2026-04-22·14 min read·

EU AI Act Art.28 Notification of Conformity Assessment Bodies: The NANDO Procedure, Commission Challenge Period, and Notification Content Requirements (2026)

Article 28 of the EU AI Act governs the formal act of notification — the procedure through which a Member State communicates to the European Commission and to other Member States that it has designated a conformity assessment body to carry out third-party conformity assessments for high-risk AI systems. The article is procedural in character: it does not establish the eligibility criteria (those are in Art.27) or the operational obligations of notified bodies (those are in Art.31). It governs the mechanics of how a designation becomes officially recognised at Union level and what legal effects that recognition produces.

Understanding Art.28 is essential for AI system providers because notification status determines whether a conformity assessment body's certificates are legally valid for CE marking purposes. A body that meets every Art.27 requirement but has not been notified through the Art.28 procedure has no authority to issue certificates that count for EU AI Act conformity purposes. Providers who receive certificates from non-notified bodies have not satisfied third-party assessment obligations, regardless of the quality of the assessment performed.

The Position of Art.28 in the Notified Body Lifecycle

The notified body framework distributes distinct obligations across several articles:

Art.27: Requirements — eligibility criteria the body must satisfy
Art.28: Notification — the formal procedure converting a designated body into a notified body recognised at Union level
Art.29: Changes to notifications — suspension, restriction, and withdrawal when compliance fails
Art.30: Challenge of competence — the mechanism for contesting a body's qualifications in individual assessment cases
Art.31: Operational obligations — duties of notified bodies when performing assessments

Art.28 occupies the pivot point between eligibility and operation. A body that satisfies Art.27 is eligible for designation by the Member State. But only after the Member State completes the Art.28 procedure does the body become a notified body in the full legal sense — with a NANDO number, recognised across all Member States, and empowered to issue conformity assessment certificates valid throughout the Union.

The distinction between "designated" and "notified" is legally meaningful. Designation is a national administrative act. Notification is the communication of that designation to the Commission and other Member States through the NANDO system. Both steps must occur, and notification must precede the body's authority to carry out assessments with Union-wide legal effect.

The Notifying Authority: Who Notifies and Under What Conditions

Under Art.28(1), notification is performed by the notifying authority. Notifying authorities are established under Art.30 of the General Product Safety framework and are typically ministries, regulatory agencies, or technical bodies designated by each Member State for this function. In Germany, this role is performed by the Federal Ministry for Economic Affairs and Climate Action (BMWK) for most industrial product categories. In France, the Comité français d'accréditation (COFRAC) handles accreditation while notification is managed by sector-specific ministries.

The notifying authority may only notify a body after it has assessed that the body satisfies the Art.27 requirements. Where the body has obtained national accreditation from the national accreditation body under Regulation (EC) No 765/2008, the notifying authority may rely on the accreditation assessment as evidence of conformity with Art.27. However, the notifying authority retains formal responsibility: accreditation provides evidentiary weight but does not transfer the legal obligation to assess.

Where accreditation has not been obtained, the notifying authority must carry out its own technical assessment. It must document that assessment and retain the documentation. The notifying authority also establishes and maintains ongoing oversight of the notified body — including review of changes in body structure, key personnel, accreditation scope, or financial position that could affect Art.27 compliance.

This oversight obligation creates a continuing relationship between the notifying authority and the notified body. The notifying authority is not a one-time gatekeeper but an ongoing supervisor — with the power and duty to initiate suspension, restriction, or withdrawal under Art.29 when problems arise.

Notification Content: What Art.28 Requires

The Art.28(2) notification must include the following information:

Identity information:

Full legal name of the conformity assessment body
Registration number and legal form under national law
Contact details: address, telephone, electronic mail, website

Scope of designation:

The AI system categories or product types within the Annex I sectoral legislation for which the body has been designated
The specific conformity assessment procedures (Annex VIII Module D or Module H) for which the body is designated
Any limitations, restrictions, or conditions attached to the designation

Accreditation evidence:

Certificate of accreditation issued by the national accreditation body, where applicable
Name and address of the national accreditation body that issued the certificate

Notifying authority details:

Identity and contact information of the notifying authority that made the designation decision
The legal basis for the notification under national law

Date of effect:

The date from which the notified body's authority begins (which cannot precede completion of the NANDO information period unless the Commission has explicitly confirmed no objection earlier)

The scope description is particularly significant. The NANDO database entry — which becomes the authoritative public record of the body's notified status — is based on the scope specified in the notification. Providers checking a body's notified status via NANDO see the scope that was notified, not a broader or narrower version. Bodies may operate within their notified scope but cannot extend their authority to uncovered AI system categories without a scope extension notification.

