Conformity assessment is the procedural gate through which a high-risk AI system must pass before it reaches the market. Article 43 of Regulation (EU) 2024/1689 governs this gate. It establishes which high-risk systems require a third-party assessment by a notified body, which can satisfy the requirement through internal production control, and what conditions apply in both cases. The downstream consequences of a deficient or absent conformity assessment extend beyond regulatory penalty: they reach the deployer, whose use of a non-conforming system creates its own Article 99 exposure, and they reach the insurer, whose underwriting of a system without a valid conformity record is a significant complication in policy pricing and placement.

Key takeaways

  • Article 43 establishes two conformity assessment tracks. Most Annex III high-risk AI systems may use internal production control (Module A of Annex VI) without a notified body. Systems in the biometric identification category and Annex I product integrations requiring third-party conformity assessment must use a notified body.
  • Module A internal assessment is not self-certification without constraint. The provider must produce complete technical documentation under Annex IV, implement a quality management system, draw up an EU declaration of conformity, affix the CE marking, and register in the EU AI database. The legal accountability for adequacy sits with the provider.
  • Article 26(1) requires deployers to use only high-risk AI systems that comply with the regulation. Verifying a provider's conformity assessment before deployment is a deployer-side obligation, not merely a courtesy check.
  • Substantial modifications to a high-risk AI system trigger a new conformity assessment under Article 43(4). Deployers whose providers update systems materially should request confirmation that a new assessment has been completed before continuing to use the modified system.
  • Conformity assessment completion is a prerequisite for the EU declaration of conformity under Article 47, CE marking under Article 49, and registration in the EU AI database. Deployers can use the database as a first verification step before requesting provider documentation.

The two-track structure of Article 43

Article 43 divides conformity assessment into two tracks defined by the category of high-risk AI system in question. The division reflects a distinction in how different high-risk systems generate risk and how well-established existing third-party infrastructure is for assessing them.

Track 1 requires third-party conformity assessment by a notified body. It applies to two categories. The first is AI systems that are safety components of products already subject to third-party conformity assessment under Union harmonisation legislation listed in Annex I of the Regulation, where the AI system's conformity must be assessed within the framework of that legislation. The second is AI systems in Annex III point 1, covering biometric identification and categorisation systems. For these systems, Article 43(1) requires the provider to apply to a notified body, which conducts the conformity assessment procedure set out in Annex VII.

Track 2 permits internal production control under Module A, set out in Annex VI. It applies to all other Annex III high-risk AI systems: employment, education, essential services, law enforcement, migration, and the administration of justice categories, except where they are simultaneously subject to Track 1 via an Annex I product integration. This is the track that the majority of enterprise AI deployments fall into. The provider conducts the conformity assessment internally, without an external third-party reviewer.

The two-track structure reflects a deliberate regulatory design choice. Biometric systems and Annex I product integrations were treated as requiring external verification because the risk profile of biometric identification, and the existing third-party certification architecture for regulated products, created a stronger case for external oversight. Employment, credit, and education AI, despite their significant impact on individuals, were considered suitable for provider self-assessment because the conformity criteria are primarily documentation-based and the technical standards infrastructure for third-party assessment of these systems did not exist when the regulation was finalised. Article 43(4) provides that the Commission may require notified body assessment for additional Annex III categories as the regulation matures.

Track 1: Third-party assessment by a notified body

Where Track 1 applies, the provider must submit the AI system to a conformity assessment carried out by a notified body designated under Article 28 of Regulation (EU) 2024/1689. Notified bodies are designated by Member State authorities and must meet the requirements set out in Annex VII. They operate under accreditation and under the oversight of the notifying authority in their Member State, with cross-border recognition across the EU through the NANDO (New Approach Notified and Designated Organisations) database maintained by the European Commission.

The conformity assessment procedure for Track 1 systems follows Annex VII, which sets out an examination procedure modelled on existing product safety conformity assessment modules. The notified body reviews the provider's technical documentation against the requirements of Chapter III of the Regulation, including the risk management requirements under Article 9, data governance under Article 10, technical documentation under Article 11, logging under Article 12, transparency under Article 13, human oversight under Article 14, and accuracy, robustness and cybersecurity under Article 15. The notified body issues an EU technical documentation assessment certificate if it concludes that the system meets these requirements.

