Artificial Intelligence - Artificial Intelligence Conformity Assessment

This document sets out a review of the current methods and practices (including tools, assets, and conditions of acceptability) for
conformity assessment in respect to, among others, products, services, processes, management systems, organizations, or persons,
as relevant for the development and use of AI systems. It includes an industry horizontal (vertical agnostic) perspective as well as an
industry vertical perspective.
This document focuses only on the process of assessment and gap analysis of conformity. It defines the objects of conformity
related to AI systems and all other related aspects of the process of conformity assessment. The document also reviews to what
extent AI poses specific challenges with respect to assessment of, for example, software engineering, data quality and engineering
processes.
This document takes into account requirements and orientations from policy frameworks such as the EU AI strategy and those from
CEN and CENELEC member countries.
This document is intended for technologists, standards bodies, regulators and interested parties.

Künstliche Intelligenz - Konformitätsbewertung von Künstlicher Intelligenz

Intelligence Artificielle - Évaluation de la conformité liée à l'Intelligence Artificielle

Umetna inteligenca - Ugotavljanje skladnosti z umetno inteligenco

This document provides a review of current methods and practices (including tools, assets and conditions of acceptability) for conformity assessment to the extent relevant for the development and use of artificial intelligence (AI) systems. Among others, it addresses conformity assessment for products, services, processes, management systems and organizations. It includes an industry horizontal (vertical-agnostic) perspective and a vertical perspective.
This document focuses only on the process and gap analysis of conformity assessment. It defines the objects of conformity related to AI systems and all other aspects of the conformity assessment process.
The document also examines to what extent AI poses specific challenges with respect to the assessment of, for example, software engineering, data quality and engineering processes.
This document takes into account requirements and orientations from policy frameworks such as the EU AI strategy and the strategies of CEN and CENELEC member countries.
This document is intended for technologists, standards bodies, administrative authorities and interest groups.

General Information

Status: Published
Public Enquiry End Date: 22-Oct-2024
Publication Date: 09-Mar-2025
Technical Committee:
Current Stage: 6060 - National Implementation/Publication (Adopted Project)
Start Date: 17-Feb-2025
Due Date: 24-Apr-2025
Completion Date: 10-Mar-2025
Technical report
SIST-TP CEN/CLC/TR 17894:2025 - BARVE
English language
50 pages

Standards Content (Sample)


SLOVENIAN STANDARD
01-April-2025
Umetna inteligenca - Ugotavljanje skladnosti z umetno inteligenco
Artificial Intelligence - Artificial Intelligence Conformity Assessment
Künstliche Intelligenz - Konformitätsbewertung von Künstlicher Intelligenz
Intelligence Artificielle - Évaluation de la conformité liée à l'Intelligence Artificielle
This Slovenian standard is identical to: CEN/CLC/TR 17894:2024
ICS:
03.120.20 Product and company certification. Conformity assessment
35.240.01 Application of information technology in general
2003-01. Slovenian Institute for Standardization. Reproduction of this standard in whole or in part is not permitted.

TECHNICAL REPORT CEN/CLC/TR 17894

RAPPORT TECHNIQUE
TECHNISCHER REPORT
December 2024
ICS 03.120.20; 35.240.01
English version
Artificial Intelligence - Artificial Intelligence Conformity
Assessment
Intelligence Artificielle - Évaluation de la conformité liée à l'Intelligence Artificielle
Künstliche Intelligenz - Konformitätsbewertung von Künstlicher Intelligenz

This Technical Report was approved by CEN on 25 November 2024. It has been drawn up by the Technical Committee
CEN/CLC/JTC 21.
CEN and CENELEC members are the national standards bodies and national electrotechnical committees of Austria, Belgium,
Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy,
Latvia, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Republic of North Macedonia, Romania, Serbia,
Slovakia, Slovenia, Spain, Sweden, Switzerland, Türkiye and United Kingdom.

