In order to facilitate the work of the Commission and the Member States in the artificial intelligence field as well as to increase the transparency towards the public, providers of high-risk AI systems other than those related to products falling within the scope of relevant existing Union harmonisation legislation, as well as providers who consider that an AI system referred to in Annex III is by derogation not high-risk, should be required to register themselves and information about their AI system in a EU database, to be established and managed by the Commission. Before using a high-risk AI system listed in Annex III, deployers of high-risk AI systems that are public authorities, agencies or bodies, shall register themselves in such database and select the system that they envisage to use.. Other deployers should be entitled to do so voluntarily. This section of the database should be publicly accessible, free of charge, the information should be easily navigatable, understandable and machine-readable. The database should also be user-friendly, for example by providing search functionalities, including through keywords, allowing the general public to find relevant information included in Annex VIII and on the areas of risk under Annex III to which the high-risk AI systems correspond. Any substantial modification of high-risk AI systems should also be registered in the EU database. For high risk AI systems in the area of law enforcement, migration, asylum and border control management, the registration obligations should be fulfilled in a secure non-public section of the database. Access to the secure non-public section should be strictly limited to the Commission as well as to market surveillance authorities with regard to their national section of that database. High risk AI systems in the area of critical infrastructure should only be registered at national level. The Commission should be the controller of the EU database, in accordance with Regulation (EU) 2018/1725 of the European Parliament and of the Council. In order to ensure the full functionality of the database, when deployed, the procedure for setting the database should include the elaboration of functional specifications by the Commission and an independent audit report. The Commission should take into account cybersecurity and hazard-related risks when carrying out its tasks as data controller on the EU database. In order to maximise the availability and use of the database by the public, the database, including the information made available through it, should comply with requirements under the Directive 2019/882.
 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1).