February 2, 2026

Notified Bodies Under the EU AI Act: The Gatekeepers You Haven’t Met Yet

I want to tell you about a conversation that made me realise how few people in the AI industry understand what’s coming.

Last week I was at a dinner in Brussels with a group of startup founders. Sharp people. Most of them had already done their AI system inventory, classified their products by risk tier, and started on technical documentation. They were ahead of the curve.

Then someone asked: “So who actually checks all this? Who verifies that our conformity assessment is real?”

Silence.

One founder said, “It’s self-assessment, right? We just… declare we’re compliant and move on?”

For most high-risk AI systems, yes — the conformity assessment is internal. You assess yourself against the requirements, document it, and declare conformity.

But there’s a critical exception that a lot of companies are about to discover the hard way: if your AI system involves remote biometric identification, or if it’s embedded in a product that already requires third-party certification under EU product safety law, your self-assessment isn’t enough. You need a notified body.

And here’s the problem: as of March 2026, the notified body ecosystem for AI is still being built. Designation processes are ongoing across member states. Capacity is limited. Timelines are uncertain. And the August 2026 deadline isn’t moving.

If you need a notified body and you haven’t engaged one yet, you’re already late.

What Is a Notified Body?

A notified body is an independent, third-party organisation officially designated by an EU member state to perform conformity assessment procedures for regulated products. They’re the entities that certify your product meets EU requirements before you can put it on the market.

If you’ve worked in medical devices, machinery, radio equipment, or any sector covered by EU product safety legislation, you know notified bodies. They’re the reason a pacemaker can’t be sold in Europe without independent certification. The AI Act applies the same concept to certain categories of high-risk AI systems.

| Aspect | What It Means |
| --- | --- |
| Independent | Must operate independently from AI providers, deployers, and any stakeholder that could compromise objectivity |
| Third-party | Not you, not your customer, not your investor — an external organisation with no commercial interest in your product |
| Designated by a member state | Each EU country has a “notifying authority” that evaluates and designates organisations as notified bodies |
| Performs conformity assessment | Reviews your technical documentation, quality management system, and AI system design against AI Act requirements |
| Issues certification | Authorises CE marking, enabling you to legally place your AI system on the EU market |
| Maintains ongoing oversight | Monitors your continued compliance through surveillance activities, audits, and incident investigation |

When Do You Need a Notified Body Under EU AI Act?

This is the question that matters most. The answer depends on what kind of AI system you’re building and how it’s classified.

| Scenario | Conformity Assessment Route | Notified Body Required? |
| --- | --- | --- |
| High-risk AI system under Annex III (credit scoring, recruitment, education, etc.) | Internal conformity assessment (self-assessment) per Annex VI | No — you assess yourself |
| Remote biometric identification system (regardless of whether real-time or post) | Third-party conformity assessment per Annex VII | Yes |
| AI system that is a safety component of a product regulated by Annex I legislation (medical devices, machinery, vehicles, etc.) AND the product legislation requires third-party assessment | Conformity assessment under the relevant product legislation | Yes — through a notified body designated under that product legislation |
| AI system where the provider voluntarily requests third-party assessment | Third-party conformity assessment | Yes — any provider can choose this route even if not required |
| GPAI model (standard or systemic risk) | No conformity assessment — separate GPAI compliance framework | No |
| Limited risk AI system (chatbots, deepfake generators) | No conformity assessment — transparency obligations only | No |
| Minimal risk AI system | No obligations | No |

The critical takeaway: most companies won’t need a notified body. The vast majority of high-risk AI systems under Annex III — credit scoring, recruitment, education, law enforcement, insurance — use internal self-assessment. You don’t need anyone’s permission. You assess, document, declare conformity, affix CE marking, and register.

But if your AI involves biometrics or sits inside a regulated product, you’re in notified body territory. And that changes everything — your timeline, your costs, and your market access strategy.

The Two Routes to Third-Party AI Assessment

Route 1: Biometric AI Systems (Annex VII)

If you build AI for remote biometric identification — whether real-time or post-event — you need a notified body designated specifically under the AI Act. This is an AI Act-specific requirement, separate from any product legislation.

