) -> bool:
        """Art.49 prerequisites: completed Art.43 + Art.48 DoC drawn up."""
        base = (
            self.risk_management_complete
            and self.technical_documentation_complete
            and self.qms_complete
            and self.assessment_complete
            and self.doc_ref is not None
        )
        if self.is_track2:
            return base and self.certificate_ref is not None
        return base

    def ce_marking_valid(self) -> bool:
        """CE marking is present and internally valid."""
        return (
            self.ce_marking_record is not None
            and self.ce_marking_record.is_valid()
        )

    def ready_for_market_placement(self) -> bool:
        """Art.16 prerequisites: full chain including Art.49 CE + Art.32 registration."""
        return (
            self.ready_for_ce_marking()
            and self.ce_marking_valid()
            and self.db_registration_id is not None
        )

    def chain_completion_pct(self) -> float:
        """Progress through the full conformity chain (Art.9 → Art.16)."""
        steps = [
            self.risk_management_complete,
            self.technical_documentation_complete,
            self.qms_complete,
            self.assessment_complete,
            (not self.is_track2) or (self.certificate_ref is not None),
            self.doc_ref is not None,
            self.ce_marking_valid(),
            self.db_registration_id is not None,
        ]
        return round(sum(steps) / len(steps) * 100, 1)

    def blocking_steps(self) -> list:
        """Returns list of incomplete steps blocking market placement."""
        pending = []
        if not self.risk_management_complete:
            pending.append("Art.9 Risk Management")
        if not self.technical_documentation_complete:
            pending.append("Annex IV Technical Documentation")
        if not self.qms_complete:
            pending.append("Art.17 Quality Management System")
        if not self.assessment_complete:
            pending.append("Art.43 Conformity Assessment")
        if self.is_track2 and not self.certificate_ref:
            pending.append("Art.44 Certificate of Conformity (Track 2)")
        if not self.doc_ref:
            pending.append("Art.48 EU Declaration of Conformity")
        if not self.ce_marking_valid():
            pending.append("Art.49 CE Marking")
        if not self.db_registration_id:
            pending.append("Art.32 EU Database Registration")
        return pending

40-Item Art.49 CE Marking Compliance Checklist

Prerequisites (Steps Before CE Marking)

• 1. Art.9 risk management system established, documented, and current
• 2. Annex IV technical documentation complete for the specific AI system version
• 3. Art.17 quality management system operational and documented
• 4. Art.43 conformity assessment completed — Track 1 (Annex VI) or Track 2 (Annex VII)
• 5. (Track 2 only) Art.44 certificate of conformity obtained from designated notified body
• 6. Art.48 EU declaration of conformity drawn up with all mandatory elements (Art.48(2))
• 7. Art.48 DoC specifies the AI system version to which the CE marking will apply

CE Marking Content and Form (Art.49(1) + Art.49(3))

• 8. CE marking uses the prescribed form from Annex V of Regulation (EC) No 765/2008
• 9. CE marking meets the 5mm minimum height requirement for physical affixing
• 10. CE marking proportions maintained if scaled up or down
• 11. CE marking is visually distinguishable from surrounding text and other marks
• 12. (Track 2 only) Notified body NANDO four-digit identification number affixed after CE symbol
• 13. (Track 2 production phase) NANDO number also included where notified body supervises Annex VII points 6 or 8
• 14. NANDO number in CE marking matches the notified body that issued the Art.44 certificate

CE Marking Placement (Art.49(1) + Art.49(2))

• 15. Physical AI systems: CE marking affixed directly on the product housing
• 16. If direct product affixing not possible: CE marking on packaging or accompanying documentation
• 17. Digital AI systems: CE marking accessible via the user interface (Art.49(2))
• 18. Digital AI systems: CE marking included in deployer-facing technical documentation
• 19. CE marking references the specific system version (not a generic version)
• 20. Instructions for use (Art.13) reference the CE marking and conformity status

Anti-Misleading Marks (Art.49(4))

• 21. No national conformity marks affixed that could be confused with CE marking
• 22. No internal quality/compliance badges that visually resemble CE symbol
• 23. No "EU Certified" or "EU Approved" marks without legal harmonisation basis
• 24. Marketing materials do not misrepresent the scope of CE certification
• 25. Any ISO/SOC/CSA certifications displayed alongside CE marking are clearly distinguished

Multi-Regulatory Products

• 26. Where AI Act + other EU legislation: single CE marking used for all applicable legislation
• 27. Art.48 DoC explicitly references all applicable Union harmonisation legislation
• 28. (MDR/IVDR products) Joint Art.48 DoC with MDR/IVDR references reviewed by legal counsel
• 29. (Annex I simplified declaration, Art.48(3)) Simplified declaration approach documented
• 30. (Multi-regulation) All relevant notified body NANDO numbers reflected in CE marking documentation

Documentation and Records (Art.18 + Art.49)

• 31. CEMarkingRecord (or equivalent) created with affixing date, method, system version, DoC reference
• 32. CE marking records stored securely for minimum 10 years (Art.18 retention obligation)
• 33. CE marking records stored in EU-jurisdiction infrastructure or CLOUD Act risk formally documented
• 34. Version control system links each CE marking record to specific software commit/release tag
• 35. Process documented for updating CE marking when substantial modification (Art.3(23)) occurs

EU Database Registration Linkage (Art.32)

• 36. Art.32 EU database registration initiated after CE marking affixing
• 37. NANDO number in Art.32 registration matches CE marking (Track 2)
• 38. CE marking affixing date entered into Art.32 registration record

Post-Market Obligations

• 39. Market surveillance authority (Art.74) access to CE marking documentation ensured in case of inspection
• 40. Authorised representative (Art.22) informed of CE marking documentation requirements if provider is non-EU

For SaaS Developers: Do You Need CE Marking?

CE marking applies if all three conditions are met:

1. Your AI system is listed in Annex III of the AI Act (it qualifies as high-risk)
2. You are placing the system on the EU market or putting it into service in the EU
3. You are the "provider" under Art.3(3) — you develop or have developed the system and offer it under your own name or trademark

CE marking does NOT apply if:

• Your AI system is not in Annex III (the vast majority of SaaS AI features are not)
• Your system falls within an Art.6(3) exception (general-purpose AI with no high-risk intended purpose)
• You are a "deployer" using a third-party AI system (the provider you purchase from bears the CE obligation)
• Your system is solely deployed internally within your own organisation and not placed on the EU market

High-risk Annex III categories most relevant for SaaS developers (where CE marking applies):

• AI systems for biometric identification of natural persons (including emotion recognition)
• AI systems in educational assessment (evaluating learning outcomes, screening admissions)
• AI systems in employment recruitment (CV screening, interview assessment, promotion decisions)
• AI systems in creditworthiness assessment for natural persons
• AI systems in critical infrastructure management (energy, water, transport)
• AI systems in law enforcement for individual risk assessment

If your AI system does any of these at scale for EU users, CE marking is mandatory before EU market placement.

See Also

• EU AI Act Art.43 Conformity Assessment: Internal Control vs. Notified Body Procedures — Developer Guide (2026)
• EU AI Act Art.44 Certificates of Conformity: Notified Body Certification — Developer Guide (2026)
• EU AI Act Art.48 EU Declaration of Conformity: Provider Obligations — Developer Guide (2026)
• EU AI Act Art.32 EU Database Registration for High-Risk AI Systems — Developer Guide (2026)
• EU AI Act Art.9 Risk Management Requirements for High-Risk AI Systems — Developer Guide (2026)