AI Regulatory Intelligence, by YRproject

Guide

Setting up and maintaining the risk management system (Article 9)

Adopted 2026-06-22 · ≈ 2 min read · Dirk Baaijen

Article 9 of the AI Act requires providers of high-risk AI to run a continuous risk management system: identify, estimate, mitigate and keep monitoring risks throughout the system's lifetime. It is an iterative process, not a one-off analysis, and sits at the heart of the compliance regime.

Short answer: Article 9 of the AI Act requires providers of high-risk AI to establish and maintain a risk management system. It revolves around a continuous cycle: identify, estimate and mitigate foreseeable risks to health, safety and fundamental rights with appropriate measures, and keep monitoring how they perform. It is not a one-off report but a process that runs for the system's whole lifetime.

A continuous process, not a snapshot

Article 9 explicitly describes the risk management system as a continuous, iterative process that runs across the system's entire lifecycle. A risk assessment you do once and then file away does not suffice. With every change to the system, the data or the use, you must run the cycle again. Findings from post-market monitoring feed back into the system.

The steps of Article 9

The regulation prescribes a recognisable cycle:

  • Identify and analyse the known and reasonably foreseeable risks the system can pose under intended use.
  • Estimate and evaluate risks that may arise under intended use and under reasonably foreseeable misuse.
  • Evaluate risks that emerge from post-market monitoring.
  • Adopt appropriate measures to manage those risks.

Measures must be chosen so that the residual risk of each hazard, and the overall residual risk, is judged acceptable.

Residual risk and the order of measures

Not every risk can be fully removed. Article 9 calls for a fixed order: first design out or reduce risks in the design itself, then add protective measures for risks that remain, and finally provide information and training for deployers. The remaining residual risk must be assessed and communicated explicitly, not accepted tacitly.

Attention to vulnerable groups

Article 9 calls for particular attention to systems that may impact vulnerable groups, including children. When estimating risks you must consider whether a system could unintentionally harm certain groups. That connects risk management to the broader fundamental-rights consideration in the AI governance framework.

Relation to documentation and assessment

The risk management system does not stand alone. Its outcomes belong in the technical documentation (Annex IV) and form part of the conformity assessment. See also the high-risk obligations overview.

What to do

  • Set up a fixed cycle with clear owners and recurring review moments.
  • Document each step: identification, estimation, measure and residual risk.
  • Apply the order of measures: design first, then protection, then information.
  • Feed monitoring back: let real-world signals adjust the risk assessment.
  • Assess residual risk explicitly and record why it is acceptable.

A risk management system that does not move with the system is compliant on paper and empty in practice.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act), Article 9: mandatory risk management system for high-risk systems, continuous over the whole lifetime.
  2. https://artificialintelligenceact.eu/article/9/
    Article 9 AI Act: steps for identifying, estimating and mitigating risks and managing residual risks.
