EU AI Act conformity assessment: how it works for startups

EU AI Act conformity assessment: how it works for startups

If your startup develops or deploys a high-risk AI system, you cannot simply ship it and hope for the best. The EU AI Act requires you to complete a conformity assessment before placing that system on the market or putting it into service. This article explains what that means in practice, which route applies to you, and how to prepare ahead of the December 2027 deadline.

What the EU AI Act says

The EU AI Act establishes a tiered risk framework. At the top of that framework sit high-risk AI systems, defined primarily by reference to Annex III of the regulation. These are systems used in sensitive domains: biometric identification, management of critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services, law enforcement, migration and border control, and administration of justice.

For any system that falls into these categories, Article 43 of the EU AI Act sets out the conformity assessment obligation. A provider cannot affix the CE marking or make the system available in the EU market without first completing this process. The assessment is not a one-time checkbox; if you make a substantial modification to a high-risk system after its initial assessment, you must reassess it.

Who this applies to

The conformity assessment obligation falls on the provider of the high-risk AI system. In EU AI Act terminology, a provider is any natural or legal person who develops an AI system and places it on the market or puts it into service under their own name or trademark, whether for payment or free of charge.

If you are a startup building an AI product that another business deploys in a high-risk context, you are likely the provider. If you are integrating a third-party AI model into your own product and placing it on the market as your own solution, you are also likely the provider.

Deployers (businesses that use a high-risk AI system but did not build it) generally have a lighter set of obligations, but they cannot use a system that has not passed conformity assessment. So if you are selling to enterprise customers in regulated sectors, their procurement teams will ask for your documentation.

The two assessment routes

The EU AI Act provides two routes to conformity assessment, and which one applies depends on the category of system you are building.

Route 1: Self-assessment (Annex VI internal control)

For the majority of high-risk AI systems listed in Annex III, providers can carry out the conformity assessment themselves. This is the internal control procedure set out in Annex VI of the regulation. You do not need to involve an external notified body.

Self-assessment does not mean a light-touch review. You must demonstrate, through documented evidence, that your system complies with all relevant requirements in Chapter III, Section 2 of the EU AI Act. That covers the risk management system, data governance, technical documentation, transparency and provision of information to deployers, human oversight measures, accuracy, robustness, and cybersecurity.

The self-assessment process involves:

  • Completing and maintaining the technical documentation described in Article 11 and Annex IV
  • Implementing and operating a risk management system throughout the system lifecycle
  • Conducting appropriate testing to verify the system meets the required performance thresholds
  • Drawing up the EU declaration of conformity
  • Registering the system in the EU database before placing it on the market

Route 2: Third-party notified body assessment

For certain higher-sensitivity categories, self-assessment is not sufficient. Third-party involvement from a notified body is required for:

  • Remote biometric identification systems (such as real-time facial recognition in public spaces, where this is permitted at all)
  • AI systems for biometric categorisation based on sensitive attributes
  • Emotion recognition systems

A notified body is an independent conformity assessment organisation designated by an EU member state. They review your technical documentation, may request testing, and issue a certificate confirming the system meets the regulatory requirements. This process takes longer and costs more, but it is mandatory for the categories listed above.

Even if your system falls outside these categories today, it is worth checking whether planned feature additions could move you into notified body territory. Biometric functionality added to a product that was initially assessed under Route 1 may trigger a new, more demanding assessment.

The EU declaration of conformity and CE marking

Once a conformity assessment is complete, the provider must draw up an EU declaration of conformity. This is a formal document in which you, as the provider, declare that the AI system meets all applicable requirements of the EU AI Act. The declaration must include the name and address of the provider, a description of the system, a reference to the relevant harmonised standards or common specifications applied, where applicable the notified body identification number, the place and date of issue, and the signature of an authorised person.

After the declaration is in place, you can affix the CE marking to the system or its accompanying documentation. The CE marking signals to customers, deployers, and regulators in EU member states that the product has been assessed and meets the regulatory standard. You cannot legally use the CE marking for an AI system covered by the EU AI Act without completing this process first.

Keep the declaration and supporting technical documentation for ten years after the system is placed on the market. Market surveillance authorities can request this documentation at any time during that period.

Key deadlines

The timeline for compliance with the EU AI Act is staggered by obligation type:

  • February 2 2025: Article 5 prohibited AI practices came into force. If your system engages in social scoring, subliminal manipulation, or real-time biometric surveillance in public spaces (with limited exceptions), it has been illegal since this date.
  • August 2 2026: GPAI model obligations and governance rules apply. Fines for GPAI violations begin. The transparency requirements in Article 50 (such as AI-generated content labelling) also apply from this date.
  • December 2 2027: The high-risk AI system obligations under Annex III fully apply. This is the deadline for completing conformity assessments for systems already on the market, and the date from which new Annex III systems cannot be placed on the market without prior assessment.

December 2027 may sound distant, but conformity assessment preparation takes time. Technical documentation needs to be built alongside the product, not retrofitted afterward. Risk management systems need to be embedded in your development process. Waiting until late 2027 is a serious compliance risk.

What to do now

The most important first step is to determine whether your AI system is actually high-risk under Annex III. Many startup founders assume their product is in scope when it is not, and vice versa. A recruiting tool that ranks candidates is likely in scope. A general-purpose chatbot that does not make consequential decisions probably is not, unless it integrates into a high-risk workflow.

Once you have established scope, start building your technical documentation in parallel with your product roadmap. Annex IV specifies exactly what this documentation must contain: a general description of the system, a description of its intended purpose, the design specifications, information about training data, testing and validation results, and details of the monitoring system. This is not a document you can write from memory; it requires engineering records and process logs maintained throughout development.

Implement your risk management system early. The EU AI Act requires this to be a continuous process, not a point-in-time assessment. Build it into your sprint cycles and product reviews.

If your system falls into the notified body category, identify accredited bodies in the relevant member states and make contact early. Queues at notified bodies can be long, particularly as the December 2027 deadline approaches and more providers seek assessment slots.

Use the free ActComply risk screener to check your obligations: https://www.getactcomply.com/check

Check your EU AI Act risk in 5 minutes

Free risk classifier. No signup required. August 2 deadline.

Run the free screener
EU AI Act conformity assessment: how it works for startups | ActComply