Article 49 of the EU AI Act requires providers, or their authorised representatives, to register themselves and their Annex III high-risk AI systems in the EU database before placing them on the market, with critical infrastructure systems registered at national level instead. Systems assessed as not high-risk under Article 6(3) must also be registered, and public-sector deployers must register their use.
EU AI Act Article 49: Registration in the EU Database for High-Risk AI
What Article 49 Covers
Article 49 of Regulation (EU) 2024/1689 creates the registration layer of the high-risk regime. Before a high-risk AI system listed in Annex III reaches the EU market, it must be entered in the EU database established under Article 71, a publicly accessible register operated by the Commission. Registration converts private compliance into public traceability: authorities, researchers, journalists and affected persons can see which high-risk systems exist, who provides them and what they are for.
The Four Registration Duties
Article 49 contains four distinct obligations:
- Provider registration for high-risk systems. Before placing on the market or putting into service a high-risk AI system listed in Annex III, with the exception of point 2 of Annex III, the provider or, where applicable, the authorised representative shall register themselves and their system in the EU database, entering the information set out in Section A of Annex VIII.
- Registration of systems judged not high-risk. Before placing on the market or putting into service an AI system for which the provider has concluded, under the filter of Article 6(3), that it is not high-risk despite falling within an Annex III area, the provider or authorised representative shall register themselves and that system, with the information set out in Section B of Annex VIII. This makes the self-declassification visible and reviewable.
- Deployer registration for the public sector. Before putting into service or using a high-risk Annex III system, again excluding point 2, deployers that are public authorities, Union institutions, bodies, offices or agencies, or persons acting on their behalf, shall register themselves, select the system and register its use in the EU database, with the information in Section C of Annex VIII.
- The critical infrastructure exception. High-risk AI systems referred to in point 2 of Annex III, critical infrastructure, shall be registered at national level rather than in the EU database.
The Secure Non-Public Section
Article 49(4) carves out sensitive state functions. For high-risk AI systems in the areas of law enforcement, migration, asylum and border control management, Annex III points 1, 6 and 7, the registration shall be in a secure non-public section of the EU database, limited to a reduced set of information, accessible only to the Commission and to national authorities in defined roles. This preserves traceability for supervisors without publishing operational details of policing and border systems.
What Gets Registered: Annex VIII
For providers of high-risk systems, Section A of Annex VIII requires, among other items: the name, address and contact details of the provider and, where applicable, of the authorised representative; the AI system's trade name and any additional unambiguous reference allowing identification and traceability; a description of the intended purpose and of the components and functions supported; a basic and concise description of the information used by the system and its operating logic; the status of the system; the conformity assessment certificate details and notified body where applicable; Member States where the system is or has been placed on the market; a copy of the EU declaration of conformity; electronic instructions for use, except for law enforcement and migration-area systems; and a URL for additional information. Under Article 71, the database information is, with the noted exceptions, publicly accessible in a user-friendly and machine-readable format.
How to Implement Article 49 in Practice
- Place registration correctly in the launch sequence: after conformity assessment, declaration of conformity and CE marking, but before placing on the market. A system that is live for EU customers without registration is non-compliant even if everything else is perfect.
- Prepare the Annex VIII data pack as a structured artefact maintained alongside the technical documentation, so registration is an export, not an authoring exercise.
- Write the public-facing descriptions with care. The intended purpose and operating logic descriptions will be read by customers, competitors and journalists; they must be accurate, consistent with the instructions for use, and free of overstatement.
- For non-EU providers, agree with the authorised representative who performs the registration, since Article 22(3) makes registration or its verification part of the representative's mandated tasks.
- If you rely on Article 6(3) to treat an Annex III-area system as not high-risk, document the assessment and complete the Section B registration; skipping it undermines the entire declassification.
- Keep entries current as versions, Member State coverage and status change, and retire entries properly when systems are withdrawn.
A Concrete Example
A provider prepares to launch an AI system that screens tenant applications for housing providers, which falls within Annex III point 5(a) as a system used to evaluate eligibility for essential private services in defined respects, or alternatively concludes after analysis that its narrow filtering function qualifies for the Article 6(3) exception. In the first case, it registers itself and the system with the full Section A data, including the declaration of conformity and electronic instructions for use. In the second case, it still registers under Section B, recording its conclusion that the system is not high-risk. Either way, the launch checklist blocks go-live until the database entry exists, and the registration URL is filed in the technical documentation.
How Article 49 Connects to Other Provisions
Article 71 establishes the database itself, with the Commission as controller and public access in machine-readable form. Article 16(i) makes registration compliance a provider obligation, and Article 26(8) requires public-sector deployers to use only registered systems contextually with their own duty. Article 22 mandates the authorised representative's role for third-country providers. Registration data interlocks with the Article 47 declaration and Article 48 marking, and market surveillance authorities use the database in enforcement under Chapter IX. Non-compliance with registration duties is sanctionable under Article 99 within the operator-obligation fine band of up to 15 million euros or 3 percent of worldwide annual turnover.
Actions to Take Before August 2, 2026
Providers should draft their Annex VIII data packs now, decide who in the organisation owns database entries, and rehearse the registration step in their launch process. Public-sector deployers should inventory planned high-risk AI uses and prepare their Section C registrations. Providers relying on Article 6(3) should treat the Section B registration as the visible half of that decision and make sure the underlying assessment can withstand scrutiny. This article provides general information about Regulation (EU) 2024/1689 and is not advice on any specific registration.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.