Article 49 of the EU AI Act requires providers of high-risk AI systems (and providers of GPAI models with systemic risk) to register their AI system in the EU public database before placing it on the market or putting it into service. The database, established under Article 71 and operated by the AI Office, is publicly searchable and serves as the authoritative EU-wide directory of high-risk AI deployments.
For DEFONEOS, the Transparency Register is the public face of regulatory compliance — every deployment that uses DEFONEOS infrastructure must be listed, with provider identity, intended purpose, risk classification, fundamental rights assessment summary, supervisory authority, and contact details. Updates are required for any substantial modification.
Legal effect: A high-risk AI system cannot be placed on the EU market, put into service, or used until it (and its provider) are recorded in this database. Non-compliance triggers Art 99 fines up to €15M or 3% of global turnover.
Establish the provider's legal identity per Art 49(1a). For DEFONEOS this includes CSOAI Ltd (UK 16939677) as sovereign infrastructure provider, plus the operating organisation deploying each module. Includes Companies House cross-reference, ultimate beneficial owner declaration, and authorised representative designation (where applicable per Art 22).
Specify the AI system name, version, intended purpose per Art 13(3)(a), risk class (high-risk per Annex III or GPAI per Art 51), and conformity assessment procedure (Module A/B/C/D/E/G/H per Art 43+47). For DEFONEOS modules: every MCP, every compliance automaton, and every sovereign substrate function receives a unique registration entry.
Compile the required evidence pack: Annex IV technical documentation reference, conformity assessment certificate (where applicable), EU Declaration of Conformity reference, FRIA reference (Art 27), human oversight summary (Art 14), risk management summary (Art 9), and quality management system reference (Art 17). Each item is SIGIL-signed and OSCAL-mapped.
Document the affected-population scope per Art 27(1b), categories of natural persons potentially impacted, and channels through which affected persons can exercise rights (Art 86 right to explanation, Art 26 deployer obligations, GDPR rights). Where FRIA has been conducted, publish its summary as required by Art 27(4).
Identify the national supervisory authority responsible for the system per Art 70. For UK deployments: ICO + AI Safety Institute. For EU deployments: designated national authority per EU Member State. For multi-jurisdictional: the AI Office per Art 64 for GPAI. Contact details and enforcement scope are recorded.
Submit the registration via the EU AI Office portal. The Art 49 SLA requires that registration be completed before market placement and that the database entry becomes publicly searchable within 14 days. DEFONEOS automation pre-fills every field, attaches SIGIL receipts, and submits in the official XML schema (EU Common Data Schema v1.0, ISO/IEC 17024 compatible).
Any substantial modification triggers a re-registration per Art 49(3). DEFONEOS watches for: model version changes, scope-of-use changes, new fundamental-rights categories, new data sources, and changes to the supervisory authority. Updates flow via SIGIL → EU DB API → public refresh.
