AI Act Obligations for Notified Bodies
A complete, article-by-article reference for AI Act notified bodies — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 39 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.
Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.
Regulation (EU) 2024/1689 — CELEX 32024R1689
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.
Who is a notified body?
A notified body is a conformity assessment body that has been officially designated and notified to the European Commission by a Member State as competent to carry out third-party conformity assessment tasks under a specific Union harmonisation regulation or directive, including the AI Act and other relevant Union harmonisation legislation.
39 obligation paragraphs in the AI Act are addressed to the Notified Body role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.
Jump to an article
- Article 11 - Technical documentation
- Article 29 - Application of a conformity assessment body for notification
- Article 31 - Requirements relating to notified bodies
- Article 32 - Presumption of conformity with requirements relating to notified bodies
- Article 33 - Subsidiaries of notified bodies and subcontracting
- Article 34 - Operational obligations of notified bodies
- Article 36 - Changes to notifications
- Article 38 - Coordination of notified bodies
- Article 39 - Conformity assessment bodies of third countries
- Article 43 - Conformity assessment
- Article 44 - Certificates
- Article 45 - Information obligations of notified bodies
- Article 48 - CE marking
- Article 62 - Measures for providers and deployers, in particular SMEs, including start-ups
- Frequently asked questions
Article 11 - Technical documentation
Art. 11(1). Providers of high-risk AI systems must prepare and maintain technical documentation before placing the system on the market or putting it into service, demonstrating compliance with Section requirements and enabling assessment by competent authorities and notified bodies. SMEs and start-ups may use a simplified Commission-established form for this documentation, which notified bodies must accept for conformity assessment purposes.
chevron_rightSource text
Source text: “The technical documentation of a high-risk AI system shall be drawn up before that system is placed on the market or put into service and shall be kept up-to date. The technical documentation shall be drawn up in such a way as to demonstrate that the high-risk AI system complies with the requirements set out in this Section and to provide national competent authorities and notified bodies with the necessary information in a clear and comprehensive form to assess the compliance of the AI system with those requirements. It shall contain, at a minimum, the elements set out in Annex IV. SMEs, including start-ups, may provide the elements of the technical documentation specified in Annex IV in a simplified manner. To that end, the Commission shall establish a simplified technical documentation form targeted at the needs of small and microenterprises. Where an SME, including a start-up, opts to provide the information required in Annex IV in a simplified manner, it shall use the form referred to in this paragraph. Notified bodies shall accept the form for the purposes of the conformity assessment.”
In practice: Establish a documentation management process that maps each Annex IV element to your AI system's design artefacts; if you are an SME, monitor the Commission's publication of the simplified form and adopt it as your standard template to reduce administrative burden while remaining audit-ready.
Annex IV — technical documentation (quoted verbatim from the graph)
Technical documentation for a high-risk AI system must contain at minimum:
The technical documentation referred to in Article 11(1) shall contain at least the following information, as applicable to the relevant AI system:
1. A general description of the AI system including:
- (a) its intended purpose, the name of the provider and the version of the system reflecting its relation to previous versions;
- (b) how the AI system interacts with, or can be used to interact with, hardware or software, including with other AI systems, that are not part of the AI system itself, where applicable;
- (c) the versions of relevant software or firmware, and any requirements related to version updates;
- (d) the description of all the forms in which the AI system is placed on the market or put into service, such as software packages embedded into hardware, downloads, or APIs;
- (e) the description of the hardware on which the AI system is intended to run;
- (f) where the AI system is a component of products, photographs or illustrations showing external features, the marking and internal layout of those products;
- (g) a basic description of the user-interface provided to the deployer;
- (h) instructions for use for the deployer, and a basic description of the user-interface provided to the deployer, where applicable;
2. A detailed description of the elements of the AI system and of the process for its development, including:
- (a) the methods and steps performed for the development of the AI system, including, where relevant, recourse to pre-trained systems or tools provided by third parties and how those were used, integrated or modified by the provider;
- (b) the design specifications of the system, namely the general logic of the AI system and of the algorithms; the key design choices including the rationale and assumptions made, including with regard to persons or groups of persons in respect of who, the system is intended to be used; the main classification choices; what the system is designed to optimise for, and the relevance of the different parameters; the description of the expected output and output quality of the system; the decisions about any possible trade-off made regarding the technical solutions adopted to comply with the requirements set out in Chapter III, Section 2;
