Article 37 of Regulation (EU) 2024/1689 — Challenge to the competence of notified bodies. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 37 of Regulation (EU) 2024/1689 (the EU AI Act) establishes a supervisory mechanism through which the competence and continued compliance of notified bodies may be formally challenged. Where the Commission or a Member State has concerns that a notified body does not meet, or no longer meets, the requirements for notification set out in Article 31 — or is failing to fulfil its obligations — it may bring the matter to the attention of the notifying authority responsible for that body.
Upon receiving such a challenge, the notifying authority is required to investigate the matter without undue delay. It must examine the evidence presented and, where the investigation reveals deficiencies, take proportionate corrective measures, which may include imposing conditions, restricting the scope of the notification, suspending the notification, or withdrawing it entirely, depending on the gravity of the non-compliance.
The notifying authority must inform the Commission and all other Member States of any restrictive measures taken and of their outcome. This information-sharing obligation ensures transparency and prevents divergent treatment across the single market. The notified body concerned retains the right to submit observations before measures are imposed, safeguarding procedural fairness. Certificates already issued by a body whose notification has been suspended or withdrawn remain subject to separate provisions governing their continued validity or revocation.
What This Means in Practice
Article 37 is the enforcement backbone of the notified body framework established under Title III, Chapter 4. It creates a live accountability channel that operates throughout the lifecycle of a notified body — not just at the point of initial designation.
For providers of high-risk AI systems, the article has direct practical consequences. Conformity assessments carried out by notified bodies are a prerequisite for placing many high-risk AI systems on the EU market (see Annex III and Article 43). If the body that performed your conformity assessment has its notification suspended or withdrawn following an Article 37 challenge, you must assess whether previously issued certificates remain valid and whether re-assessment by a compliant body is required before continued market access.
For notified bodies themselves, Article 37 means that designation is not a permanent status. Any Member State or the Commission can trigger a formal review at any time based on evidence of non-compliance. Bodies should therefore maintain continuous compliance with the requirements of Articles 31 to 36 — not only when seeking initial designation. Robust quality management systems, transparent documentation practices, and proactive communication with the notifying authority are the primary safeguards against a successful challenge.
For notifying authorities, the article creates a mandatory investigative duty. Receipt of a credible challenge is not discretionary; the authority must act, document its findings, apply proportionate measures, and report to the Commission and peers. This places a premium on having clear internal procedures for handling inter-Member State notifications and Commission referrals.
A practical example: if a German notified body is found to have certified a high-risk AI recruitment tool without conducting the required technical file review, France or the Commission could raise the matter under Article 37, prompting the relevant German notifying authority to investigate and potentially suspend the body's right to issue further certificates in that product category.
Key Obligations
- Any Member State or the Commission may challenge the competence of a notified body at any time by bringing substantiated concerns to the notifying authority, triggering a mandatory investigation.
- The notifying authority must investigate without undue delay, examine evidence of non-compliance with Articles 31 to 36, and reach a reasoned conclusion.
- Proportionate corrective measures must be applied where deficiencies are confirmed, ranging from imposition of conditions and scope restrictions to full suspension or withdrawal of notification.
- Procedural fairness must be observed — the notified body must be given a meaningful opportunity to submit observations before any restrictive measure is finalised.
- All restrictive measures and outcomes must be communicated to the Commission and all other Member States to ensure transparency and consistent market oversight across the EU.
- Notified bodies whose notifications are suspended or withdrawn must cease the relevant conformity assessment activities immediately, and the status of certificates issued during the affected period must be addressed in accordance with applicable provisions.
Relationship to Other Articles
Article 37 cannot be read in isolation and is tightly coupled with several other provisions of the Regulation. The substantive requirements whose non-fulfilment triggers a challenge under Article 37 are laid down in Article 31 (requirements for notified bodies) and Articles 32 to 36 (the notification procedure, NANDO information systems, changes to notifications, and subsidiary obligations of notified bodies). The conformity assessment procedures that notified bodies must correctly perform are specified in Article 43 and the relevant sections of Annex VII.
Where a challenge leads to withdrawal of a notification, the consequences for certificates already issued connect to Article 44 (certificates issued by notified bodies) and Article 46 (obligations of notified bodies regarding information). Article 38 complements Article 37 by addressing the coordination and advisory role of the AI Board in ensuring consistent supervisory practice across notifying authorities. Market surveillance provisions under Articles 74 to 76 provide parallel enforcement tools at the product level, while Article 37 focuses on the institutional level — the body itself rather than any individual AI system.
Compliance Timeline
Article 37 falls within the provisions governing notified bodies and the high-risk AI system conformity assessment framework. The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal.
The provisions of Title III, Chapter 4 — including Article 37 — become fully applicable on 2 August 2026, the general application date for obligations relating to high-risk AI systems listed in Annex III (with the exception of systems covered by Annex I, certain of which apply from 2 August 2027). Notifying authorities and prospective notified bodies should have been operationally ready from mid-2025 onwards, given that the designation and notification process under Articles 31 to 36 must be completed before bodies can legally perform conformity assessments for products reaching the market on the 2026 application date.
The challenge mechanism under Article 37 is operative from the moment notified bodies are formally designated and begin issuing certificates. Providers relying on third-party conformity assessments should monitor the status of their notified body via the NANDO database throughout the product lifecycle, as a challenge lodged after market placement can have retrospective consequences for certificate validity.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
Frequently Asked Questions
Any Member State or the European Commission may challenge the competence or continued fulfilment of requirements by a notified body. The challenge triggers a formal investigation by the notifying authority responsible for that body.
The notifying authority must investigate the matter and, where warranted, restrict, suspend, or withdraw the notification of the body. The Commission and other Member States are informed of the outcome. If the body is found non-compliant, it must cease conformity assessment activities in the relevant area.
By establishing a cross-border mechanism for scrutinising notified bodies, Article 37 ensures that conformity assessments issued for high-risk AI systems are reliable. A body whose notification is suspended or withdrawn loses the authority to issue new certificates, protecting deployers and providers from relying on assessments issued by an unqualified body.
Yes. Before a notifying authority takes restrictive measures, it must give the notified body an opportunity to state its case. The principle of audi alteram partem applies throughout the procedure, ensuring procedural fairness before any suspension or withdrawal is enacted.