A Global Law Firm Just Asked for Your AI Legal Research Tool's Conformity Assessment: How to Answer the Article 19 Self-Assessment Questions

Your largest law firm customer is finalising their vendor approval process. You're three weeks into their information security and technology review when the new question arrives from their AI governance lead: "Please provide documentation of the conformity assessment conducted for your AI legal research tool under Article 19 of the EU AI Act, including the assessment method chosen and the outcome."

You search Article 19. It's four paragraphs. It tells you which conformity assessment procedure to use — but the procedures themselves are in Annex VI. You open Annex VI.

This post explains what Article 19 requires, how the self-assessment path works, and exactly what to send a law firm that asks this question.

What Article 19 Says

Article 19 requires providers of high-risk AI systems to follow a conformity assessment procedure before placing the system on the EU market. The purpose is to verify that the system meets the requirements in Chapter III, Section 2 of the EU AI Act — covering data governance, technical documentation, transparency, human oversight, accuracy, and robustness.

For most Annex III high-risk AI systems that are not safety components and do not involve biometric identification, the procedure is internal control under Annex VI. This is a self-assessment: the provider conducts the assessment, documents it, and draws up a declaration of conformity. No notified body is required.

AI systems for biometric identification, or AI systems that are safety components of products covered by other EU regulations (medical devices, machinery), follow different procedures requiring third-party involvement.

For a legal research or contract analysis tool, the Annex VI path almost certainly applies.

What the Annex VI Self-Assessment Actually Involves

Annex VI has three elements:

1. Technical documentation. You must establish and maintain the technical documentation required by Annex IV. This covers the system description and intended purpose, the design and development methodology, training data description and governance measures, the risk management system, performance metrics and test results, human oversight design, and the post-market plan.

2. Quality management system. You must implement the quality management system required by Article 17. This covers documented processes for risk management, data quality, design control, change management, corrective action, and training.

3. EU declaration of conformity. Once the assessment is complete, you draw up the declaration required by Article 47. It is signed by a person with authority to bind the company, identifies the system, references the applicable requirements and standards, and states the conformity outcome.

How to Answer the Law Firm's Question

Law firm procurement and AI governance teams asking this question want three things: confirmation that you have done the assessment, a summary of the method used, and evidence they can file.

Confirm the procedure: State that your system is subject to Annex VI internal control. Name the system, its Annex III classification, and the date the assessment was completed.

Describe the method: Summarise the assessment process. What requirements did you test against? What standards or frameworks did you reference? ISO 42001 is the current management system standard for AI; CEN/CENELEC output is the emerging harmonised standard set. Referencing either adds credibility.

Provide the evidence: The declaration of conformity is the primary deliverable. You can share it directly or under NDA. Attach or reference: technical documentation summary (not the full Annex IV file, but a summary), risk management output summary, test results for accuracy and robustness, and the signed declaration.

What If Your Assessment Is In Progress

If your conformity assessment is underway but not finalised, say so precisely. State what has been completed, what remains, and your expected completion date. Enterprise legal buyers can accommodate a timeline. What they cannot accommodate is a vendor who cannot explain what a conformity assessment is or whether they have one.

The law firms asking this question are not doing it to catch you. They are doing it because their own clients — large corporates under AI governance pressure — are asking them to vet their AI tool stack. A clear, document-backed answer closes this section of the questionnaire and moves the relationship forward.

Try Complizo free at complizo.com