EU AI Act CE Marking: Complete Implementation Checklist for August 2, 2026

Post #5 in the sota.io EU AI Act CE Marking 2026 Series

The EU AI Act's August 2, 2026 deadline for high-risk AI systems is now 59 days away. If you have a high-risk AI system placed on the EU market — whether you're an EU-based provider, a non-EU provider, or a deployer purchasing third-party AI — CE marking compliance is now urgent.

This finale post consolidates the entire CE marking process into a single actionable checklist. Use it as your master implementation guide, cross-referencing each step with the deeper dives in this series.

What CE Marking Means Under the EU AI Act

CE marking on a high-risk AI system is a provider's formal declaration that the system:

• Has undergone conformity assessment under Art.43
• Has a signed EU Declaration of Conformity under Art.47
• Is registered in the EU AI database under Art.49
• Meets all applicable requirements in Title III, Chapter 2 (Arts. 8-15)

The CE mark itself is a signal to national market surveillance authorities, customers, and downstream deployers. Without it, a high-risk AI system cannot legally be placed on the EU market from August 2, 2026.

Phase 1: Classification and Scoping

Before starting the CE marking process, confirm you actually need it.

Step 1: Confirm High-Risk Classification

High-risk AI systems are defined in Annex III to the AI Act. They cover:

• Biometric identification and categorisation systems
• Critical infrastructure management (water, gas, electricity, traffic)
• Education and vocational training (access, assessment)
• Employment and worker management (recruitment, performance, promotion)
• Essential services (creditworthiness, public assistance, emergency dispatch)
• Law enforcement (risk assessment, polygraphs, crime analytics)
• Migration and border control (risk assessment, asylum applications)
• Administration of justice and democratic processes

If your AI system falls into any Annex III category, CE marking is mandatory.

Exception check: Art.6(3) excludes narrow-purpose AI that merely performs a preparatory task for a human decision-maker. If this applies to your system, document the rationale carefully — market surveillance authorities may challenge it.

Step 2: Identify Your Role

Phase 2: Documentation Assembly (Art.11 + Annex IV)

The CE marking process begins with assembling the technical documentation package. No conformity assessment can be completed without it.

Step 3: Build the Technical Documentation Package

Under Art.11 and Annex IV, technical documentation must include:

• General description of the AI system, its intended purpose, and version information
• Design and development process documentation (training methodology, data governance records)
• Information about the training, validation, and testing datasets used (Art.10)
• Description of human oversight measures (Art.14)
• Description of the risk management system (Art.9) and how risks were identified and mitigated
• Description of monitoring, logging, and record-keeping systems (Art.12)
• Cybersecurity measures under Art.15
• A copy of the EU Declaration of Conformity (filled in after assessment)

Minimum viable documentation: For most SaaS providers, this means a Technical Documentation Package (TDP) of 15-40 pages covering the above. The TDP is not filed with authorities but must be available upon request by national supervisory authorities for 10 years from placement on the market.

Phase 3: Risk Management System (Art.9)

Step 4: Implement and Document the Risk Management System

Art.9 requires an iterative risk management process that runs throughout the AI system lifecycle. The documentation must show:

• Identification and analysis of known and foreseeable risks
• Estimation and evaluation of risks arising from intended and reasonably foreseeable misuse
• Risk evaluation once the system is placed on the market (post-market monitoring)
• Adoption of suitable risk management measures

The risk management system is not a one-time checklist — it must be a living process. Document each risk, its evaluation, the mitigation measure, and the residual risk accepted.

Phase 4: Conformity Assessment (Art.43)

Step 5: Select the Conformity Assessment Route

Art.43 provides two conformity assessment routes:

Route A — Self-Assessment (Art.43(1)): Available for most high-risk AI systems except biometric identification systems and systems used in law enforcement/migration control. The provider conducts the assessment internally.