For providers of Annex I product integrations, the AI conformity assessment must be coordinated with the existing third-party conformity assessment for the product under the applicable Annex I legislation. Where the same notified body can carry out both assessments, that is the preferred route. Where different notified bodies are used, coordination between them is required to avoid contradictory assessment conclusions.

For biometric AI systems, the Track 1 assessment is particularly consequential because the use of real-time remote biometric identification in publicly accessible spaces for law enforcement remains one of the most tightly regulated practices in the Regulation. Article 5(1)(d) prohibits it except in specifically defined exceptional circumstances. Providers seeking conformity assessment for a biometric identification system must demonstrate to the notified body that the system does not fall within the prohibited categories and that it satisfies the technical and governance requirements for the permissible uses.

Track 2: Internal production control under Module A

Module A, set out in Annex VI of Regulation (EU) 2024/1689, is the internal production control procedure available to providers of Annex III high-risk AI systems outside the biometric and Annex I categories. The name is borrowed from the module structure used in traditional product safety regulation, and the core structure is the same: the provider takes sole responsibility for demonstrating conformity with the applicable requirements.

The Module A procedure has four elements. First, the provider must draw up technical documentation in accordance with Annex IV. This documentation must be sufficient to allow assessment of the system's conformity with the requirements of the Regulation and must include the information specified in Annex IV: a general description of the system, a description of development methods, information about training and testing data, a description of the risk management system, details of human oversight measures, and the results of testing and validation. The technical documentation is a living document that must be updated throughout the system's operational lifecycle.

Second, the provider must implement a quality management system under Article 17 of the Regulation. The quality management system must cover all aspects of the provider's operations relevant to the AI system, including design and development, testing, compliance monitoring, and post-market monitoring. Article 17 specifies the minimum content of the quality management system: policies for AI system design, quality objectives and risk management strategies, data management procedures, post-market monitoring obligations, and incident reporting procedures. The quality management system is the organisational infrastructure that supports the technical documentation.

Third, the provider must draw up an EU declaration of conformity under Article 47. This is a formal legal declaration in which the provider states that the high-risk AI system satisfies all applicable requirements of the Regulation. The declaration must include the name and address of the provider, information about the AI system, a statement that the system is in conformity with the Regulation, references to any harmonised standards or common specifications applied, and the signature of the provider's authorised representative. The declaration must be available to market surveillance authorities on request.

Fourth, the provider must affix the CE marking under Article 49 and register the system in the EU AI database before placing it on the market. The CE marking indicates that the conformity assessment has been completed and that the system meets the Regulation's requirements. It must be affixed visibly, legibly, and indelibly on the system or on the documentation accompanying it. Registration in the EU AI database is a separate step from CE marking and provides the publicly accessible record that allows deployers and market surveillance authorities to verify that a system has been assessed.

Module A places the full burden of conformity assessment adequacy on the provider. There is no external reviewer to validate the technical documentation or to challenge the conformity conclusion. This means that a provider who produces superficial or incomplete technical documentation, or who draws up a declaration of conformity without genuinely having met the Regulation's requirements, is creating both a regulatory violation and a significant liability exposure for deployers who rely on that declaration.

The deployer's verification obligations under Article 26

Article 26(1) of Regulation (EU) 2024/1689 requires deployers to take appropriate technical and organisational measures to ensure they use high-risk AI systems in accordance with the instructions for use supplied with those systems. Article 26(1) further requires deployers to ensure that the systems they use comply with the Regulation. This creates an active verification obligation on the deployer's side, not merely a passive reliance right.

The practical implication is that a deployer who accepts a high-risk AI system from a provider without confirming that a conformity assessment has been completed, a declaration of conformity drawn up, and a CE marking affixed, is accepting compliance risk that belongs with the provider but that the deployer cannot entirely disclaim. If a market surveillance authority investigates a system and finds that the provider's conformity assessment was deficient, the deployer who deployed the system without verifying its conformity status is in a weaker position than one who conducted a verification and received documentation.

