2026-04-23·14 min read·

EU AI Act Art.33 Number and Resources of Notified Bodies: Staffing Requirements, Technical Capacity, and Commission Oversight (2026)

Article 33 of the EU AI Act addresses a structural tension that runs through every conformity assessment regime: the gap between the static moment of designation and the continuous operational reality that follows. A notified body may be designated on the basis of a thorough Art.27 assessment carried out at a specific point in time, demonstrating adequate staff qualifications, technical equipment, financial stability, and quality management systems. Six months later, three senior assessors may have resigned, a key testing laboratory contract may have expired, and the body's professional indemnity insurance may not have been renewed on equivalent terms. Art.33 exists precisely because Art.27 compliance cannot be treated as a one-time certification — it is an ongoing operational obligation, and Art.33 provides the framework for maintaining and verifying that obligation across the full period of a notified body's designation.

The Article imposes two concurrent requirements. Notified bodies must at all times maintain adequate numbers of qualified staff. They must also maintain technical and financial resources commensurate with their scope of designation. Both requirements are assessed not against a general standard but against the specific domain — or domains — for which the body has been notified. A body notified exclusively for high-risk AI systems in the area of medical devices operates in a technical domain with different staffing depth requirements than a body notified across multiple high-risk categories. Art.33 is therefore not a flat-rate requirement but a proportional one, calibrated to the scope the notifying authority has granted.

The Position of Art.33 in the Notified Body Framework

Art.33 sits immediately after Art.32 (subsidiaries of and subcontracting by notified bodies) in the EU AI Act's notified body chapter. The sequencing reflects the regulatory logic: Art.32 addressed the circumstances under which notified bodies may extend operational capacity through delegation — Art.33 addresses the circumstances under which they must maintain it internally. Together, the two articles define the perimeter of operational capacity management for notified bodies: what can be delegated and under what conditions, and what must be sustained in-house regardless of delegation.

The broader chapter architecture provides the context:

Art.27 establishes the eligibility requirements a conformity assessment body must meet to be designated: independence, technical competence, a quality management system, financial stability, adequate liability insurance, and sufficient numbers of qualified staff
Art.28 establishes the formal notification procedure: designation, NANDO registration, notification to other Member States and the Commission
Art.29 governs changes to notifications: the notifying authority's powers to suspend, restrict, or withdraw notification when Art.27 compliance fails, and the conditions under which the Commission may challenge notification validity
Art.30 establishes the competence challenge procedure through which any person with a legitimate interest may contest a notified body's technical competence in relation to a specific conformity assessment
Art.31 governs the operational conduct of notified bodies: conformity assessment procedure fidelity, proportionality, independence in each assessment, certificate management and lifecycle, documentation retention, and reporting obligations
Art.32 governs the specific circumstances under which notified bodies may extend their operational capacity through subsidiaries and subcontractors, and the conditions under which that extension is lawful
Art.33 governs the internal resource floor that notified bodies must maintain throughout the period of their designation — the ongoing obligation that mirrors and sustains the Art.27 eligibility showing

The Two Dimensions of Art.33 Compliance

Adequate Numbers of Qualified Staff

The first Art.33 requirement — adequate numbers of qualified staff — has both a quantitative and a qualitative dimension. The quantitative dimension is the most visible: does the notified body have enough assessors, auditors, reviewers, and support personnel to carry out its scope of designation without structural backlogs, reliance on single-point-of-failure experts, or processing timelines that compromise the proportionality obligation Art.31 imposes?

The qualitative dimension is embedded in the phrase "qualified staff." This is not a general competence requirement — it is a requirement that staff qualifications align with the Art.27 technical competence criteria for the specific domains covered by the body's notification. A body notified for high-risk AI systems in critical infrastructure must have staff with documented competence in the technical characteristics of such systems, including the embedded AI components, the safety-critical software architecture, and the sector-specific regulatory framework those systems must satisfy. A body notified across a broader range of high-risk categories under Annex III must demonstrate proportional competence depth across each category.

