Article 17: Quality Management System for High-Risk AI
Article 17 requires providers of high-risk AI systems to establish and maintain a quality management system (QMS) that ensures systematic compliance with the Regulation. The QMS must be documented in writing, proportionate to the size of the provider, and cover the entire AI lifecycle — from design and development through post-market monitoring. Article 17(1) lists specific QMS elements including: a compliance strategy, design and development techniques, testing and validation, data management, risk management, post-market monitoring, incident reporting, communication with authorities, record-keeping, resource management, and an accountability framework. For providers already subject to sectoral QMS (e.g. MDR, IVDR), the AI Act QMS can be integrated into the existing system.
Who does this apply to?
- Providers of high-risk AI systems under Article 6
- Quality and regulatory affairs teams designing or maintaining the QMS
- Notified bodies reviewing the QMS during conformity assessment (Annex VI/VII)
- Product manufacturers integrating AI QMS into existing sectoral quality systems
Scenarios
A provider's QMS maps Article 17(1) elements to internal SOPs: risk SOP references Article 9, data SOP references Article 10, test SOP references accuracy/robustness/cybersecurity in Article 15.
A medical device company extends its MDR quality system with AI-specific SOPs covering data governance, model testing, and human oversight.
A start-up has no formal QMS and relies on informal processes for development and testing.
What Article 17 requires (in plain terms)
The QMS must be documented, include written policies and procedures, and cover at least these elements as listed in Article 17(1):
1. A strategy for regulatory compliance including conformity assessment and management of substantial modifications
2. Techniques, procedures, and systematic actions for design, development, and testing
3. Examination, test, and validation procedures before, during, and after development
4. Technical specifications including standards to be applied
5. Systems for data management (collection, annotation, storage, filtering, analysis, labelling)
6. The risk management system under Article 9
7. A post-market monitoring system under Article 72
8. Procedures for reporting serious incidents under Article 73
9. Communication with national competent authorities, notified bodies, deployers, and other stakeholders
10. Record-keeping of all relevant documents and information
11. Resource management including supply chain measures
12. An accountability framework setting responsibilities of management and staff
All elements must be proportionate to the provider's size and the system's risk profile.
Integration with sectoral QMS (Article 17(3))
Providers already subject to Union harmonisation legislation quality requirements (e.g. MDR/IVDR for medical devices, Machinery Regulation, etc.) may integrate Article 17 elements into their existing sectoral QMS rather than building a parallel system. This reduces duplication for dual-regulated products.
The key is demonstrating that every Article 17(1) element is addressed — either by existing SOPs or by new AI-specific procedures grafted onto the current system.
How Article 17 connects to the rest of the Act
- Article 16 — The master obligation list that references Article 17 as obligation (b).
- Article 9 — Risk management feeds QMS element (6).
- Article 10 — Data governance aligns with QMS element (5).
- Article 11 — Documentation is part of the QMS evidence base.
- Article 43 — Conformity assessment examines the QMS (Annex VI/VII).
- Article 72 — Post-market monitoring is QMS element (7).
- Article 73 — Incident reporting is QMS element (8).
- Annex VI — Internal control procedure reviews the QMS.
- Annex VII — Notified body procedure audits the QMS.
Recitals (preamble) on EUR-Lex
The recitals of the consolidated AI Act on EUR-Lex give context for proportionality, SME considerations, and the lifecycle approach to quality management. Refer to the official preamble on EUR-Lex.
Compliance checklist
- Map each Article 17(1) element to an existing or new SOP/policy document.
- Ensure the QMS is documented in writing and version-controlled.
- Assign management responsibility for each QMS element (accountability framework).
- Integrate AI QMS into existing sectoral quality systems where applicable (Article 17(3)).
- Include data management procedures covering collection, annotation, storage, and labelling.
- Link risk management (Article 9) and post-market monitoring (Article 72) outputs directly into QMS processes.
- Establish incident reporting procedures tied to Article 73 timelines.
- Plan internal audits and management reviews of the QMS.
- Prepare QMS documentation for conformity assessment review (Annex VI or VII).
Related Articles
Article 16: Obligations of Providers of High-Risk AI Systems
Article 9: Risk Management System
Article 10: Data and Data Governance
Article 11: Technical Documentation
Article 43: Conformity Assessment for High-Risk AI Systems
Article 72: Post-Market Monitoring
Article 73: Reporting of Serious Incidents
Article 99: Penalties for AI Act Infringements
Article 113: Entry into Force and Application Dates
Related annexes
- Annex VI — Internal control conformity assessment (reviews QMS)
- Annex VII — Notified body conformity assessment (audits QMS)
Frequently asked questions
Is ISO 9001 enough to comply with Article 17?
ISO 9001 provides a foundation but does not cover AI-specific elements (data management, AI risk management, bias testing, post-market monitoring). You need to gap-analyse Article 17(1) against your ISO 9001 system and add missing AI-specific SOPs.
Can we combine MDR and AI Act QMS?
Yes. Article 17(3) explicitly allows integration into existing sectoral quality systems. Map each Article 17(1) element to your MDR QMS and add AI-specific procedures where gaps exist.
How detailed does the QMS need to be for a start-up?
Proportionate to your size and risk. A small team may have lightweight SOPs, but all 12 elements must be addressed in writing. Start with a single compliance manual that cross-references the Article 17(1) list.
When is the QMS reviewed during conformity assessment?
Under Annex VI (internal control), the provider self-assesses the QMS. Under Annex VII (notified body), the body audits the QMS. In both cases, the QMS must be ready before assessment begins.