Five verification steps structure a sound deployer-side conformity assessment review. First, check the EU AI database for a registration entry corresponding to the system. The database is publicly accessible and should contain the system name, provider information, the applicable conformity assessment procedure, and a reference to the EU declaration of conformity. A system not in the database has either not been assessed or has not been registered, both of which are non-compliant conditions for a high-risk system.

Second, request a copy of the EU declaration of conformity. Read it carefully. Confirm that it identifies the specific system version being deployed, that it references the applicable requirements of the Regulation, and that it is signed by an authorised representative. A declaration that is generic, undated, or that refers to a version of the system different from the one being deployed is not a valid conformity record for the deployed version.

Third, request a summary of the technical documentation, or at minimum confirmation that the documentation exists and covers the intended use case. A provider who cannot or will not provide any information about their technical documentation for a high-risk system is a provider whose conformity claim cannot be verified. The deployer is accepting a compliance risk with no factual basis for confidence.

Fourth, confirm that the CE marking is present on the system or its accompanying documentation in the form required by the Regulation. The CE marking must conform to the dimensions specified in Article 49(3), with a minimum height of 5 mm unless the nature of the system makes this impractical.

Fifth, confirm the applicable conformity assessment track. If the system is a biometric system or an Annex I product integration, a notified body certificate should exist. Request the certificate number and the name of the notified body, and verify that the notified body is designated for the relevant sector using the NANDO database.

For the full framework of deployer obligations that Article 43 conformity assessment feeds into, see the Article 26 deployer obligations complete guide. For the technical documentation requirements that Module A assessment depends on, see the analysis of Article 17 technical documentation.

Substantial modifications and re-assessment

Article 43(4) provides that where a high-risk AI system undergoes a substantial modification after its initial conformity assessment, a new conformity assessment is required before the modified system is placed on the market or put into service. The Regulation defines a substantial modification at Article 3(23) as a change that affects the system's compliance with the Regulation or results in a modification to the intended purpose. This definition requires judgment in application: not every update to an AI system is a substantial modification, but the threshold for what requires re-assessment is lower than many providers assume.

In practice, changes that trigger substantial modification analysis include changes to the model architecture, changes to the training dataset that materially affect the system's performance profile, changes to the output types or decision-making scope, changes to the intended purpose as described in the technical documentation, and performance degradations that affect the accuracy or robustness parameters specified in the conformity documentation. Minor bug fixes that do not affect the system's functionality, updates to the user interface that do not affect outputs, and performance improvements that stay within the documented accuracy range are generally not substantial modifications.

For deployers, the substantial modification rule creates an ongoing verification obligation. A system that was conformity-assessed in 2025 and then substantially modified in 2026 without a new assessment is a non-conforming system from the date of the modification. Contracts between providers and deployers should include an obligation for the provider to notify the deployer of any modifications that the provider has assessed as potentially substantial, and to provide updated conformity documentation when a new assessment has been completed. A deployer who continues to use a system through a substantial modification without receiving updated conformity documentation is in an increasingly uncertain compliance position.

Conformity assessment and insurance underwriting

The conformity assessment record is among the first documents an insurer underwriting AI liability coverage will request. Before any question of risk management processes, incident history, or governance documentation arises, the underwriter needs to understand whether the system being insured has a legally valid conformity assessment record and what that record demonstrates about the provider's compliance with the high-risk AI requirements.

A system with a complete Module A internal conformity assessment, a valid EU declaration of conformity, a CE marking, and a database registration entry presents a structured compliance record that an underwriter can evaluate. A system with none of these is, from the insurer's perspective, a system operating in regulatory non-compliance. Insuring a non-compliant system creates two separate problems. The regulatory exposure is uninsured because no policy covers deliberate non-compliance as a coverage trigger. And the technical documentation that the insurer needs to assess the system's risk profile does not exist.

For systems where the provider has completed a Track 1 notified body assessment, the notified body certificate provides an additional layer of independent verification that the system meets the Regulation's technical requirements. This level of independent review is rarely available for Module A systems, which is why some underwriters request a technical audit of the system's documentation as part of the underwriting process for Module A high-risk AI deployments.

The certification framework developed by the Agent Certified methodology provides an independent assessment of high-risk AI deployments that can supplement the provider's Module A conformity assessment documentation. A deployment assessed against the seven certification dimensions generates a structured evidence record that addresses the informational gaps that Module A self-assessment leaves for insurers and enterprise procurement teams.

