EU AI Act Conformity Chain: Art.43 → Art.47 → Art.48
Post #2 in the EU AI Act CE-Marking-2026 Series
With 59 days until the EU AI Act August 2, 2026 deadline, high-risk AI providers face three distinct but tightly linked obligations: run the conformity assessment (Art.43), draw up the EU Declaration of Conformity (Art.47), and affix the CE mark (Art.48). Each step is a gate — you cannot complete one without finishing the previous. This guide maps the full chain.
The Three-Step Conformity Chain
Most providers treat these articles as independent checklists. They are not. The EU AI Act creates a strict dependency chain:
Art.43 Assessment Completed
↓
Art.47 EU DoC Signed (legally requires Art.43 to be done)
↓
Art.48 CE Mark Affixed (legally requires Art.47 DoC to exist)
Skipping or short-circuiting any step means the CE mark you affix is legally invalid, even if the CE symbol appears on your product.
Step 1: Art.43 — Conformity Assessment
Article 43 defines who performs the assessment and which procedure applies.
Assessment Route Selection
Route A: Internal Control (Annex VI)
- Applies to: High-risk AI systems in Annex III categories not already covered by sector-specific EU harmonisation legislation
- Who assesses: The provider themselves (no third party required)
- Key requirement: Complete technical documentation (Annex IV) + functioning QMS (Art.17)
- Typical for: SaaS providers offering general-purpose high-risk AI features (education, employment screening, credit risk, etc.)
Route B: Notified Body (Annex VII)
- Applies to: High-risk AI systems in Annex III, paragraph 1 (biometric identification systems) where a third party is needed OR systems based on AI models presenting systemic risk
- Who assesses: An EU-accredited Notified Body listed in the NANDO database
- Timeline: Typically 90-180 days — if you need Route B, start immediately
Route C: Sector-Specific Procedures
- Applies to: High-risk AI systems in products covered by EU harmonisation legislation listed in Annex I (medical devices, machinery, vehicles, etc.)
- Who assesses: Follows the sector regulation's conformity rules; AI Act conformity is satisfied if sector rules are met (Art.43(3))
What Art.43 Assessment Produces
Completing Art.43 assessment means you have:
- Technical documentation (Annex IV) — complete and current
- QMS (Art.17) — documented and operational
- Post-market monitoring plan (Art.72) — ready to activate
- Evidence file — test results, validation data, human oversight records
This evidence package is what the DoC certifies. Without it, Art.47 cannot be completed.
Step 2: Art.47 — EU Declaration of Conformity
The EU Declaration of Conformity (EU DoC) is a legal document — not a checkbox. Article 47 specifies what it must contain. A DoC signed before Art.43 assessment is complete is legally void.
Mandatory Content (Art.47(1))
The EU AI Act specifies the DoC must contain:
- Provider name and address — legal entity, not a trading name
- AI system identification — name, version, batch/serial number or unique identifier
- Statement of conformity — explicit declaration that the system conforms to Regulation (EU) 2024/1689
- Conformity assessment procedure used — cite the specific Annex (e.g., "Annex VI internal control procedure")
- Reference to harmonised standards applied — list EN standards or common specifications used
- Notified Body — name and identification number, if Route B was used
- Place and date of drawing up — must match when assessment was completed
- Signatory — name and title of person signing on behalf of the provider
DoC Format Requirements
The DoC must be:
- Drawn up in an official EU language of the Member State where the product is placed on the market (or in a language accepted by that Member State's market surveillance authority)
- Kept for 10 years after the AI system is placed on the market or put into service
- Updated whenever the system undergoes substantial modification (which triggers a new Art.43 assessment — the chain restarts)
- Made available to market surveillance authorities on request
Annex V Template Structure
The EU AI Act references Annex V as the model for the DoC. Your DoC should follow this structure:
EU DECLARATION OF CONFORMITY
(Reference No. [your internal ref])
Provider: [Legal name and address]
AI System: [Name, version, unique ID]
The above-mentioned AI system is in conformity with
Regulation (EU) 2024/1689 of the European Parliament
and of the Council.
Conformity assessment procedure applied: [Annex VI / Annex VII]
Harmonised standards, common specifications, or other
technical specifications referenced:
[List EN standards or cite "none available" if no harmonised
standards exist for your category]
Notified Body (if applicable):
[Name, ID, certificate number]
Signed for and on behalf of: [Legal entity name]
Place: [City, Member State]
Date: [DD/MM/YYYY]
[Handwritten or qualified electronic signature]
[Name and title of signatory]
Step 3: Art.48 — CE Marking Affixing
Article 48 establishes the right and obligation to affix the CE mark — once, and only once, the Art.47 DoC has been drawn up. The CE mark is not a badge you apply first and document afterwards; the paperwork must come first.