CEN-CENELEC Management Centre:
Rue de la Science 23, B-1040 Brussels
© 2024 CEN/CENELEC All rights of exploitation in any form and by any means reserved worldwide for CEN national Members and for CENELEC Members.
Ref. No. CEN/CLC/TR 17894:2024 E
Contents
European foreword
1 Scope
2 Normative references
3 Terms and definitions
4 Framework of conformity assessment and objects of conformity assessment
4.1 General
4.2 International accreditation and conformity assessment framework
4.2.1 General
4.2.2 Level 5
4.2.3 Level 4
4.2.4 Level 3
4.2.5 Level 2
4.2.6 Level 1
4.3 Conformity assessment modules
4.3.1 Conformity assessment modules of Decision No 768/2008/EC
4.3.2 Conformity assessment modules of the EU AI Act
4.3.3 Conformity assessment modules following the EU AI Act Annex II Section A
4.3.4 Conformity assessment modules under sectorial legislation
4.4 Considerations on the interplay of conformity assessment under EU AI Act and sectorial legislation
4.4.1 General
4.4.2 Interplay between notified body requirements under EU AI Act and its Annex II Section A legislation
4.4.3 Possible interplay between conformity assessment in the Machinery Regulation and the EU AI Act
4.4.4 Possible interplay between conformity assessment in the medical devices sectorial legislation and the EU AI Act
4.4.5 Conformity assessment in the automotive sectorial legislation
4.4.6 Conformity assessment of representative AI system (aka ‘sampling’)
5 Mapping of horizontal and vertical standard items to the level system and assignment to conformity assessment activities
5.1 Mapping of AI horizontal standard items to conformity assessment activities
5.1.1 General
5.1.2 Management system certification according to EN ISO/IEC 17021-1
5.1.3 Inspection according to EN ISO/IEC 17020
5.1.4 Testing according to EN ISO/IEC 17025
5.1.5 Verification and Validation according to EN ISO/IEC 17029
5.1.6 Product, process or service certification according to EN ISO/IEC 17065
6 Supporting compliance to EU AI Act
6.1 Analysis of conformity assessment elements in EU AI Act
6.1.1 Conformity assessment requirements for high-risk AI systems according to EU C(2023)3215 – Standardization request M/593
6.1.2 Interdependencies of EU AI Act provisions
6.1.3 Article 17 “quality management system” in the EU AI Act
6.2 EN ISO/IEC 17065 certification approach related to EU AI Act
6.2.1 General
6.2.2 Potential certification process according to EN ISO/IEC 17065
6.2.3 Accreditation of certification bodies according to EN ISO/IEC 17065 within the field of AI
6.3 Role of testing for conformity assessments
6.3.1 General
6.3.2 Testing of general purpose AI models and general purpose AI models with systemic risk
6.4 Measurement, measures and metrics
7 Existing horizontal certifications possibly relevant for the AI area
7.1 General
7.2 Data related certifications: the example of GDPR-CARPA national level certification
7.3 Cybersecurity related certification
8 Observations and identified gaps
8.1 General
8.2 Challenges of terms and definitions operationalisation for AI conformity assessment
8.2.1 General
8.2.2 Identified differences of terms definition
Annex A (informative) Tools to support operationalisation of AI conformity assessment
Bibliography
European foreword
This document (CEN/CLC/TR 17894:2024) has been prepared by Technical Committee CEN/CENELEC
JTC 21 “Artificial Intelligence”, the secretariat of which is held by Danish Standards (DS).
Attention is drawn to the possibility that some of the elements of this document may be the subject of
patent rights. CEN shall not be held responsible for identifying any or all such patent rights.
Any feedback and questions on this document should be directed to the users’ national standards body.
A complete listing of these bodies can be found on the CEN website.
1 Scope
This document sets out a review of the current methods and practices (including tools, assets, and
conditions of acceptability) for conformity assessment as relevant for the development and use of AI
systems. Among others, it addresses the conformity assessment for products, services, processes,
management systems and organizations. It includes an industry horizontal (vertical agnostic)
perspective and an industry vertical perspective.
This document focuses only on the process and gap analysis of conformity assessments. It defines the
objects of conformity related to AI systems and all other aspects of the conformity assessment process.
The document also reviews to what extent AI poses specific challenges with respect to assessment of, for
example, software engineering, data quality and engineering processes.
This document takes into account requirements and orientations from policy frameworks such as the EU
AI strategy and those from CEN and CENELEC member countries.
