Conformity Assessment Body (EU AI Act): Definition and Role
EU AI Act Article 3(21): a conformity assessment body performs third-party testing, certification and inspection. Most Annex III systems self-assess.
A conformity assessment body (CAB) is any organisation authorised to carry out third-party testing, certification, and inspection activities that verify whether an AI system meets the requirements of Regulation (EU) 2024/1689. Most companies required to do a conformity assessment under the EU AI Act will never deal with one — but understanding the distinction between a CAB, a notified body, a notifying authority, and a market surveillance authority matters when you are scoping your Article 43 obligations.
The EU AI Act definition
Article 3, point 21 of Regulation (EU) 2024/1689 defines a conformity assessment body as:
"a body that performs third-party conformity assessment activities, including testing, certification and inspection."
That definition is deliberately broad. A CAB is a structural category — the class of independent organisations capable of verifying compliance on behalf of someone other than the manufacturer or operator. Whether a specific CAB has the legal authority to issue a notified-body finding under the EU AI Act is a separate question, answered by the notification process described below.
The definition sits alongside Article 3, point 22, which defines a notified body as a conformity assessment body that has been notified to the European Commission following a formal national assessment and designation. The two terms share a parent-child relationship: every notified body is a CAB, but not every CAB is a notified body.
From conformity assessment body to notified body
A CAB acquires notified-body status through a structured procedure set out in Chapter III, Section 4 of the EU AI Act (Articles 28–39). The steps are sequential and non-trivial.
Step 1 — Application to the notifying authority (Article 28)
A CAB applies to the national notifying authority of the Member State in which it is established. The notifying authority is the public body designated under Article 28 to assess, designate, and monitor notified bodies — it is entirely separate from the market surveillance authority that enforces the Act against providers and deployers.
Step 2 — Assessment (Articles 29–33)
The notifying authority assesses the applicant against the requirements in Articles 31 and 32: organisational structure, independence, technical competence, impartiality, insurance, and confidentiality obligations. Where national accreditation infrastructure exists, accreditation by the national accreditation body under Regulation (EC) No 765/2008 creates a presumption of conformity with Articles 31 and 32 — it is not mandatory, but it is the standard route.
Step 3 — Designation and notification (Articles 29, 34)
Once satisfied, the notifying authority designates the body and notifies it to the Commission and all other Member States via the NANDO database. From that point, the body may carry out the Annex VII third-party assessment for which it has been designated.
Step 4 — Ongoing supervision (Articles 36–39)
Notifying authorities monitor their notified bodies continuously. A notified body that no longer meets the requirements in Articles 31–32, or that has committed a serious breach, can have its designation suspended or withdrawn under Article 36. The Commission itself can investigate where it has doubts about a notified body's competence (Article 37).
One practical consequence of this structure: a CAB with an established track record in medical device certification under the MDR is not automatically authorised to act as a notified body for AI Act purposes. It must seek separate designation for the specific AI Act tasks it intends to carry out.
When a conformity assessment body is actually involved
Here the EU AI Act diverges sharply from what many assume. Third-party assessment through a notified body is the exception, not the rule.
The two routes under Article 43
Article 43 of the EU AI Act prescribes two conformity assessment procedures for high-risk AI systems:
- Annex VI — internal control: the provider conducts the conformity assessment itself, documents that the system meets the requirements of Articles 9–15, draws up the technical documentation under Article 11 and Annex IV, and issues the EU Declaration of Conformity under Article 47. No CAB is involved.
- Annex VII — conformity assessment with involvement of a notified body: the provider submits the system for third-party assessment by a designated notified body, which examines the technical documentation and may carry out testing before issuing a certificate.
Which systems use which route
Article 43 makes the route selection turn on two conditions: whether the system falls under Annex III point 1 (biometrics), and whether the provider has applied harmonised standards covering all of the relevant requirements.
Most high-risk AI systems — those covering employment and worker management (Annex III point 4), credit scoring (Annex III point 5(b)), education (Annex III point 3), or law enforcement support (Annex III point 6) — use the Annex VI internal self-assessment route. A CAB plays no role in their conformity assessment.
The Annex VII notified-body route is principally required for high-risk AI systems in the biometrics category (Annex III point 1 — remote biometric identification, biometric categorisation, and emotion recognition where not prohibited under Article 5). Even within that category, the Annex VII route is triggered only where the provider has not applied harmonised standards that cover all of the applicable requirements. If relevant harmonised standards exist and have been applied in full, the provider can use the internal control route even for a biometric system.
This means a well-documented biometric AI system built entirely to applicable harmonised standards has a self-assessment path. That path remains open only if the technical documentation demonstrates full coverage of those standards.
