2026-04-23 · 14 min read

EU AI Act Art.32 Subsidiaries of and Subcontracting by Notified Bodies: Qualification Requirements, Provider Agreement, and Responsibility Framework (2026)

Article 32 of the EU AI Act addresses a structural reality of the conformity assessment market: most notified bodies are not self-sufficient in every domain relevant to the high-risk AI systems they assess. A notified body designated for medical AI systems may lack in-house expertise in the specific embedded systems architecture of a particular cardiovascular monitoring device. A notified body covering safety components for industrial automation may need specialist testing laboratory capacity it cannot maintain on a permanent basis. The question Art.32 answers is not whether notified bodies can delegate—they can—but under what conditions delegation is lawful and how liability is allocated when it occurs.

The answer the EU AI Act gives is precise and demanding. Subcontracting and use of subsidiaries are permitted, but subject to four concurrent requirements: the delegate must meet the same qualification requirements the notified body itself must meet under Art.27; the notifying authority must be informed; the provider whose AI system is being assessed must agree; and the notified body retains full legal responsibility for the work regardless of who performs it. Art.32 is therefore simultaneously a competence rule, a transparency rule, a consent rule, and a liability rule—each of which has practical implications for how notified bodies organise their assessment operations and how providers should manage their relationships with them.

The Position of Art.32 in the Notified Body Framework

Art.32 sits immediately after Art.31 (operational obligations of notified bodies) in the EU AI Act's notified body chapter. The sequencing reflects a deliberate regulatory architecture:

Art.31 touches on subcontracting as one element of the broader operational framework; Art.32 dedicates a full article to it, signalling that the EU legislator regarded delegation of conformity assessment tasks as sufficiently consequential to warrant dedicated regulatory treatment.

The Subsidiary-Subcontractor Distinction

Art.32 applies to two categories of delegate: subsidiaries and subcontractors. The distinction matters both legally and practically.

Subsidiaries are legal entities in which the notified body holds a controlling interest—typically majority ownership under the definitions in EU company law. A subsidiary relationship involves a structural and ongoing governance link: the parent notified body exercises control over the subsidiary's management, quality system, and operational direction. This control relationship creates both an opportunity and a risk: the opportunity is that the notified body can more directly maintain quality standards in the subsidiary; the risk is that the Art.27 requirements applicable to the parent must be satisfied independently by the subsidiary, not merely inherited through corporate ownership.

A subsidiary that has a common management structure with the parent notified body must demonstrate its own independence from economic operators whose systems it assesses. Corporate ownership by a notified body parent does not itself create a conflict of interest with assessment candidates, but subsidiary-level commercial relationships might. Art.32's requirement that subsidiaries meet Art.27 ensures that the independence assessment is conducted at the level of the entity actually performing the assessment tasks, not merely at the group level.

Subcontractors are external legal entities engaged under contract to perform specific tasks. Unlike subsidiaries, they are not under the governance control of the notified body—they operate independently and bring services to the notified body as part of a commercial relationship. This makes subcontractor governance more challenging: the notified body cannot control the subcontractor's QMS or internal processes in the way it can direct a subsidiary, but Art.32 nonetheless requires that the subcontractor meets Art.27 requirements.

In practice, this means the notified body must assess subcontractor qualifications before engagement, not merely execute a contract with a testing laboratory because it has the requisite equipment. Art.27 compliance for a subcontractor means: demonstrable independence from the provider whose system is being assessed, technical competence in the specific domain being subcontracted, a quality management system covering the subcontracted activities, and adequate liability insurance.

The Art.27 Qualification Requirement for Delegates

The most demanding structural provision in Art.32 is that subsidiaries and subcontractors must meet the requirements set out in Art.27. This is not a proportionality-adjusted or task-specific version of Art.27—it is the full requirement applied to the notified body itself, now extended downstream to any entity performing conformity assessment tasks on its behalf.

Independence. Art.27 independence requirements prohibit the notified body from having economic interests that could affect its impartiality. For subcontractors, this means the notified body must verify that the subcontractor is not a legal entity affiliated with the provider, that subcontractor personnel have no commercial relationships with the provider that would compromise their assessment of its documentation or systems, and that the subcontractor's fee structure is not contingent on the outcome of the assessment.

This is structurally harder to verify for subcontractors than for the notified body itself, because the notified body does not have visibility into all of the subcontractor's commercial relationships. Art.32 places the verification burden on the notified body: it must obtain sufficient information from the subcontractor to confirm independence before delegating assessment tasks.