- (c) the description of the system architecture explaining how software components build on or feed into each other and integrate into the overall processing; the computational resources used to develop, train, test and validate the AI system;
- (d) where relevant, the data requirements in terms of datasheets describing the training methodologies and techniques and the training data sets used, including a general description of these data sets, information about their provenance, scope and main characteristics; how the data was obtained and selected; labelling procedures (e.g. for supervised learning), data cleaning methodologies (e.g. outliers detection);
- (e) assessment of the human oversight measures needed in accordance with Article 14, including an assessment of the technical measures needed to facilitate the interpretation of the outputs of AI systems by the deployers, in accordance with Article 13(3), point (d);
- (f) where applicable, a detailed description of pre-determined changes to the AI system and its performance, together with all the relevant information related to the technical solutions adopted to ensure continuous compliance of the AI system with the relevant requirements set out in Chapter III, Section 2;
- (g) the validation and testing procedures used, including information about the validation and testing data used and their main characteristics; metrics used to measure accuracy, robustness and compliance with other relevant requirements set out in Chapter III, Section 2, as well as potentially discriminatory impacts; test logs and all test reports dated and signed by the responsible persons, including with regard to pre-determined changes as referred to under point (f);
- (h) cybersecurity measures put in place;
3. Detailed information about the monitoring, functioning and control of the AI system, in particular with regard to: its capabilities and limitations in performance, including the degrees of accuracy for specific persons or groups of persons on which the system is intended to be used and the overall expected level of accuracy in relation to its intended purpose; the foreseeable unintended outcomes and sources of risks to health and safety, fundamental rights and discrimination in view of the intended purpose of the AI system; the human oversight measures needed in accordance with Article 14, including the technical measures put in place to facilitate the interpretation of the outputs of AI systems by the deployers; specifications on input data, as appropriate;
4. A description of the appropriateness of the performance metrics for the specific AI system;
5. A detailed description of the risk management system in accordance with Article 9;
6. A description of relevant changes made by the provider to the system through its lifecycle;
7. A list of the harmonised standards applied in full or in part the references of which have been published in the Official Journal of the European Union; where no such harmonised standards have been applied, a detailed description of the solutions adopted to meet the requirements set out in Chapter III, Section 2, including a list of other relevant standards and technical specifications applied;
8. A copy of the EU declaration of conformity referred to in Article 47;
9. A detailed description of the system in place to evaluate the AI system performance in the post-market phase in accordance with Article 72, including the post-market monitoring plan referred to in Article 72(3).
Article 29 - Application of a conformity assessment body for notification
Art. 29(1). (effective 2 August 2025) Conformity assessment bodies must formally apply for notification to the notifying authority of the Member State where they are established before they can act as notified bodies under the AI Act.
chevron_rightSource text
Source text: “Conformity assessment bodies shall submit an application for notification to the notifying authority of the Member State in which they are established.”
In practice: Conformity assessment bodies should identify the relevant national notifying authority in their Member State and prepare a complete notification application package before seeking designation under the AI Act.
Art. 29(2). (effective 2 August 2025) The notification application must include a description of the conformity assessment activities and AI system types covered, an accreditation certificate where available, and any existing designation documents under other Union harmonisation legislation.
chevron_rightSource text
Source text: “The application for notification shall be accompanied by a description of the conformity assessment activities, the conformity assessment module or modules and the types of AI systems for which the conformity assessment body claims to be competent, as well as by an accreditation certificate, where one exists, issued by a national accreditation body attesting that the conformity assessment body fulfils the requirements laid down in Article 31. Any valid document related to existing designations of the applicant notified body under any other Union harmonisation legislation shall be added.”
In practice: Prepare a comprehensive application package that includes the accreditation certificate from the national accreditation body, a detailed description of the conformity assessment modules and AI system types, and copies of any existing notified body designations under other EU harmonisation laws.
Art. 29(3). (effective 2 August 2025) Where a conformity assessment body cannot provide an accreditation certificate, it must instead provide the notifying authority with all documentary evidence needed to verify, recognise, and regularly monitor its compliance with Article 31 requirements.
chevron_rightSource text
Source text: “Where the conformity assessment body concerned cannot provide an accreditation certificate, it shall provide the notifying authority with all the documentary evidence necessary for the verification, recognition and regular monitoring of its compliance with the requirements laid down in Article 31.”
