Notifying Authority — EU AI Act Definition and Role

A notifying authority is the national body responsible for vetting, designating, and monitoring the conformity assessment bodies that can legally certify high-risk AI systems under Regulation (EU) 2024/1689. Without a notifying authority doing its job, there are no notified bodies — and without notified bodies, certain high-risk systems (principally biometric AI falling under Annex III, point 1) cannot reach the market lawfully.

Most companies subject to the EU AI Act will never deal with a notifying authority directly. They will deal with a notified body — the entity the notifying authority has vetted and placed on the EU's NANDO register. Understanding the distinction matters when you are mapping your compliance path, because it tells you exactly which body you need to engage and for what.

The EU AI Act definition

Article 3, point 19 of Regulation (EU) 2024/1689 defines a notifying authority as:

"the national authority responsible for setting up and carrying out the necessary procedures for the assessment, designation and notification of conformity assessment bodies and for their monitoring."

Three verbs carry all the weight: assess, designate, and monitor. The notifying authority is the gatekeeper that turns a conformity assessment body into a notified body — and that can withdraw that designation if performance slips.

What a notifying authority does

The notifying-authority framework sits in Chapter III, Section 4 of the EU AI Act, spanning Articles 28 through 39. The regime follows the same architecture used in EU product law (the New Legislative Framework), so Member States and bodies with experience under the Machinery Regulation or the Medical Device Regulation will recognise the structure.

Assessment. Before a conformity assessment body can be designated, the notifying authority must assess it against the criteria in Article 31: independence, competence, impartiality, confidentiality obligations, liability coverage, and the technical capacity to assess AI systems against the requirements in Articles 9 through 15. The assessment may draw on accreditation evidence from a national accreditation body operating under Regulation (EC) No 765/2008.

Designation. A successful assessment results in formal designation. The notifying authority then notifies the Commission and the other Member States, and the body enters the EU database of notified bodies. From that point, the body is authorised to perform the third-party conformity assessment procedure set out in Annex VII of the EU AI Act — the notified-body route available for high-risk systems in the biometrics category (Annex III, point 1) where harmonised standards have not been applied or do not fully cover the requirements.

Ongoing monitoring. Designation is not a one-time event. The notifying authority is responsible for monitoring notified bodies on an ongoing basis under the Articles 28–39 framework, investigating complaints, and — where a body no longer meets the designation criteria — restricting, suspending, or withdrawing the notification under Article 36. If it withdraws or suspends, it must notify the Commission immediately, and in-progress assessments must be transferred or cancelled.

Notification to the Commission. Under Article 30, the notifying authority notifies each conformity assessment body it has approved to the Commission and the other Member States, with details of the conformity assessment activities and the AI systems concerned. It keeps the Commission informed of any relevant changes.

The notifying authority's work is therefore structural: it shapes the pool of legitimate notified bodies. A weak or under-resourced notifying authority creates bottlenecks — if designation procedures are slow, companies in that Member State face delays getting third-party assessments done.

Notifying authority vs market surveillance authority vs notified body

These three bodies appear throughout the EU AI Act and are frequently confused. They have distinct functions and different legal bases.

The notifying authority's focus is prospective and institutional — it decides which bodies are fit to certify AI systems before any particular product reaches the assessment stage. The market surveillance authority's focus is retrospective and product-specific — it acts once a system is on the market and a problem arises. The notified body sits between them: it does the technical assessment work.

A single Member State may assign the notifying-authority function and the market-surveillance function to the same organisation or to different ones. Article 70 requires each Member State to designate at least one national competent authority to supervise the Act's application, and that authority must include or work alongside the market surveillance function. The choice of whether to merge or separate the notifying-authority role is a national structural decision; the EU AI Act does not mandate either model.

One thing the Act does prohibit: a notified body assessing its own work, or a notifying authority assessing a body in which it has a financial interest. The independence requirements in Article 31 and the conflict-of-interest rules in Article 38 close those gaps.

The conformity assessment path that involves a notified body

Understanding the notifying authority matters most for providers whose systems must use the Annex VII route under Article 43.

Article 43 sets out two conformity assessment options for high-risk AI systems:

• Annex VI (internal self-assessment): the provider conducts its own conformity assessment and draws up the technical documentation under Article 11 / Annex IV. This route is available to most Annex III categories (points 2–8: critical infrastructure, education, employment, services, law enforcement, migration, administration of justice).
• Annex VII (notified-body assessment): a designated notified body independently audits the system's technical documentation and quality management system and issues a certificate. This route is required for biometric AI systems falling under Annex III, point 1, unless the provider has applied harmonised standards that fully cover the relevant requirements.

