"Do we need to register this AI system?" is one of those questions you hear in almost every AI governance discussion. The tricky part is that in practice, three different things are meant by "registration." Sometimes it refers to an internal overview of all AI and algorithms within the organization. Sometimes it refers to the Dutch Algorithm Register for government organizations. And sometimes it refers to the EU database that the EU AI Act introduces. These three easily get mixed up, while the legal obligations and target audience differ per register.
In this blog, I bring the registration obligations under the EU AI Act back to basics: when is registration mandatory, what role must you have (provider or deployer), which systems fall under it (Annex III), what must you register (Annex VIII), and what do Dutch sources like the Dutch DPA and the Algorithm Register say about this.
1) The Basics: The EU AI Act Does Not Have a General Registration Obligation for "All AI"
The AI Act does not require organizations to put every AI system used somewhere in a team into an external register. The registration obligation that many people refer to is more specific: it concerns registration in an EU database for certain high-risk AI systems, especially systems classified as high-risk because they fall under Annex III.
This EU database is governed by Article 71 (the database itself and how it works) and the registration obligation is in Article 49 (who must register when). The text of the AI Act explicitly states that providers of high-risk AI systems from Annex III (with an exception) register themselves and their system in the EU database, and that public deployers also register their use. (EUR-Lex)
The practical consequence: many organizations would be wise to build an internal AI register for grip and governance, but that internal register is something different from the legal registration obligation towards a European database.
2) Provider Versus Deployer: Why the Role Division Determines Everything
The AI Act works with roles. For registration, two roles are particularly relevant:
Provider: the party that develops or has the AI system developed and places it on the market under its own name, or puts it into service for its own purposes in a way that qualifies as "putting into service" in the AI Act.
Deployer: the party that uses the system in its own process.
This distinction is sometimes sharp in practice (software supplier delivers, customer uses), but often also grey, for example with custom models, open-source components, "AI features" in SaaS, or situations where an organization builds a model itself and rolls it out internally.
For the registration obligation, however, the distinction is decisive: Article 49 places the primary registration obligation for the system with the provider, and an additional registration obligation for use with public deployers. (EUR-Lex)
3) When is Registration in the EU Database Mandatory?
The AI Act creates three main categories.
A. Providers of High-Risk Annex III Systems: Registration is Required Before Market Introduction or Putting Into Service
Article 49(1) states: before placing on the market or putting into service a high-risk AI system listed in Annex III, the provider (or authorized representative) registers itself and the system in the EU database from Article 71. An exception is immediately stated: this does not apply to high-risk AI systems from Annex III point 2. (EUR-Lex)
It is useful to translate this into a recognizable scenario. Think of a supplier offering an AI system for automatically assessing candidates in a recruitment process, or a provider of an AI tool that influences access to education or exams. If such a system falls under Annex III and is high-risk, then that registration obligation arises on the provider side.
B. Providers Finding an Annex III System "Not High-Risk" Under Article 6(3): Still Register
The AI Act has a procedure whereby a provider can conclude that a system in an Annex III context is not high-risk, based on the conditions of Article 6(3). The legislator has explicitly prevented this from remaining invisible: Article 49(2) also requires registration of provider and system in the EU database. (EUR-Lex)
This is an important mechanism because it enforces two things. First: you cannot just write down your "not high-risk" position internally and move on. Second: the data set you must register also contains the basis and a brief justification of why you believe you fall under 6(3). This is elaborated in Annex VIII, Section B. (EUR-Lex)
C. Public Deployers: Registration of Use Before Deployment
Article 49(3) requires certain deployers to register their use in the EU database. This applies to deployers that are public authorities, EU institutions, or parties acting on their behalf. Here too, it concerns high-risk AI systems from Annex III, again with the exception for Annex III point 2. (EUR-Lex)
The thought behind this is visible in the design of the database: for public deployment, not only "which system" is registered, but also information about the impact and context, precisely because government applications often directly affect citizens' rights.
4) Exceptions You Really Need to Know
There are two exceptions that are quickly missed in practice.
Annex III Point 2: Registration at National Level, Not in the EU Database
Article 49(5) states that high-risk AI systems from Annex III point 2 are registered at national level. (EUR-Lex) This does not mean there is no registration, but the channel is different. For governance and procurement, this is relevant because you cannot automatically take the EU database as the "single source of truth" for this type of system.
Law Enforcement, Migration, Asylum and Border Control: Shielded Registration
Article 49(4) regulates that for high-risk AI systems in Annex III points 1, 6 and 7 within law enforcement and migration/asylum/border control, registration takes place in a secure non-public section of the EU database, with limited access and a limited data package. (EUR-Lex)
In the same vein, you see in the AI Act that "real-time remote biometric identification" in public spaces may only be deployed if, among other things, a FRIA has been conducted and registration in the database has been arranged, with an exception route for urgent situations where registration must follow "without undue delay." (EUR-Lex)
5) What Must You Register? Annex VIII Makes It Concrete
Many organizations think of registration as "name of the system and done." Annex VIII shows that the EU database is intended as structured transparency and traceability.
Section A (providers, Article 49(1)) asks for, among other things, provider details, trade name and identification, a description of the purpose, a concise description of inputs and operating logic, status, member states where it is available, and a copy of the EU declaration of conformity and instructions for use (with exceptions for certain domains). (EUR-Lex)
Section B (providers, Article 49(2)) asks, in addition to basic data, explicitly for: which condition(s) from Article 6(3) you use to claim "not high-risk," and a brief summary of the grounds. (EUR-Lex)
Section C (public deployers, Article 49(3)) is perhaps the most interesting because it links registration to impact assessments. The deployer registers, among other things, the URL of the provider's entry and adds a summary of the Fundamental Rights Impact Assessment (FRIA) and, where relevant, a summary of a DPIA under the GDPR or under the Law Enforcement Directive. (EUR-Lex)
There is a governance signal here: registration is not intended as a separate administrative step, but as part of a demonstrably responsible implementation process.