Technical competence. Art.27 requires that notified bodies have the technical knowledge and experience to assess the specific AI system categories for which they are designated. For subcontractors engaged for their specialist expertise, this requirement is typically the reason for engaging them in the first place—the subcontractor has domain knowledge the notified body lacks in-house. The Art.32 requirement is that this competence be demonstrably verified, not merely assumed.

Verification means: reviewing the subcontractor's personnel qualifications in the relevant domain, examining their track record of similar work, and confirming that their technical infrastructure (test facilities, equipment, software tools) is appropriate to the assessment tasks being delegated. A subcontractor that has relevant equipment but lacks personnel with documented expertise in the specific AI system domain does not satisfy the Art.27 technical competence requirement.

Quality management system. The subcontractor must have a QMS covering the activities being performed on behalf of the notified body. This QMS must include controls for document management, non-conformance handling, corrective action, internal audit, and—critically—the handover of outputs back to the notified body in a form that allows the notified body to exercise its supervisory responsibility over the delegated work.

A subcontractor testing laboratory that operates under ISO 17025 accreditation satisfies the QMS requirement for its accredited testing scope. A specialist consultant engaged to review a specific element of an AI system's technical documentation satisfies the QMS requirement only if their consultancy practice has appropriate controls over document handling, confidentiality, and work quality verification.

The Provider Agreement Requirement

Art.32 introduces a requirement that is absent from most analogous delegated assessment frameworks in EU product regulation: the activities may be subcontracted or carried out by a subsidiary only with the agreement of the provider. This consent requirement gives AI system providers a meaningful voice in how their conformity assessments are structured.

The consent is provider-specific. A notified body cannot obtain a general consent from providers at the point of contracting for notified body services that covers all possible future subcontracting. Art.32 requires agreement for the specific subcontracting activities in the specific assessment. A provider that has agreed to subcontracting of laboratory testing in one assessment retains the right to object to subcontracting of technical documentation review in a subsequent assessment for a modified system.

The rationale for provider agreement. The provider agreement requirement reflects several considerations. First, the provider has a direct interest in the qualifications of the entity examining its AI system and documentation—subcontracting to an entity the provider considers unqualified or potentially conflicted is a legitimate concern. Second, the provider may have confidentiality concerns about its technical documentation, trade secrets, and QMS processes being disclosed to third parties beyond the notified body under contract. Subcontracting without consent removes the provider's control over this information sharing.

Third, the provider needs to understand the structure of the conformity assessment it is engaging in order to know what guarantees it is receiving and from whom. A provider that believes it has engaged a notified body with specific domain expertise may find that expertise is actually being sourced from a subcontractor with different qualifications—which affects the provider's ability to evaluate the quality of the assessment it is paying for.

Objection rights and consequences. Where a provider withholds agreement to subcontracting, the notified body must either: conduct the assessment using only in-house resources, or decline the assessment engagement. Art.32 does not create an obligation on the provider to accept subcontracting, and a notified body cannot proceed with delegated assessment activities over a provider's objection.

This creates a practical commercial tension: a notified body that routinely relies on subcontractors for specific technical domains must either build or acquire in-house expertise in those domains, secure provider agreement as part of the initial assessment contracting process, or risk being unable to complete assessments where providers object. The market-level consequence is that notified bodies with genuinely broad internal competence have a competitive advantage over those that rely heavily on subcontractors, particularly for providers who are sensitive about information disclosure.

Full Responsibility: The Liability Principle

The most important liability provision in Art.32 is unambiguous: notified bodies shall take full responsibility for the tasks performed by subcontractors or subsidiaries wherever these are established. The "wherever established" language is significant—it applies regardless of whether the subsidiary or subcontractor is located in the EU or a third country.

What full responsibility means. If a subcontractor conducts a testing activity and produces results that are incorrect—whether due to equipment calibration failure, inadequate testing protocol, or personnel error—the legal consequence is attributed to the notified body that engaged the subcontractor, not to the subcontractor itself. The provider whose system was assessed, the national market surveillance authority, and the Commission deal with the notified body. The notified body's contractual relationship with the subcontractor is a matter between those two parties; it does not alter the notified body's regulatory liability.

This full-responsibility principle is what distinguishes Art.32's framework from a mere supply chain arrangement. The notified body does not transfer regulatory risk to the subcontractor—it retains it. This structure creates a strong incentive for notified bodies to conduct rigorous subcontractor qualification assessments before delegation, to maintain ongoing oversight of subcontractor work quality during the assessment, and to verify the outputs produced by subcontractors before incorporating them into the conformity assessment record.

