How do I use the Quality Management System Generator?

Describe your compliance strategy and governance structure Document your design control and testing procedures Record your data management, risk management, and accuracy metrics Define human oversight, post-sale modification, and document management procedures Name the responsible persons and accountability framework Export as legal-grade evidence and save to vault

Omnibus update (7 May 2026): Annex III high-risk provisionally shifted from 2 Aug 2026 to 2 Dec 2027. Art. 50 transparency (chatbots, deepfakes, emotion, biometric) still 2 Aug 2026. Art. 4 / Art. 5 / GPAI live now. Details.

Why this matters

Art. 17 requires every high-risk AI provider to implement and document a QMS covering 13 specific elements. This is the first document a notified body requests in any Annex VII conformity assessment.

How to use it

1Describe your compliance strategy and governance structure
2Document your design control and testing procedures
3Record your data management, risk management, and accuracy metrics
4Define human oversight, post-sale modification, and document management procedures
5Name the responsible persons and accountability framework
6Export as legal-grade evidence and save to vault

Legal basis

Art. 17
Art. 9
Annex VII

Quality Management System Generator

Required under Art. 17 EU AI Act for all high-risk AI providers. Complete all 13 elements for a submission-ready QMS document.

AI System Name

System Version

QMS Document Version

Effective Date

0/14 elements completed

Compliance Strategy

Art. 17(1)(a)

Design Control Procedures

Art. 17(1)(b)

Testing & Validation Procedures

Art. 17(1)(c)

Technical Specifications & Standards

Art. 17(1)(d)

Data Management Systems

Art. 17(1)(e)

Risk Management Integration

Art. 17(1)(f)

Accuracy Metrics & Thresholds

Art. 17(1)(g)

Human Oversight Measures

Art. 17(1)(h)

Post-Sale Modification Procedures

Art. 17(1)(i)

Substantial Modification Triggers (Art. 3(23) / Art. 43(4) / Art. 83)

Acknowledge each trigger your post-sale procedures monitor. Any trigger that fires mandates an Art. 43(4) conformity re-assessment before continued placement on the market — and, for GPAI models, an Art. 83 obligations review.

Training data refresh (new corpus, new collection period, or substantial re-balancing)Change of intended purpose (new use case, new user population, new sectoral context)Change of input modality (e.g. text-only → multimodal; structured → unstructured)Change of model architecture (different base model, different head, fine-tune type)Additional compute exceeding ~1/3 of original training compute (Commission GPAI guidance, July 2025)Safety- or fundamental-rights-relevant change identified by Art. 9 risk reviewChange of evaluation method or benchmark suite that affects reported Art. 15 metrics

0/7 triggers acknowledged in your post-sale procedures.

Document Management System

Art. 17(1)(j)

AI Literacy Programme (Art. 4)

Art. 4

Resource Management (HR + Budget)

Art. 17(1)(k)

Accountability Framework

Art. 17(1)(l)

QMS Monitoring & Review

Art. 17(2)

Cross-Cutting: Art. 18 — Documentation Retention

Art. 18

Document inside the QMS body how the 10-year retention duty (running from market placement or putting into service) is operationalised — storage, access controls, succession, and the Art. 18(3) duty to keep records available even after the provider ceases activity.

Cross-Cutting: Art. 21 — Cooperation with National Competent Authorities

Art. 21

Document inside the QMS body the cooperation procedure: named point of contact, response-time SLA on reasoned request, list of artefacts that can be supplied, language(s) of delivery, and confidentiality handling (Art. 78).

Export blocked. 7 required fields missing: AI system name, Art. 4 AI literacy programme (element 11), Risk management integration (element 6), +4 more

Complete the required QMS fields above to enable evidence export.

Important Legal Disclaimer

This tool is a self-assessment aid only and does not constitute legal advice, a formally certified compliance assessment, or an independently audited report.

Outputs — including reports, scores, checklists, and generated documents — are for internal use and should be reviewed by a qualified legal representative or independent AI compliance auditor before being relied upon for regulatory, procurement, or public-disclosure purposes.

This tool does not replace a notified body conformity assessment where one is required under Art. 43(1) of the EU AI Act (e.g. biometric identification systems for law enforcement).

All assessment risk lies with the user. AIAuditRef, its developers, and staff accept no liability for losses arising from use of or reliance on these outputs. Always verify against official sources: the EU AI Act (Regulation 2024/1689) and your national enforcement authority.