This document is intended for technologists, standards bodies, regulators and interest groups.
2 Normative references
There are no normative references in this document.
3 Terms and definitions
For the purposes of this document, the following terms and definitions apply.
ISO and IEC maintain terminology databases for use in standardization at the following addresses:
— IEC Electropedia: available at http://www.electropedia.org/
— ISO Online browsing platform: available at http://www.iso.org/obp
3.1
conformity assessment
demonstration that specified requirements (3.2) relating to a product, process, system, person or body are
fulfilled
Note 1 to entry: The process of conformity assessment as described in the functional approach in Annex A can have
a negative outcome, i.e. demonstrating that the specified requirements are not fulfilled.
Note 2 to entry: Conformity assessment includes activities defined elsewhere in this document, such as but not
limited to testing (6.2), inspection (6.3), validation (6.5), verification (6.6), certification (7.6), and accreditation (7.7).
Note 3 to entry: Conformity assessment is explained in Annex A as a series of functions. Activities contributing to
any of these functions can be described as conformity assessment activities.
[SOURCE: EN ISO/IEC 17000:2020]
3.2
specified requirement
need or expectation that is stated
Note 1 to entry: Specified requirements can be stated in normative documents such as regulations, standards and
technical specifications.
Note 2 to entry: Specified requirements can be detailed or general.
[SOURCE: EN ISO/IEC 17000:2020]
3.3
accreditation
attestation by a national accreditation body that a conformity assessment body meets the requirements
set by harmonised standards and, where applicable, any additional requirements including those set out
in relevant sectorial schemes, to carry out a specific conformity assessment activity, according to EU
regulation (see [1] and [2])
Note 1 to entry: Accreditation is the last level of public control in the conformity assessment system. It is designed
to ensure that conformity assessment bodies (e.g. laboratories, inspection or certification bodies) have the technical
capacity to perform their duties. Used in regulated sectors and voluntary areas, accreditation increases trust in
conformity assessment. It reinforces the mutual recognition of products, services, systems, and bodies across the
EU. [3]
Note 2 to entry: At ISO level accreditation is the formal recognition by an independent body, generally known as an
accreditation body, that a certification body operates according to international standards.
[SOURCE: Regulation (EC) No 765/2008 of the European Parliament and of the Council of 9 July 2008
setting out the requirements for accreditation and market surveillance relating to the marketing of
products and repealing Regulation (EEC) No 339/93, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32008R0765 (see [1] and [2]);
Accreditation of conformity assessment bodies (accessed on 6 November 2023), https://single-market-economy.ec.europa.eu/single-market/goods/building-blocks/accreditation-conformity-assessment-bodies_en (see [3])]
3.4
object of conformity assessment
entity to which specified requirements (3.2) apply
EXAMPLE Product, process, service, system, installation, project, data, design, material, claim, person, body or
organization, or any combination thereof
Note 1 to entry: The term “body” is used in this document to refer to conformity assessment bodies (4.6) and
accreditation bodies (4.7). The term “organization” is used in its general meaning and may include bodies according
to the context. The more specific ISO/IEC Guide 2 definition of an organization as a body based on membership is
not applicable to the field of conformity assessment (3.1).
[SOURCE: EN ISO/IEC 17000:2020]
4 Framework of conformity assessment and objects of conformity assessment
4.1 General
In this clause, an overview of the current conformity assessment schemes for organizations in areas such
as cybersecurity is provided, highlighting their pros and cons. It also discusses the necessary adaptations
required to make these schemes applicable to AI. Additionally, AI assessment frameworks for
organizations are proposed, including relevant AI components. These support a
comprehensive understanding of the assessment process of AI systems.
4.2 International accreditation and conformity assessment framework
4.2.1 General
Technical standards are met to achieve accreditation and conformity assessment. However, in the field
of conformity assessment and accreditation, different levels are assessed. This is why there is a level
system, which is outlined in documents EA 1/06 [4] under European Accreditation Multilateral
agreement Structure and IAF PR 4 [5] and illustrated in Figure 1.