The notified body will assess:

| What They Review | What They’re Looking For |
| --- | --- |
| Technical documentation | Comprehensive Annex IV documentation covering design, architecture, training data, testing methodology, risk management, and performance characteristics |
| Quality management system | Your documented QMS covering compliance strategy, development procedures, data management, testing, post-market monitoring, incident reporting, and accountability |
| Risk management system | Continuous, iterative risk identification, assessment, and mitigation throughout the system lifecycle |
| Data governance | Training, validation, and testing data quality, representativeness, and bias assessment |
| Human oversight design | Technical measures enabling effective human oversight of the biometric system |
| Accuracy and robustness | Performance metrics, error rates, and resilience against adversarial attacks |
| Cybersecurity | Protections against unauthorised access, manipulation, and data breach |

The assessment procedure under Annex VII involves two options. The provider can choose either a quality management system assessment combined with technical documentation assessment, or a type examination combined with production quality assurance. In both cases, the notified body conducts an initial assessment and then maintains ongoing surveillance.

Route 2: Product-Embedded AI (Annex I Legislation)

If your AI system is a safety component of a product covered by EU harmonisation legislation — medical devices, machinery, vehicles, radio equipment, lifts, marine equipment — the conformity assessment follows the rules of that product legislation, not the AI Act’s own procedures.

This means:

| Product Category | Relevant Legislation | Notified Body Designation |
| --- | --- | --- |
| Medical devices (including AI diagnostics) | Medical Devices Regulation (EU) 2017/745 | Notified body designated under MDR |
| In vitro diagnostic devices | IVDR (EU) 2017/746 | Notified body designated under IVDR |
| Machinery (including AI-controlled robots) | Machinery Regulation (EU) 2023/1230 | Notified body designated under Machinery Regulation |
| Radio equipment | Radio Equipment Directive 2014/53/EU | Notified body designated under RED |
| Civil aviation | Various aviation safety regulations | EASA and designated aviation bodies |
| Motor vehicles | Vehicle type-approval regulations | Notified body designated under type-approval legislation |

The Digital Omnibus clarifies that when a high-risk AI system is both subject to product regulation (Annex I) and classified as a high-risk Annex III use case, the conformity assessment under the product regulation takes precedence. You don’t do two separate conformity assessments — one covers both.

EU AI Act Notified Bodies: The Current State of Play

Let me be direct about where things stand, because this is where most guides are too diplomatic.

The notified body ecosystem for the AI Act is not ready.

The designation process commenced on 2 August 2025. As of March 2026, here’s the reality:

| Status | Detail |
| --- | --- |
| Member state notifying authorities | Only three member states have fully designated both notifying and market surveillance authorities. Ten have partial clarity. Fourteen have yet to designate any competent authority. |
| Notified body designation | Ongoing. Conformity assessment bodies are submitting applications, but the evaluation and designation process takes time — potentially 6-12 months per applicant. |
| Available AI-specific notified bodies | Very few, if any, have been fully designated specifically for AI Act conformity assessment as of early 2026. |
| Existing product notified bodies | Bodies already designated under MDR, Machinery Regulation, etc. can assess AI components within their existing scope — but may need additional AI-specific competence. |
| Capacity | Industry estimates suggest hundreds of high-risk AI systems will need assessment. Current capacity is a fraction of anticipated demand. |
| Harmonised standards | CEN/CENELEC standards for AI Act compliance are still under development. Without finalised standards, notified bodies lack the definitive benchmarks for assessment. |

This is why the Digital Omnibus exists. The Commission recognises that the infrastructure isn’t ready — harmonised standards aren’t published, notified bodies aren’t designated in sufficient numbers, and many member states haven’t established their competent authorities.

The proposed deadline extension to December 2027 (Annex III) and August 2028 (Annex I) is a direct response to this reality.

But the Omnibus isn’t adopted yet. Plan for August 2026. Get a demo. Be safe.

Industry Examples: Who Needs a Notified Body and Who Doesn’t

Credit Scoring (Banking) — No Notified Body Needed

Your AI credit scoring system is high-risk under Annex III (5b). But the conformity assessment is internal — self-assessment per Annex VI. You don’t need a notified body. You assess your own system against the requirements, document everything, declare conformity, affix CE marking, and register in the EU database.

