EU AI Act Conformity Assessment Sprint 2026 — Finale: Complete SaaS Provider Roadmap to August 2
Post #1461 in the sota.io EU AI Compliance Series — EU-AI-ACT-CONFORMITY-ASSESSMENT-SPRINT-2026 #5/5 SERIE KOMPLETT
August 2, 2026 is 61 days away. If your SaaS product embeds, operates, or deploys a high-risk AI system under Annex III of the EU AI Act, you need to complete conformity assessment before that date. This finale consolidates the entire sprint — technical documentation, assessment routes, Declaration of Conformity, CE marking, and registration — into a sequential pre-deadline roadmap.
This is not a theoretical overview. Each section links directly to the sprint posts that cover that obligation in depth, so you can navigate to the detail you need while keeping the full picture in view.
The Five-Part Conformity Assessment Obligation
The EU AI Act divides conformity assessment for high-risk AI systems into five sequential obligations. Miss any one and you cannot lawfully place the system on the EU market or put it into service on August 2, 2026.
| Step | Obligation | Key Article | Post |
|---|---|---|---|
| 1 | Classify system as high-risk (Annex III) | Art. 6 | Sprint #1 |
| 2 | Build technical documentation (Annex IV) | Art. 11 | Sprint #2 |
| 3 | Choose and complete assessment route (Art. 43) | Art. 43 | Sprint #3 |
| 4 | Draw up EU Declaration of Conformity (Art. 47) | Art. 47 | Sprint #4 |
| 5 | Affix CE marking and register | Art. 47–49 | This post |
Steps 1–4 are prerequisites for Step 5. You cannot register or affix CE marking without having completed the prior steps.
Step 1 — High-Risk Classification Audit (Annex III)
Annex III lists eight domains where AI systems are presumed high-risk: biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration/asylum, and administration of justice. If your SaaS AI feature operates in any of these domains, it is likely high-risk.
Sprint #1 covered: The classification decision tree, safe harbors (Art. 6(3) post-market deployment exemptions), and the "prohibited practice" overlap with Art. 5 banned systems.
Action: If you have not performed a written Annex III classification audit, do it now. Document the reasoning — you need this for the technical documentation in Step 2.
Step 2 — Technical Documentation: Annex IV Compliance
Annex IV specifies fourteen categories of documentation that providers must maintain before placing a high-risk AI system on the market. The categories span system description, training data governance, human oversight design, accuracy and robustness metrics, and post-market monitoring plans.
Sprint #2 covered: Annex IV item-by-item with SaaS-specific guidance, common gaps (missing data governance sections, absent robustness benchmarks), and the ten-year retention obligation (Art. 18) that runs from the last date the high-risk AI system has been placed on the market or put into service.
Key gaps to close before August 2:
- Annex IV §2(e): training dataset statistical properties and GDPR Art. 5 alignment
- Annex IV §2(f): pre-determined changes to the system post-deployment
- Annex IV §3: post-market monitoring plan (Art. 72 reference included)
Step 3 — Art. 43 Assessment Route Selection
Article 43 creates two routes depending on whether the high-risk system is covered by harmonised standards adopted by CEN/CENELEC:
Route A — Internal control (Annex VI): If harmonised standards exist and are listed in the Official Journal, you may self-assess against them. The provider conducts the assessment, produces records, and retains them for ten years.
Route B — Third-party notified body: For AI systems in the biometric identification domain (Annex III §1), third-party assessment by a notified body is mandatory unless the system is already subject to sectoral EU legislation with its own conformity assessment (Art. 43(3)).
Sprint #3 covered: The Art. 43 route decision in detail, how to find accredited notified bodies via the NANDO database, and what a notified body assessment actually requires (technical file review, system testing, ongoing surveillance).
Action right now: Check the Official Journal harmonised standards list for AI Act standards. As of June 2026, full harmonised standards under the AI Act are still delayed (CEN-CENELEC JTC 21 timeline slipped to Q4 2026). This means most providers cannot use harmonised standards to trigger Route A presumption of conformity — they must use the internal control route based on common specifications or their own documented procedures, or go Route B.
Step 4 — EU Declaration of Conformity (Art. 47)
Article 47 requires providers to draw up a written EU Declaration of Conformity (DoC) for each high-risk AI system before market placement. The DoC is a legal document — not a checkbox — and must contain at minimum:
- Provider name and contact address
- AI system name, version, and intended purpose
- Statement that the system complies with the EU AI Act and all applicable secondary legislation
- Reference to any harmonised standards or common specifications applied
- Name and address of the notified body (if Route B)
- Place and date of declaration, with signatory name and role
Sprint #4 covered: Full Art. 47 DoC template, CE marking affixing requirements under Art. 48 (visible, legible, indelible — software: printed documentation and UI), and how to handle multi-language DoC obligations when deploying across member states.
CRITICAL for SaaS: The DoC must accompany the system as long as it remains on the market. For cloud-delivered AI systems, "accompanying" means accessible in the user interface or documentation portal — print delivery is not required, but the document must be retrievable on request.
Step 5 — Registration in the EU AI Database (Art. 49)
Article 49 requires providers of high-risk AI systems to register in the EU AI database before placing the system on the EU market. The registration database — known as EUDAMED for AI systems — will be operated by the European AI Office.
