Article 8 of the EU AI Act is the gateway provision for high-risk AI systems. It requires every high-risk AI system to comply with the requirements set out in Section 2 of Chapter III (Articles 9 to 15), taking into account the system's intended purpose and the generally acknowledged state of the art. It applies from August 2, 2026.
EU AI Act Article 8: Compliance with Requirements for High-Risk AI Systems
What Article 8 Covers
Article 8 of Regulation (EU) 2024/1689, the EU AI Act, is short but foundational. It states that high-risk AI systems shall comply with the requirements laid down in Section 2 of Chapter III of the regulation. Those requirements are found in Articles 9 to 15 and cover risk management, data and data governance, technical documentation, record-keeping, transparency, human oversight, and accuracy, robustness and cybersecurity.
In practical terms, Article 8 is the hinge between classification and obligation. Articles 6 and 7, together with Annexes I and III, determine whether an AI system is high-risk. Once that classification is settled, Article 8 activates the entire substantive compliance programme. Every provider of a high-risk AI system must therefore read Article 8 as the entry point into the most demanding part of the regulation.
The Two Key Qualifiers: Intended Purpose and State of the Art
Article 8(1) contains two qualifiers that shape how strictly the Section 2 requirements apply. First, compliance must take into account the intended purpose of the high-risk AI system. The intended purpose, defined in Article 3(12), is the use for which the system is intended by the provider, as described in the instructions for use, promotional materials and technical documentation. A resume-screening system and a medical triage system are both high-risk, but the depth of testing, the relevant accuracy metrics and the human oversight design will differ according to what each system is meant to do.
Second, compliance must take into account the generally acknowledged state of the art. This means providers are not held to a standard of theoretical perfection. They are held to what competent professionals in the field would currently recognise as achievable and appropriate. The state of the art evolves, which is one reason the technical documentation under Article 11 must be kept up to date and the post-market monitoring system under Article 72 must feed real-world performance data back into the compliance assessment.
Article 8(1) also makes clear that the risk management system referred to in Article 9 shall be taken into account when ensuring compliance with the requirements. Risk management is therefore not one requirement among seven; it is the organising framework through which the other requirements are calibrated and evidenced.
Article 8(2): AI Embedded in Regulated Products
Article 8(2) addresses a situation that is common in machinery, medical devices, toys, lifts and other products covered by the Union harmonisation legislation listed in Section A of Annex I. Where a product contains an AI system to which both the AI Act and that sectoral legislation apply, providers are responsible for ensuring that the product is fully compliant with all applicable requirements under both regimes.
To avoid duplication, Article 8(2) allows providers to integrate the necessary testing and reporting processes, information and documentation they provide under the AI Act into documentation and procedures that already exist under the sectoral legislation. The goal stated in the provision is to ensure consistency, avoid duplication and minimise additional burdens. A medical device manufacturer, for example, can extend its existing technical file and quality processes rather than building a parallel AI-only compliance structure.
How to Implement Article 8 in Practice
Because Article 8 activates Articles 9 to 15, implementation is essentially a programme-management exercise. A workable sequence looks like this:
- Confirm classification. Document why the system is high-risk under Article 6, or why it is not, since Article 6(3) assessments must themselves be documented and registered under Article 49(2).
- Define the intended purpose precisely. The narrower and clearer the intended purpose, the more focused the testing, oversight design and instructions for use can be.
- Map each Section 2 requirement to an owner. Risk management (Article 9), data governance (Article 10), technical documentation (Article 11), logging (Article 12), transparency (Article 13), human oversight (Article 14) and accuracy, robustness and cybersecurity (Article 15) each need a named responsible person and a deliverable.
- Benchmark against the state of the art. Identify relevant harmonised standards, common specifications and recognised technical practices, and record which ones you applied and why.
- Integrate with existing product compliance where Article 8(2) applies, mapping AI Act deliverables onto the existing technical file structure.
- Run the conformity assessment under Article 43 and only then draw up the EU declaration of conformity and affix the CE marking.
A Concrete Example
Consider a software company offering an AI system that scores loan applicants for creditworthiness. That use case appears in point 5(b) of Annex III, so the system is high-risk. Article 8 tells the company what happens next: it must establish a risk management system, govern its training data, write Annex IV technical documentation, build automatic event logging, draft deployer-facing instructions for use, design effective human oversight and validate accuracy and robustness. Because the system is standalone software rather than a component of an Annex I product, Article 8(2) does not apply, and the company follows the conformity assessment based on internal control under Annex VI in most cases.
How Article 8 Connects to Other Provisions
Article 8 sits inside a chain of obligations. Article 16 requires providers to ensure their high-risk systems comply with Section 2, so a failure under Article 8 is also a failure of Article 16. Article 17 requires a quality management system that operationalises this compliance. Articles 43 and 47 turn compliance into an attested fact through conformity assessment and the EU declaration of conformity. Article 48 makes that fact visible through CE marking, and Article 49 makes it traceable through registration in the EU database. Downstream, Articles 23 to 25 require importers, distributors and other value-chain actors to verify that the provider did this work.
Actions to Take Before August 2, 2026
The requirements activated by Article 8 apply to high-risk AI systems from August 2, 2026, with a longer transition to August 2, 2027 for high-risk systems that are safety components of products under Article 6(1) and subject to existing third-party conformity assessment regimes. Between now and those dates, providers should complete a gap analysis against Articles 9 to 15, assign ownership for each requirement, begin drafting Annex IV documentation early, and decide whether harmonised standards published in support of the AI Act will be used to create a presumption of conformity under Article 40. Organisations that wait for the deadline typically discover that data governance and logging architecture cannot be retrofitted quickly. This article provides general information about Regulation (EU) 2024/1689 and is not a substitute for professional advice on a specific system.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.