Conformity Assessment Procedures and Methodologies
This new topic is needed to specifically address the procedural and methodological aspects of conformity assessment for AI systems, including step-by-step procedures, assessment phases, documentation requirements, and reporting mechanisms that are distinct from the general conformity assessment concept.
assessment procedure assessment methodology assessment protocol assessment steps assessment phases assessment documentation assessment report assessment findings
Overview
Legal Framework
Conformity assessment procedures for high-risk AI systems are governed by Article 43 of the AI Act, which mandates that providers follow one of two prescribed conformity assessment procedures before placing such a system on the market or putting it into service. The choice of procedure depends on the nature of the AI system. For high-risk AI systems that are safety components of products, or are themselves products, already subject to existing Union harmonisation legislation listed in Annex I, the conformity assessment is carried out under that sectoral legislation, as referenced in Recital 50. For all other high-risk AI systems, providers must undergo a conformity assessment based on internal control (Annex VI), unless the system is intended for remote biometric identification, which requires involvement of a notified body.
Practical Application
The procedural methodology is distinct from the general concept of conformity. It involves a structured, documented process where the provider must:
- Apply the relevant conformity assessment procedure as mandated by Article 43.
- Generate and maintain comprehensive technical documentation (as per Article 11 and Annex IV) that demonstrates compliance with all applicable requirements of the AI Act. This serves as the primary evidence for the assessment.
- Establish and maintain a quality management system (Article 17) to ensure ongoing compliance.
- Draw up an EU declaration of conformity (Article 48) and affix the CE marking upon successful completion of the procedure.
For AI systems falling under existing product legislation (e.g., machinery, medical devices), the conformity assessment under that legislation is deemed to also cover the AI Act requirements, as noted in Recital 78. This avoids dual procedures but requires the assessment to maintain the level of reliability and protection mandated by the AI Act.
Key Considerations
- Procedural Choice is Mandatory: Determine the correct conformity assessment pathway (under sectoral legislation or the AI Act's internal control procedure) at the outset. An incorrect choice invalidates the process.
- Documentation is Central: The technical documentation is not just an output but the core of the assessment methodology. It must be prepared in parallel with system development to accurately reflect the design, risk management, and testing processes.
- Integration with Existing Frameworks: For products with digital elements or other regulated products, ensure the single conformity assessment procedure adequately addresses and documents compliance with both the sectoral law's essential requirements and the AI Act's specific requirements for high-risk AI systems.
Laws (14)
Guidance (10)
Richtsnoeren 02/2022 voor de toepassing van artikel 60 AVG
guidelines voor de toepassing van artikel 60 AVG
Een van de belangrijkste innovaties bij de invoering van de AVG was de introductie van het concept 'één-loketmechanisme'. In gevallen van grensoverschrijdende verwerking is de toezichthoudende autoriteit in de lidstaat van de hoofdvestiging van de verwerkingsverantwoordelijke of verwerker de autoriteit die leidinggeeft aan de handhaving van de AVG met betrekking tot de grensoverschrijdende verwerkingsactiviteiten in kwestie. Daarbij wordt samengewerkt met alle autoriteiten die de gevolge...
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Guidelines 02/2022 on the application of Article 60 GDPR
Guidelines on the application of Article 60 GDPR
With the introduction of the GDPR, the concept of the one-stop shop was established as one of the main innovations. In cross-border processing cases, the supervisory authority in the Member State of the controller's or processor's main establishment is the authority leading the enforcement of the GDPR for the respective cross-border processing activities, in cooperation with all the authorities which may face the effects of the processing activities at stake: be it through the establishments ...
Guidelines 04/2022 on the calculation of administrative fines under the GDPR
Guidelines on the calculation of administrative fines under the GDPR
The European Data Protection Board (EDPB) has adopted these guidelines to harmonise the methodology supervisory authorities use when calculating of the amount of the fine. These Guidelines complement the previously adopted Guidelines on the application and setting of administrative fines for the purpose of the Regulation 2016/679 (WP253), which focus on the circumstances in which to impose a fine. The calculation of the amount of the fine is at the discretion of the supervisory authority, ...
Richtsnoeren 04/2022 voor de berekening van administratieve geldboeten krachtens de AVG
guidelines berekenen administratieve boetes
Het Europees Comité voor gegevensbescherming (EDPB) heeft deze richtsnoeren vastgesteld met het oog op de harmonisatie van de methode die de toezichthoudende autoriteiten gebruiken om het bedrag van de geldboete te berekenen. Deze richtsnoeren vormen een aanvulling op de eerder vastgestelde Richtsnoeren voor de toepassing en vaststelling van administratieve geldboeten in de zin van Verordening (EU) 2016/679 (WP 253), die betrekking hebben op de omstandigheden waarin een geldboete moet worden opg...
Richtsnoeren van 1/2018 voor certificering en het vaststellen van certificeringscriteria overeenkomstig de artikelen 42 en 43 van de verordening
guidelines certificering
Richtsnoeren 1/2019 voor gedragscodes en toezichthoudende organen in de zin van Verordening 2016/679
guidelines gedragscodes en toezichthoudende organen
Richtsnoeren 04/2021 voor gedragscodes als instrumenten voor doorgifte
Volgens artikel 46 van de AVG moeten verwerkingsverantwoordelijken/verwerkers passende waarborgen bieden voor de doorgifte van persoonsgegevens aan derde landen of internationale organisaties. Daarom worden in de AVG de verschillende passende waarborgen aangegeven die organisaties op grond van artikel 46 kunnen gebruiken voor doorgiften aan derde landen, onder meer door gedragscodes in te voeren als nieuw doorgiftemechanisme (artikel 40, lid 3, en artikel 46, lid 2, punt ...
Guidelines 04/2021 on Codes of Conduct as tools for transfers
Guidelines on codes of conduct and monitoring bodies
The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...
News (2)
Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems?
> The growth of generative artificial intelligence systems has led EU lawmakers to focus on General Purpose AI in drafting the AI Act, which will set the framework governing artificial intelligence in the European Union. As previously reported, the EU Parliament has already broadened the definition of artificial intelligence for the purposes of the AI Act… The post Is the AI Act caging ChatGPT and other General Purpose Artificial Intelligence systems? appeared first on GamingTechLaw.
“Social media profiles and phone contacts” used as proof of identity for deportations
> Thirteen non-EU countries sometimes accept “social media profiles and phone contacts” as evidence of identity for the purpose of deportations, according to an internal European Commission assessment of third country cooperation on readmission.