Conformity Assessment Roadmap — EU AI Act Article 43

Disclaimer: This is guidance only, not legal advice. Consult qualified legal counsel for your specific compliance obligations.

Template provided by VORLUX AI | vorluxai.com

Overview

Article 43 of the EU AI Act establishes the conformity assessment procedures that providers of high-risk AI systems must follow before CE marking and placing the system on the market. The route you take depends on your system category.

Quick Decision: Which Route Applies?

Is your system a high-risk AI system under Annex III?
        │
        ├── YES
        │       │
        │       ├── Is it listed in Annex III, item 1 (biometric identification)?
        │       │       │
        │       │       ├── YES → ROUTE B: Notified Body Assessment (Annex VII)
        │       │       │
        │       │       └── NO → Is it covered by pre-existing EU harmonised legislation
        │       │               that already requires notified body involvement?
        │       │                       │
        │       │                       ├── YES → Follow that sectoral procedure
        │       │                       │
        │       │                       └── NO → ROUTE A: Internal Control (Annex VI)
        │       │
        │       └── Has the provider chosen voluntary notified body involvement?
        │               │
        │               └── YES → ROUTE B (voluntary)
        │
        └── NO → EU AI Act high-risk conformity assessment does not apply

Route A: Internal Control (Annex VI)

Applicable to most Annex III, items 2–8 AI systems

Phase 1 — Preparation (Weeks 1–4)

1.1 Scope Definition

Confirm the AI system is correctly classified as high-risk under Annex III
Identify the specific Annex III category and item number
Confirm no mandatory notified body route applies to this category
Assign a Conformity Assessment Project Owner

Field	Value
System Name	`___________________________`
Annex III Item	`___________________________`
Assessment Route	☐ Route A (Annex VI) ☐ Route B (Annex VII)
Project Owner	`___________________________`
Start Date	`____-__-__`
Target Completion	`____-__-__`

1.2 Gap Analysis

Review existing technical documentation against Annex IV requirements
Review quality management system against Article 17 requirements
Identify compliance gaps with a prioritised remediation plan
Estimate effort and resource requirements to close all gaps

Gap Analysis Summary:

Requirement Area	Gap Identified	Priority (H/M/L)	Remediation Owner	Due Date
Technical Documentation (Annex IV)	`___________`	`___`	`___`	`____-__-__`
Quality Management (Art. 17)	`___________`	`___`	`___`	`____-__-__`
Risk Management (Art. 9)	`___________`	`___`	`___`	`____-__-__`
Data Governance (Art. 10)	`___________`	`___`	`___`	`____-__-__`
Human Oversight (Art. 14)	`___________`	`___`	`___`	`____-__-__`
Transparency (Art. 13)	`___________`	`___`	`___`	`____-__-__`
Accuracy & Robustness (Art. 15)	`___________`	`___`	`___`	`____-__-__`
Post-Market Monitoring (Art. 72)	`___________`	`___`	`___`	`____-__-__`

Phase 2 — Evidence Collection and Documentation (Weeks 4–12)

2.1 Technical Documentation (Article 11 + Annex IV)

Complete all 15 sections of Annex IV technical documentation
Technical documentation reviewed by subject matter experts
Technical documentation reviewed by legal/compliance team
Version controlled and stored in compliance document management system

Reference: See technical-documentation-annex-iv.md template

2.2 Quality Management System (Article 17)

The QMS must address all of the following elements:

QMS Document Reference: [File: ___________] QMS Version: ___ QMS Approval Date: ____-__-__

2.3 Data Governance Evidence (Article 10)

Training data documentation completed
Validation and test data documentation completed
Bias analysis results documented
Data quality management procedures documented
Personal data processing lawful basis confirmed

2.4 Human Oversight Evidence (Article 14)

Human oversight mechanisms described and implemented
Operator competency requirements defined
Override and intervention procedures documented and tested
Monitoring dashboard requirements specified

Reference: See human-oversight-guide.md template

2.5 Transparency and Instructions (Article 13)

Instructions for use drafted and reviewed
Capability and limitation disclosures included
User-facing transparency notices prepared
Multi-language versions for target markets prepared

Phase 3 — Internal Assessment (Weeks 12–16)

3.1 Self-Assessment Criteria

Use the following table to assess compliance against each Article 43 requirement.

