07 · Conformity Assessment & Notified Bodies
- VDE guide + MedEnvoy – notified bodies + arXiv technical paper
- Notified bodies chapter became applicable: 2 August 2025
Notified bodies chapter became applicable 2 August 2025. Under PE-CONS 30/26, Chapter III high-risk conformity requirements apply from 2 December 2027 for Article 6(2) / Annex III systems and 2 August 2028 for Article 6(1) / Annex I systems, pending OJ publication.
What conformity assessment means
Before a high-risk AI system can be placed on the EU market, the provider must demonstrate it meets all requirements in Chapter III. This is the conformity assessment. Two routes:
Route 1 — Internal (self-assessment)
Available for most Annex III high-risk AI systems. The provider conducts and documents the assessment themselves against the requirements. If done correctly, they can then issue an EU Declaration of Conformity and affix the CE mark.
Route 2 — Third-party (notified body)
Required for:
- Article 6(1) / Annex I systems where the relevant Union harmonisation legislation requires third-party conformity assessment, with AI Act requirements integrated into that product-law assessment for Section A systems
- Remote biometric identification systems, biometric categorisation systems and emotion recognition systems where Article 43 requires notified-body involvement
A notified body assesses the technical documentation, quality management system, and the AI system itself.
What notified bodies are
Notified bodies (NBs) are independent third-party conformity assessment organisations designated by member state notifying authorities. They must meet criteria in Article 31 (independence, competence, impartiality, liability coverage). They notify the Commission of their designation. Once notified, they appear in the NANDO database.
Capacity warning: AI-focused notified bodies are scarce as of mid-2026. Most AI NBs come from adjacent sectors (medical devices, machinery). This gap is part of why the Omnibus extended the high-risk product transition to 2028.
Conformity assessment process for a high-risk AI provider
Step-by-step (self-assessment route):
| Step | Action | Article |
|---|---|---|
| 1 | Confirm system is high-risk under Art. 6 (Annex I or III) | Art. 6 |
| 2 | Establish and document risk management system (lifecycle-long) | Art. 9 |
| 3 | Document data governance (training/validation/testing datasets) | Art. 10 |
| 4 | Compile Annex IV technical documentation package | Art. 11 + Annex IV |
| 5 | Build in automatic event logging | Art. 12 |
| 6 | Prepare instructions for use for deployers | Art. 13 |
| 7 | Design and validate human oversight mechanisms | Art. 14 |
| 8 | Establish quality management system | Art. 17 |
| 9 | Conduct internal assessment (or engage notified body if required) | Art. 43 |
| 10 | Issue EU Declaration of Conformity (keep for 10 years) | Art. 47 |
| 11 | Affix CE marking | Art. 48 |
| 12 | Register system in EU database (before deployment for public-body deployers) | Art. 71 |
Post-market obligations
- Post-market monitoring plan: continuous monitoring of performance in production per Art. 72
- Serious incident reporting: providers must report to national market surveillance authorities without undue delay (Art. 73)
- Market surveillance: national authorities conduct checks; can require access to training data and documentation
Harmonised standards
CEN/CENELEC and ETSI are developing harmonised standards under the AI Act. Once published in the Official Journal, compliance with them creates a presumption of conformity — a fast path to completing the assessment. Standards are not yet available (as of mid-2026); their absence is part of why the Omnibus extended the high-risk transition.
Standards page: https://digital-strategy.ec.europa.eu/en/policies/ai-act-standardisation FLI standards overview: https://artificialintelligenceact.eu/standard-setting-overview/
Technical verification framework (academic perspective)
The arXiv paper (arXiv:2512.13907, Dec 2024) maps each legal requirement to concrete technical verification methods — covering dataset documentation, algorithmic auditing, robustness testing, and human oversight mechanisms. Useful for technical teams building compliance processes. URL: https://arxiv.org/html/2512.13907v3
Key articles
| Topic | Article(s) |
|---|---|
| Conformity assessment procedures | Art. 43 |
| Annex I / product-law conformity route | Art. 43(1), Art. 43(3), Annex I |
| Self-assessment (Annex III) | Art. 43(2) |
| Notified body criteria | Art. 31 |
| Notifying authorities | Arts. 28–30 |
| EU Declaration of Conformity | Art. 47 |
| CE marking | Art. 48 |
| EU database | Art. 71 |
| Post-market monitoring | Art. 72 |
| Serious incident reporting | Art. 73 |
| Quality management system | Art. 17 |
| Technical documentation | Art. 11 + Annex IV |