6) The Timing: When Will This Come Into Play?
The AI Act entered into force on August 1, 2024, as the European Commission also confirms in its communication. (European Commission) For the registration obligations from Article 49 and the EU database from Article 71, a phased application applies in the AI Act. In many implementation overviews, August 2, 2026 is mentioned as the application date for these articles, as this coincides with the broader start of high-risk obligations. (artificialintelligenceact.eu)
At the same time, this is precisely the kind of part where political dynamics hang around at the end of 2025. In November 2025, it was reported in the media that the Commission is exploring or has presented proposals to delay parts of high-risk obligations towards 2027, under pressure from various parties. (Reuters) For organizations, this is a familiar tension: the formal legal text gives one date, but policy discussions can later adjust. Until an amendment is adopted, the legal text governs, and that makes 2026 still the anchor point for your preparation.
7) How Does This Relate to the Dutch Algorithm Register?
The Netherlands has its own register for public organizations: algoritmes.overheid.nl. That register is broader than the AI Act because it does not only concern AI systems in the sense of the AI Act and is not limited to Annex III high-risk. The goal is transparency towards citizens, media and organizations about the deployment of impactful algorithms.
Two points are important here.
First: the Algorithm Register explicitly states that providing information is not yet mandatory, but that an obligation is coming. (algoritmes.overheid.nl) Second: the government website Digital Government states that registration of impactful algorithms will eventually become legally mandatory, also referring to Dutch and European legislation as context. (Digitale Overheid)
For practice, this means that government organizations may soon have to deal with two tracks:
- EU database (AI Act) for the specific group of Annex III systems (plus 6(3) cases) and public use thereof. (EUR-Lex)
- Dutch Algorithm Register as a transparency instrument for impactful algorithms in a broader sense, with its own publication fields and its own objectives. (algoritmes.overheid.nl)
These registers can share information, but they are not identical in scope and purpose.
8) What Does This Mean for Organizations Outside Government?
For private organizations, the headline is often: "we don't have to register our use in the EU database, so done." That's too narrow a reading. It's true that Article 49(3) targets public deployers. (EUR-Lex) But private organizations can be providers, even unknowingly. Think of:
- a large organization that develops a model itself and rolls it out internally in multiple countries, under its own name, with its own documentation and management;
- an organization that modifies an existing model so significantly that a new system effectively emerges;
- a platform party that offers AI functionality as a product to customers.
In such cases, you can suddenly end up in a provider position, with registration obligation under Article 49(1) or 49(2) if the system is Annex III high-risk or if you make a 6(3) claim. (EUR-Lex)
Additionally, there's a second reason why "we don't have to" is rarely the endpoint in practice: you cannot execute the AI Act without internal oversight. Without inventory, you don't know which systems might hit Annex III, which suppliers you need to direct for documentation, and where FRIA or DPIA logic belongs in your process. The law may not explicitly require an internal register for everyone, but compliance management becomes virtually impossible without one.
9) A Workable Approach to Registration Without Bureaucracy
If you don't want to approach registration as a standalone project but as part of AI governance, it helps to distinguish three layers:
Layer 1: Internal Inventory (Broad) An internal overview in which you include every relevant AI or algorithmic system that can have an impact on people, business operations, or public values. This is your steering information for procurement, risk management, audits, and incident handling.
Layer 2: EU Database Registration (Narrow, Legally Hard) Only for the cases of Article 49. This requires that you already know internally whether a system is Annex III, whether you are provider or deployer, and whether an exception applies (Annex III point 2 or shielded domains). (EUR-Lex)
Layer 3: National Transparency (Public Sector) For governments, the Algorithm Register is a separate track with a broader transparency approach and a route towards obligation. (algoritmes.overheid.nl)
Once you make this distinction explicit in policies and processes, many discussions disappear. Teams then know why they register internally (governance), when external registration is required (AI Act), and when publication towards citizens is relevant (Algorithm Register).
10) What You Can Already Prepare Towards 2026
If you don't want a last-minute data collection project towards 2026, there are a few concrete preparations that immediately add value.
Start by mapping your role per system: are you deployer, provider, or in a hybrid situation. Link your supplier management directly to this, because Annex VIII shows that registration content doesn't just consist of a name, but also of purpose, basic logic, status, and conformity documents. (EUR-Lex)
For public organizations, it's smart not to treat FRIA and DPIA as separate worlds. The AI Act makes that relationship explicit: Section C asks for summaries, and Article 27 describes how FRIA can connect to what is already done in a DPIA. (EUR-Lex)
Finally: treat registration as part of "change management." A register is only useful if it moves along with updates, retraining, change of purpose, new datasets, new departments using the system, or new countries where it is deployed. This applies internally, and it applies equally to what you need to maintain in external registers, because Annex VIII also says that information must be kept up-to-date. (EUR-Lex)
Sources
- Regulation - EU - 2024/1689 - EN - EUR-Lex
- AI Act enters into force - European Commission
- Article 49: Registration | EU Artificial Intelligence Act
- EU to delay 'high risk' AI rules until 2027 after Big Tech pushback - Reuters
- Over het Algoritmeregister - algoritmes.overheid.nl
- Algoritmeregister voor de overheid Algoritmes - Digitale Overheid
AI System Registration Quiz
Test your knowledge about registration obligations under the EU AI Act and the Dutch Algorithm Register. From Article 49 to Annex III - discover where you stand.
🏛️ More about AI Governance: Check out the AI Governance & Compliance Guide for structure, audit-readiness and oversight.