High-risk AI embedded in regulated products
A separate route applies to high-risk AI systems that are safety components of products already subject to EU product legislation listed in Annex I of the EU AI Act (medical devices, machinery, aviation equipment, and similar). For those systems, Article 43(3) integrates the AI Act conformity assessment into the existing product conformity procedure — so the notified body already reviewing the product under, say, the Medical Device Regulation also reviews the AI component. These systems face the later deadline of 2 August 2028 rather than 2 December 2027.
The three authorities: not interchangeable
A persistent source of confusion is conflating three distinct bodies that play different roles in the EU AI Act framework.
The conformity assessment body / notified body is the independent assessor — it carries out or reviews the technical conformity check where third-party assessment is required.
The notifying authority (Article 28) is the national public body that assesses, designates, and supervises notified bodies. It does not itself assess AI systems for compliance.
The market surveillance authority (Articles 70, 74–83) is the national authority that enforces the Act once a product is on the market — it investigates non-compliance, orders corrective action, and can require a product to be withdrawn. It is not involved in the pre-market conformity assessment.
A provider dealing with an Article 43 conformity assessment interacts with the notified body (if the Annex VII route applies) and with the notifying authority only indirectly. Market surveillance authorities become relevant post-launch, particularly under the incident reporting obligations in Article 73.
How Confir helps
For most companies deploying or building high-risk AI systems under Annex III, the conformity assessment is an internal self-assessment exercise — not a third-party engagement. What that exercise requires is rigorous technical documentation (Article 11 / Annex IV), a functioning risk management system (Article 9), and records that demonstrate each of the Article 9–15 requirements has been met.
Confir's rule-based compliance tool walks your team through the Article 43 classification — determining whether your system needs the Annex VI or Annex VII route — and generates the Article 11 / Annex IV technical documentation pack and the Article 47 EU Declaration of Conformity as structured outputs. The engine is deterministic: the same inputs produce the same findings, with the rule that fired identified for each result. From €600/year at confir.eu.
Frequently Asked Questions
Does every high-risk AI system require a conformity assessment body?
No. The majority of high-risk AI systems under Annex III — those in employment, education, credit, law enforcement, migration, and justice — use the Annex VI internal self-assessment route. The provider conducts the assessment without involving a CAB at all. A notified body (a designated CAB) is principally required for biometric AI systems under Annex III point 1, and only where harmonised standards covering all requirements have not been applied.
What is the difference between a conformity assessment body and a notified body?
A conformity assessment body is the general category: any independent organisation that carries out third-party testing, certification, or inspection. A notified body is a CAB that has been formally assessed by a national notifying authority and designated to carry out EU AI Act conformity assessments, then notified to the European Commission and other Member States. The designation is specific — a body notified for biometric AI systems is not automatically authorised to certify other high-risk categories.
Which authority designates notified bodies?
The national notifying authority of the Member State where the CAB is established — a public body designated under Article 28 of the EU AI Act. It is structurally separate from the market surveillance authority and from the AI Office at EU level. Designation requires the CAB to meet the requirements in Articles 31 and 32, covering independence, technical competence, and impartiality.
Can a CAB accredited for medical devices act as a notified body under the EU AI Act?
Not automatically. A body already notified under, say, the Medical Device Regulation must seek a separate designation under the EU AI Act for the specific AI Act tasks it intends to perform. Accreditation by the national accreditation body under Regulation (EC) No 765/2008 supports the application (it creates a presumption of conformity with Articles 31 and 32), but the designation itself must go through the Article 28 notifying authority.
When does the Annex VII notified-body route apply to biometric systems?
Article 43(1) requires the Annex VII route for systems under Annex III point 1 (biometrics) where the provider has not applied harmonised standards that cover all of the applicable requirements. Where relevant harmonised standards exist and have been applied in full, the provider may use the Annex VI internal control route even for a biometric system.
What happens if a notified body loses its designation?
Under Article 36, a notifying authority may suspend, restrict, or withdraw a notified body's designation if it no longer meets the requirements in Articles 31–32, or if it has committed a serious breach. The Commission may also investigate and, if warranted, request the notifying authority to take corrective action (Article 37). Providers holding certificates from that body would need to obtain re-assessment from an alternative notified body.
Related terms
- Notified body — a CAB that has been designated and notified to the Commission; the entity that carries out the Annex VII assessment
- Conformity assessment (Article 43) — the pre-market procedure that establishes whether a high-risk AI system meets the EU AI Act requirements
- EU AI Act Article 43 — the article prescribing which assessment procedure (Annex VI or Annex VII) applies to which high-risk systems
- Notifying authority — the national public body that assesses, designates, and supervises notified bodies; distinct from the CAB itself
- Market surveillance authority — the national enforcement authority that monitors AI systems post-launch; not involved in pre-market conformity assessment
- Annex IV technical documentation — the nine-area documentation content requirement that providers must assemble for any high-risk AI system before the Article 43 assessment