As of June 2026, the EU AI database is not yet fully operational for provider self-registration. The European AI Office has indicated that the registration portal will be ready ahead of the August 2 deadline. Providers should:
- Monitor ai-office.ec.europa.eu for portal launch announcements
- Prepare registration data in advance (Art. 49 specifies required fields)
- Complete registration as soon as the portal opens — the Act requires registration before market placement, not within a grace period after
Required registration data under Art. 49:
- Provider identity and contact details
- System description, version, and intended purpose
- Countries of deployment within the EU
- Reference to the EU Declaration of Conformity
- Post-market monitoring plan summary
For notified body assessments: the notified body registration number must be included.
The 61-Day Pre-Deadline Checklist
Work backwards from August 2, 2026. Each item has a realistic time estimate for a mid-size SaaS team.
Weeks 1–2 (June 2–15): Documentation Sprint
- Annex III audit — Write and sign the classification determination (2 days)
- Annex IV gap analysis — Map existing documentation against all 14 categories (3 days)
- Close Annex IV gaps — Especially §2(e) data governance and §3 post-market monitoring (5 days)
- Art. 43 route decision — Confirm Route A (internal control) or Route B (notified body) in writing (1 day)
Week 3 (June 16–22): Assessment Execution
- Route A: Conduct internal conformity assessment — Complete Annex VI procedure, generate assessment records (3–5 days depending on complexity)
- Route B: Submit to notified body — If Route B: notified body engagement should already be underway — assessment takes 4–8 weeks minimum. If you haven't started this, you likely cannot complete it before August 2.
Week 4 (June 23–30): Declaration and Marking
- Draft EU Declaration of Conformity — Follow Art. 47 template, have legal review (2 days)
- Affix CE marking — UI, documentation, API responses where applicable (1 day)
- Publish DoC on documentation portal — Accessible to users and NCA on request (1 day)
Weeks 5–8 (July 1–August 2): Registration and Monitoring
- Register in EU AI database — When portal opens (2 hours once ready)
- Activate post-market monitoring — Art. 72 requires active monitoring from market placement (1 week setup)
- National NCA notification — If applicable per member state implementation law (varies)
The Notified Body Problem
If your system is in the biometric identification domain and requires a notified body under Art. 43(1)(a), you face a structural problem: the accredited notified body list under the AI Act is minimal as of June 2026. Most conformity assessment bodies that will be notified under the AI Act are still in the accreditation process with national notification bodies.
Practical implication: If you need a notified body and have not already engaged one, August 2 is almost certainly unreachable. Contact your national NCA (in Germany: Federal Network Agency / Bundesnetzagentur for AI Act matters) immediately to understand whether a derogation under Art. 43(2) or a provisional measure is available.
What Happens After August 2
The Art. 47 DoC and Art. 49 registration are point-in-time obligations — but conformity assessment is not a one-time event. Post-market obligations continue:
- Art. 12 (logging): Automatic log retention for high-risk AI systems for defined retention periods
- Art. 18 (documentation): Technical documentation retention for 10 years from market placement
- Art. 72 (post-market monitoring): Active monitoring plan with incident tracking
- Art. 73 (incident reporting): Serious incidents reported to national market surveillance authorities within 15 working days
- Substantial modification (Art. 83): Any substantial change to the system restarts the conformity assessment process
For SaaS providers, Art. 83 "substantial modification" is the ongoing compliance trap: every major model update, fine-tuning cycle, or scope expansion must be assessed against the substantial modification definition. Build this into your release process now.
EU Hosting and Conformity Assessment: The Sovereignty Advantage
Conformity assessment is a compliance burden that falls equally on all providers. But where your AI infrastructure runs affects your risk profile in two ways:
First, GDPR compliance (required for Annex IV §2(e) data governance sections) is structurally easier when training data and inference pipelines run within the EU under a provider not subject to the US CLOUD Act. This simplifies your Annex IV documentation substantially.
Second, national market surveillance authorities conducting Art. 74 inspections may have different practical access to EU-hosted vs. US-hosted infrastructure. EU hosting does not reduce your legal obligations — but it reduces jurisdictional friction in the event of an audit.
Series Complete
This five-part sprint has covered the complete conformity assessment lifecycle under the EU AI Act for SaaS providers:
- Sprint #1 — High-risk classification and Annex III scope
- Sprint #2 — Technical documentation (Annex IV) item by item
- Sprint #3 — Art. 43 assessment routes: Route A (internal control) vs. Route B (notified body)
- Sprint #4 — EU Declaration of Conformity (Art. 47), CE marking (Art. 48), and registration introduction
- Sprint #5 (this post) — Complete pre-deadline roadmap, 61-day checklist, and post-market obligations
The August 2, 2026 deadline is a legal cliff edge, not a soft target. Providers who have not started conformity assessment need to begin immediately — the documentation and assessment process cannot be completed in a weekend.
For deployment infrastructure that simplifies EU AI Act data governance obligations, sota.io provides EU-native managed PaaS — Hetzner Germany, no US parent, no CLOUD Act exposure. Deploy your AI system in the EU →
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.