The organisation should ensure all staff members and relevant third parties who develop, deploy, operate, or interact with AI systems possess the knowledge, skills, and awareness necessary to do so safely, ethically, and in compliance with applicable laws and standards.

Training should focus on areas most relevant for each role. Separate training on AI usage should be arranged for general and technical personnel. The scope of training and the training procedure should be documented.

The top management and the personnel responsible for the risk management system of the organization must take appropriate AI awareness training. The training ensures that their skills and knowledge are sufficient for determining the risks, assessing overall governance and leadership practices connected to the management of AI systems.

The management body should undergo training at least every two years to keep their knowledge and skills relevant and up-to-date. The training should reflect the organizational needs and be kept in line with the organizational AI usage policies.

A log is kept of the AI literacy training events provided by the organization to its staff. The log can be used to show what kind of specific investments the organization has made towards staff's expertise in the usage and development of AI systems.

For each training the documentation should include:

• Time
• Topics and duration of the training
• Training method and trainer
• Staff involved in the training

The organisation should appoint personnel to monitor for potential changes to AI system classifications. This ensures classification changes can be made without delay.

The organisation should ensure its high-risk AI systems undergo the required conformity assessment procedure before being placed on the market. This process includes drawing up an EU declaration of conformity and registering the system in the public EU database. These steps are necessary to formally demonstrate compliance with the regulation.

The organisation should create and maintain up-to-date technical documentation for its high-risk AI systems. This documentation must be detailed enough to allow authorities to assess the system's compliance with the regulation. It should describe the system's general characteristics, purpose, development process, and how risk management has been applied.

The organisation should implement a post-market monitoring system for its high-risk AI systems. A process must be in place to take necessary corrective actions if a system is found to be non-compliant. This includes informing distributors, importers, users, and relevant authorities about the non-conformity and the corrective measures taken.

Where the organization is a financial institution subject to internal governance requirements under EU financial services law, compliance with those governance requirements fulfil the obligation to put in place a quality management system under Article 17, except for points (g), (h) and (i).

The organization should identify and document the internal governance arrangements, processes and controls that address the applicable quality management system requirements. A clear linkage between those governance requirements and Article 17 obligations should be maintained.

The aspects referred to in Article 17.1 points (g), (h) and (i) should be addressed separately where applicable.

Any relevant harmonised standards referred to in Article 40 should also be taken into account. How such standards have been considered should be documented in order to demonstrate the internal governance framework fulfils the applicable requirements.

The organisation should establish a documented process for fulfilling its obligations as a distributor of high-risk AI systems. This process should address the entire lifecycle of the system under the distributor's responsibility.

The process should include procedures for:

• Verifying that systems have the required CE marking, EU declaration of conformity, and instructions for use before they are made available on the market.
• Handling non-conforming systems, including halting distribution and notifying the provider or importer.
• Implementing corrective actions, such as withdrawal or recall, for non-compliant systems already on the market.
• Cooperating with competent authorities and responding to information requests.

The organisation should define and implement a process for using deployed high-risk AI systems. This process must ensure the system is used in accordance with the provider's instructions. It should also specify the roles, competencies, and authority for individuals assigned to perform human oversight. If the organisation controls the input data, the process must include measures to verify that the data is relevant and representative for the system's intended purpose.

The organisation should establish and document a process for monitoring the operation of any deployed high-risk AI systems, based on the provider's instructions for use. This process should define the steps for identifying and reacting to potential risks or serious incidents. The procedure should include actions for suspending the system's use and for notifying the provider, distributor, and relevant authorities without undue delay.

Clear responsibilities for the continuous monitoring of deployed high-risk AI systems should be assigned. The designated personnel or roles must be made aware of their duties, which include following the provider's instructions for use and adhering to the internal procedures for reporting risks and incidents.

Sensitive operational data in cases where the organisation is a law enforcement authority are excluded from these obligations

The organisation should maintain a log of monitoring activities for each deployed high-risk AI system. This log should document regular operational checks, any identified risks or incidents, and all responsive actions taken, including system suspension and notifications to relevant parties. These records serve as evidence of compliance with monitoring obligations.

Deployers of high-risk AI systems should define and document a policy for the retention periods for logs automatically generated by its high-risk AI systems. The retention period must be appropriate for the system's intended purpose and last for a minimum of six months, unless other applicable laws require a different period. This policy ensures that logs are available for auditing and incident investigation as required.

