Notified Body: Definition and Role Under the EU AI Act
A notified body assesses high-risk AI systems under Annex VII. One is required mainly for biometrics (Annex III, point 1). Most high-risk uses self-assess under Annex VI.
A notified body is a conformity assessment organisation that a national notifying authority has formally notified to the European Commission and to other Member States as competent to carry out third-party assessments of AI systems. Under Regulation (EU) 2024/1689, the term is a defined term of art: Article 3, point 22 defines a notified body as a conformity assessment body notified in accordance with the EU AI Act and, where relevant, other Union harmonisation legislation. The notification is what transforms an accredited assessor into a "notified body" — accreditation alone is not sufficient.
The EU AI Act definition
The statutory definition sits in Article 3, point 22, and it is deliberately brief: a conformity assessment body notified in accordance with this Regulation. The substance is in what surrounds it.
The framework that governs notifying authorities and notified bodies runs across Chapter III, Section 4 — Articles 28 through 39. These provisions create a two-tier structure. First, each Member State designates a notifying authority: a public body responsible for establishing and carrying out the procedures necessary to assess, designate, and monitor conformity assessment bodies. Second, once a conformity assessment body satisfies the requirements of Articles 31 through 33 — covering independence, technical competence, impartiality, confidentiality, and liability — it applies to be notified. If the notifying authority is satisfied, it notifies that body to the Commission and the other Member States, at which point the body acquires its status as a notified body and may appear in the NANDO (New Approach Notified and Designated Organisations) database maintained by the Commission.
The distinction between the two roles matters. The notifying authority is the national designator and ongoing supervisor — it monitors performance, investigates complaints, and can suspend or withdraw notification. The notified body is the independent third-party assessor. Conflating the two is a common source of confusion in implementation planning.
Article 35 requires the Commission to maintain a publicly accessible list of notified bodies. Article 36 specifies the information each notified body must publish. Article 38 provides for operational coordination among notified bodies. Article 39 addresses the specific case of notified bodies operating under other Union harmonisation legislation, which matters for AI systems embedded in regulated products — though the conformity-assessment integration for those systems is governed by Article 43(3) and the product-law timeline of 2 August 2028.
When you actually need a notified body
The starting point is Article 43, which sets out the conformity assessment procedure for high-risk AI systems. Article 43 creates two routes, each with its own Annex.
The Annex VI route is internal control: the provider carries out the conformity assessment itself, documents the process, and issues the EU declaration of conformity under Article 47. No third party is involved. This route is available to the great majority of high-risk AI systems — those covered by Annex III headings 2 through 8 (critical infrastructure, education, employment, access to essential services, law enforcement, migration and border control, administration of justice and democratic processes).
The Annex VII route involves a notified body. A notified body conducts a third-party quality management system assessment and, where applicable, a technical documentation assessment. This route applies primarily to Annex III, point 1 — biometric systems, meaning remote biometric identification systems, biometric categorisation systems, and emotion-recognition systems (where those are still lawful rather than prohibited under Article 5). There is an important nuance: the notified-body route is triggered when the provider of an Annex III, point 1 system has not applied harmonised standards covering all the relevant requirements. If a provider has applied harmonised standards that have been published in the Official Journal, the Annex VI internal route remains open. In practice, harmonised standards under the EU AI Act are still being developed, which means that for most Annex III, point 1 systems today, the Annex VII route is the operative path.
For every other Annex III category — recruitment tools, credit-scoring models, public-benefits eligibility systems, exam-proctoring software, judicial-assistance tools — a notified body is not required. The provider conducts its own internal assessment under Annex VI. This is often misunderstood: the assumption that an independent auditor is always needed for a high-risk AI system is wrong. The EU AI Act reserves third-party involvement for the category where the risks to fundamental rights are highest — biometric identification and categorisation — and for product-safety components where the existing product-law framework already mandates a notified body.
It is worth being precise about scope. Article 43(4) allows the Commission, by delegated act, to extend the notified-body route to other Annex III systems if the risk profile justifies it. That power has not yet been exercised, but it is a watch point for providers outside the biometrics category. Conversely, Article 43(5) gives providers of high-risk systems that are safety components of products already covered by Union harmonisation legislation listed in Annex I — machinery, medical devices, civil aviation equipment, and others — a specific integration path: the AI conformity assessment is folded into the product's existing procedure, typically involving the notified body already engaged for the product.
