EU AI Act Article 50 โ 20 days to seal | Get passport
๐
Conformity Assessment Preparation
EU AI Act Annex IV technical documentation ยท Module A self-assessment ยท internal market control ยท Declaration of Conformity readiness ยท EAT Directive aligned
ANNEX IVMODULE APREPARED
11
Annex IV Items
8/11
Fully Ready
3/11
In Progress
12
Frameworks Crosswalked
Module A
Self-Assessment
73%
Readiness Score
What is Conformity Assessment?
Under the EU AI Act, before placing a high-risk AI system on the market, the provider must carry out a conformity assessment. For most high-risk AI systems (excluding those listed in Annex I and stand-alone remote biometric identification), the conformity assessment follows Module A (internal control) โ meaning the provider self-assesses compliance with the requirements set out in Chapter III of the Act.
DEFONEOS is being prepared for Module A conformity assessment. This page documents readiness against each Annex IV technical documentation requirement, crosswalks to other frameworks, and identifies remaining gaps.
Key distinction: Conformity assessment is preparation for self-declaration. It is NOT the same as certification. DEFONEOS does not claim to be "certified compliant" โ it claims to be "conformity-ready, self-assessed". The EU AI Act does not require third-party certification for most high-risk systems under Module A.
๐ Annex IV Technical Documentation โ Item-by-Item Readiness
The following maps each Annex IV requirement to DEFONEOS's current state of preparation.
ANNEX IV (1)(a)
Description of AI System and Intended Purpose
General description of the AI system, its intended purpose, name of provider, and system version. Includes the context in which it is to be used and the persons likely to interact with it.
๐ DEFONEOS System Card (defoneos-system-card.html) โ Section 1. Intended purpose, use cases, 4 stakeholder groups documented. โ READY
ANNEX IV (1)(b)
Data Governance (Art 10)
Description of data sets used for training, validation, and testing, including: origin, collection methodology, data preparation, labeling methodology, data quality assumptions, and bias examination.
๐ Data Governance (defoneos-data-governance.html) โ 6 data categories, 7 GDPR principles, provenance chain. โ ๏ธ IN PROGRESS โ bias examination methodology needs formal documentation
ANNEX IV (1)(c)
Detailed Information About System Design
Architecture, model types, key design choices, risk mitigation measures, and trade-offs. Development process and validation/verification methodology.
Description of logging capabilities and how events are recorded (automatic event recording, timestamps, user identification, log retention, tamper-detection).
Detailed accuracy and robustness metrics in light of the intended purpose. Description of cybersecurity measures in light of risks.
๐ Adversarial Robustness page โ metrics documented per vector. โ ๏ธ IN PROGRESS โ formal accuracy benchmarking against standard datasets not yet complete
ANNEX IV (1)(i)
Post-Market Monitoring Plan (Art 72)
Post-market monitoring plan as referred to in Article 72, including: monitoring methodology, reporting cadence, corrective action framework.
Description of the risk management system as referred to in Article 9, including known and reasonably foreseeable risks.
๐ System Card โ STRIDE risk model documented. Risk-management.html is planned. โ ๏ธ IN PROGRESS โ full risk management system page not yet built
ANNEX IV (1)(k)
Substantial Modification Documentation
Where applicable, documentation of all substantial modifications made to the system after initial placement on the market.
๐ SIGIL Chain + Git History โ all modifications are signed and traceable. Versioned deployment manifest. โ READY
๐ Module A Self-Assessment Workflow
Module A (Annex VI, Part 1, Section A) is the internal control conformity assessment procedure. The provider carries out the assessment without a notified body. Steps:
Step
Action
DEFONEOS Status
1. Risk Management
Establish, implement, document, and maintain a risk management system (Art 9)
In progress โ STRIDE model done, full RMS not yet
2. Data Governance
Implement data governance (Art 10) for training/validation/testing
In progress โ 6 categories documented, bias examination incomplete
3. Technical Documentation
Draw up technical documentation (Annex IV) before placement on market
8/11 items ready
4. Record-Keeping
Automatic logging of events (Art 12)
SIGIL chain exceeds requirements
5. Transparency
Instructions for use and transparency to deployers (Art 13)
In progress โ instructions for use not yet drafted
6. Human Oversight
Design for effective human oversight (Art 14)
5-level framework exceeds requirements
7. Accuracy/Robustness/Cyber
Achieve appropriate accuracy, robustness, and cybersecurity (Art 15)
8-vector adversarial testing pipeline
8. Quality Management
Establish QM system (Art 17)
In progress โ QMS not yet formalised
9. EU Declaration of Conformity
Draw up Declaration of Conformity (Art 47/48)
Not started โ depends on steps 1-8
10. CE Marking
Affix CE marking (Art 48)
Not started โ depends on Declaration
๐ Readiness Scorecard
Requirement Area
Readiness
Key Gap
Target Date
Risk Management (Art 9)
60%
Full RMS not documented as standalone
15 Jul 2026
Data Governance (Art 10)
75%
Bias examination methodology
12 Jul 2026
Technical Documentation (Annex IV)
73%
3/11 items need completion
15 Jul 2026
Record-Keeping (Art 12)
100%
None โ SIGIL exceeds
โ Complete
Transparency (Art 13)
50%
Instructions for use document
14 Jul 2026
Human Oversight (Art 14)
95%
Formal training delivery
18 Jul 2026
Accuracy/Robustness (Art 15)
90%
Standard dataset benchmarking
16 Jul 2026
Quality Management (Art 17)
40%
QMS not formalised
20 Jul 2026
Post-Market Monitoring (Art 72)
100%
None โ exceeds requirements
โ Complete
Incident Reporting (Art 73)
100%
None โ incident-response.html covers this
โ Complete
Overall
73%
7 areas need work, 4 areas complete
20 Jul 2026
๐ EU Declaration of Conformity (Template)
Per Article 47, the EU Declaration of Conformity must contain the following information. DEFONEOS's template is ready but NOT SIGNED (it will be signed when all Module A steps are complete).
