AIGP Study Guide
Module 4: AI Regulation · BoK IV.C

Conformity assessments, registration and notification

The conformity assessment (CA) is how compliance is demonstrated for high-risk AI, underpinned by technical documentation. CAs borrow from DPIAs and product-safety assessments but cover safety, rights and fundamental impacts, not only data protection. The EU registers high-risk systems in a public EU database before market placement.

Goals of a CA

Identify how the technology was developed, the data set used, how the learning process was developed, how the AI behaves and potential impacts over time → adequate technical documentation is a key component.

Assessment requirements by jurisdiction

Jurisdiction | Assessment requirement
🇪🇺 EU AI Act | Pre-market conformity assessments for high-risk AI (recruitment, biometrics, medical devices, credit scoring, infrastructure safety) with reassessment over the life cycle
🇰🇷 South Korea | Designation confirmation for high-impact AI plus compliance checks → safety, documentation, oversight verified before release
🇨🇳 China | Public generative AI must undergo security and safety assessment and be filed with the CAC before launch
🇺🇸 Colorado | Deployers of consequential-decision AI complete an algorithmic impact assessment → purpose, data, risks, mitigation, monitoring

  • Common CA elements → conducted before deployment; evaluate safety, rights and fundamental impacts, not only data protection; reassess when systems are substantially modified; support accountability and regulator access through documentation.
  • CAs vs DPIAs → CAs borrow from existing assessments (DPIAs, product safety); best practice is to complete and document a DPIA across the AI's life cycle; CAs can envision harms that inform DPIAs and supplement them in more technical, risk-heavy areas.

Registration and post-market notification

Registration / filing:
  • EU → register high-risk systems in a public EU database before market placement (the only public database)
  • China → public GenAI services file with the CAC + security assessment pre-launch
  • South Korea → designation confirmation plus a domestic representative for foreign operators above thresholds

Notification / monitoring:
  • EU → run post-market monitoring and report serious incidents within set deadlines
  • South Korea → regulators can demand reports and order corrective measures
  • China → notify regulators of material changes
  • Colorado → review the AIA at least annually and provide it to the AG within 90 days of request, with developers disclosing known risks within 90 days of discovery
  • Japan → voluntary disclosure as good practice

Key terms - quick answers

What is “Conformity assessment (CA)”?
Pre-market evaluation demonstrating a high-risk AI's compliance; underpinned by technical documentation.
What is “DPIA”?
Data Protection Impact Assessment; CAs borrow from it but cover safety, rights and fundamental impacts more broadly.
What is “Algorithmic Impact Assessment (AIA)”?
Colorado assessment of a consequential-decision AI's purpose, data, risks, mitigation and monitoring.
What is “Fundamental Rights Impact Assessment (FRIA)”?
EU assessment of an AI's impact on fundamental rights, required of public bodies and public-service providers.