Annexes — referenced by Article 43(1)Article Annex VII

Annex VII: Conformity Assessment Based on Assessment of Quality Management System and Technical Documentation

Applies from 2 Aug 20264 min readEUR-Lex verified Apr 2026

Annex VII sets out the notified body conformity assessment procedure. This is the third-party assessment route required for biometric identification systems under Annex III point 1 (unless harmonised standards allow internal control). The notified body reviews the quality management system and technical documentation, may conduct testing and audits, issues a certificate (or refuses), and conducts ongoing surveillance. It is more rigorous, more expensive, and more time-consuming than Annex VI internal control.

Start free assessment All articles

Who does this apply to?

-Providers of biometric identification systems under Annex III point 1 (default route)
-Notified bodies designated to assess high-risk AI systems
-Providers who voluntarily choose third-party assessment for market confidence
-Regulatory teams coordinating with notified bodies

Scenarios

A biometric identification system for public-space surveillance requires conformity assessment. No harmonised standard has been adopted yet.

Annex VII applies: the provider must engage a notified body for QMS audit, technical documentation review, and certificate issuance.

Ref. Annex VII + Art. 43(1)

A provider of a biometric system has applied a published harmonised standard covering all Chapter III Section 2 requirements.

May use Annex VI internal control instead of Annex VII — the harmonised standard exception in Article 43.

Ref. Art. 43(1) exception

The Annex VII procedure (plain terms)

The notified body conformity assessment involves:

Phase 1 — Application: The provider submits an application to a designated notified body, including the QMS documentation, Annex IV technical documentation, and a description of the AI system.

Phase 2 — QMS assessment: The notified body audits the quality management system against Article 17 requirements. This includes reviewing written procedures, management responsibility, resource management, and AI-specific processes.

Phase 3 — Technical documentation review: The body reviews Annex IV technical documentation for compliance with Chapter III, Section 2 requirements — risk management, data governance, testing, transparency, human oversight, accuracy/robustness/cybersecurity.

Phase 4 — Decision: The notified body issues a certificate confirming compliance or refuses with reasons. The provider may appeal.

Phase 5 — Surveillance: The notified body conducts periodic surveillance activities to ensure continued compliance, including audits and reviews of modifications.

Costs and lead times

Annex VII assessment involves: - Notified body fees (varies by body, complexity, and jurisdiction) - Lead times of 3–12+ months depending on documentation readiness and body availability - Ongoing surveillance fees for the certificate's validity period - Re-assessment costs for substantial modifications

Early engagement with the notified body is strongly recommended. Prepare Annex IV documentation and Article 17 QMS evidence before applying.

Recitals (preamble) on EUR-Lex

The recitals in the same consolidated AI Act on EUR-Lex contextualise the biometric exception, notified body role, and the rationale for requiring third-party scrutiny for systems that process sensitive biometric data. Use the official preamble on EUR-Lex.

Compliance checklist

Confirm that Annex VII is required for your system (biometric ID under Annex III pt 1 without harmonised standards).
Identify and engage a designated notified body early — lead times can be significant.
Prepare complete Annex IV technical documentation before applying.
Ensure Article 17 QMS is fully documented and operational before the audit.
Budget for notified body fees, timeline, and ongoing surveillance.
Address any non-conformities identified during assessment promptly.
Obtain the certificate before market placement.
Plan for re-assessment when making substantial modifications.

Read the official text on EUR-Lex

Prepare for notified body assessment—free assessment.

Start Free Assessment

Article 43: Conformity Assessment for High-Risk AI Systems

Article 17: Quality Management System for High-Risk AI

Article 44: Certificates Issued by Notified Bodies

Article 47: EU Declaration of Conformity

Article 48: CE Marking for High-Risk AI Systems

Article 16: Obligations of Providers of High-Risk AI Systems

Article 99: Penalties for AI Act Infringements

Article 113: Entry into Force and Application Dates

Annex IV: Technical Documentation for High-Risk AI Systems

Annex VI: Internal Control Conformity Assessment Procedure

Related annexes

Annex IV — Technical documentation reviewed by the notified body
Annex VI — Internal control (the simpler alternative route)

Frequently asked questions

Is Annex VII only for biometric systems?

It is the mandatory route only for Annex III point 1 biometric identification systems (without harmonised standards). Other providers may voluntarily choose Annex VII for additional market confidence, but Annex VI is sufficient.

How do I find a notified body?

The Commission maintains a database of designated notified bodies (NANDO). Check which bodies are designated for AI Act assessments in your Member State.

What if the notified body refuses the certificate?

The provider receives reasons for refusal and may address non-conformities and re-apply. The provider also has appeal rights under national procedures.

On this page

Key terms

Notified body: A third-party conformity assessment body designated by a Member State to assess, certify, and surveil high-risk AI systems under Annex VII.
Certificate: The formal document issued by a notified body confirming that the AI system's QMS and technical documentation comply with Chapter III requirements.
Surveillance: Periodic audits and reviews conducted by the notified body after certificate issuance to ensure continued compliance.

Maximum penalties (Art. 99)

3% of turnover / Up to EUR 15 million or 3% of global annual turnover under Article 99(4)
SMEs / start-ups: Lower caps for SMEs and start-ups under Article 99(6)
Placing a biometric ID system on the market without Annex VII assessment (when required) is a serious infringement.

Timeline

2 Aug 2026
Annex VII conformity assessment applies for Annex III biometric ID systems.

At a glance

Article: Annex VII
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now