v2.4.0

Route Determination (Annex VI, NB, Voluntary)

Three conformity assessment routes: Annex VI internal control (default for most Annex III systems), Annex VII notified body assessment (mandatory for biometric identification for law enforcement under Annex III point 1), and voluntary third-party review (a complement to Annex VI providing independent credibility). See for detailed treatment.

Key outputs

  • Three assessment routes
  • Mandatory NB for biometric identification
  • Voluntary third-party review option

Three Workstreams Summary

Three concurrent assessment workstreams: QMS assessment (Article 17 quality management system evaluated against twelve sub-requirements), technical documentation assessment (AISDP reviewed for completeness, accuracy, and traceability), and evidence verification (evidence pack artefacts verified against AISDP claims). See for detailed treatment.

Key outputs

  • Three concurrent workstreams
  • QMS, technical documentation, and evidence verification
  • Cross-workstream finding consolidation

Five Execution Phases Summary

Five execution phases: Phase 1: assessment planning (scope, schedule, team, criteria). Phase 2: document review (AISDP completeness and consistency). Phase 3: evidence verification (artefact-level testing against claims). Phase 4: finding consolidation and NC classification. Phase 5: determination (conformity confirmed, conditional conformity, or non-conformity). See for detailed treatment.

Key outputs

  • Five sequential execution phases
  • Three possible determination outcomes
  • Non-conformity classification and remediation

NC Severity Summary

Three non-conformity severity levels: Critical: prevents the system from meeting a mandatory requirement; blocks Declaration of Conformity until resolved. Major: significant gap that weakens compliance posture; must be resolved within defined timeline with interim mitigations. Minor: documentation deficiency or process improvement opportunity; resolved through normal governance cycle. See for detailed treatment.

Key outputs

  • Three severity levels (critical, major, minor)
  • Critical blocks Declaration of Conformity
  • Remediation timelines per severity

Notified Body Engagement Summary

Notified body engagement is mandatory for Annex III point 1 (biometric identification for law enforcement) under Annex VII. Voluntary engagement with a recognised assessment body strengthens compliance credibility for other high-risk systems. The engagement process covers selection (NANDO register), scope agreement, assessment execution, certificate issuance, and ongoing surveillance. See for detailed treatment.

Key outputs

  • Mandatory for Annex III point 1
  • Voluntary for other high-risk systems
  • NANDO register for selection