GovCompass
Knowledge base
ReferenceAccountabilitySafety & reliability

Art. 9 EU AI Act: the risk management system for high-risk AI

By Michel Venniker· · Aligned with the consolidated EU AI Act, including the 2026 Omnibus amendments.

Art. 9 requires providers of high-risk AI systems to establish, document, and maintain a risk management system that runs across the entire lifecycle. It is a continuous, iterative process: identify the known and foreseeable risks, estimate and evaluate them, and adopt targeted mitigation measures, updating the cycle as the system and its environment change. It is not a one-time pre-deployment assessment.

Updated: June 2026

This is an explicit providerproviderThe actor who develops an AI system (or has it developed) and places it on the market or into service under its own name — carrying manufacturer-style duties: design controls, documentation, conformity.Open full entry → obligation under the EU AI Act. It falls on whoever develops or places the high-risk AI systemAI systemA machine-based system that, for explicit or implicit objectives, infers from input how to generate outputs — predictions, content, recommendations or decisions — that can influence physical or virtual environments. The OECD-style definition followed by the EU AI Act.Open full entry → on the market. Deployers meet a related but lighter set of duties under Art. 26.

Introduction: the obligation that holds the others together

Art. 9 is the first of the technical requirements the EU AI Act places on providers of high-risk AI systems, and it is deliberately first. The risk management system is the framework into which the other obligations fit: the data governance of Art. 10, the technical documentation of Art. 11, the logging of Art. 12, the transparencytransparencyOpenness about the fact that AI is used and how it operates in general: disclosures, documentation, notices. Pairs with explainability, which addresses individual outcomes.Open full entry → of Art. 13, the human oversighthuman oversightDesigned-in human ability to monitor, intervene in, override or shut down an AI system — meaningful only when the human has authority, information and time to act.Open full entry → of Art. 14, and the accuracy and robustnessrobustnessA system's ability to perform reliably under realistic conditions including noise, edge cases and adversarial pressure — the engineering core of the safety-and-reliability principle.Open full entry → of Art. 15 are all, in part, risk mitigation measures that the Art. 9 system identifies, justifies, and tracks.

The defining feature of Art. 9 is that it is continuous. The article uses the word "iterative" and requires the process to run "throughout the entire lifecycle" of the system. A provider who conducts a single risk assessment before launch, files it, and never revisits it has not satisfied Art. 9, regardless of how thorough that assessment was. The obligation is to operate a living system, not to produce a document.

What the risk management system must do

Art. 9 sets out a cycle with four recurring steps:

  1. Identify and analyse the known and reasonably foreseeable risks the system can pose to health, safety, and fundamental rights when used for its intended purpose.
  2. Estimate and evaluate the risks that may emerge when the system is used as intended and under conditions of reasonably foreseeable misuse.
  3. Evaluate other risks that arise from the analysis of post-market monitoringpost-market monitoringProvider-side duty to systematically collect and act on experience from systems in use — the product-regulation half of continuous monitoring.Open full entry → data (the feedback loopfeedback loopA dynamic where a system's own outputs influence its future training data, amplifying initial patterns — e.g. investigating only flagged claims, then learning from those investigations.Open full entry → from Art. 72).
  4. Adopt appropriate and targeted risk management measures to address the identified risks.

The measures must reduce each risk so far as is technically feasible, through the design and build of the system itself, through mitigation and control measures where the risk cannot be eliminated, and through the information and training provided to deployers. Residual risks that remain after mitigation must be judged acceptable and communicated to the deployerdeployerAn organization using an AI system under its own authority in its activities — carrying operator duties: use per instructions, oversight, input relevance, monitoring, notices.Open full entry →.

The relationship to the other technical articles

Art. 9 does not operate in isolation. It is the orchestrating process, and the other articles are where its measures are implemented:

  • A data quality risk identified under Art. 9 is mitigated through the Art. 10 data governance measures.
  • A risk of insufficient traceability is mitigated through the Art. 12 logging capability.
  • A risk that a deployer misunderstands the system is mitigated through the Art. 13 instructions for use.
  • A risk that the system acts without meaningful human control is mitigated through the Art. 14 human oversight design.
  • A risk of inaccurate or non-robust performance is mitigated through the Art. 15 measures.

This is why Art. 9 is the backbone: a finding in the risk management system flows out into a concrete measure in one of the other articles, and the evidence that the measure works flows back in through testing and monitoring.

Why it matters

For a provider, the risk management system is the document a conformity assessmentconformity assessmentThe pre-market process demonstrating a high-risk AI system meets the EU AI Act's requirements, leading to CE marking and registration.Open full entry → examines first, because it demonstrates whether the provider's compliance is systematic or improvised. A coherent Art. 9 system, with each identified risk traced to a mitigation measure and a piece of evidence, signals a system under control. A pile of separate assessments with no connecting process signals the opposite.

