EU AI Act Declaration of Conformity: What SaaS Providers Must Issue Before August 2, 2026

Post #1460 in the sota.io EU Regulatory Compliance Series — EU AI Act Conformity Assessment Sprint 2026 #4/5

You've completed your technical documentation under Annex IV. You've chosen between internal control or notified body assessment under Article 43. Now comes the step that makes it official: issuing the EU Declaration of Conformity under Article 47, affixing the CE marking, and registering your high-risk AI system in the EU database under Article 49.

These three actions — declaration, marking, registration — are not formalities you complete after the real compliance work is done. They are legally binding acts with specific content requirements, retention obligations, and deadlines tied to August 2, 2026. If your SaaS product deploys a high-risk AI system and you plan to keep operating in the EU after that date, this post covers exactly what you need to issue and where.

This is the fourth post in our five-part conformity assessment sprint series. The full series covers the complete conformity assessment pathway for SaaS providers.

What the EU Declaration of Conformity Actually Is

The EU Declaration of Conformity (EU DoC) is a written statement that a provider issues under their sole legal responsibility. It declares that the high-risk AI system in question complies with the EU AI Act and any other applicable EU harmonized legislation.

Article 47(1) requires providers to draw up a written EU declaration of conformity for each high-risk AI system before placing it on the market or putting it into service. The same article requires providers to keep that declaration available to national authorities for 10 years after the AI system has been placed on the market or put into service.

This 10-year retention obligation is not an administrative suggestion. National competent authorities conducting market surveillance have the right to request the declaration at any time during that window. If you cannot produce it, you are non-compliant regardless of whether your actual system meets technical requirements.

For SaaS providers, the practical implication is that the EU DoC must be:

• Stored in a location that survives organizational changes, staff turnover, and system migrations
• Version-controlled alongside your technical documentation under Annex IV
• Updated whenever you modify your system in a way that affects conformity
• Issued separately for each distinct high-risk AI system you place on the market

What Must Go Into the EU Declaration of Conformity

Article 47(2) states that the EU declaration of conformity must contain the information set out in Annex V of the regulation. Annex V specifies the following required elements:

1. Provider Identity

The full name and address of the provider. For SaaS companies this means the legal entity responsible for placing the AI system on the market — not the development team, not a subsidiary, but the entity that bears legal responsibility under Article 47.

If your company operates across multiple EU member states or has a non-EU parent, make sure this is the correct legal entity. Market surveillance authorities will contact this entity directly.

2. Sole Responsibility Statement

A statement that the EU declaration of conformity is issued under the sole responsibility of the provider. This language must appear verbatim or substantively in your declaration. It confirms that the provider is asserting compliance and cannot deflect responsibility to a third-party assessor even if a notified body was involved.

3. AI System Identification

The name of the AI system and its version number or other unambiguous identification. For SaaS providers, this typically means:

• Product name as marketed to EU customers
• Software version or model version (for AI components)
• Any internal identifier that links to your technical documentation package

Ambiguity here creates audit problems. If your system runs multiple AI models or has been updated since the original conformity assessment, document how version identification links to each assessment cycle.

4. System Description and Intended Purpose

A description of the high-risk AI system and a statement of its application or intended purpose(s) as defined in Article 9 and documented in your technical documentation under Annex IV. This should match the intended purpose stated elsewhere in your compliance package — any divergence between what you declared to the notified body and what you state in the EU DoC will be flagged during surveillance.

5. Harmonized Standards and Technical Specifications

A list of the relevant harmonized standards applied, or in the absence of harmonized standards, the technical specifications or other means used to demonstrate conformity. As of mid-2026, harmonized standards under the EU AI Act remain limited. Most providers will reference:

• ISO/IEC 42001 (AI Management System) where applicable
• NIST AI Risk Management Framework where accepted as equivalent evidence
• Internal quality management documentation under Article 9

When no harmonized standard applies to your specific use case, document which technical specifications or risk management procedures you applied and why they are sufficient to demonstrate compliance.

6. Conformity Assessment Procedure

A reference to the conformity assessment procedure followed under Article 43. This means stating clearly whether you followed:

• Annex VI (internal control procedure) for high-risk AI systems not covered by the notified body route
• Annex VII (quality management system assessment by notified body) where a notified body was required

7. Notified Body Information (Where Applicable)

Where a notified body was involved in the conformity assessment procedure: the name of the notified body, its identification number, and the number of the EU type-examination certificate or quality management system approval certificate issued. This links your EU DoC to the formal notified body record.

If you used internal control under Annex VI with no notified body involvement, this field does not apply — but you must make that explicit in your declaration.

8. Technical Documentation Location

A reference to where the technical documentation under Annex IV is kept and will be made available to authorities on request. This is an address or system location — not a confidentiality disclaimer. Authorities requesting technical documentation under Article 74 have the right to access it.

9. Signature and Date

The declaration must be signed in the name of the provider, with the date and place of issue. Digital signatures from authorized signatories are acceptable. The person signing takes on personal accountability for the accuracy of the declaration.

CE Marking: What It Means for Software and SaaS

CE marking under the EU AI Act works differently from CE marking on physical products. For high-risk AI systems:

• The CE marking must be affixed to the AI system or to its documentation before the system is placed on the market
• For software, this typically means affixing the marking to the interface, the system documentation, or the information accompanying the system
• The marking must be visible, legible, and indelible

For SaaS providers, practical implementation options include:

In-product markings: Adding a CE mark in the product's compliance or settings section, alongside a reference to the EU DoC.

