
This article walks you through the entire conformity assessment process from start to finish - what it is, when you need a third party, what documentation you’ll prepare, and the shortcuts that exist for financial services firms.
Let me start with the thing that surprised me most about EU AI Act conformity assessments: most financial institutions don’t need a notified body. The self-assessment route is available for the majority of financial services AI use cases, and it’s significantly less expensive than external assessment. But - and this is important - “self-assessment” doesn’t mean “easy.” The documentation requirements alone can take months.
I’ve been working through the conformity assessment requirements with several financial institutions over the past year, and the pattern is always the same. Everyone starts confident (“we already have model governance, this should be straightforward”). Everyone ends humbled (“Annex IV wants what level of detail?”).
So here’s the honest walkthrough. No sugar-coating, no handwaving. Just the process as it actually works for a financial institution with high-risk AI systems.
First, What Exactly Is a Conformity Assessment?
Strip away the legal jargon and a conformity assessment is just a structured process for proving that your AI system meets the EU AI Act’s requirements for high-risk systems. Think of it as the AI equivalent of a CE marking process for industrial products. You’re demonstrating that your AI system is safe, fair, transparent, and well-governed enough to be deployed in the EU.
The legal basis is Article 43 of the EU AI Act. For most high-risk AI systems (including the financial services categories in Annex III, paragraph 5(b)), the assessment follows Annex VI, which describes an internal control-based conformity assessment. This means you assess yourself, following a prescribed methodology, and declare conformity based on your own evaluation.
For a small number of AI systems (biometric identification, critical infrastructure management), a third-party assessment by a notified body is required under Annex VII. But for financial services AI - credit scoring, insurance pricing, fraud detection, risk assessment - the self-assessment route under Annex VI applies.
Don’t let “self-assessment” fool you into thinking this is optional or lightweight. The EU AI Act is very specific about what the internal assessment must cover, and market surveillance authorities can request your documentation at any time. A poorly conducted self-assessment is worse than no assessment at all, because it creates a false sense of compliance while leaving you exposed.
Which Financial AI Systems Are High-Risk?
Annex III, paragraph 5(b) of the EU AI Act classifies the following as high-risk:
“AI systems intended to be used to evaluate the creditworthiness of natural persons or establish their credit score, with the exception of AI systems used for the purpose of detecting financial fraud.”
Plus paragraph 5(a):
“AI systems intended to be used for the evaluation of the creditworthiness of natural persons or for establishing their credit score, with the exception of AI systems put into service by small-scale providers for their own use.”
And more broadly, paragraph 5 also covers AI systems used for:
- Risk assessment and pricing in life and health insurance
- Evaluation of creditworthiness
- Setting credit scores
In practical terms, for a typical financial institution, the high-risk classification likely covers:
Clearly high-risk: AI credit scoring, automated lending decisions, AI-driven insurance underwriting/pricing, AI risk assessment for loan approval
Likely high-risk: AI-driven customer segmentation (if it affects access to financial products), automated claims assessment, AI investment suitability screening
Probably not high-risk: fraud detection (explicitly excluded), chatbots (unless they influence financial decisions), internal analytics, market data processing
Grey area: algorithmic trading (may fall under MiFID II instead), AML transaction monitoring, KYC automation. Regulatory guidance on these is still evolving.
The Conformity Assessment Process: All 7 Steps
Based on Annex VI and Articles 9-15 of the EU AI Act
Step 1: Establish Your Quality Management System (Art. 17)
Before you can assess individual AI systems, you need a quality management system (QMS) that covers your entire AI lifecycle. This isn’t a new concept if you come from a manufacturing or ISO background, but it’s new territory for many financial institutions.
Your QMS must cover: design and development procedures, testing and validation processes, data management practices, post-market monitoring, incident reporting mechanisms, communication with authorities, record-keeping, resource management, and accountability frameworks. Think of it as the organisational layer that ensures every AI system you build or deploy goes through a consistent governance process.
Step 2: Build the Technical Documentation (Annex IV)
This is where most teams stall. Annex IV is extraordinarily detailed. For each high-risk AI system, you need to document:
- General description of the AI system (intended purpose, provider details, version history)
- Detailed description of system elements and development process
- Monitoring, functioning, and control mechanisms
- Risk management system details (per Article 9)
- Data governance practices (per Article 10) - including training, validation, and testing datasets
- Detailed description of performance metrics and robustness measures
- Description of human oversight measures (per Article 14)
- Description of the logging system (per Article 12)
- Expected lifetime of the system, planned changes, and maintenance procedures
Step 3: Implement the Risk Management System (Art. 9)
Article 9 requires a risk management system that runs throughout the AI system’s entire lifecycle. Not a point-in-time risk assessment - a continuous process. It must include:
- Identification and analysis of known and foreseeable risks
- Estimation and evaluation of risks when the system is used as intended and under conditions of reasonably foreseeable misuse
- Evaluation of risks identified through data analysis
- Adoption of appropriate risk mitigation measures
- Testing to ensure the system performs consistently with its intended purpose
For a credit scoring model, this means you need to document risks like demographic bias, data quality degradation, model drift, adversarial inputs, and the consequences of incorrect decisions - and then show what you’re doing about each of them.
Step 4: Ensure Data Governance (Art. 10)
For financial AI systems, data governance is particularly critical. Article 10 requires that training, validation, and testing data sets are relevant, representative, free of errors, and complete. You must document data collection processes, data preparation operations (annotation, labelling, cleaning), data gaps and shortcomings, and measures taken to address bias. For a bank using AI credit scoring, this means you need to demonstrate that your training data doesn’t systematically underrepresent certain demographic groups, that your validation data is separate from your training data, and that you’ve tested for proxy discrimination.