Why it matters for your planning
Third-party conformity assessment by a notified body takes longer and costs more than internal assessment. Engagement timelines vary, but lead times of three to six months for initial scoping — before assessment work begins in earnest — are common at bodies with established practices. For biometrics providers, this means identifying a suitable notified body well before the 2 December 2027 application deadline for Annex III stand-alone high-risk systems (under the Digital Omnibus agreed in May 2026, which deferred the original 2 August 2026 date).
Capacity is a genuine constraint. The number of conformity assessment bodies with the specific technical competence to assess AI systems under Annex VII is limited. National accreditation bodies are still building assessment infrastructure, and many established bodies that operate in adjacent product-law areas have not yet been notified under the EU AI Act specifically. For biometrics providers, this is not a hypothetical risk — it is a concrete operational constraint that makes early engagement a strategic necessity.
Even for providers who will use the Annex VI internal route and never deal directly with a notified body, understanding the notified-body framework matters for a different reason: deployers performing due diligence, and public-sector procurement processes, increasingly ask for evidence of a provider's conformity-assessment process. Being able to explain clearly whether your system required Annex VI or Annex VII, and why, is part of the technical documentation you are required to maintain under Article 11 and Annex IV.
Providers of systems in the biometrics category should also ensure their Article 17 quality management system is mature enough to withstand third-party scrutiny. A notified body assessing under Annex VII will review the QMS, the technical documentation, the risk management system (Article 9), and the post-market monitoring plan (Article 72). Gaps discovered during that review add cost and delay. Preparing the QMS documentation as though for external audit — even before engaging a body — is sound practice.
Frequently Asked Questions
Is a notified body the same as a national competent authority?
No. A national competent authority (designated under Article 70) carries out market surveillance and enforcement on AI systems already placed on the market. A notified body is a private-sector or semi-public accredited body that carries out conformity assessments before — or as a condition of — market placement. The notifying authority (which designates and monitors notified bodies) is also distinct from the market-surveillance authority, though some Member States may combine roles in the same ministry. Article 28 addresses the notifying-authority requirements specifically.
My AI system handles recruitment screening — do I need a notified body?
No. Recruitment and worker management systems fall under Annex III, point 4. High-risk systems in that category use the Annex VI internal-control route; no notified body is required. You will conduct the conformity assessment yourself, issue the EU declaration of conformity under Article 47, and register the system under Article 49. The notified-body requirement applies principally to Annex III, point 1 (biometrics) where harmonised standards have not been applied.
How do I find an EU AI Act notified body?
The Commission maintains the NANDO database, which lists all bodies notified under Union harmonisation legislation. Specific notifications under Regulation (EU) 2024/1689 are being added as national accreditation procedures are completed. As of mid-2026, the list of AI Act-notified bodies is short — the accreditation infrastructure is still being built. Contact your national accreditation body (the body designated under Regulation (EC) 765/2008) to understand which assessment bodies are in the pipeline for notification in your jurisdiction.
What happens if a notified body finds non-conformity during assessment?
The body may refuse to issue the assessment certificate, issue it with conditions, or — for systems already on the market under a provisional arrangement — notify the relevant national authority. Article 39 of the EU AI Act and the relevant provisions in Chapter VI (market surveillance) govern follow-up. A provider whose system fails assessment must address the non-conformities before market placement. Supplying incorrect or misleading information to a notified body carries a separate penalty ceiling of €7,500,000 or 1% of worldwide annual turnover, whichever is higher (Article 99, paragraph 5).
Can a notified body refuse to assess my system?
Yes. A notified body may decline an engagement — for instance, if it lacks the specific technical competence for the system type, or if taking the work would create a conflict of interest. Article 38 establishes coordination mechanisms among bodies, but there is no obligation on any individual body to accept every application. This reinforces the case for early outreach: if your first-choice body declines or is fully booked, finding an alternative takes time.
Does the notified-body requirement apply to GPAI model providers?
No. The conformity assessment framework in Chapter III, Section 4 and Article 43 covers high-risk AI systems under Article 6. GPAI models are governed by Chapter V (Articles 51–56). GPAI providers have separate obligations — technical documentation, downstream information, copyright policy, and (for systemic-risk models under Article 55) model evaluations and incident reporting — but these do not involve notified bodies. If a GPAI model is deployed as a component in a high-risk AI system, the provider of that downstream system bears the Article 43 conformity-assessment obligation, not the GPAI model provider.
Related terms
- Conformity assessment (Article 43)
- Article 43: High-risk conformity assessment procedures
- Annex III: High-risk AI system categories
- Annex IV: Technical documentation requirements
- Provider obligations under the EU AI Act
- Harmonised standard