Quick answer

Article 17 of the EU AI Act requires providers of high-risk AI systems to put in place a quality management system, documented through written policies, procedures and instructions, that ensures compliance with the regulation. It must cover the full lifecycle, from regulatory strategy and design control to data management, post-market monitoring and incident reporting.

Updated June 2026 · MmowW AI Compliance

EU AI Act Article 17: Quality Management System Obligations for Providers

What Article 17 Covers

Article 17 of Regulation (EU) 2024/1689 requires every provider of a high-risk AI system to put in place a quality management system, often abbreviated QMS, that ensures compliance with the regulation. The QMS must be documented in a systematic and orderly manner in the form of written policies, procedures and instructions. Where the technical documentation under Article 11 evidences the compliance of a specific system, the QMS evidences the compliance capability of the organisation that builds and maintains it.

For organisations from regulated product sectors such as medical devices, the concept is familiar. For pure software companies, Article 17 is often the most culturally demanding requirement of the AI Act, because it asks them to formalise practices that may currently live in tribal knowledge, wikis and individual judgement.

The Required Components

Article 17(1) lists the aspects the QMS must at least include:

Proportionality and Sector-Specific Relief

Article 17(2) states that the implementation of these aspects shall be proportionate to the size of the provider's organisation. A ten-person startup does not need the document hierarchy of a multinational, but it must in any event respect the degree of rigour and the level of protection required to ensure the compliance of its high-risk AI systems. Proportionality changes the form, not the protective outcome.

Article 17(3) and 17(4) address financial institutions. Providers that are financial institutions subject to requirements regarding internal governance, arrangements or processes under Union financial services law may satisfy parts of the QMS obligation through compliance with those existing rules, with specified exceptions that continue to apply, such as the listed AI-specific aspects. This avoids forcing banks and insurers to duplicate governance structures they already operate under supervisory oversight.

How to Build an Article 17 QMS in Practice

  1. Map existing practice first. Most engineering organisations already perform design review, testing and incident handling; the gap is usually documentation, consistency and accountability, not activity.
  2. Use the thirteen-point list as the table of contents for the QMS manual, and write one procedure per point, each naming an owner, inputs, outputs and records produced.
  3. Anchor the QMS to recognised frameworks. ISO/IEC 42001 for AI management systems and harmonised standards developed in support of the AI Act are natural reference points, and using harmonised standards can support a presumption of conformity under Article 40.
  4. Integrate, do not duplicate. The risk management system, post-market monitoring and incident reporting procedures required here are the same ones required by Articles 9, 72 and 73; the QMS is where they are formally housed.
  5. Make the accountability framework real: a responsibility matrix that names which roles approve releases, sign the EU declaration of conformity and decide on corrective actions under Article 20.
  6. Operate it before you need it. Records of executed procedures, completed reviews, test runs and management oversight are what a notified body or market surveillance authority will ask for; an unused manual is close to worthless.

A Concrete Example

A forty-person company providing an AI system for exam proctoring, high-risk under point 3 of Annex III, could implement Article 17 with a lean structure: a fifteen-page QMS manual mapped to the thirteen points, a release procedure requiring documented validation runs before each model update, a data management procedure covering dataset versioning and labelling quality, a post-market monitoring plan reviewed quarterly, an incident playbook with the Article 73 deadlines built in, and a responsibility matrix approved by management. The same documents then feed the conformity assessment and the Annex IV technical documentation, so little of the work is wasted paperwork.

How Article 17 Connects to Other Provisions

Article 16(c) makes having an Article 17 QMS one of the core provider obligations. The QMS documentation must be kept for ten years under Article 18 and is examined where the Annex VII conformity assessment procedure involving a notified body applies. Article 22 authorised representatives and Article 23 importers rely on the provider having done this work, and Article 25 means a distributor or deployer that rebrands or substantially modifies a high-risk system inherits the obligation to operate a QMS of its own. Failures in QMS-governed processes are also where market surveillance investigations under Article 74 and following typically focus.

Actions to Take Before August 2, 2026

Building and embedding a QMS takes quarters, not weeks. Providers expecting to place high-risk systems on the EU market should draft the manual and core procedures now, run at least one full release cycle under the QMS before the compliance date to generate records, and train staff on the procedures that affect them. SMEs should design for proportionality from the start rather than copying enterprise templates they cannot operate. This article provides general information about Regulation (EU) 2024/1689 and is not advice for any specific organisation.


This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.