2026-04-16·12 min read·

EU AI Act Art.71: EU Database for High-Risk AI Systems (EUAIDB) — Developer Guide (2026)

EU AI Act Article 71 establishes the EU AI database — a publicly accessible registry of every high-risk AI system that providers are required to register before placing on the EU market. Where Art.22 creates the registration obligation on providers, Art.71 governs the database itself: its establishment by the Commission, operational management by the AI Office, the data content requirements from Annex VIII and Annex IX, public accessibility rules, and the governance framework that makes EUAIDB registration a hard gate for lawful EU market placement.

For developers, Art.71 matters for three reasons. First, the EUAIDB registration number is not optional metadata — it must appear in Art.73 serious incident reports (Art.73(1) requires identification "with EU database registration number under Art.71"), in CE marking documentation (Art.49), and in deployer-facing instructions for use (Art.13). Second, the database is public and permanent: once your system is registered, its intended purpose, Annex III category, and provider identity are publicly searchable by regulators, researchers, and competitors. Third, GPAI model providers must separately register training data summaries in the EUAIDB under Art.52(1)(b) — a different registration track from the high-risk AI provider pathway.

Art.71 became operational in provisional form in 2025; the full operational database was established by the AI Office ahead of the Chapter III (high-risk AI) obligation dates in 2026. Providers of Annex III category systems must register before market placement on or after 2 August 2026.

Why Art.71 Matters for Developers

Developer Action	Art.71 Connection
Pre-launch compliance chain	Art.71 registration is the final gate after Art.43 → Art.48 → Art.49
Incident reporting (Art.73)	Registration number from Art.71 required in every Art.73 report
CE marking (Art.49)	CE marking documentation must include Art.71 database reference
GPAI API launch	Art.52(1)(b) machine-readable model card registered in EUAIDB
Public authority deployer	Art.71 deployer registration required before operational use
MSA investigation	Art.21 cooperation requires providing Art.71 registration details on request

Most developer guides treat the EU AI database as an administrative formality. It is not. The registration process validates that conformity assessment (Art.43), declaration of conformity (Art.47/48), and CE marking (Art.49) are complete. Without Art.71 registration, the system cannot be lawfully placed on the EU market. And critically, the registration number cascades downstream: incident reports, instructions for use, post-market monitoring records, and MSA cooperation dossiers all reference it.

Art.71 at a Glance

Provision	Content	Developer Obligation
Art.71(1)	Commission establishes EU AI database	Passive (Commission obligation)
Art.71(2)	AI Office operational management	Interface with AI Office registration portal
Art.71(3)	Provider registration — standalone high-risk AI (Annex VIII)	Register before market placement
Art.71(4)	Deployer registration — public authorities using high-risk AI	Register before operational use
Art.71(5)	GPAI training data summary registration (Art.52)	Register machine-readable model card
Art.71(6)	Public accessibility, searchability	No obligation; creates public exposure
Annex VIII	12 mandatory registration fields for standalone systems	Complete all fields before submission
Annex IX	Registration fields for regulated-product AI (Annex I)	Different track for embedded systems

Art.71(1): Commission Establishment Obligation

Art.71(1) places the establishment obligation on the European Commission: the Commission shall establish and maintain a publicly accessible EU AI database containing information on high-risk AI systems registered under Art.22, and on GPAI model training data summaries registered under Art.52(1)(b).

What "Publicly Accessible" Means

The database is open without authentication for read access. Any person — regulator, researcher, competitor, journalist, or member of the public — can search for registered AI systems by provider, category, intended purpose, or registration number. This creates strategic implications for providers:

Intended purpose statements are public: The Annex VIII field for "intended purpose" (field 4) becomes a public commitment. Deploying the system for purposes not listed in the registration without amendment is a compliance risk.
Annex III category is disclosed: Registering under a specific Annex III category (e.g., category 6 — employment AI) triggers public accountability for all category-specific obligations.
Provider identity is disclosed: The registering provider's name, registration number, and contact information are visible. This is intentional — public accountability is a design principle of the EUAIDB.

Database Infrastructure

The EUAIDB is hosted by EU Commission infrastructure under the operational management of the AI Office. This is significant for the CLOUD Act analysis — see the dedicated section below.