The NANDO Database: Function and Legal Status

NANDO — the New Approach Notified and Designated Organisations database — is the Commission's official register of notified bodies across all New Approach and New Legislative Framework legislation. The EU AI Act integrates into this existing infrastructure: notified bodies designated under Art.28 receive NANDO registration numbers and appear in the NANDO database alongside bodies notified under the Medical Devices Regulation, Machinery Directive, Radio Equipment Directive, and other legislation.

NANDO's legal role under the EU AI Act is significant. Art.28(4) specifies that the Commission shall publish NANDO data. This creates the public record that determines, for providers and national authorities alike, which bodies are legally empowered to issue conformity assessment certificates. A body appears in NANDO only after the notification procedure under Art.28 is complete and no objection has been sustained.

The NANDO number assigned to each notified body serves as its official identifier in all conformity assessment certificates it issues. When an AI system provider's technical documentation cites a conformity assessment certificate, the certificate must identify the notified body by its NANDO number. National market surveillance authorities, the Commission, and authorities in third countries accepting EU conformity assessments can use the NANDO number to verify the body's identity, notified scope, and current status.

NANDO records are updated when:

A new notification is submitted (new body appears)
A notified body's scope is extended or restricted
A notification is suspended (body temporarily loses authority)
A notification is withdrawn (body permanently loses notified status)

Providers should not treat NANDO status as static. A body that appears in NANDO today may be subject to suspension proceedings tomorrow. Providers with ongoing contractual relationships with notified bodies should monitor NANDO records for changes in status throughout the product lifecycle.

The Information Period: Two Weeks Before Full Authority

Art.28(3) establishes that after the Commission receives a notification, there is an information period during which other Member States and the Commission may raise concerns before the notified body begins operating with Union-wide authority. The EU AI Act structures this as an information period rather than a strict prior-approval mechanism: notification becomes effective after the information period expires without sustained objection, not upon explicit Commission approval.

The information period allows the Commission to examine whether the notification is complete and whether there are grounds for concern about the body's ability to satisfy Art.27 requirements. It also allows other Member States to raise horizontal concerns — for example, if they have information about the notifying authority's assessment process or about the body's actual compliance record.

Where no objection is raised during the information period, the notification takes effect and the body may begin operating as a notified body. Where concerns are raised, the resolution mechanism depends on their nature:

Procedural concerns (incomplete notification content, missing accreditation evidence): the notifying authority must supply the missing information before the information period clock restarts.
Substantive concerns about Art.27 compliance: the Commission may require the notifying authority to provide additional evidence of the body's compliance. If concerns cannot be resolved, the Commission may use the examination procedure under Regulation (EU) No 182/2011 to determine whether the notification should be refused.
Ongoing disputes: if Member States or the Commission maintain that a body does not satisfy Art.27 requirements after notification takes effect, the challenge mechanism under Art.30 provides the formal route for contesting the body's qualification in specific assessment cases.

The information period structure reflects the subsidiarity principle: Member States retain primary responsibility for designating and overseeing notified bodies. The Commission's role is supervisory — preventing demonstrably unsuitable bodies from operating with Union-wide authority while respecting national designation decisions that meet the legal standard.

Commission Challenge Mechanism: Grounds and Procedure

Beyond the initial information period, Art.28(4) preserves the Commission's ongoing authority to challenge a notification where it has grounds to believe the body does not or no longer satisfies the Art.27 requirements. This reflects the dynamic nature of notified body compliance: a body may satisfy Art.27 at the moment of designation but fail to maintain compliance as its structure, personnel, finances, or processes change.

The Commission challenge is not self-executing. Where the Commission has grounds for concern, it:

Requests the notifying authority to investigate whether the body continues to satisfy Art.27 and to provide evidence of ongoing compliance within a specified period.
Receives and reviews the notifying authority's response, including updated accreditation information, surveillance assessment reports, or corrective action plans.
Applies the examination procedure under Regulation (EU) No 182/2011 if it concludes, after reviewing the evidence, that the notification should be suspended or withdrawn. The examination procedure involves a standing committee composed of Member State representatives, which votes on the Commission's proposed implementing decision.
Issues an implementing decision if the committee supports the Commission's position, requiring the notifying authority to take corrective measures — which may include suspension or withdrawal of the notification.

