Quality Management System – Art. 17
Requirement
Providers of high-risk AI systems must implement and maintain a documented QMS.
QMS Components (Art. 17(1))
The QMS must cover:
- Strategy for compliance with regulatory requirements
- Conformity assessment procedures (design, testing, validation)
- Technical specifications and standards
- Data management (collection, analysis, labelling, storage, filtering, aggregation, retention)
- Risk management (Art. 9)
- Post-market monitoring (Art. 72)
- Incident/vulnerability reporting (Art. 73)
- Communication with authorities, deployers and other stakeholders
- Change management — procedures and measures for system changes
- Training and support programmes for personnel
BAUER GROUP Implementation
The AI Act QMS is implemented as an extension of the existing CRA QMS, not as a separate system.
| CRA QMS Element | AI Act Supplement |
|---|---|
| Conformity assessment | + AI-specific assessment criteria |
| Technical documentation | + Annex IV content |
| Vulnerability management | + AI-specific vulnerabilities (bias, adversarial) |
| Incident response | + AI incident reporting to market surveillance |
| Change management | + Model versioning, retraining protocols |
| Training | + AI literacy (Art. 4) |
Core Principle
One QMS, two regulations. No separate paper tiger for the AI Act. The CRA QMS structure is extended with the AI-specific elements.