Step 5: Test and Validate (Art. 9(5-7))
Testing must happen before deployment and at appropriate intervals throughout the system’s lifecycle. The regulation requires testing against “preliminarily defined metrics and probabilistic thresholds” - meaning you can’t just run the model and see if the outputs “look right.” You need to define acceptance criteria upfront (accuracy thresholds, fairness metrics, robustness benchmarks) and test against them with proper methodology. Document everything: test plans, test results, identified issues, and corrective actions taken.
Step 6: Conduct the Internal Assessment (Annex VI)
Here’s where it all comes together. The internal conformity assessment under Annex VI requires you to verify that:
- Your QMS complies with Article 17
- Your technical documentation complies with Annex IV
- Your design and development process is consistent with the QMS
- The AI system meets the essential requirements in Articles 8-15
- All testing and validation has been properly conducted and documented
Step 7: Issue the Declaration of Conformity and Register (Art. 47-49)
Once the assessment is complete, you draw up an EU declaration of conformity (per Annex V) for each high-risk AI system. This is a formal legal document stating that the system meets the requirements of the EU AI Act. You then register the system in the EU database for high-risk AI systems (Article 49). The declaration must be kept available for 10 years after the AI system is placed on the market or put into service. That’s a long time. Make sure your record-keeping is robust.
The Documentation Reality Check
Let me be blunt about the documentation burden. For a single high-risk AI system, the Annex IV technical documentation alone typically runs 50-150 pages when done properly. It needs to be detailed enough for a market surveillance authority to understand your system’s purpose, architecture, training data, testing methodology, performance characteristics, limitations, and risk mitigations - without needing to speak to you.
Now count how many AI systems your financial institution has in production. Credit scoring model. Fraud detection (not high-risk, but you should still document it for good governance). Customer segmentation. Automated underwriting. Collections prioritisation. Marketing personalisation.
If you have five high-risk AI systems, you’re looking at 250-750 pages of technical documentation. Plus the QMS documentation. Plus individual risk assessments. Plus test reports. Plus declarations of conformity.
This is why starting now isn’t just advisable - it’s mathematically necessary if you want to be ready by August 2026.
Provider vs. Deployer: Who Does the Assessment?
This trips up a lot of financial institutions. The EU AI Act distinguishes between providers (who develop or commission the AI system) and deployers (who use it). The conformity assessment is the provider’s responsibility.
So if your bank buys a credit scoring model from a vendor, the vendor is the provider and must conduct the conformity assessment. You, the bank, are the deployer.
But here’s the catch: Article 25 says that a deployer becomes a provider if they:
- Put their own name or trademark on the AI system
- Make a “substantial modification” to the system
- Modify the intended purpose of the system so it becomes high-risk
In financial services, “substantial modification” is common. You buy a credit scoring framework from a vendor, then retrain it on your own data, adjust the features, and calibrate the decision thresholds for your risk appetite. Have you substantially modified it? Quite possibly. And if so, the conformity assessment becomes your responsibility, not the vendor’s.
Even if you remain a deployer, Article 26 still imposes obligations: you must use the system in accordance with its instructions, ensure human oversight, monitor the system’s operation, keep logs for at least six months, and conduct a fundamental rights impact assessment if applicable.
What I’d Do If I Were Starting Today
You have roughly five months until the August 2026 deadline. That’s tight but doable if you prioritise ruthlessly. Here’s the order I’d tackle things:
Month 1: Inventory and classification. Catalogue every AI system in your organisation. Classify each one against Annex III. For each system, determine whether you’re the provider or deployer. This sounds simple. It isn’t. Most organisations are surprised by how many AI systems they have when they look carefully. That “Excel model with some macros” might actually be using a machine learning library under the hood.
Month 2: QMS framework. If you don’t have a quality management system for AI, build one. If you have ISO 42001 (the AI management system standard), you’re ahead - there’s significant overlap. But the QMS must specifically address Article 17’s requirements, which go beyond ISO 42001 in certain areas.
Months 2-4: Technical documentation. Start with your highest-risk, most critical AI system. Build the Annex IV documentation. Use it as a template for subsequent systems. Assign a dedicated person to each system - this can’t be done by committee.
Months 4-5: Testing and validation. Run (or document existing) testing against defined metrics. Ensure fairness testing, robustness testing, and accuracy validation are all properly documented with methodology, results, and conclusions.
Month 5: Assessment, declaration, and registration. Conduct the internal assessment per Annex VI. Issue declarations of conformity. Register in the EU database. Set up post-market monitoring processes.
It’s a Lot. It’s Also Manageable.
The conformity assessment process feels overwhelming when you first look at it. Annex IV alone is daunting. But it’s a structured process with clear steps, and once you’ve done it for one AI system, the second one takes half the time.
The key insight for financial institutions is that you’re not starting from zero. You already have model governance frameworks (SR 11-7, SS1/23, EBA guidelines). You already have data quality processes. You already have testing procedures. The conformity assessment requires restructuring and augmenting what you have, not building from scratch.
And if you’re managing AI Act compliance alongside DORA, GDPR, and other frameworks, having a platform that tracks obligations across all of them in one place is not a luxury - it’s a sanity-preservation measure. Venvera supports 13 regulatory frameworks including the EU AI Act and DORA, with cross-framework mapping that shows where a single control satisfies multiple regulations.
Track Your AI Act Conformity Journey
Venvera helps financial institutions manage EU AI Act compliance alongside DORA, GDPR, and 10 other frameworks - with cross-regulation mapping, risk assessments, and gap analysis. Starting at €399/month.
Last updated: March 2026. The EU AI Act conformity assessment framework is subject to ongoing implementing acts and guidance from the European AI Office. This article is educational and does not constitute legal advice.