D3. Non-Conformity Register Records all non-conformities identified during assessment, classified by severity (critical, major, minor). Each entry records the finding, severity, root cause analysis, corrective action plan, assigned owner, deadline, and verification step confirming corrective action effectiveness. Critical non-conformities must be fully resolved before the Declaration can be signed; major non-conformities must have approved remediation plans. The register is also used during operational life for PMM findings, vulnerability SLA breaches, and audit findings. Responsible party: Conformity Assessment Coordinator maintains. AI Governance Lead reviews before Declaration signing. Regulations addressed: Article 43 (conformity assessment); Annex VI (internal control); Article 17 (QMS, non-conformity management). Key outputs

• Per-finding severity classification with root cause
• Corrective action tracking with verification
• Pre-Declaration clearance status