Figure 1 — Accreditation Standardization System - classification of evaluation methods in level
structure
The elements which have been identified as needed to be addressed with priority are highlighted in red.
According to EA 1/06 and as depicted in Figure 1, for level 2 the main conformity assessment activities
against standards by Conformity Assessment Bodies (CABs), to which accreditation bodies grant
accreditation, are highlighted in red. Additional activities include: PT (Proficiency Testing) Providers,
Reference Material (RM) Producers as well as calibration activities. At level 3, ISO 17065 [6] (highlighted
in green) is identified to be the preferred standard regarding conformity assessment of high-risk AI
systems by third parties with respect to the EU AI Act, which was proposed by the European Commission
on the 21st April 2021 [7]. From herein reference to the EU AI Act refers to the EU's Artificial Intelligence
Act which was unanimously approved by Members of the competent Council of Ministers' Permanent
Representatives Committee (Coreper), on the 2nd of February 2024 [8].
For the activity of testing (i.e. “conformity assessment” in the form of testing/inspection/certification,
etc. [Level 2 to 4]) there are international standards (ISO/IEC), which define the minimum standard for
these organisations and for their (testing) activities. The same applies to the activities of the accreditation
authorities, whose tasks and procedures are regulated in the ISO/IEC 17011 standard (see [9]). The
reciprocal agreements (MLA/MRA) administered by the international organisations EA, ILAC and IAF are
binding under international law. Anyone who falls short of these standards does not test lege artis (= in
conformity with the law).
4.2.2 Level 5
Starting from level 5, the object of conformity assessment produced or created by an organization is
considered. This can include products, processes, services, systems or persons who need to meet specific
requirements outlined by laws and regulations, such as the EU AI Act (see [8]) or normative documents
such as standards.
Upon demonstrating conformity with the relevant requirements of a normative document, cited in the
OJEU as harmonized standard, the organization benefits from a presumption of conformity with the
legally mandated essential requirements set out in the EU AI Act (see [8]). Harmonized standards assist
in conferring a presumption of conformity with the requirements set out in laws and regulations.
Accordingly, organisations that demonstrate conformity with the relevant harmonized standards are
therefore presumed to be in compliance with the corresponding legally mandated essential requirement
set out in the EU AI Act (see [8]).
Examples of level 5 standards:
— EN ISO 9001:2015 (see [10]);
— EN ISO/IEC 27001:2013 (see [11]);
— EN ISO/IEC 27701:2021 (see [12]);
— EN ISO 14064-1:2019 (see [13]);
— EN ISO 13485:2016/A11:2021 (see [14]).
4.2.3 Level 4
When confirming adherence to the relevant criteria pertaining to the subject of the assessment,
conformity assessment bodies adhere to explicitly outlined requirements governing the execution of the
assessment. In cases where these requirements are particularly defined for certain product categories or
specific economic sectors, those are incorporated and met. There can be requirements that further
specify the procedure of the necessary conformity assessment activities. These specifying requirements
for the conformity assessment procedures are found at level 4 and are fulfilled by the conformity
assessment body and not by the distributor or manufacturer of the object of conformity assessment.
In principle, certification schemes and validation and verification programs audited by the accreditation
body apply as level 4 for [6] (including activities that may include a test according to [15] or inspection
according to [16]) and [17].
Examples of level 4 standards:
— ISO/IEC 42006 (see [18]);
— EN ISO/IEC 27006-1:2024 (see [19]);
— ISO/IEC TS 27006-2:2021 (see [20]);
— EN ISO/IEC 17021-3:2018 (see [21]);
— EN ISO 14064-3:2019 (see [22]).
4.2.4 Level 3
A conformity assessment by a first, second, or independent third party is always a defined process of
conformity assessment, which contains several steps based on the functional approach defined in
EN ISO/IEC 17000:2020, Annex A. The type(s) of conformity assessment activities used differ depending
on the object of the conformity assessment. The requirements for these conformity assessment activities
are also specified in standards, which are met by the conformity assessment body performing these
activities.
Footnote to ISO/IEC 42006 (listed in 4.2.3): Under preparation. Stage at the time of publication: ISO/IEC DIS 42006.
Examples of level 3 standards (not comprehensive):
— EN ISO/IEC 17021-1:2015 (see [23]);
— EN ISO/IEC 17029:2019 (see [17]);
— EN ISO/IEC 17065:2012 (see [6]).
4.2.5 Level 2
Conformity assessment includes activities such as testing, inspection, as well as certification. To
offer these activities, conformity assessment bodies demonstrate their competence. The competence of a
conformity assessment body is assessed by means of accreditation, which verifies whether it meets the
requirements for the activities it offers. These requirements are located on level 2. Accreditation activities
determine the competence of a conformity assessment body, coinciding with level 3 activities.
4.2.6 Level 1
The requirements that the accreditation bodies have to fulfil are referred to as level 1 and are laid down
in the standard EN ISO/IEC 17011:2017 (see [9]). Independent of the legal requirements, this
harmonized standard in connection with the obligatory documents published by the European and
international umbrella organizations of the accreditation bodies form the practical framework for the
recognition of accredited conformity assessment activities in the international context.
4.3 Conformity assessment modules
4.3.1 Conformity assessment modules of Decision No 768/2008/EC
The EU AI Act (see [8]) refers to Regulation (EC) 765/2008 (see [1]) and Decision No 768/2008/EC (see
[24]). Regulation (EC) 765/2008 [1] sets out the requirements for the accreditation of conformity
assessment bodies. At the same time, Decision No 768/2008/EC (see [24]) lays down a 'horizontal menu'
of conformity assessment modules and the ways procedures are built of modules (see Table 1).
Table 1 — Conformity Assessment Modules described in Annex II of EU Decision No 768/2008/EC (see [25])

