EU AI Act Conformity Assessment 2026: Self-Assessment vs Third-Party for High-Risk AI Deployers
Post #2 in the sota.io EU AI Act Deployer Sprint 2026 — August Deadline
Conformity assessment is the most misunderstood obligation in the EU AI Act — particularly for deployers. The short version: if you buy a high-risk AI system from a vendor, you do not run your own conformity assessment. The vendor (provider) already did. Your job is to verify they did it correctly.
But it gets complicated the moment you deviate from the vendor's intended use case, substantially modify the system, or build AI in-house. At that point, you cross from deployer into provider territory — and the full conformity assessment machinery kicks in.
This guide covers everything a SaaS deployer needs to know before the August 2, 2026 deadline.
Who Does Conformity Assessment Under the AI Act?
The AI Act divides responsibility clearly:
Providers (those who develop or place high-risk AI on the market) must run conformity assessment before the system is placed on the market or put into service. This is a condition for affixing the CE marking.
Deployers (those who use high-risk AI for a professional purpose) are not the primary party responsible for conformity assessment — but they carry verification and documentation obligations that are almost as demanding.
The critical exception: a deployer becomes a provider — and takes on full conformity assessment obligations — in any of these cases:
- They place the AI system on the market or put it into service under their own name or trademark
- They make a substantial modification to a high-risk AI system
- They change the intended purpose of a non-high-risk AI system in a way that makes it high-risk
- They develop a high-risk AI system entirely in-house
If you customise a third-party AI model, integrate it into your SaaS product, and sell it to customers — you are likely a provider for conformity assessment purposes.
Article 43: The Conformity Assessment Article
Article 43 of the AI Act governs conformity assessment procedures for high-risk AI systems listed in Annex III. It establishes two distinct paths:
Path A: Internal Control (Annex VI) — Self-Assessment
The default path for most high-risk AI systems. The provider:
- Documents the technical basis for compliance (Annex IV technical documentation)
- Implements and verifies the risk management system (Art.9)
- Verifies data governance (Art.10)
- Tests and validates the AI system
- Draws up the EU Declaration of Conformity (Art.47)
- Affixes the CE marking (Art.48)
- Registers in the EU database (Art.49, Art.71)
No notified body is involved. The provider self-certifies using the Annex VI procedure. Art.43(2) prescribes this path for Annex III points 2 to 8: critical infrastructure, education and vocational training, employment and HR, access to essential services (including credit scoring and life/health insurance risk assessment), law enforcement, migration and border management, and administration of justice and democratic processes.
Path B: Quality Management System + Notified Body (Annex VII) — Third-Party Assessment
Used where the Act does not let the provider rely on internal control alone. Under Annex VII, the provider must:
- Implement a quality management system (Art.17) that meets the Annex VII requirements
- Lodge an application with a notified body of its choice, including the technical documentation
- Obtain the notified body's approval of the QMS and its technical documentation assessment certificate before placing the system on the market
- Maintain the quality management system under ongoing notified-body surveillance
Which AI systems require the Annex VII path?
Under Art.43(1), the Annex VII procedure applies to the biometric systems in Annex III point 1 (remote biometric identification, biometric categorisation by sensitive attributes, emotion recognition) whenever the provider has not applied harmonised standards or common specifications, has applied them only in part, or none exist. Where such standards exist and have been applied in full, the provider may choose Annex VI for point 1 systems as well.
High-risk AI systems that are safety components of, or are themselves, products covered by the Annex I product legislation (medical devices, machinery, vehicles and so on) follow the conformity assessment procedure of that sectoral law, with whatever notified body involvement it already prescribes (Art.43(3)).
For the majority of deployers using HR tools, credit decision support, or other Annex III points 2 to 8 systems, the self-assessment (Annex VI) path applies, provided the provider has completed it.
What Deployers Must Verify (Even Without Running Their Own Assessment)
You did not do the conformity assessment — your vendor did. But Article 26 imposes verification obligations that require you to scrutinise the evidence.
Mandatory Verification Checklist (Art.26)
Before deploying any high-risk AI system, verify the following:
1. CE Marking and Declaration of Conformity
- The system bears a CE marking affixed by the provider
- The provider has drawn up an EU Declaration of Conformity (Art.47)
- The Declaration covers the specific version of the system you are deploying (not a different version)
- The Declaration of Conformity is available to you — request it contractually if not provided automatically
2. EU Database Registration
- The system is registered in the EU database (Art.49 / Art.71) — check the EU AI Act database once operational
- If you are a public authority or Union body deploying an Annex III system, verify that you also register your own deployment (Art.26(8), Art.49(3)); if you find the system itself is not registered, you must not use it and must inform the provider or distributor
3. Technical Documentation and Logs
- The provider has supplied everything the instructions for use must contain (Art.13); the Act gives deployers no right to the full Annex IV technical documentation, so request the parts you need contractually, under NDA if the vendor insists
- Automatic logging capabilities are built into the system (Art.12)
- Logs are generated automatically and cover the full operational lifecycle
4. Instructions for Use
- You have received instructions for use (Art.13) covering the intended purpose, performance limitations, prohibited uses, and maintenance requirements
- The staff assigned to oversee the system have the competence, training and authority the Act requires (Art.26(2)), and your organisation's AI literacy measures cover them (Art.4)
5. Appropriate Oversight Measures
- Human oversight measures specified in the instructions for use are implemented (Art.14)
- You have not disabled or circumvented any built-in oversight tools
6. Intended Purpose
- You are using the system strictly within its intended purpose as defined by the provider
- You have not substantially modified the system (if you have, re-read the next section)
When Do You Become a Provider? The Substantial Modification Test
The substantial modification concept is where deployers most often unknowingly cross into provider territory.
Under Art.3(23), a modification is substantial if it was not foreseen or planned in the provider's initial conformity assessment and either:
- Affects the system's compliance with the requirements in Chapter III, Section 2 of the AI Act, or
- Changes the intended purpose for which the system was assessed
Separately, Art.25(1)(c) makes you the provider if you modify the intended purpose of a system that was not high-risk in such a way that it becomes high-risk.
Practical examples:
| Action | Provider or Deployer? |
|---|---|
| Using the AI system as shipped, within its stated intended purpose | Deployer — no conformity assessment required |
| Fine-tuning the AI model on your own proprietary dataset | Likely provider, unless the provider's instructions for use and initial conformity assessment foresaw that fine-tuning; otherwise it is a substantial modification |
| Adding a pre/post-processing layer that changes how the AI output is used in consequential decisions | Potentially provider — depends on whether it changes the compliance basis |
| Changing the use case from non-high-risk to a category listed in Annex III | Provider — must complete full conformity assessment |
| Deploying the system as a white-label product under your brand | Provider — placing it on market under own name |
| Integrating multiple AI components from different vendors into a new system | Provider — for the integrated system |
When in doubt, perform a substantial modification impact assessment before proceeding. If the modification is substantial, stop and complete the Annex VI or Annex VII conformity assessment before deployment. The original provider must cooperate and hand over the information you need for that assessment (Art.25(2)), so write that cooperation into the contract up front.
Self-Assessment (Annex VI): A Step-by-Step Walk-Through
If you have established that you are the provider — or if you build AI systems in-house — here is how the Annex VI internal control procedure works.
Phase 1: Technical Documentation (Annex IV)
Prepare comprehensive technical documentation covering:
- General description of the AI system and its intended purpose
- Description of the components: software, hardware, input/output data
- Design specifications and architecture
- Training methodology and datasets (source, characteristics, labelling)
- Validation and testing results, including performance metrics
- Risk management documentation (Art.9 risk log)
- Cybersecurity measures
- Post-market monitoring plan (Art.72)
Time estimate: 4–8 weeks for a mid-complexity AI system.
Phase 2: Risk Management System (Art.9)
Establish and maintain a continuous risk management system covering:
- Identification and analysis of known and reasonably foreseeable risks
- Estimation and evaluation of risks in intended and reasonably foreseeable misuse scenarios
- Evaluation of risks after post-market monitoring data is considered
- Adoption of suitable risk management measures
The risk management system must be documented, regularly reviewed, and updated throughout the AI system's lifecycle.
Phase 3: Testing and Validation
Test the AI system against the requirements in Chapter III, Section 2 (Arts.8–15). Document:
- Test scenarios including edge cases and adversarial conditions
- Performance benchmarks against accuracy, robustness, and cybersecurity metrics (Art.15)
- Results of validation against the requirements, with pass/fail evidence for each
Phase 4: EU Declaration of Conformity (Art.47)
Draw up a written EU Declaration of Conformity with the content Annex V requires:
- Name and address of the provider (and of the authorised representative, if any)
- AI system name and type, plus any additional unambiguous reference (such as the version) that allows identification and traceability
- A statement that the Declaration is issued under the provider's sole responsibility and that the system conforms with the AI Act (and with any other Union law that also requires a Declaration)
- References to the harmonised standards or common specifications applied (Art.40, Art.41)
- Where a notified body was involved: its name and identification number, and a reference to its certificate
- Place and date of issue, and the name, function and signature of the person signing
Keep the Declaration, and keep it updated, for 10 years after the system was placed on the market or put into service (Art.47(1)); the national authorities can demand it at any time in that period.
Phase 5: CE Marking (Art.48) and Registration (Art.49)
Affix the CE marking to the AI system or its documentation. Then register the system in the EU database (Art.49) before placing it on the market or putting it into service.
Registration triggers — you must register if:
- Your system is a high-risk AI system listed in Annex III
- You are placing it on the EU market
- Exception: Annex III points 1, 6 and 7 systems in the areas of law enforcement, migration, asylum and border control are registered in a secure non-public section of the database (Art.49(4))
Third-Party Assessment (Annex VII): When You Need a Notified Body
For systems that require Annex VII conformity assessment, the process adds notified-body involvement at two points:
1. Quality Management System Assessment. Lodge an application with a notified body of your choice (a body designated by a Member State for the AI Act and listed in the Commission's NANDO database). The QMS must cover design, development, testing and post-market monitoring of the AI system. The notified body audits it against Annex VII and either approves it or does not.
2. Technical Documentation Assessment. The notified body also examines the technical documentation package for each high-risk AI system you intend to place on the market and issues a Union technical documentation assessment certificate. This is a second audit layer on top of QMS approval.
Selecting a notified body: Search the Commission's NANDO database for bodies notified under Regulation (EU) 2024/1689 with scope covering AI systems. As of 2026, the AI Act notified-body ecosystem is still being built up and designations are few, so expect waiting lists; some early-mover providers are already in the queue.
Timeline reality: The Annex VII procedure takes significantly longer than self-assessment. Budget:
- QMS development and implementation: 3–6 months
- Notified body audit and certification: 2–4 months after QMS is ready
- Total minimum: 6–12 months before market placement
If you need to place a system on the market by August 2, 2026, and you have not started the Annex VII process, this is a critical planning issue.
Deployer Verification Checklist: 25 Items Before Go-Live
Use this checklist before deploying any high-risk AI system regardless of who performed the conformity assessment:
Regulatory Verification
- Confirmed whether the system is high-risk under Art.6 and Annex III; if the provider relies on the Art.6(3) exemption, obtained the documented assessment Art.6(4) requires them to keep
- Confirmed the Annex category and the applicable conformity assessment path
- CE marking verified on the system or accompanying documentation
- EU Declaration of Conformity obtained and filed
- EU database registration confirmed (provider-side; deployer registers separately if public body)
Vendor Due Diligence
- Contractual confirmation that conformity assessment was completed before delivery
- Conformity assessment path confirmed (Annex VI self-assessment or Annex VII notified body)
- Notified body certificate obtained (if Annex VII required)
- Technical documentation available under NDA if required
- Software version and hash of deployed system matches Declaration of Conformity
Operational Readiness
- Instructions for use received and reviewed
- Intended purpose limitations documented internally
- Prohibited uses list distributed to operational teams
- Human oversight measures implemented per Art.14
- Oversight personnel trained on override and intervention procedures
Logging and Monitoring
- Automatic logging confirmed operational
- Log retention period defined: at least six months under Art.26(6), longer where other Union or national law requires it
- Post-market monitoring integration in place (Art.72)
- Serious incident escalation path defined: suspend use and inform the provider without undue delay (Art.26(5)); the provider reports to the authorities under Art.73
Modification Controls
- Internal approval gate for any AI system modification (blocks substantial modifications)
- Substantial modification impact assessment template ready for use
- Version control enforced — no deployment of unverified versions
SME-Specific Items
- Investigated whether an AI regulatory sandbox (Art.57) is appropriate for pre-market testing
- Considered the SME and start-up support measures under Art.62 (priority sandbox access, conformity-assessment fees reduced in proportion to size, tailored guidance)
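The two items above on matching the deployed build to the Declaration of Conformity and on version control are the one part of this checklist that reduces to a mechanical check, so it is worth automating in the release pipeline. The following is an added example, not code from this page or from sota.io: a deployment gate that refuses to roll out an AI artifact unless its SHA-256 and version match the conformity record the deployer filed at intake, and that also flags a missing CE marking, a missing Declaration, or an Annex VII path with no notified-body certificate on file. The `ConformityRecord` fields, `make_record` and `gate` are hypothetical names; populate the record from the vendor's Declaration of Conformity and from the bytes the vendor actually delivered. The artifact bytes in the demo are constructed.

```python
"""Deployment gate for a high-risk AI artifact (added example, hypothetical API).

The deployer records, at intake, the version and SHA-256 of the exact build the
vendor's Declaration of Conformity covers. Every later rollout is checked against
that record, so an unverified version or a modified package never goes live.
"""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class ConformityRecord:
    """What the deployer files alongside the vendor's Declaration of Conformity.
    Field names are an assumption of this example."""
    system_name: str
    version: str                # the version the Declaration actually covers
    sha256: str                 # digest of the artifact the vendor shipped
    declaration_ref: str        # internal filing reference for the Declaration (Art.47)
    ce_marked: bool             # CE marking confirmed on system or docs (Art.48)
    assessment_path: str        # "Annex VI" or "Annex VII"
    notified_body_cert: Optional[str] = None  # required only on the Annex VII path


@dataclass
class GateResult:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_record(system_name: str, version: str, artifact: bytes, declaration_ref: str,
                ce_marked: bool = True, assessment_path: str = "Annex VI",
                notified_body_cert: Optional[str] = None) -> ConformityRecord:
    """Build the record at intake, from the bytes the vendor actually delivered."""
    return ConformityRecord(system_name, version, sha256_hex(artifact), declaration_ref,
                            ce_marked, assessment_path, notified_body_cert)


def gate(artifact: bytes, version: str, record: Optional[ConformityRecord]) -> GateResult:
    """Decide whether this artifact/version may go live.

    Every failed check is collected so the operator sees all of them at once
    rather than fixing one, re-running, and discovering the next."""
    if record is None:
        return GateResult(False, ["no conformity record on file: obtain the "
                                  "Declaration of Conformity (Art.47) before go-live"])
    reasons: List[str] = []
    if not record.ce_marked:
        reasons.append("CE marking not confirmed (Art.48)")
    if not record.declaration_ref:
        reasons.append("Declaration of Conformity not filed (Art.47)")
    if version != record.version:
        reasons.append(f"version {version!r} is not the version the Declaration "
                       f"covers ({record.version!r})")
    # Constant-time compare: the digest is the integrity anchor for the whole
    # record, so treat it like a credential rather than an ordinary string.
    if not hmac.compare_digest(sha256_hex(artifact), record.sha256):
        reasons.append("artifact digest does not match the delivered build: "
                       "possible modification or wrong package")
    if record.assessment_path == "Annex VII" and not record.notified_body_cert:
        reasons.append("Annex VII path declared but no notified-body certificate on file")
    return GateResult(allowed=not reasons, reasons=reasons)


if __name__ == "__main__":
    # Constructed stand-in for a vendor-delivered model package.
    delivered = b"example-hr-screening-model v2.3.1 (constructed bytes)"
    record = make_record("Example HR screening", "2.3.1", delivered, "DOC-2026-001")

    for label, blob, ver in [("as delivered", delivered, "2.3.1"),
                             ("tampered package", delivered + b"\x00", "2.3.1"),
                             ("unverified version", delivered, "2.4.0")]:
        result = gate(blob, ver, record)
        print(f"{label}: {'ALLOW' if result.allowed else 'BLOCK'}")
        for reason in result.reasons:
            print(f"  - {reason}")
```

Wire `gate` in as a required step of the release pipeline, not as an advisory check, and store the record with the same access controls as the Declaration itself: a record that can be silently rewritten to match a new build gives no assurance that the build is the one the vendor assessed.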
Key Deadlines
| Date | Obligation |
|---|---|
| February 2, 2025 (in force) | Art.5 prohibited practices apply: no deploying banned systems. Art.4 AI literacy obligations also apply from this date |
| August 2, 2026 | Annex III high-risk obligations apply: conformity assessment, human oversight, logging, registration |
| August 2, 2027 | High-risk obligations for Annex I product-embedded systems apply |
| Ongoing | Post-market monitoring and incident reporting (Art.72 / Art.73) |
The August 2, 2026 date is hard for anything you place on the market or put into service from then on. The only transitional relief is Art.111(2): Annex III systems already placed on the market or put into service before that date fall under the Regulation only once they undergo a significant change in design, and deployments used by public authorities must comply in full by August 2, 2030 regardless. If you deploy a new high-risk AI system after August 2, 2026 without a verified conformity assessment, you are in breach.
The Developer's Practical Takeaway
For most SaaS deployers:
- You do not run conformity assessment — your vendor does. Verify they did it.
- Get the Declaration of Conformity from every high-risk AI vendor contractually.
- Do not modify the system's intended purpose without a substantial modification review.
- If you build or substantially modify — you are now a provider. Budget 6–12 months for Annex VI or Annex VII depending on your Annex III category.
- If your system is in Annex III point 1 (remote biometric identification, biometric categorisation, emotion recognition), Annex VII and a notified body are required unless harmonised standards or common specifications exist and have been applied in full. Start now if you have not already.
The EU AI Act does not exempt developers who "just use" AI systems. But it does put the heaviest burden on the party that designs a high-risk system and places it on the market, which is exactly the right place to put it.
Post #2 of 5 in the sota.io EU AI Act Deployer Sprint 2026. Next: Art.11 Technical Documentation — What Deployers Must Maintain. See also: EU AI Act Art.26 Deployer Obligations 2026 · EU AI Act Deployer Sprint Finale
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.