To pass the EU AI Act Risk Assessment, providers of high-risk AI systems must implement a continuous Risk Management System (Article 9), document risks in Technical documentation (Annex IV), and complete a conformity assessment. Compliance is mandatory by August 2, 2026. Non-compliance leads to penalties of up to €35 million.
What is the EU AI Act Risk Assessment?
The EU AI Act requires providers of high-risk AI systems to implement a continuous Risk Management System (Article 9). Risk assessment is the process of identifying, evaluating, and mitigating risks throughout the AI system lifecycle. The European Commission defines this as an ongoing obligation, not a one-time check.
Source: European Commission – Regulatory framework on AI
Who must pass the Risk Assessment?
The following actors must ensure that the Risk Assessment is passed and documented:
- Providers: Organizations that develop high-risk AI systems (Annex III or products under EU harmonization legislation)
- Deployers: Organizations that use high-risk AI systems under their authority
- Importers and distributors: Entities placing high-risk AI systems on the EU market
If your AI system falls under Annex III of the EU AI Act (e.g. biometrics, critical infrastructure, education, employment), you must pass the Risk Assessment and maintain a Risk Management System.
What does Article 9 require for Risk Management?
Article 9 of the EU AI Act sets out the obligations for the Risk Management System. To be compliant, you must implement the following:
Source: Regulation (EU) 2024/1689 – EU AI Act (eur-lex.europa.eu)
What are the steps to pass the Risk Assessment?
To pass the AI Act Risk Assessment, implement these steps in order:
- Classify your AI system: Confirm whether it is high-risk (Annex III or harmonized product). If not high-risk, no Risk Assessment under Article 9 is required.
- Establish a Risk Management process: Define roles, methods and tools for continuous risk identification, evaluation and mitigation.
- Identify and document risks: Document all identified risks (including residual risks) and link them to affected persons and fundamental rights.
- Implement risk mitigation: Apply measures to reduce risks to an acceptable level. Integrate risk management into design, development and post-market monitoring.
- Update Technical documentation: Include risk management outcomes in the Technical documentation required by Article 11 and Annex IV.
- Complete conformity assessment: Undergo the applicable conformity assessment procedure (internal control, EU-type examination or full quality assurance) before placing the system on the market.
ActProof automates risk identification and documentation for your repositories, helping you align with Article 9 and Annex IV.
What Technical documentation is required?
Technical documentation (Article 11 and Annex IV) must include a description of the risk management system and the results of the risk assessment. In particular:
- Description of the risk management system and its implementation
- List of identified risks and residual risks
- Risk mitigation measures adopted
- Evidence that risks have been evaluated and reduced as far as possible
This documentation is mandatory for high-risk AI systems and is examined during the conformity assessment.
How does the conformity assessment work?
Before placing a high-risk AI system on the market, the provider must complete a conformity assessment. The chosen procedure depends on the type of system:
The Risk Assessment and Risk Management System are part of the evidence assessed. A positive outcome leads to the EU declaration of conformity and CE marking (where applicable).
Next steps and resources
To be compliant by August 2, 2026, start now: classify your AI systems, implement the Risk Management System (Article 9), prepare Technical documentation (Annex IV), and plan the conformity assessment. Use official sources for the latest deadlines and implementing acts.
- Regulation (EU) 2024/1689 (EU AI Act) – EUR-Lex
- European Commission – Regulatory framework on AI
- Risk Management System for EU AI Act Compliance – ActProof Blog
- Complete Guide to EU AI Act Compliance – ActProof Blog