137AI > Compliance & Conformity > EU Notified Bodies

EU Notified Bodies

Notified Bodies are third-party conformity assessment bodies that EU Member States designate to assess product conformity with specific EU regulations before products can be placed on the EU market. The concept originates in the EU New Approach framework that has shaped EU product regulation for decades and operates across many regulatory frameworks including medical devices, machinery, radio equipment, in vitro diagnostics, and now AI under the AI Act.

The discipline pairs with the conformity assessment procedures covered separately in EU AI Act Conformity Assessment. The conformity assessment page addresses what conformity assessment procedures the AI Act requires; this page addresses the institutional bodies designated to perform third-party conformity assessment under those procedures. The two pages together cover the EU conformity infrastructure that AI Act compliance depends on. The page also distinguishes from Standards Bodies covered separately — standards bodies develop the standards; Notified Bodies assess products against the regulatory requirements that may reference standards. The institutional distinction is operationally significant.

What Makes Notified Bodies Distinctive

Notified Bodies have institutional and methodological properties that distinguish them from other assessment infrastructure.

Notified Bodies are third-party rather than first-party or second-party. First-party assessment is operator self-assessment; second-party assessment is customer or business partner assessment; third-party assessment is independent assessment by an organization unrelated to operator and customer. The third-party position supports independence and credibility that the other positions do not produce.

Notified Bodies operate under public authority through Member State designation. The designation process requires Member States to assess body competence, independence, and ongoing performance. The designation provides legal authority that purely commercial assessment bodies do not have.

Notified Bodies are accredited through formal accreditation infrastructure. The accreditation provides independent assessment of body competence by national accreditation bodies operating under European Accreditation (EA) framework. The accreditation is a prerequisite for designation in most cases.

Notified Bodies perform specific assessment procedures defined by regulation. The procedures are not arbitrary; they are specified in EU regulations with detailed requirements for what assessment activities Notified Bodies perform. The procedures provide consistency across Notified Bodies and across Member States.

Notified Bodies issue certificates that have specific legal effect. Products bearing CE marking under regulations requiring Notified Body involvement have been assessed by the Notified Body that issued the certificate. The certificate is legally significant and supports product placement on the EU market.

Notified Bodies have ongoing obligations beyond initial certificate issuance. The bodies conduct surveillance of certified products and producers, may withdraw certificates when conformity lapses, and operate as ongoing infrastructure rather than one-time assessment.

The Institutional Structure

The Notified Body framework operates through specific institutional structure that the EU has developed across multiple regulatory areas.

Member States designate Notified Bodies under their national authority. The designation process requires applicant bodies to demonstrate competence, independence, and resources adequate to the conformity assessment work they will perform. Different Member States have different designating authorities and different specific procedures.

The European Commission maintains the New Approach Notified and Designated Organisations (NANDO) database that lists all Notified Bodies across the EU. The database provides public registry of which bodies are designated for which regulations and procedures.

National accreditation bodies provide accreditation that supports designation. National accreditation bodies operate under the European Accreditation cooperation framework with mutual recognition supporting consistent accreditation across Member States.

European Accreditation (EA) is the European cooperation of national accreditation bodies that coordinates accreditation practice across Europe. The EA framework supports consistent accreditation methodology and provides infrastructure for mutual recognition.

The Coordination Groups for specific regulations bring together Notified Bodies designated under the same regulation. The Medical Device Notified Body Coordination Group has been substantively important for medical device practice; equivalent coordination is developing for AI Act Notified Bodies.

The European Commission has substantial role beyond NANDO maintenance. The Commission engages on harmonized standards, develops guidance documents, addresses inconsistencies across Member States, and may take enforcement action when Member States fail to discharge designation responsibilities adequately.

National market surveillance authorities operate alongside Notified Bodies. The surveillance authorities address post-market conformity; Notified Bodies address pre-market conformity assessment. The two work together with different specific responsibilities.

The Accreditation Requirement

Accreditation is foundational to the Notified Body framework. The accreditation provides independent assessment that bodies have the competence to perform conformity assessment they will be designated for.

Accreditation is typically performed against ISO/IEC 17000-series standards including ISO/IEC 17020 for inspection bodies, ISO/IEC 17021 for management system certification bodies, ISO/IEC 17025 for testing and calibration laboratories, ISO/IEC 17065 for product certification bodies, and ISO/IEC 17029 for validation and verification bodies. The specific standard depends on the type of conformity assessment work the body performs.

The accreditation process involves application assessment, documentation review, on-site assessment by accreditation body assessors, witness assessment of conformity assessment activities, and ongoing surveillance through the accreditation cycle.

