Legalithm logo
Chapter III, Section 3 — Obligations of providers and deployers of high-risk AI systemsArticle 16

Article 16: Obligations of Providers of High-Risk AI Systems

Applies from 2 Aug 20266 min readEUR-Lex verified Apr 2026

Article 16 is the master obligation list for providers of high-risk AI systems. It consolidates every duty a provider must fulfil before and after placing a high-risk system on the EU market or putting it into service. Rather than creating new rules, it acts as a routing table: each lettered point references a specific requirement article (Articles 8–15, 17, 43, 47–49, 72) so the provider can track every obligation in one place. Always verify on EUR-Lex.

Start free assessmentAll articles

Who does this apply to?

  • -Providers of high-risk AI systems under Article 6 (both Annex III and Annex I paths)
  • -Product manufacturers placing AI safety components on the market under Annex I legislation
  • -Any entity that becomes a provider through re-qualification under Article 25
  • -Authorised representatives and importers who inherit certain provider obligations

Scenarios

A startup building an Annex III recruitment screening tool uses Article 16 as its compliance checklist before market launch.

Article 16 maps the full set of duties: risk management (Art. 9), data governance (Art. 10), technical documentation (Art. 11/Annex IV), logging (Art. 12), transparency/IFU (Art. 13), human oversight design (Art. 14), accuracy/robustness/cybersecurity (Art. 15), QMS (Art. 17), conformity (Art. 43), CE marking (Art. 48), registration (Art. 49), post-market monitoring (Art. 72).
Ref. Art. 16

A medical device company with an AI-based diagnostic tool verifies that Article 16 obligations are met through its integrated MDR and AI Act compliance process.

The provider uses Article 16 to confirm that every referenced requirement is addressed in the combined technical file, as required by Article 43(3) for Annex I products.
Ref. Art. 16 + Art. 43(3)

A deployer substantially modifies a high-risk system and is re-classified as a provider under Article 25.

The new provider now inherits the full Article 16 obligation set, including conformity assessment and post-market monitoring.
Ref. Art. 16 + Art. 25

What Article 16 does (plain terms)

Article 16 is a routing table — it lists every obligation a high-risk AI provider must meet and points to the article where each is detailed. The provider shall:

(a) Ensure compliance with the requirements in Section 2 (Articles 8–15): - Article 9 — Risk management system - Article 10 — Data and data governance - Article 11 + Annex IV — Technical documentation - Article 12 — Record-keeping / logging - Article 13 — Transparency and information to deployers - Article 14 — Human oversight - Article 15 — Accuracy, robustness, and cybersecurity

(b) Put in place a quality management systemArticle 17

(c) Keep the technical documentationArticle 11

(d) Keep logs automatically generated by the system when under their control — Article 12

(e) Carry out the relevant conformity assessment before market placement — Article 43

(f) Comply with registration obligations — Article 49

(g) Take necessary corrective actionsArticle 20

(h) Affix CE markingArticle 48

(i) Draw up the EU declaration of conformityArticle 47

(j) Establish and maintain a post-market monitoring systemArticle 72

Always confirm the full lettered list on EUR-Lex Article 16.

Why Article 16 matters for project planning

In practice, Article 16 is the article compliance teams print and hang on the wall. It answers: *"What must I do before I can ship?"* Each bullet gives you a checklist item with a direct link to the detailed requirement article. Missing any single point blocks lawful market placement.

Use Article 16 as the backbone of your compliance programme: map each lettered obligation to an internal workstream owner, timeline, and evidence artefact.

How Article 16 connects to the rest of the Act

  • Article 6 — Determines whether Article 16 applies (high-risk classification).
  • Articles 8–15 — The Section 2 requirements referenced by Article 16(a).
  • Article 17QMS — referenced by Article 16(b).
  • Article 25Re-qualification: deployers/distributors/importers who trigger re-qualification inherit the full Article 16 set.
  • Article 26Deployer obligations (counterpart to Article 16 for the downstream actor).
  • Article 43Conformity assessment — referenced by Article 16(e).
  • Article 47EU declaration of conformity — referenced by Article 16(i).
  • Article 48CE marking — referenced by Article 16(h).
  • Article 49Registration — referenced by Article 16(f).
  • Article 72Post-market monitoring — referenced by Article 16(j).
  • Article 99Penalties for non-compliance.
  • Article 113Application dates.

Recitals (preamble) on EUR-Lex

The recitals in the same consolidated AI Act on EUR-Lex contextualise provider accountability, proportionality for SMEs, and the lifecycle approach. Use the official preamble on EUR-Lex.

Compliance checklist

  • Map every Article 16 lettered obligation (a)–(j) to an internal workstream owner and timeline.
  • Verify Section 2 requirements (Articles 9–15) are addressed in your technical documentation.
  • Establish a QMS per Article 17 before conformity assessment.
  • Complete conformity assessment (Article 43) before market placement.
  • Register in the EU database (Article 49) before market placement.
  • Affix CE marking (Article 48) and draw up EU declaration of conformity (Article 47).
  • Establish post-market monitoring (Article 72) from day one.
  • Implement corrective action procedures (Article 20) tied to post-market signals.
  • Track Article 25 re-qualification triggers for downstream actors using your system.
Read the official text on EUR-Lex

Map your Article 16 provider obligations—free assessment.

Start Free Assessment

Related Articles

Article 6: Classification Rules for High-Risk Systems

Article 9: Risk Management System

Article 10: Data and Data Governance

Article 11: Technical Documentation

Article 12: Record-keeping

Article 13: Transparency and provision of information to deployers

Article 14: Human oversight

Article 15: Accuracy, robustness and cybersecurity

Article 17: Quality Management System for High-Risk AI

Article 20: Corrective Actions and Duty of Information

Article 25: Responsibilities Along the AI Value Chain

Article 26: Obligations of Deployers of High-Risk AI Systems

Article 43: Conformity Assessment for High-Risk AI Systems

Article 47: EU Declaration of Conformity

Article 48: CE Marking for High-Risk AI Systems

Article 49: EU Database Registration

Article 72: Post-Market Monitoring

Article 99: Penalties for AI Act Infringements

Article 113: Entry into Force and Application Dates

Related annexes

  • Annex III — High-risk AI system areas
  • Annex IV — Technical documentation

Frequently asked questions

Does Article 16 create new requirements?

No. Article 16 consolidates references to requirement articles. Each obligation is detailed in its own article (9–15, 17, 43, 47–49, 72). Article 16 is the routing table.

What if I'm a deployer, not a provider?

Deployer obligations are in Article 26. However, if you substantially modify a system or place it under your own name, Article 25 may re-classify you as a provider subject to Article 16.

Do all lettered points apply to every provider?

Yes, for any provider of a high-risk system. The scope and depth of each obligation is proportionate to risk, but none can be skipped entirely.

Can I use Article 16 as a project management checklist?

Absolutely. Many teams convert the lettered list into a RACI matrix with one workstream per letter, tracked from design through post-market.