Art.71(2): AI Office Operational Management

While the Commission establishes the database, Art.71(2) designates the AI Office (established by Commission Decision C(2024)2025, Art.64 of the AI Act) as the entity responsible for:

Operational management of the EUAIDB portal and API
Ensuring user-friendly access for providers, deployers, and the public
Coordinating with national competent authorities (NCAs) for registration validation
Maintaining data accuracy and processing correction requests
Publishing statistics on registered systems by category and Member State

For developers interfacing with the registration process:

Submissions go through the AI Office portal (eDelivery-compatible API planned for programmatic submission)
Amendment requests (for substantial modifications under Art.43(4)) are processed by the AI Office
Registration numbers are AI Office-issued and follow the format established in implementing acts
Cross-border verification (when a system is registered by a non-EU provider via authorised representative) is AI Office-coordinated

The AI Office published a provisional registration interface in 2025, with full API access for Chapter III compliance launches in 2026.

Annex VIII: The 12 Mandatory Registration Fields

Annex VIII establishes the mandatory content for provider registration of standalone high-risk AI systems (not embedded in regulated products). Understanding each field is essential for your registration workflow.

Registration Content for Providers (Annex VIII, Part I)

#	Field	Content Requirement
1	Provider identity	Name, address, registration number of provider
2	Provider contact	Name and contact details of the person(s) responsible for compliance (Art.21 cooperation point)
3	Authorised representative	Identity and contact if provider is established outside EU (Art.22(2)(b))
4	AI system name	Trade name or commercial name + version identifier
5	Intended purpose	Complete description including users, target population, operational context
6	Annex III category	The specific category (1–8) under which the system is classified as high-risk
7	Status	Whether the system is available on the market or in service
8	Conformity assessment type	Art.43(1) (self-assessment per Annex VI/VII) or Art.43(2) (notified body)
9	Notified body details	Name, number, and certificate reference if notified body assessment performed
10	Declaration of conformity	Reference to Art.48 declaration (unique identifier)
11	Member States	EU Member States where system is or will be placed on market or put into service
12	URLs	Any available URL for additional documentation or system information

The Intended Purpose Field — Strategic Implications

Field 4 (intended purpose) is the registration field with the most downstream compliance impact:

Art.13 instructions for use must be consistent with the registered intended purpose
Art.9 risk management is scoped to the intended purpose
Art.73 incident reports reference the intended purpose to establish causal link and harm category
Deployer Art.29 obligations are bounded by the registered intended purpose — deployers may not use the system outside its intended purpose without triggering Art.25 (when deployer becomes provider)

Document the intended purpose with specificity: the user population, the operational environment, the decision type (supporting vs. autonomous), and the input/output data types. Vague intended purpose statements increase MSA investigation risk.

Substantial Modification and Re-Registration

Art.43(4) requires providers to conduct a new conformity assessment when making a substantial modification to a registered high-risk AI system. When a new conformity assessment is required, the Art.71 registration must be updated or a new registration submitted reflecting the modified system. The AI Office maintains the version history of registrations.

What triggers substantial modification:

Changes to the intended purpose (field 4)
Changes affecting the system's performance at the intended purpose level
Changes to the training data that affect the bias evaluation or performance declarations
Changes that affect the overall risk level of the system

Art.71 × Art.22: The Provider Registration Chain

Art.22 creates the obligation on providers to register. Art.71 establishes the database they register in. The two articles form a mandatory sequential chain:

Art.9-15 Compliance Build
        ↓
Art.17 Quality Management System
        ↓
Art.43 Conformity Assessment
  (Self-Assessment [Annex VI/VII] OR Notified Body [Annex VII Part II])
        ↓
Art.47 Technical Documentation sign-off
        ↓
Art.48 Declaration of Conformity (signed by provider)
        ↓
Art.49 CE Marking affixed (includes Art.71 registration reference)
        ↓
Art.71/Art.22 EUAIDB Registration (Annex VIII fields submitted)
        ↓
Lawful Market Placement / Service Launch

No step can be skipped. Registration without completed conformity assessment is a false registration — Art.48(1) requires that the declaration of conformity confirm conformity assessment completion before signing. The EUAIDB portal validates that a declaration of conformity reference (field 10) exists before issuing a registration number.

