AI Act: EU Database for High-Risk AI Systems
EU Database for High-Risk AI Systems [Article 80]
Rule: All high-risk AI systems must be registered in a centralized publicly accessible EU database before being placed on the market or put into service. Registration enables transparency, public awareness, and market surveillance.
Purpose and Overview
Article 80 establishes a centralized EU database managed by the Commission for high-risk AI systems.
Objectives:
- Transparency - Enable the public to know which high-risk AI systems are deployed
- Market surveillance - Help authorities monitor compliance
- Public awareness - Inform citizens about AI systems affecting them
- Accountability - Create public record of provider compliance
Managed by: European Commission (AI Office)
Access: Publicly accessible online
Registration Obligation
Who Must Register [Article 80(1)]
Providers of high-risk AI systems listed in Annex III must register before:
- Placing on EU market, OR
- Putting into service in EU
Also required to register:
- Deployers of high-risk systems that are public authorities or EU institutions
- Providers making substantial modifications (become new provider)
Exemption: High-risk AI systems that are safety components of products under other EU legislation (medical devices, machinery, etc.) may have streamlined registration via those frameworks.
When to Register
Before market placement:
- At time of CE marking affixing
- Before making available to customers/users
- Before first deployment
Timing is critical: Registration is a prerequisite for lawful placement on the market.
Information to be Registered
Provider Information [Article 80(2)]
Providers must register:
| Category | Details |
|---|---|
| Provider identification | Name, address, contact details |
| Authorized representative | If non-EU provider |
| Trade name/trademark | Under which system placed |
| Unique identifier | For traceability |
System Information [Article 80(3)]
For each high-risk AI system:
| Category | Details |
|---|---|
| AI system identification | Name and type |
| Intended purpose | Clear description of use case |
| High-risk classification | Which Annex III category (or safety component) |
| Status | On market, withdrawn, recalled |
| Member States | Where system made available |
| Reference | To declaration of conformity |
| Electronic instructions for use | Link or access information |
| URL | If system has public interface |
Additional Information for Certain Systems
For AI systems involving biometrics:
- Type of biometric data processed
- Categories of persons affected
For emotion recognition/biometric categorization:
- Specific safeguards implemented
For systems in critical sectors (health, infrastructure):
- Additional risk mitigation measures
Deployer Registration [Article 80(4)]
Deployers that are public authorities or EU institutions must register:
| Category | Details |
|---|---|
| Deployer identification | Name, address, contact details |
| System being deployed | Reference to provider registration |
| Deployment location | Geographic area |
| Purpose of use | Specific application |
Why required: Enable oversight of public sector AI use.
Database Management and Access
Public Accessibility [Article 80(1)]
Database is freely accessible online to:
- General public
- Market surveillance authorities
- Commission
- National competent authorities
Anyone can search:
- By AI system type
- By provider
- By intended purpose
- By Member State
- By risk category
Protected Information [Article 80(6)]
Trade secrets protected:
- Commission ensures commercially sensitive information is not publicly disclosed
- May restrict access to certain fields for authorized authorities only
Balance: Transparency vs. intellectual property protection.
Data Retention [Article 80(7)]
Information kept in database for:
- Duration system on market
- Plus 10 years after withdrawal/recall
Purpose: Enable retrospective analysis and enforcement.
Updates and Maintenance
Provider Obligation to Update [Article 80(5)]
Providers must promptly update registration when:
- System specifications change
- Intended purpose modified
- New Member States added
- System withdrawn or recalled
- Conformity status changes
- Contact details change
Timeline: Within reasonable time, generally within 30 days of change.