Module A: Internal production control
Covers both design and production. The manufacturer himself ensures the conformity of the products to the legislative requirements (no EU-type examination).

Module A1: Internal production control plus supervised product testing
Covers both design and production. A + tests on specific aspects of each individual product carried out by an in-house accredited body or under the responsibility of a notified body chosen by the manufacturer.

Module A2: Internal production control plus supervised product checks at random intervals
Covers both design and production. A + product checks at random intervals carried out by a notified body or in-house accredited body based on samples of manufactured products.

Module B: EU-type examination
Covers design. It is always followed by other modules by which the conformity of the products to the approved EU-type is demonstrated. A notified body examines the technical design and or the specimen of a type and verifies and attests that it meets the requirements of the legislative instrument that apply to it by issuing an EU-type examination certificate. There are 3 ways to carry out EU-type examination: 1) production type, 2) combination of production type and design type and 3) design type.

Module C: Conformity to EU-type based on internal production control
Covers production and follows module B. The manufacturer must internally control its production to ensure product conformity against the EU-type approved under module B.

Module C1: Conformity to EU-type based on internal production control plus supervised product testing
Covers production and follows module B. The manufacturer must internally control its production to ensure product conformity against the EU-type approved under module B. C + tests on specific aspects of each individual product carried out by an in-house accredited body or under the responsibility of a notified body chosen by the manufacturer.

Module C2: Conformity to EU-type based on internal production control plus supervised product checks at random intervals
Covers production and follows module B. The manufacturer must internally control its production to ensure product conformity against the EU-type approved under module B. C + at random intervals a notified body or in-house accredited body tests product on specific aspects based on samples of manufactured products.

Module D: Conformity to EU-type based on quality assurance of the production process
Covers production and follows module B. The manufacturer operates a production (manufacturing part and inspection of final product) quality assurance system to ensure conformity to EU-type. The notified body assesses the quality system.

