EUDB Registration and Conformity Assessment: How EU AI Act Art.51 and Art.43 Are Connected
Post #1484 in the sota.io EU AI Act Compliance Series — EU-AI-ACT-EUDB-REGISTRATION-2026 #3/5
Most EU AI Act compliance checklists treat registration and conformity assessment as two separate items on a to-do list. In practice they are tightly coupled: you cannot register a high-risk AI system in the EU database under Art.51 without first completing conformity assessment under Art.43. And the documentation you produce for conformity assessment is directly reused in the registration form fields defined in Annex VIII.
This post maps the legal sequencing between Art.43 and Art.51, explains exactly which conformity assessment outputs feed which EUDB fields, and identifies the failure mode that sends companies back to square one six weeks before the August 2 deadline.
The Legal Sequencing Problem
Article 51 requires registration before placing a high-risk AI system on the market or putting it into service. Article 43 requires that conformity assessment precedes the EU Declaration of Conformity (Art.47), which in turn is a prerequisite for CE marking (Art.49) and EUDB registration.
The dependency chain looks like this:
Art.43 Conformity Assessment
↓
Art.47 EU Declaration of Conformity (DoC)
↓
Art.48 CE Marking
↓
Art.51 EUDB Registration
↓
Market Placement / First Service Delivery to EU Customers
Every step has a hard gate. The EUDB registration form (based on Annex VIII) requires you to provide:
- The conformity assessment procedure used (internal control or notified body)
- The reference number of your EU Declaration of Conformity
- If a notified body was involved: the body's name and certificate reference number
If you open the EUDB portal without a signed Declaration of Conformity in hand, you cannot complete a valid registration. You are literally missing a required field.
What Art.43 Requires That Art.51 Consumes
Internal Control Path (Annex VI)
For most high-risk AI systems in the standard Annex III categories — employment tools, credit scoring, education assessment — providers are permitted to conduct conformity assessment through internal control (Annex VI). No external notified body is required.
Internal control conformity assessment under Annex VI requires:
| Annex VI Requirement | Document Produced | Maps to EUDB Annex VIII Field |
|---|---|---|
| Technical documentation prepared per Art.11 + Annex IV | Technical documentation package | General system description |
| Internal control checklist confirming all Chapter III Section 2 obligations met | Internal control sign-off | Conformity assessment procedure: internal control |
| Quality management system (Art.17) verified | QMS documentation | No direct field, but part of technical documentation reference |
| Post-market monitoring plan (Art.72) in place | Monitoring plan | Deployment status and update obligations |
| EU Declaration of Conformity signed (Art.47) | DoC document with registration number | Required field: DoC reference |
The key output is the EU Declaration of Conformity — a formal document you draft, sign as the legal representative, and keep on file. The DoC's reference number goes directly into the EUDB registration form.
Notified Body Path (Annex VII)
For systems intended for use in law enforcement, migration, administration of justice, and selected biometric applications, a notified body must conduct or review the conformity assessment. This is the more demanding path.
When a notified body is involved, the EUDB registration requires:
- Notified body identification number — a four-digit EU-assigned number that identifies the body
- Certificate number — the specific conformity certificate issued for your system
- Certificate validity period — notified body certificates have expiry dates; registration must reflect current certificate status
You cannot substitute "we are in the process of engaging a notified body" for these fields. The certificate must exist, must cover your specific system version, and must not be expired. This is where providers who delayed notified body engagement since early 2025 are now critically behind.
Where Technical Documentation Feeds Both Processes
The technical documentation package prepared under Art.11 (using Annex IV as the structural template) is the shared evidence base for both conformity assessment and EUDB registration. The same documents that the notified body or your internal control process reviews are the documents that support your Annex VIII registration fields.
Annex IV → Annex VIII Mapping
| Annex IV Technical Documentation Element | Used in Art.43 Assessment | Referenced in Annex VIII Registration |
|---|---|---|
| General description and intended purpose | Conformity review basis | "General description of the AI system" field |
| Intended purpose + foreseeable misuse | Risk assessment input | Scope of Annex III category self-declaration |
| System architecture and algorithms | Technical review | Part of general description field |
| Training data governance (Art.10 requirements) | QMS and data control review | Supports technical documentation reference |
| Validation and testing protocols | Accuracy and robustness evidence | Post-market monitoring obligations reference |
| Version history and change log | Substantial modification assessment | Version field in EUDB — must match registered versions |
| Post-market monitoring plan | Ongoing compliance evidence | Deployment status update obligations |
The critical implication: if your technical documentation is incomplete at the time you attempt conformity assessment, the assessment will surface gaps — and those same gaps will block registration. There is no shortcut that allows a partial documentation package to pass conformity review and then be supplemented before registration.
