EU AI Act EUDB Registration Checklist: 28-Item Pre-Registration Package for High-Risk AI Providers
Post #2 in the sota.io EU AI Act EUDB Registration Series
The EU AI Act database registration deadline for high-risk AI systems is August 2, 2026. That sounds far away — until you realize that the registration package requires information from across your organization: legal, engineering, compliance, QMS, and conformity assessment teams.
Most providers who miss the deadline do so not because they forgot, but because they started assembling the package too late and discovered gaps in their documentation on day 58 of a 60-day sprint.
This checklist covers every data element you need to have ready before you open the EUDB registration portal. Work through it systematically, and your actual portal submission will take under two hours.
Why Registration Preparation Matters
Under Art.51 of the EU AI Act, providers of high-risk AI systems listed in Annex III must register their systems in the EU database maintained by the European Commission before placing those systems on the EU market or putting them into service.
The registration is not just a form — it creates a public entry in the EUDB that regulators, deployers, and the public can query. Incomplete or inaccurate entries can trigger requests for clarification from National Competent Authorities (NCAs), delay your market entry, and in worst cases, block commercial deployment until the entry is corrected.
Getting the registration package right the first time saves weeks of back-and-forth.
The 28-Item Pre-Registration Checklist
Section A: Provider Identity (Items 1–6)
1. Legal entity name and registration number: The exact registered name of the provider entity, plus the company registration number in your Member State. For non-EU providers, this is your EU authorized representative's entity under Art.22.
2. Registered address: Full postal address of the provider's registered seat. For non-EU providers: the authorized representative's address in the EU.
3. Contact person and contact details: A named individual (not a generic mailbox) with full name, job title, direct phone, and email. NCAs may contact this person directly.
4. Website URL: Your company's public website where conformity information is accessible. If no public-facing information exists yet, plan to create a dedicated compliance page before registration.
5. Authorized representative details (non-EU providers only): If you are established outside the EU, provide your Art.22 authorized representative's name, address, and written mandate confirming they accept legal responsibility for EU market compliance.
6. Digital signature capability: The EUDB portal requires electronic authentication. Confirm your organization has eIDAS-compatible electronic signature or your national equivalent ready for the signatory.
Section B: AI System Identification (Items 7–12)
7. AI system name and version: The commercial product name exactly as it appears on the market, plus the specific version number being registered. Version numbering matters: a subsequent substantial modification under Art.43(4) requires a new registration entry.
8. General description of the AI system: A plain-language description of the AI system's intended purpose, core functionality, and the specific task it performs. Aim for 200–400 words. Avoid marketing language; regulators want functional description.
9. Intended purpose statement: The exact intended purpose as defined under Art.3(12) — the use the system was designed and developed for by the provider. This must match the intended purpose stated in your technical documentation under Art.11.
10. Categories of natural persons affected: Identify which natural person categories your system processes data about or makes decisions concerning. For Annex III systems this typically includes job applicants, students, welfare recipients, or other defined groups depending on the use case.
11. Member States of intended deployment: List all EU/EEA Member States where you intend to place the system on the market or put it into service. Be specific — "all EU Member States" is acceptable if genuinely intended, but vague coverage creates NCA jurisdiction questions.
12. Annex III classification category: State which Annex III category your system falls under (e.g., employment and workers management, education, access to essential private services). Include the specific sub-item number from Annex III. If the system falls under multiple categories, list each.
Section C: Technical Documentation References (Items 13–17)
13. Technical documentation reference number: Your internal reference for the technical documentation package per Art.11. This is not the document itself — just the identifier that allows NCAs to request the specific document set if needed.
14. QMS reference: The reference number or identifier for your quality management system documentation per Art.17. Include the QMS standard it conforms to (e.g., ISO 9001:2015 adapted for AI, or a sector-specific QMS standard).
15. Instructions for use document reference: Reference to the instructions for use prepared per Art.13. These must cover all information deployers and users need to understand the system's capabilities and limitations.
16. Post-market monitoring plan reference: Reference to your post-market monitoring plan per Art.72. This document describes how you will systematically collect and review performance data after deployment.
17. Serious incident reporting procedure reference: Reference to your documented procedure for reporting serious incidents to NCAs per Art.73. This includes the contact details for the responsible person who initiates reporting.
Section D: Conformity Assessment (Items 18–22)
18. Conformity assessment procedure applied: State which conformity assessment procedure you used under Art.43: internal control under Annex VI, or third-party assessment under Annex VII (required for certain Annex III systems, including remote biometric identification).
