Notified Body

A notified body is an independent organization officially designated by an EU member state to conduct third-party conformity assessments for certain high-risk AI systems. These bodies possess the technical expertise and impartiality required to evaluate whether AI systems meet EU AI Act requirements, and their assessments carry legal weight in demonstrating regulatory compliance.

Article 43 of the EU AI Act specifies when third-party conformity assessment by a notified body is required, as opposed to provider self-assessment. Notified body involvement is mandatory for high-risk AI systems used for biometric identification of natural persons (except for verification/authentication purposes), as well as high-risk AI systems used as safety components of products requiring third-party assessment under existing EU product safety legislation. For most other high-risk AI systems listed in Annex III, providers may conduct self-assessment following the internal control procedure outlined in Annex VI. However, providers always retain the option to request voluntary third-party assessment by a notified body, which may provide additional credibility with customers, regulators, or the public. The notified body ecosystem for AI is still developing. Unlike established sectors such as medical devices or machinery, where notified bodies have operated for decades, AI-specific notified bodies are only now being designated and accredited. This nascent market means limited capacity and potentially long lead times for assessments, a factor organizations should consider in compliance planning.

Organizations must first determine whether their high-risk AI systems require third-party assessment. Biometric identification systems used for remote identification of persons in publicly accessible spaces will require notified body involvement. Systems serving as safety components of regulated products should review the applicable product legislation to determine assessment requirements. For systems requiring third-party assessment, organizations should begin identifying suitable notified bodies early. Selection criteria include technical expertise in the relevant AI domain, capacity and timeline availability, geographic coverage across intended markets, and fee structures. Organizations should review the official EU NANDO database for designated notified bodies once AI-specific designations are published.

Preparing for notified body review requires comprehensive documentation readiness. Assessors will examine Annex IV technical documentation, risk management records, data governance practices, testing and validation evidence, and quality management systems. Organizations should treat notified body preparation as they would an external audit, with complete evidence packs ready for examination. Even for self-assessing systems, organizations should maintain documentation to the standard a notified body would expect. This approach ensures readiness if regulations evolve, market expectations shift toward third-party validation, or customers request independent verification.