EU AI Act conformity assessment — Annex VI vs Annex VII

The two procedures

• Annex VI — internal control. The provider verifies that its quality-management system complies with Article 17, examines the technical documentation to assess the AI system’s compliance with the Section 2 essential requirements (Articles 8 to 15), and verifies that the design and development process and the post-market monitoring system are consistent with the technical documentation. No notified body is involved.
• Annex VII — assessment with a notified body. A notified body assesses the quality-management system and the technical documentation, may require additional information or tests, and where applicable issues an EU technical-documentation assessment certificate. The certificate is valid for a period not exceeding five years for Annex III systems and four years for Annex I systems, renewable on re-assessment.

Which route applies under Article 43

For high-risk AI systems referred to in point 1 of Annex III (biometrics), Article 43(1) gives the provider a choice: where harmonised standards or, where applicable, common specifications referred to in Article 41 have been applied, the provider may use Annex VI; otherwise, Annex VII with a notified body is required.

For high-risk AI systems referred to in points 2 to 8 of Annex III(critical infrastructure, education, employment, essential services, law enforcement, migration and border control, administration of justice and democratic processes), Article 43(2) requires the Annex VI internal-control procedure. No notified body is involved unless the provider voluntarily seeks one or is later required to do so.

For high-risk AI systems falling under Annex I (sectoral product legislation already covered by a notified-body regime — e.g. machinery, medical devices, in-vitro diagnostic devices), Article 43(3) requires that the relevant sectoral conformity-assessment procedure be followed, with the AI-Act requirements integrated into the existing audit.

Annex VI — what internal control actually involves

1. Verification that the established Article 17 quality-management system covers regulatory compliance, design control, development control, testing, data management, post-market monitoring, incident reporting and record-keeping.
2. Examination of the Article 11 technical documentation against the Section 2 essential requirements (risk management Art 9, data governance Art 10, technical documentation Art 11, record-keeping Art 12, transparency Art 13, human oversight Art 14, accuracy / robustness / cybersecurity Art 15).
3. Verification that the design and development process and the post-market monitoring system under Article 72 are consistent with the technical documentation.
4. Provider signs the EU declaration of conformity under Article 47 and affixes the CE marking under Article 48. Registration in the Article 71 EU database before placing on the market or putting into service.

Substantial modifications trigger a new assessment

Article 43(4) provides that for high-risk AI systems that have already been subject to a conformity-assessment procedure, a new conformity-assessment procedure must be carried out in the event of a substantial modification, regardless of whether the modified system is intended to be further distributed or continues to be used by the current deployer.

For high-risk AI systems that continue to learn after being placed on the market or put into service, Article 43(4) clarifies that changes to the high-risk AI system and its performance that have been pre-determined by the provider at the moment of the initial conformity assessment and are part of the information contained in the technical documentation referred to in point 2(f) of Annex IV are not considered substantial modifications.

What this means for deployers (Article 25)

Article 25(1) reclassifies a deployer as a provider — with all the conformity-assessment and Annex IV documentation duties — in three situations: (a) putting their name or trademark on a high-risk system already placed on the market; (b) making a substantial modification to a high-risk system in a way that it remains a high-risk system; or (c) modifying the intended purpose of an AI system, including a general-purpose AI system, in such a way that the resulting system becomes high-risk under Article 6.

Practically: a HR-tech deployer that rebrands a vendor’s screening model, fine-tunes it on its own data in ways that change behaviour, or repurposes a general-purpose model into an Annex III point 4(a) recruitment system, is treated as the provider and must run the Annex VI assessment itself.

Deployer pre-purchase checklist

• Vendor confirms which Annex III point applies and which Article 43 route was used.
• Copy of the EU declaration of conformity (Art 47) and CE-marking statement (Art 48).
• Registration in the Article 71 EU database with the public registration number.
• Annex IV technical-documentation index sufficient for the deployer’s Article 26 and Article 27 FRIA duties.
• Vendor commitment to perform a new conformity assessment on substantial modification (Art 43(4)).
• Internal sign-off that no Article 25 trigger applies (no rebrand, no fine-tune, no purpose change).

Common misconceptions

• “A notified body is always involved.” For Annex III points 2 to 8, including HR / employment use cases, the default is Annex VI internal control without a notified body.
• “Fine-tuning is not substantial.” Whether a fine-tune is substantial is judged against the technical documentation. If the change was not pre-declared in Annex IV point 2(f), it is presumptively substantial under Article 43(4).
• “CE marking is the deployer’s job.” The CE mark belongs to the provider. Deployers verify it; they do not affix it — unless Article 25 has reclassified them as the provider.

Related EU guides

• Annex IV technical documentation
• NIS2 incident reporting timeline
• AI literacy obligation — Article 4
• Prohibited AI practices — Article 5
• GPAI vs deployer obligations

Sources

• Regulation (EU) 2024/1689, Articles 6, 17, 25, 43, 47, 48, 71, 72; Annex VI; Annex VII — EUR-Lex: eur-lex.europa.eu/eli/reg/2024/1689/oj
• European Commission — AI Act Service Desk, Article 43: ai-act-service-desk.ec.europa.eu/en/ai-act/article-43