Blog

EU AI Act Conformity Assessment: What High-Risk AI Systems Need

How organisations developing or deploying AI systems in the EU can prepare for conformity assessment requirements under the EU Artificial Intelligence Act.

← Back to Blog
Published 28 April 2026 · BCERT Editorial Team · 8 min read

The EU Artificial Intelligence Act (AI Act), formally Regulation (EU) 2024/1689, entered into force on 1 August 2024 and is being phased in progressively through 2026 and beyond. It is the world's first comprehensive legal framework for AI systems, establishing a risk-based regulatory approach that imposes different obligations depending on the risk category of the AI application. For organisations developing, deploying, or using AI systems in the EU — or exporting AI-enabled products to EU markets — understanding conformity assessment requirements is now a commercial and legal imperative.

Risk Classification: High-Risk, Limited, and Minimal

The AI Act categorises AI systems into four risk tiers:

  • Unacceptable risk (prohibited): AI systems that pose a clear threat to fundamental rights — such as real-time remote biometric surveillance in public spaces for law enforcement (with limited exceptions), social scoring by governments, and manipulation of subconscious behaviour. These are banned outright.
  • High risk: AI systems used in critical infrastructure, education, employment, essential services, law enforcement, migration, and the administration of justice. Also includes AI safety components in products already covered by EU harmonisation legislation (medical devices, machinery, vehicles). High-risk AI is subject to the most stringent requirements including conformity assessment before market placement.
  • Limited risk: AI systems with specific transparency obligations — chatbots must identify themselves as AI; deepfakes must be labelled. No mandatory conformity assessment, but transparency requirements apply.
  • Minimal risk: The vast majority of AI applications — spam filters, AI in video games, basic recommendation systems. No specific obligations beyond general product safety law.

Requirements for High-Risk AI Systems

Providers of high-risk AI systems must comply with a set of mandatory requirements before placing the system on the EU market:

  • Technical documentation: Comprehensive documentation covering system design, development methodology, training data, performance metrics, known limitations, and risk management measures.
  • Conformity assessment: Either self-assessment (for most high-risk AI categories) or third-party assessment by a Notified Body (for biometric systems and certain safety-critical applications). The assessment must be repeated for substantial modifications.
  • EU Declaration of Conformity and CE marking: Required before market placement.
  • Registration: High-risk AI systems must be registered in the EU AI database before deployment.
  • Human oversight: Systems must be designed to enable effective human oversight, including the ability to halt or override the system.
  • Accuracy, robustness, and cybersecurity: Systems must meet appropriate performance levels throughout their lifecycle and be resilient to adversarial attacks.
  • Post-market monitoring: Providers must actively monitor system performance in deployment and report serious incidents to national authorities.

Transparency Requirements

Transparency obligations apply across risk categories. For high-risk AI, users (deployers) must be provided with clear instructions for use, including the intended purpose, known limitations, and performance metrics. For limited-risk AI, natural persons interacting with an AI system must be informed they are doing so, unless this is obvious. For general-purpose AI models (GPAI) with systemic risk — large language models above a defined compute threshold — additional transparency and safety requirements apply, including model evaluations and adversarial testing.

Implementation Timeline and Preparing Now

Key dates in the AI Act phased implementation:

  • 2 February 2025: Prohibited AI practices rules apply.
  • 2 August 2025: Obligations for GPAI models and governance rules apply.
  • 2 August 2026: Full obligations for high-risk AI systems apply (most categories).
  • 2 August 2027: Obligations for high-risk AI systems in Annex I (products already under harmonisation legislation) apply.

Organisations with high-risk AI systems have a narrow window before the 2026 deadline. Starting with an AI inventory, risk classification exercise, and gap analysis against the technical documentation and conformity assessment requirements now avoids a last-minute compliance rush. BCERT provides structured AI Act readiness assessments to help organisations understand their obligations and build a credible compliance programme.

Ready to get certified?

Visit bcert.uk or contact us at info@bcert.uk to discuss EU AI Act conformity assessment.

Request an Assessment →