v2026.1714 entries · CC-BY 4.0
CASRAI

Definition · Plain-language

Conformity assessment

Conformity assessment is the process of verifying that a high-risk AI system meets the requirements of the EU AI Act before it is placed on the market.


What conformity assessment checks

Conformity assessment is the EU AI Act’s gate for high-risk AI systems: before such a system may be placed on the market or put into service, its provider must demonstrate that it meets the regulation’s requirements. Those requirements span areas such as risk management, data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness and cybersecurity. The assessment checks that these obligations have been met and properly evidenced. It is a documented procedure rather than a single test, drawing on the provider’s technical documentation and quality management system to show the system was designed and built in line with the rules.

Self-assessment or third-party

The Act provides two broad routes. For most high-risk systems, conformity assessment is carried out internally by the provider on the basis of internal control — a self-assessment supported by documentation. For certain categories, an independent third party called a notified body must be involved in the assessment. Where harmonised standards exist and are applied, providers can benefit from a presumption of conformity, simplifying the route. The applicable route depends on the type of system and the requirements set out in the regulation, which is why determining the correct procedure is itself an early step for any provider.

What follows a successful assessment

When a high-risk system passes conformity assessment, the provider draws up an EU declaration of conformity, affixes the CE marking, and registers the system in the relevant EU database before placing it on the market. These steps signal that the provider takes responsibility for the system meeting the Act’s requirements. Conformity is not a one-off event: substantial modifications can trigger a fresh assessment, and providers carry ongoing obligations such as post-market monitoring. Conformity assessment therefore sits within a broader compliance lifecycle rather than concluding it. This is a description of the regulatory mechanism, not legal advice.

Key facts

At a glance

  • Definition: verifying a high-risk AI system meets EU AI Act requirements before market placement
  • Two routes: provider self-assessment (internal control) or third-party notified body
  • Checks: risk management, data governance, documentation, oversight, robustness
  • Standards: applying harmonised standards can give a presumption of conformity
  • Outputs: EU declaration of conformity, CE marking, EU database registration
  • Ongoing: substantial changes can require re-assessment

Common misconceptions

What people often get wrong

Often heard: Every high-risk AI system must be assessed by an external body.

Actually: Under the EU AI Act most high-risk systems use provider self-assessment based on internal control; third-party assessment by a notified body is required only for certain categories. The route depends on the type of system.

Often heard: Conformity assessment is a one-time step that never needs repeating.

Actually: Substantial modifications to a system can trigger a fresh conformity assessment, and providers retain ongoing obligations such as post-market monitoring. Conformity is maintained over the lifecycle, not granted permanently.

Often heard: Passing conformity assessment proves the AI system is risk-free.

Actually: Conformity assessment verifies that defined regulatory requirements have been met and evidenced; it does not certify that a system carries no risk. It demonstrates regulatory compliance, not the elimination of all risk.