Art.22(2): What Providers Must Submit

Art.22(2) specifies that registration must include "the information referred to in Annex VIII, Parts I and II." The registration is not a self-certification of compliance — it is a transparency filing that records the completed conformity chain and makes the system visible to NCAs and the public.

Art.22(3): Deployer Registration for Public Authorities

Art.22(3) requires deployers that are public authorities using Annex III AI systems in categories 1, 2, 6, 7, or 8 to register their use in the EUAIDB. This creates a two-layer registration: the provider registers the system; the public authority deployer registers their use of it.

The deployer registration includes:

Identity of the deploying authority
Name and version of the AI system being used (referencing the provider's registration number)
The geographic area of use (Member State, region)
Categories of persons affected
Whether a Fundamental Rights Impact Assessment (FRIA, Art.27) has been conducted

Art.71 × Art.73: Registration Number in Incident Reports

This is the most operationally critical Art.71 connection for developers. Art.73(1) requires that when a serious incident is reported, the report must include identification of the AI system with the EU database registration number under Art.71.

This means:

You cannot submit an Art.73 report without a registration number — a system that has not completed Art.71 registration cannot be properly identified in an incident report
The registration number must be in your incident response runbook — when an incident occurs, responders need the registration number immediately; it should not require a database lookup during the 2-working-day window
The registration number creates a public record link — once an incident is reported citing a registration number, regulators can pull the public EUAIDB record to see the intended purpose, conformity assessment details, and Member State deployment scope
MSA investigation begins with the registration — Art.21 cooperation (producing Annex IV documentation) starts with the MSA pulling the EUAIDB record; an outdated or inaccurate registration complicates investigation

For the 2-working-day rule (death/health risk), your Art.73 preliminary report will be submitted under time pressure. The registration number must be instantly accessible — build it into your incident response tooling.

Art.71 × Art.52: GPAI Training Data Summary Registration

Art.71 also serves as the public repository for GPAI model training data summaries required under Art.52(1)(b). This is a separate registration track from the high-risk AI provider pathway.

What GPAI Providers Must Register

Under Art.52(1)(a)(i) read with Art.52(1)(b), GPAI model providers must:

Register a machine-readable training data summary in the EUAIDB before commercial availability
The summary must include: data categories, geographic origins, data collection methods, copyright compliance documentation reference, and the TDM (text and data mining) opt-out compliance policy
The registration must be updated when the model is substantially retrained on new data
The AI Office verifies completeness (not accuracy) of submissions

GPAI Registration ≠ High-Risk AI Registration

These are two distinct pathways in the EUAIDB:

High-risk AI registration (Annex VIII): Triggered by Annex III classification; prerequisite-gated by conformity assessment
GPAI training data registration (Art.52): Triggered by GPAI model general obligations; not gated by conformity assessment; applies to all GPAI models (not just systemic risk)

A provider building a GPAI model and deploying it as a high-risk AI system (e.g., an employment screening tool) may need both registrations: the GPAI training data summary (Art.52/Art.71) AND the high-risk AI system registration (Art.22/Art.71/Annex VIII).

Art.71(6): Public Accessibility and Database Search

Art.71(6) requires the EUAIDB to be easily searchable and publicly accessible without login. The AI Office implementation supports search by:

Provider name or registration number
Annex III category
Intended purpose keywords
Member State availability
Conformity assessment type (self-assessment vs. notified body)

Strategic Implications of Public Searchability

For your own systems:

Competitors can monitor your registration timeline — EUAIDB registration signals imminent product launch
MSAs can run automated monitoring queries to detect unregistered systems in their jurisdiction
Researchers and civil society organizations actively monitor high-risk AI registrations, particularly in categories 6 (employment), 7 (critical infrastructure), and 8 (law enforcement/migration)

For vendor due diligence: The EUAIDB enables you to verify that AI systems you procure from third-party providers are correctly registered before you deploy them. Art.29 deployer obligations require you to use AI systems only in accordance with their intended purpose — the EUAIDB registration confirms what the intended purpose is.

