AI Governance Library

Conformity Assessments under the EU AI Act: A step-by step guide

This updated 2025 guide offers a complete breakdown of the EU AI Act’s conformity assessment (CA) process for high-risk AI systems, aligned with the final adopted text. It clarifies when CAs are required, who performs them, and what legal, procedural, and technical requirements must be met.
Jakub Szarmach
3 min read
Conformity Assessments under the EU AI Act: A step-by step guide
Conformity Assessments under the EU AI Act- A step-by step guide Updated with the final text of the AI Act
Conformity Assessments under the EU AI Act- A step-by step guide Updated with the final text of the AI Act .pdf
4 MB
download-circle

📘 What’s Covered

🔹 Foundation of the EU AI Act

The guide introduces the EU AI Act as a risk-based, product-safety-style regulation. It defines the conformity assessment (CA) as the process to ensure high-risk AI systems meet mandatory requirements before market access, and positions CAs as tools for legal accountability.

🔹 Key Dates

  • Aug 1, 2024 – Entry into force
  • Feb 2, 2025 – Prohibited AI use bans + AI literacy obligations begin
  • Aug 2, 2025 – Notified bodies, GPAI rules, and governance provisions kick in
  • Aug 2, 2026 – Full application, excluding some high-risk classifications
  • Aug 2, 2027 – Final staggered obligations apply (e.g. Art. 6(1))

🔹 Step-by-Step Breakdown of the CA Process

The guide divides the conformity assessment process into four main steps:

✅ Step 1: Do You Need a Conformity Assessment?

This depends on whether the system:

  • Is an AI system under AIA Art. 3(1)
  • Is high-risk (Annex I or III, or GPAI with systemic risk)
  • You are a provider or party acting as one under Art. 25 (e.g., if you rebrand or substantially modify the system)

🧭 Visual Flowchart on page 8 helps identify CA obligations.

✅ Step 2: When Must the CA Be Done?

Before the system is:

  • Placed on the market or put into service
  • Substantially modified post-market, changing purpose or compliance level

📌 Page 16 includes a decision diagram that distinguishes between internal CA vs. third-party CA based on system category.

✅ Step 3: Who Conducts the CA?

Two CA types exist:

  • Internal CA – For most Annex III systems (provider performs self-assessment based on Annex VI)
  • Third-party CA – Mandatory for:
    • Systems in Annex I or biometric systems in Annex III (if no harmonized standards used)
    • Systems used in law enforcement, immigration, or asylum

Table on pages 21–22 outlines which systems require which CA type.

✅ Step 4: How to Comply with High-Risk Requirements

You must document and validate the following:

  1. Risk Management System (Art. 9) – Ongoing, documented, includes post-market updates
  2. Data Governance (Art. 10) – Ensure datasets are high-quality, statistically relevant, and bias-mitigated
  3. Technical Documentation (Art. 11) – Comprehensive records (structure, lifecycle changes, standards used)
  4. Record-Keeping (Art. 12) – Mandatory logging, especially for biometric systems
  5. Transparency (Art. 13) – Clear, user-friendly documentation, explainability, and user instructions
  6. Human Oversight (Art. 14) – Operational controls + trained supervisors
  7. Accuracy, Robustness, Cybersecurity (Art. 15) – Design for resilience, feedback loops, threat mitigation

Each requirement is cross-referenced with GDPR or the Cyber Resilience Act where applicable. For instance, providers can benefit from presumed compliance if they follow EU cybersecurity schemes under the Cybersecurity Act (p. 37–38).

💡 Why it matters?

This guide translates the legal text of the AI Act into actionable compliance steps for providers and downstream actors. It reflects the final AIA version and helps organizations prepare for enforcement. Particularly valuable is its emphasis on lifelong compliance — not just one-off certification. With the AI Act setting global precedents, understanding conformity assessments is essential for anyone building or deploying high-risk systems in the EU.

🔍 What’s Missing

  1. No sector-specific implementation examples – For example, healthcare or fintech scenarios aren’t explored.
  2. Limited procedural detail for sandbox participation – While sandboxes are listed as an alternate compliance route, the setup and approval process aren’t covered in depth.
  3. No checklist or tools for gap analysis – The guide could be more practical with annexed templates, forms, or audit-ready examples.
  4. No crosswalk between AIA and other regimes – It briefly mentions GDPR and the Cybersecurity Act but doesn’t deeply map overlaps (e.g., ISO 42001, NIS2, DSA).

👥 Best For

  • AI compliance leads or product managers preparing high-risk AI systems for EU markets
  • Legal counsel assessing when a CA is triggered or who must perform it
  • Notified bodies and auditors preparing for designation
  • Companies using GPAI models in high-risk contexts (e.g., employment, biometric verification)

🔗 Source Details

Title: Conformity Assessments under the EU AI Act: A Step-by-Step Guide

Authors: Andreea Serban, Vasileios Rovilos, Katerina Demetzou (FPF alumni)

Published: April 2025

Organizations: Future of Privacy Forum, OneTrust

Pages: 41

URL: https://fpf.org

Template Guide EU AI ACT
About the author
Jakub Szarmach

Jakub Szarmach

Read next

AI Accountability in Practice

AI Safety in Practice

Responsible Data Stewardship in Practice

Alan Turing Institute’s two-part guide “AI Sustainability in Practice” (Parts One and Two)

AI Ethics and Governance in Practice: An Introduction

AI Governance Library

Curated Library of AI Governance Resources

AI Governance Library

Great! You’ve successfully signed up.

Welcome back! You've successfully signed in.

You've successfully subscribed to AI Governance Library.

Your link has expired.

Success! Check your email for magic link to sign-in.

Success! Your billing info has been updated.

Your billing was not updated.