Third-country subcontractors. The "wherever established" language explicitly extends Art.32 to situations where notified bodies engage testing laboratories, technical consultants, or subsidiary operations outside the EU. This is practically significant: some specialist testing capabilities are disproportionately concentrated in non-EU jurisdictions, and notified bodies may face commercial pressure to engage those facilities. Art.32 makes clear that geographic location does not alter the liability framework—the notified body remains fully responsible for the work quality and compliance of the third-country delegate.

Insurance implications. The notified body's liability insurance coverage, required under Art.27, must be adequate to cover the full scope of the notified body's responsibilities—including those arising from subcontracted or subsidiary activities. A notified body that subcontracts significant portions of its assessment work to poorly insured subcontractors is not protected from the financial consequences of those subcontractors' errors by the subcontractors' own (insufficient) insurance coverage.

Notification to the Notifying Authority

Art.32 requires that notified bodies inform their notifying authority when they use subsidiaries or subcontractors. This notification obligation serves the oversight function of the national authority: notifying authorities need to understand the structure of the conformity assessment market in their jurisdiction and specifically how notified bodies under their oversight are organised.

Notification content. While Art.32 does not prescribe the format of the notification, the underlying purpose—enabling national authority oversight—implies that notifications must contain enough information to allow the authority to assess compliance with Art.32's requirements. At minimum, this means: identification of the subsidiary or subcontractor, description of the tasks delegated, confirmation that the Art.27 qualification assessment has been conducted, and any jurisdiction considerations where third-country delegates are involved.

Ongoing versus case-by-case notification. Art.32 does not specify whether notification should occur on a case-by-case basis (each time a subcontractor is engaged) or at a framework level (when a standing subcontracting relationship is established). Notifying authorities may issue implementing guidance on notification format and frequency. Where guidance is absent, the notified body should err toward more frequent notification—a standing framework notification that is updated as the subcontractor roster changes serves the authority's oversight function better than a single general notification that becomes stale as subcontracting arrangements evolve.

Documentation and transparency. Notifying authorities must have access to the documents the notified body maintains on subcontractor qualifications and the work performed. Art.32 requires notified bodies to keep these documents available for the national authority. This is a facilitated access requirement, not a proactive disclosure requirement—the notified body need not submit subcontractor qualification assessments to the authority unprompted, but must be able to produce them on request without delay.

What Can and Cannot Be Delegated

Art.32 does not provide an explicit list of delegable and non-delegable conformity assessment activities. The limits must be inferred from the structure of Art.32 itself and from the broader notified body framework.

Non-delegable activities. The issuance of a conformity assessment certificate is definitively non-delegable. The certificate is a legal instrument bearing the notified body's identity, NANDO number, and authorised signature. Delegation of the decision to issue—or the legal authority to issue—would be inconsistent with the entire framework of notified body designation, notification, and liability under Art.32. This prohibition applies to subsidiaries as well as subcontractors: a subsidiary that issues certificates under its own name would require its own designation and notification as a notified body.

The final conformity decision—the determination that an AI system's QMS and technical documentation satisfy the applicable requirements—similarly cannot be delegated. That determination must be made by the notified body's qualified personnel on the basis of all assessment evidence assembled. Subcontractors may produce technical inputs to that determination, but the synthesis and conclusion must rest with the notified body.

Delegable activities. Testing activities that require specialist equipment or domain-specific laboratory infrastructure can be delegated—provided the subcontractor meets Art.27 and provider agreement is obtained. Review of specific technical documentation subsections where specialised domain knowledge is needed (e.g., reviewing a cardiovascular algorithm's clinical validation data, reviewing an embedded system's cybersecurity architecture) can be delegated as a technical input to the overall assessment. On-site inspection activities in locations where the notified body lacks logistical presence can be delegated to a geographically appropriate subsidiary or qualified subcontractor.

The key principle is that delegated activities are technical inputs, not legal outputs. The notified body uses delegated outputs as evidence in its assessment; it does not pass through delegated conclusions as its own legal determination without independent review.

