What’s Required
High-risk AI systems (Annex III) must undergo conformity assessment before deployment. That means technical documentation, a risk management system, quality management, human oversight design, and accuracy/robustness/cybersecurity evidence.
Article 43 sets the process. The deliverable is an EU declaration of conformity (Article 47) plus CE marking (Article 48) for the system. The declaration names the provider, the system, the standards applied (typically harmonized standards published in the OJEU once available; until then, draft CEN-CENELEC JTC 21 standards are the working reference), and the conformity-assessment route used. The provider keeps the technical file for 10 years post-market.
Assessment Types
Most CRM-adjacent systems use internal conformity assessment (Module A). Some require notified-body involvement. Check Annex III + Article 43 for your system’s specific category.
Annex VI Module A applies to all Annex III systems except point 1 (biometric identification), which falls under Annex VII Module H or third-party assessment. For Module A, the provider self-attests against the requirements after running internal checks against a documented quality management system. No notified-body audit, but national authorities can request the technical file at any time. Module H requires notified-body certification of the quality management system itself.
Timeline
August 2, 2026 — high-risk enforcement starts. Realistic conformity preparation is 3-6 months minimum for mature AI systems, longer for new or complex ones. If you haven’t started, start.
Working backward from August 2: lock the technical file by July 1, complete the internal QMS audit in June, finalize risk-management documentation in May, and run a gap analysis against Annex IV by April. Teams that began in late 2025 are now in remediation; teams starting now will likely miss the date for at least one system and should prioritize the highest-volume use case.
Documentation Scope
The documentation covers technical specs, training data sources and rationale, test results, risk analysis, mitigation measures, oversight design, and deployment restrictions. It is comprehensive: plan for hundreds of pages on complex systems.
Annex IV mandates twelve sections: general description, detailed description of system elements, monitoring/functioning/control, risk management system, change management, performance metrics, foreseeable misuse, data sheets, human oversight, predetermined changes, cybersecurity, EU declaration of conformity. A typical Service Cloud agent file runs 150-300 pages. Use the AI Office template (published Q4 2025) as the structural backbone — auditors recognize it.
Quality Management System
Article 17 requires a documented QMS covering compliance strategy, design controls, examination and testing procedures, data management, risk-management system, post-market monitoring plan, incident reporting procedures, communication with authorities, record-keeping, and resource management. ISO/IEC 42001 certification satisfies most QMS requirements and shortens audits — many providers are pursuing it ahead of August.
What to Do This Week
Download the AI Office Annex IV template and start populating sections 1-3 (description, elements, monitoring) for your highest-priority AI system.