The policy should define and document a process for managing the retention of logs from these systems to ensure logs are technically stored according to the defined retention policy, for at least six months or as required by other regulations. The process should cover how logs are collected, stored securely, and disposed of after the retention period.

The organisation should formally assess the impact of its AI systems on individuals, groups and society prior to deployment. This is particularly relevant for public bodies, providers of public services, and deployers of AI systems in employment and credit evaluation.

The assessment should include:

• A description of the processes where the AI system will be used.
• The intended period and frequency of use.
• The groups of people likely to be affected.
• The impact on minors and other vulnerable groups
• The specific risks of harm to those groups and measures to mitigate them.
• A description of the planned human oversight measures.

The assessment should be updated if any core system elements change during use. It should complement existing Data Protection Impact Assessments (DPIAs) where applicable.

The organization has defined procedures for assessing and treating risks to fundamental rights. The definition includes at least:

• The assessment process
• Methods for fundamental rights analysis
• Criteria for risk evaluation (impact and likelihood)
• Mitigation controls, plans and post-market monitoring
• Risk acceptance criteria
• Process implementation cycle, resourcing and responsibilities
• The results should be included into the organization risk management process
• The task owner regularly checks that the procedure is clear and produces consistent results

When implementing risk management measures for AI systems, the organisation must identify the risks that require treatment and define treatment plans for them. The organisation has defined how regularly the treatment plans defined as a whole for AI risk management are evaluated as well as their proportionality to the risk assessment (risk severity and probability).

Different controls and compliance requirements, such as data quality, transparency, and human oversight, interact with each other should be considered in this process. The combined measures should ensure risks are effectively minimised and balanced.

The organisation should establish a process to determine if the overall residual risk of a high-risk AI system is acceptable. This involves considering the combined effect of all individual residual risks associated with each hazard. The final judgment on risk acceptability must be formally documented before the system is placed on the market or put into service.

The organisation should establish and document a process for eliminating or reducing risks through the design and development of its high-risk AI systems. This process should ensure that risks are addressed as far as is technically feasible. Design choices aimed at AI risk reduction must consider the system deployer's expected technical knowledge, experience, and the system's intended use context.

Adequate mitigation and control measures should be implemented where identified risks cannot be eliminated through the design and development of the high-risk AI system. The selection and implementation of these controls must be documented as part of the risk management file.

The organisation should establish and maintain a testing process for its high-risk AI systems. This process ensures that testing is conducted at appropriate intervals throughout the development lifecycle and is completed before the system is placed on the market or put into service. All test activities and their outcomes must be documented to demonstrate compliance and system performance against the defined metrics.

The organization should maintain comprehensive documentation of the design and development processes for its AI systems. This documentation should clearly outline the strategic objectives that the AI system supports, the established requirements (both functional and non-functional), the relevant design choices and the specific criteria used in its design. The documentation should also demonstrate how the AI system's design and development align with these defined objectives, requirements, and criteria.

The organisation should ensure that its high-risk AI systems are designed to automatically record events (logs) throughout their operational lifetime. These logs are crucial for traceability, monitoring, and identifying potential risks or the need for substantial modifications.

Logging should capture events that facilitate post-market monitoring and ensure the system operates as intended. For certain systems, such as those for biometric identification, logs must also record details like the period of use, the reference database used, the input data causing a match, and the identity of the person who verified the results.

The organisation should define and document the required competencies, training, authority, and support for individuals assigned to human oversight of AI systems. This includes establishing processes to:

• Assess and ensure the necessary competence of personnel.
• Provide adequate and ongoing training on AI system functionalities, risks, and oversight procedures.
• Grant the necessary authority to intervene, monitor, and make informed decisions.
• Provide adequate support, resources, and tools (e.g., clear guidelines, technical support, time) to enable effective oversight.

Regular reviews should be conducted to ensure the continued effectiveness of these measures.

The organisation should establish and implement technical measures to ensure its high-risk AI systems are resilient against manipulation attempts. These measures should be appropriate for the identified risks and address AI specific vulnerabilities.

This includes measures to prevent, detect, and respond to attacks such as:

• Manipulation of training data or pre-trained components (data and model poisoning).
• Inputs intentionally designed to cause the model to make a mistake (adversarial examples).
• Confidentiality attacks aimed at extracting data or reverse engineering the model.

