EuroComply
Sign up
AI Act

Notified Body

A notified body is a third-party conformity assessment organisation that has been designated by an EU member state authority and formally notified to the European Commission as competent to carry out specific conformity assessment procedures on behalf of commercial operators. Notified bodies are the institutional mechanism through which the EU delivers independent technical verification of product compliance across a wide range of regulations — from medical devices and pressure equipment to the EU AI Act. For the EU AI Act, notified bodies play a role in the conformity assessment of specific high-risk AI systems that cannot rely on the self-assessment route. Under Article 43, AI systems listed in Annex III paragraphs 1(a) — AI systems intended to be used for the real-time remote biometric identification of natural persons in publicly accessible spaces — require a third-party conformity assessment by a notified body. Other systems may also require notified body involvement if they are safety components of products subject to third-party assessment under other EU product safety legislation. A notified body is not a government agency: it is an accredited private or public organisation that has been evaluated by the national accreditation body — such as DAkkS in Germany or COFRAC in France — and found to meet the competence, impartiality, and independence requirements set out in the AI Act and in ISO/IEC 17065. Notified bodies are listed in the NANDO database maintained by the European Commission, and providers must use a notified body from this registry. The process of engaging a notified body involves submitting technical documentation, application documentation, and potentially sample systems for evaluation. The notified body issues a certificate valid for a defined period, subject to surveillance audits. The certificate is required before the CE mark can be affixed and before the system can be registered in the EU AI Act database. For an EU SME developing a biometric identification AI system, selecting and engaging a notified body early in the development lifecycle is essential — lead times can be substantial. Placing a system that requires notified body assessment on the market without such assessment can attract fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act

Official regulation guide

AI Act Compliance Guide →

Related terms

EU AI Act

Regulation (EU) 2024/1689, known as the EU AI Act, is the world's first comprehensive horizontal legal framework for artificial intelligence. Published in the Official Journal of the EU on 12 July 2024, it entered into force on 1 August 2024 and applies in phases over a 36-month transition period. The regulation applies to providers who place AI systems on the EU market or put them into service in the EU, regardless of whether the provider is established inside or outside the Union. It also applies to deployers — organisations that use AI systems in a professional context — when those systems are classified as high-risk. The Act classifies AI systems into four risk tiers. Unacceptable-risk practices (Article 5) are prohibited outright and have applied since 2 February 2025. Limited-risk systems — such as chatbots — carry transparency obligations requiring users to be informed they are interacting with AI. Minimal-risk systems face no mandatory requirements. High-risk systems, defined in Article 6 and Annex III, are the Act's main regulatory target: they must meet requirements covering risk management, training data governance, technical documentation (Annex IV), logging, transparency, human oversight, accuracy, and robustness before being placed on the market. For EU SMEs, the most pressing deadline is 2 August 2026, when obligations for high-risk AI systems under Annex III fully apply. If your business uses AI in hiring decisions, creditworthiness assessment, access to essential services, or safety-critical operations, you are almost certainly in scope. The Act also introduces requirements for General Purpose AI models (Chapter V) — large foundational models such as those underlying popular AI tools. Penalties are steep: up to €35 million or 7% of global annual turnover for deploying prohibited AI, up to €15 million or 3% for violations of other obligations, and up to €7.5 million or 1.5% for supplying incorrect information to regulators. See the AI Act compliance guide at eurocomply.app/regulations/ai-act

