Do You Have to Register Your AI System in the EU Database?

AI Comply HQ Team · 8 min read

The Short Answer First

Most AI systems do not get registered anywhere. If your tool is a typical chatbot, a recommendation widget, a spam filter, or any of the thousands of everyday AI features that carry limited or minimal risk, there is no EU database obligation waiting for you.

High-risk systems are the exception. For those, the EU AI Act sets up a public EU database and tells the people behind the system to register it. And here is the part that surprises operators: for high-risk systems the registration generally happens before the system is placed on the market or put into service, not after. So the obligation lands earlier than most teams expect.

That makes one question urgent before anything else. Is your system actually high-risk? If it is not, you can stop reading and get on with your day. If it is, registration is one of several concrete duties you now own. The fastest way to settle it is the free risk check, which tells you your risk tier in about 90 seconds.

What the EU Database Actually Is

The EU AI Act (Regulation (EU) 2024/1689) creates a single public database for high-risk AI systems. It is provided for in Article 71. Think of it as an EU-wide register, set up and run at the EU level, where information about high-risk systems is recorded and, for most of that information, made publicly accessible.

The point is transparency. Regulators, businesses, and the public can look up which high-risk AI systems are operating in the EU market and see who stands behind them. It is the opposite of AI running quietly in the background where nobody can see it.

The registration duties that feed this database sit in Article 49. That article spells out who has to register and at what point in the system's life. Two articles, one job: Article 71 builds the database, Article 49 tells you when to put your system in it.

Who Has to Register?

This is where precision matters, because the duty does not fall on everyone equally. It tracks your role.

Providers carry the main registration duty. If you develop a high-risk AI system, or have one developed for you, and put it on the market or into service under your own name or trademark, you are the provider. Under Article 49, the provider (or their authorised representative, if they have one) generally registers the system in the EU database before it is placed on the market or put into service. Authorised representatives matter here because a provider based outside the EU often acts through one.

Deployers are treated differently, and this trips people up. A deployer is anyone using a high-risk system under their own authority in their business. Most private-sector deployers do not register the system themselves. The provider already did that. But there is a carve-out: deployers that are public authorities, EU institutions, bodies, or agencies (or parties acting on their behalf) do have their own registration duties when they put a high-risk system to use. So a government department using a high-risk tool has a step that a private company using the same tool generally does not.

Here is the split at a glance.

| | Provider | Deployer |
|---|---|---|
| Who you are | You build the high-risk system or put your name on it | You use someone else's high-risk system in your business |
| Do you register the system? | Generally yes, in the EU database under Article 49 | Generally no, if you are a private business |
| Public-authority twist | Same provider duty applies | Public authorities, EU institutions/bodies/agencies (or those acting for them) do have registration duties |
| When | Generally before placing on the market or putting into service | Tied to putting the system to use, where the duty applies |

If you are not sure which role you hold, that question deserves its own answer. We walk through it in detail in provider vs deployer under the EU AI Act. And if you are not even sure you are high-risk in the first place, run the free risk check before you worry about any of this.

What Gets Registered

Registration is not a one-line form. The provider records identifying and descriptive information about the high-risk system: who the provider is, what the system is, what it is intended to do, its status, and similar details that let a reader understand the system at a glance. The database is designed so that this information is, for the most part, public.

You do not upload your full technical documentation into the public database. That documentation still has to exist (Article 11 governs it for high-risk systems), and it has to be ready for authorities on request, but the public register is the descriptive layer that sits on top of the deeper paperwork.

One thing worth saying plainly. Registration in the EU database is free to do. There is no fee to file. The real cost is the work behind it: producing the technical documentation, running the risk management, and getting the system through conformity assessment so that you can stand behind what you register. That is the heavy lifting, and it is why "just register it" is rarely a five-minute job.

A Nuance Worth Knowing: the Article 6(3) Derogation

There is a subtle case that catches careful teams off guard. Some systems fall under Annex III, the list of high-risk use cases, yet the provider concludes the system does not actually pose a high risk and relies on the derogation in Article 6(3) to treat it as not high-risk.

Even in that situation, registration can still come into play. The Act anticipates that a provider taking this position may still need to register the system, so that the claim of "not high-risk" is visible and traceable rather than an unrecorded judgment call. We will not overstate the mechanics here, because the details get specific fast. The takeaway is simple: deciding your Annex III system is not high-risk does not automatically mean you have nothing to file. If you are leaning on that derogation, get the specifics confirmed.

When Does Registration Have to Happen?

Two timing layers matter, and people mix them up.

The first is the per-system rule. For a high-risk system in scope, registration generally happens before the system is placed on the market or put into service. Live first, register later is not the model. The register is meant to reflect systems as they enter the market.

The second is the calendar. The EU AI Act phases its obligations in over time, and the high-risk obligations (registration included) are part of a later wave rather than something that was in force on day one. For many Annex III high-risk systems, the main high-risk obligations apply from 2 August 2026. That date has been the planning anchor for a lot of teams.

There is a moving piece here, and we will be straight about its status. A proposed package often referred to as a "Digital Omnibus," provisionally agreed around 7 May 2026, could push some Annex III high-risk obligations later, with dates as far out as December 2027 discussed. This is proposed, not enacted. Until it is formally adopted, the prudent move is to plan against the existing 2 August 2026 anchor and treat any delay as a bonus, not a guarantee. We track this and update our guidance as it firms up. For the full timeline, see our guide to EU AI Act enforcement dates and deadlines.

A quick honesty note while we are here. This is a plain-English guide, not legal advice. The articles are real and we have cited them carefully, but your specific situation deserves a look at the actual text or a word with counsel.

Your Practical Next Steps

  1. Confirm your risk tier first. Registration only matters if you are high-risk. Run the free risk check and you will know in about 90 seconds, no card, no call.
  2. Pin down your role. If you are high-risk, are you the provider or the deployer? The provider usually registers. Private deployers usually do not. Public authorities have their own duty.
  3. Build the documentation behind the registration. The filing is free, but the technical documentation, risk management, and conformity work underneath it are the real task. Start them early.
  4. Watch the calendar. Plan against 2 August 2026 for many Annex III high-risk obligations, and keep an eye on the proposed Omnibus delay without betting on it.
  5. Put it in one place. AI Comply HQ maps each of your systems to its tier, role, and obligations, and drafts the documentation you need to stand behind a registration. You can start a free trial and have your systems mapped today.

Registration sounds intimidating until you realize the first gate is simply whether you are high-risk at all. Most operators are not, and they walk away with their afternoon back. The ones who are high-risk are far better off learning it now, with time to do the work properly, than discovering it from a regulator after the system is already live.

For related reading, see provider vs deployer, our breakdown of high-risk AI systems, and the full enforcement dates and deadlines.