This doesn’t mean it’s easy. Self-assessment requires rigorous documentation and honest evaluation. But you control the timeline and the process.

Facial Recognition for Building Access (Biometrics) — Notified Body Required

You build an AI system for remote biometric identification at secure facilities. This is explicitly listed as requiring third-party conformity assessment under Annex VII. You need a notified body.

The challenge: finding a designated notified body with AI-specific competence, in a market where designation processes are still ongoing. Start looking now. Expect 9-24 months for the full assessment process.

AI Diagnostic Tool (Medical Device) — Notified Body Required

Your AI system analyses medical images to assist clinical diagnosis. This is a medical device under the MDR and a high-risk AI system under both Annex I and potentially Annex III. You need a notified body designated under the MDR.

The good news: MDR notified bodies already exist and are operational. The challenge: they need to assess AI-specific requirements in addition to MDR requirements. Your conformity assessment needs to satisfy both frameworks. Engaging a notified body with AI expertise in medical devices is critical — not all MDR notified bodies have built this capability yet.

AI Recruitment Platform (HR Tech) — No Notified Body Needed

Your AI screens CVs and ranks candidates. Employment is high-risk under Annex III (category 4). But the conformity assessment is self-assessment. No notified body required.

However: if your recruitment platform includes video interview analysis with biometric processing (facial recognition to verify candidate identity), the biometric component may trigger the notified body requirement — even though the recruitment component alone wouldn’t.

AI in Autonomous Vehicles (Automotive) — Notified Body Required

Your AI is a safety component of a vehicle’s autonomous driving system. This falls under Annex I, covered by vehicle type-approval regulation. You need a notified body designated under the relevant automotive safety legislation.

Automotive type-approval bodies are well-established, but AI-specific assessment methodologies within automotive are still maturing. Engage early and expect iterative dialogue with the notified body about how AI-specific requirements map onto existing automotive safety frameworks.

AI Chatbot for Customer Service — No Notified Body Needed

Your chatbot handles customer enquiries on a website. This is limited risk — transparency obligations only. No conformity assessment. No notified body. Just make sure users know they’re talking to AI.

How the Notified Body AI Assessment Works

For companies that do need a notified body, here’s what the process looks like in practice:

| Phase | What Happens | Typical Duration |
| --- | --- | --- |
| 1. Selection | Identify and engage an appropriate notified body. Verify their designation covers your AI system type. | 1-3 months |
| 2. Application | Submit your application with technical documentation, QMS documentation, and system description. | 1 month |
| 3. Documentation review | The notified body reviews your technical documentation against AI Act requirements. Questions, clarifications, requests for additional information. | 3-6 months |
| 4. On-site audit | Physical or remote audit of your quality management system, development processes, and testing procedures. | 1-2 months |
| 5. System evaluation | Technical evaluation of the AI system itself — performance, accuracy, robustness, bias assessment. | 2-4 months |
| 6. Decision | The notified body issues its assessment. Pass, conditional pass with corrective actions, or fail. | 1 month |
| 7. Certification | If passed, the notified body issues a certificate and authorises CE marking. | Immediate upon decision |
| 8. Ongoing surveillance | Regular audits, documentation reviews, and monitoring throughout the system’s operational life. | Continuous |

Total estimated timeline: 9-24 months from engagement to certification, depending on system complexity, documentation readiness, and notified body capacity.

This is why “start now” is not paranoia — it’s arithmetic.

Best Practices for Working with Notified Bodies Under EU AI Act

| Practice | Why It Matters |
| --- | --- |
| Determine your conformity assessment route immediately | If you need a notified body, your timeline just doubled. Know this now, not in June. |
| Engage notified bodies early | Capacity is limited. Early engagement secures your place in the queue and gives the body time to understand your system. |
| Prepare your documentation before engagement | Walking into a notified body with incomplete documentation wastes everyone’s time and extends your timeline. Have Annex IV documentation, QMS, and risk management files ready. |
| Choose a notified body with relevant domain expertise | A body experienced in medical devices may not understand recruitment AI, and vice versa. Sector-specific expertise accelerates the process. |
| Build your QMS to notified body standards from the start | If you know you’ll need third-party assessment, design your QMS with that scrutiny in mind. Retrofitting a QMS to survive an audit is painful. |
| Don’t treat self-assessment as a lower bar | Even if you don’t need a notified body, your self-assessment must be thorough, honest, and documented. A market surveillance authority can review your self-assessment at any time — and if it’s superficial, you’re in trouble. |
| Monitor the Digital Omnibus | If adopted, deadline extensions give you more time — but don’t guarantee notified body availability will improve at the same rate. |
| Consider voluntary third-party assessment | Even if not required, a voluntary notified body assessment adds credibility and may ease conversations with enterprise customers, regulators, and investors. |

