
EU AI Act Conformity Assessment: What to Do When the Infrastructure Isn’t Ready

Four months from the August 2, 2026 deadline, the conformity assessment infrastructure the EU AI Act depends on does not exist. No harmonised standards have been published in the Official Journal. No notified bodies are formally designated in the NANDO database for AI Act assessments. The common specifications the Commission can adopt as a fallback under Art. 41 have not been issued.

This matters because EU AI Act conformity assessment under Art. 43 of Regulation (EU) 2024/1689 was designed to work with these systems. Harmonised standards would give providers a clear recipe: follow the standard, get the presumption of conformity. Without them, every high-risk AI provider must demonstrate compliance directly against the regulation text. That is harder, slower, and more expensive than the process the Commission envisioned.

This guide covers the conformity assessment as it actually stands in April 2026 — not as the law imagined it would be.


Who Must Complete a Conformity Assessment?

Every provider of a high-risk AI system classified under Art. 6. That means systems listed in Annex III (biometrics, critical infrastructure, education, employment, essential services, law enforcement, migration, justice) and safety components of products listed in Annex I (medical devices, machinery, toys, aviation, vehicles).

The assessment must be completed before placing the system on the EU market or putting it into service. Not during deployment. Not retroactively. Before. A system deployed without a conformity assessment is non-compliant from day one, carrying Tier 2 penalties of up to EUR 15 million or 3% of global turnover.


Which Path Applies to Your System?

Art. 43 creates two conformity paths. Most providers will qualify for the simpler one. But the missing harmonised standards are forcing some systems onto the harder path.

Annex VI — Self-Assessment (Internal Control)

Available for Annex III categories 2 through 8: employment, education, essential services, law enforcement, migration, justice, and democratic processes. The provider verifies its own compliance. No external body reviews the work. You audit your quality management system against Art. 17, confirm your technical documentation meets Annex IV requirements, verify testing results, and issue your own EU Declaration of Conformity.

This path is cheaper and faster. It is also entirely on you. If a market surveillance authority later finds your self-assessment inadequate, the consequences are yours alone.

Annex VII — Third-Party Assessment (Notified Body)

Required for Annex III category 1 (biometric identification and categorization) when harmonised standards are not fully applied. Also required for certain law enforcement and immigration systems where the market surveillance authority itself acts as the notified body under Art. 74(8)/(9).

Here is the problem nobody is discussing openly: since no harmonised standards have been published, every biometric AI system currently falls into the mandatory third-party path. There is no self-assessment shortcut for biometrics until standards are finalized, published in the Official Journal, and applied by the provider. That sequence will not complete before August 2026.

Cost difference: Self-assessment runs EUR 20-50K in internal effort depending on system complexity and existing documentation. Third-party assessment runs EUR 50-150K or more, including notified body fees, remediation cycles, and the time cost of external coordination.


What Does “No Harmonised Standards” Actually Mean for You?

Art. 40 of the AI Act creates a “presumption of conformity.” If your system complies with a harmonised standard covering a specific requirement, you are presumed to meet that requirement. This simplifies enforcement: the standard is the benchmark, and compliance with it is a defensible position.

Without harmonised standards, there is no presumption. You must build your own compliance case for each requirement — risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11), record-keeping (Art. 12), transparency (Art. 13), human oversight (Art. 14), and accuracy, robustness, cybersecurity (Art. 15) — using your own methodology, validated by your own testing.

Status of key standards as of April 2026:

| Standard | Scope | Status | Expected Finalization |
|---|---|---|---|
| prEN 18286 | Core AI trustworthiness framework | Failed Enquiry vote (Feb 2026), 1,288 comments; scope amended Mar 2026; re-vote pending | 2027 at earliest |
| CEN-CENELEC JTC 21 working groups | 10 requirement areas (Art. 9-15, Art. 17, Art. 43) | Active development | Various, 2026-2027 |
| ISO/IEC 42001 | AI management systems | Published | Available now, but does NOT create EU presumption of conformity |

The Commission has a fallback: Art. 41 allows it to adopt “common specifications” by implementing act when standards are delayed. As of April 2026, it has not used this power. If it does, common specifications would give providers a compliance benchmark — not identical to harmonised standards, but better than nothing.