Art.32 × Art.31 Integration: Subcontracting Rules Across Both Articles

Art.31 addresses subcontracting as one element of the general operational obligations framework. Art.32 provides the dedicated subcontracting governance framework. The two articles must be read together:

Art.31 establishes the operational conditions under which subcontracting is conducted—the notified body's obligation to verify that each assessment is conducted independently, that assessment personnel (including subcontractor personnel) have declared conflicts of interest, and that the notified body exercises oversight over all work contributing to the conformity assessment record. Art.32 establishes the structural preconditions for delegation: qualification of the delegate, provider agreement, authority notification, and liability allocation.

A practical consequence: even where Art.32's structural conditions are fully satisfied (subcontractor meets Art.27, provider agreed, authority notified), a notified body that fails to verify subcontractor outputs under Art.31's operational requirements—that simply passes through subcontractor test results without independent review—fails its Art.31 obligations. Compliance with Art.32 is a necessary but not sufficient condition for lawful use of subcontractors.

Art.32 × Art.27 Downstream Qualification Chain

The requirement that subcontractors meet Art.27 creates a downstream qualification chain. The EU AI Act designates and notifies bodies at the top of that chain; Art.32 extends the qualification requirements down to entities that are not themselves notified but are performing notified body work.

This creates a practical compliance obligation for subcontractors that are not themselves seeking notified status: they must nonetheless be able to demonstrate Art.27 compliance on request. A testing laboratory that engages primarily in non-conformity-assessment commercial work and supplements this with ad-hoc subcontracting for notified bodies must maintain Art.27-equivalent documentation of its independence, technical competence, and QMS—specifically for the assessment activities it performs under subcontract.

Notified bodies that engage the same subcontractors repeatedly should maintain current qualification assessments for those subcontractors, updated to reflect any changes in the subcontractor's personnel, commercial relationships, or QMS. A qualification assessment conducted two years ago does not automatically remain valid today if the subcontractor has experienced significant management changes, expanded into commercial domains that create potential independence concerns, or had its QMS certification lapse.

SubcontractingComplianceTracker: Python Implementation

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class DelegateQualification:
    """Qualification record for one subsidiary or subcontractor."""
    entity_name: str
    entity_type: str  # "subsidiary" or "subcontractor"
    jurisdiction: str  # ISO 3166-1 alpha-2 country code, e.g. "DE"
    qualified_domains: list[str]
    art27_independence_verified: bool
    art27_competence_verified: bool
    art27_qms_verified: bool
    art27_insurance_verified: bool
    qualification_date: date
    qualification_valid_until: Optional[date]  # None = no expiry recorded
    notifying_authority_informed: bool
    notification_date: Optional[date]

    def meets_art27(self) -> bool:
        # All four Art.27 criteria must hold for the delegate itself.
        return (
            self.art27_independence_verified
            and self.art27_competence_verified
            and self.art27_qms_verified
            and self.art27_insurance_verified
        )

    def is_art32_compliant(self) -> bool:
        # Art.32 = Art.27 qualification plus notification of the authority.
        return self.meets_art27() and self.notifying_authority_informed

    def is_qualification_current(self, check_date: Optional[date] = None) -> bool:
        if check_date is None:
            check_date = date.today()
        if self.qualification_valid_until is None:
            return True
        return check_date <= self.qualification_valid_until

    def days_until_requalification(self, check_date: Optional[date] = None) -> Optional[int]:
        # Negative result means the qualification has already expired.
        if check_date is None:
            check_date = date.today()
        if self.qualification_valid_until is None:
            return None
        return (self.qualification_valid_until - check_date).days


@dataclass
class DelegationRecord:
    """One delegation of tasks to a delegate within a specific assessment."""
    assessment_id: str
    delegate: DelegateQualification
    delegated_tasks: list[str]
    provider_name: str
    provider_agreement_obtained: bool
    provider_agreement_date: Optional[date]
    delegation_date: date
    output_reviewed_by_nb: bool
    output_review_date: Optional[date]
    nb_responsible_personnel: str

    def is_delegation_lawful(self) -> tuple[bool, list[str]]:
        # Structural preconditions of Art.32, evaluated at the delegation date.
        issues = []
        # Art.27 is checked on its own so that a missing notification is
        # reported once, under its own message, and not as an Art.27 failure.
        if not self.delegate.meets_art27():
            issues.append("Delegate does not meet Art.27 requirements")
        if self.delegation_date < self.delegate.qualification_date:
            issues.append("Delegate not yet qualified at time of delegation")
        if not self.delegate.is_qualification_current(self.delegation_date):
            issues.append("Delegate qualification expired at time of delegation")
        if not self.provider_agreement_obtained:
            issues.append("Provider agreement not obtained before delegation")
        elif (
            self.provider_agreement_date is not None
            and self.provider_agreement_date > self.delegation_date
        ):
            # Only flagged when a date is recorded and it is later than delegation.
            issues.append("Provider agreement dated after delegation")
        if not self.delegate.notifying_authority_informed:
            issues.append("Notifying authority not informed of subcontracting")
        return len(issues) == 0, issues