Accreditation has specific requirements addressing competence (the body must have personnel with technical competence for the conformity assessment work), independence (the body must be independent from those they assess to support impartiality), and resources (the body must have adequate infrastructure, personnel, and processes).

The accreditation has time-limited validity. Bodies are typically reaccredited periodically with ongoing surveillance throughout the accreditation period. Loss of accreditation generally results in loss of designation though the specific relationship depends on the regulation involved.

The EA-MLA (European Accreditation Multilateral Agreement) supports mutual recognition across European national accreditation bodies. The arrangement means that accreditation by one EA-MLA signatory accreditation body is recognized across other signatory countries. The arrangement extends the integration the broader EU framework supports.

The Conformity Assessment Procedures

EU conformity assessment regulations specify procedures (Modules) that products must undergo to demonstrate conformity. The procedures vary in stringency with Notified Body involvement scaled to risk level.

Module	Approach	Notified Body Role
Module A (Internal Production Control)	Operator self-assessment without Notified Body involvement	No role; operator declares conformity based on internal assessment
Module B (EU Type-Examination)	Notified Body examines technical design and test results	Performs type examination, issues EU type-examination certificate
Module C (Conformity to Type Based on Internal Production Control)	Operator self-assesses production conformity to certified type	No role in production phase; relies on prior Module B type examination
Module D (Quality Assurance of Production Process)	Operator implements quality assurance system; Notified Body assesses and surveils	Assesses quality assurance system, conducts ongoing surveillance
Module E (Quality Assurance of Final Product Inspection)	Operator implements final inspection quality assurance; Notified Body assesses	Assesses inspection quality assurance, conducts ongoing surveillance
Module F (Conformity to Type Based on Product Verification)	Notified Body verifies each product or statistical sample	Performs product verification, issues conformity certificates
Module G (Conformity Based on Unit Verification)	Notified Body examines each individual product	Performs individual product examination, issues conformity certificate
Module H (Conformity Based on Full Quality Assurance)	Operator implements comprehensive quality assurance covering design and production	Assesses full quality assurance system, conducts ongoing surveillance

Specific regulations specify which modules apply to which product categories. AI Act conformity assessment procedures for high-risk AI systems include both internal control procedures and procedures requiring Notified Body involvement, with the specific modules depending on the AI system category and the standards the operator uses.

EU AI Act Notified Body Implementation

The EU AI Act establishes Notified Body framework for AI conformity assessment with implementation continuing to develop.

The AI Act provisions for Notified Bodies appear in Articles 28-39, addressing notifying authorities, requirements relating to notified bodies, application for notification, notification procedure, identification numbers and lists of notified bodies, changes to notifications, challenge of competence of notified bodies, operational obligations of notified bodies, coordination of notified bodies, presumption of conformity, and additional related provisions.

Specific Notified Body designation for AI Act has been developing through 2024-2026. The designation process requires Member States to assess potential Notified Bodies against the substantive requirements; the process has been slower than the broader AI Act implementation timeline given the substantive new methodological work involved.

The AI Act requires Notified Bodies for specific high-risk AI system categories where conformity assessment requires third-party involvement. The detailed treatment of which conformity assessment procedures apply to which AI systems appears in EU AI Act Conformity Assessment. The Notified Body role specifically applies to certain Annex III categories and to AI components of products subject to other EU harmonization legislation listed in Annex I.

AI Act-specific competence requirements for Notified Bodies include AI-specific expertise, capacity for the substantive technical assessment AI systems require, infrastructure for ongoing surveillance of certified AI systems, and integration with the broader AI governance infrastructure including the AI Office and other AI Act implementation bodies.

The relationship between AI Act Notified Bodies and existing Notified Bodies under other regulations has been an implementation consideration. Medical Device Notified Bodies have substantial relevant infrastructure; existing Notified Bodies under other regulations may extend to AI Act work. The framework supports either dedicated AI Notified Bodies or extension of existing Notified Bodies to AI work with appropriate competence demonstrations.

Standards harmonization through CEN-CENELEC JTC 21 supports Notified Body work. The detailed treatment appears in Standards Bodies. Harmonized standards provide presumption of conformity that Notified Body assessment can reference, supporting more consistent and tractable assessment than work without standards reference.

Medical Device Sector Experience

The medical device Notified Body framework provides substantial experience that informs AI Act Notified Body work. The experience is operationally significant because medical device Notified Bodies face challenges that AI Act Notified Bodies will likely face.

The EU Medical Device Regulation (MDR), which replaced the previous Medical Device Directive in 2017 with transitional provisions extending to 2027 for some devices, substantially expanded conformity assessment requirements and Notified Body responsibilities. The transition has produced substantial capacity challenges with Notified Body throughput becoming bottleneck for medical device market access.

