CE Marking
CE marking — from the French Conformité Européenne — is the visible symbol indicating that a product meets the EU's safety, health, environmental, and consumer protection requirements applicable to it and may be freely placed on the EU market. For high-risk AI systems under the EU AI Act, CE marking is a mandatory step before the system can be placed on the market or put into service in the EU. The CE mark is not a quality label or an endorsement — it is a declaration by the manufacturer or provider that the product complies with applicable EU law. For high-risk AI systems, the steps required before affixing a CE mark are prescribed in Articles 43 and 48. The provider must first complete the applicable conformity assessment procedure — internal self-assessment for most Annex III systems, or third-party assessment by a notified body for biometric identification systems and certain others. The provider must then draw up an EU declaration of conformity under Article 47, a legally binding document that identifies the system, lists the applicable AI Act provisions it conforms with, includes the name and address of the provider and any authorised representative, and is signed by a person authorised to bind the provider. Once the conformity assessment is complete and the declaration is drawn up, the CE mark may be affixed to the system, its packaging, or its accompanying documentation. The CE mark under the AI Act must appear together with any other CE marks required by other applicable EU legislation. If the product is also subject to the Machinery Regulation, the Medical Devices Regulation, or another CE-marking framework, a single CE mark covers all applicable legislation, but each assessment must be completed separately. If a notified body was involved in the assessment, the notified body's four-digit identification number must accompany the CE mark. For an EU SME, placing a CE mark on a high-risk AI system without completing the required conformity assessment is not only a regulatory violation — it is a misrepresentation to customers, procurement authorities, and regulators. Market surveillance authorities actively check for CE marks on AI systems and can require providers to demonstrate the underlying documentation. Unlawful affixing of a CE mark can attract fines of up to €15 million or 3% of global annual turnover, and national authorities can order immediate market withdrawal. See the AI Act compliance guide at eurocomply.app/regulations/ai-act
Official regulation guide
AI Act Compliance Guide →Related terms
EU AI Act
Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first comprehensive horizontal legal framework for artificial intelligence. Published in the Official Journal of the EU on 12 July 2024, it entered into force on 1 August 2024 and applies in phases over a 36-month transition period. The regulation applies to providers who place AI systems on the EU market or put them into service in the EU, regardless of whether the provider is established inside or outside the Union. It also applies to deployers — organisations that use AI systems in a professional context — when those systems are classified as high-risk. The Act classifies AI systems into four risk tiers. Unacceptable-risk practices (Article 5) are prohibited outright and have applied since 2 February 2025. Limited-risk systems — such as chatbots — carry transparency obligations requiring users to be informed they are interacting with AI. Minimal-risk systems face no mandatory requirements. High-risk systems, defined in Article 6 and Annex III, are the Act's main regulatory target: they must meet requirements covering risk management, training data governance, technical documentation (Annex IV), logging, transparency, human oversight, accuracy, and robustness before being placed on the market. For EU SMEs, the most pressing deadline is 2 August 2026, when obligations for high-risk AI systems under Annex III fully apply. If your business uses AI in hiring decisions, creditworthiness assessment, access to essential services, or safety-critical operations, you are almost certainly in scope. The Act also introduces requirements for General Purpose AI models (Chapter V) — large foundational models such as those underlying popular AI tools. Penalties are steep: up to €35 million or 7% of global annual turnover for deploying prohibited AI, up to €15 million or 3% for violations of other obligations, and up to €7.5 million or 1.5% for supplying incorrect information to regulators. See the AI Act compliance guide at eurocomply.app/regulations/ai-act
High-Risk AI System
The EU AI Act's concept of a high-risk AI system is the regulation's central regulatory category — it is where the vast majority of substantive obligations sit, and where most compliance effort for commercial AI applications must be focused. High-risk AI systems are defined in Article 6 and Annex III, and the classification has two tracks. The first track covers AI systems that are themselves safety components of products subject to existing EU product safety legislation — such as the Machinery Regulation, the Medical Devices Regulation, or the Radio Equipment Directive — where those products require a third-party conformity assessment. The second track, which is far broader in commercial significance, covers AI systems in eight use-case categories listed in Annex III: biometric identification and categorisation of natural persons; management and operation of critical infrastructure; education and vocational training; employment, workers management, and access to self-employment; access to and enjoyment of essential private and public services and benefits; law enforcement; migration, asylum, and border control management; and administration of justice and democratic