The organisation should establish and maintain a plan for responding to and resolving detected cybersecurity attacks against its high-risk AI systems. This plan should define the procedures for containing an attack, controlling its impact, and resolving the underlying vulnerability. For example, it could include steps for isolating a compromised system, reverting to a previous safe model version, and initiating a process to retrain the model on clean data.

The organisation should establish and follow a verification process for any high-risk AI system it imports before placing it on the market. This process ensures the system's provider has met their obligations. The verification should confirm that:

• The provider has completed the required conformity assessment.
• The provider has created the necessary technical documentation.
• The system has the CE marking, an EU declaration of conformity, and instructions for use.
• The provider has appointed an authorised representative in the EU.

The organisation should also add its own contact details to the system, its packaging, or its documentation.

The organisation should define a process for handling imported high-risk AI systems that are suspected of being non-conforming or having falsified documentation. This process must prevent the system from being placed on the market until it is brought into conformity. If the system poses a risk, the procedure should include steps for notifying the provider, their representative, and market surveillance authorities. The organisation must also ensure that storage and transport conditions do not compromise the system's compliance.

When using the internal control procedure, the organisation should verify that its quality management system is compliant and that the AI system's technical documentation demonstrates conformity with all requirements. Following this, the organisation should draw up the written EU declaration of conformity and affix the CE marking to the system.

Providers of high risk AI systems should establish and document an internal control procedure to assess the conformity of its high-risk AI systems. This procedure ensures that the AI system meets regulatory requirements before it is placed on the market. The assessment should cover all relevant obligations, such as the risk management system, data governance, technical documentation, and transparency measures in the following areas:

• AI systems intended to be used as safety components in the management and operation ofcritical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity
• Education and vocational training
• Employment, workers’ management and access to self-employment
• Access to and enjoyment of essential private services and essential public services and benefits
• Law enforcement, in so far as their use is permitted under relevant EU or national law
• Migration, asylum and border control management, in so far as their use is permitted under relevant EU or national law
• Administration of justice and democratic processes

The organisation should establish a documented process to evaluate changes made to a high-risk AI system after its initial conformity assessment. This process should distinguish between substantial modifications, which require a new assessment, and changes that were pre-determined and documented during the initial assessment. The criteria for identifying a substantial modification should be clearly defined.

The organisation should establish a policy that clarifies the responsibilities associated with applying the CE mark to its high-risk AI systems. This policy should state that the act of affixing the mark signifies the provider's declaration of conformity and assumption of responsibility. The policy should also prohibit the use of other markings that might obscure or be confused with the CE marking.

The policy should establish and document the process for coordinating with the notified body responsible for the conformity assessment. This process should ensure the notified body's identification number is affixed to the high-risk AI system, its packaging, or documentation either by the body itself or precisely according to its instructions.

The organisation should establish a process for handling serious incidents that occur during the real-world testing of high-risk AI systems. This process should define the steps for reporting, mitigation, and potential recall.

• Identification and documentation of the serious incident.
• Immediate reporting to the relevant national market surveillance authority.
• Actions for immediate mitigation, or the suspension/termination of testing if mitigation is not feasible.
• A procedure for the prompt recall of the AI system if testing is terminated.

The organisation should establish a process to ensure all AI systems are registered as required before being placed on the market or put into service. This process must determine the correct registration body, either the EU-wide database or a national authority, based on the system's specific classification under the AI Act.

The organization should incorporate AI-related risks into its information security management system.

The boundaries and scope, contents, role, cumulative implementation information and other necessary descriptive information related to AI within the management system must be clearly documented.

The organization should establish and maintain a process for assessing AI risks. This process must be guided by the organization's AI policy and AI objectives, ensuring that subsequent assessments yield consistent, valid, and comparable results.

The process should identify risks that could either help or hinder the achievement of the organization's AI objectives. Risk analysis should involve evaluating the potential consequences for the organization, people, and society, assessing the probability of these risks where possible, and establishing the levels of these risks.

Thhe process should also inlcude evaluating AI risks by comparing the analysis results against the defined risk criteria and prioritizing the identified risks for subsequent treatment. Documented information concerning the AI risk assessment process and its results should be maintained.

The organisation should demonstrate its compliance with the AI Act's requirements for general-purpose AI models. One way to do this is by adhering to an approved code of practice until harmonised standards are available. The organisation should identify a relevant code of practice, implement its requirements, and document the adherence process to ensure and prove compliance. General themes for a code of practice can include, for example:

• Governance and accountability
• Technical documentation
• Transparency
• Risk management and harm reduction
• Data governance and quality
• Information for suppliers and downstream users
• Testing, evaluation and robustness
• Post-market monitoring and incident reporting
• Regulatory cooperation and continuous improvement

Providers established outside the EU should appoint an authorised representative within the Union through a written mandate. This mandate must empower the representative to act on the provider's behalf and ensure compliance with the AI Act.

