← Back to blogEU AI Database Registration: A Step-by-Step Guide for High-Risk Systems
2026-06-05·6 min read·High-Risk, Registration, Compliance
Who needs to register
Registration in the EU high-risk AI systems database is mandatory for providers of high-risk AI systems (Annex III categories) before the system is placed on the market or put into service. Deployers that are public authorities also have a registration obligation for their use of certain high-risk systems.
If your scan or legal review classified your product as high-risk — CV screening, credit scoring, education assessment, biometric categorization, and similar Annex III categories — this applies to you.
What the registration actually contains
The database entry isn't a one-line form. Expect to provide:
| Section | What goes in it |
| Provider identity | Legal name, contact details, EU representative if applicable |
| System identification | Name, version, intended purpose |
| Risk category | Which Annex III category, and justification |
| Description | Plain-language summary of what the system does and how |
| Instructions for use | Summary of what deployers need to know |
| Conformity assessment | Reference to the assessment performed and the body involved, if third-party |
| Status | Whether the system is on the market, withdrawn, or recalled |
The realistic timeline
- Before you can register, you need the underlying documentation — technical file (Annex IV), risk management records, and conformity assessment. Registration is the last step of a chain, not the first.
- Self-assessment vs third-party assessment: most software-based Annex III systems can go through self-assessment (internal conformity assessment) rather than requiring a notified body — check which applies to your specific category, since a few (like certain biometric categories) require third-party involvement.
- Registration happens before market placement, not after. If you're already live with a high-risk system and haven't registered, that's a gap to close immediately, not on your next release cycle.
Common mistakes we see
- Registering the company, not the system. Each distinct high-risk AI system needs its own entry — you can't cover multiple products under one registration.
- Treating registration as a formality that skips the technical file. Regulators can and do request the underlying Annex IV documentation; the database entry is a summary, not a substitute.
- Forgetting to update the entry. Material changes to the system's intended purpose or risk profile require an update — registration isn't a one-time task.
What happens if you skip it
Operating a high-risk AI system without registration is treated the same as other high-risk non-compliance — subject to the mid-tier fine bracket (up to €15M or 3% of global turnover), independent of any harm actually caused. Regulators can identify unregistered high-risk systems through market surveillance, complaints, or during due diligence tied to other proceedings.
Where to start
- Confirm your risk classification is actually high-risk (don't assume — run a scan or get a legal opinion first; over-registering wastes effort, under-registering is the fineable mistake).
- Assemble the Annex IV technical file before touching the registration form.
- Determine self-assessment vs third-party conformity assessment for your specific Annex III category.
- Register before market placement, and calendar a review whenever the system changes materially.