Art.71: Deployer Registration for Public Authorities — Implementation Detail

Public authority deployers using high-risk AI systems in Annex III categories 1, 2, 6, 7, or 8 must register their use under Art.22(3). The registration process:

Identify the provider registration number from the EUAIDB for the system being deployed
Complete the deployer registration form (Annex VIII Part II equivalent fields)
Confirm FRIA status — whether a Fundamental Rights Impact Assessment under Art.27 has been conducted
Specify deployment scope — geographic area, affected populations, operational context
Submit to the EUAIDB via the AI Office portal before operational use begins

The deployer registration does NOT require conformity assessment — that obligation rests with the provider. The deployer registration creates the audit trail linking a specific public body's use of a system to the provider's registration, enabling national supervisory authorities (NSAs) to monitor deployment patterns across jurisdictions.

CLOUD Act × Art.71: Database Infrastructure Jurisdiction

The EUAIDB is hosted on EU Commission infrastructure, operated by the AI Office. This creates a CLOUD Act jurisdictional profile distinct from provider-side compliance records:

Database Records Submitted to EU Commission

When a provider submits Annex VIII registration data to the EUAIDB:

The registration data is stored on EU Commission servers (DIGIT-managed infrastructure in Luxembourg and Brussels data centers)
The Commission infrastructure is not subject to US CLOUD Act jurisdiction — the CLOUD Act applies to "electronic communication service providers" and "remote computing service providers" with US ties; the EU Commission is neither
Submitted registration records are not CLOUD Act-reachable once stored in Commission infrastructure

However, the compliance pipeline that generates registration submissions may involve CLOUD Act exposure:

Record Type	Storage	CLOUD Act Risk
Submitted EUAIDB registration	EU Commission DIGIT infrastructure	None (EU sovereign infrastructure)
Conformity assessment documentation (Art.43)	Provider's systems	Risk if on US cloud provider
Declaration of conformity (Art.48)	Provider's systems	Risk if on US cloud provider
Annex IV technical documentation (Art.11)	Provider's systems	Risk if on US cloud provider
Incident reports submitted to MSA (Art.73)	MSA systems (national government)	None (national government infrastructure)
Provider's own Art.73 incident records	Provider's systems	Risk if on US cloud provider

The CLOUD Act risk is not in what you submit to Art.71 — it is in the documentation you hold that supports the registration and ongoing compliance. If your conformity assessment records, Annex IV documentation, and QMS files live on US cloud providers, they are CLOUD Act-reachable even though the EUAIDB registration entry itself is not.

EU-native PaaS infrastructure — where these compliance documentation systems are hosted — creates single-regime document jurisdiction: the documentation underlying your Art.71 registration is subject only to EU legal process, not parallel US government access.

Python Implementation

from dataclasses import dataclass, field
from enum import Enum
from datetime import date
from typing import Optional
import uuid


class AnnexIIICategory(Enum):
    BIOMETRICS = 1                    # Art. 6(2) + Annex III, category 1
    CRITICAL_INFRASTRUCTURE = 2       # Annex III, category 2
    EDUCATION = 3                     # Annex III, category 3
    EMPLOYMENT = 4                    # Annex III, category 4 (note: employment = 4 in Annex III)
    ESSENTIAL_SERVICES = 5            # Annex III, category 5
    LAW_ENFORCEMENT = 6               # Annex III, category 6
    MIGRATION_ASYLUM = 7              # Annex III, category 7
    JUSTICE_DEMOCRACY = 8             # Annex III, category 8


class ConformityAssessmentType(Enum):
    SELF_ASSESSMENT = "Art.43(1) - Internal Control (Annex VI/VII)"
    NOTIFIED_BODY = "Art.43(2) - Notified Body Assessment (Annex VII Part II)"


@dataclass
class EUAIDatabaseRecord:
    """
    Represents an EU AI Act Art.71 / Annex VIII registration record.
    Complete all fields before submitting to the EUAIDB portal.
    The database registration number (euaidb_number) is issued by the AI Office
    upon successful submission and must be retained for use in:
    - Art.73 serious incident reports
    - Art.49 CE marking documentation
    - Art.13 instructions for use
    - Art.21 MSA cooperation dossiers
    """
    # Field 1: Provider identity
    provider_name: str
    provider_address: str
    provider_registration_number: str  # VAT or national company registration

