EU AI Act FAQ

What is a conformity assessment for AI?

Quick answer

A conformity assessment is the process by which a high-risk AI system is checked against the requirements of the EU AI Act before it is placed into service. The assessment evaluates: whether the system meets accuracy and robustness standards, whether the required technical documentation exists, whether the risk management system is adequate, whether human oversight mechanisms are in place, and whether the system meets transparency requirements. Some conformity assessments can be conducted internally; others require a third-party notified body.

What a conformity assessment involves

A conformity assessment for a high-risk AI system under the EU AI Act is a structured evaluation that covers five areas.

Accuracy, robustness, and cybersecurity: the system must be tested to demonstrate it performs at the level specified in its technical documentation under normal and reasonably foreseeable conditions, and that it is resilient against attempts to manipulate its outputs.

Technical documentation: the assessment verifies that the required documentation exists — the design specifications, training data descriptions, testing methodology, performance metrics, and operational requirements that the Act mandates.

Risk management: the assessment reviews whether the provider's risk management system covers the full lifecycle of the AI system, identifies known and foreseeable risks, and specifies residual risk levels.

Human oversight: the assessment checks that the system includes adequate interface features for oversight and that the oversight mechanisms described in the instructions for use are genuine and operable.

Transparency: the assessment verifies that the instructions for use are adequate for deployers to understand the system's purpose, limitations, and oversight requirements.

When a notified body is required

Under the EU AI Act, most conformity assessments for high-risk AI systems can be conducted as internal assessments by the provider — the provider assesses its own system against the Act's requirements, documents the assessment, and draws up the EU declaration of conformity. However, for certain high-risk AI systems — primarily those in biometric identification and categorisation — third-party assessment by a notified body (an accredited conformity assessment organisation) is mandatory. The Act also allows Member States to require third-party assessment for additional categories, and some sectoral regulators may impose equivalent requirements through their own frameworks. For Irish organisations deploying high-risk AI systems built by others, the key question is whether the provider has completed the conformity assessment — this should be confirmed in the procurement or vendor contract process. Deployers cannot assume a system is compliant without documentary evidence of a completed assessment.