Providers of GPAI models and their organisation should ensure the written mandate for its authorised representative explicitly empowers them to be addressed by the AI Office or competent authorities on all compliance matters. The mandate should also task the representative with providing a copy of the mandate to the AI Office upon request.

The mandate should specify that the representative is responsible for:

• Verifying that the required technical documentation is complete and obligations are met.
• Keeping the technical documentation available for authorities for 10 years.
• Providing information and documentation to the AI Office upon request.
• Cooperating with authorities in any actions they take regarding the AI model.

The organisation should establish a process for managing the systemic risks associated with its general-purpose AI models. This process should include:

• Performing model evaluations, including adversarial testing, to identify vulnerabilities and risks.
• Assessing and mitigating possible systemic risks that may arise from the model's development or use.
• Documenting the testing, risk assessments, and mitigation measures taken.

The organisation should establish and document a formal process for handling requests from the Commission and national competent authorities. This ensures timely and appropriate cooperation as required by regulations.

The process should include:

• Designating a responsible person or team to act as the point of contact for authorities.
• A procedure for receiving, authenticating, and logging official requests.
• Steps for coordinating the internal response and gathering the necessary information.
• Guidelines for reviewing and approving the response before submission.

Providers of general-purpose AI models should establish and document processes to ensure its authorised representative has the necessary information, access, and resources to fulfill their mandated duties. This includes providing timely access to technical documentation and cooperating with the representative's requests for information needed to demonstrate compliance with the AI Act.

The organisation should ensure that natural persons overseeing high-risk AI systems are aware of the potential for automation bias, which is the tendency to over-rely on AI-generated outputs. This includes providing specific training and guidance on how to critically evaluate information and recommendations from AI systems, particularly those used for human decision-making. Measures should be in place to help human overseers identify and mitigate this bias.

AI literacy guidelines are specified in connection to the employee's role. The organization has identified units and roles that require separate guidance and develops its own detailed guidelines for these.

Examples of units that may require their own guidelines are e.g. customer service, IT and HR. Examples of work roles that require their own instructions are system administrators and remote workers.

The organization should establish and maintain a documented assessment procedure to determine whether it qualifies as a provider of a high-risk AI system under Article 25 of the AI Act. This assessment should be conducted whenever the organization places its name or trademark on a high-risk AI system developed by another entity, performs a substantial modification to an existing high-risk AI system that remains high-risk pursuant to Article 6, or modifies the intended purpose of an AI system in a manner that results in its classification as high-risk.

The procedure should also cover cases where the organization manufactures a product incorporating a high-risk AI system that qualifies as a safety component under EU harmonisation legislation listed in Section A of Annex I.

In such cases, the product manufacturer should be treated as the provider where:

1. The high-risk AI system is placed on the market together with the product under the name or trademark of the product manufacturer, or
2. The high-risk AI system is put into service under the name or trademark of the product manufacturer after the product has been placed on the market.

Where provider status is triggered, the organization should implement the full set of provider obligations under Article 16, including conformity assessment, technical documentation, risk management, and post-market monitoring. The allocation and transfer of responsibilities should be formally documented whenever such a change occurs.

If the organization becomes the provider of a high-risk AI system previously placed on the market, it should establish cooperation arrangements with the initial provider to obtain all necessary technical documentation, technical access, and other reasonably required assistance to ensure compliance with the Regulation. It should be verified whether the initial provider has explicitly restricted modification of the AI system into a high-risk system. All determinations, contractual arrangements, and supporting evidence should be retained.

Providers and deployers of AI systems or their organizations should define and document a code of conduct for the development and deployment of its AI systems. This code can be created internally, or an existing industry code can be adopted. The code of conduct should outline the organisation's commitment to responsible AI usage. Relevant themes can include, for example:

• System purpose and accountability
• Risk identification and mitigation
• Data governance and technical limitations
• Fundamental rights
• Human oversight
• Technical robustness and operational resilience
• Continuous improvement
• Record-keeping

Consultation with external stakeholders such as civil society organisations and academia be incorporated into the process of drawing up codes of conduct where possible.