    # Field 2: Contact person
    compliance_contact_name: str
    compliance_contact_email: str
    compliance_contact_phone: str

    # Field 3: Authorised representative (required if provider outside EU)
    authorised_representative_name: Optional[str] = None
    authorised_representative_address: Optional[str] = None

    # Field 4: AI system identification
    ai_system_name: str = ""
    ai_system_version: str = ""
    ai_system_trade_name: Optional[str] = None

    # Field 5: Intended purpose (critical — public and permanent)
    intended_purpose: str = ""
    intended_users: str = ""  # Who operates the system
    affected_persons: str = ""  # Who the system makes decisions about
    operational_context: str = ""  # Where/how the system operates

    # Field 6: Annex III classification
    annex_iii_category: Optional[AnnexIIICategory] = None

    # Field 7: Market status
    is_on_market: bool = False
    is_in_service: bool = False
    market_placement_date: Optional[date] = None

    # Field 8: Conformity assessment
    conformity_assessment_type: Optional[ConformityAssessmentType] = None

    # Field 9: Notified body (if applicable)
    notified_body_name: Optional[str] = None
    notified_body_number: Optional[str] = None  # EU notified body registry number
    certificate_reference: Optional[str] = None

    # Field 10: Declaration of conformity
    declaration_of_conformity_id: str = ""  # Art.48 declaration unique identifier
    declaration_of_conformity_date: Optional[date] = None

    # Field 11: Member State availability
    member_states: list = field(default_factory=list)

    # Field 12: URLs
    system_url: Optional[str] = None
    documentation_url: Optional[str] = None

    # AI Office-issued after successful submission
    euaidb_number: Optional[str] = None
    registration_date: Optional[date] = None

    def registration_completeness_check(self) -> dict:
        """Check all Annex VIII mandatory fields before submission."""
        issues = []

        # Provider identity
        if not self.provider_name:
            issues.append("MISSING: provider_name (Annex VIII field 1)")
        if not self.provider_address:
            issues.append("MISSING: provider_address (Annex VIII field 1)")
        if not self.provider_registration_number:
            issues.append("MISSING: provider_registration_number (Annex VIII field 1)")

        # Contact
        if not self.compliance_contact_name:
            issues.append("MISSING: compliance_contact_name (Annex VIII field 2)")
        if not self.compliance_contact_email:
            issues.append("MISSING: compliance_contact_email (Annex VIII field 2)")

        # AI system identification
        if not self.ai_system_name:
            issues.append("MISSING: ai_system_name (Annex VIII field 4)")
        if not self.ai_system_version:
            issues.append("MISSING: ai_system_version (Annex VIII field 4)")

        # Intended purpose — detailed check
        if not self.intended_purpose:
            issues.append("MISSING: intended_purpose (Annex VIII field 5) — CRITICAL: public and permanent once registered")
        if not self.intended_users:
            issues.append("MISSING: intended_users (Annex VIII field 5)")
        if not self.affected_persons:
            issues.append("MISSING: affected_persons (Annex VIII field 5)")

        # Classification
        if not self.annex_iii_category:
            issues.append("MISSING: annex_iii_category (Annex VIII field 6)")

        # Market status
        if not self.is_on_market and not self.is_in_service:
            issues.append("WARNING: neither is_on_market nor is_in_service is True — verify field 7")

        # Conformity assessment
        if not self.conformity_assessment_type:
            issues.append("MISSING: conformity_assessment_type (Annex VIII field 8)")
        if self.conformity_assessment_type == ConformityAssessmentType.NOTIFIED_BODY:
            if not self.notified_body_name:
                issues.append("MISSING: notified_body_name (Annex VIII field 9 — required for notified body assessment)")
            if not self.notified_body_number:
                issues.append("MISSING: notified_body_number (Annex VIII field 9)")
            if not self.certificate_reference:
                issues.append("MISSING: certificate_reference (Annex VIII field 9)")

