Governance
Risk classification, conformity assessment, notified bodies, QMS framework, CE marking, regulator interaction, and multi-jurisdiction deployment.
127 articles in this section
1.
Risk Assessment (S.2)
Risk assessment under the EU AI Act begins with classification and extends through identification, scoring, mitigation,…
2.
Risk Classification
Four-Tier Framework Overview…
3.
Four-Tier Framework Overview
The EU AI Act establishes a four-tier risk classification framework that determines the obligations attaching to each…
4.
Tier 1: Prohibited Practices (Art. 5) — Seven Categories & Immediate Cessation
Article 5 prohibits eight categories of AI practice. Subliminal, manipulative, or deceptive techniques that materially…
5.
Tier 2: High-Risk (Annex III) — Eight Domains
Annex III defines eight domains within which AI systems are classified as high-risk. Biometrics covers remote biometric…
6.
Tier 2: Annex I Safety Components
AI systems that constitute safety components of products governed by Annex I harmonisation legislation are classified…
7.
Tier 2: Full Obligation Set (AISDP, Conformity Assessment, CE, EU DB)
High-risk systems (whether Annex III…
8.
Tier 3: Limited Risk (Art. 50) — Transparency Obligations
Systems triggering Article 50 transparency obligations include chatbots and conversational AI (which must inform users…
9.
Tier 4: Minimal Risk — Baseline AISDP Only
Systems that do not trigger any prohibited practice, high-risk classification, or Article…
10.
Article 6(3) Exception Assessment
Art. 6(3) Functional Criterion Article 6(3) allows certain systems that would otherwise be classified as high-risk to…
11.
Classification Decision Record
CDR Content The Classification Decision Record (CDR) is the formal artefact documenting the system's risk tier…
12.
Reclassification Triggers
A system that has drifted from its intended purpose into a higher-risk domain since classification requires…
13.
Five-Method Risk Identification
FMEA — Structured Failure Mode Analysis Failure Mode and Effects Analysis (FMEA), following the IEC 60812 framework, is…
14.
Risk Scoring & Calibration
Four Scoring Dimensions Risks are scored using a likelihood-impact matrix. Impact is assessed against four dimensions:…
15.
Reputational Risk Assessment
Five Reputational Risk Dimensions Reputational risk, though not explicitly within the AI Act's scope, is among the most…
16.
Residual Risk & Acceptability
Operationalising "As Far As Possible" Article 9(4) requires that risks be eliminated or reduced "as far as possible…
17.
Fundamental Rights Impact Assessment
FRIA Scope & EU Charter Rights Article 27 requires…
18.
Risk Assessment for Specific Categories
Note: Awaiting content from a subsequent batch (v13).
19.
GPAI Model Risk Assessment
Note: Awaiting content from a subsequent batch (v13).
20.
Iterative Risk Management
Note: Awaiting content from a subsequent batch (v13).
21.
Risk Assessment Artefacts
Note: Awaiting content from a subsequent batch (v13).
22.
Conformity Assessment (S.9)
Conformity assessment is the process by which the provider demonstrates that the high-risk AI system meets the…
23.
Annex VI Internal Assessment
Note: Awaiting content from a subsequent batch (v13).
24.
Assessment Execution Methodology
Phase 5: Synthesis & Reporting Phase 5 consolidates…
25.
Pre-Assessment Readiness
Evidence Currency — 60-Day Maximum & Staleness Tracking Evidence artefacts have a freshness requirement: each artefact…
26.
Assessor Independence & Competence
Conflict of Interest Declarations Each assessor participating in the internal conformity…
27.
Non-Conformity Management
Critical NC — Definition & Effect A critical non-conformity indicates a fundamental failure to meet a requirement that…
28.
Notified Bodies
When NB Required…
29.
When NB Required
Article 43(1) establishes the conformity assessment…
30.
NB Evidence Pack
Notified body documentation expectations are materially more demanding than for internal assessment. Where internal…
31.
