Article 44 of Regulation (EU) 2024/1689 — Certificates. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 44 of Regulation (EU) 2024/1689 establishes the rules governing certificates issued by notified bodies in connection with the conformity assessment of high-risk AI systems. Under this article, certificates issued by notified bodies must be drafted in one of the official languages of the EU Member State in which the notified body is established, or in a language acceptable to that body.
The article sets a maximum validity period of four years for any certificate issued, with the possibility of renewal following a new conformity assessment. Notified bodies are required to keep registers of all certificates they issue, including those that have been refused, suspended, or withdrawn. These registers must be made available to national competent authorities upon request.
Article 44 further mandates that when a notified body suspends, restricts, or withdraws a certificate, it must notify the relevant market surveillance authority of the Member State in which the provider is established, as well as the other notified bodies operating under the same conformity assessment procedures. The European Commission must also be informed where certificates concern systems with cross-border implications.
Importantly, the article establishes a principle of mutual recognition: certificates issued by notified bodies in one Member State are valid throughout the European Union without requiring re-certification, underpinning the functioning of the EU single market for high-risk AI systems.
What This Means in Practice
Article 44 is central to the practical administration of third-party conformity assessment for high-risk AI systems covered under Annex III of the EU AI Act. It directly affects providers of high-risk AI systems who are required to undergo conformity assessment by a notified body rather than self-assessment.
For providers, the four-year validity ceiling means that ongoing market access depends on periodic re-certification. Providers must track certificate expiry dates and initiate renewal procedures in advance to avoid gaps in conformity status that would prevent lawful market placement. A suspended or withdrawn certificate requires immediate action: the system cannot be placed on the market or put into service until the situation is resolved.
For notified bodies, the article imposes strict record-keeping and notification obligations. Any adverse decision — refusal, restriction, suspension, or withdrawal — must be communicated systematically to national authorities and peer notified bodies, ensuring coordinated enforcement across the EU.
Concrete example: A provider of a biometric identification AI system certified in Germany by a German notified body can lawfully market that system in France, Spain, and all other EU Member States without obtaining separate national certificates. However, if the notified body finds during surveillance that the system no longer meets the requirements of Articles 9–15 and suspends the certificate, the provider must immediately halt distribution across the entire EU and notify downstream deployers.
The mutual recognition principle is a practical trade facilitation measure, but it places significant commercial stakes on maintaining a single certificate in good standing.
Key Obligations
- Certificates must have a defined validity period not exceeding four years; renewal requires a fresh conformity assessment demonstrating continued compliance with the applicable requirements.
- Notified bodies must maintain complete registers of all certificates issued, refused, suspended, restricted, or withdrawn, and make those registers accessible to national competent authorities on request.
- Adverse certificate decisions must be notified immediately to the relevant national market surveillance authority, other notified bodies operating under the same procedures, and, where applicable, the European Commission.
- Providers must cease market activities if a certificate is suspended or withdrawn, until conformity is re-established and a valid certificate is obtained.
- Mutual recognition applies across the EU: a certificate issued by any properly designated notified body in one Member State is valid in all Member States, without re-certification requirements.
- Certificates must be drawn up in a language of the issuing notified body's Member State or another mutually agreed official EU language, ensuring accessibility to national authorities.
Relationship to Other Articles
Article 44 sits within Title III, Chapter 5 (Standards, Conformity Assessment, Certificates, and Registration) and must be read in close conjunction with the surrounding provisions. Article 43 defines the applicable conformity assessment procedures — including the conditions under which third-party notified body involvement is mandatory versus optional — establishing the upstream process that Article 44 governs in terms of certificate management.
Articles 31–39 define the requirements that notified bodies themselves must satisfy to be designated, and the obligations they carry as accredited conformity assessment bodies. The integrity of the Article 44 certificate regime depends entirely on the competence of those bodies.
Articles 9–15 set out the substantive requirements for high-risk AI systems — risk management, data governance, transparency, human oversight, accuracy, and robustness — against which certificates are assessed. A certificate under Article 44 is essentially a notified body's attestation that these provisions are met.
Article 45 addresses appeal procedures available to providers where a notified body refuses, suspends, or withdraws a certificate, providing the procedural complement to Article 44's substantive rules. Article 51 governs the registration obligations that follow certification, linking certificates to the EU database of high-risk AI systems.
Compliance Timeline
Article 44 became part of EU law upon the entry into force of Regulation (EU) 2024/1689 on 2 August 2024. However, its practical application is governed by the phased implementation schedule:
- 2 February 2025 — Provisions on prohibited AI practices (Title II) began to apply. Article 44 was not yet operative.
- 2 August 2025 — Rules on general-purpose AI models (Title VIII) and governance obligations began to apply.
- 2 December 2026 — Article 44 becomes fully operative for the majority of high-risk AI systems listed in Annex III, including those in areas such as education, employment, essential services, law enforcement, and border management. Providers placing such systems on the market or into service must hold a valid certificate where third-party conformity assessment is required.
- 2 August 2027 — Extended deadline for high-risk AI systems covered by existing EU product safety legislation (Annex I systems), giving those sectors additional time to align existing notified body relationships and conformity frameworks with the new AI Act certificate regime.
Providers who anticipate requiring a certificate under Article 44 should engage with notified bodies well before the December 2026 deadline, given the expected demand on assessment capacity and the time required to conduct a thorough conformity assessment under Articles 9–15.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Certificates issued by notified bodies under Article 44 are valid for a maximum of four years. They may be renewed following a new conformity assessment, provided the high-risk AI system continues to meet the applicable requirements.
Only notified bodies designated by EU Member States and officially listed in the NANDO (New Approach Notified and Designated Organisations) database are authorised to issue, renew, suspend, or withdraw certificates under Article 44.
The notified body must inform the relevant market surveillance authority and the European Commission. The provider must immediately cease making the affected AI system available on the market or placing it into service until conformity is restored or a new certificate is obtained.
No. Certificates are issued by a specific notified body and are not automatically transferable. If a provider changes notified body, a new conformity assessment must be initiated. However, the new body may take prior assessments into account to avoid unnecessary duplication.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.