Article 31 — Requirements relating to notified bodies (EU AI Act)

Article 31 of Regulation (EU) 2024/1689 — Requirements relating to notified bodies. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 31 of Regulation (EU) 2024/1689 establishes the conditions that a conformity assessment body must satisfy before a Member State may notify it to the European Commission as a body competent to carry out third-party conformity assessments of high-risk AI systems.

The article imposes requirements across several dimensions. First, the body must be established under national law and have legal personality. Second, it must be independent of the AI systems it assesses, of their providers, and of any commercial, financial, or other pressure that could compromise its judgement; neither the body nor its staff may be the designer, developer, manufacturer, supplier, installer, purchaser, owner, user, or maintainer of the AI systems they assess. Third, the body and its staff must possess the necessary technical competence — including relevant experience with AI technologies and data practices — and must maintain that competence through continuous training. Fourth, the body must be financially sound and carry adequate liability insurance. Fifth, the body must have documented processes for handling conflicts of interest, for confidentiality of information obtained during assessment, and for protecting the interests of providers and third parties. Finally, the body must participate in coordination activities at Union level and cooperate with market surveillance authorities and notifying authorities.

Where a notified body subcontracts tasks or uses a subsidiary, it must ensure those entities meet the same requirements and retains full liability for their work.

What This Means in Practice

Article 31 is primarily directed at conformity assessment bodies seeking notified-body status, and at the national notifying authorities responsible for evaluating and designating them. It does not impose direct obligations on AI providers, but its requirements shape the ecosystem in which providers must operate.

For conformity assessment bodies, compliance with Article 31 means undertaking a comprehensive internal readiness exercise before applying for notification. This includes conducting a structural review to verify independence from providers and supply chains, recruiting or retraining staff with hands-on expertise in machine learning, data governance, and the specific application domain of the AI systems to be assessed (for example, medical devices, biometric systems, or critical infrastructure). Bodies must put in place documented management systems covering confidentiality, conflict of interest, and quality assurance, and must secure appropriate professional liability insurance.

For AI providers of high-risk systems that require a third-party conformity assessment under Article 43 — for instance, systems listed in Annex III for which no harmonised standard covers the full requirements — choosing a notified body means verifying that the body is duly listed in the NANDO database and that its scope of notification covers the relevant AI application sector. Providers should also verify the body's sub-contracting arrangements and confirm that subsidiary assessors are themselves compliant.

National notifying authorities must build evaluation frameworks that test applicants rigorously against each Article 31 criterion and must put in place monitoring procedures to verify ongoing compliance after notification, since continued satisfaction of these requirements is a condition of maintaining notified status.

Key Obligations

• Independence and impartiality: The notified body, its senior management, and the staff responsible for carrying out conformity assessment tasks must not be the designer, developer, manufacturer, supplier, or user of the AI systems they assess, and must be free from any influence — commercial, financial, or otherwise — that could affect their objectivity.
• Technical competence: The body must demonstrate sufficient knowledge and experience in AI technologies, data and data governance, cybersecurity, and the specific application domain of the systems it is notified to assess, and must ensure staff undergo ongoing training to keep pace with technological developments.
• Legal personality and financial stability: The body must be a legally constituted entity under national law and must be able to demonstrate financial health and hold adequate liability insurance to cover its assessment activities.
• Documented management systems: The body must operate documented procedures for handling conflicts of interest, protecting the confidentiality of commercially sensitive information, and managing complaints and appeals from providers.
• Subcontracting and subsidiary rules: Where tasks are subcontracted or delegated to a subsidiary, the notified body must verify that the subcontractor or subsidiary satisfies all Article 31 requirements, must inform the provider before subcontracting, and retains full legal responsibility for the outputs.
• Cooperation and participation: The notified body must cooperate with national market surveillance authorities and notifying authorities, and must participate in Union-level coordination groups established for notified bodies under the AI Act framework.

Relationship to Other Articles

Article 31 sits within Title III, Chapter 4, which governs the entire notifying authority and notified body framework. It must be read together with Article 28, which defines the obligations of notifying authorities, Article 29, which sets the requirements for notification applications and the Commission notification procedure, and Article 30, which addresses the establishment and tasks of notifying authorities at national level.

Downstream, Article 31 connects directly to Article 33, which specifies the operational obligations of notified bodies once designated — including their duty to carry out assessments in accordance with Articles 43 and 44 — and to Article 44, which governs the certificates issued by notified bodies and the conditions for their suspension or withdrawal. Article 43 determines precisely when third-party conformity assessment by a notified body is mandatory versus when a provider may rely on internal control. Article 49 on the EU declaration of conformity and Article 50 on CE marking are the downstream outputs that depend on a valid notified-body certificate where one is required.

Compliance Timeline

Regulation (EU) 2024/1689 entered into force on 1 August 2024. The EU AI Act applies in phased stages:

• 2 February 2025: Prohibitions on unacceptable-risk AI practices (Title II) began to apply.
• 2 August 2025: Rules on general-purpose AI models (Title VIII) and governance obligations for Member States became applicable.
• 2 August 2026: The main obligations for high-risk AI systems listed in Annex III — including conformity assessment requirements under Article 43, and therefore the operational requirements for notified bodies under Article 31 — become fully applicable.
• 2 August 2027: Extended deadline for certain high-risk AI systems that are also safety components of products already subject to Union harmonisation legislation listed in Annex I (such as medical devices and machinery).

In practical terms, conformity assessment bodies wishing to be operational on 2 August 2026 must have begun their application process well before that date, given the time required for national evaluation and formal notification to the Commission. Member States were therefore expected to have their notifying authority frameworks and evaluation procedures in place by mid-2025 at the latest.