Data Access Protocol
Annex VII points 4.3 and 4.5 grant the notified body access to training, validation, and testing datasets, and to…
32.
Annex VII Procedural Mapping
Annex VII establishes a five-point sequence running from initial application through ongoing surveillance. The…
33.
Interaction Protocol
A formal interaction protocol is established with the notified body before the assessment begins. The protocol covers…
34.
Fee Structures & Budget
Notified body…
35.
Timeline Planning
Timeline planning accounts for the full assessment lifecycle. Pre-engagement (body selection, scope agreement, contract…
36.
Annex I Product Integration — Three Coordination Models
For AI systems that are safety components of products covered by Annex I harmonisation legislation, the conformity…
37.
Maintaining NB Certification
Notified body certification is not permanent. Article 44 provides for periodic reassessment, and the notified body may…
38.
Multi-System Assessment
Multi-System Assessment Coordination Organisations with multiple high-risk AI systems coordinate their assessments to…
39.
Continuous Assessment & Surveillance
Continuous Assessment & CI/CD as Continuous Checking The internal conformity…
40.
Assessment Tools & Technology
Note: This topic is covered within the parent article. See the full QMS Framework…
41.
QMS Framework
ISO 42001:2023 — Foundation…
42.
ISO 42001:2023 — Foundation
ISO/IEC 42001:2023 (Artificial Intelligence Management System) provides the most directly relevant framework for the…
43.
Document Control
Document control requires that every AISDP module, procedure, and evidence artefact has a defined owner, a version…
44.
Change Management (S.6 Integration)
Change management requires that every change to the system, whether to code, data, model, configuration, or…
45.
Non-Conformity Management
When a gap between the system's actual state and its declared compliance state is identified, whether through…
46.
Continual Improvement
Continual improvement requires mechanisms for learning from incidents, assessment findings, and operational experience,…
47.
Procedural Alternative for Small Portfolios
A QMS is fundamentally a set of documented procedures, not a software platform. ISO…
48.
Conformity Assessment Artefacts
Internal Assessment Report…
49.
Internal Assessment Report
The Internal Assessment Report is the formal output of the conformity…
50.
Non-Conformity Register
The Non-Conformity Register…
51.
Evidence Register
The evidence register…
52.
Assessment Checklist
The completed assessment checklist…
53.
Assessor Independence & Competence Records
The assessor records archive contains the conflict of interest declarations, the competence evidence (qualifications,…
54.
Assessment Plan
The Assessment Plan is prepared before the assessment begins and approved by the AI Governance…
55.
Stakeholder Interview Records
The stakeholder interview records from Phase 4 of the assessment are retained as evidence. Each record documents the…
56.
Certification, Standards & Legal (S.10)
Certification, standards, and legal obligations intersect to define the compliance pathway for high-risk AI systems.…
57.
Harmonised Standards Landscape
CEN/CENELEC JTC 21 CEN/CENELEC Joint Technical Committee 21 (JTC 21) is responsible for developing the harmonised…
58.
CE Marking (Art. 48)
Affixation Requirements Article 48 requires high-risk AI systems to bear the CE marking after the Declaration of…
59.
Declaration of Conformity
Eight Mandatory Content Points Annex V specifies eight mandatory content points for the Declaration of Conformity.…
60.
Liability & Insurance
Legal Significance — Binding Statement & Personal Exposure The Declaration is a formal legal assertion that the system…
61.
Assessment Failure Pathways
Remediation & Re-Assessment Remediation and re-assessment is the most common pathway when the conformity…
62.
Regulator Interaction & Registration (S.11)
Regulator interaction spans the full lifecycle of a high-risk AI system, from initial EU database…
63.
EU Database Registration
Provider Registration (Art. 49(1), Annex VIII-A)…
64.
Provider Registration (Art. 49(1), Annex VIII-A)
Providers of high-risk systems under Annex III…
65.