Rating Scale: 1 = Non-compliant | 2 = Partially compliant | 3 = Largely compliant | 4 = Fully compliant

Requirement	Article	Evidence Reference	Rating (1–4)	Gaps / Actions
Risk Management System	Art. 9	`___________`	`___`	`___________`
Data Governance	Art. 10	`___________`	`___`	`___________`
Technical Documentation	Art. 11	`___________`	`___`	`___________`
Transparency & Information	Art. 13	`___________`	`___`	`___________`
Human Oversight	Art. 14	`___________`	`___`	`___________`
Accuracy, Robustness, Cybersecurity	Art. 15	`___________`	`___`	`___________`
Quality Management System	Art. 17	`___________`	`___`	`___________`
Registration (EUAIS DB)	Art. 49	`___________`	`___`	`___________`

Overall Compliance Rating: _____ / 32

Pass Threshold: All items rated 4 (or documented exception agreed with legal counsel)

3.2 Internal Review Panel

Technical review completed by: ___________________________ on ____-__-__
Legal/compliance review completed by: ___________________________ on ____-__-__
Data protection review completed by DPO: ___________________________ on ____-__-__
Senior management sign-off: ___________________________ on ____-__-__

3.3 Remediation of Outstanding Gaps

All critical (High priority) gaps closed
Medium priority gaps closed or risk-accepted with documented rationale
Evidence of gap closure collected and filed
Updated technical documentation version issued

Phase 4 — Declaration and Registration (Weeks 16–18)

4.1 EU Declaration of Conformity

EU Declaration of Conformity drafted (see declaration-of-conformity.md)
Declaration reviewed by legal counsel
Declaration signed by authorised person
Declaration dated and version-controlled
Declaration stored for minimum 10 years after last placement on market

Declaration Reference: DOC-____-____ Declaration Date: ____-__-__ Authorised Signatory: ___________________________

4.2 CE Marking

CE marking affixed to the system (or accompanying documentation where marking on system not possible)
CE marking meets format requirements (minimum height 5mm where size allows)
CE marking accompanied by identification number of notified body (Route B only)

4.3 EU AI System Database Registration

High-risk AI system registered in EU AI systems database before placing on market
Registration number obtained: ___________________________
Registration kept up to date with each significant change

Route B: Conformity Assessment Involving Notified Body (Annex VII)

Required for: Annex III item 1 (biometric ID systems); Optional for others

When Must You Use a Notified Body?

Trigger	Mandatory?	Notes
Biometric identification/categorisation systems (Annex III, item 1)	YES	All systems in this category
Remote biometric identification in public spaces	YES	Even when prohibited categories are excluded
Provider voluntary choice	No — optional	Provider may choose for added assurance
Significant change to a system previously assessed by NB	Conditional	Check with your NB

Selecting a Notified Body

Confirm the notified body is accredited for the relevant AI Act scope
Verify notified body is listed in NANDO (New Approach Notified and Designated Organisations) database
Check notified body has relevant sector expertise
Obtain quotes from at least 2 notified bodies
Select notified body and formalise engagement

Selected Notified Body: ___________________________ NB Reference Number: ___________________________ NB Contact: ___________________________ Engagement Agreement Date: ____-__-__

Notified Body Assessment Phases

NB Phase 1 — Application and Scoping

Formal application submitted to notified body
Scope of assessment agreed in writing
Technical documentation package submitted (Annex IV)
QMS documentation submitted (Art. 17)
Pre-assessment meeting held

Application Date: ____-__-__ Agreed Scope Reference: ___________________________

NB Phase 2 — Document Review

Notified body reviews technical documentation
Notified body reviews QMS
NB queries/requests for information responded to
Document review outcome received: ☐ Satisfactory ☐ Conditional ☐ Unsatisfactory

Document Review Completion Date: ____-__-__ Outcome Summary: ___________________________

NB Phase 3 — On-Site Assessment (where applicable)

On-site assessment dates agreed: ____-__-__ to ____-__-__
Team briefed on assessment process
Systems and environments prepared for demonstration
Test cases and evidence packages ready for review
Non-conformities identified and tracked

On-Site Assessment Outcome: ☐ Pass ☐ Pass with conditions ☐ Fail (major non-conformities)