Documentation-level marking: Including the CE mark in your terms of service, data processing agreements, and technical documentation that accompanies the system.

API and integration documentation: For AI systems delivered as an API, including the CE mark in API reference documentation with a link to the full EU DoC.

The CE marking cannot be affixed until the conformity assessment procedure has been completed and the EU DoC has been drawn up. Affixing CE marking before completing the conformity assessment is a compliance violation regardless of whether the system actually meets technical requirements.

Article 49: Registration in the EU Database

Article 49 requires providers of high-risk AI systems to register those systems in the EU database before placing them on the market or putting them into service. The EU database is established under Article 71 and managed by the European AI Office.

For SaaS providers, registration means:

What you register: High-risk AI systems listed in Annex III that you are placing on the market. This includes systems in categories such as biometric identification, critical infrastructure management, employment and workforce management, access to essential services, law enforcement support, and others listed in Annex III.

When you register: Before placing the system on the market. This is not a post-launch registration — it must be completed before EU users can access the system in the context of its high-risk use.

What you provide: The registration includes information that mirrors elements of your EU DoC plus operational details such as the geographic areas of use, the natural languages the system operates in, and the specific intended purpose and use case.

Updates: If your registered information changes materially — new intended purpose, new geographic scope, updated version with changed risk profile — you must update the registration accordingly.

Deployers: A Different Set of Registration Obligations

The EU AI Act applies different registration requirements to deployers. If your SaaS platform is being used by a deployer to operate a high-risk AI system in specific contexts (for example, a customer using your AI recruitment screening tool within their HR workflow), the deployer has their own registration obligations that are distinct from yours as a provider.

This deployer-provider distinction is important for SaaS products where the same system is deployed in different contexts by different operators. Your EU DoC covers your system as a provider. Your deployers may need separate registration entries that reference your system.

Timeline: What Must Be Done Before August 2, 2026

For SaaS providers operating high-risk AI systems under Article 43:

Common SaaS-Specific Problems With the EU DoC

Version drift: SaaS systems update continuously. The EU DoC must accurately reflect the version it covers. If your system has been materially modified since the DoC was issued, you may need to reissue the declaration and potentially repeat portions of the conformity assessment.

Multi-tenant complexity: If your AI system serves multiple enterprise customers with different use configurations, your EU DoC must cover the full scope of intended purposes, not just one customer's use case.

Cloud infrastructure dependencies: If your high-risk AI system runs on third-party cloud infrastructure, your EU DoC covers your system — not the underlying infrastructure. However, if that infrastructure affects system properties that were assessed (availability, security, data isolation), changes to that infrastructure may affect the accuracy of your declaration.

Scope of "placing on the market": For SaaS, placing on the market occurs when you make the system commercially available, not when a specific customer deploys it. If your system was already available to EU customers before August 2, 2026, the declaration obligation applies to the existing system, not just future versions.

The EU DoC in the Wider Conformity Assessment Package

Your EU Declaration of Conformity is not a standalone document. It sits alongside:

• Technical documentation (Annex IV): The evidentiary foundation for your conformity claims
• Article 9 risk management records: Documentation of how you identified, assessed, and mitigated risks
• Post-market monitoring plan (Article 72): Your commitment to ongoing surveillance after market placement
• Conformity assessment records: The internal audit trail or notified body certificate that precedes the declaration

Authorities examining your compliance will look at all of these together. A well-drafted EU DoC that references an incomplete Annex IV package will not survive scrutiny. The declaration is only as strong as the documentation it points to.

Deploying Compliant AI Systems on EU Infrastructure

Whether your high-risk AI system runs on EU-native infrastructure affects both your technical risk profile and the practical feasibility of maintaining 10 years of documentation in a GDPR-compliant form.

SaaS providers running high-risk AI workloads on US-parent cloud platforms face a structural tension: your EU DoC asserts conformity with EU law, but your compliance records and system data may be subject to access by US authorities under the CLOUD Act. This does not automatically invalidate your conformity, but it creates a risk that your technical documentation — which contains sensitive system details including bias evaluation records and risk management logs — could be accessed without EU market surveillance authority involvement.

EU-native infrastructure under Hetzner or similar providers resolves this structural tension by keeping your compliance documentation and AI workloads under clear EU jurisdiction throughout the 10-year retention window.

Conclusion: Issue Your EU Declaration of Conformity Now

The EU Declaration of Conformity under Article 47 is the legal completion of the conformity assessment process. Without it, you have done the compliance work but have no formal output that satisfies the EU AI Act's requirements.

For SaaS providers with high-risk AI systems already deployed:

• Issue the EU DoC now, before August 2, 2026
• Ensure it contains all Annex V elements, not just the ones that are convenient
• Register in the EU database and affix CE marking before the deadline
• Store the declaration with a 10-year retention plan

The next and final post in this series covers the complete conformity assessment readiness checklist — a consolidated review of everything you need in place across all five sprint topics before the August deadline.

This post is part of the EU AI Act Conformity Assessment Sprint 2026 series. Other posts in the series cover Technical Documentation Annex IV, Art. 43 Conformity Assessment Routes, and the upcoming finale checklist.