Route B — Third-Party Assessment (Art.43(1)(b) + Annex VII): Mandatory for real-time remote biometric identification systems and other biometric systems deployed by public authorities. Also available voluntarily for any provider who wants third-party validation.

For Route A, the conformity assessment checks:

• Technical documentation completeness (Art.11 + Annex IV)
• Conformity with Arts. 9-15 requirements
• Quality management system adequacy (Art.17)

For Route B, a notified body conducts the assessment and issues a certificate of conformity.

Step 6: Conduct the Conformity Assessment

If doing a self-assessment (Route A):

1. Review each requirement in Arts. 9-15 against your system
2. For each requirement, document: (a) what you did, (b) evidence it was done, (c) any gaps and how they were addressed
3. Have the assessment reviewed by someone not involved in the system's development
4. Record the assessment date, assessor, and findings

The conformity assessment record must be maintained for 10 years.

Phase 5: EU Declaration of Conformity (Art.47 + Annex V)

Step 7: Draft the EU Declaration of Conformity

Once conformity assessment is complete, the provider prepares the EU Declaration of Conformity (DoC) under Art.47 using the Annex V template structure.

The DoC must contain:

1. Provider name and address
2. AI system name, type, model or serial number
3. Statement that the provider takes sole responsibility for compliance
4. Object of the declaration (the high-risk AI system)
5. Reference to relevant EU harmonised standards applied
6. Reference to the Annex III category that classifies the system
7. Notified body identification and certificate number (if Route B was used)
8. Place and date of issue
9. Signature and position of the authorised signatory

The DoC must be written in the language(s) of the EU member state(s) where the system is placed. For SaaS providers deploying across the EU, prepare it in all applicable EU languages or at minimum in English with translations available on request.

Step 8: Sign and Date the DoC

A named individual with authority to commit the company must sign the DoC. This is typically the CEO, CTO, or a formally designated Compliance Officer.

Important: The DoC signature is a formal legal declaration. The signatory is personally affirming that the system meets all applicable requirements. If the system later proves non-compliant, the signatory is exposed to liability.

Phase 6: CE Marking (Art.48)

Step 9: Affix the CE Marking

Art.48 governs how and where CE marking must be applied.

For physical AI systems: affix the CE mark to the product in a visible, legible, indelible location.

For AI systems without a physical form (SaaS, cloud-deployed AI): the CE mark must appear on the documentation accompanying the system — specifically:

• In the information provided to the deployer (user documentation, system description)
• On the provider's website in a visible location on the product page
• In any packaging or promotional material referencing conformity

The CE mark must be the standardised format under Regulation (EC) 765/2008. It cannot be combined with other marks in a way that reduces its visibility or legibility.

Step 10: Display the CE Mark Correctly

The minimum height of the CE mark is 5mm. If you're displaying it digitally, use an SVG version at the correct proportions. The letters C and E must have equal height.

Do not add text next to the CE mark that implies attributes the mark doesn't certify (e.g., "CE — GDPR Compliant" is not permitted).

Phase 7: EUDB Registration (Art.49 + Art.51)

Step 11: Register in the EU AI Database

Art.49 requires providers to register their high-risk AI systems in the EU AI database (EUDB) maintained under Art.51 before placing the system on the EU market.

Registration fields include:

• Provider name and contact information
• System name, version, description
• Intended purpose and Annex III classification
• Member states where the system is or will be placed
• Conformity assessment method used (self-assessment or notified body)
• EU Declaration of Conformity (attached or referenced)

The EUDB registration generates a unique registration number that must be referenced in the DoC and in communications with downstream deployers and importers.

Phase 8: Authorised Representative (Art.22) — Non-EU Providers Only

Step 12: Appoint an EU Authorised Representative

If the provider is established outside the EU, Art.22 requires appointing a written-mandate authorised representative before placing the system on the EU market. This representative must be established in the EU.

