nexalign
Regulation · 11 min read

AI Act high-risk from August 2026: conformity assessment step by step

The EU AI Act applies in stages. Obligations for high-risk AI systems under Annex III become fully applicable on 2 August 2026. Anyone deploying or providing AI in HR, education, credit scoring, law enforcement, critical infrastructure or migration must complete the conformity assessment by then. Here is the obligation path in five steps.

Step 1: classification under Annex III

Eight areas define high-risk: biometric identification and categorisation, critical infrastructure, education and vocational training, employment and worker management, access to essential private and public services (incl. credit scoring), law enforcement, migration and border control, justice and democratic processes.

Within these areas there is a list of concrete use cases. Only systems listed there qualify as high-risk.

Exemptions: purely preparatory tasks, narrow procedural tasks, improving the result of a human activity, pattern detection in existing data without influence on the human assessment. These exemptions must be actively documented and justified.

Step 2: determine provider or deployer role

Provider: develops the system, or has it developed, and places it on the market under its own name. Carries the full set of duties: conformity assessment, technical documentation, declaration of conformity, CE marking and registration.

Deployer: uses an AI system in a professional context. Duties include ensuring human oversight, checking data quality, monitoring, informing affected persons and, in some cases, carrying out a Fundamental Rights Impact Assessment (FRIA).

Important: anyone who materially modifies an existing system (fine-tuning for own purposes, own branding, new intended uses) becomes the new provider and takes on all provider duties.

Step 3: run the conformity assessment

Risk management system across the full lifecycle (Art. 9).

Data quality and data governance (Art. 10): training, validation and test data must be relevant, representative, as free of errors as possible, and complete.

Technical documentation (Annex IV): purpose, architecture, training data, validation, performance metrics, risk assessment, oversight measures.

Logging duty (Art. 12): the system must record events during operation across its full lifecycle.

Transparency and information (Art. 13): usable instructions for deployers.

Human oversight (Art. 14): appropriate measures for effective human oversight.

Accuracy, robustness, cybersecurity (Art. 15): demonstrated and documented.

Conformity assessment procedure (Art. 43): internal control (Annex VI) or notified body (Annex VII) depending on the high-risk category.

Step 4: FRIA (Fundamental Rights Impact Assessment)

Mandatory for certain deployers: public bodies, private bodies providing public services, deployers of high-risk systems in credit scoring and life insurance.

Contents: system purpose, affected persons, specific fundamental rights risks, oversight measures, complaint mechanisms.

The FRIA must be repeated when relevant parameters change. It is not published, but its results are reported to the competent market surveillance authority.

Step 5: registration, CE marking, market monitoring

Providers register the high-risk system before placing it on the market in the EU database (Art. 49 and 71).

CE marking on the system or in the accompanying documentation.

Declaration of conformity (Annex V) drafted and kept for 10 years after the system is placed on the market.

Post-market monitoring and reporting of serious incidents within 15 days (Art. 73).

What DecisionOS does

The conformity assessment is at its core a structured decision with many stakeholders (engineering, legal, privacy, executive). DecisionOS runs it as an auditable memo: risk assessment, data quality check, FRIA excerpt, human oversight, dealbreakers. The output is a dossier that operationally pre-builds the Annex IV technical documentation.