AI Notified Bodies
AI notified bodies are conformity assessment organizations designated under EU law to verify certain high-risk AI systems before those systems are placed on the market or put into service.
Definition
An AI notified body is a conformity assessment body that has been assessed, designated, and notified by an EU Member State to perform third-party assessment tasks under the EU AI Act. In ordinary EU product law, a notified body is an organization designated by a country to assess whether certain products comply with applicable rules before market placement when a third-party assessment is required.
For AI, the term matters because some high-risk systems cannot rely only on a provider's internal statement of compliance. A notified body may review the provider's quality management system, technical documentation, and conformity with the AI Act's high-risk requirements. That role connects law, technical evidence, auditing, and market access.
AI notified bodies are related to EU AI Act, AI Audits and Assurance, and AI Post-Market Monitoring, but they are more specific. They are not general AI safety labs, model-ranking services, or public-interest watchdogs. They are designated conformity assessment organizations operating within a legal procedure.
How It Works
The EU AI Act separates notifying authorities from notified bodies. Article 28 says each Member State must designate or establish at least one notifying authority responsible for assessment, designation, notification, and monitoring of conformity assessment bodies. Those authorities must protect objectivity, avoid conflicts of interest, safeguard confidentiality, and have competent personnel with relevant expertise, including information technology, AI, law, and fundamental-rights supervision where applicable.
A conformity assessment body applies for notification in the Member State where it is established. If it meets the requirements, it can be notified to perform defined assessment activities. Article 35 requires the European Commission to assign a single identification number to each notified body and to make public an up-to-date list of bodies notified under the regulation, including their identification numbers and the activities for which they have been notified.
Current Context
As of June 16, 2026, the legal anchor is Chapter III, Section 4 and Section 5 of Regulation (EU) 2024/1689, presented in the European Commission's AI Act Service Desk. Article 31 requires notified bodies to have legal personality under Member State law; organizational, quality management, resource, process, and cybersecurity capacity; independence from the provider and other interested operators; confidentiality procedures; liability insurance unless covered by the Member State; and sufficient administrative, technical, legal, and scientific personnel.
Article 34 states that notified bodies verify conformity of high-risk AI systems according to Article 43 procedures. It also tells them to avoid unnecessary burdens, especially for micro and small enterprises, while still respecting the level of protection required by the regulation. Article 32 adds a presumption of conformity route when a conformity assessment body demonstrates conformity with relevant harmonised standards published in the Official Journal, to the extent those standards cover Article 31 requirements.
Article 43 is the practical routing rule. For Annex III point 1 high-risk AI systems in biometrics, the provider may use internal control when harmonised standards or common specifications are applied, but notified-body involvement is required when those standards or specifications are absent, restricted, not applied, or only partly applied. For Annex III points 2 to 8, the route is internal control without a notified body. For product-integrated high-risk AI systems covered by existing EU product legislation, the relevant product-safety conformity assessment procedures apply, and notified bodies under those acts may assess AI-specific requirements when their competence has been assessed.
Governance and Safety
The safety value of notified bodies is procedural discipline: an external organization checks whether the provider's evidence meets the legal requirements before the system reaches the market. That can improve documentation quality, quality-management practice, traceability, human-oversight analysis, cybersecurity review, and accountability for high-risk systems.
The governance risk is assurance theater. A notified body can review evidence within its legal scope, but it does not guarantee that a system will never harm people, that every deployment context is safe, or that later updates will remain compliant. Capacity also matters. If there are too few competent bodies for specialized AI systems, conformity assessment can become a bottleneck or a shallow paperwork exercise.
Defense Pattern
- Check designation scope. Use official lists to confirm that a body is notified for the relevant regulation, activity, and system type.
- Prepare technical evidence early. Documentation, logs, risk management, data governance, human oversight, and cybersecurity evidence should exist before assessment.
- Protect independence. Avoid consultancy or commercial relationships that could compromise impartiality.
- Track substantial changes. Updates that affect compliance or intended purpose may trigger a new conformity assessment.
- Keep post-market evidence connected. Incidents, monitoring results, and corrective actions should feed back into assessment records.
- Do not confuse certification with safety. Treat notified-body review as one control in a wider governance system.
Spiralist Reading
An AI notified body is a checkpoint in the bureaucracy of trust.
The machine does not become safe because an institution has stamped a file. But the file matters. It forces claims into documents, documents into review, review into responsibility, and responsibility into a public list.
For Spiralism, the lesson is not faith in certification. It is distrust made orderly enough to leave a record.
Open Questions
- How many notified bodies will have enough AI, cybersecurity, data, and fundamental-rights expertise for complex systems?
- How should notified bodies review adaptive systems that change through updates, fine-tuning, retrieval, or user feedback?
- What evidence should be available to affected people when a certified high-risk system causes harm?
- How should conflicts be managed when assessment bodies also sell adjacent consulting services?
- Will conformity assessment improve real safety, or mainly improve the appearance of compliance?
Related Pages
- EU AI Act
- AI Audits and Assurance
- AI Governance
- AI Post-Market Monitoring
- AI Incident Reporting
- AI Liability and Accountability
- Human Oversight in AI
- Algorithmic Impact Assessments
- Secure AI System Development
- AI System Inventory
Sources
- AI Act Service Desk, Article 28: Notifying authorities, reviewed June 16, 2026.
- AI Act Service Desk, Article 31: Requirements relating to notified bodies, reviewed June 16, 2026.
- AI Act Service Desk, Article 32: Presumption of conformity with requirements relating to notified bodies, reviewed June 16, 2026.
- AI Act Service Desk, Article 34: Operational obligations of notified bodies, reviewed June 16, 2026.
- AI Act Service Desk, Article 35: Identification numbers and lists of notified bodies, reviewed June 16, 2026.
- AI Act Service Desk, Article 43: Conformity assessment, reviewed June 16, 2026.
- European Commission, Notified bodies, reviewed June 16, 2026.
- European Commission, NANDO notified bodies database, reviewed June 16, 2026.
- Church of Spiralism, EU AI Act and AI Audits and Assurance, related background pages.