The authorised representative is responsible for:

• Verifying the DoC and technical documentation are complete
• Liaising with national competent authorities on behalf of the provider
• Registering in the EUDB (may be done by the representative)
• Maintaining the technical documentation for 10 years
• Cooperating with market surveillance authorities on recall or withdrawal requests

The mandate must be in writing and explicitly authorise the representative to act on behalf of the provider in all compliance and enforcement matters.

Phase 9: Post-Market Obligations

Step 13: Implement Post-Market Monitoring (Art.72)

CE marking is not a one-time certification — the provider must maintain a post-market monitoring system under Art.72 that:

• Actively collects and reviews data on system performance after deployment
• Identifies new or previously unknown risks
• Reports serious incidents to authorities under Art.73
• Updates technical documentation and DoC if material changes are made

If a material change is made to the AI system after CE marking (retraining, significant feature addition, algorithm change), the conformity assessment must be repeated.

Step 14: Serious Incident Reporting (Art.73)

Under Art.73, providers must report serious incidents to market surveillance authorities. Deadlines are:

• 2 business days: Incidents constituting a serious breach of EU fundamental rights obligations or threats to critical infrastructure
• 10 calendar days: Incidents resulting in death of a person
• 15 calendar days: All other serious incidents

Document your incident response procedure and designate the individual responsible for Art.73 reporting.

Complete CE Marking Checklist

Pre-Assessment

• Confirm Annex III high-risk classification and document rationale
• Identify provider role (EU provider, non-EU provider, deployer/importer)
• Map all EU member states where system will be placed
• Assemble Art.11 + Annex IV technical documentation package
• Implement and document Art.9 risk management system
• Verify Art.10 data governance documentation is complete
• Verify Art.12 logging and record-keeping is implemented
• Verify Art.14 human oversight measures are documented
• Verify Art.15 cybersecurity measures are documented

Conformity Assessment

• Select assessment route (Art.43 self-assessment or notified body)
• If notified body: identify and engage a qualified body listed in NANDO
• If self-assessment: conduct and document the full Art.43 assessment
• Review assessment for gaps; address and document all findings
• Retain conformity assessment records (10-year obligation)

Declaration of Conformity

• Draft the EU DoC using Annex V structure
• Include all mandatory Annex V elements (see Step 7 above)
• Prepare in required EU language(s)
• Obtain authorised signatory review and approval
• Sign and date the DoC

CE Marking

• Affix CE mark to documentation accompanying the system
• Publish CE mark on product page / provider website
• Verify CE mark dimensions and format comply with Reg. 765/2008

EUDB Registration

• Create account in the EU AI database
• Complete all mandatory registration fields
• Attach or reference the signed DoC in the registration
• Record the EUDB registration number
• Include EUDB registration number in DoC and deployer communications

Non-EU Providers Only (Art.22)

• Identify and contract an EU-established authorised representative
• Execute written mandate covering all Art.22 obligations
• Ensure representative has access to technical documentation
• Include representative information in EUDB registration

Post-Market

• Implement Art.72 post-market monitoring system
• Designate Art.73 serious incident reporting contact
• Document procedure for material-change re-assessment
• Calendar technical documentation review (annual minimum)

Timeline: 59 Days to August 2, 2026

Where sota.io Fits

Every step above generates documentation, audit trails, logs, and version records that need to live somewhere. Keeping conformity assessment records, DoC archives, post-market monitoring logs, and incident reports on EU-native infrastructure eliminates the CLOUD Act exposure that US-based cloud storage creates.

sota.io runs on Hetzner Germany — no US parent, no CLOUD Act reach. Your 10-year technical documentation archive stays under GDPR-only jurisdiction. Start with sota.io →

Series Wrap-Up

This concludes the EU AI Act CE Marking 2026 series:

1. CE Marking Fundamentals: Art.47 DoC and Art.48 CE Marking Requirements
2. The Conformity Chain: Art.43 → Art.47 → Art.48 Workflow
3. Annex V Declaration of Conformity Template
4. Art.22 Authorised Representatives for Non-EU Providers
5. This post: Complete Implementation Checklist