High-Risk AI System

The EU AI Act's concept of a high-risk AI system is the regulation's central regulatory category — it is where the vast majority of substantive obligations sit, and where most compliance effort for commercial AI applications must be focused. High-risk AI systems are defined in Article 6 and Annex III, and the classification has two tracks. The first track covers AI systems that are themselves safety components of products subject to existing EU product safety legislation — such as the Machinery Regulation, the Medical Devices Regulation, or the Radio Equipment Directive — where those products require a third-party conformity assessment. The second track, which is far broader in commercial significance, covers AI systems in eight use-case categories listed in Annex III: biometric identification and categorisation of natural persons; management and operation of critical infrastructure; education and vocational training; employment, workers management, and access to self-employment; access to and enjoyment of essential private and public services and benefits; law enforcement; migration, asylum, and border control management; and administration of justice and democratic processes. With certain exceptions for narrow or low-risk applications, an AI system that falls into these Annex III categories is presumed high-risk. Before deploying such a system, providers must implement a risk management system under Article 9; use high-quality training, validation, and testing datasets under Article 10; produce and maintain Annex IV technical documentation under Article 11; build in automatic event logging under Article 12; ensure transparency to deployers under Article 13; design for effective human oversight under Article 14; achieve appropriate levels of accuracy, robustness, and cybersecurity under Article 15; and — for providers — complete a conformity assessment and register the system in the EU database before placing it on the market. For an EU SME deploying AI, the critical threshold question is whether the system materially influences an outcome that significantly affects a person's access to employment, services, education, or similar consequential domains. Getting this classification wrong — deploying a system that should be classified as high-risk without the required documentation and assessment — can result in fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act

Annex IV Technical Documentation

Annex IV of the EU AI Act specifies the technical documentation that providers of high-risk AI systems must draw up and maintain under Article 11. This documentation is the evidentiary record that demonstrates a high-risk AI system was designed, built, and validated in compliance with the Act's requirements. It must be kept up to date throughout the system's lifecycle and made available to national market surveillance authorities and notified bodies on request. The Annex IV documentation requirement is substantial. It must include: a general description of the AI system, including its intended purpose, the version placed on the market, and how it interacts with hardware and software; a detailed description of the design specifications, including general logic, key design choices, the assumptions made, and the limitations of the system; a description of the system architecture and processes involved in developing and monitoring the system; a description of the training and testing methodologies used, including the datasets used and the validation approach; a description of the technical measures for human oversight under Article 14; a copy of the EU declaration of conformity; detailed information on the monitoring, functioning, and control of the AI system; and the results of all tests carried out to demonstrate conformity with Article 15 requirements on accuracy, robustness, and cybersecurity. For a provider deploying an AI system under its own name, this documentation must exist before the system is placed on the EU market or put into service. For deployers using a third-party high-risk system, the documentation obligation sits with the original provider, but deployers must be able to obtain it and understand it sufficiently to fulfil their own obligations around human oversight and monitoring. For an EU SME developing AI products in the high-risk categories, Annex IV documentation is best treated as a continuous engineering artefact rather than a compliance document produced after the fact. Regulators evaluating a system will look for evidence that the documentation reflects actual design decisions, not post-rationalisation. Failure to produce adequate technical documentation — or producing documentation that is found to be misleading — can attract fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act

Conformity Assessment

Conformity assessment is the process by which a high-risk AI system is evaluated against the requirements of the EU AI Act before it is placed on the market or put into service in the EU. It is a mandatory gate through which all high-risk AI systems must pass, and it results in the provider drawing up an EU declaration of conformity and affixing a CE mark to the system (or its documentation, where the physical product does not accommodate marking). The EU AI Act provides two routes to conformity assessment. The first, available for most high-risk AI systems listed in Annex III, is internal conformity assessment — sometimes called self-assessment. The provider carries out its own assessment, working through a checklist of the Act's requirements, generating Annex IV technical documentation, and drawing up the declaration of conformity. This self-assessment route mirrors the approach used for many CE-marked products and places the entire burden of demonstrating compliance on the provider. The second route applies to AI systems listed in Annex III paragraphs 1(a) — remote biometric identification systems intended to be used in publicly accessible spaces — and paragraph 6 when used by law enforcement. These systems require third-party assessment by a notified body: an independent, accredited conformity assessment organisation designated by an EU member state and notified to the European Commission. The notified body examines the technical documentation, audits processes, and issues an EU-type examination certificate if the system meets the requirements. For an EU SME, understanding which route applies to your specific AI system is the critical first step. Even for self-assessed systems, the documentation burden is substantial and the declaration of conformity is a legal statement for which the provider takes direct responsibility. Market surveillance authorities can challenge conformity assessments, require additional evidence, and in cases of non-conformity order withdrawal from the market and suspension of services. Placing a non-conforming high-risk AI system on the market can attract fines of up to €15 million or 3% of global annual turnover. See the AI Act compliance guide at eurocomply.app/regulations/ai-act

← All glossary terms