Your HR Tech Customer Just Asked for Your EU AI Act "Conformity Assessment" — Here's What That Actually Means and What to Send
The email arrived from a Fortune 500 HR director on a Thursday. Your AI-assisted hiring platform had been in security and procurement review for six weeks. The deal was at the final approval stage.
"Before we can sign, our legal team needs your EU AI Act conformity assessment documentation. Can you send this over by end of week?"
You opened a new tab and typed the phrase into search. Twelve paragraphs of EU regulation later, you had more questions than you started with.
Here is exactly what a conformity assessment is, whether you need one, and what to actually send.
What "Conformity Assessment" Actually Means
The EU AI Act uses "conformity assessment" to describe the process a provider of a high-risk AI system must go through to verify that the system meets the regulation's requirements before placing it on the market.
The relevant articles:
- Article 43 — the conformity assessment procedure itself
- Article 47 — the EU Declaration of Conformity your company signs at the end
- Article 48 — the CE marking that signals conformity (for systems within scope)
For most B2B SaaS HR tech companies, the conformity assessment under Article 43 is self-assessment — you do not need a third-party notified body to certify you (notified bodies are required only for specific high-risk categories like biometric categorization and general-purpose AI models used in high-risk contexts).
This is important. Your customer's legal team probably does not know that the conformity assessment for your hiring tool is internal. They are imagining an ISO-style third-party certification. You need to explain what the process actually is.
Does Your AI Hiring Tool Require a Conformity Assessment?
Only if it qualifies as a high-risk AI system under Annex III of the EU AI Act.
Annex III, point 4 covers: "AI systems intended to be used for recruitment or selection of natural persons, notably for advertising vacancies, screening or filtering applications, evaluating candidates in the course of interviews or tests."
If your platform does any of the following, you are almost certainly in scope:
- Screens or scores resumes automatically
- Ranks candidates
- Generates interview questions tailored to candidates
- Recommends or de-ranks candidates for human review
If you are in scope, you must complete a conformity assessment before placing the system on the EU market. The enforcement deadline for Annex III systems is August 2, 2026.
What the Conformity Assessment Involves
Under Article 43(3), for high-risk AI systems not covered by harmonized standards (which is most AI systems today), the provider shall verify that:
1. The risk management system (Article 9) is established and operational — you have identified, analyzed, and mitigated foreseeable risks associated with the system.
2. Training, validation, and testing data (Article 10) governance is in place — your data practices meet the regulation's requirements for relevance, representativeness, and bias mitigation.
3. Technical documentation (Article 11 + Annex IV) is complete — you have documented what the system is, how it works, what it was trained on, and how it performs.
4. Logging (Article 12) is implemented — your system generates logs sufficient to allow post-market monitoring and incident investigation.
5. Transparency (Article 13) is satisfied — users receive adequate information about the system's capabilities, limitations, and the role of human oversight.
6. Human oversight (Article 14) is designed in — the system allows competent persons to monitor, override, and if necessary, halt the system.
7. Accuracy, robustness, and cybersecurity (Article 15) requirements are met — the system performs consistently, is tested against foreseeable misuse, and is adequately secured.
When this internal review is complete, your company signs the EU Declaration of Conformity under Article 47 — a formal document stating that the system meets the requirements of the EU AI Act.
What to Actually Send Your Customer
The customer's legal team is not asking you to send them the conformity assessment itself — they probably do not want to read 40 pages of technical documentation.
What they want to know:
- Have you conducted a conformity assessment? Yes or no, with the date completed and the name of the person responsible.
- What is the outcome? Your Declaration of Conformity (Article 47) is the formal output. This is typically a 1-2 page document.
- What are the key findings? A brief summary of how the seven areas above are addressed in your system.
A practical response to send:
"We have completed our EU AI Act conformity assessment for [product name] under Article 43. Our system qualifies as high-risk under Annex III point 4 as it performs candidate screening and ranking. The assessment was completed on [date] and the EU Declaration of Conformity is attached. Key findings: [2-3 bullet summary]. Technical documentation is available upon NDA request."
If you have not completed a formal conformity assessment, do not say you have. Instead, describe where you are in the process, what your timeline is, and what documentation you do have available now (a Technical Overview, your bias testing results, your human oversight architecture).
The Declaration of Conformity
Article 47 requires the Declaration to include:
- Your company's name and address
- The AI system name and version
- A statement that the system meets the applicable requirements of the EU AI Act
- Reference to any harmonized standards applied
- Location where technical documentation can be accessed
- Date and signature of the responsible person
This is a signed legal document. It is the output of your conformity assessment process. Keep it versioned — every material update to the system that affects its risk profile triggers a new assessment and new Declaration.
The Practical Gap Most HR Tech Companies Have
Most AI-assisted hiring platforms have done significant internal work on bias testing, data governance, and human oversight design. Very few have packaged that work into the formal Article 43 process and produced a signed Article 47 Declaration.
The gap is usually documentation and process, not substance. The technical work often exists. The question is whether it has been organized into the format the EU AI Act requires.
Complizo's AI Feature Registry maps your existing features and controls to the EU AI Act articles. The resulting answers give you the substance of the conformity assessment in a format your customers can read. From there, producing the Article 47 Declaration is a documentation step, not a rebuilding step.
Try Complizo free at complizo.com — paste your conformity assessment questions and get draft answers aligned to your actual product.