Frequently asked questions

Which high-risk AI systems require third-party conformity assessment under Article 43?

Third-party conformity assessment by a notified body is required under Article 43(1) of Regulation (EU) 2024/1689 for two categories. First, AI systems that are safety components of products subject to third-party conformity assessment under the Union harmonisation legislation listed in Annex I, where the AI system itself is covered by that legislation. Second, AI systems in the biometric identification and categorisation category listed in Annex III point 1. All other Annex III high-risk AI systems may use internal conformity assessment under Module A of Annex VI.

What is Module A internal production control under EU AI Act conformity assessment?

Module A, set out in Annex VI of Regulation (EU) 2024/1689, is the internal production control procedure available to providers of most Annex III high-risk AI systems. Under Module A, the provider performs the conformity assessment itself without a notified body. The provider must draw up technical documentation under Annex IV, implement a quality management system under Article 17, draw up an EU declaration of conformity under Article 47, affix the CE marking under Article 49, and register the system in the EU AI database. Module A does not reduce the legal accountability of the provider for the accuracy and completeness of the conformity assessment.

What must deployers verify regarding conformity assessment before using a high-risk AI system?

Article 26(1) of Regulation (EU) 2024/1689 requires deployers to ensure that high-risk AI systems they use comply with the Regulation. Before deploying, deployers should verify that the provider has drawn up technical documentation under Annex IV, that an EU declaration of conformity exists under Article 47, that the CE marking has been affixed under Article 49, and that the system is registered in the EU AI database. Where the provider has relied on Module A internal assessment, deployers should request the conformity assessment documentation and confirm it addresses their specific use case.

How does the Article 43 conformity assessment connect to the EU AI database registration?

Article 49(1) of Regulation (EU) 2024/1689 requires providers to register high-risk AI systems in the EU AI database before placing those systems on the market. Registration is a post-conformity assessment step: the provider completes the assessment, draws up the declaration of conformity, affixes the CE marking, and then registers. Deployers in categories listed in Article 49(2), including employment, essential services, and education, may also face a deployment-level registration obligation. Checking the EU AI database is a practical first verification step available to deployers before requesting provider documentation.

What happens if a high-risk AI system is substantially modified after conformity assessment?

Article 43(4) of Regulation (EU) 2024/1689 requires a new conformity assessment when a high-risk AI system undergoes a substantial modification, defined at Article 3(23) as a change affecting the system's compliance with the Regulation or its intended purpose. Providers must assess whether a planned change constitutes a substantial modification before implementing it. Deployers should ensure their contracts with providers include notification obligations for any modifications the provider assesses as potentially substantial, and should request updated conformity documentation before continuing to use a substantially modified system.

References

  1. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence, OJ L, 12.7.2024. Article 43, conformity assessment procedures for high-risk AI systems.
  2. Article 43(1), Regulation (EU) 2024/1689. Third-party conformity assessment requirement for biometric and Annex I product category AI systems.
  3. Annex VI, Regulation (EU) 2024/1689. Module A internal production control procedure.
  4. Annex VII, Regulation (EU) 2024/1689. Conformity assessment based on a quality management system and on assessment of technical documentation (notified body track).
  5. Annex IV, Regulation (EU) 2024/1689. Technical documentation content requirements for high-risk AI systems.
  6. Article 17, Regulation (EU) 2024/1689. Quality management system requirements for providers of high-risk AI systems.
  7. Article 26(1), Regulation (EU) 2024/1689. Deployer obligations, including the obligation to use only compliant high-risk AI systems.
  8. Article 47, Regulation (EU) 2024/1689. EU declaration of conformity.
  9. Article 49, Regulation (EU) 2024/1689. CE marking of conformity and EU AI database registration.
  10. Article 3(23), Regulation (EU) 2024/1689. Definition of substantial modification.
  11. Article 43(4), Regulation (EU) 2024/1689. Substantial modification triggering new conformity assessment.
  12. NANDO database. European Commission. New Approach Notified and Designated Organisations. Available at ec.europa.eu/growth/tools-databases/nando/.