Art.27(1) requires notified bodies to have "necessary staff with the technical knowledge and sufficient and appropriate experience to perform the conformity assessment activities." Art.33 translates this into an ongoing obligation: the same level of staff qualification that justified designation must be maintained throughout the designation period. Personnel changes — resignations, retirements, reductions-in-force, transfers — that erode this base require active remediation, not passive acknowledgment.

The practical implication is that notified bodies must treat staffing as a compliance function, not merely an HR function. When a senior assessor in a notified domain leaves, the body must either recruit a qualified replacement, retrain existing staff to an equivalent qualification level, or — if neither is possible within a reasonable timeframe — notify the notifying authority that its scope of designation has become temporarily or permanently misaligned with its staff capacity. Failure to take any of these steps is a direct Art.33 violation, and one that the notifying authority may identify through its ongoing monitoring obligations.

Technical and Financial Resources

The second Art.33 requirement — adequate technical and financial resources — encompasses the full operational infrastructure a notified body needs to carry out conformity assessments that comply with the Annex VI and Annex VII procedures.

Technical resources include the physical and digital testing equipment, laboratory facilities, software tools for AI system evaluation, access to relevant standards and technical references, and the organisational infrastructure (quality management systems, record management, document control) that ensures assessment activities meet the Art.31 operational standards. Where the notified body relies on subcontractors for specific technical capabilities (as Art.32 permits), the notified body remains responsible under Art.33 for ensuring those subcontracted capabilities are genuine and continuously available — not merely contractually promised on paper.

Financial resources have two components. The first is operational: the notified body must have the financial capacity to employ and retain qualified staff, maintain its technical infrastructure, operate its quality management system, and continue functioning as an independent assessment body without financial pressure that could compromise its impartiality. The second is liability: Art.27(6) requires notified bodies to take out appropriate professional indemnity insurance, and Art.33 requires that this insurance remain in force and at appropriate coverage levels throughout the designation period. A notified body whose professional indemnity insurance has lapsed, been materially reduced in scope, or been replaced with coverage that does not extend to the categories for which it has been notified has a direct Art.33 deficiency, even if its staff qualifications and technical resources remain intact.

The Ongoing Obligation: Designation versus Operation

The critical distinction Art.33 draws — and one that is frequently underestimated in conformity assessment practice — is the difference between the resource showing made at the time of designation and the resource maintenance obligation that runs continuously thereafter.

At the time of designation, the notifying authority carries out an assessment of the conformity assessment body's compliance with Art.27. This assessment is thorough and structured: the body submits documentation, the notifying authority may carry out on-site assessments, and the process may involve peer review or co-assessment by other Member State notifying authorities. The outcome is a formal designation decision that forms the basis of the notification to the Commission and other Member States through the NANDO database.

What Art.33 makes explicit is that the Art.27 assessment carried out at designation time is not a permanent clearance. It is a finding that, at a specific point in time, the body's resources were adequate. The notifying authority retains ongoing monitoring responsibilities — and Art.33 creates the corresponding obligation on the notified body's side: to maintain the resource adequacy that the designation assessment found, not merely to have demonstrated it once.

This has several practical implications:

Internal monitoring obligation: Notified bodies must maintain internal systems capable of identifying resource deterioration before it becomes an external compliance failure. Staff qualification tracking, equipment maintenance and calibration records, insurance policy review calendars, and financial resource monitoring are all Art.33 compliance functions.

Proactive notification obligation: When a notified body identifies that its resources have fallen below the Art.27-aligned threshold — or are at foreseeable risk of doing so — it must notify the notifying authority. Passive non-disclosure of resource deficiencies is a violation of the transparency obligations that underlie the entire notified body framework.

Scope management obligation: If a notified body cannot maintain Art.33-compliant resources for a particular domain within its scope of designation, it must seek a scope restriction from the notifying authority rather than continuing to accept conformity assessment requests in that domain. Continuing to issue certificates in a domain where the body's Art.33 compliance is deficient creates certificates with a validity question — potentially triggering Art.29 action and, for the AI systems certified, potentially triggering market surveillance authority attention.

