Article 33 of Regulation (EU) 2024/1689 — Subsidiaries of notified bodies and subcontracting. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 33 of Regulation (EU) 2024/1689 governs the conditions under which notified bodies may delegate conformity assessment activities to subsidiaries or external subcontractors. The article establishes that a notified body wishing to subcontract specific conformity assessment tasks or use a subsidiary to carry out such tasks must first obtain the client's consent to that arrangement.
Where subcontracting or subsidiary arrangements are used, the notified body is required to ensure that the subcontractor or subsidiary meets the same requirements established for notified bodies in respect of the specific tasks being delegated. This obligation mirrors the qualification, impartiality, and operational requirements set out elsewhere in Chapter 4 of Title III.
Crucially, Article 33 places unambiguous responsibility on the notified body: it must take full responsibility for the work carried out by subcontractors and subsidiaries, regardless of where those entities are established — whether within the EU or in a third country. The notified body is also required to keep at the disposal of its notifying authority all relevant documentation concerning the assessment of the subcontractor's or subsidiary's qualifications and the work performed by those entities under the delegation.
This article ensures that the delegation of conformity assessment tasks cannot be used to circumvent the stringent requirements that notified bodies themselves must satisfy, and that accountability remains concentrated at the level of the body formally designated by the notifying authority.
What This Means in Practice
Article 33 directly affects notified bodies operating under the EU AI Act, their corporate parents, subsidiaries, and any third-party service providers they engage to perform portions of conformity assessment work for high-risk AI systems.
For a notified body seeking to scale its operations or leverage specialist expertise, subcontracting and the use of subsidiaries offers operational flexibility — but that flexibility comes with strict accountability requirements. Before engaging a subcontractor, the notified body must verify that the subcontractor satisfies the relevant qualification requirements applicable to notified bodies for those specific tasks. A general vendor contract is insufficient; a substantive compliance assessment of the subcontractor's competence and independence must be conducted and documented.
The client of the conformity assessment — typically the provider of the high-risk AI system — must explicitly consent to any subcontracting arrangement. In practice, this means that contractual agreements for conformity assessment services should address subcontracting upfront, specifying whether consent is granted in general or must be sought case by case.
For AI system providers undergoing third-party conformity assessment, Article 33 provides a right of transparency: they must know who is performing the assessment and have the opportunity to object. Providers should include subcontracting disclosure clauses in their agreements with notified bodies and verify that any subcontractors engaged are suitably qualified.
For notified bodies with international group structures, Article 33 is particularly relevant: work performed by a non-EU subsidiary on behalf of the notified body falls within scope, and the EU-based notified body remains accountable for the quality and compliance of that work.
Key Obligations
- Prior client consent: The notified body must obtain the conformity assessment client's explicit consent before subcontracting any task or using a subsidiary to perform conformity assessment activities.
- Equivalence of requirements: Subcontractors and subsidiaries must meet the same requirements that apply to the notified body itself for the specific conformity assessment tasks being delegated, including competence, impartiality, and operational standards.
- Full retained responsibility: The notified body retains complete legal and regulatory responsibility for all work performed by subcontractors and subsidiaries; this accountability cannot be transferred, delegated, or contractually disclaimed.
- Notification to notifying authority: The notified body must inform its notifying authority of subcontracting arrangements and subsidiary activities, and must make available all relevant documentation regarding the qualifications of subcontractors and the work they have performed.
- Documentation and record-keeping: The notified body must maintain comprehensive records of subcontractor qualification assessments and the outputs of delegated conformity assessment tasks, available to the notifying authority on request.
- Geographic scope: Obligations apply regardless of whether the subcontractor or subsidiary is established within the European Union or in a third country.
Relationship to Other Articles
Article 33 must be read in close conjunction with the broader framework for notified bodies established in Chapter 4 of Title III. Article 28 (Notified bodies) sets out the substantive requirements — including competence, independence, and impartiality — that subcontractors and subsidiaries must satisfy under Article 33. Article 29 (Independence of notified bodies) is equally relevant, since subcontracting arrangements must not compromise the impartiality of the conformity assessment process. Articles 30 and 31 govern the notification and designation process for notified bodies and inform what standards a body must meet to be eligible to perform conformity assessment tasks.
Article 43 (Conformity assessment procedures for high-risk AI systems) defines the scope of conformity assessment activities that notified bodies are called upon to perform, and therefore the activities to which Article 33 subcontracting rules apply. Article 74 (Market surveillance) is also relevant, as market surveillance authorities may scrutinise whether notified bodies and their subcontractors have respected Article 33 obligations when investigating compliance failures.
Compliance Timeline
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. Article 33, as part of the framework governing notified bodies and their operational requirements, is subject to the general phased application schedule:
- 1 August 2024: Entry into force. The Regulation becomes binding EU law.
- 2 February 2025: Prohibitions on unacceptable-risk AI practices apply (Title II).
- 2 August 2025: Rules on general-purpose AI models (Title VIII) and governance provisions begin to apply.
- 2 December 2026: The conformity assessment framework — including the rules on notified bodies under Title III, Chapter 4, and therefore Article 33 — applies to high-risk AI systems listed in Annex I (safety-component systems regulated by Union harmonisation legislation).
- 2 August 2027: Full application of conformity assessment obligations for high-risk AI systems listed in Annex III, including the operational requirements under Article 33 for subcontracting and use of subsidiaries.
Notified bodies seeking designation under the EU AI Act should treat Article 33 compliance as part of their initial designation readiness, ensuring that subcontracting policies, subsidiary governance frameworks, and client contract templates reflect the article's requirements well before the relevant application dates.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Yes, but only under strict conditions. The notified body must obtain the conformity assessment client's consent, ensure the subcontractor meets the same requirements as notified bodies for the specific tasks, and retain full responsibility for the work performed. The notified body must also inform its notifying authority of the subcontracting arrangement.
Subsidiaries carrying out conformity assessment activities on behalf of a notified body must comply with the same requirements applicable to the notified body itself. The notified body must inform its notifying authority of the subsidiary's activities and take full responsibility for the work performed by subsidiaries.
The notified body retains full legal responsibility for the work performed by subcontractors and subsidiaries, regardless of their location within or outside the Union. The notified body cannot transfer or dilute its accountability through subcontracting or subsidiary arrangements.
Yes. Article 33 requires that the conformity assessment client's consent be obtained before subcontracting takes place. This ensures transparency and allows the client to assess whether the proposed subcontractor is appropriate for the tasks involved.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.