For a deployer, Art. 9 matters indirectly but materially: the residual risks the provider judged acceptable, and the conditions under which the system is safe to use, are communicated through the instructions for use. A deployer who operates the system outside those conditions inherits the risk that the provider's Art. 9 system explicitly excluded.

Governing the risk management system

The practical challenge is keeping the system alive after launch, when the pressure to move on to the next release is strongest. The controls below treat the risk management system as a process with a heartbeat, not a deliverable with a deadline.

The core artefact is a risk registerrisk registerThe living record of an AI system's identified risks, ratings, responses, owners and review dates — kept current from design through retirement.Open full entry → that, for each identified risk, records the description, the affected rights or safety dimension, the severity and likelihood, the mitigation measure, the article under which that measure sits, the evidence that the measure works, and the residual riskresidual riskThe risk remaining after mitigations — compared against risk appetite and accepted in writing by someone with authority, or the project doesn't proceed.Open full entry → after mitigation. This register is updated on a defined cadence and on trigger events: a system change, a new intended use, a post-market monitoring signal, or a serious incidentserious incidentAn AI incident causing (or nearly causing) death, serious harm to health, property, fundamental rights or infrastructure — triggering regulatory reporting duties for high-risk systems.Open full entry →.

The feedback loop is what makes the system iterative. Post-market monitoring data under Art. 72 and serious incident reports under Art. 73 feed back into the register, where they either confirm that a risk was correctly judged or reveal that it was underestimated. Each incident closes with the register updated so the next iteration of the system carries the lesson forward.

Compliance checklist

  1. Is there a documented risk management system that covers the full lifecycle of each high-risk system, not a single pre-deployment assessment?
  2. Does the risk register trace each identified risk to a specific mitigation measure and the article under which it sits?
  3. Is there evidence that each mitigation measure was tested and works?
  4. Are residual risks documented, judged acceptable, and communicated to deployers through the instructions for use?
  5. Is the register updated on a defined cadence and on trigger events (system change, new use, monitoring signal, incident)?
  6. Does post-market monitoring and incident data feed back into the register?
Legal referencesArt. 9Art. 10Art. 15Art. 72

More on Accountability

Art. 10 EU AI Act: data and data governance for high-risk AI

Reference

Art. 10 requires that the training, validation, and testing data for high-risk AI systems meets quality criteria: relevant, sufficiently representative, and as free of errors and complete as possible for the intended purpose. It also requires documented data governance practices covering collection, preparation, bias examination, and gap mitigation, and it permits the limited processing of special-category data where strictly necessary to detect and correct bias, under safeguards.

Art. 12 EU AI Act: record-keeping and logging for high-risk AI

Reference

Art. 12 requires high-risk AI systems to technically allow for the automatic recording of events (logs) over their lifetime. The logging must enable traceability of the system's functioning at a level appropriate to its intended purpose, support post-market monitoring, and help identify situations that may lead to risk or substantial modification. It is a design obligation on the provider that makes the system auditable by construction.

Art. 19 EU AI Act: keeping the automatically generated logs

Reference

Art. 19 requires providers of high-risk AI systems to keep the logs that the system automatically generates (under Art. 12) for as long as they control them, for a period appropriate to the intended purpose and at least six months unless other law requires longer. It is the retention counterpart to the Art. 12 logging capability, and it works alongside the deployer retention duty in Art. 26.6.

Art. 26.1 EU AI Act: following provider instructions as a deployer

Reference

Art. 26.1 requires deployers to use high-risk AI systems strictly in accordance with the provider's instructions for use. This means using the system only for its intended purpose, within its specified technical configuration, and by qualified users, and documenting that compliance. Deviating from the instructions can shift liability entirely to the deployer.

More on Safety & reliability

Art. 14 EU AI Act: designing high-risk AI for human oversight

Reference

Art. 14 requires providers to design and build high-risk AI systems so that they can be effectively overseen by humans during use. The system must let an overseer understand its capabilities and limits, watch for anomalies, resist automation bias, correctly interpret outputs, decide not to use the system, and intervene or stop it through a kill switch (Art. 14(4)(e)). It is the design obligation that makes the deployer oversight duty of Art. 26.2 possible.

Art. 26.4 EU AI Act: input data quality for deployers

Reference

Art. 26.4 requires deployers of high-risk AI to ensure that input data is relevant and sufficiently representative for the system's intended purpose. The deployer is responsible for data quality in operation, even though the provider sets the specifications under Art. 10.

Art. 26.5 EU AI Act: post-market monitoring for deployers

Reference

Art. 26.5 requires deployers of high-risk AI to monitor the system's operation against the provider's instructions and to report risks and serious incidents. Monitoring is the early-warning mechanism that connects to incident reporting under Art. 73.

Art. 5 EU AI Act: all 8 prohibited AI practices explained

Reference

Art. 5 lists the eight prohibited AI practices, including subliminal manipulation, exploitation of vulnerable groups, social scoring, and untargeted facial-recognition scraping. These prohibitions are absolute, apply to every organisation regardless of size, and have been in force since 2 February 2025.