In practice: If your organisation lacks an accreditation certificate, compile a comprehensive dossier of documentary evidence demonstrating compliance with Article 31 requirements, including internal audits, competence records, independence declarations, and quality management documentation, to support the notifying authority's verification and ongoing monitoring.
Art. 29(4). (effective 2 August 2025) Notified bodies already designated under other EU harmonisation legislation may use those existing documents and certificates to support their designation under the AI Act, and must keep their documentation updated whenever relevant changes occur to enable ongoing compliance monitoring.
chevron_rightSource text
Source text: “For notified bodies which are designated under any other Union harmonisation legislation, all documents and certificates linked to those designations may be used to support their designation procedure under this Regulation, as appropriate. The notified body shall update the documentation referred to in paragraphs 2 and 3 of this Article whenever relevant changes occur, in order to enable the authority responsible for notified bodies to monitor and verify continuous compliance with all the requirements laid down in Article 31.”
In practice: Notified bodies with existing designations under other EU harmonisation laws should map their current documentation to AI Act requirements and establish a change management process to trigger documentation updates whenever relevant changes occur, ensuring the notifying authority can continuously verify compliance with Article 31.
Article 31 - Requirements relating to notified bodies
Art. 31(1). (effective 2 August 2025) A notified body must be established under the national law of a Member State and must have legal personality, meaning it is a formally recognised legal entity capable of rights and obligations.
chevron_rightSource text
Source text: “A notified body shall be established under the national law of a Member State and shall have legal personality.”
In practice: Verify that any candidate notified body is formally incorporated or established under the relevant Member State's national law and holds recognised legal personality before applying for notification status.
Art. 31(2). (effective 2 August 2025) Notified bodies must meet organisational, quality management, resource, and process requirements necessary for their tasks, and must also satisfy suitable cybersecurity requirements.
chevron_rightSource text
Source text: “Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are necessary to fulfil their tasks, as well as suitable cybersecurity requirements.”
In practice: Notified bodies should implement a documented quality management system, ensure adequate staffing and technical resources, and establish cybersecurity controls (e.g., access controls, secure data handling) appropriate to their conformity assessment activities.
Art. 31(3). (effective 2 August 2025) The organisational structure, allocation of responsibilities, reporting lines, and operations of notified bodies must be designed to ensure confidence in their performance and in the results of their conformity assessment activities.
chevron_rightSource text
Source text: “The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall ensure confidence in their performance, and in the results of the conformity assessment activities that the notified bodies conduct.”
In practice: Notified bodies should document their internal governance structure, clearly define roles and responsibilities, establish transparent reporting lines, and conduct regular internal audits to demonstrate organisational integrity and impartiality.
Art. 31(4). (effective 2 August 2025) Notified bodies must be independent of the providers and other operators with economic interests in the high-risk AI systems they assess, though they may use such systems for their own operations or personal purposes.
chevron_rightSource text
Source text: “Notified bodies shall be independent of the provider of a high-risk AI system in relation to which they perform conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic interest in high-risk AI systems assessed, as well as of any competitors of the provider. This shall not preclude the use of assessed high-risk AI systems that are necessary for the operations of the conformity assessment body, or the use of such high-risk AI systems for personal purposes.”
In practice: Notified bodies should implement conflict-of-interest policies, conduct regular independence checks, and maintain documented procedures to identify and manage any financial or commercial relationships with providers or competitors of assessed AI systems.
Art. 31(6). (effective 2 August 2025) Notified bodies must be organised and operated in a way that guarantees their independence, objectivity, and impartiality, and must document and implement procedures to uphold these principles across their organisation, personnel, and assessment activities.
chevron_rightSource text
Source text: “Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities.”
In practice: Notified bodies should establish a formal impartiality policy, conduct regular internal reviews to detect conflicts of interest, and maintain documented organisational charts showing separation between commercial and assessment functions.
Art. 31(7). (effective 2 August 2025) Notified bodies must have documented procedures ensuring that all personnel, subsidiaries, subcontractors, and associated bodies maintain confidentiality of information obtained during conformity assessment activities, with staff bound by professional secrecy except in relation to notifying authorities.
chevron_rightSource text
Source text: “Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries, subcontractors and any associated body or personnel of external bodies maintain, in accordance with Article 78, the confidentiality of the information which comes into their possession during the performance of conformity assessment activities, except when its disclosure is required by law. The staff of notified bodies shall be bound to observe professional secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the notifying authorities of the Member State in which their activities are carried out.”
