Remediation & Re-Assessment
Remediation and re-assessment is the most common pathway when the conformity assessment identifies non-conformities that cannot be resolved within the planned timeline. The non-conformities are remediated, the affected AISDP modules updated, and the remediated areas re-assessed. A full re-assessment is not necessary unless the remediation affected the system’s architecture or intended purpose; the AI System Assessor scopes the re-assessment to the remediated areas.
This pathway is appropriate when the non-conformities are bounded and the remediation is technically feasible within a reasonable timeframe. The Conformity Assessment Coordinator tracks each non-conformity through the remediation workflow, with the assessor verifying each remediation before the assessment can conclude.
Assessment failure should be treated as a normal part of the compliance process, not as a crisis. Organisations undertaking AISDP preparation for the first time should expect at least one remediation cycle. The assessment timeline should include contingency for remediation.
Key outputs
- Scoped re-assessment of remediated areas
- Non-conformity remediation tracked through standard workflow
- Contingency time built into the assessment timeline
- Module 6 AISDP documentation
Deployment Deferral — Fundamental Issues
If non-conformities are fundamental (where the system’s architecture does not support required human oversight, the training data cannot be shown to be representative, or the model’s explainability is insufficient for the deployment context), remediation may require rearchitecture or redevelopment. The system cannot be deployed until the fundamental issues are resolved.
The AI Governance Lead communicates the deferral to the Business Owner, including the deployment timeline impact, the resource requirements for remediation, and the business case for proceeding with remediation versus alternative approaches. Deployment deferral is a significant business decision. Deploying a non-conforming system carries greater risk than deferral: Tier 2 penalties of up to EUR 15 million or 3% of global turnover, reputational harm, and potential enforcement action.
The deferral decision is documented in the Assessment Report with the specific non-conformities that triggered it, the remediation plan, and the revised timeline. The AISDP is updated to reflect the system’s deferred status.
Key outputs
- Deployment deferral for fundamental non-conformities
- Business impact communication to Business Owner
- Documented remediation plan with revised timeline
- Module 6 AISDP documentation
System Withdrawal — Irremediable Within Constraints
If non-conformities are irremediable within the system’s economic or technical constraints, the system may need to be withdrawn from AISDP preparation entirely. This may lead to decommissioning the system, replacing it with an alternative that can achieve conformity, or reclassifying the system if the assessment reveals that the actual risk profile differs from the initial classification.
The AI Governance Lead documents the withdrawal decision with the rationale, the non-conformities that triggered it, and the alternatives considered. The withdrawal record is retained in the AISDP evidence pack. If the system was already operational (a brownfield system undergoing retrospective compliance), the withdrawal triggers the end-of-life procedures described above, including deployer notification, EU database status update, and ongoing documentation retention.
System withdrawal is a governance outcome, not a failure. A system that cannot achieve conformity should not be forced into compliance theatre.
Key outputs
- Documented withdrawal decision with rationale and alternatives
- Decommissioning, replacement, or reclassification pathway
- End-of-life procedures triggered for operational systems
- Module 6 AISDP evidence
Notified Body Rejection — Budget for 2–3 Cycles
For systems subject to third-party conformity assessment, the notified body may decline to certify. A rejection carries greater consequence than internal assessment failure: the rejection is documented in the body’s records and may be communicated to the competent authority, and for mandatory assessments (biometric identification under Annex III, point 1) the provider cannot self-certify as an alternative.
When a notified body identifies non-conformities, it typically provides a detailed report specifying the deficiencies. The provider treats this report as a remediation plan, addresses each deficiency, and resubmits. Multiple rounds of review and remediation are common. Organisations should budget for at least two to three assessment cycles when planning for notified body engagement.
The financial and timeline implications of a rejection are significant. Each additional cycle adds weeks to the timeline and incremental fees. The assessment timeline and budget should include contingency for rejection and resubmission.
Key outputs
- Notified body rejection treated as remediation opportunity
- Detailed deficiency report as remediation plan
- Budget and timeline contingency for 2–3 assessment cycles
- Module 6 AISDP documentation