        # Declaration of conformity
        if not self.declaration_of_conformity_id:
            issues.append("MISSING: declaration_of_conformity_id (Annex VIII field 10) — Art.48 declaration must exist before registration")

        # Member States
        if not self.member_states:
            issues.append("MISSING: member_states (Annex VIII field 11)")

        # Non-EU provider check
        if not any([
            "DE" in self.provider_address if self.provider_address else False,
            "FR" in self.provider_address if self.provider_address else False,
            # In production: validate against EU country list
        ]):
            if not self.authorised_representative_name:
                issues.append("WARNING: Non-EU provider? authorised_representative_name may be required (Annex VIII field 3, Art.22(2)(b))")

        return {
            "complete": len(issues) == 0,
            "field_issues": issues,
            "registration_ready": len(issues) == 0 and bool(self.declaration_of_conformity_id),
        }

    def get_art73_reference(self) -> str:
        """Return the reference string for use in Art.73 serious incident reports."""
        if not self.euaidb_number:
            raise ValueError(
                "EUAIDB number not assigned — system is not yet registered. "
                "Art.73 incident reports require an EUAIDB registration number. "
                "Ensure Art.71 registration is complete before operational deployment."
            )
        return f"EUAIDB/{self.euaidb_number} ({self.ai_system_name} v{self.ai_system_version})"

    def substantial_modification_check(
        self,
        new_intended_purpose: Optional[str] = None,
        new_version: Optional[str] = None,
        training_data_changed: bool = False,
        performance_level_changed: bool = False,
        risk_level_changed: bool = False,
    ) -> dict:
        """
        Check if a proposed change triggers substantial modification
        requiring new Art.43 conformity assessment and Art.71 registration update.
        Reference: Art.43(4) + Recital 66.
        """
        triggers = []

        if new_intended_purpose and new_intended_purpose != self.intended_purpose:
            triggers.append("SUBSTANTIAL MODIFICATION: Intended purpose changed (Annex VIII field 5 update required)")

        if training_data_changed:
            triggers.append("POTENTIAL SUBSTANTIAL MODIFICATION: Training data changed — evaluate Art.43(4) impact on bias evaluation and performance declarations")

        if performance_level_changed:
            triggers.append("POTENTIAL SUBSTANTIAL MODIFICATION: Performance level changed — evaluate Art.43(4) impact on accuracy declarations (Art.15, Annex IV Section 6)")

        if risk_level_changed:
            triggers.append("SUBSTANTIAL MODIFICATION: Overall risk level changed — new Art.43 conformity assessment required; Art.71 registration update required")

        if new_version and new_version != self.ai_system_version:
            triggers.append(f"REVIEW REQUIRED: Version changed {self.ai_system_version} → {new_version}. Evaluate if change constitutes substantial modification under Art.43(4)")

        return {
            "substantial_modification": len([t for t in triggers if "SUBSTANTIAL" in t]) > 0,
            "triggers": triggers,
            "action_required": "New Art.43 conformity assessment + Art.71 registration update" if any("SUBSTANTIAL MODIFICATION" in t for t in triggers) else "Review required",
        }


@dataclass
class RegistrationComplianceAuditor:
    """
    Audits the Art.71 registration pipeline for a high-risk AI provider.
    Checks the complete Art.43 → Art.48 → Art.49 → Art.71 chain.
    """
    system_name: str
    provider_name: str
    target_member_states: list = field(default_factory=list)

    # Prerequisite chain status
    art43_conformity_assessment_complete: bool = False
    art43_assessment_date: Optional[date] = None
    art43_type: Optional[str] = None  # "self-assessment" or "notified-body"

    art48_declaration_signed: bool = False
    art48_declaration_date: Optional[date] = None
    art48_declaration_id: Optional[str] = None

    art49_ce_marking_affixed: bool = False
    art49_marking_date: Optional[date] = None

    art71_registration_submitted: bool = False
    art71_registration_date: Optional[date] = None
    art71_euaidb_number: Optional[str] = None

