Article 35 of Regulation (EU) 2024/1689 — Identification numbers and lists of notified bodies. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 35 of Regulation (EU) 2024/1689 (the EU AI Act) establishes the administrative and transparency framework governing the identification and public listing of notified bodies operating under the regulation. The article places obligations principally on the European Commission and on Member States' notifying authorities.
Under Article 35, the Commission is required to assign an identification number to each notified body. Crucially, where a body is notified under more than one Union act, it receives a single identification number, ensuring consistency across legislative instruments. The Commission is further required to make publicly available a list of all notified bodies, including their identification numbers and the activities for which they have been notified. This list must be kept up to date.
Member States bear a complementary obligation: they must inform the Commission of any changes to a notified body's status — including the granting of new notifications, and any restrictions, suspensions, or withdrawals of existing notifications. The Commission is then responsible for reflecting those changes in the public list without undue delay.
The article operates within Chapter 4 of Title III, which governs the overall architecture of notification: who may assess conformity of high-risk AI systems, under what conditions, and with what oversight. Article 35 specifically addresses the identification and visibility layer of that architecture, ensuring that the market — including providers seeking assessment, downstream deployers, and national authorities — can reliably identify which bodies are authorised, for what scope, and whether that authorisation remains current.
What This Means in Practice
Article 35 has direct operational implications for three categories of actors: providers of high-risk AI systems, notified bodies themselves, and national notifying authorities.
For providers seeking third-party conformity assessment under Annex VI or the full quality management system route, Article 35 provides the primary verification mechanism. Before engaging a notified body, a provider should consult the Commission's NANDO database to confirm that the body holds a valid notification under the EU AI Act, covering the specific product category or AI system type in question. Relying on a body whose notification has lapsed, been suspended, or never formally extended to AI Act scope creates a compliance gap that could invalidate a conformity assessment certificate.
For notified bodies, Article 35 creates an indirect obligation to cooperate with their national notifying authority to ensure that any change in their operational scope or authorisation status is promptly communicated upward. A body expanding its assessment scope — for example, adding a new high-risk category such as biometric categorisation systems — cannot legitimately act under that expanded scope until the notification has been updated and reflected on the Commission list.
For national notifying authorities, the obligation is procedural but consequential: changes in a body's status must be communicated to the Commission promptly. Delays create a window during which the public list is inaccurate, potentially misleading providers or undermining market surveillance actions taken by authorities in other Member States.
In concrete terms, a legal or compliance team preparing for a conformity assessment should build a checklist step that cross-references the selected notified body's identification number on NANDO, verifies the scope of notification matches the system's risk classification, and checks that no restrictions or suspensions appear against that record.
Key Obligations
- The European Commission must assign a single identification number to each notified body, consistent across all Union acts under which that body operates.
- The Commission must publish and maintain a publicly accessible, up-to-date list of all notified bodies, including their identification numbers and notified scope.
- Member States and their notifying authorities must inform the Commission without undue delay of any grants, restrictions, suspensions, or withdrawals of notification.
- The Commission must update the public list to reflect changes in notified body status without undue delay following Member State notification.
- Notified bodies may not act beyond their notified scope; any expansion of scope requires a formal update to the notification before the body may conduct assessments under that extended scope.
- Providers must verify, prior to engaging a notified body, that the body's current listing on the Commission database covers the relevant activity and remains in good standing.
Relationship to Other Articles
Article 35 cannot be read in isolation; it forms part of a coherent framework within Chapter 4 of Title III.
Article 28 defines the requirements that notifying authorities — the national bodies responsible for establishing and carrying out notification procedures — must themselves satisfy, providing the institutional foundation on which Article 35's notification flows depend. Article 29 sets out the detailed application requirements a conformity assessment body must meet before it can be notified, while Article 30 governs the notification procedure itself, including the formal communication to the Commission that triggers an Article 35 listing. Article 31 addresses the presumption of conformity for notified bodies certified under relevant harmonised standards.
Operationally, Article 35 connects to Articles 43 and 44, which govern the conformity assessment procedures for high-risk AI systems and the resulting certificates — documents whose validity is inseparable from the standing of the issuing body as properly listed under Article 35. Article 74 (market surveillance) also relies on accurate Article 35 listings, since authorities coordinating cross-border oversight need to identify which body issued a given certificate and whether that body remains authorised.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. Application is phased:
- February 2, 2025 — Prohibitions on unacceptable-risk AI practices (Title II) became applicable.
- August 2, 2025 — Provisions on general-purpose AI models (Title VIII) and governance obligations became applicable.
- August 2, 2026 — The bulk of Title III, including the notified body framework under Chapter 4, becomes fully applicable for high-risk AI systems listed in Annex III, except those covered by the extended deadline below.
- August 2, 2027 — Extended deadline for high-risk AI systems covered by existing Union harmonisation legislation listed in Annex I (e.g., machinery, medical devices), giving those sectors additional time to integrate AI Act conformity assessment requirements into existing certification workflows.
Article 35 itself, as part of the notified body infrastructure, becomes operationally relevant in parallel with the application of Chapter 4 conformity assessment requirements. Member States and the Commission should ensure that notification procedures, identification number assignment, and the public database are fully operational ahead of the August 2026 date so that providers of high-risk AI systems can engage compliant notified bodies from the moment mandatory conformity assessment obligations apply.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 35 requires the European Commission to assign a single identification number to each notified body, regardless of how many EU acts it has been notified under. This ensures a consistent, traceable identity for each body across all regulated domains, allowing providers and market surveillance authorities to unambiguously verify a body's status and scope.
The Commission maintains a publicly accessible list of all notified bodies on the NANDO (New Approach Notified and Designated Organisations) information system. This list includes each body's identification number, scope of notification, and current status, and is updated as notifications are granted, suspended, or withdrawn.
Member States must notify the Commission and other Member States without delay when a notified body's status changes — including suspension, restriction, or withdrawal of authorisation. The Commission updates the official list accordingly, and the body must cease carrying out conformity assessments within the scope affected by the change.
No. If a body is already notified under other Union harmonisation legislation, it retains its existing identification number. The AI Act system is designed for interoperability with existing frameworks so that a single number identifies the body across all applicable EU acts.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.