Until then, compliance is a judgment call documented in your technical file. That judgment will be tested only when a market surveillance authority reviews it.


The Notified Body Shortage

For systems requiring the Annex VII path, you need an accredited notified body. The AI Act requires Member States to designate these bodies through their national notifying authorities (Art. 31). The designated bodies are listed in the EU’s NANDO database.

As of April 2026, zero notified bodies are formally designated in NANDO for AI Act conformity assessments. Designation processes are underway in multiple Member States, but capacity is limited and timelines uncertain.

One partial solution exists for healthcare AI: medical device notified bodies already designated under the Medical Devices Regulation (MDR) may assess AI Act requirements under Art. 31(4)/(5)/(10)/(11), provided they meet additional verification requirements. This is currently the fastest path to third-party assessment for health sector AI.

Notified body certificates are valid for four years and renewable. Fees must be proportionate to the size of the provider, with reduced fees for SMEs (Art. 33(4)).

If your biometric AI system needs a notified body and you have not started the engagement process, the capacity constraints will only worsen as August 2026 approaches.


The 9-Step Process — What You Can Start Today

Every step except step 8 (for Annex VII systems) can begin immediately.

| Step | Action | Depends On | Effort | Start Now? |
|---|---|---|---|---|
| 1 | Classify your system under Art. 6 | Nothing | 1-2 weeks | Yes |
| 2 | Determine conformity path (Annex VI or VII) | Step 1 | 1 day | Yes |
| 3 | Establish or audit QMS against Art. 17 (13 elements) | Step 1 | 2-4 months | Yes |
| 4 | Prepare technical documentation per Annex IV | Step 3 | 2-6 months | Yes |
| 5 | Implement risk management system (Art. 9) | Step 3 | Ongoing | Yes |
| 6 | Implement data governance (Art. 10) | Step 3 | 2-3 months | Yes |
| 7 | Conduct testing and validation | Steps 4-6 | 1-3 months | Yes; start designing test protocols |
| 8 | Complete assessment (self-audit or notified body) | Steps 3-7 | 1-3 months | Annex VI: yes. Annex VII: depends on body availability |
| 9 | Issue EU Declaration of Conformity, affix CE marking, register in EU database | Step 8 | 1 week | After assessment complete |

The constraint is not the law. Steps 1 through 7 have no external dependency. The organizational willingness to start before the infrastructure is perfectly clear is what separates companies that will be compliant in August 2026 from those scrambling for extensions.


What Does This Actually Cost?

No competitor publishes cost estimates. These are directional, based on EU product safety conformity assessment precedent, medical device certification costs, and early AI governance consulting rates. They are not quotes.

| Company Profile | Systems | Path | Estimated Cost | Timeline |
|---|---|---|---|---|
| Health AI startup (50 people) | 1 radiology AI | Annex VII | EUR 80-150K | 6-9 months |
| HR tech company (200 people) | 2 recruitment AI, 1 low-risk | Annex VI | EUR 40-80K per system | 4-6 months |
| Financial services (1,000 people) | 5 credit scoring + fraud AI | Annex VI | EUR 150-300K total | 6-12 months |
| Global tech (50+ AI systems) | 15+ across Annex III areas | Mixed VI + VII | EUR 500K-2M+ | 12-18 months |

The largest cost driver is technical documentation (Annex IV). Systems with existing model cards, test records, and data governance documentation will spend less. Systems built without documentation discipline will spend months reconstructing what should have been recorded during development.


Is ISO 42001 Certification Enough?

No. It is a head start — roughly 40-60% overlap with AI Act requirements — but it is not sufficient.

What ISO 42001 covers: Organizational governance, AI risk management processes, roles and responsibilities, policy frameworks, continuous improvement cycles.

What ISO 42001 does NOT cover:

  • Annex IV technical documentation specifics (system architecture, training data provenance, validation methodology, accuracy metrics)
  • Art. 10 data governance requirements (training data quality assessment, bias examination, representativeness testing)
  • Art. 15 accuracy, robustness, and cybersecurity metrics specific to your system
  • CE marking and the EU Declaration of Conformity
  • Registration in the EU database under Art. 49

ISO 42001 also does not create a “presumption of conformity” under EU law. It is an international standard, not a harmonised European standard under the New Legislative Framework. Claiming ISO 42001 compliance in your technical file is helpful context, but it does not discharge your Art. 43 obligations.


Three Sector Scenarios

Healthcare: The Most Mature Path

Medical device AI (Software as a Medical Device, SaMD) already follows CE marking under the MDR. The AI Act adds Arts. 9-15 requirements on top. The practical impact is an expanded technical file covering AI-specific risk management, data governance, and accuracy metrics that the MDR does not require at the same granularity.

Existing MDR notified bodies can potentially assess AI Act requirements under Art. 31 conditions, avoiding the designation bottleneck. Estimated cost premium over MDR-only conformity: EUR 20-40K. This is the sector closest to having a workable conformity path.

Financial Services: Leverage Existing Frameworks

Credit scoring and fraud detection AI fall under Annex III area 5(b). Self-assessment only — no notified body required. Banks and insurers already operate under model risk management frameworks (EBA Guidelines on ICT Risk, national supervisory expectations). An estimated 60-70% of AI Act documentation requirements overlap with what these institutions already maintain.

The gap is in AI-specific requirements that financial regulation does not cover: Art. 10 data governance with bias examination, Art. 14 human oversight design, and the formal EU Declaration of Conformity. Budget EUR 30-60K per system for gap closure, less if you have strong existing model governance.

HR Tech: Building from Scratch

Recruitment and employee management AI falls under Annex III area 4. Self-assessment path. This is the least prepared sector. Most HR tech companies have minimal technical documentation, limited bias testing, and no formal risk management system for their AI.

Building the conformity package from scratch — technical documentation, QMS, risk management, data governance, testing — will cost EUR 30-60K per system and take 4-6 months. Companies that have invested in responsible AI practices will move faster. Companies that have not are facing a six-month sprint starting now.


This content is for informational purposes only and does not constitute legal advice. Cost and timeline estimates are directional based on market precedent and are not guarantees. Organizations should engage qualified legal and technical advisors for conformity assessment. Reg Intel is not a law firm and does not provide legal services.

Last verified: 9 April 2026


Sources

Official Sources

  • European Union, Regulation (EU) 2024/1689 (EU AI Act), Art. 43 — Conformity Assessment. EUR-Lex. Last accessed 8 April 2026.
  • European Union, Regulation (EU) 2024/1689, Annex VI — Internal Control, Annex VII — Third-Party Assessment. Full text. Last accessed 8 April 2026.
  • European Union, Regulation (EU) 2024/1689, Art. 40 — Harmonised Standards, Art. 41 — Common Specifications. Full text. Last accessed 8 April 2026.
  • European Commission, NANDO Database — Notified Bodies. NANDO. Last accessed 8 April 2026.
  • CEN-CENELEC JTC 21 Work Programme. CEN-CENELEC. Last accessed 8 April 2026.

Analysis & Commentary

  • Openlayer, “EU AI Act Conformity Assessment Guide,” April 2026. Openlayer. Last accessed 8 April 2026.
  • European Parliament Think Tank, “Enforcement of the AI Act,” 18 March 2026. EP Think Tank. Last accessed 8 April 2026.

Data Sources

  • Cost estimates based on EU medical device conformity assessment market rates (BSI, TUV, Dekra published fee schedules), AI governance consulting market surveys (Gartner, Forrester), and early AI Act compliance project data.
  • Harmonised standards timeline based on CEN-CENELEC JTC 21 published work programme and public enquiry schedules.


Reg Intel
Published: April 8, 2026 · Updated: April 9, 2026
Source: https://reg-intel.com/eu-ai-act-conformity-assessment-what-to-do-when-the-infrastructure-isnt-ready/