High-risk AI systems shall comply with the requirements established in this section. For the compliance requirements, the labelling maps to the Seclea Platform compliance category and compliance item labels.
The main articles in the EC AIA draft are listed below, and their details are in the following sections:
Seclea Platform tracks the compliance of AI applications with above listed EC AIA articles.
Obligation of AI Providers and Users
Article 16 of the regulation states the obligations of the Providers and Users of the High-Risk systems that are details in this section:
Obligation of the High-Risk AI Providers
Providers of High-risk AI systems shall:
ensure that their high-risk AI systems are compliant with the requirements set out in Article 9-15;
have a quality management system in place which complies with Article 17 (discussed subsequent in this section);
draw-up the technical documentation of the high-risk AI system (Article 11);
when under their control, keep the logs automatically generated by their high-risk AI systems (Article 12);
ensure that the high-risk AI system undergoes the relevant conformity assessment procedure, prior to its placing on the market or putting into service;
comply with the registration obligations referred to in Article 51 (requirement to register the high-risk AI application onto the EU database for such application – which is going to be available publicly);
take the necessary corrective actions, if the high-risk AI system is not in conformity with the requirements set out in Article 9-15;
inform the national competent authorities of the Member States in which they made the AI system available or put it into service and, where applicable, the notified body of the non-compliance and of any corrective actions taken;
to affix the CE marking to their high-risk AI systems to indicate the conformity with this Regulation in accordance with Article 49;
upon request of a national competent authority, demonstrate the conformity of the high-risk AI system with the requirements set out in Article 9-15.
Conformity Assessment
Providers of high-risk AI systems shall ensure that their systems undergo the relevant conformity assessment procedure in accordance with Article 43, prior to their placing on the market or putting into service.
The provider shall follow one of the following procedures:
the conformity assessment procedure based on internal control referred to in Annex VI;
the conformity assessment procedure based on assessment of the quality management system and assessment of the technical documentation, with the involvement of a notified body, referred to in Annex VII.
Annex VI - Conformity Assessment Procedure based on Internal Control
Based on Annex VI, the provider has to perform a self-assessment to make sure:
The provider verifies that the established quality management system complies with the requirements of Article 17.
The provider examines the information in the technical documentation to assess the compliance of the AI system with the relevant essential requirements set out in Articles 9-15.
The provider also verifies that the design and development process of the AI system and its post-market monitoring, as referred to in Article 61, is consistent with the technical documentation.
Annex VII - Conformity based on Assessment of Quality Management System and Assessment of Technical Documentation
The approved quality management system for the design, development and testing of AI systems pursuant to Article 17 shall be examined in accordance with point 1 and shall be subject to surveillance as specified in point 3. The technical documentation of the AI system shall be examined in accordance with point 2. Point 1 to 3 are listed below:
Quality Management System
The application of the provider shall include
the name and address of the provider and, if the application is lodged by the authorised representative, their name and address as well;
the list of AI systems covered under the same quality management system;
the technical documentation for each AI system covered under the same quality management system;
the documentation concerning the quality management system which shall cover all the aspects listed under Article 17;
a description of the procedures in place to ensure that the quality management system remains adequate and effective;
a written declaration that the same application has not been lodged with any other notified body.
The quality management system shall be assessed by the notified body, which shall determine whether it satisfies the requirements referred to in Article 17.
The quality management system as approved shall continue to be implemented and maintained by the provider so that it remains adequate and efficient.
Any intended change to the approved quality management system or the list of AI systems covered by the latter shall be brought to the attention of the notified body by the provider.
Control of the technical documentation
In addition to the application referred to in point 1, an application with a notified body of their choice shall be lodged by the provider for the assessment of the technical documentation relating to the AI system which the provider intends to place on the market or put into service and which is covered by the quality management system referred to under point 1.
The application shall include:
the name and address of the provider;
a written declaration that the same application has not been lodged with any other notified body;
the technical documentation referred to in Annex IV (details of which are included in the Article 11 of this document).
Surveillance of the approved quality management system
The purpose of the surveillance carried out by the notified body referred to in Point 1 is to make sure that the provider duly fulfils the terms and conditions of the approved quality management system.
For assessment purposes, the provider shall allow the notified body to access the premises where the design, development, testing of the AI systems is taking place. The provider shall further share with the notified body all necessary information.
The notified body shall carry out periodic audits to make sure that the provider maintains and applies the quality management system and shall provide the provider with an audit report. In the context of those audits, the notified body may carry out additional tests of the AI systems for which an EU technical documentation assessment certificate was issued.
