EU AI Act: EU Database Registration Requirements
EU Database Registration Requirements [Art 49, 71, 80]
Rule: Providers and deployers of high-risk AI systems must register themselves and their systems in a publicly accessible EU database before placing on market or putting into service. Market surveillance authorities can reclassify systems initially deemed non-high-risk.
Effective: August 2, 2026 (high-risk systems registration)
Article 49: Registration Obligations
49.1 — Provider Registration (High-Risk AI Systems)
Who must register:
- Providers (or authorized representatives) of high-risk AI systems listed in Annex III
- Registration required before placing on market or putting into service
Exceptions: High-risk AI systems in Annex III, point 2 (critical infrastructure) are registered at national level instead of EU database.
Examples of Registration Requirement
| System Type | Must Register in EU Database? |
|---|---|
| AI-powered hiring tool (Annex III point 4) | ✅ Yes — before market placement |
| AI for creditworthiness assessment (Annex III point 5) | ✅ Yes — before first use |
| Biometric identification system for law enforcement (Annex III point 1) | ✅ Yes — but in secure non-public section |
| AI for critical infrastructure management (Annex III point 2) | ❌ No — national-level registration only |
| Non-high-risk chatbot | ❌ No — unless provider claims non-high-risk under Art 6(3) |
49.2 — Provider Registration (Self-Assessed Non-High-Risk)
Special requirement: Providers who determine their AI systems are not high-risk under Article 6(3) must still register themselves and their system.
Purpose: Creates audit trail for systems where provider made judgment call about risk classification.
Example:
A provider develops an AI system for employee task allocation. Under Annex III point 4, this could be high-risk (employment decisions). The provider assesses it as non-high-risk because it only suggests tasks, doesn’t make final decisions. Provider must register this determination.
49.3 — Deployer Registration (Public Authorities)
Who must register:
- Public authorities or Union institutions/bodies
- Deploying high-risk AI systems under their authority
What they register:
- Their identity and contact details
- The system they’re using (by selecting from provider’s registration)
- Summary of fundamental rights impact assessment (FRIA)
- Summary of data protection impact assessment (DPIA), if applicable
Timeline: Before putting into service
49.4 — Secure Non-Public Section
Special rules for sensitive sectors:
- Law enforcement (Annex III point 1)
- Migration, asylum, border control (Annex III points 6-7)
Differences:
- Registration in secure non-public section of database
- Access restricted to European Commission and relevant national authorities
- Limited information fields (no instructions for use, no system description)
49.5 — National-Level Registration
Critical infrastructure systems (Annex III point 2) are registered at national level, not EU database.
Member States maintain separate registries for these systems.
Article 71: EU Database Structure
71.1 — Database Establishment
Administrator: European Commission, in collaboration with Member States
Purpose: Centralized registry of:
- High-risk AI systems (Annex III)
- Self-assessed non-high-risk systems (Article 6(3))
- Real-world testing (Article 60)
71.2 — Information Content
Database contains information from Annex VIII:
| Section | Who Enters | What It Contains |
|---|---|---|
| Section A | Provider/authorized rep | Provider details, system info, CE marking, declaration of conformity |
| Section B | Provider/authorized rep | Non-high-risk classification justification |
| Section C | Deployer (public authority) | Deployer details, FRIA summary, DPIA summary |
See Annex VIII details below for complete field lists.
71.3 — Public Access and Transparency
Publicly accessible information:
- All information registered under Article 49 (except secure sections)
- Must be in user-friendly manner
- Easily navigable and machine-readable
Restricted access:
- Real-world testing information (Article 60) — only market surveillance authorities and Commission
- Law enforcement/migration/border control registrations (Article 49(4)) — only Commission and national authorities
Purpose: Enable consumers, deployers, market surveillance to:
- Verify system compliance
- Track recalls or safety issues
- Make informed purchasing decisions
- Conduct oversight
71.4 — Personal Data Minimization
Database contains minimal personal data:
- Only names and contact details of representatives
- Legally authorized to register systems
- Must be necessary for registration purposes
GDPR compliance: Processing follows Regulation (EU) 2018/1725 (data protection in EU institutions).
71.5 — Commission Support
European Commission provides:
- Technical infrastructure
- Administrative support to users (providers, deployers, market surveillance)
- Database maintenance and updates
- Accessibility compliance (WCAG standards)
Article 80: Reclassification Procedure
80.1 — Market Surveillance Authority Powers
Trigger: Market surveillance authority has sufficient reason to believe a system classified by provider as non-high-risk is actually high-risk.
Process:
- Authority conducts evaluation under Article 6(3) standards
- Authority considers Commission guidelines on high-risk classification
- Authority assesses using objective criteria
80.2 — Required Actions if High-Risk
If evaluation confirms system is high-risk:
| Action | Timeline | Responsible Party |
|---|---|---|
| Directive to provider | Without undue delay | Market surveillance authority |
| Corrective actions | Authority-specified deadline | Provider |
| Full compliance | Must meet all Chapter III requirements | Provider |
| Union-wide correction | Across all Member States where system placed | Provider |
Chapter III requirements include:
- Risk management system (Article 9)
- Data governance (Article 10)
- Technical documentation (Article 11)
- Conformity assessment (Article 43)
- CE marking (Article 48)
- Registration (Article 49)
80.3 — Cross-Border Notification
When system extends beyond one Member State:
- Authority notifies European Commission without undue delay
- Authority notifies other Member States without undue delay
- Includes findings, required actions, and deadlines
Purpose: Coordinate enforcement across EU market.