Designation under MDR has been more stringent than under the prior directive. The number of designated Notified Bodies dropped substantially after MDR entry into force as bodies failed to meet enhanced requirements or chose not to pursue designation. The reduction in available capacity combined with increased per-device assessment work produced significant backlogs.

Notified Body capacity has been the substantive bottleneck for medical device market access. The pattern produces delays in product approval, market access challenges for innovators, and operational pressure on the broader medical device ecosystem. The experience informs concerns about AI Act Notified Body capacity development.

Technical assessment methodology for medical devices including AI/ML-based medical devices has been developing through MDR implementation. The methodology engages how to assess AI components of medical devices, what evidence supports conformity claims, and what surveillance addresses ongoing AI-specific concerns. The methodology informs AI Act Notified Body work.

Coordination among medical device Notified Bodies through the Notified Body Operations Group (NBOG) and similar infrastructure has produced consistent methodology development. The coordination model provides reference for AI Act Notified Body coordination.

External oversight of medical device Notified Bodies through Commission joint assessments, surveillance by Member State authorities, and broader oversight infrastructure has been substantively important. Joint assessments have produced findings affecting specific Notified Bodies; the oversight infrastructure supports framework integrity.

The aggregate medical device experience suggests that AI Act Notified Body framework development will face substantial challenges including capacity development, methodology maturation, coordination infrastructure, and ongoing oversight. The experience informs realistic expectations for AI Act implementation timeline and operational dynamics.

Ongoing Surveillance Role

Notified Bodies have substantial obligations beyond initial certificate issuance. The ongoing surveillance dimension is operationally significant.

Surveillance of certified operators verifies continued compliance with the conformity assessment basis. Notified Bodies conduct periodic surveillance audits or assessments, review operator changes that may affect conformity, address operator non-conformities when identified, and may suspend or withdraw certificates when surveillance produces concerning findings.

Surveillance frequency depends on the specific regulation and conformity assessment procedure. Some regulations require annual surveillance; some require less frequent surveillance; some require event-driven surveillance triggered by specific changes or incidents.

Surveillance methodology continues to develop. The methodology for AI Act surveillance specifically addresses what changes in AI systems warrant Notified Body engagement, how to assess ongoing AI behavior in deployment, and what evidence supports continued conformity claims. The methodology development continues alongside the broader AI Act implementation.

Certificate suspension and withdrawal authority is substantive. Notified Bodies that identify ongoing non-conformity through surveillance can suspend or withdraw certificates with substantial market consequences for affected operators. The authority supports framework integrity beyond what one-time assessment alone would produce.

Incident response involves Notified Body engagement in some contexts. When deployed products produce incidents affecting safety or conformity, Notified Bodies that certified the products may have specific obligations including investigation, surveillance escalation, and certificate review.

The surveillance dimension produces ongoing relationship between operator and Notified Body. The relationship continues throughout the certification validity period with operational engagement on changes, surveillance, and ongoing compliance. The relationship is substantively different from one-time assessment.

Notified Body Selection and Engagement

Operators required to engage Notified Bodies face specific considerations in selection and ongoing engagement.

Selection considerations include scope of designation (the Notified Body must be designated for the specific regulation and procedure the operator needs), competence in the specific product or technology area, geographic considerations (Notified Bodies can serve operators across the EU; geographic location may affect operational considerations), capacity availability given Notified Body workload, and broader business considerations including cost, timeline, and relationship considerations.

The NANDO database supports operator identification of designated Notified Bodies for specific regulations. Operators can identify which bodies are designated, what scope they have, and what specific procedures they can perform.

Cost varies substantially across Notified Bodies and across specific assessments. Operators benefit from understanding the cost structure before commitment, with the understanding that cost reflects substantial work the Notified Body performs.

Timeline considerations are substantive. Notified Body backlogs have been operationally significant in some regulatory contexts; operators in regulated markets often face substantial pre-market timelines that include Notified Body assessment time.

Documentation preparation supports efficient Notified Body engagement. Operators that prepare comprehensive technical documentation, conformity evidence, and supporting materials enable more efficient assessment than operators with less mature documentation.

Ongoing engagement extends beyond initial assessment. Surveillance audits, change notifications, incident response, and other ongoing engagement is part of the certification relationship. Operators plan for ongoing engagement rather than treating Notified Body work as one-time activity.

Multiple Notified Body relationships may be operationally necessary. Operators in multiple product categories or with multiple regulatory frameworks may engage multiple Notified Bodies. The relationships require coordination to support consistent practice across regulations.

Limitations and Challenges

The Notified Body framework faces substantive limitations and challenges that warrant direct treatment.