    def audit_chain(self) -> dict:
        """Full prerequisite chain audit."""
        chain = {
            "Art.43 Conformity Assessment": {
                "complete": self.art43_conformity_assessment_complete,
                "date": str(self.art43_assessment_date) if self.art43_assessment_date else None,
                "type": self.art43_type,
                "blocker_for": ["Art.48", "Art.49", "Art.71/Art.22"],
            },
            "Art.48 Declaration of Conformity": {
                "complete": self.art48_declaration_signed,
                "date": str(self.art48_declaration_date) if self.art48_declaration_date else None,
                "declaration_id": self.art48_declaration_id,
                "blocked_by": "Art.43" if not self.art43_conformity_assessment_complete else None,
                "blocker_for": ["Art.49", "Art.71/Art.22"],
            },
            "Art.49 CE Marking": {
                "complete": self.art49_ce_marking_affixed,
                "date": str(self.art49_marking_date) if self.art49_marking_date else None,
                "blocked_by": "Art.48" if not self.art48_declaration_signed else None,
                "blocker_for": ["Art.71/Art.22 registration"],
            },
            "Art.71/Art.22 EUAIDB Registration": {
                "complete": self.art71_registration_submitted,
                "date": str(self.art71_registration_date) if self.art71_registration_date else None,
                "euaidb_number": self.art71_euaidb_number,
                "blocked_by": "Art.49" if not self.art49_ce_marking_affixed else None,
                "enables": ["Lawful EU market placement", "Art.73 incident reporting", "Art.13 instructions for use"],
            },
        }

        all_complete = all(v["complete"] for v in chain.values())
        first_blocker = next(
            (k for k, v in chain.items() if not v["complete"]),
            None
        )

        return {
            "chain_complete": all_complete,
            "market_placement_lawful": all_complete,
            "first_blocker": first_blocker,
            "chain": chain,
            "euaidb_number_for_art73": self.art71_euaidb_number if self.art71_registration_submitted else "NOT AVAILABLE — complete Art.71 registration first",
        }

Art.71 Registration Timeline

Milestone	Date	Details
AI Office established	January 2024	Commission Decision C(2024)2025 — provisional AI Office operational
EUAIDB provisional launch	2025 (Q1)	Beta registration portal for voluntary early submissions
Chapter III obligations applicable (Annex III)	2 August 2026	Registration mandatory before market placement for most Annex III systems
Art.6(2) newly Annex III categories	2 August 2027 (if extended by Commission)	Specific categories may have extended deadlines per Art.111
Annex I regulated product AI (Art.6(1))	2 August 2027 (aligned with product regulation dates)	Embedded AI in medical devices, machinery, vehicles — different conformity track

For Annex III standalone high-risk AI systems, the hard deadline for Art.71 registration is before market placement on or after 2 August 2026. Systems already in service before that date have transition periods specified in Art.111(3).

40-Item Art.71 Compliance Checklist

Section 1: Pre-Registration Prerequisites (Items 1–10)

1. Art.9 risk management system documented and operational
2. Art.10 training data governance documented (bias examination complete)
3. Art.11 technical documentation (Annex IV, all 8 sections) prepared
4. Art.12 automatic logging system operational
5. Art.13 instructions for use prepared (consistent with intended purpose for field 5)
6. Art.14 human oversight mechanisms implemented and tested
7. Art.15 accuracy and robustness declarations prepared
8. Art.17 QMS documented with ISO/IEC 42001 mapping
9. Art.43 conformity assessment type selected (self-assessment vs. notified body)
10. Art.43 conformity assessment completed with documented evidence

Section 2: Declaration and Marking (Items 11–15)

11. Art.48 declaration of conformity signed by authorised signatory
12. Art.48 declaration unique identifier assigned and recorded
13. Art.48 declaration contains all required elements (Art.48(2) list)
14. Art.49 CE marking affixed (on system or accompanying documentation for software)
15. Art.49 CE marking includes notified body number if applicable

Section 3: Annex VIII Registration Content (Items 16–27)