19. Notified body name and identification number (if applicable): If you used a notified body for third-party conformity assessment, provide the body's official name and four-digit identification number from the NANDO database. Verify the notified body's scope includes your system's category.
20. Certificate reference and validity dates: The notified body's certificate number, the date of issue, and the expiry date. Expired certificates must be renewed before registration can be completed.
21. EU declaration of conformity reference: The reference number, date, and version of the EU declaration of conformity signed by the authorized signatory under Art.47. This document must be finalized and signed before registration.
22. EU declaration of conformity — signatory details: Full name, title, and signature authority of the person who signed the EU declaration. The signatory must be legally authorized to bind the provider entity.
Section E: CE Marking Status (Items 23–25)
23. CE marking status confirmation: Confirm whether CE marking has been affixed. For high-risk AI systems in the scope of harmonised legislation, CE marking is affixed after conformity assessment and before market placement.
24. Union harmonisation legislation reference (if applicable): If your system is also covered by other Union harmonisation legislation (e.g., Medical Device Regulation, Machinery Regulation), list the applicable directives/regulations and confirm the AI Act conformity assessment was coordinated with those assessments.
25. CE marking affixing date: The date the CE marking was affixed, or the intended date if registration is being completed before final market placement.
Section F: Final Verification (Items 26–28)
26. Substance of information accuracy confirmation: Internal sign-off confirming that all information submitted is accurate at the time of registration. Identify the individual responsible for this confirmation and their authority level.
27. Update procedure in place: Confirm you have an internal procedure to update the EUDB entry when information changes — provider address, new versions, conformity certificate renewal, or withdrawal from the market.
28. Evidence of EU registration capability: Confirm the signatory has access to the EUDB portal, has completed identity verification, and that the account can submit on behalf of the registered entity.
Common Pre-Registration Gaps
In practice, three items create the most delays:
Gap 1 — Outdated conformity certificates. Notified body certificates are typically issued for specific product versions. If you have released updates since the original assessment, verify whether each update constitutes a "substantial modification" under Art.43(4) requiring reassessment, or whether the original certificate still covers the current version.
Gap 2 — Inconsistent intended purpose across documents. The intended purpose statement in the EUDB registration must align exactly with the intended purpose in the technical documentation (Art.11), the instructions for use (Art.13), and the EU declaration of conformity (Art.47). Mismatches between documents trigger NCA scrutiny.
Gap 3 — Missing Annex III sub-item specificity. Providers often state a general category ("employment") without identifying the specific Annex III sub-item. NCAs expect precise classification, and vague entries delay acceptance of the registration.
Before You Open the Portal
Run through this checklist as a team exercise, not a solo compliance task. Each section spans a different functional area:
| Section | Responsible Team |
|---|---|
| Provider Identity (1–6) | Legal / Corporate Affairs |
| AI System Identification (7–12) | Product / Engineering |
| Technical Documentation (13–17) | Compliance / QMS |
| Conformity Assessment (18–22) | Compliance / Legal |
| CE Marking (23–25) | Legal / Engineering |
| Final Verification (26–28) | CCO / CTO |
Allocate at least three weeks for the pre-registration package assembly if you are starting from scratch. If you already have a complete technical documentation package and conformity assessment, the timeline shrinks to five to seven working days.
Hosting Infrastructure as Part of Registration Readiness
One dimension that often surfaces during EUDB registration preparation: where is the system deployed?
For high-risk AI systems serving EU users, deployment on EU-sovereign infrastructure directly supports the Art.13 transparency obligations, the Art.72 post-market monitoring data obligations, and the Art.17 quality management system requirements. NCAs reviewing your EUDB entry may probe whether the post-market monitoring data can be accessed and retained in conformance with EU law.
Systems deployed on US-jurisdiction cloud infrastructure carry additional compliance overhead: GDPR Chapter V transfer mechanisms, Cloud Act exposure for monitoring data, and questions about whether your QMS can actually access the monitoring data it claims to collect.
EU-sovereign PaaS deployment is not required by the AI Act — but it materially simplifies the answer to "how do you ensure continuity of post-market monitoring data access?"
Next in This Series
- Post #3: EU AI Act EUDB Database API: How Deployers and Regulators Query the Registration Database
- Post #4: EUDB Registration Annexes: Technical Documentation vs. Database Entries — What Goes Where
- Post #5: EUDB Registration Finale: Step-by-Step Portal Walkthrough and First-Submission Checklist
This post is part of the sota.io EU AI Act EUDB Registration series. All series posts reference official EU AI Act text (Regulation (EU) 2024/1689). Verify current regulatory guidance from the European Commission and your national NCA before submitting your registration.