EU AI Act registration is not a single form. It is a multi-step process involving inventory, classification, documentation, assessment, representative appointment, and database submission. With Annex III obligations applying 2 December 2027 post-trilogue, here is exactly what each step requires — and what should not wait until 2027.
Before you can classify anything, you need a complete picture of every AI system your organization uses, develops, or deploys. This includes third-party AI tools embedded in your products, AI-powered features in SaaS platforms you use, and internal AI systems for decision-making.
Most companies significantly undercount their AI systems. A thorough inventory typically reveals 3–5x more AI systems than initially expected. Document each system's purpose, data inputs, outputs, and where it is deployed geographically.
For each AI system identified, determine whether it falls under one of the eight high-risk categories in Annex III. Consider both direct use cases and indirect impacts — a system that feeds into a hiring decision, even indirectly, may qualify.
Systems that do not fall under Annex III may still have transparency obligations (Article 50, applying 2 August 2026 — unchanged by the trilogue) or require registration if the provider has classified them as non-high-risk under the Article 6(3) exception (Article 49(2)).
For each high-risk system, prepare the mandatory technical documentation under Annex IV. This is the most resource-intensive step, requiring input from engineering, data science, legal, and compliance teams. Documentation must cover system design, training data governance, risk management, testing methodology, and human oversight measures.
This step alone typically takes 4–6 weeks per system.
Complete the applicable conformity assessment procedure. For most Annex III systems, this is internal self-assessment under Annex VI. For biometric identification systems, third-party assessment by a Notified Body is required. Upon completion, issue the EU Declaration of Conformity (Article 47) and affix the CE marking (Article 48).
If you are a non-EU provider, appoint an EU Authorised Representative under Article 22 by written mandate. The representative must be established in an EU Member State and empowered to perform the tasks specified in the AI Act — including holding the technical documentation under custody for 10 years, registering the system in the EU database, and acting as the point of contact for national market surveillance authorities and the EU AI Office.
Our strategic partner SecureFound (SECURE FOUND, S.L., established in Adeje, Tenerife — Spain) holds this mandate under both Articles 22 (high-risk providers) and 54 (GPAI providers), covering all 27 EU Member States from a single appointment with AESIA as the coordinating home authority. SecureFound is led by bar-admitted attorneys with decades of regulatory practice, maintains EU data residency, and provides the statutory 10-year documentation custody. The Lexara × SecureFound engagement covers Steps 1–4 from New York and Steps 5–6 from Spain — one transatlantic process, two jurisdictions.
Submit the required Annex VIII information to the EU AI database. The data required includes the provider's name, authorised representative details, system description, intended purpose, conformity assessment status, and Member States where the system is placed on the market.
The information in the database is publicly accessible (with limited exceptions for law enforcement systems under Article 49(4)), so ensure your submissions are accurate and complete — incorrect information carries its own penalty tier.
Timeline reality: Steps 1–6 take a minimum of 8–12 weeks for a single system. Companies with multiple high-risk systems should plan for 3–6 months. The post-trilogue calendar means two parallel tracks: Annex III obligations apply 2 December 2027 (real runway); but Article 50 transparency, GPAI obligations, AI Office full enforcement powers, and the new Article 5 prohibition on AI-generated NCII/CSAM all apply between 2 August and 2 December 2026 (operational, near-term). If your systems generate synthetic content, interact with humans, or qualify as GPAI, the operational deadlines do not move — starting now is essential.
Does This Apply to US Companies? — extraterritorial scope analysis
Penalties — consequences of incomplete or late registration
Implementation Timeline — full post-trilogue calendar
SecureFound — the EU Authorised Representative partner
Lexara Advisory and SecureFound (Spain) guide US companies through every step — one transatlantic engagement, two jurisdictions.
Contact Lexara Advisory →Lexara Advisory LLC is an AI governance consulting firm, not a law firm. SecureFound (SECURE FOUND, S.L., Spain) is the strategic EU partner providing Article 22 / Article 54 EU Authorised Representative services. This content is for informational purposes only and does not constitute legal advice.
🤖 AI — not a human or lawyer