    def is_delegation_complete(self) -> tuple[bool, list[str]]:
        # Lawful delegation plus the notified body's own review of the outputs.
        issues = []
        lawful, lawful_issues = self.is_delegation_lawful()
        if not lawful:
            issues.extend(lawful_issues)
        if not self.output_reviewed_by_nb:
            issues.append("NB has not reviewed delegate outputs before incorporating in assessment")
        return len(issues) == 0, issues


class SubcontractingComplianceTracker:
    def __init__(self, notified_body_nando: str):
        self.notified_body_nando = notified_body_nando
        self.qualified_delegates: list[DelegateQualification] = []
        self.delegation_records: list[DelegationRecord] = []

    def register_delegate(self, delegate: DelegateQualification) -> None:
        self.qualified_delegates.append(delegate)

    def record_delegation(self, record: DelegationRecord) -> None:
        self.delegation_records.append(record)

    def get_non_compliant_delegations(self) -> list[tuple[DelegationRecord, list[str]]]:
        results = []
        for record in self.delegation_records:
            complete, issues = record.is_delegation_complete()
            if not complete:
                results.append((record, issues))
        return results

    def get_expiring_qualifications(self, days_ahead: int = 90) -> list[DelegateQualification]:
        # Includes qualifications that have already expired.
        threshold = date.today() + timedelta(days=days_ahead)
        return [
            d for d in self.qualified_delegates
            if d.qualification_valid_until is not None
            and d.qualification_valid_until <= threshold
        ]

    def get_third_country_delegates(self) -> list[DelegateQualification]:
        # ISO 3166-1 alpha-2 codes of the 27 EU Member States.
        eu_jurisdictions = {
            "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR",
            "DE", "GR", "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL",
            "PL", "PT", "RO", "SK", "SI", "ES", "SE",
        }
        # Normalise case so that "de" is not misreported as a third country.
        return [
            d for d in self.qualified_delegates
            if d.jurisdiction.strip().upper() not in eu_jurisdictions
        ]