Capacity development has been the substantive challenge in recent EU regulatory implementation including MDR and is expected to be challenge for AI Act. Building Notified Body capacity for new substantial regulation takes time that may not match regulatory implementation timeline. The pattern produces tension between regulatory ambition and operational capability.

Methodology development for new technical areas requires substantial work. AI Act Notified Bodies need methodology for assessing AI systems that did not exist in prior conformity assessment work. The development takes time and produces variance across Notified Bodies during the development period.

Cross-Notified Body consistency is substantively difficult. Different Notified Bodies may interpret regulatory requirements differently, may apply methodology differently, and may produce different conclusions on similar assessments. The coordination infrastructure addresses this but does not eliminate the underlying variance.

Cost and timeline implications for operators are substantial. Notified Body engagement adds substantial cost and time to product approval; the impact disproportionately affects smaller operators with less compliance infrastructure. The framework can become barrier to entry that affects competitive dynamics.

The relationship between Notified Body assessment and substantive safety has been contested in some contexts. Notified Body certification establishes that conformity assessment procedures were followed; whether the underlying products are actually safe depends on the rigor of assessment and the adequacy of the conformity requirements themselves.

External oversight of Notified Bodies has produced specific findings affecting framework integrity. Joint assessments by Commission and Member States have identified specific Notified Body concerns; the oversight infrastructure produces ongoing development but the variance affects operator experience.

The framework operates within EU market context that may not extend cleanly to international practice. Notified Body certification supports EU market access; international markets may require different conformity assessment infrastructure that operators navigate separately.

What Notified Bodies Do Not Do

The framework has real limits.

Notified Bodies do not develop the standards or regulations they assess against. The detailed treatment of standards development appears in Standards Bodies. Notified Bodies assess products against requirements developed elsewhere; they implement assessment of given requirements rather than developing the requirements themselves.

Notified Bodies do not have regulatory authority. Notified Body certification is not regulation; it is third-party conformity assessment that supports regulatory compliance. Regulatory authority remains with Member State competent authorities and the European Commission.

Notified Bodies do not guarantee safety. The certification establishes that conformity assessment procedures were followed and substantive assessment found the product met the assessment criteria. Substantive safety depends on the adequacy of the requirements and the rigor of assessment beyond the formal procedures.

Notified Bodies do not replace market surveillance. Post-market surveillance by national market surveillance authorities operates alongside Notified Body pre-market and surveillance work. The two work together with different specific responsibilities.

Notified Bodies do not address all relevant product considerations. Conformity assessment addresses what regulations require; broader considerations including ethical considerations, market positioning, and societal effects are not within the conformity assessment scope.

Notified Bodies do not extend cleanly beyond EU market. The framework supports EU market access; international market requirements operate through different infrastructure. Multi-market operators navigate multiple frameworks rather than relying on EU certification for global market access.

The Reframe

Notified Bodies are third-party conformity assessment bodies designated by EU Member States to assess product conformity with EU regulations including the AI Act. The bodies operate within institutional structure including Member State designation, NANDO database maintenance by the Commission, accreditation through national accreditation bodies operating under EA framework, coordination through specific regulation coordination groups, and ongoing oversight including Commission engagement and surveillance authority interaction. The accreditation requirement against ISO/IEC 17000-series standards supports body competence and independence. The conformity assessment procedures across Modules A through H provide structured methodology that bodies implement; AI Act conformity assessment includes both procedures requiring third-party Notified Body involvement and procedures permitting internal assessment. The medical device sector experience under MDR provides substantial operational reference for AI Act Notified Body framework development, with capacity challenges, methodology development, and coordination infrastructure all paralleling expected AI Act implementation dynamics. Notified Body ongoing surveillance role extends beyond initial certificate issuance through periodic surveillance, change management, certificate suspension or withdrawal authority, and incident response. Notified Body selection and engagement involves scope of designation, competence, capacity, timeline, cost, documentation preparation, and ongoing relationship considerations. Limitations and challenges include capacity development, methodology development for new technical areas, cross-Notified Body consistency, cost and timeline implications, the relationship between certification and substantive safety, external oversight findings, and framework boundaries beyond EU market. The framework has real limits including not developing the standards assessed against, not having regulatory authority, not guaranteeing safety, not replacing market surveillance, not addressing all product considerations, and not extending cleanly beyond EU market. The work of building adequate Notified Body capacity and methodology for AI Act implementation is one of the substantive institutional projects the EU AI framework requires, with substantial development continuing alongside the broader AI Act implementation timeline.

Related Coverage

Compliance & Conformity | EU AI Act Conformity Assessment | Standards Bodies | Regulatory Frameworks