In practice: Implement confidentiality agreements for all staff, subcontractors, and associated bodies; establish a clear policy referencing Article 78 obligations; and create a register of personnel with access to sensitive conformity assessment information.
Art. 31(8). (effective 2 August 2025) Notified bodies must have procedures that take into account the size of the provider, the sector it operates in, its structure, and the complexity of the AI system when performing conformity assessment activities.
chevron_rightSource text
Source text: “Notified bodies shall have procedures for the performance of activities which take due account of the size of a provider, the sector in which it operates, its structure, and the degree of complexity of the AI system concerned.”
In practice: Develop tiered assessment procedures that scale with provider size and AI system complexity; document how these factors are considered in each assessment; consider creating specific checklists for SMEs versus large enterprises.
Art. 31(9). (effective 2 August 2025) Notified bodies must take out appropriate liability insurance for their conformity assessment activities, unless the Member State in which they are established assumes liability under national law or is itself directly responsible for the conformity assessment.
chevron_rightSource text
Source text: “Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability is assumed by the Member State in which they are established in accordance with national law or that Member State is itself directly responsible for the conformity assessment.”
In practice: Notified bodies should obtain and maintain professional indemnity and liability insurance policies commensurate with the scope and risk of their conformity assessment activities; document the insurance coverage and review it annually.
Art. 31(10). (effective 2 August 2025) Notified bodies must be capable of carrying out all their tasks under the AI Act with the highest degree of professional integrity and the requisite competence in the specific field, whether tasks are performed by the notified body itself or on its behalf under its responsibility.
chevron_rightSource text
Source text: “Notified bodies shall be capable of carrying out all their tasks under this Regulation with the highest degree of professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified bodies themselves or on their behalf and under their responsibility.”
In practice: Notified bodies should maintain a competency framework documenting required qualifications for all assessment roles, conduct regular competency assessments of staff and subcontractors, and ensure that any tasks delegated to third parties are subject to the same integrity and competence standards.
Art. 31(11). (effective 2 August 2025) Notified bodies must have sufficient internal expertise to effectively oversee tasks delegated to external parties, and must permanently employ administrative, technical, legal, and scientific staff with relevant knowledge of AI systems, data, and data computing, as well as the high-risk AI requirements in Section 2.
chevron_rightSource text
Source text: “Notified bodies shall have sufficient internal competences to be able effectively to evaluate the tasks conducted by external parties on their behalf. The notified body shall have permanent availability of sufficient administrative, technical, legal and scientific personnel who possess experience and knowledge relating to the relevant types of AI systems, data and data computing, and relating to the requirements set out in Section 2.”
In practice: Notified bodies should conduct regular skills gap analyses to ensure their permanent staff covers all relevant AI domains (e.g., machine learning, data governance, legal frameworks). Consider establishing a competency matrix mapping staff qualifications to the types of AI systems they assess.
Art. 31(12). (effective 2 August 2025) Notified bodies are required to participate in coordination activities under Article 38 and must either directly participate in European standardisation organisations or ensure they remain aware of and up to date with relevant standards.
chevron_rightSource text
Source text: “Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part directly, or be represented in, European standardisation organisations, or ensure that they are aware and up to date in respect of relevant standards.”
In practice: Notified bodies should designate a standards liaison officer responsible for tracking relevant CEN, CENELEC, and ETSI activities on AI, and should formally register participation in Article 38 coordination groups. Maintain a standards monitoring log updated at least quarterly.
Article 32 - Presumption of conformity with requirements relating to notified bodies
Art. 32. A conformity assessment body that demonstrates compliance with relevant harmonised standards published in the Official Journal of the EU is presumed to meet the requirements for notified bodies set out in Article 31, to the extent those standards cover those requirements.
chevron_rightSource text
Source text: “Where a conformity assessment body demonstrates its conformity with the criteria laid down in the relevant harmonised standards or parts thereof, the references of which have been published in the Official Journal of the European Union, it shall be presumed to comply with the requirements set out in Article 31 in so far as the applicable harmonised standards cover those requirements.”
In practice: Conformity assessment bodies seeking notification should identify and document which harmonised standards they comply with, ensuring those standards are published in the OJEU and map directly to the Article 31 criteria. Maintain up-to-date records of standard references and coverage gaps.
Article 33 - Subsidiaries of notified bodies and subcontracting
Art. 33(1). (effective 2 August 2025) When a notified body subcontracts conformity assessment tasks or uses a subsidiary, it must verify that the subcontractor or subsidiary meets the requirements of Article 31 and must inform the notifying authority of this arrangement.
chevron_rightSource text
Source text: “Where a notified body subcontracts specific tasks connected with the conformity assessment or has recourse to a subsidiary, it shall ensure that the subcontractor or the subsidiary meets the requirements laid down in Article 31, and shall inform the notifying authority accordingly.”
In practice: Maintain a register of all subcontractors and subsidiaries involved in conformity assessment activities, document their compliance with Article 31 requirements, and establish a formal notification process to the notifying authority whenever such arrangements are made or changed.
Art. 33(2). (effective 2 August 2025) Notified bodies bear full and undivided responsibility for all conformity assessment tasks performed by their subcontractors or subsidiaries, regardless of the delegation arrangement.
chevron_rightSource text
Source text: “Notified bodies shall take full responsibility for the tasks performed by any subcontractors or subsidiaries.”
In practice: Implement robust oversight mechanisms and contractual accountability clauses with all subcontractors and subsidiaries to ensure the notified body can demonstrate full responsibility for all delegated conformity assessment work.
Art. 33(3). (effective 2 August 2025) Conformity assessment activities may only be subcontracted or carried out by a subsidiary with the provider's agreement, and notified bodies must make a publicly available list of their subsidiaries.
chevron_rightSource text
Source text: “Activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider. Notified bodies shall make a list of their subsidiaries publicly available.”
In practice: Establish a formal consent process with providers before subcontracting any conformity assessment activities, and publish and regularly update a list of subsidiaries on the notified body's public website to ensure transparency.
Art. 33(4). (effective 2 August 2025) Documents relating to the assessment of subcontractor or subsidiary qualifications and the work they performed must be kept available to the notifying authority for five years after the subcontracting relationship ends.
chevron_rightSource text
Source text: “The relevant documents concerning the assessment of the qualifications of the subcontractor or the subsidiary and the work carried out by them under this Regulation shall be kept at the disposal of the notifying authority for a period of five years from the termination date of the subcontracting.”
In practice: Implement a document retention policy that ensures all qualification assessment records and work documentation for subcontractors and subsidiaries are securely stored and accessible to the notifying authority for at least five years from the termination date of each subcontracting arrangement.
Article 34 - Operational obligations of notified bodies
Art. 34(1). Notified bodies are required to verify that high-risk AI systems comply with applicable requirements by following the conformity assessment procedures specified in Article 43 of the AI Act.
chevron_rightSource text
Source text: “Notified bodies shall verify the conformity of high-risk AI systems in accordance with the conformity assessment procedures set out in Article 43.”
In practice: Ensure that your high-risk AI system undergoes the correct conformity assessment procedure as defined in Article 43 before market placement; engage an accredited notified body early in the development lifecycle to avoid delays.
Art. 34(2). Notified bodies must avoid placing unnecessary burdens on providers, especially micro- and small enterprises, while still maintaining the required level of rigour and protection when assessing high-risk AI systems.
chevron_rightSource text
Source text: “Notified bodies shall avoid unnecessary burdens for providers when performing their activities, and take due account of the size of the provider, the sector in which it operates, its structure and the degree of complexity of the high-risk AI system concerned, in particular in view of minimising administrative burdens and compliance costs for micro- and small enterprises within the meaning of Recommendation 2003/361/EC. The notified body shall, nevertheless, respect the degree of rigour and the level of protection required for the compliance of the high-risk AI system with the requirements of this Regulation.”
In practice: SMEs and micro-enterprises should document their size and sector context when engaging notified bodies, as this information can be used to tailor the assessment process and reduce administrative overhead without compromising compliance standards.
Art. 34(3). Notified bodies must make available and submit upon request all relevant documentation, including providers' documentation, to the notifying authority to enable that authority to conduct its assessment, designation, notification, and monitoring activities.
chevron_rightSource text
Source text: “Notified bodies shall make available and submit upon request all relevant documentation, including the providers’ documentation, to the notifying authority referred to in Article 28 to allow that authority to conduct its assessment, designation, notification and monitoring activities, and to facilitate the assessment outlined in this Section.”
In practice: Notified bodies should maintain a well-organised, up-to-date documentation repository for each assessed AI system so that it can be promptly provided to the notifying authority upon request, ensuring smooth oversight and monitoring activities.
Article 36 - Changes to notifications
Art. 36(3). (effective 2 August 2025) When a notified body ceases its conformity assessment activities, it must notify the notifying authority and affected providers as soon as possible (at least one year in advance for planned cessations), and its certificates may remain valid for nine months if another notified body assumes responsibility and completes a full assessment within that period.
chevron_rightSource text
Source text: “Where a notified body decides to cease its conformity assessment activities, it shall inform the notifying authority and the providers concerned as soon as possible and, in the case of a planned cessation, at least one year before ceasing its activities. The certificates of the notified body may remain valid for a period of nine months after cessation of the notified body’s activities, on condition that another notified body has confirmed in writing that it will assume responsibilities for the high-risk AI systems covered by those certificates. The latter notified body shall complete a full assessment of the high-risk AI systems affected by the end of that nine-month-period before issuing new certificates for those systems. Where the notified body has ceased its activity, the notifying authority shall withdraw the designation.”
In practice: Notified bodies should maintain a succession plan identifying potential successor bodies; providers should monitor their notified body's status and proactively seek reassignment of certificates if cessation is announced.
Art. 36(5). (effective 2 August 2025) When a notified body's designation is suspended, restricted, or fully or partially withdrawn, it must inform all affected providers within 10 days.
chevron_rightSource text
Source text: “Where its designation has been suspended, restricted, or fully or partially withdrawn, the notified body shall inform the providers concerned within 10 days.”
In practice: Notified bodies should maintain an up-to-date register of all providers for whom they have issued certificates, enabling rapid notification within the 10-day deadline if their designation status changes.
Art. 36(9). When a notified body's designation is withdrawn, certificates (excluding unduly issued ones) remain valid for nine months if the national competent authority confirms no risk to health, safety, or fundamental rights and another notified body confirms it will assume responsibility and complete its assessment within 12 months; the validity may be extended by three-month periods up to a maximum of 12 months total.
chevron_rightSource text
Source text: “With the exception of certificates unduly issued, and where a designation has been withdrawn, the certificates shall remain valid for a period of nine months under the following circumstances: In the circumstances referred to in the first subparagraph, the national competent authority of the Member State in which the provider of the system covered by the certificate has its place of business may extend the provisional validity of the certificates for additional periods of three months, which shall not exceed 12 months in total. The national competent authority or the notified body assuming the functions of the notified body affected by the change of designation shall immediately inform the Commission, the other Member States and the other notified bodies thereof.”
In practice: Maintain a registry of all active certificates linked to each notified body so that upon withdrawal, the national competent authority can immediately assess validity conditions; pre-identify candidate replacement notified bodies and establish written assumption-of-responsibility agreements to avoid gaps in certificate coverage.
Article 38 - Coordination of notified bodies
Art. 38(2). (effective 2 August 2025) Each notifying authority is obligated to ensure that the notified bodies it has designated participate in the sectoral coordination group established under Article 38(1), either directly or through designated representatives. This ensures all notified bodies contribute to harmonised conformity assessment practices.
chevron_rightSource text
Source text: “Each notifying authority shall ensure that the bodies notified by it participate in the work of a group referred to in paragraph 1, directly or through designated representatives.”
In practice: Notifying authorities should establish formal mechanisms (e.g., mandates or standing instructions) requiring notified bodies under their jurisdiction to actively participate in the sectoral group, and should monitor attendance and contribution to group activities.
Article 39 - Conformity assessment bodies of third countries
Art. 39. Conformity assessment bodies established in third countries with which the EU has concluded an agreement may be authorised to act as notified bodies under the AI Act, provided they meet the requirements of Article 31 or demonstrate an equivalent level of compliance. This facilitates mutual recognition of conformity assessments across borders.
chevron_rightSource text
Source text: “Conformity assessment bodies established under the law of a third country with which the Union has concluded an agreement may be authorised to carry out the activities of notified bodies under this Regulation, provided that they meet the requirements laid down in Article 31 or they ensure an equivalent level of compliance.”
In practice: Providers seeking conformity assessment from a third-country body should verify that the relevant EU-third country agreement is in force and that the body has been formally authorised under this provision. Document the authorisation status and equivalence determination before relying on the body's assessment for CE marking purposes.
Article 43 - Conformity assessment
Art. 43(3). High-risk AI systems covered by Union harmonisation legislation in Annex I Section A must follow the conformity assessment procedure of that legislation, with the AI Act's Section 2 requirements integrated into that assessment. Notified bodies under those acts may assess AI Act compliance if they meet Article 31 requirements, and manufacturers may only opt out of third-party assessment if they have applied all relevant harmonised standards including those covering AI Act Section 2 requirements.
chevron_rightSource text
Source text: “For high-risk AI systems covered by the Union harmonisation legislation listed in Section A of Annex I, the provider shall follow the relevant conformity assessment procedure as required under those legal acts. The requirements set out in Section 2 of this Chapter shall apply to those high-risk AI systems and shall be part of that assessment. Points 4.3., 4.4., 4.5. and the fifth paragraph of point 4.6 of Annex VII shall also apply. For the purposes of that assessment, notified bodies which have been notified under those legal acts shall be entitled to control the conformity of the high-risk AI systems with the requirements set out in Section 2, provided that the compliance of those notified bodies with requirements laid down in Article 31(4), (5), (10) and (11) has been assessed in the context of the notification procedure under those legal acts. Where a legal act listed in Section A of Annex I enables the product manufacturer to opt out from a third-party conformity assessment, provided that that manufacturer has applied all harmonised standards covering all the relevant requirements, that manufacturer may use that option only if it has also applied harmonised standards or, where applicable, common specifications referred to in Article 41, covering all requirements set out in Section 2 of this Chapter.”
In practice: If your AI system is a safety component of a product regulated under Annex I Section A legislation (e.g., medical devices, machinery), integrate the AI Act's Section 2 requirements into your existing conformity assessment. Verify that your notified body has been assessed against Article 31(4), (5), (10) and (11). If opting out of third-party assessment, ensure harmonised standards covering all Section 2 AI Act requirements have been applied.
Article 44 - Certificates
Art. 44(1). Certificates issued by notified bodies under Annex VII must be written in a language that is easily understood by the relevant authorities in the Member State where the notified body is established. This ensures that national authorities can effectively review and act upon conformity certificates.
chevron_rightSource text
Source text: “Certificates issued by notified bodies in accordance with Annex VII shall be drawn-up in a language which can be easily understood by the relevant authorities in the Member State in which the notified body is established.”
In practice: Notified bodies should establish a language policy ensuring all certificates are drafted in the official language(s) of their Member State of establishment. Where a notified body operates across borders, consider providing translations or bilingual certificates to facilitate oversight by national authorities.
Art. 44(2). Conformity certificates are valid for up to five years for AI systems under Annex I and up to four years for those under Annex III, and may be extended upon provider request following re-assessment. Any supplement to a certificate remains valid only as long as the main certificate is valid.
chevron_rightSource text
Source text: “Certificates shall be valid for the period they indicate, which shall not exceed five years for AI systems covered by Annex I, and four years for AI systems covered by Annex III. At the request of the provider, the validity of a certificate may be extended for further periods, each not exceeding five years for AI systems covered by Annex I, and four years for AI systems covered by Annex III, based on a re-assessment in accordance with the applicable conformity assessment procedures. Any supplement to a certificate shall remain valid, provided that the certificate which it supplements is valid.”
In practice: Providers should track certificate expiry dates and initiate re-assessment requests well in advance of expiry. Maintain a register of all certificates and their supplements, ensuring that supplements are automatically flagged for review when the parent certificate approaches expiry or is withdrawn.
Art. 44(3). If a notified body finds that an AI system no longer meets the applicable requirements, it must suspend, withdraw, or restrict the certificate unless the provider takes appropriate corrective action within a deadline set by the notified body, and must give reasons for its decision. An appeal procedure against notified body decisions must be available.
chevron_rightSource text
Source text: “Where a notified body finds that an AI system no longer meets the requirements set out in Section 2, it shall, taking account of the principle of proportionality, suspend or withdraw the certificate issued or impose restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider of the system within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision. An appeal procedure against decisions of the notified bodies, including on conformity certificates issued, shall be available.”
In practice: Providers should establish internal processes to respond promptly to notified body findings of non-compliance, including a corrective action plan with clear timelines. Notified bodies should document their decisions with detailed reasoning and ensure that an accessible, transparent appeal mechanism is in place and communicated to providers.
Article 45 - Information obligations of notified bodies
Art. 45(1). (effective 2 August 2025) Notified bodies must inform the notifying authority about certificates, quality management system approvals, and any changes to their scope or conditions of notification issued under Annex VII. This includes both positive issuances and any refusals, restrictions, suspensions, or withdrawals.
chevron_rightSource text
Source text: “Notified bodies shall inform the notifying authority of the following:”
In practice: Establish an internal tracking system for all certificates and QMS approvals issued or refused, with automated alerts to trigger notifications to the notifying authority whenever a certificate status changes or scope conditions are affected.
Art. 45(2). (effective 2 August 2025) Each notified body must inform other notified bodies about quality management system approvals it has refused, suspended, or withdrawn, and upon request, those it has issued; the same applies to Union technical documentation assessment certificates. This ensures mutual awareness among notified bodies to prevent forum shopping.
chevron_rightSource text
Source text: “Each notified body shall inform the other notified bodies of:”
In practice: Implement a shared information protocol or use the Commission's electronic notification tool to systematically share certificate and QMS approval decisions with peer notified bodies, ensuring timely responses to information requests.
Art. 45(3). (effective 2 August 2025) Each notified body must share relevant information about negative conformity assessment results with other notified bodies that carry out similar assessments for the same types of AI systems, and must share positive results upon request. This promotes consistency and prevents divergent assessment outcomes.
chevron_rightSource text
Source text: “Each notified body shall provide the other notified bodies carrying out similar conformity assessment activities covering the same types of AI systems with relevant information on issues relating to negative and, on request, positive conformity assessment results.”
In practice: Create a structured process for documenting and categorising conformity assessment outcomes by AI system type, and establish a secure channel for sharing negative results proactively and positive results on request with peer notified bodies covering the same AI system categories.
Art. 45(4). (effective 2 August 2025) Notified bodies are required to maintain the confidentiality of all information they obtain in the course of their activities, in accordance with Article 78 of the AI Act. This protects sensitive business information, trade secrets, and other confidential data shared during conformity assessments.
chevron_rightSource text
Source text: “Notified bodies shall safeguard the confidentiality of the information that they obtain, in accordance with Article 78.”
In practice: Implement a confidentiality policy for all staff and subcontractors of the notified body, including NDAs, data classification procedures, and secure handling protocols for all information received during conformity assessment activities, aligned with Article 78 requirements.
Article 48 - CE marking
Art. 48(4). Where a notified body is involved in the conformity assessment, its identification number must follow the CE marking and be included in any promotional material claiming CE marking compliance; the number is affixed by the notified body itself or under its instructions.
chevron_rightSource text
Source text: “Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the provider or by the provider’s authorised representative. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking.”
In practice: After obtaining a notified body certificate, ensure the notified body's identification number is placed immediately after the CE marking on the product, packaging, and documentation, and is also included in all marketing materials referencing CE compliance.
Article 62 - Measures for providers and deployers, in particular SMEs, including start-ups
Art. 62(2). When setting fees for conformity assessment under Article 43, the specific interests and needs of SME providers and start-ups must be taken into account by reducing fees proportionately to their size and market size.
chevron_rightSource text
Source text: “The specific interests and needs of the SME providers, including start-ups, shall be taken into account when setting the fees for conformity assessment under Article 43, reducing those fees proportionately to their size, market size and other relevant indicators.”
In practice: Notified bodies and competent authorities should establish a tiered fee schedule for conformity assessments that explicitly accounts for SME status, using criteria such as number of employees, annual turnover, and market reach to determine proportionate reductions.
Related
This page covers the AI Act obligations of an oversight/governance role. If you build or supply AI systems, see the actor pages for providers and deployers — where the AI Act's requirements map onto the GDPR control modules RuleMesh delivers.
Frequently asked questions
Who is a notified body under the EU AI Act?
A notified body is a conformity assessment body that has been officially designated and notified to the European Commission by a Member State as competent to carry out third-party conformity assessment tasks under a specific Union harmonisation regulation or directive, including the AI Act and other relevant Union harmonisation legislation. (Source: AI Act definitions, CELEX 32024R1689.)
How many obligations does the AI Act place on notified bodies?
The RuleMesh knowledge graph identifies 39 obligation paragraphs addressed to the Notified Body role, across Articles 11, 29, 31, 32, 33, 34, 36, 38, 39, 43, 44, 45, 48, 62.
When do AI Act notified bodies obligations apply?
Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.
Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.