    def compliance_report(self) -> dict:
        non_compliant = self.get_non_compliant_delegations()
        expiring = self.get_expiring_qualifications()  # default 90-day window
        third_country = self.get_third_country_delegates()
        return {
            "notified_body_nando": self.notified_body_nando,
            "total_qualified_delegates": len(self.qualified_delegates),
            "total_delegations": len(self.delegation_records),
            "non_compliant_delegations": len(non_compliant),
            "non_compliant_details": [
                {"assessment_id": r.assessment_id, "issues": issues}
                for r, issues in non_compliant
            ],
            "expiring_qualifications_90d": len(expiring),
            "expiring_details": [
                {"entity": d.entity_name, "expires": d.qualification_valid_until.isoformat()}
                for d in expiring
            ],
            "third_country_delegates": len(third_country),
            "third_country_details": [
                {"entity": d.entity_name, "jurisdiction": d.jurisdiction}
                for d in third_country
            ],
        }
```

Art.32 Compliance Matrix

| Requirement | Trigger | Responsible Party | Documentation Required | Consequence of Non-Compliance |
|---|---|---|---|---|
| Art.27 qualification of delegate | Before engaging any subsidiary or subcontractor | Notified body management | Qualification assessment record for each delegate | Delegation unlawful; NB liable for delegate's unqualified work |
| Independence verification | Before each engagement (ongoing for standing arrangements) | Assessment team lead | Independence declaration from delegate + NB verification record | Art.30 challenge grounds; potential Art.29 action |
| Technical competence verification | Before delegating specific tasks | Notified body technical director | Competence evidence (CVs, accreditations, track record) | Certificate may be challenged for competence deficiency |
| QMS verification | Before engagement; monitoring during relationship | Notified body quality manager | QMS documentation review record | NB's Art.31 QMS obligations extend to delegate activities |
| Provider agreement | Before delegation commences | Assessment relationship manager | Written agreement (or documented consent) from provider | Delegation procedurally unlawful; provider can challenge |
| Notifying authority notification | When subsidiary/subcontractor relationship established | Notified body management | Notification record + authority acknowledgment | Regulatory non-compliance; oversight gap |
| Full responsibility retention | Continuous (not a one-time obligation) | Notified body | Assessment records incorporating delegate outputs | NB liable for delegate errors regardless of contract terms |
| Output review | Before incorporating delegate outputs in assessment | NB responsible assessor | Output review checklist or memo | Art.31 obligation to exercise oversight of all assessment work |
| Documentation retention | Duration of certificate + post-expiry period per Art.31 | Notified body document manager | Delegation records, qualification assessments, delegate outputs | National authority cannot conduct oversight; Art.31 breach |
| Third-country compliance | When engaging non-EU delegates | Notified body management | Confirmation that Art.27 requirements met in non-EU jurisdiction | Same liability as EU delegates; no geographic exception |

Provider Checklist: Managing Art.32 Subcontracting in Your Conformity Assessment

Pre-Assessment: Understanding the Delegation Structure

  1. Request the notified body's disclosure of any planned use of subsidiaries or subcontractors for your assessment before signing the assessment contract
  2. Review the identity, jurisdiction, and described qualifications of any proposed delegates before providing agreement
  3. Verify that proposed subcontractors or subsidiaries are not entities with whom you have direct commercial relationships that could create Art.27 independence concerns at the delegate level
  4. Confirm whether the proposed delegate holds any relevant accreditation (e.g., ISO 17025 for testing activities) that corroborates Art.27 technical competence
  5. Understand which specific tasks will be delegated and which will be performed in-house by the notified body
  6. Obtain written confirmation of provider agreement terms—document what you agreed to and what scope of delegation was accepted

Exercising the Agreement Right

  1. You may withhold agreement to any subcontracting without being required to justify your objection—the agreement requirement is your right, not a formality requiring consent upon adequate explanation
  2. Where you have confidentiality concerns about a specific subcontractor having access to your technical documentation or QMS processes, state those concerns explicitly and in writing
  3. Where the notified body cannot perform the assessment without a subcontractor you have objected to, you may need to engage a different notified body—evaluate this as a commercial risk before the assessment process begins
  4. If the notified body proceeds with delegation after you have withheld agreement, this is a procedural violation of Art.32 that may constitute grounds for an Art.30 challenge or regulatory complaint

Assessment Conduct Monitoring

  1. Request identification of all personnel—whether in-house NB staff or delegate personnel—who will have access to your technical documentation and QMS records
  2. Confirm that delegate personnel have made conflict-of-interest declarations covering your organisation and your AI system
  3. Ensure your assessment contract specifies that the notified body takes full responsibility for all delegate work—Art.32 requires this, but explicit contractual confirmation protects your position in disputes
  4. Monitor whether the notified body is exercising genuine oversight of delegate outputs, rather than simply passing through results without independent review
  5. If you become aware that a subcontractor is operating outside the scope of tasks disclosed to you and agreed, notify the notified body in writing and preserve a record

Certificate and Post-Assessment

  1. Verify that the final certificate is issued by the notified body itself (NANDO number, authorised signatory) and not by any subsidiary under a different identity
  2. Confirm that the notified body has registered the certificate in the EU AI database and that the registration accurately reflects any scope conditions arising from the assessment
  3. If the notified body's assessment relied heavily on subcontracted specialist work, evaluate whether the resulting certificate accurately reflects the scope and depth of the assessment actually conducted
  4. Preserve records of all communications about subcontracting, including your agreement and any objections raised, as these may be relevant if the certificate is subsequently challenged
  5. At certificate renewal, request disclosure of whether the same subcontracting structure will be used and whether the delegates' Art.27 qualifications remain current
  6. If you identify evidence that a subcontractor performed work without adequate qualifications—for example, if the testing facility's accreditation was lapsed at the time of testing—this may constitute grounds for an Art.30 challenge
  7. Understand that a notified body's bankruptcy or withdrawal of notification (under Art.29) does not automatically invalidate certificates issued during the period subcontracting occurred, but may affect your ability to pursue liability claims

Third-Country Subcontracting

  1. Where the notified body discloses use of a third-country subsidiary or subcontractor, confirm that the notified body has verified Art.27 compliance in the non-EU jurisdiction and that full responsibility is retained by the notified body under EU law
  2. Consider the information governance implications of technical documentation being transmitted to a third-country entity—confirm applicable data protection and confidentiality protections before providing agreement
