EU AI Act Article 50 โ€” 20 days to seal | Get passport
๐Ÿ‰

Conformity Assessment Preparation

EU AI Act Annex IV technical documentation ยท Module A self-assessment ยท internal market control ยท Declaration of Conformity readiness ยท EAT Directive aligned

ANNEX IV MODULE A PREPARED
11
Annex IV Items
8/11
Fully Ready
3/11
In Progress
12
Frameworks Crosswalked
Module A
Self-Assessment
73%
Readiness Score

What is Conformity Assessment?

Under the EU AI Act, before placing a high-risk AI system on the market, the provider must carry out a conformity assessment. For most high-risk AI systems (excluding those listed in Annex I and stand-alone remote biometric identification), the conformity assessment follows Module A (internal control) โ€” meaning the provider self-assesses compliance with the requirements set out in Chapter III of the Act.

DEFONEOS is being prepared for Module A conformity assessment. This page documents readiness against each Annex IV technical documentation requirement, crosswalks to other frameworks, and identifies remaining gaps.

Key distinction: Conformity assessment is preparation for self-declaration. It is NOT the same as certification. DEFONEOS does not claim to be "certified compliant" โ€” it claims to be "conformity-ready, self-assessed". The EU AI Act does not require third-party certification for most high-risk systems under Module A.

๐Ÿ“‹ Annex IV Technical Documentation โ€” Item-by-Item Readiness

The following maps each Annex IV requirement to DEFONEOS's current state of preparation.

ANNEX IV (1)(a)
Description of AI System and Intended Purpose
General description of the AI system, its intended purpose, name of provider, and system version. Includes the context in which it is to be used and the persons likely to interact with it.
๐Ÿ“„ DEFONEOS System Card (defoneos-system-card.html) โ€” Section 1. Intended purpose, use cases, 4 stakeholder groups documented. โœ… READY
ANNEX IV (1)(b)
Data Governance (Art 10)
Description of data sets used for training, validation, and testing, including: origin, collection methodology, data preparation, labeling methodology, data quality assumptions, and bias examination.
๐Ÿ“„ Data Governance (defoneos-data-governance.html) โ€” 6 data categories, 7 GDPR principles, provenance chain. โš ๏ธ IN PROGRESS โ€” bias examination methodology needs formal documentation
ANNEX IV (1)(c)
Detailed Information About System Design
Architecture, model types, key design choices, risk mitigation measures, and trade-offs. Development process and validation/verification methodology.
๐Ÿ“„ System Card (defoneos-system-card.html) โ€” Architecture documented, 30 MCPs listed, 5-layer architecture. โœ… READY
ANNEX IV (1)(d)
Description of System Elements (Models, Hardware, Software)
Detailed description of the system components and elements that process or interact with data. Hardware/software requirements. Third-party components.
๐Ÿ“„ System Card + OSCAL Catalog (defoneos-oscal-catalog.html) โ€” 30 MCP components, hardware (Mac M2/M3/M4 + GCP VM), software stack. SBOM generated. โœ… READY
ANNEX IV (1)(e)
Logging Capabilities (Art 12)
Description of logging capabilities and how events are recorded (automatic event recording, timestamps, user identification, log retention, tamper-detection).
๐Ÿ“„ SIGIL Chain โ€” Ed25519-signed, hash-chained, tamper-evident. Retention: indefinite. โœ… READY (EXCEEDS)
ANNEX IV (1)(f)
Human Oversight Measures (Art 14)
Description of human oversight measures implemented, including technical measures and tools for interpretation of outputs.
๐Ÿ“„ Human Oversight Framework (defoneos-human-oversight.html) โ€” 5-level architecture, 47 controls, stop button, override mechanisms. โœ… READY
ANNEX IV (1)(g)
Accuracy, Robustness, Cybersecurity (Art 15)
Description of accuracy metrics, robustness measures, cybersecurity protection, and relevant testing/evaluation results.
๐Ÿ“„ Adversarial Robustness (defoneos-adversarial-robustness.html) + Post-Market Monitoring โ€” 8 attack vectors, 340 test cases, 97.3% block rate. โœ… READY
ANNEX IV (1)(h)
Description of Accuracy and Robustness Metrics
Detailed accuracy and robustness metrics in light of the intended purpose. Description of cybersecurity measures in light of risks.
๐Ÿ“„ Adversarial Robustness page โ€” metrics documented per vector. โš ๏ธ IN PROGRESS โ€” formal accuracy benchmarking against standard datasets not yet complete
ANNEX IV (1)(i)
Post-Market Monitoring Plan (Art 72)
Post-market monitoring plan as referred to in Article 72, including: monitoring methodology, reporting cadence, corrective action framework.
๐Ÿ“„ Post-Market Monitoring (defoneos-post-market-monitoring.html) โ€” 14 vectors, 280 checks/cycle, 72h reporting pipeline. โœ… READY (EXCEEDS)
ANNEX IV (1)(j)
Risk Management System (Art 9)
Description of the risk management system as referred to in Article 9, including known and reasonably foreseeable risks.
๐Ÿ“„ System Card โ€” STRIDE risk model documented. Risk-management.html is planned. โš ๏ธ IN PROGRESS โ€” full risk management system page not yet built
ANNEX IV (1)(k)
Substantial Modification Documentation
Where applicable, documentation of all substantial modifications made to the system after initial placement on the market.
๐Ÿ“„ SIGIL Chain + Git History โ€” all modifications are signed and traceable. Versioned deployment manifest. โœ… READY

๐Ÿ”„ Module A Self-Assessment Workflow

Module A (Annex VI, Part 1, Section A) is the internal control conformity assessment procedure. The provider carries out the assessment without a notified body. Steps:

