What is CA (EU AI Act Conformity Assessment)?

The EU AI Act's verification process by which a provider demonstrates that a high-risk AI system meets the requirements of Article 11 and Annex IV. There are two routes: self-assessment per Annex VI or Notified Body assessment per Annex VII.

Full explanation

Most high-risk Annex III systems can self-assess if harmonised standards are applied (Annex VI). Biometric identification and remote biometric ID systems require Notified Body assessment (Annex VII), in which an independent third party reviews the technical documentation and tests the system. After assessment, the provider affixes CE marking and registers the system in the EU AI database (Article 71). The provider must maintain the technical documentation for 10 years after the system is placed on the market and notify any substantial change per Article 43(4).

Example

A credit-scoring startup applies the harmonised standards ISO/IEC 23053:2022 and ISO/IEC 42001:2023 together with a CycloneDX 1.6 AIBOM, completes Annex VI self-assessment, signs the declaration of conformity, affixes CE marking, registers in the EU AI database, and places the system on the EU market. Total elapsed time for a prepared startup: 4-6 weeks.

FAQ

Self vs Notified Body — how do I choose?

If your system is in Annex III categories OTHER than biometric ID, Annex VI self-assessment is permitted IF you apply harmonised standards. If your system involves biometric or remote biometric identification, Annex VII Notified Body assessment is required. The penalty for self-assessing a system that requires Notified Body assessment is the same as for non-compliance.

What does 'CE marking' mean for software?

Same as for hardware: affix the CE mark prominently to the system documentation and UI to indicate that the provider has completed conformity assessment. Without CE marking, the system cannot legally be placed on the EU market.