Non-High-Risk Provider Registration (Art. 49(2), Annex VIII-B)
Providers who have concluded under Article 6(3)…
66.
Deployer Registration (Art. 49(3), Annex VIII-C)
Public authority deployers (or persons acting on their behalf) register themselves and their use of the system. Section…
67.
Real-World Testing Registration (Art. 60, Annex IX)
Article 60 permits providers to test high-risk Annex III…
68.
Sensitive Domains — Non-Public Section
High-risk AI systems under Annex III…
69.
Multi-Jurisdiction Registration
The EU database is a single European database; a provider's registration covers the EU market. The coordination…
70.
Registration Data Quality Assurance
The EU database registration is publicly accessible; errors are visible to authorities, deployers, affected persons,…
71.
Keeping Registration Current
Updates on Material Changes & Version Alignment The AI Act requires registration information to be kept up to date…
72.
AI Office & European-Level Oversight
AI Office Functions The European AI Office coordinates the consistent application of the AI Act across member states.…
73.
National Competent Authority Landscape
NCA Maturity Levels National competent authorities are at varying stages of operational readiness as of early 2026.…
74.
Regulatory Sandbox
Strategic Benefits & Practical Considerations (Regulatory Sandbox) Sandbox participation provides direct regulatory…
75.
Inspection Readiness
Readiness Capability — AISDP Retrieval & Drills The organisation maintains an "inspection-ready" posture at all times.…
76.
Multi-Jurisdiction Deployment
Language & Translation…
77.
Language & Translation
Different compliance documents have different language requirements. The AISDP itself is maintained in the provider's…
78.
Jurisdiction-Specific Guidance & Quarterly Monitoring
The Legal and Regulatory Advisor maintains a jurisdiction register capturing, for each deployment member state, the…
79.
Deployer Communications per Member State
Deployers in different member states may have different expectations, capabilities, and legal obligations under…
80.
Incident Reporting Across Borders
A serious incident under Article 73 must be reported to the market…
81.
Data Sovereignty Constraints
Multi-jurisdiction deployment…
82.
Mutual Recognition & Single Market
The AI Act is a Regulation, meaning it applies directly and uniformly across all member states without requiring…
83.
Third-Country Providers — Authorised Representative (Art. 22)
Providers established outside the EU who place AI systems on the EU market must appoint an authorised representative…
84.
Per-Jurisdiction Deployment Checklist
Each additional deployment jurisdiction requires a structured pre-deployment checklist. The eight steps, each completed…
85.
Multi-Jurisdiction Cost Implications & Phased Rollout
Multi-jurisdiction deployment…
86.
Conflicting Guidance
Identifying, Resolving & Documenting Conflicting Positions In the early implementation period, conflicting guidance…
87.
Enforcement & Penalties
Penalty Tiers (Art. 99) Article 99 establishes three penalty tiers calibrated to violation severity. Tier 1 covers…
88.
Communication Protocols
Proactive Engagement & Consistent Messaging Organisations should introduce themselves to relevant competent authorities…
89.
Regulator Interaction Artefacts
EU Database Registration Confirmation…
90.
EU Database Registration Confirmation
The EU database registration confirmation is retained as Module 10 evidence. It documents the registration date, the…
91.
Real-World Testing Registration
Where real-world testing was conducted under Article 60, the registration and associated documentation are retained:…
92.
Deployer Communication Records
The deployer communication records archive documents all provider-to-deployer communications: Instructions for Use…
93.
Inspection Readiness Drill Records
The drill records archive documents each annual inspection rehearsal: the date, the mock inspector team, the requests…
94.
NCA Engagement Log
The NCA engagement log archive is the master record of all regulatory interactions. It is retained for the ten-year…
95.
Translation Records
The translation records archive documents each translation commissioned: the source document, target language,…
96.
Multi-Jurisdiction Checklist
Completed per-jurisdiction deployment checklists are retained as Module 10 evidence, documenting that all…
97.
Conflicting Guidance Position Papers
Where conflicting member state guidance was identified and a position adopted, the position paper documents the…
98.