Commission’s Role
Commission maintains database and ensures:
- User-friendly interface
- Search functionality
- Data accuracy
- System availability (uptime)
- Integration with other EU databases
Interoperability: Database designed to work with:
- Product Safety databases
- RAPEX (rapid alert system)
- Market surveillance information systems
Penalties for Non-Compliance
Failure to Register [Article 99(4)]
Placing high-risk system on market without registration:
- Up to €15 million OR 3% of total worldwide annual turnover
- Whichever is higher
Inaccurate Information
Providing false or misleading information in registration:
- Civil penalties
- Potential system recall
- Reputational harm
Failure to Update
Not updating registration when required:
- Warning notice
- Progressive fines for continued non-compliance
- Potential market withdrawal order
Practical Compliance
Registration Process
Step-by-step for providers:
- ✅ Complete conformity assessment
- ✅ Draw up EU declaration of conformity
- ✅ Affix CE marking
- ✅ Access EU database portal
- ✅ Create provider account
- ✅ Enter all required information
- ✅ Submit registration
- ✅ Receive registration confirmation
- ✅ Include registration reference in documentation
- ✅ Monitor for required updates
Tools: Commission provides:
- Online registration portal
- User guides
- Templates for information
- Helpdesk support
Information to Prepare Before Registration
Before accessing portal, have ready:
| Document/Info | Purpose |
|---|---|
| CE marking documentation | Prove conformity |
| Declaration of conformity | Reference number |
| Technical documentation | Summary information |
| Intended purpose description | Clear, precise statement |
| Instructions for use | Electronic version or link |
| Provider legal details | Registration, VAT, address |
| Authorized representative details | If non-EU provider |
Format: Most information entered via web form; some documents uploaded.
Maintaining Registration
Ongoing obligations:
- Quarterly review: Check if any information changed
- Immediate update: For recalls, safety issues, status changes
- Annual verification: Confirm all information still accurate
- Monitor database: Check own entries for accuracy
- Document updates: Keep records of all changes made
Best practice: Assign specific staff member responsibility for database maintenance.
Public Authority Deployers
Additional considerations for public sector:
| Obligation | Details |
|---|---|
| Transparency duty | Registration makes use visible to citizens |
| Public scrutiny | Civil society can monitor government AI use |
| Fundamental rights | Registration includes FRIA summary |
| Procurement | Check provider registration before purchase |
Before deploying high-risk system, public authorities should:
- ✅ Verify provider registration in database
- ✅ Confirm system registered for intended purpose
- ✅ Conduct own FRIA (Article 27)
- ✅ Register as deployer
- ✅ Publish summary of deployment decision
Accountability: The public can search the database to see which AI systems are used by government.
Interaction with Other Databases
Integration with Product Safety
For high-risk AI systems that are safety components:
- May register via Medical Device databases (EUDAMED)
- May register via Machinery databases
- Information flows to central AI database
Streamlined approach: Avoid duplicate registration.
National Databases
Member States may maintain national databases for:
- Non-high-risk AI systems
- Internal market surveillance
- Sector-specific requirements
Must not conflict with EU database: EU database is authoritative for high-risk systems.
Future Developments
Database Evolution [Article 80(8)]
Commission empowered to:
- Expand information requirements
- Add new search functionalities
- Integrate with other EU systems
- Improve user interface based on feedback
Stakeholder input: Regular consultation on database improvements.
Implementing Acts
Commission may adopt implementing acts specifying:
- Technical specifications for registration
- Data formats
- Interoperability requirements
- Security measures
Timeline: Expected 2025-2026.
Common Mistakes
Registration timing:
- Registering after market placement (must be before)
- Assuming grace period exists (none - immediate requirement)
- Waiting for customer orders before registering (register when CE marked)
Information quality:
- Vague intended purpose descriptions (must be specific)
- Not updating when system modified (prompt updates required)
- Incomplete provider details (all fields mandatory)
- Not registering authorized representative (non-EU providers must)
Deployer obligations:
- Public authorities not registering as deployers (mandatory)
- Not checking provider registration before procurement
- Assuming registration transfers from provider (deployers must register separately)
Technical issues:
- Not maintaining database access credentials
- Not assigning responsibility for updates
- Not keeping internal records of registrations
Related
- AI Act general provisions (Arts 1-4)
- AI Act provider/deployer obligations (Arts 16-50)
- AI Act post-market monitoring (Arts 81-93)
- AI Act enforcement (Arts 94-101)