EU AI Act Annex V: Complete EU Declaration of Conformity Template and Guide for High-Risk AI Providers

Post #1489 in the sota.io EU AI Act Compliance Series — EU-AI-ACT-CE-MARKING-2026 #3/5

The EU Declaration of Conformity (DoC) is the legal document that makes your CE marking meaningful. Without a properly structured DoC signed by an authorised representative, the CE mark on your high-risk AI system is invalid — and market surveillance authorities can require its removal.

Under Article 47 of the EU AI Act (Regulation (EU) 2024/1689), every provider of a high-risk AI system must draw up a written EU Declaration of Conformity before placing the system on the market or putting it into service. The content of that declaration is specified in Annex V of the Regulation.

This guide covers every required element of the Annex V DoC, a complete fillable template, who must sign, and when the declaration must be updated or withdrawn.

Why the DoC Is Not Optional — Even for Internal Deployments

Many SaaS providers assume the EU Declaration of Conformity is only required when selling to third parties. This is incorrect.

Art.47(1) requires the DoC whenever a high-risk AI system is "placed on the market or put into service." Putting a system "into service" includes deploying it in your own organisation for use in regulated contexts — for example, an HR decision-support tool you develop and deploy internally for recruitment decisions falls under Annex III, Point 4.

The DoC is the legal record that:

• You conducted a conformity assessment under Art.43
• The system meets all requirements under Articles 8 through 15
• You accept full provider liability for the system

Without it, your system cannot legally carry the CE mark.

The 9 Required Elements of the EU Declaration of Conformity

Annex V of the EU AI Act specifies the mandatory content for the DoC. All nine elements must be present for the declaration to be valid:

1. Provider Identification

The full legal name and registered address of the provider — the entity that developed and placed the AI system on the market. If the provider is established outside the EU, this section must also identify the authorised representative established in the Union under Art.22, including their full name, address, and the mandate reference number.

Provider:        [Full Legal Company Name]
Registered at:   [Street, City, Country, Postal Code]
VAT/Registration: [EU company registration number]

2. AI System Identification

The DoC must uniquely identify the AI system it covers. This typically requires:

• System name and version number: The exact product name and version string (e.g., "RecrutAI Screening Engine v3.4.2")
• Intended purpose: The specific use case as described in your technical documentation — copied verbatim to ensure consistency
• Annex III classification: Which point in Annex III classifies this system as high-risk

AI System Name:     [System name as in technical documentation]
Version/Release:    [vX.Y.Z or build identifier]
Intended Purpose:   [Exact text from Art.11 technical documentation, Section 1]
High-Risk Category: Annex III, Point [X] — [Category name]

3. Statement That the AI System Meets the EU AI Act

The core of the DoC — a clear legal statement that the system conforms to the requirements of Regulation (EU) 2024/1689. The statement should reference the regulation by its full CELEX identifier and the specific chapters that apply.

We hereby declare that the AI system identified above meets the requirements 
of Regulation (EU) 2024/1689 of the European Parliament and of the Council 
(EU AI Act), in particular the obligations set out in Chapter 2 of Title III 
(Articles 8–15) applicable to high-risk AI systems.

4. Reference to Relevant Harmonised Standards or Common Specifications

If your conformity assessment relied on harmonised standards (published in the Official Journal) or common specifications adopted under Art.41, these must be listed with their full reference numbers and publication dates.

If no harmonised standards were available — which is the reality for most providers before August 2026, as the standards are still being developed — you must state this explicitly and describe the alternative assessment basis used:

Harmonised standards applied: None available at time of conformity assessment.
Assessment basis: Internal assessment against Art.9–15 requirements [describe 
methodology, e.g., "risk management documentation, QMS, internal test protocols"].

5. Identification of the Notified Body (If Applicable)

If a notified body was involved in the conformity assessment under Art.43, you must provide:

• The notified body's name
• Its identification number as listed in the NANDO database
• The certificate number and date of issue

For providers using the internal control route (self-assessment under Annex VI), this section states: "No notified body was involved. Assessment conducted via internal control procedure in accordance with Annex VI of Regulation (EU) 2024/1689."

