Once an AI system is classified as high-risk under the EU AI Act, the next question is which conformity assessment route applies — and for most systems the answer is self-assessment, not a Notified Body. This tool walks the Article 43 decision logic to map your route, documentation, and registration duties.
The two routes: self-assessment vs Notified Body
The EU AI Act splits high-risk AI into two populations for conformity assessment purposes.
Annex III systems — AI used in areas like biometric identification, critical infrastructure management, education and vocational training, employment and HR decisions, access to essential services, law enforcement, migration, and administration of justice. These are the use-case-based high-risk categories. For most of them, the provider self-assesses (internal control under Article 43): you apply harmonised standards, prepare the Annex IV technical documentation, sign the EU declaration of conformity, and affix CE marking without needing a Notified Body.
The exception within Annex III is remote biometric identification and categorisation systems where the relevant harmonised standards do not exist or are not fully applied. Those require a Notified Body to perform or validate the assessment.
Annex I systems — AI embedded as a safety component in a product already regulated under existing EU product safety legislation (medical devices, machinery, toys, lifts, and similar). The conformity route follows the sectoral legislation’s existing route, which may already require third-party involvement. The AI Act adds AI-specific requirements on top of the product regulation rather than replacing it.
How it works
The pathway follows the AI Act’s conformity assessment structure:
Is the system Annex III high-risk, or a safety component under Annex I?
Annex III (most cases) → internal control (self-assessment), UNLESS it is a
biometric identification/categorisation system where harmonised standards
are absent or not fully applied → then Notified Body assessment.
Annex I safety component → follow the sectoral product legislation's route,
which may already require third-party assessment.
Then for every high-risk system:
→ draw up Annex IV technical documentation
→ sign the EU declaration of conformity + affix CE marking
→ register in the EU database before market placement
The Annex IV documentation set
Regardless of route, every high-risk AI system must maintain Annex IV technical documentation covering:
- A general description of the system and its intended purpose
- Design and development choices, including training data and data governance
- Risk management process and measures taken
- Monitoring and human oversight mechanisms
- Accuracy, robustness, and cybersecurity measures
- The conformity assessment performed
This documentation must be kept current for ten years after the system is placed on the market or put into service.
Notes and tips
The headline takeaway is that the AI Act leans on internal self-assessment for the bulk of Annex III high-risk systems — recruitment, credit scoring, education scoring, and similar — provided you apply the relevant harmonised standards. Third-party Notified Body involvement is the exception, concentrated on remote biometric identification where standards are missing, and on AI embedded as a safety component of products that already face third-party assessment under sectoral law. Whichever route applies, the Annex IV technical documentation and the EU database registration are mandatory. This is an educational aid, not legal advice — confirm with counsel or a Notified Body.