Article 9

Article 9 — Risk Management System

1. A risk management system shall be established, implemented, documented and maintained in relation to high-risk AI systems.

2. The risk management system shall be understood as a continuous iterative process run throughout the entire lifecycle of a high-risk AI system, requiring regular systematic updating. It shall comprise the following steps:
(a) identification and analysis of the known and reasonably foreseeable risks that the high-risk AI system can pose to health, safety or fundamental rights;
(b) estimation and evaluation of the risks that may emerge when the high-risk AI system is used in accordance with its intended purpose and under conditions of reasonably foreseeable misuse;
(c) evaluation of other possibly arising risks based on the analysis of data gathered from the post-market monitoring system;
(d) adoption of appropriate and targeted risk management measures.

3. The risk management measures referred to in paragraph 2(d) shall give due consideration to the effects and possible interactions resulting from the combined application of the requirements set out in Articles 10 to 15. They shall take into account the generally acknowledged state of the art, including as reflected in relevant harmonised standards or common specifications.

4. The risk management measures referred to in paragraph 2(d) shall be such that the residual risk associated with each hazard as well as the overall residual risk of the high-risk AI systems is judged to be acceptable.

5. Testing of high-risk AI systems shall be performed to identify the most appropriate and targeted risk management measures. Testing shall ensure that high-risk AI systems perform consistently for their intended purpose and are in compliance with the requirements set out in this Section.