Art.33 and the Notifying Authority's Ongoing Monitoring Role

Art.33 does not operate in isolation from the notifying authority's ongoing supervision function. The notifying authority is responsible not only for carrying out the Art.27 assessment at designation time but for monitoring — on an ongoing basis — whether designated bodies continue to meet the Art.27 requirements that Art.33 operationalises.

This monitoring function manifests in several ways:

Periodic re-assessment: Notifying authorities are expected to carry out periodic assessments of designated bodies' continued compliance — not only when a body self-reports a deficiency, but as a routine element of the supervisory relationship. The frequency and depth of these assessments will typically reflect the notifying authority's risk model: bodies operating across a wide scope of high-risk categories may be assessed more frequently than those with a narrow, well-established designation scope.

Incident-triggered review: When a notified body's certificate is challenged under Art.30, when a market surveillance authority identifies a systemic problem with that body's assessments, or when the Commission raises concerns about the body's notification validity under Art.29(3), the notifying authority may carry out a targeted review of Art.33 compliance as part of the broader investigation.

Information requests: Under the framework Art.29 and the general supervisory architecture of the EU AI Act, notifying authorities may request documentation from notified bodies to verify Art.33 compliance at any time. Notified bodies must maintain documentation adequate to respond to such requests without significant delay — the practical implication being that resource adequacy records must be current, organised, and accessible, not reconstructed retrospectively.

Art.33 × Art.27: The Downstream Qualification Cascade

The relationship between Art.33 and Art.27 creates what might be described as a downstream qualification cascade. Art.27 sets the requirements a body must meet to be designated. Art.33 requires that those requirements be maintained throughout the designation. When Art.33 compliance fails — when a body's staff numbers fall below the adequate threshold, its technical resources become inadequate, or its financial resources no longer support the independence Art.27 requires — the body is in Art.27 non-compliance, not merely Art.33 non-compliance.

This matters because Art.29 — the article that governs changes to notifications and the suspension, restriction, or withdrawal of notified body status — is triggered by Art.27 compliance failures. An Art.33 deficiency that is sufficiently serious therefore creates the conditions for an Art.29 enforcement action by the notifying authority. In practice, the sequence is:

Notified body fails to maintain adequate staff numbers or technical resources
Body is therefore in ongoing Art.27 non-compliance (specifically the competence and resource requirements)
Notifying authority identifies the deficiency (through its own monitoring, through a notification from the body, or through a third-party trigger)
Notifying authority initiates Art.29 procedures: initially remediation with time-bound corrective actions; if remediation fails, scope restriction or suspension; if suspension does not result in remediation, withdrawal of notification

The certificates issued by a notified body that was in Art.33 non-compliance at the time of issuance retain their formal validity unless and until a specific administrative action withdraws or invalidates them — but the validity question is live, and market surveillance authorities that discover the underlying Art.33 deficiency may investigate whether the assessments behind those certificates were carried out at the required competence level.

Art.33 × Art.31: Resource Adequacy and Operational Performance

Art.31 requires notified bodies to carry out conformity assessments proportionately — avoiding unnecessary burden on providers while maintaining the rigour the regulatory framework requires. The proportionality obligation in Art.31 and the resource adequacy obligation in Art.33 are structurally linked: a notified body cannot achieve Art.31 proportionality if it lacks the qualified staff and technical resources Art.33 requires.

The link runs in both directions. A body with adequate Art.33 resources can properly calibrate the depth of its conformity assessment against the specific risk characteristics of the AI system under review. A body with inadequate Art.33 resources — whether because of staffing shortfalls or technical infrastructure gaps — faces structural pressure either to over-simplify assessments (failing Art.31 rigour) or to over-extend timelines (failing Art.31 proportionality). Either outcome is a regulatory compliance failure, and tracing its root cause often leads back to an Art.33 resource deficiency.