Module D1: Quality assurance of the production process
Covers both design and production. The manufacturer operates a production (manufacturing part and inspection of the final product) quality assurance system to ensure conformity to legislative requirements (no EU-type, used like D without module B). Notified body assesses the production (manufacturing part and inspection of final product) quality system.

Module E: Conformity to type based on product quality assurance
Covers production and follows module B. The manufacturer operates a product quality (= 'production' quality without the manufacturing part) assurance system for final product inspection and testing to ensure conformity to EU-type. A notified body assesses the quality system.
The idea behind module E is like the one under module D: both are based on a quality system and follow module B. Their difference is that the quality system under module E aims to ensure the quality of the final product, while the quality system under module D (and D1 too) aims to ensure the quality of the whole production process (that includes the manufacturing part and the test of final product). E is thus like module D without the provisions relating to the manufacturing process.

Module E1: Quality assurance of final product inspection and testing
Covers both design and production. The manufacturer operates a product quality (= 'production' quality without the manufacturing part) assurance system for final product inspection and testing to ensure conformity to the legislative requirements (no module B (EU-type), used like E without module B). The notified body assesses the quality system.
The idea behind module E1 is like the one under module D1: both are based on a quality system. Their difference is that the quality system under module E1 aims to ensure the quality of the final product, while the quality system under module D1 aims to ensure the quality of the whole production process (that includes the manufacturing part and the test of final product). E1 is thus like module D1 without the provisions relating to the manufacturing process.

Module F: Conformity to EU-type based on product verification
Covers production and follows module B. The manufacturer ensures compliance of the manufactured products to approved EU-type. The notified body carries out product examinations (testing of every product or random sample checks) to control product conformity to EU-type.
Module F is like C2, but the notified body carries out more systematic product checks.

Module F1: Conformity based on product verification
Covers both design and production. The manufacturer ensures compliance of the manufactured products to the legislative requirements. The notified body carries out product examinations (testing of every product or random sample checks) to control product conformity to the legislative requirements (no EU-type, used like F without module B).
Module F1 is like A2 but the notified body carries out more detailed product checks.

Module G: Conformity based on unit verification
Covers both design and production. The manufacturer ensures compliance of the manufactured products to the legislative requirements. The notified body verifies every product to ensure conformity to legislative requirements (no EU-type).

Module H: Conformity based on full quality assurance
Covers both design and production. The manufacturer operates a full quality assurance system to ensure conformity to legislative requirements (no EU-type). The notified body assesses the quality system.