The organisation should define a process for situations where it assumes the role of a provider for a high-risk AI system. This includes when the organisation re-brands an existing system with its own name, substantially modifies a high-risk system, or alters a system in a way that it becomes high-risk. The process must ensure that the organisation then fulfils all legal obligations required of a provider.

The organisation should ensure that it keeps the logs that are automatically generated by its high-risk AI systems. These logs must be retained for a period appropriate to the system's intended purpose to allow for the monitoring of operations and to enable post-incident investigation.

The organisation should establish a defined process for responding to requests from national competent authorities. This process should outline the responsibilities and steps for demonstrating the conformity of its high-risk AI systems. This includes gathering and providing access to technical documentation, logs, quality management system records, and any other relevant evidence of compliance upon a reasoned request.

The organisation should ensure the written mandate with its authorised representative includes a termination clause. This clause should state that the representative is required to terminate the mandate and immediately inform the relevant market surveillance authority if they have reason to consider the provider to be acting contrary to its obligations under the AI Act.

If the organisation is established outside the European Union, it should appoint an authorised representative located within the Union. This appointment must be formalised through a written mandate before making any high-risk AI system available on the EU market.

The responsibilities of the authorised representative should be defined by the organisation of the provider of high-risk AI systems when the representative is appointed. The authorised representative should act within the scope of these responsibilities and be able to provide a copy of them to market surveillance authorities upon request in an official language of the EU as indicated by the competent authority.

The authorised representative should be empowered to:

• verify that the EU declaration of conformity and the required technical documentation have been prepared and that the appropriate conformity assessment procedure has been carried out by the provider
• retain, for 10 years after the high-risk AI system has been placed on the market or put into service, the provider’s contact details, the EU declaration of conformity, the technical documentation and any applicable notified body certificate, and make them available to competent authorities upon request
• provide competent authorities, upon a reasoned request, with the information and documentation necessary to demonstrate conformity, including access to automatically generated logs where such logs are under the provider’s control
• cooperate with competent authorities in actions taken to address or mitigate risks related to the high-risk AI system
• comply with applicable registration obligations, or ensure the correctness of registration information where registration is carried out by the provider

Competent authorities should be able to address the authorised representative, in addition to or instead of the provider of the high-risk AI system, on matters related to compliance with the AI Act.

The organization should maintain documented evidence covering the full spectrum of these responsibilities.

The organisation should ensure that while a high-risk AI system is under its responsibility, the conditions for its storage and transport do not compromise its compliance. This includes defining and implementing appropriate physical and digital security measures to protect the system's integrity, for example during warehousing or digital transfer.

The organisation should establish a clear procedure for situations where a high-risk AI system it has distributed is found to be non-compliant and presents a significant risk. This procedure should ensure immediate notification to the system's provider or importer, as well as the relevant competent authorities. The notification must include details of the non-compliance and any corrective actions being taken.

The organisation should establish a procedure for reporting issues found during the monitoring of high-risk AI systems. This procedure must specify the reporting chain and timelines based on the severity of the issue. It should detail the steps for informing the provider, distributor, and relevant authorities for both general risks and serious incidents, including the protocol for when a provider cannot be reached.

For organisations that qualify as financial institutions under EU financial services law, an assessment of internal governance and technical measures should be carried out to determine how monitoring obligations under the AI Act are addressed.

The organisation should identify, document and review existing governance structures, processes and mechanisms to verify whether they fulfil obligations applicable to high-risk AI systems under Article 26. Technical measures connected to existing logging systems should be evaluated on a similar basis.

Where equivalence is identified, the organisation should maintain documented evidence demonstrating how existing internal governance arrangements and technical implementations meet the relevant monitoring requirements of the AI Act.

The organisation should implement the technical measures to store logs automatically generated by its high-risk AI systems. The storage solution must ensure logs are retained for the period defined in the retention policy, for at least six months. The system must also protect logs from unauthorised access, modification, and deletion, and ensure their secure disposal after the retention period.

The organisation should establish a procedure for registering the high-risk AI systems it deploys in the EU database. This registration must be completed before the system is put into operation and kept up to date as mandated by the regulation.

The organisation should verify that any high-risk AI system the organisation intends to deploy is registered in the EU database. This check must be performed before the system is put into use. If a system is not found in the database, its deployment is prohibited, and the organisation should inform the provider or distributor of the missing registration.

After completing the fundamental rights impact assessment for a high-risk AI system, the organisation should notify the relevant market surveillance authority of the results. This notification must be submitted before the system is first deployed. The organisation should use the official template provided by the authority for this purpose.