Art.33 × Art.32: Resources and Delegation

The Art.33 minimum is the floor below which delegation under Art.32 cannot substitute. Art.32 permits notified bodies to extend their operational capacity through subcontractors and subsidiaries — but only for specific tasks, under conditions that preserve the notified body's responsibility and the Art.27 qualification requirements for delegates.

What Art.33 makes clear is that the ability to delegate does not reduce the notified body's own resource obligations to zero for the delegated domains. The notified body must retain sufficient internal competence to:

Evaluate the qualifications of its subcontractors and subsidiaries under Art.32(1)'s Art.27 alignment requirement
Monitor the technical quality of work performed by delegates
Exercise the oversight responsibility Art.32(4) attributes to the notified body for all delegated work
Issue, manage, and where necessary withdraw certificates that reflect assessments performed partly through delegation

Notified bodies that attempt to substitute subcontractor relationships for internal staff capacity as a means of appearing Art.33-compliant while operating with structural staff deficiencies are in breach of both Art.33 and the oversight requirements Art.32 imposes. The supervisory reality is that notifying authorities and the Commission have sufficient visibility — through the documentation and reporting obligations across Arts.31-33 — to identify this pattern.

Commission and EU AI Board Oversight

The Commission and the EU AI Board play a supervisory role with respect to notified body capacity that operates above the Member State level. While the primary relationship for Art.33 compliance is between the notified body and its national notifying authority, the Commission retains the power under Art.29(3) to investigate the validity of notifications and to require Member States to take corrective action if a notified body fails to meet the Art.27 and Art.33 requirements.

The EU AI Board's notified bodies sub-group has a coordination function: identifying cross-border patterns in notified body capacity, flagging sector-specific expertise gaps that may affect the availability of conformity assessment capacity across the EU, and developing guidance that harmonises the interpretation of Art.33's adequacy requirements across Member States whose notifying authorities may apply different assessment methodologies.

From a practical standpoint, this EU-level oversight means that Art.33 compliance failures in one Member State may trigger Commission scrutiny that extends to the notifying authority's monitoring practices — not just the notified body's internal resources. This creates incentives for notifying authorities to maintain robust ongoing monitoring of designated bodies' Art.33 status, not merely to carry out thorough assessments at designation time.

Documentation and Demonstrability

Art.33 compliance must be documentable. This is not an explicit statutory requirement in the Article's text but follows necessarily from the broader documentation and reporting framework across Arts.27-35 and from the notifying authority's monitoring function.

In practice, a notified body with Art.33 documentation adequate for supervisory review would maintain:

Staff competence registry: For each domain within the scope of designation, a documented record of the qualified staff whose competence underpins the body's capability in that domain — including qualification evidence, domain-specific training records, ongoing professional development, and assessment experience logs. The registry must be current (reflecting actual current staff) and include succession information that demonstrates organisational resilience rather than single-point-of-failure expertise.

Technical resource inventory: A documented inventory of testing equipment, laboratory facilities, software tools, and data access arrangements relevant to the body's scope of designation, including calibration records, maintenance schedules, software version and access histories, and the contractual basis for resources obtained externally.

Financial resource documentation: Current financial accounts demonstrating the body's operational financial capacity, evidence of current professional indemnity insurance coverage (policy document, scope confirmation, coverage limits), and — where relevant — documentation of financial relationships that might bear on the body's independence from the AI system providers whose products it assesses.

Resource adequacy reviews: Internal periodic reviews of the body's Art.33 compliance status — ideally conducted by the quality management function Art.27(9) requires — with findings documented and corrective actions tracked through to resolution.