How EYREACT Can Help

Whether you’re heading for self-assessment or notified body certification, EYREACT’s platform generates the documentation, evidence, and audit trail that assessors expect. Living Compliance Binders map every requirement to evidence. The Rule Engine validates completeness before you submit. Gap analysis tells you what’s missing before an assessor does.

Walk into your conformity assessment — internal or third-party — with everything in order. Don’t delay and book a demo!

FAQ

Do most companies need a notified body for AI Act compliance?

No. The majority of high-risk AI systems under Annex III (credit scoring, recruitment, education, insurance, law enforcement) use internal self-assessment. Notified body involvement is mandatory only for remote biometric identification systems and for AI systems embedded in products that already require third-party certification under EU product legislation.

How many notified bodies are currently designated for the AI Act?

As of March 2026, the designation process is ongoing. Very few bodies have been fully designated specifically for AI Act conformity assessment. Existing notified bodies under product legislation (MDR, Machinery Regulation, etc.) can assess AI components within their existing scope, but AI-specific designation remains limited. This is a known bottleneck that the Digital Omnibus aims to address through extended timelines.

How long does a notified body assessment take?

Estimates range from 9 to 24 months from initial engagement to certification, depending on system complexity, documentation readiness, and the notified body’s capacity. For straightforward self-assessments (no notified body), plan for 3-6 months if you’ve been building compliance artefacts alongside development.

How much does a notified body assessment cost?

Costs vary significantly by system complexity, assessment scope, and the notified body’s pricing. For medical device AI, costs comparable to existing MDR assessments (€50K-€300K+) are expected. For AI-specific biometric assessments, market pricing is still emerging. Budget early and request quotes from multiple bodies.

Can I choose any notified body in any EU member state?

You can choose any notified body designated for the relevant assessment scope, regardless of which member state designated them. However, practical considerations matter — language, proximity for on-site audits, and domain expertise. Check the EU’s NANDO database for designated bodies and their scope of competence.

What if no notified body is available for my AI system type?

This is a real risk in 2026, particularly for AI-specific designations. If no designated body is available, you technically cannot complete the mandatory third-party assessment and therefore cannot legally place the system on the EU market. The Digital Omnibus addresses this by linking enforcement deadlines to the availability of compliance support tools, including notified body capacity.

What’s the difference between a notified body and a market surveillance authority?

The notified body operates pre-market — they assess your system before you can sell it. The market surveillance authority operates post-market — they monitor the market, investigate complaints, and enforce compliance after systems are deployed. Different organisations, different functions, different stages of the lifecycle.

Can a notified body also provide compliance consulting?

No. Notified bodies must be independent and impartial. They cannot provide consulting advice on how to achieve compliance — that would compromise their assessment objectivity. They can clarify requirements and explain what’s expected, but they cannot tell you how to design your system to pass. Separate your compliance consultants from your certification body.

If I self-assess now, can a market surveillance authority challenge my assessment later?

Yes. Self-assessment doesn’t mean no oversight. Market surveillance authorities can request your conformity assessment documentation at any time, review it, and determine that your assessment was inadequate. If they disagree with your self-assessment, they can require corrective actions, restrict market access, or impose penalties. Take self-assessment seriously.

Does the Digital Omnibus change the notified body requirements?

The Digital Omnibus proposes extending deadlines, which gives more time for notified body designation and capacity building. It also clarifies that when an AI system is subject to both Annex I product legislation and Annex III use case classification, the product legislation conformity assessment takes precedence. It does not change which systems require notified body involvement.

This article is for informational purposes only and does not constitute legal advice. Organisations should seek qualified legal counsel for jurisdiction-specific compliance guidance.