Article 9. Risk management system

12 obligations

EU-AIA-9-01 Risk Management

Establish risk management system for high-risk AI systems

A risk management system must be established, implemented, documented and maintained in relation to high-risk AI systems

EU-AIA-9-02 Risk Management

Implement continuous iterative risk management process

The risk management system must be understood as a continuous iterative process planned and run throughout the entire li

EU-AIA-9-03 Risk Management

Identify and analyze known and reasonably foreseeable risks

Providers must identify and analyze the known and the reasonably foreseeable risks that the high-risk AI system can pose

EU-AIA-9-04 Risk Management

Estimate and evaluate risks under intended use and foreseeable misuse

Providers must estimate and evaluate the risks that may emerge when the high-risk AI system is used in accordance with i

EU-AIA-9-05 Risk Management

Evaluate risks from post-market monitoring data

Providers must evaluate other risks possibly arising, based on the analysis of data gathered from the post-market monito

EU-AIA-9-06 Risk Management

Adopt appropriate and targeted risk management measures

Providers must adopt appropriate and targeted risk management measures designed to address the risks identified through

EU-AIA-9-07 Risk Management

Consider combined effects of requirements in risk management

Risk management measures must give due consideration to the effects and possible interactions resulting from the combine

EU-AIA-9-08 Risk Management

Ensure acceptable residual risk levels

Risk management measures must ensure that the relevant residual risk associated with each hazard, as well as the overall

EU-AIA-9-09 Risk Management

Eliminate or reduce risks through adequate design and development

Providers must ensure elimination or reduction of identified and evaluated risks as far as technically feasible through

EU-AIA-9-10 Risk Management

Implement mitigation and control measures for non-eliminable risks

Where appropriate, providers must implement adequate mitigation and control measures addressing risks that cannot be eli

EU-AIA-9-12 Risk Management

Test high-risk AI systems for risk management purposes

High-risk AI systems must be tested for the purpose of identifying the most appropriate and targeted risk management mea

EU-AIA-9-15 Risk Management

Consider impact on minors and vulnerable groups in risk management

When implementing the risk management system, providers must give consideration to whether, in light of its intended pur

Article 10. Data and data governance

2 obligations

EU-AIA-10-08 Risk Management

Examine data for possible biases

Data governance practices must include examination for possible biases that are likely to affect health and safety, nega

EU-AIA-10-09 Risk Management

Implement bias detection, prevention and mitigation measures

Data governance practices must include appropriate measures to detect, prevent and mitigate possible biases identified i

Article 16. Obligations of providers of high-risk AI systems

1 obligation

EU-AIA-16-03 Risk Management

Quality management system establishment

Providers must establish and maintain a quality management system that complies with the requirements specified in Artic

Article 17. Quality management system

1 obligation

EU-AIA-17-09 Risk Management

Include risk management system in QMS

The quality management system must include the risk management system referred to in Article 9.

Article 20. Corrective actions and duty of information

1 obligation

EU-AIA-20-03 Risk Management

Immediate investigation of causes when risk presents

When a high-risk AI system presents a risk within the meaning of Article 79(1) and the provider becomes aware of that ri

Article 27. Fundamental rights impact assessment for high-risk AI systems

4 obligations

EU-AIA-27-01 Risk Management

Perform fundamental rights impact assessment before deployment

Prior to deploying a high-risk AI system, specified deployers must perform an assessment of the impact on fundamental ri

EU-AIA-27-04 Risk Management

Identify categories of persons affected by AI system use

As part of the fundamental rights impact assessment, deployers must identify the categories of natural persons and group

EU-AIA-27-05 Risk Management

Assess specific risks of harm to affected persons

As part of the fundamental rights impact assessment, deployers must assess the specific risks of harm likely to impact t

EU-AIA-27-07 Risk Management

Define measures for when risks materialize

As part of the fundamental rights impact assessment, deployers must define the measures to be taken when identified risk

Article 55. Obligations for providers of general-purpose AI models with systemic risk

1 obligation

EU-AIA-55-02 Risk Management

Assess and mitigate systemic risks from model development and deployment

Assess and mitigate possible systemic risks including their sources that may arise from development, placing on market,

Article 73. Reporting of serious incidents

1 obligation

EU-AIA-73-06 Risk Management

Perform necessary investigations after reporting serious incident

Following the reporting of a serious incident, the provider must perform without delay the necessary investigations in r