Module H1: Conformity based on full quality assurance plus design examination
Covers both design and production. The manufacturer operates a full quality assurance system to ensure conformity to legislative requirements (no EU-type). The notified body assesses the quality system and the product design and issues an EU design examination certificate.
Module H1 in comparison to module H provides in addition that the notified body carries out a more detailed examination of the product design.
The EU-design examination certificate must not be confused with the EU-type examination certificate of module B that attests the conformity of a specimen 'representative of the production envisaged', so that the conformity of the products can be checked against this specimen. Under EU design examination certificate of module H1, there is no such specimen. The EU design examination certificate attests that the conformity of the design of the product has been checked and certified by a notified body.
4.3.2 Conformity assessment modules of the EU AI Act
According to Article 43(3) of the EU AI Act (see [8]), “AI providers for high-risk AI systems, to which legal
acts listed in Annex II, section A, apply shall follow the relevant conformity assessment as required under
those legal acts”. The following sections provide an overview of the conformity assessment modules (see
Table 1) available under that sectorial legislation.
As products under Annex II section A are to follow the conformity assessment under sectorial legislation,
it is unclear whether the notified body designated under sectorial legislation requires a specific
designation and notification under the EU AI Act (see [8]), or whether the sectorial designation and
notification is sufficient, provided the notified body can demonstrate sufficient competence required by
the EU AI Act (see [8]) for certain AI technologies, including demonstrating sufficient consideration of the
whole range of risks addressed by the EU AI Act (see [8]).
The EU AI Act (see [8]) foresees conformity assessment procedures aligned with modules A and H1 of
Decision No 768/2008/EC (see Figure 2 and [24]). However, according to Article 43(3) of EU AI Act
(see [8]): “For high-risk AI systems, to which legal acts listed in Annex II, section A, apply, the provider shall
follow the relevant conformity assessment as required under those legal acts. The requirements set out in
Chapter 2 of this Title shall apply to those high-risk AI systems and shall be part of that assessment. Points
4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply.”
Annex VII:
Point 4.3: “The technical documentation shall be examined by the notified body. Where relevant and limited
to what is necessary to fulfil their tasks, the notified body shall be granted full access to the training,
validation, and testing datasets used ….”
Point 4.4: “In examining the technical documentation, the notified body may require that the provider
supplies further evidence or carries out further tests so as to enable a proper assessment of conformity of the
AI system with the requirements set out in Title III, Chapter 2. Whenever the notified body is not satisfied
with the tests carried out by the provider, the notified body shall directly carry out adequate tests, as
appropriate.”
Point 4.5: “… after all other reasonable ways to verify conformity have been exhausted and have
proven to be insufficient, and upon a reasoned request, the notified body shall be granted access to the
training and trained models of the AI system, including its relevant parameters. Such access shall be
subject to existing Union law on the protection of intellectual property and trade secrets.”
Point 4.6: “Where the AI system is not in conformity with the requirements set out in Title III, Chapter 2, the
notified body shall refuse to issue an EU technical documentation assessment certificate and shall inform the
applicant accordingly, giving detailed reasons for its refusal.
Where the AI system does not meet the requirement relating to the data used to train it, re-training of the
AI system will be needed prior to the application for a new conformity assessment. In this case, the reasoned
assessment decision of the notified body refusing to issue the EU technical documentation assessment
certificate shall contain specific considerations on the quality data used to train the AI system, notably on
the reasons for non-compliance.”
Notified body access to source code, training, validation, and testing data sets corresponds to module B
(EC type examination), while the notified bodies carrying out tests corresponds to module D (Conformity
to type based on quality assurance of the production process) of Decision No 768/2008/EC (see [24]).
When only Technical Documentation and Quality Assurance are reviewed, then this corresponds to
module H1 (Conformity based on full quality assurance plus design examination) (see Figure 2 and Table
1). Note that rather than module H, module H1 applies as the EU AI Act (see [8]) refers to notified bodies
issuing an EU technical documentation assessment certificate (aka EU-design examination certificate
following Blue Guide 2022 [25] terminology).
Figure 2 — Decision No 768/2008/EC (see [24]) conformity assessment procedures available in
the EU AI Act (AIA), see [8], in consideration of access to source code, training, validation, and
test data sets and test provisions.
4.3.3 Conformity assessment modules following the EU AI Act Annex II Section A
According to Article 43(3) of the EU AI Act (see [8]), the following applies: “For high-risk AI systems, to
which legal acts listed in Annex II, section A, apply, the provider shall follow the relevant conformity
assessment as required under those legal acts. The requirements set out in Chapter 2 of this Title shall apply
to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph
of point 4.6 of Annex VII shall also apply.”
The following sections provide an overview of the conformity assessment modules available under
sectorial legislation.
4.3.4 Conformity assessment modules under sectorial legislation
4.3.4.1 Conformity assessment modules of the Machinery Regulation
Machinery Regulation 2023/1230 (MR) (see lays down requirements for the safety of, among others,
machinery. Depending on whether the machinery (or other items in scope of the regulation) is referenced
in Annex I of the regulation, Module A, B or H apply (see Figure 3).
Figure 3 — Decision No 768/2008/EC (see [24]) conformity assessment procedures available in
Machinery Regulation 2023/1230
4.3.4.2 Conformity assessment modules of the Medical Device Regulations
The Medical Device Regulations foresee conformity assessment procedures aligned with modules A, B, D,
H and H1 (see Figure 4). In addition, the in vitro Diagnostic Medical Device Regulation also provides
module F. The conformity assessment procedures available to a manufacturer depend (see Figure 5) on:
1) The device's placement on the market, i.e. devices manufactured and used only within health institutions
established in the Union and not placed on the market follow module A, whereas all other relevant
modules potentially apply to devices that are placed on the market;
2) The device's regulatory class, which is determined through the classification rules (MDR/IVDR Annex VIII);
3) Whether the device is custom-made.
Contrary to their status under the former Medical Device Directives (see [26], [27], [28]), most medical
devices that are or that contain software are class IIa or higher under the MDR or class B and higher under
IVDR (see [29]), which implies that the manufacturer requires a notified body for the conformity
assessment.
It is worth noting that while it is legally possible for a device that is or that incorporates software to follow
conformity assessment modules B, D, and (in the case of a medical device under MDR) also module F,
historically, i.e. under the former medical device directives, notified bodies expected that when a
manufacturer chose to apply modules B, D, or F, module H or H1 would also be applied. The mandatory
use of module H or H1 under the directives caused manufacturers to refrain from using modules B, D, and
F for devices that are or that contain software. The rationale for requiring full quality assurance for
software devices under the old directives was that product verification and production control give
insufficient assurance of the safety and performance of a device that is or that contains software because
it is impossible to test software exhaustively. The only way to ensure the safety and performance of
software-based devices is to assess whether the software is developed and undergoes post-market
surveillance using state-of-the-art processes. Today, while the medical device regulations do not require
the mandatory use of full quality assurance for devices that are or that incorporate software, no
manufacturers of software devices are known to opt for a module B, D, or F approach for conformity
assessment.
Figure 4 — Decision No 768/2008/EC (see [24]) conformity assessment procedures available in
the Medical Device Regulations
Figure 5 — Illustration of how conformity assessment procedures available in the Medical
Device Regulations depend on placement on the market, regulatory class, and whether the
device is custom-made, is a well-established technology (WET) or subject to European Union
Reference Laboratory verification
4.3.4.3 Conformity assessment modules of the Personal Protective Equipment Directive
Personal Protective Equipment (EU) 2016/425 (PPE) lays down requirements for designing and
manufacturing personal protective equipment. PPE Annex I defines three categories of risk against which
PPE is intended to protect users. PPE follows Module A for PPE category I, Module B+C for PPE category
II and Modules B+C2 or B+D for PPE category III (see Figure 6).