6. The Conformity Assessment Procedure Used

Identify which conformity assessment procedure from Art.43 was followed:

• Internal control (Annex VI, Procedure A): Available for all Annex III high-risk systems except those using biometric data for categorisation, real-time remote biometric identification, or certain critical infrastructure contexts
• Third-party assessment (Annex VII, Procedure B): Required for the specific categories above, optional for all others

Conformity Assessment Procedure:  
[ ] Internal control — Annex VI, Art.43(2)  
[ ] Third-party assessment — Annex VII, Notified Body involvement, Art.43(1)

7. Place and Date of Issue

The DoC must be dated at the point when conformity assessment was completed and before the CE mark was affixed or the system placed on the market.

Place of issue:    [City, Country]
Date of issue:     [YYYY-MM-DD]

8. Authorised Signatory Information

The DoC must be signed by the provider's authorised representative — typically the CEO, CTO, Chief Compliance Officer, or another senior executive with authority to make legal declarations on behalf of the company. This person's name, title, and signature must appear on the document.

Signed on behalf of:   [Full Legal Company Name]
Name:                  [First Name Last Name]  
Title:                 [Position/Title]
Signature:             ______________________
Date:                  [YYYY-MM-DD]

9. Reference to the Technical Documentation and Where It Is Kept

The DoC must reference where the supporting technical documentation required by Art.11 and Annex IV is maintained, and for how long. The retention period under Art.47(2) is 10 years after the system was last placed on the market.

Technical Documentation Location: [Internal system/repository, e.g., "Maintained at 
registered address above, ref: AI-DOC-2026-[SYSTEM-ID], available on request 
from competent authorities"]
Retention until: [YYYY — 10 years from last market placement]

Complete Fillable Template

─────────────────────────────────────────────────────
EU DECLARATION OF CONFORMITY
Regulation (EU) 2024/1689 — EU Artificial Intelligence Act
─────────────────────────────────────────────────────

1. PROVIDER

   Company:          ___________________________________
   Address:          ___________________________________
   Country:          ___________________________________
   Registration No.: ___________________________________

   Authorised Representative (if non-EU provider):
   Name:             ___________________________________
   Address:          ___________________________________
   Mandate Ref:      ___________________________________

2. AI SYSTEM IDENTIFICATION

   System Name:      ___________________________________
   Version:          ___________________________________
   Intended Purpose: ___________________________________
                     ___________________________________
   High-Risk Category: Annex III, Point ___

3. DECLARATION OF CONFORMITY

   We hereby declare that the AI system identified above meets the 
   requirements of Regulation (EU) 2024/1689 (EU AI Act), specifically 
   the obligations set out in Chapter 2 of Title III (Articles 8–15) 
   applicable to high-risk AI systems.

4. HARMONISED STANDARDS / COMMON SPECIFICATIONS

   [ ] Harmonised standard(s) applied:
       Reference: ___________________________________
       Publication date: ___________________________
   
   [ ] No harmonised standards available. Assessment basis:
       ___________________________________

5. NOTIFIED BODY (if applicable)

   [ ] Not applicable — Internal control procedure used (Annex VI)
   [ ] Notified Body Name: ___________________________
       Notified Body No.:  ___________________________
       Certificate No.:    ___________________________
       Certificate Date:   ___________________________

6. CONFORMITY ASSESSMENT PROCEDURE

   [ ] Internal control — Annex VI, Art.43(2)
   [ ] Third-party assessment — Annex VII, Art.43(1)

7. DATE AND PLACE OF ISSUE

   Place: ___________________  Date: ________________

8. AUTHORISED SIGNATORY

   Signed on behalf of: ___________________________________
   Name:                ___________________________________
   Title:               ___________________________________
   Signature:           ___________________________________

9. TECHNICAL DOCUMENTATION

   Location: _____________________________________________
   Available on request from competent authorities.
   Retention until: ______ (10 years from last market placement)

─────────────────────────────────────────────────────

Who Must Sign the DoC — And Who Cannot

The person signing must have the authority to legally bind the organisation. In practice, this typically means:

• CEO / Managing Director
• CTO (if granted signing authority by board resolution)
• Chief Compliance Officer (with documented delegated authority)
• General Counsel

A developer or engineer cannot sign the DoC, even if they authored the entire compliance programme. The signatory must have organisational authority to commit the company to the representations made in the declaration.