The Failure Mode: Premature Registration Attempts
The failure mode that appears most often in EU AI Act readiness reviews is attempting to begin EUDB registration before the EU Declaration of Conformity exists.
Providers who misread the timeline often believe that EUDB registration is a late administrative step — something that happens in the final days before launch, handled by the legal team while engineering completes the last round of testing. This is incorrect. The EU Declaration of Conformity must be signed before registration. The DoC cannot be signed until conformity assessment is complete. Conformity assessment cannot be complete until the technical documentation package is finalised and the QMS is operational.
If your organisation has 60 days until the August 2 deadline and you have not yet started conformity assessment:
- Start technical documentation drafting immediately — Annex IV provides the structure
- Schedule the internal control review or notified body engagement now — notified bodies have 3–4 month backlogs for EU AI Act assessments
- Prepare the EU Declaration of Conformity template — your legal team needs this ready to sign once assessment is complete
- Only then will you be in a position to open the EUDB portal with complete, valid registration data
Working backwards from August 2: if notified body certification is required, the practical deadline for first contact with the notified body is already past for most organisations. Internal control assessments can be completed faster, but "faster" still requires complete Annex IV documentation.
Post-Market Updates: Art.51 and the Substantial Modification Threshold
Art.51 registration is not a one-time event. Providers are required to update the EUDB when a substantial modification occurs — defined as a change that affects the AI system's compliance with applicable requirements or alters its intended purpose.
This connects Art.51 directly to your internal change management process and the post-market monitoring obligations under Art.72. Every significant update must be evaluated:
- Does this change alter the AI system's intended purpose? → New or updated Annex III category declaration
- Does this change require repeating conformity assessment? → New or updated DoC reference
- Does this change create a new version that was not covered by the original registration? → Version field update required
In practice, most SaaS AI providers ship frequent model updates. The "substantial modification" assessment needs to be embedded in your standard release process, not treated as a one-off legal review. A practical implementation is a change log governance checklist — a structured question set that engineering and product complete for each release to determine whether a new DoC and EUDB update are required.
The Connection in Operational Terms: A Readiness Checklist
| Readiness Criterion | Art.43 Gate | Art.51 Gate |
|---|---|---|
| Technical documentation (Annex IV) complete | Required for assessment start | Referenced in registration |
| Quality management system (Art.17) documented | Required for assessment sign-off | Indirect (via DoC) |
| Post-market monitoring plan (Art.72) ready | Required for assessment sign-off | Deployment status updates |
| Conformity assessment completed (internal or notified body) | — | Required field |
| Notified body certificate (if applicable) obtained | — | Required field with certificate number |
| EU Declaration of Conformity (Art.47) signed | — | Required field with DoC reference |
| CE marking applied (Art.48) | — | Must precede market placement |
| EUDB registration submitted (Art.51) | — | Must precede market placement |
Every row above is a sequential dependency. Start at the top. Do not skip to the bottom.
Practical Advice: Start with Documentation, End with Registration
For teams approaching this sequence for the first time, the recommended workflow is:
- Build Annex IV documentation — this creates the shared evidence base for both conformity assessment and registration
- Run your conformity assessment using internal control (Annex VI) or by engaging a notified body (Annex VII) — assess which applies to your Annex III category
- Issue the EU Declaration of Conformity — use the Commission's template structure, include the DoC reference number in your document management system
- Apply CE marking if your product is hardware-inclusive or if marking is otherwise required
- Open the EUDB portal — at this point all required Annex VIII fields are backed by completed documents
- Establish a change governance process — to evaluate future releases against the substantial modification threshold
The EUDB registration step itself is relatively fast for a well-prepared provider: 30–60 minutes to enter data into the portal if all prerequisite documents are ready. The preparation — particularly conformity assessment — is where the calendar months go.
See Also
- EU AI Act Art.51 EUDB Registration: What High-Risk AI Providers Must Register Before August 2026
- EU AI Act EUDB Registration Checklist: 28-Item Pre-Registration Package
- EU AI Act Conformity Assessment: Art.43 Routes for High-Risk AI
- EU AI Act Technical Documentation Annex IV Guide
- EU AI Act NCA Inspection Readiness Sprint 2026
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.