NB Phase 4 — Certificate Issuance

All major non-conformities closed
Notified body issues EU type-examination certificate (Annex VII, module B) or
Quality management system approval issued (Annex VII, module D)
Certificate reference number recorded: ___________________________
Certificate validity period noted: ____-__-__ to ____-__-__
Annual surveillance schedule agreed with NB

Third-Party Assessment Triggers

Even under Route A (internal control), the following events should prompt consideration of voluntary third-party review or mandatory re-assessment:

Trigger	Action Required
Substantial modification to the AI system	Repeat conformity assessment for modified aspects
Change of intended purpose	Full reassessment required
New deployment in a new Annex III category	New conformity assessment required
Material change to training data	Re-run data governance section; consider partial reassessment
Serious incident involving the AI system	Incident investigation; assess whether reassessment needed
Significant performance degradation	Technical documentation update; risk management review
New harmonised standards published	Gap analysis against new standards; update as needed
Regulatory guidance update from national authority	Review compliance and update documentation
Acquisition / change of legal entity	Confirm obligations transfer; update declarations

Conformity Assessment Timeline Tracker

Phase	Planned Start	Planned End	Actual End	Status
1. Preparation & Gap Analysis	`____-__-__`	`____-__-__`	`____-__-__`	☐ Not started ☐ In progress ☐ Complete
2. Evidence Collection	`____-__-__`	`____-__-__`	`____-__-__`	☐ Not started ☐ In progress ☐ Complete
3. Internal Assessment	`____-__-__`	`____-__-__`	`____-__-__`	☐ Not started ☐ In progress ☐ Complete
4. Declaration & Registration	`____-__-__`	`____-__-__`	`____-__-__`	☐ Not started ☐ In progress ☐ Complete
5. NB Assessment (Route B only)	`____-__-__`	`____-__-__`	`____-__-__`	☐ N/A ☐ In progress ☐ Complete

Template	Purpose
`technical-documentation-annex-iv.md`	Complete Annex IV technical documentation
`declaration-of-conformity.md`	EU Declaration of Conformity (Art. 47)
`prohibited-practices-checklist.md`	Confirm no prohibited AI practices (Art. 5)
`human-oversight-guide.md`	Human oversight implementation (Art. 14)

Template provided by VORLUX AI | vorluxai.com | This is guidance only, not legal advice.

Versión Española

Mapa de Evaluación de Conformidad — Artículo 43 del Acto UE sobre Inteligencia Artificial > Advertencia: Esta es orientación solo, no asesoramiento legal. Consulte a un abogado calificado para sus obligaciones específicas de cumplimiento. Plantilla proporcionada por VORLUX AI | vorluxai.com --- ## Visión general El artículo 43 del Acto UE sobre Inteligencia Artificial establece los procedimientos de evaluación de conformidad que deben seguirse por parte de los proveedores de sistemas de inteligencia artificial de alto riesgo antes de marcar con CE y poner el sistema en el mercado. La ruta que debes tomar depende de la categoría de tu sistema.

Decisión rápida: ¿Cuál es la Ruta que Aplica?

¿Es su sistema un sistema de inteligencia artificial de alto riesgo según el Anexo III?
│ ├── SÍ
│ │ │ ├── ¿Está incluido en el Anexo III, item 1 (identificación biométrica)?
│ │ │ │ │ ├── SÍ → RUTA B: Evaluación por parte de un Organismo Notificado (Anexo VII)
│ │ │ │ │ └── NO → ¿Se cubre con legislación UE armonizada preexistente que ya requiere la participación de un organismo notificado?
│ │ │ │ │ │ ├── SÍ → Sigue el procedimiento sectorial
│ │ │ │ │ │ └── NO → RUTA A: Control Interno (Anexo VI)
│ │ │ └── ¿El proveedor ha elegido la participación voluntaria de un organismo notificado?
│ │ │ └── SÍ → RUTA B (voluntario)
└── NO → La evaluación de conformidad del Acto UE sobre Inteligencia Artificial no se aplica a sistemas de alto riesgo

--- ## Ruta A: Control Interno (Anexo VI) Aplicable a la mayoría de los sistemas de inteligencia artificial de alto riesgo según el Anexo III, items 2–8

Fase 1 — Preparación (Semanas 1-4)

