v2.4.0

The Declaration is a formal legal assertion that the system conforms to each applicable requirement at the time of signing. If the system is subsequently found to be non-conforming, the Declaration becomes evidence that the provider either knew or should have known of the non-conformity. A Declaration signed in the face of unresolved non-conformities exposes the signatory to personal liability and the organisation to Tier 3 penalties under Article 99(5) of up to EUR 7.5 million or 1% of global annual turnover for providing misleading information.

The AI Governance Lead, who typically signs the Declaration, must ensure that the internal conformity assessment is complete, all critical non-conformities are resolved, remaining non-conformities have documented remediation plans, and the assessment report supports the Declaration’s claims. The Declaration is not a statement of intent or aspiration; it is a binding commitment.

The signing ceremony should be treated with appropriate gravity. The AI Governance Lead confirms awareness of the legal implications before signing. The Legal and Regulatory Advisor witnesses the signature and confirms the Declaration’s legal sufficiency.

Key outputs

  • Legal significance communicated to signatory
  • Pre-signature confirmation that assessment supports claims
  • Signing ceremony with Legal and Regulatory Advisor review
  • Module 10 AISDP evidence

D&O Insurance Exposure

The AI Governance Lead who signs the Declaration of Conformity may face personal liability if the Declaration is found to be inaccurate. Directors’ and officers’ (D&O) insurance is reviewed by the Legal and Regulatory Advisor to confirm that AI Act compliance decisions fall within the policy’s coverage.

Some D&O policies exclude regulatory fines; the Legal and Regulatory Advisor assesses this exclusion in light of the Article 99 penalty framework. If the policy excludes regulatory penalties, supplementary coverage may be needed, or the organisation may need to negotiate a policy amendment. The D&O review should also consider whether the policy covers defence costs in the event of a competent authority investigation.

The D&O review findings are documented and shared with the AI Governance Lead before the Declaration is signed. The AI Governance Lead should understand their personal exposure and the insurance coverage available before accepting the signing responsibility.

Key outputs

  • D&O policy review for AI Act coverage
  • Regulatory fine exclusion assessment
  • Personal exposure communicated to signatory before signing
  • Module 10 AISDP documentation

Professional Indemnity & Product Liability

The revised Product Liability Directive includes software and AI systems within its scope. Defective AI system outputs that cause damage to individuals may give rise to product liability claims. The provider’s product liability insurance is reviewed by the Legal and Regulatory Advisor to confirm that AI system outputs are within scope and that policy limits are adequate for the system’s deployment scale.

For SaaS-based high-risk AI systems, professional indemnity insurance may be more relevant than product liability. The policy should cover claims arising from fairness deficiencies, inaccurate outputs, and failures of human oversight mechanisms. The Legal and Regulatory Advisor assesses whether existing coverage extends to AI-specific failure modes or whether supplementary coverage is needed.

The insurance review should also consider cyber insurance coverage for AI-specific incidents (model extraction, data poisoning, adversarial attacks), which may fall outside traditional cyber policies. The organisation confirms that cyber insurance covers AI-specific incident types and that the policy’s incident response provisions align with the AI Act incident response plan.

Key outputs

  • Product liability review for AI system output coverage
  • Professional indemnity review for SaaS-based systems
  • Cyber insurance review for AI-specific incident types
  • Module 10 AISDP documentation

Insurance Review Before Signing

The Legal and Regulatory Advisor conducts the insurance review during Phase 3 (Architecture and Design) of the delivery process, when the system’s risk profile is sufficiently defined to inform the coverage assessment. The review covers D&O, product liability, professional indemnity, and cyber insurance across four dimensions: coverage scope (do the policies cover AI Act-related claims?), exclusions (are regulatory fines, AI-specific incidents, or compliance decisions excluded?), policy limits (are the limits adequate for the system’s deployment scale and penalty exposure?), and notification requirements (do the policies require early notification of potential claims, and are the organisation’s incident response procedures aligned with these requirements?).

The review findings are documented and shared with the AI Governance Lead and the organisation’s risk management function. Any coverage gaps are escalated as risk register entries. The insurance review is completed before the Declaration of Conformity is signed, ensuring the signatory understands the insurance protection available.

Key outputs

  • Four-dimension insurance review (scope, exclusions, limits, notification)
  • Completed during Phase 3 before Declaration signing
  • Coverage gaps escalated to the risk register
  • Module 10 AISDP documentation