Quick answer

Providers of high-risk AI systems under the EU AI Act must implement a quality management system, prepare technical documentation, complete conformity assessment, affix CE marking, register in the EU database, and maintain post-market monitoring and incident reporting systems.

Updated June 2026 · MmowW AI Compliance

EU AI Act Provider Obligations: What High-Risk AI System Providers Must Do

Overview of Provider Obligations

Article 16 of Regulation (EU) 2024/1689 sets out the core obligations for providers of high-risk AI systems. A provider is defined as any natural or legal person, public authority, agency, or other body that develops an AI system or a general-purpose AI model, or that has an AI system or model developed on its behalf, and places it on the market or puts it into service under its own name or trademark.

The obligations are comprehensive and span the entire lifecycle of the AI system, from design and development through to post-market monitoring and eventual decommissioning. They apply regardless of whether the provider is established in the EU, as long as the high-risk AI system is placed on the EU market or its output is used in the EU.

Most provider obligations for high-risk AI systems become applicable on 2 August 2026 for systems listed in Annex III. For AI systems that are safety components of products covered by Annex I, Section A harmonisation legislation, the deadline is 2 February 2027.

Quality Management System

Article 17 requires providers to establish, implement, document, and maintain a quality management system (QMS). This system must ensure compliance with the regulation in a systematic and documented manner. A generic management standard is not sufficient: the QMS must specifically address AI-related risks and regulatory requirements.

The QMS must include, at minimum, a strategy for regulatory compliance, techniques and procedures for the design, development, and examination of the AI system, techniques and procedures for testing before and after placing on the market, technical specifications and standards applied, systems and procedures for data management, the risk management system referred to in Article 9, a post-market monitoring system, procedures related to incident reporting, and communication with national competent authorities and deployers.

For providers already certified under relevant quality management standards (such as ISO 13485 for medical devices), existing QMS frameworks can serve as a foundation. However, they must be supplemented with AI-specific elements to address the full scope of Article 17 requirements.

Technical Documentation

Articles 11 and 18 require providers to draw up technical documentation before the system is placed on the market and to keep it up to date throughout the system lifecycle. The specific contents are detailed in Annex IV of the regulation.

Technical documentation must contain a general description of the AI system including its intended purpose, the provider identity, system version, and how the system interacts with hardware and software. It must describe the development methodology, design specifications, system architecture, and key algorithmic choices. Data governance practices must be documented, including descriptions of training, validation, and testing datasets, data collection processes, and data preparation operations such as annotation, labelling, and cleaning.

The documentation must also describe the risk management measures applied under Article 9, the validation and testing procedures performed (including metrics used and test results), a description of the human oversight measures designed into the system under Article 14, and the post-market monitoring plan. Technical documentation must be retained for 10 years after the system is placed on the market or put into service.

Conformity Assessment, CE Marking, and Registration

Before placing a high-risk AI system on the market or putting it into service, the provider must complete the applicable conformity assessment procedure under Article 43. For most Annex III systems, this is an internal (self-assessment) procedure. For remote biometric identification systems and certain safety component scenarios, third-party assessment by a notified body is required.

Upon successful completion of the conformity assessment, the provider must draw up an EU declaration of conformity under Article 47. This declaration identifies the provider, the AI system, the applicable requirements, and confirms that the system meets those requirements. The declaration must be kept for 10 years and made available to national authorities on request.

The provider must affix the CE marking to the AI system or, where that is not possible, to the packaging or accompanying documentation, in accordance with Article 48. The CE marking must be visible, legible, and indelible. It indicates to market surveillance authorities and to deployers that the system has undergone the required conformity assessment process.

Article 49 requires registration of the AI system in the EU database before it is placed on the market. The provider must enter information including the system name, description, intended purpose, conformity assessment status, and contact details. This database is publicly accessible, promoting transparency about high-risk AI systems operating within the EU market.

Post-Market Monitoring

Article 72 requires providers to establish and document a post-market monitoring system proportionate to the nature of the AI system and its associated risks. This system must actively and systematically collect, document, and analyse relevant data provided by deployers or collected through other sources throughout the lifetime of the system.

The post-market monitoring system must allow the provider to evaluate the continuous compliance of the AI system with the requirements of the regulation, identify potential risks that may emerge during real-world use, and detect any need for corrective or preventive actions. The data collected must be used to update the risk management system and the technical documentation as needed.

Providers must draw up a post-market monitoring plan as part of the technical documentation. This plan should describe the data collection methodology, the frequency and scope of monitoring activities, the criteria for evaluating compliance, and the procedures for taking corrective action when issues are identified.

Serious Incident Reporting and Corrective Actions

Article 73 establishes mandatory reporting obligations for serious incidents. Providers must report any serious incident to the market surveillance authorities of the Member States where the incident occurred. A serious incident is defined as one that directly or indirectly leads to, or is realistically likely to lead to, death, serious damage to health, serious and irreversible disruption of critical infrastructure management, or a breach of fundamental rights obligations.

Reporting must occur immediately after the provider becomes aware of the incident and, in any case, no later than 15 days after becoming aware of it. The report must include a description of the incident, the AI system involved, the immediate corrective measures taken, and the expected timeline for further investigation and remediation.

Beyond incident reporting, Article 20 requires providers to take immediate corrective action when a high-risk AI system is found to be non-compliant with any requirement of the regulation. This may include modifying the system, withdrawing it from the market, recalling it, or informing deployers of the non-compliance and necessary actions. Where the non-compliance is not restricted to the national territory, the provider must inform all relevant national authorities across the EU.

The combination of post-market monitoring, incident reporting, and corrective action obligations creates a continuous compliance loop. Providers cannot treat market placement as the end of their regulatory responsibility. Instead, they must maintain active oversight and be prepared to respond rapidly when issues arise.


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.