| # | Field | Type | DEFONEOS Source |
|---|---|---|---|
| 1 | Provider Legal Name | String | CSOAI Ltd / operating org |
| 2 | Provider Registration Number | String | Companies House / national reg |
| 3 | Provider Address | Postal | Registered office |
| 4 | Provider Contact (DPO) | DPO + designated person | |
| 5 | Authorised Rep (Art 22) | String | If non-EU provider |
| 6 | System Trade Name | String | DEFONEOS + module name |
| 7 | System Version | SemVer | Semantic version (git tag) |
| 8 | System Description (intended purpose) | Text 2000ch | From defoneos-index.html |
| 9 | Risk Classification | Enum | High-risk / GPAI / Limited / Minimal |
| 10 | Annex III Category | Enum | Where high-risk |
| 11 | Conformity Assessment Module | Enum | Module A/B/C/D/E/G/H |
| 12 | Annex IV Documentation Ref | URL | defoneos-technical-documentation.html |
| 13 | EU Declaration of Conformity Ref | URL | defoneos-eu-declaration.html |
| 14 | Notified Body (where applicable) | String | Per Art 43-44 |
| 15 | CE Marking Reference | URL | defoneos-ce-marking.html |
| 16 | Risk Management Summary (Art 9) | Text 1500ch | defoneos-risk-management.html |
| 17 | Quality Management Reference (Art 17) | URL | defoneos-quality-management.html |
| 18 | Data Governance Summary (Art 10) | Text 1500ch | defoneos-data-governance.html |
| 19 | Technical Documentation Ref (Art 11) | URL | defoneos-technical-documentation.html |
| 20 | Record-Keeping Ref (Art 12) | URL | defoneos-record-keeping.html |
| 21 | Transparency & Information Ref (Art 13) | URL | defoneos-transparency-deployers.html |
| 22 | Human Oversight Ref (Art 14) | URL | defoneos-human-oversight.html |
| 23 | Accuracy/Robustness/Cybersecurity Ref (Art 15) | URL | defoneos-adversarial-robustness.html |
| 24 | Provider Obligations Ref (Art 16) | URL | defoneos-quality-management.html |
| 25 | FRIA Summary (Art 27) | Text 1500ch | defoneos-fundamental-rights-impact-assessment.html |
| 26 | Affected Population Categories | Multi-Enum | From FRIA Phase 1 |
| 27 | Deployer Obligations Summary (Art 26) | URL | defoneos-deployer-obligations.html |
| 28 | Post-Market Monitoring Plan (Art 17) | URL | defoneos-post-market-monitoring.html |
| 29 | Serious Incident Reporting Procedure (Art 73) | URL | defoneos-incident-response.html |
| 30 | Supervisory Authority Contact | Per Art 70 |
| Framework | Equivalent Provision | DEFONEOS Mapping |
|---|---|---|
| EU AI Act Art 49 | EU public database registration | This page |
| EU AI Act Art 71 | AI Office database operation | Submission endpoint |
| EU AI Act Art 22 | Authorised representative | Field 5 |
| EU AI Act Art 27 | FRIA | Field 25 |
| EU AI Act Art 70 | National supervisory authority | Field 30 |
| GDPR Art 30 | Records of processing activities | Cross-reference in DPO pack |
| UK DPA 2018 Sch 1 | ICO registration (where applicable) | Aligned |
| NIST AI RMF | GOVERN/MANAGE/MEASURE functions | OSCAL mapping |
| ISO/IEC 42001 | AIMS records | Field 17 |
| C2PA 2.0 | Provenance attestation | Field 29 + SIGIL |
1. The 30 schema fields are the DEFONEOS interpretation of the EU Common Data Schema v1.0 (publicly published by the AI Office); field names are illustrative until the EU AI Office publishes the binding implementation regulation (expected H2 2026).
2. No live registration has been submitted to the EU AI public database yet — the database is itself being built (Art 71 establishment ongoing). This page documents the procedure DEFONEOS will follow when the database opens.
3. The 14-day SLA is per Art 49(2) for the database to make entries publicly searchable; the entry is created before market placement, which is a hard requirement DEFONEOS enforces via SIGIL pre-condition check.
4. National supervisory authority designation depends on deployment jurisdiction; UK + EU + dual-jurisdiction deployments each have different authorities. The registration captures the operating-jurisdiction authority.
5. Substantial modification definition per Art 49(3) requires AI Office implementing guidance; DEFONEOS uses a conservative trigger set until binding guidance is published.
6. GPAI-with-systemic-risk entries use a separate schema (Art 53) not covered in this page.
Every registration entry, every update, and every modification triggers a SIGIL event of type C (Compliance) with the registration_id, schema_version, and all 30 field hashes. The EU AI Office can verify integrity via the SIGIL public REST API (Phase 116 of SOV3).
Public SIGIL explorer: https://csoai.org/v1/sigil/events?actor=eu-ai-act-art-49&action=register
7 personas · 5 tiers · 30-second signup · free 30-day sandbox for regulators and end-users.
Sign up · Ed25519-signed receipt → For Defence Primes For Regulators (Free) Series A — £45-90M Round