Article 45 of Regulation (EU) 2024/1689 — Information obligations on notified bodies. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 45 of Regulation (EU) 2024/1689 establishes specific information obligations incumbent upon notified bodies throughout the lifecycle of their conformity assessment activities concerning high-risk AI systems listed in Annex III and, where applicable, Annex II.
Under Article 45, notified bodies are required to inform the notifying authority — the national body responsible for designating and overseeing them — of all conformity assessments carried out, including those refused or withdrawn before completion. This transparency obligation extends to circumstances that may affect the scope, conditions, or ongoing validity of the notification, such as changes in the body's structure, ownership, competence, or resources.
Notified bodies must additionally communicate to their notifying authority any requests for information received from market surveillance authorities, enabling coordinated oversight across national boundaries. They are also required to report complaints, appeals, and other relevant information concerning high-risk AI systems they have assessed, upon request or on their own initiative where the matter is of significance for regulatory action.
Article 45 further provides that notified bodies shall exchange information with one another and with the Commission on matters related to negative results of conformity assessments, thereby establishing a collective knowledge-sharing mechanism. This prevents providers from shopping for more lenient assessors after receiving a refused assessment from one notified body — a practice sometimes referred to as certificate shopping.
The article forms a cornerstone of the accountability infrastructure for the notified body system, ensuring that national authorities and the Commission maintain genuine oversight over how conformity assessments are being conducted across the Union.
What This Means in Practice
For notified bodies, Article 45 introduces a continuous, proactive disclosure culture that goes well beyond simply issuing or refusing certificates. In operational terms, a notified body must establish internal procedures to log and report all significant events to its national notifying authority, even when those events do not result in a formal certificate.
Consider a scenario where a provider of a high-risk AI system used in employment screening submits documentation for a conformity assessment, but the notified body identifies critical gaps in the technical documentation and risk management system. Even if the provider withdraws the application before a formal refusal is issued, Article 45 requires the notified body to report this withdrawal. The notifying authority and, through information exchange mechanisms, other notified bodies are thereby alerted that a non-conforming system may be re-presented elsewhere for assessment.
Similarly, if a market surveillance authority — such as a national consumer protection regulator — contacts a notified body seeking information about a previously assessed system that has caused harm, the notified body must inform its notifying authority of that request. This creates a paper trail that enables coordinated regulatory response.
Notified bodies must also review their internal resource and competence arrangements continuously. Should they determine that their staffing or technical capacity no longer covers certain categories of AI systems, they must notify this change promptly so that the scope of their designation can be adjusted — protecting market integrity by preventing assessments in areas where the body lacks genuine expertise.
For providers, this framework means that a refused or withdrawn assessment is not a confidential event. Due diligence before engaging a notified body is therefore advisable.
Key Obligations
- Report refused and withdrawn assessments: Notified bodies must inform the notifying authority of any conformity assessment that was refused or withdrawn by the provider before completion, including the reasons where ascertainable.
- Disclose scope-affecting circumstances: Any change in the body's legal status, ownership, senior personnel, organisational structure, or technical competence that could affect its notification must be communicated to the notifying authority without undue delay.
- Share information with other notified bodies: Notified bodies are required to exchange information on negative assessment outcomes and related matters with peer notified bodies and with the Commission, preventing certificate shopping across the Union.
- Report regulatory contacts: Receipt of requests for information from market surveillance authorities, national competent authorities, or other regulatory bodies must be disclosed to the notifying authority, enabling coordinated oversight.
- Communicate complaints and appeals: Significant complaints, appeals against assessment decisions, and post-market intelligence regarding assessed AI systems must be reported on request or proactively where warranted.
- Maintain readiness for audits: Notified bodies must make available to the notifying authority all relevant documentation, records, and evidence of their assessment activities to support ongoing monitoring of their designation.
Relationship to Other Articles
Article 45 operates within a dense network of provisions governing the notified body framework under Title III, Chapter 5. It is inseparable from Article 33, which establishes the general obligations and requirements that notified bodies must satisfy to obtain and maintain their designation, and from Article 34, which sets out the subsidiaries and subcontracting rules that affect organisational transparency.
The notification and designation process governed by Articles 35 and 36 provides the institutional context for Article 45: the notifying authority that receives information under Article 45 is the same body that may suspend or withdraw a notification under Article 35 if the disclosed information reveals non-compliance.
Article 44 (certificates of conformity) and Article 46 (derogation from conformity assessment procedures) should be read alongside Article 45, as they establish the outputs of the conformity assessment process whose integrity Article 45's information obligations are designed to protect.
At the market surveillance level, Articles 74 to 76 rely implicitly on the information flows created by Article 45 to function effectively, as do the coordination mechanisms involving the European Artificial Intelligence Board (EAIB) established under Article 65.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after its publication in the Official Journal of the European Union (OJ L 2024/1689, 12 July 2024). Article 45 falls within the provisions applicable to high-risk AI systems under Title III.
The phased application schedule is as follows:
- 1 August 2024 — Entry into force; preparatory obligations begin for Member States and Commission.
- 2 February 2025 — Prohibited AI practices (Title II, Article 5) became applicable.
- 2 August 2025 — GPAI model obligations (Title VIII) and governance provisions became applicable; notified body designation processes were expected to be operationally advanced by this date.
- 2 August 2026 — Article 45, along with the full set of Title III Chapter 5 obligations relating to notified bodies and conformity assessments for high-risk AI systems listed in Annex III, becomes fully applicable. Notified bodies must be fully compliant with their information obligations from this date.
- 2 August 2027 — Extended deadline for certain high-risk AI systems covered by existing Union harmonisation legislation listed in Annex II, Section 1, giving manufacturers in those regulated sectors additional time to adapt conformity assessment processes.
Organisations seeking designation as notified bodies should have their information management and disclosure procedures in place well in advance of the August 2026 deadline to ensure they can demonstrate compliance from day one of full application.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Notified bodies must inform the notifying authority of any conformity assessment activities refused or withdrawn, any circumstances affecting the scope or conditions of their notification, any request for information received from market surveillance authorities, and any post-market monitoring activities or complaints relating to high-risk AI systems they have assessed.
Article 45 applies exclusively to notified bodies — the conformity assessment organisations designated by EU Member States under Article 33 to carry out third-party assessments of high-risk AI systems. Providers of high-risk AI systems are not directly subject to Article 45, though they interact with notified bodies during the conformity assessment process.
Failure to comply may lead the notifying authority to restrict, suspend, or withdraw the notification of that body under Article 35. This would prevent the body from conducting further conformity assessments and could affect the validity of certificates already issued.
By requiring notified bodies to proactively share information with authorities, Article 45 creates a flow of intelligence from conformity assessors to regulators. This allows market surveillance authorities to identify systemic issues, track refused or withdrawn assessments, and coordinate oversight activities across Member States through the EADB and EU database.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.