If the provider is established outside the EU, the authorised representative (Art.22) can sign the DoC on the provider's behalf — but only if the mandate explicitly grants this authority.

When Must the DoC Be Updated?

The DoC is not a one-time document. Several events trigger an obligation to update or re-issue it:

Substantial Modification (Art.83)

A substantial modification resets the conformity assessment. You must:

1. Conduct a new conformity assessment for the modified system
2. Issue a new DoC reflecting the new version
3. Register the new version in the EU database (Art.49)
4. Update the CE marking

What counts as a substantial modification: a change that affects conformity with requirements or alters the intended purpose. This includes significant retraining on new data categories, architectural changes, or expansion of intended purpose to new use cases.

Withdrawal of CE Marking

If a serious incident reveals that the system does not meet the requirements it was assessed against, market surveillance authorities may require withdrawal. In this case, the DoC must be formally withdrawn and the CE mark removed while remediation occurs.

You cannot retroactively amend a DoC to cover incidents that occurred before the amendment. The original dated version remains the legal record for the period it covered.

Version Updates That Do Not Constitute Substantial Modifications

Minor updates — bug fixes, parameter tuning within the same model architecture, UI changes that do not affect AI outputs — do not require a new DoC, but must be documented in the technical documentation version history. Your QMS under Art.17 should have a formal change-control procedure that classifies every update as "substantial" or "non-substantial."

Common DoC Mistakes That Fail NCA Inspection

Based on market surveillance experience from analogous CE marking regimes (medical devices, radio equipment), the most common DoC failures are:

1. Version mismatch: DoC covers v3.4.1 but system in deployment is v3.5.0 — if that upgrade was a substantial modification, the DoC is invalid for the deployed version.

2. No harmonised standards section: Leaving the field blank rather than explicitly noting "no harmonised standards were available at time of assessment."

3. Missing intended purpose specificity: Copying a marketing description rather than the precise intended purpose from technical documentation.

4. Incorrect conformity assessment reference: Stating "Annex VI" when a notified body was involved, or vice versa.

5. Unsigned or undated: A DoC without a date or authorised signature is legally void.

6. No technical documentation cross-reference: Failing to identify where the supporting Annex IV documentation is kept.

DoC and the EU Database Connection

After issuing the DoC, providers of high-risk AI systems listed in Annex III must register in the EU database under Art.49. The registration must include a reference to the DoC — specifically, the date of issue and the conformity assessment route used.

The EU database entry and the DoC must be consistent. NCAs cross-reference both documents during inspections. If the database entry says "internal control" but the DoC says "notified body," that discrepancy will be flagged.

The 59-Day Countdown: DoC Timeline for August 2, 2026

With 59 days until the enforcement deadline, here is the minimum timeline for completing a valid DoC:

CE-MARKING-2026 Series Navigation

• #1/5 — Art.47 DoC + Art.48 CE Marking Basics: What each requires, why both are mandatory, the difference between signing a DoC and affixing the CE mark
• #2/5 — Conformity Chain (Art.43→Art.47→Art.48): Step-by-step workflow linking conformity assessment to DoC to CE marking
• #3/5 — Annex V DoC Template ← You are here
• #4/5 — DoC Enforcement: What Happens When CE Marking Is Wrong (coming next)
• #5/5 — CE Marking Finale: 60-Day Roadmap to August 2, 2026 (series close)

Key Takeaways

• Annex V specifies 9 required elements for a valid EU Declaration of Conformity — all nine must be present
• The signatory must have organisational authority — engineers and developers cannot sign
• The DoC must reference the conformity assessment route — internal control (Annex VI) or notified body (Annex VII)
• Substantial modifications reset the DoC — a new version of the system with significant changes needs a new declaration
• The DoC must be retained for 10 years and made available to market surveillance authorities on request
• No valid DoC = invalid CE marking — market surveillance can require withdrawal of the system from the market

Deploy on EU infrastructure — and keep your compliance documentation where CLOUD Act jurisdiction cannot reach it.