EU DECLARATION OF CONFORMITY (TEMPLATE โ NOT YET SIGNED)
1. AI System Name: DEFONEOS โ Sovereign Public Services OS
2. Type: High-risk AI system (per Annex III, if applicable)
3. Provider: CSOAI Ltd (Company No. 16939677)
4. Authorised Representative: [TBD]
5. Conformity Assessment Procedure: Module A (Annex VI, Part 1, Section A)
6. AI System is in Conformity With: EU AI Act Regulation (EU) 2024/1689
7. Notified Body: [N/A โ Module A self-assessment]
8. References to Relevant Harmonised Standards:
- [Standardized technical specifications will be listed when adopted]
9. Additional Information:
- Annex IV Technical Documentation maintained at: [controlled access]
- Risk Management System per Art 9
- Log retention: indefinite (SIGIL chain)
- Post-market monitoring per Art 72
Signed for and on behalf of: CSOAI Ltd
Name: Nicholas Templeman
Function: Director
Place: [TBD] Date: [TBD โ pending Module A completion]
Signature: [Ed25519 key will be used for digital signing]
STATUS: DRAFT TEMPLATE ONLY โ NOT SIGNED โ NOT VALID
โ ๏ธ Internal Market Control (Article 74)
Per Article 74, market surveillance authorities have the power to require the provider to: (1) provide technical documentation (Annex IV), (2) demonstrate conformity, (3) cooperate on corrective action. DEFONEOS is designed for this:
โ Technical documentation โ Annex IV items maintained in machine-readable (OSCAL) + human-readable (HTML) format
โ SIGIL chain โ provides cryptographic proof of all system behaviour, signed with Ed25519
โ Replay tool โ the SIGIL chain can be replayed to reconstruct system state at any historical point
โ OSCAL catalog โ machine-readable compliance posture, queryable by auditors
โ SBOM โ software bill of materials generated on every deploy
โ ๏ธ Corrective action framework โ defined in incident-response.html but not yet tested with a real authority
๐ Framework Crosswalk
Framework
Requirement
DEFONEOS Coverage
EU AI Act
Annex IV Technical Documentation
8/11 ready, 3 in progress
EU AI Act
Module A Self-Assessment
73% ready
EU AI Act
Art 47 EU Declaration of Conformity
Template ready, not signed
EU AI Act
Art 9 Risk Management
STRIDE model done, full RMS pending
EU AI Act
Art 13 Transparency to Deployers
System Card done, instructions for use pending
EU AI Act
Art 17 Quality Management System
QMS not yet formalised
NIST AI RMF
GOVERN, MAP, MEASURE, MANAGE
Full lifecycle coverage
ISO 42001
AIMS (AI Management System)
Partially aligned, formal AIMS not yet
ISO 27001
ISMS (Information Security)
OSCAL controls mapped
UK NCSC AI Guidance
All 5 principles
Full coverage
๐ Honesty Register
Claim
Provenance
Status
"Conformity Assessment Preparation"
Annex IV item-by-item audit
FACTUAL โ this is a genuine self-assessment of readiness, not a claim of conformity
"73% readiness score"
Weighted average across 10 requirement areas
FACTUAL โ methodology is transparent, weights documented
"Module A applicable"
EU AI Act Annex VI Part 1 Section A
FACTUAL โ DEFONEOS is not an Annex I product nor RB-CCTV
"Declaration of Conformity"
Article 47 template
DRAFT TEMPLATE โ explicitly marked NOT SIGNED, NOT VALID
"SIGIL chain provides audit proof"
Ed25519-signed hash chain
FACTUAL โ chain is live and verifiable
"Exceeds requirements"
Comparison to EU AI Act text
SELF-ASSESSED โ not verified by a notified body or market surveillance authority
๐ References
๐ AI System Card โ Annex IV technical documentation