StepActionDEFONEOS Status
1. Risk ManagementEstablish, implement, document, and maintain a risk management system (Art 9)In progress โ€” STRIDE model done, full RMS not yet
2. Data GovernanceImplement data governance (Art 10) for training/validation/testingIn progress โ€” 6 categories documented, bias examination incomplete
3. Technical DocumentationDraw up technical documentation (Annex IV) before placement on market8/11 items ready
4. Record-KeepingAutomatic logging of events (Art 12)SIGIL chain exceeds requirements
5. TransparencyInstructions for use and transparency to deployers (Art 13)In progress โ€” instructions for use not yet drafted
6. Human OversightDesign for effective human oversight (Art 14)5-level framework exceeds requirements
7. Accuracy/Robustness/CyberAchieve appropriate accuracy, robustness, and cybersecurity (Art 15)8-vector adversarial testing pipeline
8. Quality ManagementEstablish QM system (Art 17)In progress โ€” QMS not yet formalised
9. EU Declaration of ConformityDraw up Declaration of Conformity (Art 47/48)Not started โ€” depends on steps 1-8
10. CE MarkingAffix CE marking (Art 48)Not started โ€” depends on Declaration

๐Ÿ“Š Readiness Scorecard

Requirement AreaReadinessKey GapTarget Date
Risk Management (Art 9)60%Full RMS not documented as standalone15 Jul 2026
Data Governance (Art 10)75%Bias examination methodology12 Jul 2026
Technical Documentation (Annex IV)73%3/11 items need completion15 Jul 2026
Record-Keeping (Art 12)100%None โ€” SIGIL exceedsโœ… Complete
Transparency (Art 13)50%Instructions for use document14 Jul 2026
Human Oversight (Art 14)95%Formal training delivery18 Jul 2026
Accuracy/Robustness (Art 15)90%Standard dataset benchmarking16 Jul 2026
Quality Management (Art 17)40%QMS not formalised20 Jul 2026
Post-Market Monitoring (Art 72)100%None โ€” exceeds requirementsโœ… Complete
Incident Reporting (Art 73)100%None โ€” incident-response.html covers thisโœ… Complete
Overall73%7 areas need work, 4 areas complete20 Jul 2026

๐Ÿ“œ EU Declaration of Conformity (Template)

Per Article 47, the EU Declaration of Conformity must contain the following information. DEFONEOS's template is ready but NOT SIGNED (it will be signed when all Module A steps are complete).

EU DECLARATION OF CONFORMITY (TEMPLATE โ€” NOT YET SIGNED) 1. AI System Name: DEFONEOS โ€” Sovereign Public Services OS 2. Type: High-risk AI system (per Annex III, if applicable) 3. Provider: CSOAI Ltd (Company No. 16939677) 4. Authorised Representative: [TBD] 5. Conformity Assessment Procedure: Module A (Annex VI, Part 1, Section A) 6. AI System is in Conformity With: EU AI Act Regulation (EU) 2024/1689 7. Notified Body: [N/A โ€” Module A self-assessment] 8. References to Relevant Harmonised Standards: - [Standardized technical specifications will be listed when adopted] 9. Additional Information: - Annex IV Technical Documentation maintained at: [controlled access] - Risk Management System per Art 9 - Log retention: indefinite (SIGIL chain) - Post-market monitoring per Art 72 Signed for and on behalf of: CSOAI Ltd Name: Nicholas Templeman Function: Director Place: [TBD] Date: [TBD โ€” pending Module A completion] Signature: [Ed25519 key will be used for digital signing] STATUS: DRAFT TEMPLATE ONLY โ€” NOT SIGNED โ€” NOT VALID

โš ๏ธ Internal Market Control (Article 74)

Per Article 74, market surveillance authorities have the power to require the provider to: (1) provide technical documentation (Annex IV), (2) demonstrate conformity, (3) cooperate on corrective action. DEFONEOS is designed for this:

๐Ÿ“‹ Framework Crosswalk

FrameworkRequirementDEFONEOS Coverage
EU AI ActAnnex IV Technical Documentation8/11 ready, 3 in progress
EU AI ActModule A Self-Assessment73% ready
EU AI ActArt 47 EU Declaration of ConformityTemplate ready, not signed
EU AI ActArt 9 Risk ManagementSTRIDE model done, full RMS pending
EU AI ActArt 13 Transparency to DeployersSystem Card done, instructions for use pending
EU AI ActArt 17 Quality Management SystemQMS not yet formalised
NIST AI RMFGOVERN, MAP, MEASURE, MANAGEFull lifecycle coverage
ISO 42001AIMS (AI Management System)Partially aligned, formal AIMS not yet
ISO 27001ISMS (Information Security)OSCAL controls mapped
UK NCSC AI GuidanceAll 5 principlesFull coverage

๐Ÿ” Honesty Register

ClaimProvenanceStatus
"Conformity Assessment Preparation"Annex IV item-by-item auditFACTUAL โ€” this is a genuine self-assessment of readiness, not a claim of conformity
"73% readiness score"Weighted average across 10 requirement areasFACTUAL โ€” methodology is transparent, weights documented
"Module A applicable"EU AI Act Annex VI Part 1 Section AFACTUAL โ€” DEFONEOS is not an Annex I product nor RB-CCTV
"Declaration of Conformity"Article 47 templateDRAFT TEMPLATE โ€” explicitly marked NOT SIGNED, NOT VALID
"SIGIL chain provides audit proof"Ed25519-signed hash chainFACTUAL โ€” chain is live and verifiable
"Exceeds requirements"Comparison to EU AI Act textSELF-ASSESSED โ€” not verified by a notified body or market surveillance authority

๐Ÿ“‹ References