CE Mark Format
The CE mark must:
- Be the standardised CE symbol (as defined in Annex V of Regulation (EC) No 765/2008)
- Have a minimum height of 5mm when physically affixed
- Maintain legible proportions if scaled up
For software and SaaS AI systems, "affixing" means:
| Context | How to Affix |
|---|---|
| User interface | CE mark visible in the application's about/info screen or compliance section |
| API documentation | CE mark and reference to DoC in developer docs |
| Product listing | CE mark in product description on marketplaces |
| Packaging/download | CE mark on installer, app store listing, or download page |
| Technical documentation | CE mark on the cover page or header of technical docs |
What Art.48 Prohibits
- No CE mark without a valid DoC — this is a criminal/administrative offence in all Member States
- No CE mark if assessment is incomplete — partial assessment ≠ conformity
- No CE mark that misleads about conformity scope — if your DoC covers version 2.1, you cannot affix the CE mark to version 2.2 without a new assessment
CE Mark Alongside Other Marks
If your AI system is embedded in a product already bearing CE marks under other EU legislation (e.g., a medical device), the AI Act CE mark is additional. The Annex I sector regulation controls the primary mark; Art.43(3) handles the interaction, but the Art.48 mark still needs to be affixed.
The Conformity Chain in Practice: SaaS Provider Timeline
For a typical SaaS provider with a high-risk AI feature (employment screening, creditworthiness, education assessment):
| Week | Action | Legal Basis |
|---|---|---|
| Now (W1-W2) | Identify high-risk category and assessment route | Art.6 + Annex III |
| W3-W6 | Complete technical documentation (Annex IV) | Art.11 |
| W4-W7 | Document and test QMS (Art.17) | Art.17 |
| W6-W8 | Run internal conformity assessment (Route A) or engage Notified Body (Route B) | Art.43 |
| W8 | Draw up EU Declaration of Conformity | Art.47 |
| W8 | Affix CE mark to product documentation and UI | Art.48 |
| W8-W9 | Register in EUDB (if required for your category) | Art.51 |
| Post-W9 | Activate post-market monitoring | Art.72 |
If you are on Route B (Notified Body): Start Week 1 immediately. Notified Bodies are booking out into Q4 2026. The assessment alone takes 90-180 days — you cannot make the August 2 deadline if you start Notified Body outreach in July.
Common Errors That Break the Chain
Error 1: Drawing up the DoC before assessment is complete. The DoC certifies that assessment has been done. Signing it first is fraud. Market surveillance authorities are specifically trained to cross-reference DoC dates with assessment evidence timestamps.
Error 2: Affixing the CE mark to a version not covered by the DoC. If you update your AI model after signing the DoC, you must determine whether this is a "substantial modification" under Art.3(23). If yes: restart from Art.43.
Error 3: Using the wrong Annex. Most SaaS providers are Route A (Annex VI internal control). Using Annex VII language in your DoC when no Notified Body was involved creates a false statement.
Error 4: Missing the DoC 10-year retention requirement. Art.47 requires keeping the DoC for 10 years. This means version-controlled storage — not just a PDF on someone's desktop.
Error 5: Not updating the DoC when the system changes substantially. Art.47 requires the DoC to reflect the current state of the system. An outdated DoC covering an old version, while a new version is on the market, leaves you exposed.
Infrastructure Jurisdiction and the CE Marking Audit Trail
One practical issue that surfaces during market surveillance inspections: your conformity evidence (technical docs, test results, QMS records) must be accessible to EU National Competent Authorities. If your AI system runs on US cloud infrastructure, a government subpoena under the US CLOUD Act could expose your entire conformity evidence package to US law enforcement — before the EU authorities have seen it.
Providers deploying on EU-sovereign infrastructure (servers in EU Member States with no US parent company) maintain full control over their conformity audit trail. The CE mark means more when the evidence supporting it is beyond US jurisdiction.
August 2026 Readiness Checklist
Before the August 2, 2026 deadline, confirm:
Art.43 (Assessment)
- Identified applicable Annex III category
- Selected conformity assessment route (A/B/C)
- Technical documentation complete and current (Annex IV)
- QMS documented and operational (Art.17)
- Post-market monitoring plan ready (Art.72)
- Assessment evidence file timestamped and stored
Art.47 (EU DoC)
- DoC drawn up after assessment completed
- All 7 mandatory content elements present
- DoC signed by authorised signatory
- DoC in appropriate EU language
- 10-year retention system in place
Art.48 (CE Marking)
- CE mark affixed in all required places (UI, docs, packaging)
- CE mark proportions meet minimum 5mm height requirement
- CE mark references correct DoC version
- CE mark not applied to substantially modified versions without new DoC
Next in the CE-Marking-2026 Series
Post #3 covers Non-EU Providers: Authorised Representatives and Art.47 obligations — including the full EORI registration path and what an EU-based authorised representative must do on your behalf.
Part of the sota.io EU AI Act CE-Marking-2026 series. See also: Art.48 Declaration of Conformity Guide (Post #1) and the EUDB Registration Series.