Article 28 of Regulation (EU) 2024/1689 — Notifying authorities. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 28 of Regulation (EU) 2024/1689 (the EU AI Act) establishes the framework for notifying authorities — the national bodies responsible for designating, monitoring, and overseeing conformity assessment bodies (notified bodies) that evaluate high-risk AI systems.
Under Article 28, each Member State must designate at least one notifying authority responsible for: establishing and carrying out the procedures required for the assessment and designation of conformity assessment bodies; notifying those bodies to the European Commission and to other Member States; and providing ongoing monitoring of notified bodies to ensure continued compliance with the requirements set out in Article 31.
The notifying authority must be structured so as to avoid conflicts of interest with the conformity assessment bodies it oversees. It must be operationally independent from those bodies and must have sufficient technical competence and resources to perform its functions effectively. Member States may assign the notifying authority role to an existing national body — including a market surveillance authority — provided the necessary independence criteria are met.
Article 28 further requires notifying authorities to make information about their assessment and notification procedures publicly available, and to cooperate with the Commission and notifying authorities of other Member States, including through the Commission's electronic notification tool linked to the NANDO database. Any changes to a notification — including suspension, restriction, or withdrawal — must be communicated promptly through that system.
What This Means in Practice
Article 28 operates primarily at the Member State institutional level, but its practical implications ripple across providers of high-risk AI systems that require third-party conformity assessment before being placed on the EU market.
For Member State governments, the immediate obligation is administrative: each must formally designate or establish a notifying authority and communicate that designation to the Commission. Member States that have existing notified body infrastructure under sectoral harmonisation legislation (such as for medical devices under Regulation (EU) 2017/745, or machinery under Directive 2006/42/EC) will typically extend or adapt those structures to cover AI-specific requirements.
For providers of high-risk AI systems, the notifying authority is the gatekeeper for accessing accredited conformity assessment bodies. If a provider's system falls within Annex I categories requiring mandatory third-party conformity assessment, the provider must work with a notified body that has been formally designated by a national notifying authority and listed in the NANDO database. Providers should verify that any conformity assessment body they engage has current, valid notification covering the relevant AI system category.
In practice, a provider placing, for example, a biometric categorisation system or an AI-based safety component in industrial machinery on the EU market must:
- Identify whether their system triggers mandatory third-party conformity assessment.
- Select a notified body listed in NANDO under the relevant scope.
- Submit to the conformity assessment procedure overseen by that body.
- Ensure the notified body remains validly designated throughout the product lifecycle.
The notifying authority's monitoring function means that if a notified body loses its designation — due to non-compliance findings — any certificates it has issued may be affected, creating downstream compliance risk for providers holding those certificates.
Key Obligations
- Member States must designate a notifying authority: Each Member State is obligated to formally designate at least one national body as the notifying authority for AI conformity assessment bodies, and to communicate that designation to the European Commission.
- Independence requirement: The notifying authority must be organised so as to be operationally independent from the conformity assessment bodies it designates and monitors, avoiding any conflicts of interest.
- Competence and resources: Notifying authorities must possess sufficient technical expertise, staffing, and resources to carry out assessment, designation, and ongoing monitoring of notified bodies against the criteria in Article 31.
- Transparent procedures: Notifying authorities must make their assessment and notification procedures publicly available and must use the Commission's electronic notification tool (linked to the NANDO database) for all notifications, updates, suspensions, and withdrawals.
- Ongoing monitoring: Notifying authorities are responsible for continuous oversight of notified bodies to ensure they maintain the required competence and compliance; they must investigate complaints and take corrective action where deficiencies are found.
- Cross-border cooperation: Notifying authorities must cooperate with each other and with the Commission, sharing information relevant to the competence and conduct of notified bodies to maintain consistent standards across the single market.
Relationship to Other Articles
Article 28 is the structural foundation of Chapter 4 (Title III) and must be read together with the articles that immediately follow it. Article 29 specifies the detailed requirements that notifying authorities themselves must meet — including independence, impartiality, and absence of conflicts of interest. Article 30 governs the application process by which conformity assessment bodies seek notification, establishing what information must be submitted to and assessed by the notifying authority. Article 31 sets out the substantive requirements that notified bodies must satisfy for designation to be granted or maintained.
More broadly, Article 28 connects to Article 43, which specifies which high-risk AI systems in Annex I are subject to mandatory third-party conformity assessment — making notified bodies, and therefore notifying authorities, operationally relevant. The article also links to Article 74 and the broader market surveillance framework: notifying authorities and market surveillance authorities may be the same body, and their cooperation is essential for effective enforcement. The NANDO database infrastructure referenced in Article 28 underpins the transparency obligations that run throughout the conformity assessment chapters.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, triggering a phased application schedule with different deadlines across different obligations.
Article 28, as part of the institutional and governance framework for notified bodies, falls within the provisions applicable to high-risk AI systems under Annex I (systems covered by Union harmonisation legislation). The conformity assessment infrastructure — including the formal designation of notifying authorities — must be operational in time to support the application of high-risk obligations.
Key reference dates:
- 1 August 2024 — Regulation enters into force; Member States begin preparatory work on authority designation.
- 2 February 2025 — Prohibited AI practices under Article 5 become applicable; no direct impact on Article 28, but marks the beginning of phased enforcement.
- 2 August 2025 — GPAI model obligations (Title VIII) and governance provisions become applicable; Commission guidance on notified body procedures expected.
- 2 August 2026 — High-risk AI systems under Annex III (standalone high-risk systems, e.g. in employment, education, law enforcement) become subject to full obligations; notifying authorities must be fully operational by this date at the latest.
- 2 August 2027 — High-risk AI systems that are safety components of products already covered by Union harmonisation legislation (Annex I systems) become fully subject to the AI Act's conformity assessment requirements; this is the date by which the notifying authority and notified body infrastructure under Article 28 must be fully functional for legacy product categories.
Providers and national authorities should use the 2024–2026 window to identify the competent notifying authority in the relevant Member State and confirm that appropriately scoped notified bodies are available for their product category.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
A notifying authority is the national public body designated by each EU Member State to be responsible for setting up and carrying out the procedures necessary for the assessment, designation, notification, and monitoring of conformity assessment bodies (notified bodies) for high-risk AI systems. Each Member State must establish or designate one such authority under Article 28.
Notified bodies — overseen by notifying authorities — are relevant for high-risk AI systems listed in Annex I and certain systems in Annex III that are subject to third-party conformity assessment. This particularly includes AI systems intended to be used as safety components of products covered by Union harmonisation legislation (e.g. machinery, medical devices, lifts), where existing sectoral rules require notified body involvement.
Yes. Article 28 explicitly permits Member States to designate an existing national authority to fulfil the role of notifying authority, including a body that also carries out market surveillance functions, provided that body meets the independence and competence requirements set out in Article 28 and Article 29.
The European Commission may request clarification or remediation from the Member State. Persistent failures could trigger infringement proceedings under EU law. Notifying authorities must keep the Commission and other Member States informed of relevant changes to notified body designations, ensuring the NANDO (New Approach Notified and Designated Organisations) database remains accurate.
Notifying authorities operate as public administrative bodies and are subject to the national administrative law of their Member State and to EU oversight mechanisms. They are not directly subject to the fines regime applicable to private operators under Article 99, but their conduct can be scrutinised by the Commission and relevant EU institutions under the broader framework of Union law.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.