Article 34 of Regulation (EU) 2024/1689 — Operational obligations of notified bodies. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 34 of Regulation (EU) 2024/1689 sets out the operational obligations that notified bodies must comply with on a continuing basis once designated. The article requires notified bodies to perform conformity assessments in line with the procedures specified in Annex VII of the Regulation, ensuring consistency, impartiality, and technical rigour throughout the process.
Notified bodies are required to maintain, and make available upon request to the notifying authority, documented procedures covering all conformity assessment activities they carry out. They must employ sufficient numbers of personnel with the necessary competence, qualifications, and experience relevant to the specific types of AI systems and risk domains for which they are designated.
The article imposes a strict obligation of confidentiality: notified bodies and their staff must treat all information obtained in the course of their assessment activities as confidential, subject to obligations owed to the relevant national authority. Conflicts of interest must be systematically identified, documented, and avoided. Notified bodies are required to take out and maintain appropriate professional liability insurance commensurate with their activities.
Where a notified body subcontracts specific assessment tasks or relies on a subsidiary, it remains fully accountable for the quality and outcome of the work. Subcontractors must meet the same requirements as the notified body, and the provider subject to assessment must be informed of any subcontracting arrangement before it takes place.
Finally, notified bodies must participate in relevant coordination activities and cooperate with competent authorities, market surveillance authorities, and other notified bodies to ensure coherent application of the conformity assessment procedures across the Union.
What This Means in Practice
For organisations operating as or seeking to become notified bodies, Article 34 translates into a demanding and continuous compliance burden rather than a one-time designation exercise.
For notified bodies, the article means establishing and maintaining robust internal management systems that document every step of each conformity assessment. Staffing decisions must be driven by demonstrated technical competence specific to the AI domains covered — a notified body designated for medical AI systems, for instance, must be able to demonstrate that its assessors understand both AI methodology and the relevant medical device regulatory context. Personnel rosters, training records, and competence matrices will all be subject to scrutiny by the notifying authority.
Conflict-of-interest policies must go beyond paper commitments. Notified bodies must actively screen for relationships between their staff and the providers submitting for assessment, and must document the outcome of each screening. Where a conflict is identified, the affected personnel must be excluded from the relevant assessment.
On subcontracting, practical due diligence is required before any work is delegated: written agreements, competence verification, and advance notification to the AI system provider. The notified body cannot disclaim responsibility for subcontracted work if the assessment is later found to be deficient.
For providers of high-risk AI systems, Article 34 is largely procedural background — but it matters for selecting a notified body. Providers should verify that a candidate notified body holds a current designation scope covering their product category, carries adequate insurance, and has published transparent procedures. Providers also retain the right to be informed of subcontracting arrangements and may factor this into their assessment planning.
Notified bodies must also feed into the broader EU oversight architecture, sharing information with the European Artificial Intelligence Office and contributing to harmonised assessment standards as they develop.
Key Obligations
- Conformity assessment procedures: Notified bodies must conduct all assessments in accordance with the procedures laid down in Annex VII to the Regulation, maintaining documented processes for each assessment activity.
- Competence and staffing: Sufficient qualified personnel must be available at all times, with expertise matched to the specific type and risk domain of the AI systems for which the body is designated.
- Confidentiality: All information acquired in the course of conformity assessment activities must be kept confidential, except where disclosure is required by the relevant national authority or by Union law.
- Conflict-of-interest management: Notified bodies must systematically identify and exclude conflicts of interest, documenting the screening process for each assessment and ensuring impartiality at every stage.
- Professional liability insurance: Appropriate insurance must be maintained on an ongoing basis to cover the notified body's conformity assessment activities, providing recourse in the event of an erroneous or deficient assessment.
- Subcontracting and subsidiary use: Where tasks are subcontracted or delegated to a subsidiary, the notified body remains fully responsible, must verify subcontractor competence against the same standards, and must inform the provider before subcontracting takes place.
Relationship to Other Articles
Article 34 sits within Title III, Chapter 4 (Articles 28–39), which governs the full lifecycle of notified bodies — from designation through to monitoring and withdrawal. It builds directly on Article 33, which sets out the substantive requirements a body must meet to qualify for designation, and should be read alongside Article 35, which governs the conformity assessment process for high-risk AI systems in the product safety-regulated sectors listed in Annex II.
Article 43 (Conformity assessment) specifies when third-party notified body involvement is mandatory versus when a provider may self-assess, making it essential context for understanding the scope of Article 34 obligations. Article 44 addresses the certificates issued following assessment, while Article 45 governs the obligations of notified bodies in respect of those certificates once issued, including suspension and withdrawal.
Broader oversight accountability connects Article 34 to Article 70 (Confidentiality) and Articles 74–77 governing market surveillance authorities, since notified bodies must cooperate with surveillance activities and supply information to competent authorities on request.
Compliance Timeline
Regulation (EU) 2024/1689 entered into force on 1 August 2024, with application phased across several dates.
Article 34 falls within the framework governing high-risk AI systems subject to third-party conformity assessment. The relevant phased application dates are:
- 1 August 2024 — Entry into force. The Regulation became binding Union law; Member States began preparatory work on notifying authority structures.
- February 2025 — Prohibited AI practices (Article 5) became applicable. Notified body obligations were not yet active for most high-risk categories.
- August 2025 — GPAI model obligations became applicable. Notified body provisions remained in preparatory phase for high-risk systems.
- 2 August 2026 — Full application of Title III provisions, including Article 34, for high-risk AI systems listed in Annex III. Notified bodies must be operationally compliant and designated national notifying authorities must be fully functional by this date.
- 2 August 2027 — Extended deadline for high-risk AI systems covered by existing Union harmonisation legislation listed in Annex II, where those systems are placed on the market or put into service before August 2026.
Organisations seeking designation as notified bodies should have initiated the application process well in advance of August 2026, given that designation procedures require assessment by the national notifying authority and, where applicable, peer review involving the European Commission and other Member States.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Notified bodies must carry out conformity assessments in accordance with the procedures established in Annex VII, maintain sufficient qualified personnel, protect confidential information, carry professional liability insurance, and avoid conflicts of interest. They must also cooperate with national competent authorities and with other notified bodies.
Yes, but only under strict conditions. A notified body may subcontract specific conformity assessment activities or use a subsidiary, provided it informs the provider, verifies the subcontractor's competence, retains full responsibility for the work performed, and ensures the subcontractor meets the same requirements as the notified body itself.
Article 34 requires notified bodies to hold appropriate professional liability insurance. This is intended to ensure that providers and affected parties have recourse where a flawed assessment contributed to harm or non-compliance. The notified body also has ongoing obligations to monitor and, where necessary, withdraw, suspend, or impose conditions on certificates it has issued.
The national notifying authority that designated the notified body retains ongoing oversight responsibility. Notified bodies must provide all relevant information upon request, cooperate with market surveillance activities, and participate in coordination activities organised through the European Artificial Intelligence Office and the notified bodies working groups.
Article 34 applies specifically in the context of conformity assessment procedures for high-risk AI systems listed in Annex III and, where required, Annex II. Only high-risk AI systems require third-party conformity assessment by a notified body; providers of other AI systems self-certify compliance and are not subject to notified body involvement.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.