Only the Annex VII route involves a notified body — and therefore only that route creates a practical link back to the notifying authority. If your system does not fall under Annex III, point 1, you will use the Annex VI self-assessment route and the notifying-authority framework will not touch your process directly.

For biometric AI providers, the practical sequence is: check whether harmonised standards cover your system → if not, identify a notified body designated under Annex VII for your system type → engage that body for assessment → receive the certificate → affix CE marking under Article 48 → register under Article 49.

How Confir supports your conformity assessment path

Before you decide which route applies, you need to know whether your system is high-risk and which Annex III point it falls under. Confir's rule-based classification engine applies Article 6 and the Annex III logic to your system's described use — same inputs, same output every time, with the rule that fired displayed so you can audit it. If the classification flags Annex III, point 1 (biometrics), the output will tell you that the Annex VII notified-body route is the default path. From there, Confir generates the Article 11 / Annex IV technical documentation pack that a notified body will need to audit.

Confir does not select or interact with notified bodies — that engagement is yours to manage. What it does is produce the documentation the body will scrutinise. Starting that documentation before you search for a notified body shortens the overall assessment timeline and reduces the risk of rework during the audit. Confir is available from €600/year at confir.eu.

Frequently Asked Questions

Which countries have designated a notifying authority for the EU AI Act?

The EU AI Act requires each Member State to designate its national competent authority under Article 70 and to set up its notifying-authority procedures under Chapter III, Section 4. As of mid-2026, formal designations are still being put in place across Member States — the notified-body notification procedures are operational but the full designation landscape continues to develop. Check the Commission's NANDO database for current status.

Does a company ever interact with the notifying authority directly?

Almost never. The notifying authority operates at the institutional level — vetting bodies, not individual AI systems. Your contact is the notified body the notifying authority has designated. The only scenario where a company might surface in notifying-authority proceedings is if it files a complaint about a notified body's conduct, which is routed to the notifying authority under Article 33.

Can the same body act as both the notifying authority and the market surveillance authority?

Yes. The EU AI Act permits a Member State to assign both functions to the same organisation. Article 70 requires each Member State to designate a competent authority — that authority can encompass both the notifying and the market surveillance roles, provided the independence and conflict-of-interest requirements in Articles 31 and 38 are satisfied. Several Member States operating under the New Legislative Framework in product law already run merged authorities.

What happens if a notified body loses its designation?

The notifying authority must immediately notify the Commission and the other Member States. Ongoing assessments are suspended: the affected provider must either have the work transferred to a different notified body or start a new assessment. Certificates already issued remain valid unless the notified body's errors affected the assessments that produced them, in which case the notifying authority may require a review. Article 36 governs changes to notifications, including the steps required where a notified body ceases its activity.

Is the notifying-authority framework new, or does it borrow from existing EU law?

The framework mirrors the New Legislative Framework architecture used across EU product law — the same model applies under the Machinery Regulation, the Radio Equipment Directive, and the Medical Device Regulation, among others. Accreditation bodies already operating under Regulation (EC) No 765/2008 and notifying authorities already running designation procedures in those domains will recognise the process. For the EU AI Act specifically, the framework is new in its application to AI systems but structurally familiar.

Why does any of this matter for the conformity assessment deadline?

High-risk AI systems under Annex III must complete their conformity assessment before being placed on the market. For stand-alone Annex III systems, that obligation applies from 2 December 2027 (the deadline pushed back from August 2026 under the Digital Omnibus agreed in May 2026). For systems that are safety components of Annex I regulated products, the date is 2 August 2028. The notified-body pool — which the notifying authority creates — needs to be large enough and available early enough to process assessments before those deadlines. Providers whose systems require Annex VII assessment should identify and engage a notified body well in advance; body capacity is finite.

Related terms

• Notified body — the conformity assessment body that a notifying authority has designated under Annex VII; the entity that performs third-party AI assessments
• Conformity assessment body — the broader category of bodies that assess conformity; a notified body is a conformity assessment body that has been designated and notified
• Market surveillance authority — the national body that enforces the EU AI Act against non-compliant systems on the market; distinct from the notifying authority
• Conformity assessment — the process under Article 43 by which a provider demonstrates that a high-risk AI system meets the Act's requirements before placing it on the market
• EU AI Act Article 43 — the Article that sets out the conformity assessment routes (Annex VI internal control; Annex VII notified body) and when each applies
• Annex IV technical documentation — the content requirements for the technical documentation that providers must compile and that notified bodies audit under the Annex VII route