The organisation should establish measures to be taken if fundamental rights risks from a high-risk AI system materialise. This includes defining internal governance arrangements and creating accessible complaint mechanisms for affected individuals to report issues and seek redress.

The organisation should define criteria for when a previously conducted fundamental rights impact assessment (FRIA), or one provided by the system's provider, can be reused for a new deployment. For similar deployments, an existing assessment can be leveraged to streamline the compliance process. The organisation should document the justification for reusing an assessment.

The organisation should review and document the legal basis for providing explanations for decisions made by its high-risk AI systems. This review should identify any applicable exceptions or restrictions under Union or national law, and determine if the obligation is already fulfilled by other regulations like the GDPR.

The organization proactively seeks to list and assess the likelihood and severity of various risks related to the use of high-risk AI systems. The documentation should include the following:

• Description of the risk
• Evaluated impact and likelihood of risks affecting fundamental rights
• Tasks for managing the risk or other treatment options
• Acceptability of the risk

The organization assesses risks by responding to situations where the integrity of the high-risk AI system has been mildly or severely compromised. The documentation shall include at least the following:

• Description of the incident
• Risks associated with the incident
• New tasks introduced as a result of the incident
• Other measures taken due to the incident

The impact of significant changes to high-risk AI systems must be assessed in advance and executed in a controlled way. The consequences of unintentional changes must be assessed and efforts made to mitigate possible adverse effects.

This process must also include analysing data from the post-market monitoring system to identify new or previously unknown risks. Findings from these evaluations should be used to regularly update the system's risk management plan.

Significant changes may include: changes in the organization, operating environment, business processes and data systems as well as changes to high risk systems that require formal evaluation, documented risk assessment and approval prior to implementation. Changes can be identified e.g. through management reviews and other work associated with the development and maintenance of high-risk AI systems.

The organisation should estimate and evaluate risks that may emerge when a high-risk AI system is used under conditions of reasonably foreseeable misuse. This process should consider scenarios where the system is used maliciously or incorrectly, and assess the potential impact on health, safety, and fundamental rights.

The organisation regularly evaluates the effectiveness of risk management measures for high-risk AI systems. It evaluates these measures as far as technically feasible through adequate design and development of the high-risk AI system;

The organisation has defined:

• metrics to provide comparable results on the design and development of high-risk AI stems
• persons responsible for metering
• methods, timetable and responsible persons for metrics reviewing and evaluation
• methods to document metric-related evaluations and results

Effective metrics should be usable for identifying weaknesses, targeting resources better and assessing organisation's success / failure related to the design and development of high-risk AI systems.

The organisation should establish a testing process for its high-risk AI systems. This process ensures the system consistently performs its intended function and complies with legal requirements. Testing should be conducted before deployment to identify the most suitable risk management measures.

The organisation should define and document the metrics and probabilistic thresholds for testing its high-risk AI systems. This ensures testing is consistent, objective, and aligned with the system's intended purpose. These metrics and thresholds must be established before testing begins and should be reviewed throughout the development lifecycle.

If a high-risk AI system is a component of a product that is also covered by other specific EU laws, the organisation should create a single, unified set of technical documentation. This document must contain all the information required by the AI Act and the relevant product legislation.

If the organisation qualifies as a small or medium-sized enterprise (SME), including a start-up, it should use the simplified technical documentation form provided by the European Commission. This form is designed to reduce the administrative burden while still demonstrating compliance. Notified bodies are required to accept this specific form for conformity assessments.

The organisation should specify the exact events and data to be logged by each high-risk AI system. This specification ensures logs provide the traceability needed to identify risks, monitor operations, and support post-market surveillance. For applicable systems, the specification must include the period of use, reference databases checked, input data causing a match, and the identity of the person verifying the results.

The organisation should design and implement technical features directly into high-risk AI systems to enable effective human oversight. These built-in mechanisms should facilitate human understanding, monitoring, and intervention in the system's operation, including clear interfaces, monitoring dashboards, alert systems, and override functionalities.

The organisation should analyse and document the necessary human oversight measures for each high-risk AI system. This analysis should be based on the system's specific risks, level of autonomy, and context of use to ensure the chosen measures are effective and proportionate.

The organisation should define and document the technical requirements for its AI systems. This documentation should specify the expected levels of accuracy, robustness, and cybersecurity based on the system's intended purpose and the risks involved. The requirements should be consistently reviewed and maintained throughout the AI system's entire lifecycle.