80.4 — Provider Obligations
Once notified of reclassification:
- Compliance actions: Take all necessary steps to bring system into compliance
- Union-wide application: Ensure corrective measures apply to all systems in EU market
- Cease non-compliant use: Stop placing on market/putting into service until compliant
If provider fails to comply: Article 79(5)-(9) enforcement powers apply (withdrawal from market, recall).
80.5 — Penalties for Intentional Misclassification
Enhanced penalties apply when provider deliberately misclassified system to circumvent requirements.
Article 99 penalties:
- Up to €15,000,000 OR 3% of total worldwide annual turnover (whichever higher)
- For SMEs: Up to €3 million or 3% of total worldwide annual turnover (whichever higher)
Aggravating factors:
- Intentional evasion of compliance obligations
- Repeat violations
- Refusal to cooperate with authorities
80.6 — Authority Use of Database
Information source: Market surveillance can use EU database information (Article 71) to:
- Identify systems claimed as non-high-risk
- Cross-reference provider declarations
- Monitor compliance trends
- Detect patterns of misclassification
Legal basis: Regulation (EU) 2019/1020 (market surveillance and product compliance).
Annex VIII: Registration Information Fields
Section A — Provider Registration (High-Risk Systems)
Required fields (Article 49(1)):
| Field | Description |
|---|---|
| 1. Provider identity | Name, address, contact details |
| 2. Submitter identity | If different person submitting on behalf of provider |
| 3. Authorized representative | Name, address, contact (if applicable) |
| 4. System identification | Trade name and unique reference for traceability |
| 5. Intended purpose | Description of purpose, components, functions supported |
| 6. System description | Basic, concise description of data inputs and operating logic |
| 7. Status | On market / in service / no longer placed / recalled |
| 8. Certificate details | Type and number of conformity assessment certificate (if applicable) |
| 9. Certificate copy | Scanned copy of certificate (if applicable) |
| 10. Geographic scope | Member States where system placed on market/put into service |
| 11. Declaration of conformity | Copy of EU declaration per Article 47 |
| 12. Instructions for use | Electronic instructions (NOT required for law enforcement/migration/border systems) |
Update requirement: Information must be kept current throughout system lifecycle.
Section B — Provider Registration (Non-High-Risk Systems)
Required fields (Article 49(2)):
| Field | Description |
|---|---|
| 1. Provider identity | Name, address, contact details |
| 2. Submitter identity | If different person submitting on behalf of provider |
| 3. Authorized representative | Name, address, contact (if applicable) |
| 4. System identification | Trade name and unique reference for traceability |
| 5. Intended purpose | Description of intended purpose |
| 6. Classification justification | Short summary of grounds for non-high-risk classification under Article 6(3) |
| 7. Status | On market / in service / no longer placed / recalled |
| 8. Geographic scope | Member States where system placed on market/put into service |
Purpose of Section B: Creates transparency for provider self-assessments, enables market surveillance to identify potential misclassifications.
Section C — Deployer Registration (Public Authorities)
Required fields (Article 49(3)):
| Field | Description |
|---|---|
| 1. Deployer identity | Name, address, contact details |
| 2. Submitter identity | Person submitting on behalf of deployer |
| 3. System reference | URL of system’s entry in EU database (links to provider registration) |
| 4. FRIA summary | Summary of fundamental rights impact assessment (Article 27) |
| 5. DPIA summary | Summary of data protection impact assessment per GDPR Article 35 or LED Article 27 (if applicable per Article 26(8)) |
When required: Before putting high-risk AI system into service.
FRIA requirement: All public authority deployers must conduct fundamental rights impact assessment before deployment (Article 27).
Registration Timeline
| Date | Milestone |
|---|---|
| August 2, 2026 | Registration obligations become mandatory for high-risk systems |
| August 2, 2027 | Full enforcement (providers must have completed registration) |
| Before market placement | Provider registration deadline for new systems |
| Before putting into service | Deployer registration deadline (public authorities) |
Grace period for existing systems: Providers with systems already on market before August 2, 2026 have transition period (check Article 111 for specific dates).
Compliance Workflow
For Providers (High-Risk Systems)
- Risk classification: Determine if system is high-risk (Article 6, Annex III)
- Conformity assessment: Complete required assessment (Article 43)
- Technical documentation: Prepare per Article 11, Annex IV
- EU declaration of conformity: Draft per Article 47
- CE marking: Affix per Article 48
- Database registration: Register in EU database before market placement
- Complete Section A of Annex VIII
- Upload declaration of conformity
- Provide instructions for use
- Update registration: Keep information current (status changes, recalls, etc.)
