Coordinate provider and deployer programmes so Title III quality management, conformity assessment, monitoring, and human oversight are live before the Regulation applies on 2 August 2026.
Updated to translate the Commission’s enforcement calendar and Zeph Tech’s August 2026 activation briefing into dual provider–deployer control tracks.Zeph Tech briefing — Aug 1 2026
Lock in the quality management system. Build the documented policies, lifecycle controls, and accountability required by Articles 16–17 so Annex VI internal control or Annex VII notified-body pathways are audit-ready.Regulation (EU) 2024/1689 Articles 16–17; Annexes VI–VII
Operationalise monitoring and incident response. Stand up Article 72 post-market monitoring plans, Article 73 incident pipelines, and Annex VIII/EU database submissions so market surveillance requests are fulfilled within statutory clocks.Regulation (EU) 2024/1689 Articles 49, 72–73; Annex VIII
Equip deployers for governance accountability. Train oversight personnel, validate input data, register deployments, and run fundamental-rights impact assessments that mirror provider artefacts.Regulation (EU) 2024/1689 Articles 26–27, 13, 49; Annex VIII
Activation timeline
2 February 2025 — governance scaffolding live. Chapters I–II enter into application, enabling providers to finalise risk management designs and map obligations before Title III applies.Article 113
2 August 2025 — notified-body ecosystem and monitoring rules operational. Chapter III Section 4 and Chapter VII apply, activating notified-body designations, conformity pathways, and market-surveillance coordination one year ahead of deployment deadlines.Article 113
By 2 August 2026 — Title III obligations bite. Providers must complete conformity assessments, register Annex III systems, and hand deployers Article 13 instructions, while deployers evidence oversight and logging before go-live.Zeph Tech briefing — Aug 1 2026
From 2 August 2027 — high-risk classification audits expand. Article 6(1) duties take effect, requiring reassessment of Annex III inventories and registration logic against any delegated updates.Article 113
Provider control families
Providers bear the burden of establishing compliant design lifecycles, documenting evidence, and choosing conformity pathways that survive notified-body scrutiny. Use these checklists to keep Title III artefacts inspection-ready.
Quality management & design control
Document the quality management system. Capture Article 17 policies covering regulatory strategy, design controls, validation cadence, data management, incident reporting, and accountability structures.Articles 16–17
Integrate risk management and post-market plans. Embed Article 9 risk controls and Article 72 monitoring plans inside the QMS so Annex VI internal control reviews can verify alignment.Articles 9, 72; Annex VI
Stage surveillance-ready audits. Schedule internal audits, supplier reviews, and retraining approvals to provide notified bodies with evidence for Annex VII surveillance and certificate renewals.Annex VII points 3–5
Technical documentation & conformity
Maintain Annex IV technical files. Assemble model descriptions, data lineage, validation evidence, cybersecurity controls, and change logs for each high-risk system and retain them for 10 years.Articles 11, 18; Annex IV
Issue EU declarations of conformity. Publish Annex V declarations and affix CE marking once conformity assessment steps conclude, keeping translations for every Member State where the system launches.Articles 47–48; Annex V
Select the correct assessment route. Use Annex VI internal control when harmonised standards or common specifications are fully applied; otherwise prepare for Annex VII notified-body review, including access to training data or models if requested.Article 43; Annexes VI–VII
Provider monitoring, registration, and market interface
Conformity does not end at placing a system on the market. Providers must sustain monitoring routines and support authorities with timely disclosures.
Run Article 72 post-market monitoring. Execute template-driven monitoring plans, analyse telemetry for drift or incidents, and feed results into Article 20 corrective actions.Articles 20, 72
Trigger Article 73 serious-incident reporting. Escalate within the 15-day window, coordinating with deployers and notifying authorities while respecting confidentiality duties.Articles 21, 73
Register systems in the EU database. Populate Annex VIII fields, upload certificates and instructions, and keep status changes synchronised with Article 49 obligations prior to deployment.Article 49; Annex VIII
Support real-world testing entries. When running Article 60 trials, submit Annex IX plans, participant details, and termination notices before large-scale pilots progress.Article 60; Annex IX
Deployer governance programme
Deployers must use provider artefacts to operate systems safely, keep records, and demonstrate accountability to market surveillance authorities and affected individuals.
Oversight & data governance
Assign trained oversight personnel. Designate staff with authority to override outputs, prevent automation bias, and invoke stop functions per Article 26(2)–(5).Article 26(2)–(5)
Validate input data. When controlling inputs, ensure relevance and representativeness, documenting tests and adjustments to support provider risk management and deployer accountability.Article 26(4)
Preserve Article 12 logs. Retain system-generated logs for at least six months, extending retention where other regimes require longer evidence windows.Article 26(6); Article 12
Impact assessments & transparency
Conduct fundamental-rights impact assessments. Complete Article 27 FRIA templates, document scope, affected groups, and mitigation measures, and notify market surveillance authorities of results.Article 27
Use provider transparency packs. Apply Article 13 instructions, consumer notices, and explanations when briefing individuals, with special handling for post-remote biometric identification.Articles 13, 26(10)–(11)
Register deployments. Public-sector deployers and service providers must enter Annex VIII Section C data—linking FRIA findings and data protection impact assessments to provider records—before activation.Article 49(3); Annex VIII Section C
Joint provider–deployer coordination
Contracts and operational cadences must keep both sides synchronised so serious incidents, audits, and updates can be executed without delays.
Embed contractual assistance clauses. Specify data access, logging, and notification duties between providers and suppliers to uphold Article 16(4) collaboration requirements.Article 16(4)
Harmonise change management. Define substantial-modification review boards so providers can re-run Article 43 assessments and deployers can re-evaluate impact assessments when models evolve.Article 43(4); Article 27(2)
Coordinate market surveillance responses. Maintain shared contact trees and evidence repositories so requests under Articles 21 and 74 receive timely, consistent answers across the value chain.Articles 21, 74