The organisation should ensure that high-risk AI systems that continue to learn after deployment are designed to mitigate risks from feedback loops. This involves preventing biased outputs from influencing future operations. The organisation should establish appropriate mitigation measures to address any such feedback loops that are discovered.

The organisation should establish and document a process for the conformity assessment of its high-risk AI systems. This process must define how to select the appropriate assessment procedure, either internal control or assessment by a notified body, based on the application of harmonised standards or common specifications.

When the conformity assessment procedure requires the involvement of a notified body, the organisation should submit its quality management system and the AI system's technical documentation for assessment. The notified body will evaluate these to determine if the system and related processes conform to the requirements. Upon successful assessment, the notified body issues the relevant EU certificate.

The organisation should prepare a written EU Declaration of Conformity for each high-risk AI system before it is placed on the market. This document serves as a formal declaration that the system meets the requirements of the AI Act. The declaration must be translated into the required languages and kept available for national authorities for 10 years after the system is placed on the market.

The organisation should execute its internal conformity assessment procedure for high-risk AI systems as outlined in Annex VI of the AI Act. This involves verifying that the quality management system is adequate and examining the technical documentation to confirm the system meets all requirements. The results of this assessment must be documented to provide the necessary evidence before an EU Declaration of Conformity can be issued.

The organisation should affix the CE marking to each high-risk AI system that meets the AI Act's requirements after a successful conformity assessment. The CE marking must be visible, legible, and permanent. It should be placed on the AI system itself, its data plate, or, if not possible, on its packaging and accompanying documents.

The organisation should establish and document a process to determine the correct conformity assessment procedure for its high-risk AI systems. This process should verify if the AI system is covered by other EU harmonisation legislation listed in Annex I, Section A of the AI Act. If it is, the organisation must follow the conformity assessment procedure from that legislation, while also ensuring that all relevant requirements from the AI Act are included in the assessment.

The organisation should ensure that the technical documentation for a high-risk AI system also covered by other EU legislation includes specific elements from the AI Act. This documentation must contain a detailed description of the AI system's development process, information on its monitoring and control, and a description of its capabilities and limitations, as specified in Annex VII.

The organisation should establish a process for selecting a Notified Body for high-risk AI systems that also fall under other EU legislation. The process must verify that the chosen body is not only notified under the other relevant law, but is also officially entitled to assess conformity with the requirements of the AI Act.

The organisation should establish a process for creating, managing, and maintaining an EU declaration of conformity for each high-risk AI system it provides. This declaration confirms that the system complies with the AI Act.

The process should ensure the declaration:

• Is created before the system is placed on the market.
• Contains all information specified in Annex V of the AI Act.
• Is kept for 10 years after the system is placed on the market and provided to authorities upon request.
• Is kept up to date with any changes to the system or regulations.

The declaration should be translated into a language understood by competent authorities of the Member States where the system is marketed. It should be structured to be provided as a single declaration where the AI system is also subject to other EU harmonisation legislation.

The organisation should establish a documented process for the CE marking of its high-risk AI systems to demonstrate conformity. The process should cover both physical and digital systems and ensure the marking is correctly applied.

This process should address:

• Ensuring the marking is visible, legible, and indelible.
• Rules for placement on the system, packaging, or documentation.
• How to provide an easily accessible digital CE mark for digital systems.
• When and how to include the notified body's identification number with the mark and in promotional materials.

The organisation should maintain a register of its high-risk AI systems and their conformity status. For each system, this register should document that the CE marking has been correctly applied according to the established process. The documentation should also specify any other EU legislation that the CE marking covers for that specific system.

Providers of high-risk AI systems should establish and document a clear process for responding to requests from competent authorities. This ensures that all necessary information, documentation, and logs demonstrating the AI system's conformity can be provided in a timely manner.

The process should specify:

• A designated contact person or team responsible for handling authority requests.
• A procedure for validating the legitimacy of a request.
• Steps to compile and provide all required documentation and log data.
• A plan for providing the information in a required official EU language.

Providers of high-risk AI systems can take steps to ensure competent authorities respect the confidentiality of information and data so as to protect:

• Intellectual property rights and confidential business information
• The effective implementation of of the AI Act for the purposes of inspections, investigations or audits
• Public and national security interests
• The conduct of criminal or administrative proceedings
• Information classified pursuant to Union or national law

The organisation should establish and document a post-market monitoring plan for its high-risk AI systems. The plan should define a structured and systematic process for monitoring, measuring, documenting, and analysing system performance throughout the entire lifecycle.

