Phase 6: Registration & Deployment — Owner & Outputs
Phase 6 runs during Weeks 20 to 22. The Conformity Assessment Coordinator owns this phase.
The objective is to register the system in the EU database, affix the CE marking, and deploy to production. The Coordinator registers the provider and system in the EU database under Article 71, submitting the Annex VIII information. For multi-jurisdiction deployments, registration information reflects all deployment member states. Systems in sensitive domains (law enforcement, migration, border control) are registered in the secure, non-public section. The CE marking is affixed to the user interface and accompanying documentation.
Deployment follows the CI/CD pipeline’s compliance controls: staging validation, canary or shadow deployment, a human approval gate, and deployment logging. The AI Governance Lead reviews validation results and authorises production deployment for the initial release. The deployment event is recorded in the immutable deployment ledger.
Deployers are provided with the Instructions for Use (Article 13), which include the system’s intended purpose, capabilities and limitations, performance characteristics, human oversight requirements, and maintenance obligations. These instructions must be specific enough that deployers understand the residual risks they are inheriting and the compensating controls they should apply.
Key outputs
- EU database registration confirmation
- CE marking evidence (screenshots in UI and documentation)
- Deployment ledger entry
- Deployer communication records (Instructions for Use)
- Signed Declaration of Conformity (filed with the AISDP)
Phase 6: Governance Gate (Registration & CE Verification)
Phase 6 concludes with a three-part governance gate. First, EU database registration must be confirmed. The Conformity Assessment Coordinator verifies that the registration is complete and accurate, covering all deployment jurisdictions. Second, CE marking is verified. The marking must be visible, legible, and indelible on the system’s user interface and documentation, and must comply with Article 48’s requirements. Third, production deployment must be authorised and logged.
Registration under Article 71 is a mandatory precondition for placing a high-risk system on the market. The database is publicly accessible (with the exception of the restricted section for sensitive domains), and the information submitted becomes a matter of public record. Inaccurate registration data is a Tier 3 violation under the penalty framework, carrying fines of up to EUR 7.5 million or 1% of turnover.
CE marking under Article 48 is the provider’s visible declaration that the system conforms to all applicable requirements. It is affixed only after the conformity assessment is complete and the Declaration of Conformity is signed. Affixing the CE marking without a completed conformity assessment is itself a non-compliance finding.
The deployment authorisation confirms that the system deployed to production matches the system that passed conformity assessment. The immutable deployment ledger provides the traceability link between the assessed artefacts and the production deployment.
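The traceability link described above, as an added example that is not part of the original page or of any project's code: a hash-chained ledger that refuses to record a deployment whose artefact digests differ from the assessed baseline. The SHA-256 hash chain, the field names and the sample artefacts are assumptions; the page does not specify how the ledger is built.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed back-link value for the first entry

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def _entry_hash(body: dict) -> str:
    # Canonical JSON so the same entry always hashes to the same value.
    return digest(json.dumps(body, sort_keys=True, separators=(",", ":")).encode())

def append_entry(ledger, release, deployed, approver, assessed):
    """Record a deployment; reject artefacts that differ from the assessed set."""
    drift = sorted(n for n in set(deployed) | set(assessed)
                   if deployed.get(n) != assessed.get(n))
    if drift:
        raise ValueError(f"differs from assessed baseline: {drift}")
    body = {"seq": len(ledger), "release": release, "artefacts": deployed,
            "approver": approver, "prev": ledger[-1]["hash"] if ledger else GENESIS}
    ledger.append({**body, "hash": _entry_hash(body)})
    return ledger[-1]

def verify_ledger(ledger):
    """Return the index of the first broken entry, or -1 if the chain is intact."""
    prev = GENESIS
    for i, entry in enumerate(ledger):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry["prev"] != prev or entry["seq"] != i or _entry_hash(body) != entry["hash"]:
            return i
        prev = entry["hash"]
    return -1

# Constructed sample: digests of the artefacts that passed conformity assessment.
ASSESSED = {"model.bin": digest(b"weights-v1"), "config.yaml": digest(b"threshold: 0.7")}

def demo():
    ledger = []
    append_entry(ledger, "1.0.0-canary", dict(ASSESSED), "ai-governance-lead", ASSESSED)
    append_entry(ledger, "1.0.0", dict(ASSESSED), "ai-governance-lead", ASSESSED)
    intact = verify_ledger(ledger)
    drifted = {**ASSESSED, "config.yaml": digest(b"threshold: 0.5")}
    try:
        append_entry(ledger, "1.0.1", drifted, "ai-governance-lead", ASSESSED)
        rejected = False
    except ValueError:
        rejected = True
    ledger[0]["approver"] = "unknown"  # simulated after-the-fact edit
    return intact, rejected, verify_ledger(ledger)
```

A hash chain only makes edits detectable; for the record to count as immutable, the latest entry hash has to be held somewhere the ledger writer cannot rewrite.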
Key outputs
- Verified EU database registration
- CE marking verification record
- Authorised production deployment record
Phase 6: Per-Jurisdiction Deployment Checklist
Organisations deploying across multiple member states face coordination challenges that compound with each additional jurisdiction. Although the AI Act is a regulation applying uniformly, the implementation ecosystem (competent authorities, guidance documents, inspection practices, enforcement priorities) varies by member state.
For each deployment jurisdiction, the following actions are required before deployment. The Legal and Regulatory Advisor identifies the national competent authority and market surveillance authority, reviews jurisdiction-specific guidance for conflicts with the existing compliance posture, and translates the Declaration of Conformity if the member state requires it. The Conformity Assessment Coordinator translates Instructions for Use into the member state’s official language and verifies that EU database registration covers the new jurisdiction. The AI Governance Lead pre-identifies the serious incident reporting channel for the member state.
At deployment, the AI Governance Lead briefs deployers in the new jurisdiction on their Article 26 obligations, and the Legal and Regulatory Advisor adds the jurisdiction to the quarterly guidance monitoring cycle. Additional considerations include pre-translating incident report templates where authorities require the national language, confirming data residency and sovereignty compliance for the jurisdiction, and managing divergent interpretive guidance across member states.
A single internal coordination point, typically the Conformity Assessment Coordinator, maintains a register of all relevant authorities across deployment jurisdictions. This register captures the competent authority, market surveillance authority, data protection authority, sector-specific regulators, published guidance, and preferred communication channels for each member state.
Key outputs
- Per-jurisdiction deployment checklist (completed)
- Jurisdiction register
- Translated Instructions for Use and Declarations of Conformity