processes. With certain exceptions for narrow or low-risk applications, an AI system that falls into these Annex III categories is presumed high-risk. Before deploying such a system, providers must implement a risk management system under Article 9; use high-quality training, validation, and testing datasets under Article 10; produce and maintain Annex IV technical documentation under Article 11; build in automatic event logging under Article 12; ensure transparency to deployers under Article 13; design for effective human oversight under Article 14; achieve appropriate levels of accuracy, robustness, and cybersecurity under Article 15; and — for providers — complete a conformity assessment and register the system in the EU database before placing it on the market. For an EU SME deploying AI, the critical threshold question is whether the system materially influences an outcome that significantly affects a person's access to employment, services, education, or similar consequential domains. Getting this classification wrong — deploying a system that should be classified as high-risk without the required documentation and assessment — can result in fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act
Annex IV Technical Documentation
Annex IV of the EU AI Act specifies the technical documentation that providers of high-risk AI systems must draw up and maintain under Article 11. This documentation is the evidentiary record that demonstrates a high-risk AI system was designed, built, and validated in compliance with the Act's requirements. It must be kept up to date throughout the system's lifecycle and made available to national market surveillance authorities and notified bodies on request. The Annex IV documentation requirement is substantial. It must include: a general description of the AI system, including its intended purpose, the version placed on the market, and how it interacts with hardware and software; a detailed description of the design specifications, including general logic, key design choices, the assumptions made, and the limitations of the system; a description of the system architecture and processes involved in developing and monitoring the system; a description of the training and testing methodologies used, including the datasets used and the validation approach; a description of the technical measures for human oversight under Article 14; a copy of the EU declaration of conformity; detailed information on the monitoring, functioning, and control of the AI system; and the results of all tests carried out to demonstrate conformity with Article 15 requirements on accuracy, robustness, and cybersecurity. For a provider deploying an AI system under its own name, this documentation must exist before the system is placed on the EU market or put into service. For deployers using a third-party high-risk system, the documentation obligation sits with the original provider, but deployers must be able to obtain it and understand it sufficiently to fulfil their own obligations around human oversight and monitoring. For an EU SME developing AI products in the high-risk categories, Annex IV documentation is best treated as a continuous engineering artefact rather than a compliance document produced after the fact. Regulators evaluating a system will look for evidence that the documentation reflects actual design decisions, not post-rationalisation. Failure to produce adequate technical documentation — or producing documentation that is found to be misleading — can attract fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act
Conformity Assessment
Conformity assessment is the process by which a high-risk AI system is evaluated against the requirements of the EU AI Act before it is placed on the market or put into service in the EU. It is a mandatory gate through which all high-risk AI systems must pass, and it results in the provider drawing up an EU declaration of conformity and affixing a CE mark to the system (or its documentation, where the physical product does not accommodate marking). The EU AI Act provides two routes to conformity assessment. The first, available for most high-risk AI systems listed in Annex III, is internal conformity assessment — sometimes called self-assessment. The provider carries out its own assessment, working through a checklist of the Act's requirements, generating Annex IV technical documentation, and drawing up the declaration of conformity. This self-assessment route mirrors the approach used for many CE-marked products and places the entire burden of demonstrating compliance on the provider. The second route applies to AI systems listed in Annex III paragraphs 1(a) — remote biometric identification systems intended to be used in publicly accessible spaces — and paragraph 6 when used by law enforcement. These systems require third-party assessment by a notified body: an independent, accredited conformity assessment organisation designated by an EU member state and notified to the European Commission. The notified body examines the technical documentation, audits processes, and issues an EU-type examination certificate if the system meets the requirements. For an EU SME, understanding which route applies to your specific AI system is the critical first step. Even for self-assessed systems, the documentation burden is substantial and the declaration of conformity is a legal statement for which the provider takes direct responsibility. Market surveillance authorities can challenge conformity assessments, require additional evidence, and in cases of non-conformity order withdrawal from the market and suspension of services. Placing a non-conforming high-risk AI system on the market can attract fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act