This multi-step process creates a significant lead time between identification of a compliance concern and mandatory corrective action. The practical implication for AI system providers is that evidence of a notified body's Art.27 compliance problems may exist before the formal challenge process concludes. Providers conducting risk management under Art.9 who become aware of concerns about their notified body's compliance should document the information and consider proactive engagement with the body and the notifying authority.

Horizontal Opposition by Other Member States

Art.28(4) also provides a mechanism for Member States (not just the Commission) to raise concerns about notifications submitted by other Member States. Where a Member State has grounds to believe that a notified body does not satisfy the Art.27 requirements, it may request the Commission to investigate.

This horizontal oversight function reflects the cross-border effects of notification: a body notified by Germany can issue certificates accepted throughout the EU. All Member States therefore have a legitimate interest in the quality of each other's notification decisions.

The Member State raising concerns does not directly challenge the notifying authority. Instead, it refers the matter to the Commission, which then applies the investigation and escalation procedure described above. This preserves the Commission's central coordination role while giving all Member States a formal voice in the quality assurance of the notified body system.

Scope of Notification and the Authority to Assess

The scope of a notification is not an administrative formality. It defines the legal boundary of the notified body's authority. A body notified to assess AI systems functioning as safety components in medical devices under Annex I does not acquire authority to assess AI systems in other Annex I categories — such as vehicles under Directive 2007/46/EC or civil aviation products under Regulation (EU) 2018/1139 — without a separate scope extension notification.

Scope extension requires the same process as initial notification: the notifying authority assesses the body's competence for the additional scope, submits a scope extension notification, and the information period applies. The Commission and other Member States have the same rights to raise concerns about scope extension notifications as they do about initial notifications.

Scope restrictions — whether initiated by the notifying authority (for example, in response to concerns about competence in a particular technical area) or by the notified body itself (for commercial or resource reasons) — must also be notified. NANDO records must reflect the current authorised scope at all times.

Art.28 × Art.29 Integration: Modification and Withdrawal

Art.28 notifications are not permanent in the sense that the notified status cannot be changed. Art.29 governs three categories of change:

Suspension: The notifying authority temporarily restricts the body's authority — typically when the body has experienced a significant compliance failure that is being investigated and remediated. During suspension, the body cannot initiate new assessment engagements, though it may complete assessments already underway depending on the terms of suspension. Suspension is reflected immediately in NANDO.

Restriction of scope: The notifying authority narrows the scope of the notification — for example, removing specific AI system categories where the body has lost competence or where concerns have been identified. The body retains authority for the remaining scope. Scope restriction is reflected in NANDO.

Withdrawal: The notifying authority fully withdraws the notification — when the body no longer satisfies Art.27 requirements in any material respect, when the body surrenders its designation, or when persistent serious compliance failures cannot be remediated. Withdrawn bodies disappear from NANDO's active register. Certificates issued before withdrawal remain valid (they were lawfully issued at the time) but the body cannot issue new certificates.

The Art.29 procedures must themselves be communicated to the Commission via the NANDO system, maintaining real-time accuracy of the Union-level register.

Practical Compliance Matrix: Notification Lifecycle

Phase	Actor	Key Action	Art.28 Reference
Pre-notification	Notifying authority	Assess Art.27 compliance, obtain/review accreditation	Art.28(1)
Notification submission	Notifying authority	Submit complete notification via NANDO	Art.28(2)
Information period	Commission, Member States	Review notification, raise concerns if any	Art.28(3)
NANDO registration	Commission	Register body, assign NANDO number, publish	Art.28(4)
Ongoing monitoring	Notifying authority	Supervise body, report changes	Art.28(1)
Commission challenge	Commission	Request investigation if grounds for concern	Art.28(4)
Horizontal concern	Member State	Refer concern to Commission	Art.28(4)
Scope change	Notifying authority	Submit scope extension or restriction notification	Art.28(2)
Status change	Notifying authority	Notify suspension or withdrawal under Art.29	Art.29

Verification Tool: Checking Notified Body Status

For AI system providers, NANDO verification should be a standard due diligence step before engaging a conformity assessment body and at key points during the engagement.

