Conformity Assessment for AI Systems
Provider obligations typically include conformity assessment procedures and documentation requirements, a specific compliance mechanism under the AI Act that warrants dedicated coverage.
Overview
Legal Framework
The conformity assessment procedure for high-risk AI systems is primarily governed by Article 43 of the AI Act, which mandates that providers of such systems must subject them to a conformity assessment before placing them on the market or putting them into service. The specific requirements for the assessment are detailed in Chapter III, Section 3 (Articles 43-51) of the Act. The law establishes two main routes: conformity assessment based on internal control (Annex VI) for certain systems, and assessment involving a notified body (third-party conformity assessment under Annex VII) for others, particularly those used in biometrics or critical infrastructure. The procedure requires the provider to demonstrate compliance with all relevant requirements of Chapter II, including those on risk management, data governance, technical documentation, record-keeping, transparency, and human oversight.
Practical Application
As articulated in Recital 125, the involvement of notified bodies in third-party conformity assessments is deemed essential due to the complexity and inherent risks of high-risk AI systems. The assessment is not a one-time event but an ongoing obligation; providers must ensure continued compliance and undertake a new assessment if the system is substantially modified. The process culminates in the provider drawing up an EU declaration of conformity (Article 48) and affixing the CE marking (Article 49). Furthermore, Recital 139 highlights regulatory sandboxes as a controlled environment where innovators can develop and test AI systems with a view to ensuring their compliance, offering a pathway to navigate the conformity assessment framework during the development and pre-marketing phases.
Key Considerations
- Route Determination: Providers must first meticulously determine the correct conformity assessment procedure (Annex VI or VII) based on their AI system's specific intended purpose and classification. An incorrect choice invalidates the entire compliance process.
- Documentation as Evidence: The technical documentation (Annex IV) is the cornerstone of the assessment. It must be prepared to serve as clear, auditable, and comprehensive evidence for the notified body or market surveillance authority, detailing how each Chapter II requirement has been met.
- Post-Market Vigilance: Successfully completing the assessment and affixing the CE marking initiates, rather than concludes, compliance obligations. Providers must have robust post-market monitoring systems in place to ensure ongoing conformity and to trigger a re-assessment for any substantial modifications.
Laws (57)
Recital 161
Recital 173
Recital 179
Article 29
Application of a conformity assessment body for notification
Article 31
Requirements relating to notified bodies
Article 32
Presumption of conformity with requirements relating to notified bodies
Article 33
Subsidiaries of notified bodies and subcontracting
Article 34
Operational obligations of notified bodies
Article 35
Identification numbers and lists of notified bodies
Article 37
Challenges to the competence of notified bodies
Article 38
Coordination of notified bodies
Recital 49
Recital 50
Recital 51
Recital 78
Recital 81
Recital 86
Recital 123
Recital 124
Guidance (10)
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
One of the most important innovations of the GDPR was the introduction of the 'one-stop-shop mechanism' concept. In cases of cross-border processing, the supervisory authority in the Member State of the main establishment of the controller or processor is the authority that leads the enforcement of the GDPR with respect to the cross-border processing activities in question. This is done in cooperation with all the authorities that ...
Version history
Guidelines on the accreditation of certification bodies
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Version history
Guidelines on accreditation
Guidelines 04/2021 on codes of conduct as tools for transfers
Under Article 46 of the GDPR, controllers/processors must provide appropriate safeguards for the transfer of personal data to third countries or international organisations. The GDPR therefore sets out the various appropriate safeguards that organisations may use under Article 46 for transfers to third countries, including by introducing codes of conduct as a new transfer mechanism (Article 40(3) and Article 46(2), point ...
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Guidelines 1/2019 on codes of conduct and monitoring bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on calculating administrative fines
The European Data Protection Board (EDPB) has adopted these guidelines with a view to harmonising the methodology that supervisory authorities use to calculate the amount of the fine. These guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purposes of Regulation (EU) 2016/679 (WP 253), which concern the circumstances in which a fine is to be ...
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification