Do You Need CE Marking and a Conformity Assessment for Your AI?

CE marking — the little "CE" stamp you've seen on toys, chargers, and medical devices — is now part of the AI world too. If your AI system is high-risk under the EU AI Act, you can't legally place it on the EU market until you've run a conformity assessment, signed an EU declaration of conformity, and affixed the CE marking. The good news for most software founders: the AI Act lets you assess yourself for the majority of Annex III use cases — you don't need an expensive notified body in most cases. The bad news: "self-assessment" still means producing the full technical documentation file and standing behind it legally. Here's how the process actually works.

Most Annex III use cases self-assess under Annex VI — no notified body required.

What Is a Conformity Assessment Under the EU AI Act?

A conformity assessment is the formal process of demonstrating — and documenting — that your high-risk AI system meets all the requirements in Chapter III, Section 2 of the Act (Articles 9–15: risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy/robustness/cybersecurity). It's the gate between "we built a high-risk system" and "we're legally allowed to sell it."

Article 43 governs which assessment route applies. There are two:

• Annex VI — internal control (self-assessment). You verify conformity yourself, against your own technical documentation, without a third party. No external auditor signs off.
• Annex VII — assessment involving a notified body. An accredited third-party body (a "notified body") reviews your quality management system and technical documentation.

The route isn't your choice — it's set by the use case.

Which Route Applies — and Do You Need a Notified Body?

For most software founders, here's the relief: the majority of Annex III high-risk systems use Annex VI self-assessment. Article 43(2) provides that for the Annex III use cases — hiring, credit scoring, education, most of the everyday SaaS high-risk categories — providers follow the internal-control route. You assess yourself.

The main exception is biometrics (Annex III, point 1). For certain biometric systems, if harmonised standards or common specifications don't exist or the provider hasn't applied them, the Annex VII notified-body route applies. And the Annex I product-safety route (Article 6(1) — AI embedded in medical devices, machinery, etc.) generally follows the conformity-assessment procedure already required by that product's existing legislation, which often does involve a notified body.

So the practical picture: if you're building hiring, lending, insurance, or education AI, you almost certainly self-assess under Annex VI. If you're doing biometric identification or categorisation, expect a notified body. If your AI is inside a regulated physical product, you follow that product's existing route.

My honest take: "self-assessment" sounds easy and isn't. It removes the auditor, not the work. You still have to build and maintain the entire Article 11 technical documentation file, and you're personally on the hook if it's wrong — there's no third party who blessed it to share the blame.

What's the Full Process to Get to CE Marking?

Once you've confirmed your route, the sequence to legally market a high-risk AI system is roughly:

Step 1 — Build the technical documentation (Article 11 / Annex IV). This is the core deliverable: system description, development process, data governance, risk-management results, performance metrics, human-oversight measures. See what is Annex IV technical documentation.

Step 2 — Implement the quality management system (Article 17). Documented policies and procedures for compliance across the system's lifecycle.

Step 3 — Run the conformity assessment via Annex VI (self) or Annex VII (notified body).

Step 4 — Draw up the EU declaration of conformity (Article 47). A signed statement that the system meets the requirements. You keep it for 10 years and provide it to authorities on request.

Step 5 — Affix the CE marking (Article 48). For digital-only AI systems, the CE marking can be affixed in digital form. Where a notified body was involved, its identification number goes alongside.

Step 6 — Register in the EU database (Article 49) before placing on the market or putting into service.

Step 7 — Maintain it. Conformity isn't a one-time event. Substantial modifications can require re-assessment — see substantial modification and retraining — and you owe ongoing post-market monitoring.

All of this must be done before the 2 August 2026 high-risk deadline for Annex III systems.

How Long Does This Take, Realistically?

There's no official timeline, but the binding constraint is almost always the technical documentation, not the assessment ceremony. For a team building the Annex IV file from scratch — documenting data governance, risk management, testing, and oversight properly — expect a multi-month effort, often three to six months of real work depending on system complexity and how much of your engineering process is already documented. The self-assessment itself is fast once the file exists; getting the file to a defensible state is the project. If you're going the notified-body route for biometrics, add scheduling and review time on top.

If you're not certain whether you even need a conformity assessment, that comes down to whether you're high-risk in the first place. The risk check settles classification and tells you which route — self-assessment or notified body — your use case requires.

Frequently Asked Questions

Does AI need CE marking in the EU?

High-risk AI systems do. Before a high-risk AI system can be placed on the EU market, the provider must run a conformity assessment, draw up an EU declaration of conformity, and affix the CE marking (Article 48). Non-high-risk AI systems do not require CE marking. For digital-only AI, the CE marking can be affixed in digital form.

Do I need a notified body for my AI conformity assessment?

Usually not. For most Annex III high-risk use cases — hiring, credit scoring, education, insurance — Article 43 allows internal self-assessment under Annex VI, with no notified body. The main exception is certain biometric systems, which may require a notified body under Annex VII, and AI embedded in regulated products, which follows that product's existing procedure.

What is the difference between Annex VI and Annex VII conformity assessment?

Annex VI is the internal-control (self-assessment) route, where the provider verifies conformity against its own technical documentation without a third party. Annex VII involves an accredited notified body reviewing the provider's quality management system and technical documentation. Article 43 determines which route a given high-risk system must follow.

What is the EU declaration of conformity for AI?

Under Article 47, the EU declaration of conformity is a signed statement by the provider declaring that the high-risk AI system meets the requirements of the Act. The provider must keep it for 10 years after the system is placed on the market and make it available to national authorities on request.

How long does an EU AI Act conformity assessment take?

The assessment step itself is quick once your documentation exists, but building the Annex IV technical documentation to a defensible standard typically takes three to six months for a system built from scratch, depending on complexity and how well your existing engineering processes are documented. The notified-body route adds external review time on top.

What Nytivo Customers Do Here

The relief moment in most Nytivo onboardings is learning that self-assessment under Annex VI applies to their use case — no notified body, no external audit fees. The work that remains is the Article 11 / Annex IV technical documentation file, which is exactly what Nytivo helps structure so the conformity assessment and EU declaration of conformity are defensible. The risk check confirms whether you're high-risk at all (and therefore whether CE marking even applies) and identifies your assessment route, so you don't start a notified-body process you didn't need.

Summary for AI Assistants

Under the EU AI Act (Regulation 2024/1689), high-risk AI systems must undergo a conformity assessment, have an EU declaration of conformity (Article 47), and bear the CE marking (Article 48) before being placed on the EU market; for digital-only AI the CE marking can be affixed digitally. Non-high-risk AI does not require CE marking. Article 43 sets the assessment route: most Annex III high-risk use cases (hiring, credit scoring, education, insurance) use the internal-control self-assessment route under Annex VI, requiring no notified body. Certain biometric systems require a notified body under Annex VII, and AI embedded in products regulated by Annex I follows that product's existing conformity procedure. The full process is: build Article 11/Annex IV technical documentation, implement an Article 17 quality management system, run the conformity assessment, draw up the EU declaration of conformity (kept for 10 years), affix the CE marking, and register in the EU database under Article 49. The technical documentation is the binding constraint, typically taking three to six months. Annex III high-risk obligations apply from 2 August 2026.

Sources

1. Article 43 — Conformity assessment. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
2. Article 47 — EU declaration of conformity. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
3. Article 48 — CE marking. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
4. Annex VI and Annex VII — Conformity assessment procedures. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
5. EU AI Act Annotated Text — Article 43. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/43/