End-to-End Technical Delivery (S.14)
End-to-end technical delivery translates the AISDP…
99.
Seven-Phase Delivery Framework
Phase 1: Discovery & Classification (Weeks 1–3)…
100.
Phase 1: Discovery & Classification (Weeks 1–3)
Phase 1 determines whether the system falls within the AI Act's scope, classifies its risk tier, and produces the…
101.
Phase 2: Risk Assessment & FRIA (Weeks 2–6)
Phase 2 conducts the comprehensive risk assessment that informs all subsequent design and development decisions. The…
102.
Phase 3: Architecture & Design (Weeks 4–8)
Phase 3 designs the system architecture informed by the risk assessment…
103.
Phase 4: Development & Testing (Weeks 6–18)
Phase 4 builds the system in accordance with the approved architecture, with compliance evidence generated as a natural…
104.
Phase 5: Pre-Deployment Validation (Weeks 16–20)
Phase 5 validates the complete system in a production-representative environment and compiles the AISDP. The system is…
105.
Phase 6: Registration & Deployment (Weeks 20–22)
Phase 6 registers the system in the EU database, affixes the CE marking…
106.
Phase 7: Operational Monitoring (Ongoing)
Phase 7 maintains the system's compliance posture throughout its operational lifetime. The PMM system operates…
107.
Agile Adaptation
Sprint-Level Compliance Activities The compliance framework integrates with agile practices rather than imposing a…
108.
Brownfield Compliance
Gap Assessment — Per Module…
109.
Gap Assessment — Per Module
Many organisations must bring existing AI systems into compliance. The first step for brownfield…
110.
Documentation Reconstruction — Transparent Labelling
For brownfield system…
111.
Retrofitting Version Control — Baseline Capture
Systems that were not developed under version control can be brought into the framework from the current point forward.…
112.
Retrofitting Testing — Comprehensive Retrospective
Systems that were not subject to the full test suite described in undergo comprehensive retrospective testing. This…
113.
Phased Compliance (A: Critical, B: Documentation, C: Infrastructure)
Brownfield compliance…
114.
Milestones Before August 2026
The August 2026 deadline applies to the Chapter 2 requirements (Articles 8–15) and the conformity…
115.
Parallel Track Coordination
Portfolio Prioritisation — Four Axes Organisations with multiple high-risk systems cannot address all systems…
116.
Organisational Roles
AI Governance Lead — Responsibilities & Authority…
117.
AI Governance Lead — Responsibilities & Authority
The AI Governance Lead holds ultimate accountability for the organisation's AI compliance programme. Responsibilities…
118.
AI System Assessor — Classification, AISDP, Independence
The AI System Assessor conducts discovery, classification, risk assessment…
119.
Conformity Assessment Coordinator — Gates, Evidence, Registration
The Conformity Assessment…
120.
Technical SME — Risk, Architecture, Testing
The Technical SME provides engineering evidence: architecture documentation, model evaluation results, data…
121.
Legal & Regulatory Advisor — Provider Boundary, IP, Cross-Regulatory
The Legal and Regulatory Advisor reviews evidence for legal sufficiency, advises on novel or ambiguous regulatory…
122.
Classification Reviewer — Independent CDR Validation
The Classification Reviewer independently reviews the AI System…
123.
Internal Audit Assurance Lead — Annual Audit
The Internal Audit Assurance Lead provides independent verification that the certification process was followed…
124.
DPO Liaison — DPIA & Special Category Data
The DPO Liaison confirms that data governance documentation is consistent with GDPR obligations, verifies that DPIAs…
125.
Resource Estimation
FTE per System Resource estimation for a single medium-complexity high-risk system typically requires approximately 0.5…
126.
Delivery Artefacts
Programme Plan & Milestone Calendar The programme plan documents the seven-phase…
127.
Multi-System & Continuous Assessment
This section covers the following topics: Multi-System Assessment…