1.1 Definición del alcance - [ ] Confirme que el sistema de inteligencia artificial se ha clasificado correctamente como de alto riesgo según el Anexo III - [ ] Identifique la categoría específica y número del item del Anexo III - [ ] Confirme que no hay una ruta obligatoria de organismo notificado aplicable a esta categoría - [ ] Asigne un Propietario de Proyecto de Evaluación de Conformidad | Campo | Valor | |-------|-------| | Nombre del sistema | `_____________` | | Item del Anexo III | `_` | | Ruta de evaluación | ☐ RUTA A (Anexo VI) ☐ RUTA B (Anexo VII) | | Propietario del Proyecto | `___________` | | Fecha de inicio | `--` | | Fecha objetivo de finalización | `--` |

1.2 Análisis de brechas - [ ] Revisa la documentación técnica existente frente a los requisitos del Anexo IV - [ ] Revisa el sistema de gestión de calidad frente a los requisitos del artículo 17 - [ ] Identifica las brechas de cumplimiento con un plan de priorización para su remediaciónde - [ ] Estima el esfuerzo y recursos necesarios para cerrar todas las brechas Resumen del Análisis de Brechas: | Área de Requisito | Brecha identificada | Prioridad (A/M/B) | Propietario de la Remediaciónde | Fecha límite | |-----------------|----------------|------------------|-------------------|----------| | Documentación técnica (Anexo IV) | `_________` | `_` | `_` | `__

y control de versiones - [ ] Declaración almacenada durante un mínimo de 10 años después de la última colocación en el mercado Referencia a la declaración: DOC-____-____ Fecha de la declaración: ____-__-__ Firma autorizada: ___________________________

4.2 Marcado CE - [ ] Marcado CE aplicado al sistema (o documentación acompañante donde no sea posible el marcado en el sistema) - [ ] El marcado CE cumple con los requisitos de formato (mínimo altura de 5mm donde sea posible) - [ ] El marcado CE está acompañado del número de identificación de la entidad notificada (Ruta B solo)

4.3 Registro de bases de datos de sistemas AI de la UE - [ ] Sistema AI de alto riesgo registrado en la base de datos de sistemas AI de la UE antes de colocarlo en el mercado - [ ] Número de registro obtenido: `___________________________` - [ ] El registro se mantiene actualizado con cada cambio significativo

Ruta B: Evaluación de conformidad que implica una entidad notificada (Anexo VII)

Requerido para: Anexo III, item 1 (sistemas de identificación biométrica); Opcional para otros

¿Cuándo debe utilizar una entidad notificada?

Desencadenante	Obligatorio?	Notas
Sistemas de identificación/categorización biométricos (Anexo III, item 1)	SÍ	Todos los sistemas en esta categoría
Identificación biométrica remota en espacios públicos	SÍ	Incluso cuando se excluyen las categorías prohibidas
Elección voluntaria del proveedor	No — opcional	El proveedor puede elegir para obtener una mayor garantía
Cambio significativo a un sistema previamente evaluado por la entidad notificada	Condicionado	Verifique con su entidad notificada

Seleccione una entidad notificada

Confirme que la entidad notificada está acreditada para el alcance relevante del Reglamento AI
Verifique si la entidad notificada está incluida en la base de datos NANDO (Nuevas Enfoques Notificadas y Organizaciones Designadas)
Verifique que la entidad notificada tenga experiencia en el sector relevante
Obtenga cotizaciones de al menos 2 entidades notificadas
Seleccione la entidad notificada y formalice su compromiso

Entidad Notificada Seleccionada: ___________________________ Número de referencia de la entidad notificada: ___________________________ Contacto de la entidad notificada: ___________________________ Fecha del acuerdo de compromiso: ____-__-__

Fases de evaluación de la entidad notificada

Fase 1 de la entidad notificada — Solicitud y alcance

Solicitud formal presentada a la entidad notificada
Alcance del análisis acordado por escrito
Paquete de documentación técnica presentado (Anexo IV)
Documentación de QMS presentada (Art. 17)
Reunión previa al análisis realizada

Fecha de la solicitud: ____-__-__ Referencia del alcance acordado: ___________________________

Fase 2 de la entidad notificada — Revisión documental

La entidad notificada revisa la documentación técnica