from dataclasses import dataclass, field
from typing import Optional
from datetime import date
import json

@dataclass
class NotifiedBodyStatus:
    body_name: str
    nando_number: Optional[str]
    notifying_member_state: str
    notification_date: Optional[date]
    notified_scope: list[str]
    current_status: str  # "active", "suspended", "restricted", "withdrawn"
    accreditation_body: Optional[str]
    last_nando_check: date
    concerns_identified: list[str] = field(default_factory=list)

@dataclass
class NotifiedBodyVerification:
    body: NotifiedBodyStatus
    system_category: str
    assessment_procedure: str  # "annex_viii_module_d" or "annex_viii_module_h"

    def verify_authority(self) -> dict:
        issues = []

        if not self.body.nando_number:
            issues.append("CRITICAL: Body has no NANDO number — not a notified body")

        if self.body.current_status != "active":
            issues.append(
                f"CRITICAL: Body status is '{self.body.current_status}' — "
                "not authorised to issue new certificates"
            )

        if self.system_category not in self.body.notified_scope:
            issues.append(
                f"CRITICAL: System category '{self.system_category}' "
                "is outside the body's notified scope"
            )

        if self.assessment_procedure not in self.body.notified_scope:
            issues.append(
                f"WARNING: Assessment procedure '{self.assessment_procedure}' "
                "may not be within the body's designated procedures — verify scope"
            )

        if self.body.concerns_identified:
            issues.append(
                f"WARNING: Concerns identified for this body: "
                f"{'; '.join(self.body.concerns_identified)}"
            )

        stale_threshold = 90  # days
        days_since_check = (date.today() - self.body.last_nando_check).days
        if days_since_check > stale_threshold:
            issues.append(
                f"WARNING: NANDO status was last verified {days_since_check} days ago — "
                "refresh from nando.nqa.com before proceeding"
            )

        return {
            "body_name": self.body.body_name,
            "nando_number": self.body.nando_number,
            "system_category": self.system_category,
            "authority_confirmed": len([i for i in issues if i.startswith("CRITICAL")]) == 0,
            "issues": issues,
            "recommendation": (
                "PROCEED" if not issues
                else "BLOCKED" if any(i.startswith("CRITICAL") for i in issues)
                else "PROCEED WITH CAUTION"
            ),
        }

def check_pre_engagement_status(body: NotifiedBodyStatus, system_category: str, procedure: str) -> str:
    verification = NotifiedBodyVerification(body, system_category, procedure)
    result = verification.verify_authority()
    return json.dumps(result, indent=2, default=str)

# Example usage
example_body = NotifiedBodyStatus(
    body_name="TÜV SÜD Product Service GmbH",
    nando_number="0123",
    notifying_member_state="Germany",
    notification_date=date(2025, 8, 1),
    notified_scope=[
        "high_risk_ai_safety_components_medical_devices",
        "annex_viii_module_d",
        "annex_viii_module_h",
    ],
    current_status="active",
    accreditation_body="DAkkS",
    last_nando_check=date.today(),
)

print(check_pre_engagement_status(
    example_body,
    "high_risk_ai_safety_components_medical_devices",
    "annex_viii_module_d",
))

Practical Compliance Checklist: Art.28 for Providers

Before engaging a conformity assessment body:

Verify body appears in NANDO with active status
Confirm body's notified scope covers the specific AI system category
Confirm body's notified scope covers the required assessment procedure (Module D or H)
Check notification date — is the body recently notified or established?
Review whether any Commission challenge or Member State concern has been raised
Document NANDO verification with date and URL reference

During the assessment engagement:

Confirm the body's NANDO status has not changed since pre-engagement check
Ensure the certificate being issued will carry the correct NANDO number
Monitor NANDO for any status changes (suspension, scope restriction)

After receiving the conformity assessment certificate:

Record the notified body's NANDO number in the technical documentation
Include the NANDO number in the Declaration of Conformity
Establish a monitoring process for NANDO status throughout the product lifecycle
If NANDO status changes post-certification, assess impact on CE marking validity and consult legal counsel

For notifying authorities (if acting in that capacity):

Complete Art.27 compliance assessment before submission
Include all Art.28(2) required content in the notification
Submit via NANDO system and monitor information period
Respond to any Commission or Member State concerns during the information period
Maintain ongoing oversight obligations and reflect status changes in NANDO