Do I need an EU AI Act conformity assessment?

Short answer

Only if your AI system is high-risk under Annex III: credit, employment, education, law enforcement, migration, critical infrastructure, or biometric ID. Most B2B SaaS is NOT high-risk. If you are in scope, the deadline is August 2, 2026, and the penalty is up to €35M or 7% of global turnover.

Self-classification is the first step. Annex III lists 8 high-risk categories: biometric identification, employment / workforce management, education / vocational training, credit / insurance scoring, law enforcement, migration / asylum / border control, justice / democratic processes, critical infrastructure. If your AI system falls under any of those, you need a conformity assessment.

There are two routes. Annex VI (self-assessment) is permitted for most categories if you apply harmonised standards (ISO/IEC 23053:2022, 42001:2023, CycloneDX 1.6 AIBOM). Annex VII (Notified Body) is required for biometric and remote biometric ID systems.

For a prepared startup, Annex VI takes 4-6 weeks. Required outputs: Article 11 technical documentation, signed CycloneDX AIBOM, risk-management evidence, declaration of conformity, CE marking, EU AI database registration.
