When can I self-assess a high-risk AI system?

Most Annex III high-risk systems use internal control (self-assessment) under Article 43, where the provider applies harmonised standards, draws up technical documentation, signs the EU declaration of conformity, and affixes the CE marking without a Notified Body.

When is a Notified Body required?

Third-party assessment is required mainly for certain biometric identification and categorisation systems when harmonised standards do not exist or are not fully applied, and for AI that is a safety component of products already needing third-party assessment under the Annex I sectoral legislation.

What technical documentation must I prepare?

Annex IV documentation: a general description of the system, its design and development, risk management, data and data governance, monitoring and human oversight measures, accuracy and robustness, and the conformity assessment performed. It must be kept up to date for ten years.

Do I have to register the system?

Yes. Providers of high-risk AI systems must register the system and themselves in the EU database before placing it on the market or putting it into service, with limited exceptions for certain law-enforcement and migration uses.

Is this legal advice?

No. This is an educational tool reflecting the published structure of the EU AI Act conformity assessment provisions. Classification and obligations depend on specific facts. Confirm your route with qualified counsel or a Notified Body before relying on it.

EU AI Act Conformity Assessment Pathway

Once an AI system is classified as high-risk under the EU AI Act, the next question is which conformity assessment route applies — and for most systems the answer is self-assessment, not a Notified Body. This tool walks the Article 43 decision logic to map your route, documentation, and registration duties.

How it works

The pathway follows the AI Act’s conformity assessment structure:

Is the system Annex III high-risk, or a safety component under Annex I?
  Annex III (most cases) → internal control (self-assessment), UNLESS it is a
     biometric identification/categorisation system where harmonised standards
     are absent or not fully applied → then Notified Body assessment.
  Annex I safety component → follow the sectoral product legislation's route,
     which may already require third-party assessment.
Then for every high-risk system:
  → draw up Annex IV technical documentation
  → sign the EU declaration of conformity + affix CE marking
  → register in the EU database before market placement

Notes and tips

The headline takeaway is that the AI Act leans on internal self-assessment for the bulk of Annex III high-risk systems — recruitment, credit scoring, education scoring, and similar — provided you apply the relevant harmonised standards. Third-party Notified Body involvement is the exception, concentrated on remote biometric identification where standards are missing, and on AI embedded as a safety component of products that already face third-party assessment under sectoral law. Whichever route applies, the Annex IV technical documentation and the EU database registration are mandatory. This is an educational aid, not legal advice — confirm with counsel or a Notified Body.