For Providers (Self-Assessed Non-High-Risk)
- Article 6(3) assessment: Document why system is not high-risk despite Annex III category
- Database registration: Register determination in EU database
- Complete Section B of Annex VIII
- Provide classification justification
- Maintain documentation: Keep assessment records for market surveillance audits
- Monitor for reclassification: Respond promptly if authority challenges assessment
For Deployers (Public Authorities)
- Verify provider registration: Check system in EU database
- Conduct FRIA: Fundamental rights impact assessment (Article 27)
- Conduct DPIA: If processing personal data (GDPR Article 35)
- Database registration: Register use in EU database before putting into service
- Complete Section C of Annex VIII
- Upload FRIA and DPIA summaries
- Monitor and log: Track system performance and incidents (Article 26)
Common Registration Pitfalls
| Mistake | Consequence | Fix |
|---|---|---|
| Registering after market placement | Non-compliance, potential fines up to €15M or 3% global revenue | Register BEFORE placing on market |
| Incomplete Annex VIII information | Registration rejected or incomplete | Provide all mandatory fields |
| No update when system recalled | Misleads market, enforcement action | Update status immediately upon recall |
| Provider claims non-high-risk without documentation | Vulnerable to Article 80 reclassification | Document Article 6(3) assessment thoroughly |
| Deployer skips FRIA | Non-compliance (Article 27 mandatory) | Conduct FRIA before putting into service |
| Using wrong registration section | Confusion, potential non-compliance | High-risk → Section A; Non-high-risk → Section B; Deployer → Section C |
Database Access and Queries
Public Can View:
- Provider names and contact information
- System names and intended purposes
- High-level system descriptions
- CE marking and conformity certificates
- Geographic availability (which Member States)
- System status (on market, recalled, etc.)
Public Cannot View:
- Detailed operating logic or algorithms
- Real-world testing data (unless provider consents)
- Law enforcement/migration/border control system details
- Proprietary technical specifications
Market Surveillance Authorities Can View:
- Everything public can view, PLUS:
- Real-world testing information (Article 60)
- Secure non-public section (law enforcement/migration/border)
- Full technical documentation (via inspection powers)
Machine-Readable Format
Requirement: Database must be machine-readable for automated compliance checking.
Use cases:
- Automated procurement checks (public authorities verify compliance before purchase)
- Supply chain verification (deployers check provider registration)
- Consumer apps (scan CE marking, look up system in database)
- Research and analysis (aggregated statistics on AI system types)
Format: Likely JSON or XML API, details to be specified in Commission implementing acts.
Penalties for Registration Violations
| Violation | Fine (Large Companies) | Fine (SMEs) |
|---|---|---|
| Failure to register (high-risk) | Up to €15M or 3% global revenue | Up to €3M or 3% global revenue |
| Incomplete/false information | Up to €15M or 3% global revenue | Up to €3M or 3% global revenue |
| Failing to update registration | Up to €7.5M or 1.5% global revenue | Up to €1.5M or 1.5% global revenue |
| Intentional misclassification to evade | Up to €15M or 3% global revenue (aggravated) | Up to €3M or 3% global revenue (aggravated) |
Article 99 basis: Registration obligations fall under Article 49 (provider obligations) and Article 26 (deployer obligations).
Interaction with Other Requirements
CE Marking (Article 48)
- Cannot affix CE marking without completing registration
- CE marking indicates conformity + registration completion
Conformity Assessment (Article 43)
- Registration includes uploading conformity assessment certificate
- Certificate number must match database entry
Market Surveillance (Chapter IX)
- Authorities use database to:
- Identify systems for inspection
- Track compliance trends
- Coordinate cross-border enforcement
Fundamental Rights Assessment (Article 27)
- Deployer FRIA summary uploaded to database (public authorities)
- Creates transparency for civil society oversight
Compliance Checklist
Providers (High-Risk Systems)
- Determine system is high-risk (Article 6, Annex III)
- Complete conformity assessment (Article 43)
- Prepare technical documentation (Article 11)
- Draft EU declaration of conformity (Article 47)
- Register in EU database before market placement (Article 49(1))
- Complete all Section A fields of Annex VIII
- Upload declaration of conformity and instructions for use
- Affix CE marking (Article 48)
- Update registration upon any changes (status, recall, modifications)
Providers (Self-Assessed Non-High-Risk)
- Document Article 6(3) assessment (why not high-risk)
- Register in EU database (Article 49(2))
- Complete all Section B fields of Annex VIII
- Provide clear classification justification
- Maintain documentation for potential Article 80 challenges
- Update registration upon any changes
Deployers (Public Authorities)
- Verify system registered by provider in EU database
- Conduct fundamental rights impact assessment (Article 27)
- Conduct data protection impact assessment if applicable (GDPR Article 35)
- Register in EU database before putting into service (Article 49(3))
- Complete all Section C fields of Annex VIII
- Upload FRIA and DPIA summaries
- Implement human oversight (Article 14)
- Monitor system performance (Article 26)
Citation
Article 49 — Registration, Regulation (EU) 2024/1689
Article 71 — EU Database for High-Risk AI Systems, Regulation (EU) 2024/1689
Article 80 — Procedure for Non-High-Risk Reclassification, Regulation (EU) 2024/1689
Related: