arrow_backAI Act Actor Hub·Notifying authority

AI Act Obligations for Notifying Authorities

A complete, article-by-article reference for AI Act notifying authorities — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 16 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.

CELEX 32024R1689·16 obligation paragraphs·Most obligations effective 2026-08-02

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.

update

Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.

Regulation (EU) 2024/1689 — CELEX 32024R1689

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.


Who is a notifying authority?

A notifying authority is the national public authority responsible for establishing and conducting the procedures necessary to assess, designate, and formally notify conformity assessment bodies to the European Commission, and for the ongoing monitoring of those bodies to ensure continued compliance with applicable requirements.

16 obligation paragraphs in the AI Act are addressed to the Notifying Authority role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.


Jump to an article


Article 28 - Notifying authorities

Art. 28(1). (effective 2 August 2025) Each Member State must designate or establish at least one notifying authority responsible for assessing, designating, notifying, and monitoring conformity assessment bodies for AI systems. These procedures must be developed cooperatively among all Member States' notifying authorities.

chevron_rightSource text

Source text: “Each Member State shall designate or establish at least one notifying authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring. Those procedures shall be developed in cooperation between the notifying authorities of all Member States.”

In practice: Member States should establish a clear organisational structure for their notifying authority, including documented procedures for assessment, designation, notification, and monitoring of conformity assessment bodies, and actively participate in cross-border cooperation mechanisms with other Member States.

Art. 28(3). (effective 2 August 2025) Notifying authorities must be structured and operated in a way that prevents any conflict of interest with conformity assessment bodies and ensures their activities remain objective and impartial.

chevron_rightSource text

Source text: “Notifying authorities shall be established, organised and operated in such a way that no conflict of interest arises with conformity assessment bodies, and that the objectivity and impartiality of their activities are safeguarded.”

In practice: Notifying authorities should implement formal conflict-of-interest policies, including declarations of interest for staff, separation of duties, and regular audits to verify that no financial or organisational ties exist with the conformity assessment bodies they oversee.

Art. 28(4). (effective 2 August 2025) Notifying authorities must ensure that the persons who make decisions about notifying conformity assessment bodies are different from those who conducted the assessment of those bodies, ensuring separation of roles.

chevron_rightSource text

Source text: “Notifying authorities shall be organised in such a way that decisions relating to the notification of conformity assessment bodies are taken by competent persons different from those who carried out the assessment of those bodies.”

In practice: Establish clear organisational charts and role definitions within the notifying authority that formally separate the assessment team from the decision-making team, and document this separation in internal governance policies.

Art. 28(6). (effective 2 August 2025) Notifying authorities must protect the confidentiality of all information they obtain in the course of their duties, in accordance with the confidentiality provisions set out in Article 78 of the AI Act.

chevron_rightSource text

Source text: “Notifying authorities shall safeguard the confidentiality of the information that they obtain, in accordance with Article 78.”

In practice: Notifying authorities should implement internal confidentiality policies and data handling procedures aligned with Article 78, including access controls and non-disclosure agreements for staff handling sensitive conformity assessment information.

Art. 28(7). (effective 2 August 2025) Notifying authorities must have a sufficient number of qualified staff with the necessary expertise in relevant fields such as information technologies, AI, law, and fundamental rights supervision to properly carry out their tasks.

chevron_rightSource text

Source text: “Notifying authorities shall have an adequate number of competent personnel at their disposal for the proper performance of their tasks. Competent personnel shall have the necessary expertise, where applicable, for their function, in fields such as information technologies, AI and law, including the supervision of fundamental rights.”

In practice: Notifying authorities should conduct a skills gap analysis to ensure their staff have adequate expertise in AI, IT, and law including fundamental rights; consider establishing training programmes or hiring specialists in these domains to meet the staffing requirement.


Article 30 - Notification procedure

Art. 30(2). (effective 2 August 2025) Notifying authorities must use the Commission-developed electronic notification tool to inform both the Commission and all other Member States about each conformity assessment body they have approved. This ensures a centralised, transparent notification process across the EU.

chevron_rightSource text

Source text: “Notifying authorities shall notify the Commission and the other Member States, using the electronic notification tool developed and managed by the Commission, of each conformity assessment body referred to in paragraph 1.”

In practice: Notifying authorities should register and familiarise themselves with the Commission's electronic notification tool well in advance of any planned notifications. Ensure all required information is prepared before submission to avoid delays.

Art. 30(3). (effective 2 August 2025) The notification must include full details of the conformity assessment activities, modules, AI system types, and competence attestation. Where no accreditation certificate exists, the notifying authority must provide documentary evidence of the body's competence and ongoing monitoring arrangements.

chevron_rightSource text

Source text: “The notification referred to in paragraph 2 of this Article shall include full details of the conformity assessment activities, the conformity assessment module or modules, the types of AI systems concerned, and the relevant attestation of competence. Where a notification is not based on an accreditation certificate as referred to in Article 29(2), the notifying authority shall provide the Commission and the other Member States with documentary evidence which attests to the competence of the conformity assessment body and to the arrangements in place to ensure that that body will be monitored regularly and will continue to satisfy the requirements laid down in Article 31.”

In practice: Prepare a comprehensive notification dossier that includes all required details. If relying on documentary evidence rather than an accreditation certificate, ensure the evidence clearly demonstrates both current competence and the existence of regular monitoring mechanisms as required by Article 31.


Article 36 - Changes to notifications

Art. 36(1). (effective 2 August 2025) The notifying authority must inform the Commission and all other Member States of any relevant changes to a notified body's notification using the designated electronic notification tool referenced in Article 30(2).

chevron_rightSource text

Source text: “The notifying authority shall notify the Commission and the other Member States of any relevant changes to the notification of a notified body via the electronic notification tool referred to in Article 30(2).”

In practice: Establish an internal process to track and promptly communicate any changes to notified body status via the EU electronic notification tool; assign a dedicated compliance officer to manage this obligation.

Art. 36(2). (effective 2 August 2025) Extensions of a notified body's scope of notification must follow the full procedures in Articles 29 and 30, while other changes to the notification follow the lighter procedures in paragraphs 3 to 9 of Article 36.

chevron_rightSource text

Source text: “The procedures laid down in Articles 29 and 30 shall apply to extensions of the scope of the notification. For changes to the notification other than extensions of its scope, the procedures laid down in paragraphs (3) to (9) shall apply.”

In practice: Distinguish between scope extensions (requiring full re-notification under Articles 29 and 30) and other changes (governed by Article 36 paragraphs 3–9); document the type of change before initiating the appropriate procedure.

Art. 36(3). (effective 2 August 2025) When a notified body ceases its conformity assessment activities, it must notify the notifying authority and affected providers as soon as possible (at least one year in advance for planned cessations), and its certificates may remain valid for nine months if another notified body assumes responsibility and completes a full assessment within that period.

chevron_rightSource text

Source text: “Where a notified body decides to cease its conformity assessment activities, it shall inform the notifying authority and the providers concerned as soon as possible and, in the case of a planned cessation, at least one year before ceasing its activities. The certificates of the notified body may remain valid for a period of nine months after cessation of the notified body’s activities, on condition that another notified body has confirmed in writing that it will assume responsibilities for the high-risk AI systems covered by those certificates. The latter notified body shall complete a full assessment of the high-risk AI systems affected by the end of that nine-month-period before issuing new certificates for those systems. Where the notified body has ceased its activity, the notifying authority shall withdraw the designation.”

In practice: Notified bodies should maintain a succession plan identifying potential successor bodies; providers should monitor their notified body's status and proactively seek reassignment of certificates if cessation is announced.

Art. 36(4). (effective 2 August 2025) If a notifying authority has sufficient reason to believe a notified body no longer meets the requirements of Article 31 or is failing its obligations, it must investigate without delay, give the body a chance to respond, and then restrict, suspend, or withdraw the designation as appropriate, immediately informing the Commission and other Member States.

chevron_rightSource text

Source text: “Where a notifying authority has sufficient reason to consider that a notified body no longer meets the requirements laid down in Article 31, or that it is failing to fulfil its obligations, the notifying authority shall without delay investigate the matter with the utmost diligence. In that context, it shall inform the notified body concerned about the objections raised and give it the possibility to make its views known. If the notifying authority comes to the conclusion that the notified body no longer meets the requirements laid down in Article 31 or that it is failing to fulfil its obligations, it shall restrict, suspend or withdraw the designation as appropriate, depending on the seriousness of the failure to meet those requirements or fulfil those obligations. It shall immediately inform the Commission and the other Member States accordingly.”

In practice: Notifying authorities should establish a formal investigation protocol with defined timelines and due-process steps (including the right of the notified body to be heard) to ensure swift and legally sound action when compliance concerns arise.

Art. 36(6). When a notified body's designation is restricted, suspended, or withdrawn, the notifying authority must preserve that body's files and make them available to other Member States' notifying authorities and market surveillance authorities upon request.

chevron_rightSource text

Source text: “In the event of the restriction, suspension or withdrawal of a designation, the notifying authority shall take appropriate steps to ensure that the files of the notified body concerned are kept, and to make them available to notifying authorities in other Member States and to market surveillance authorities at their request.”

In practice: Establish a secure document management protocol for notified body files that enables rapid sharing with other national authorities; ensure files are stored in a format accessible to cross-border requests and assign a responsible custodian within the notifying authority.

Art. 36(7). Upon restriction, suspension, or withdrawal of a notified body's designation, the notifying authority must assess the impact on issued certificates, report findings to the Commission and other Member States within three months, and require the notified body to suspend or withdraw any unduly issued certificates.

chevron_rightSource text

Source text: “In the event of the restriction, suspension or withdrawal of a designation, the notifying authority shall:”

In practice: Create a certificate impact assessment template to be activated immediately upon any change to a notified body's designation; set up automated tracking of all certificates issued by each notified body and establish a reporting workflow to the Commission within the three-month deadline.

Art. 36(8). Certificates issued by a notified body whose designation has been suspended or restricted (excluding unduly issued ones) remain valid if the notifying authority confirms no risk to health, safety, or fundamental rights and outlines a remediation timeline, or confirms no new certificates will be issued and addresses the notified body's capability to monitor existing certificates.

chevron_rightSource text

Source text: “With the exception of certificates unduly issued, and where a designation has been suspended or restricted, the certificates shall remain valid in one of the following circumstances:”

In practice: Develop a certificate validity decision tree for use by notifying authorities when a suspension or restriction occurs; ensure written confirmations and timelines are documented within one month and that providers are notified immediately if a substitute notified body must be engaged within three months.


Article 37 - Challenge to the competence of notified bodies

Art. 37(2). (effective 2 August 2025) Notifying authorities are obliged to provide the Commission with all relevant information about a notified body's notification or the maintenance of its competence whenever the Commission requests it. This ensures transparency and accountability in the notification process.

chevron_rightSource text

Source text: “The notifying authority shall provide the Commission, on request, with all relevant information relating to the notification or the maintenance of the competence of the notified body concerned.”

In practice: Notifying authorities should maintain organised and readily accessible records of all information related to notified body notifications, including competence assessments, audits, and ongoing monitoring results, so they can respond promptly to Commission requests.


Article 38 - Coordination of notified bodies

Art. 38(2). (effective 2 August 2025) Each notifying authority is obligated to ensure that the notified bodies it has designated participate in the sectoral coordination group established under Article 38(1), either directly or through designated representatives. This ensures all notified bodies contribute to harmonised conformity assessment practices.

chevron_rightSource text

Source text: “Each notifying authority shall ensure that the bodies notified by it participate in the work of a group referred to in paragraph 1, directly or through designated representatives.”

In practice: Notifying authorities should establish formal mechanisms (e.g., mandates or standing instructions) requiring notified bodies under their jurisdiction to actively participate in the sectoral group, and should monitor attendance and contribution to group activities.


Related

This page covers the AI Act obligations of an oversight/governance role. If you build or supply AI systems, see the actor pages for providers and deployers — where the AI Act's requirements map onto the GDPR control modules RuleMesh delivers.


Frequently asked questions

Who is a notifying authority under the EU AI Act?

A notifying authority is the national public authority responsible for establishing and conducting the procedures necessary to assess, designate, and formally notify conformity assessment bodies to the European Commission, and for the ongoing monitoring of those bodies to ensure continued compliance with applicable requirements. (Source: AI Act definitions, CELEX 32024R1689.)

How many obligations does the AI Act place on notifying authorities?

The RuleMesh knowledge graph identifies 16 obligation paragraphs addressed to the Notifying Authority role, across Articles 28, 30, 36, 37, 38.

When do AI Act notifying authorities obligations apply?

Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.



Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.