16. Provider identity (name, address, registration number) prepared
17. Compliance contact person identified and available
18. Authorised representative designated if provider outside EU
19. AI system name, trade name, and version identifier finalized
20. Intended purpose statement drafted with specificity (users, affected persons, operational context)
21. Intended purpose reviewed by legal counsel for scope accuracy
22. Annex III category confirmed with legal analysis
23. Market status (on market / in service) determined
24. Conformity assessment type and date recorded in registration form
25. Notified body name, number, and certificate reference included (if applicable)
26. Art.48 declaration of conformity ID entered in field 10
27. All relevant Member States listed in field 11

Section 4: Post-Registration Operations (Items 28–35)

28. EUAIDB registration number stored in incident response runbook (Art.73 readiness)
29. EUAIDB number included in Art.13 instructions for use for deployers
30. EUAIDB number included in Art.49 CE marking documentation
31. Registration update process defined for substantial modifications (Art.43(4))
32. Art.30 post-market monitoring system feeds substantial modification trigger review
33. MSA cooperation protocol (Art.21) references EUAIDB registration as entry point
34. Deployer onboarding includes EUAIDB registration number for their Art.29 records
35. Annual review process for registration accuracy against deployed system

Section 5: GPAI and Infrastructure (Items 36–40)

36. If GPAI model: Art.52(1)(b) machine-readable training data summary registered separately in EUAIDB
37. If GPAI + high-risk AI: both registration tracks completed (Art.52 + Art.22/Art.71)
38. Compliance documentation hosting reviewed for CLOUD Act exposure (Art.11/Art.17/Art.43 records)
39. EU-native infrastructure assessed for single-regime document jurisdiction
40. Public EUAIDB record reviewed for accuracy after AI Office processing (typically 5–10 business days after submission)

Art.71 × Cross-Article Intersection Matrix

Article	Connection to Art.71	Practical Impact
Art.22	Establishes the registration obligation Art.71 fulfills	Provider cannot place on market without completing both
Art.43	Conformity assessment prerequisite for registration	No Art.71 registration without Art.43 completion
Art.47/Art.48	Declaration of conformity referenced in Annex VIII field 10	Declaration must precede registration; date verifiable in EUAIDB
Art.49	CE marking includes EUAIDB reference; Art.71 enables CE marking	Sequential gate: Art.71 → CE marking → market placement
Art.52	GPAI training data summary registered in EUAIDB	Separate registration track for GPAI providers
Art.53	Systemic risk GPAI: adversarial test results referenced via EUAIDB	GPAI provider EUAIDB record linked to Art.53 compliance documentation
Art.64-70	AI Office manages EUAIDB; NCAs validate registrations	Art.65 investigation powers include EUAIDB record review
Art.73	EUAIDB registration number required in incident reports	System not yet registered = incomplete Art.73 report
Art.21	MSA cooperation starts with EUAIDB record pull	Registration must be accurate; MSA has basis for Art.21 access request
Art.27	Public authority deployer FRIA status in deployer registration	Art.22(3) deployer registration includes Art.27 FRIA confirmation
Annex VIII	12 mandatory fields for standalone high-risk AI registration	Complete reference for registration content requirements

What Developers Should Do Now

If you have a high-risk AI system targeting the EU market:

Start the Art.43 conformity assessment now — this is the longest lead-time step. Self-assessment (Annex VI/VII) requires complete internal documentation; notified body assessment requires booking a body (limited capacity in 2025-2026) and preparing Annex VII Part II documentation.
Draft your Annex VIII registration fields in parallel — especially field 5 (intended purpose). This field is public, permanent, and must be consistent with your Art.13 instructions for use and Art.9 risk management documentation. Legal review is advisable before submission.
Assign your EUAIDB number to your incident response runbook — the number exists only after registration, but your runbook should have a placeholder and a clear protocol for retrieving and using the number in the 2-working-day Art.73 window.
If you're a non-EU provider: Confirm your authorised representative (Art.22(2)(b)) is designated before registration. The representative's identity goes in Annex VIII field 3 and they receive a copy of the Art.48 declaration.

If you're a GPAI model provider:

Prepare your Art.52(1)(b) machine-readable training data summary — this goes in the EUAIDB as the public-facing record of your model's training data provenance and copyright compliance.
Check if your GPAI model is also used as a high-risk AI component — if so, both the Art.52 EUAIDB track and the Art.22/Art.71 high-risk AI track may apply.