Figure 6 — Decision No 768/2008/EC (see [24]) conformity assessment procedures available in
Personal Protective Equipment Directive (EU) 2016/425
4.3.4.4 Conformity assessment modules of the Radio Equipment Directive
Radio Equipment Directive 2014/53/EU (RED) sets essential requirements for safety and health,
electromagnetic compatibility, and the efficient use of the radio spectrum. The RED follows Module A
when harmonized standards are used, otherwise Module B+C or Module H (see Figure 7).

Figure 7 — Decision No 768/2008/EC (see [24]) conformity assessment procedures available in
Radio Equipment Directive 2014/53/EU
4.4 Considerations on the interplay of conformity assessment under EU AI Act and
sectorial legislation
4.4.1 General
When more than one NLF-style legislation applies to a product, the manufacturer or provider creates
technical documentation and follows the collective conformity assessment procedures prescribed by
those legislations to demonstrate whether all specified requirements relating to the product have been
fulfilled. An efficient conformity assessment requires that conformity assessment procedures of the EU
AI Act (see [8]) and the sectorial legislation are integrated and that the interplay is clear. This section
deals with the interplay between conformity assessment under the EU AI Act (see [8]) and sectorial
legislation and the related standardization deliverables that could operationally support the process.
As a basis for conformity assessments, ISO/IEC published conformity assessment standards and guides
known collectively as the CASCO Toolbox [30]. In related areas such as data protection, the establishment of
conformity assessment schemes is envisaged between various countries.
4.4.2 Interplay between notified body requirements under EU AI Act and its Annex II Section A
legislation
Articles of the EU AI Act (see [8]) that cover the obligations of AI NBs are:
— Article 33: Requirements relating to notified bodies
— Article 33a: Presumption of conformity
...