The plan should specify:

• Aspects to be monitored and measured, including system performance, the effectiveness of implemented risk controls, and continued compliance with applicable legal and regulatory requirements
• Methods for monitoring, measurement, and analysis, ensuring that results are valid, reliable, and suitable for demonstrating compliance
• The frequency and timing of monitoring and measurement activities, as well as the intervals for formal analysis and evaluation

The plan should be formally included as part of the technical documentation. Documented information should be retained as evidence of the performance and effectiveness of each high-risk AI system.

The organisation should implement the process for post-market monitoring as defined in its plan. This involves actively and systematically collecting, documenting, and analysing relevant data on the performance of its high-risk AI systems throughout their lifetime.

The organisation should establish and document a procedure for managing and reporting serious incidents involving its high-risk AI systems. This procedure should ensure timely communication with market surveillance authorities.

The procedure should include:

• Criteria for identifying a serious incident.
• Clear responsibilities for investigation and reporting.
• The specific reporting deadlines based on the incident's severity (e.g., within 2, 10, or 15 days).
• A process for conducting post-incident investigations, risk assessments, and implementing corrective actions in cooperation with authorities.

The organisation should maintain a record of all serious incidents related to its high-risk AI systems. This record should document the details of the incident, the investigation performed, the reports submitted to authorities, and the corrective actions taken to resolve the issue and prevent future occurrences.

The organisation should define a process for notifying the relevant national market surveillance authority when real-world testing of an AI system is suspended or terminated. The process should also ensure that the final outcomes are reported to the authority in the Member State where the testing took place.

AI systems intended to be used as safety components in the management and operation of critical digital infrastructure, road traffic, or in the supply of water, gas, heating or electricity should be registered at the national level.

The organisation should establish and document a strategy for regulatory compliance which includes a process for managing modifications to its high-risk AI systems. This process ensures that all changes are systematically reviewed, validated, and approved before being deployed to maintain compliance. The procedure should define how to classify modifications and outline the steps for re-evaluation to ensure the system remains compliant throughout its lifecycle.

The organisation should establish a formal process for notifying relevant parties when a high-risk AI system is found to be non-compliant. The process should specify responsibilities and timelines for these communications.

Depending on the situation, the parties to be informed should include:

• Distributors, deployers, authorised representatives, and importers
• Relevant market surveillance authorities
• The notified body that issued the system's certificate

The organization should define and document the event logging requirements for its AI systems across their lifecycle. This includes identifying the types of events to be logged (e.g., system actions, user interactions, errors, performance metrics) and the specific stages of the AI system's lifecycle where logging is required, such as development, testing, deployment, and operation.

Technical solutions should be implemented to ensure that these defined logs are effectively captured, especially during the AI system's operation. Logs should be securely stored, retained according to defined policies, and accessible for purposes such as auditing, incident investigation, performance monitoring, and compliance verification.

The organization should define clear roles and responsibilities for the management, development, deployment, and monitoring of AI systems. These roles should cover all phases of the AI system's life cycle and be assigned to competent individuals or teams. The defined responsibilities can include aspects such as risk management, AI system impact assessments, privacy, security, development, performance, data governance, human oversight, and compliance with relevant regulations.

The organisation should implement adequate mitigation and control measures to address risks associated with high-risk AI systems that cannot be eliminated through design. The selection of these measures should be based on risk analysis and documented accordingly.

Providers of general-purpose AI models should ensure internal procedures are in place to prevent unauthorized access, disclosure or misuse of information and documentation connected to the provision of GPAI models with systemic risk.

The organisation should establish and implement a policy to ensure compliance with relevant copyright law when training general-purpose AI models. This policy must include a process for identifying and respecting the reservation of rights by rights-holders concerning text and data mining.

If the organisation does not adhere to an approved code of practice or a harmonised standard, it should prepare alternative methods to demonstrate compliance. This involves creating and maintaining detailed documentation of the measures, processes, and controls implemented to meet the AI Act's obligations for general-purpose AI models. The documentation should be sufficient to undergo assessment by the Commission.

The organisation should monitor for the publication of European harmonised standards applicable to general-purpose AI models. Upon their release, the organisation should adopt and implement these standards. Adhering to harmonised standards provides a presumption of conformity with the AI Act, which can simplify the compliance process.