The Art.33 Resource Adequacy Tracker: A Python Implementation

The following Python class implements a systematic Art.33 resource adequacy tracking framework. It tracks staff qualification coverage by domain, technical resource availability, financial resource status, and insurance coverage, generating compliance status assessments against Art.33's requirements:

from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional
import json


class ComplianceStatus(str, Enum):
    COMPLIANT = "COMPLIANT"
    AT_RISK = "AT_RISK"
    NON_COMPLIANT = "NON_COMPLIANT"
    UNKNOWN = "UNKNOWN"


@dataclass
class StaffMember:
    name: str
    role: str
    domains: list[str]
    qualification_verified: bool
    qualification_expiry: Optional[date]
    active: bool = True

    def is_qualified(self, domain: str, as_of: date = None) -> bool:
        if not self.active or not self.qualification_verified:
            return False
        if as_of is None:
            as_of = date.today()
        if self.qualification_expiry and self.qualification_expiry < as_of:
            return False
        return domain in self.domains


@dataclass
class TechnicalResource:
    resource_id: str
    description: str
    domains: list[str]
    available: bool
    last_verified: date
    next_review: date
    calibration_current: bool = True


@dataclass
class InsuranceCoverage:
    policy_reference: str
    insurer: str
    scope_domains: list[str]
    coverage_start: date
    coverage_expiry: date
    coverage_limit_eur: float

    def is_current(self, as_of: date = None) -> bool:
        if as_of is None:
            as_of = date.today()
        return self.coverage_start <= as_of <= self.coverage_expiry

    def days_to_expiry(self, as_of: date = None) -> int:
        if as_of is None:
            as_of = date.today()
        return (self.coverage_expiry - as_of).days


@dataclass
class ResourceAdequacyTracker:
    """
    Tracks Art.33 EU AI Act resource adequacy for a notified body.
    Art.33 requires notified bodies to maintain adequate numbers of
    qualified staff and technical/financial resources at all times.
    """
    notified_body_id: str
    designated_domains: list[str]
    staff: list[StaffMember] = field(default_factory=list)
    technical_resources: list[TechnicalResource] = field(default_factory=list)
    insurance: Optional[InsuranceCoverage] = None
    minimum_staff_per_domain: int = 2

    def add_staff(self, member: StaffMember) -> None:
        self.staff.append(member)

    def add_technical_resource(self, resource: TechnicalResource) -> None:
        self.technical_resources.append(resource)

    def set_insurance(self, coverage: InsuranceCoverage) -> None:
        self.insurance = coverage

    def qualified_staff_count(self, domain: str, as_of: date = None) -> int:
        if as_of is None:
            as_of = date.today()
        return sum(
            1 for s in self.staff
            if s.is_qualified(domain, as_of)
        )

    def domain_staff_status(self, domain: str, as_of: date = None) -> ComplianceStatus:
        count = self.qualified_staff_count(domain, as_of)
        if count == 0:
            return ComplianceStatus.NON_COMPLIANT
        if count < self.minimum_staff_per_domain:
            return ComplianceStatus.AT_RISK
        return ComplianceStatus.COMPLIANT

    def technical_resource_status(self, domain: str, as_of: date = None) -> ComplianceStatus:
        if as_of is None:
            as_of = date.today()
        domain_resources = [
            r for r in self.technical_resources
            if domain in r.domains
        ]
        if not domain_resources:
            return ComplianceStatus.NON_COMPLIANT
        available = [
            r for r in domain_resources
            if r.available and r.calibration_current and r.next_review >= as_of
        ]
        if not available:
            return ComplianceStatus.NON_COMPLIANT
        if len(available) < len(domain_resources):
            return ComplianceStatus.AT_RISK
        return ComplianceStatus.COMPLIANT

    def insurance_status(self, as_of: date = None) -> ComplianceStatus:
        if as_of is None:
            as_of = date.today()
        if self.insurance is None:
            return ComplianceStatus.NON_COMPLIANT
        if not self.insurance.is_current(as_of):
            return ComplianceStatus.NON_COMPLIANT
        days_left = self.insurance.days_to_expiry(as_of)
        if days_left <= 30:
            return ComplianceStatus.AT_RISK
        missing_coverage = [
            d for d in self.designated_domains
            if d not in self.insurance.scope_domains
        ]
        if missing_coverage:
            return ComplianceStatus.AT_RISK
        return ComplianceStatus.COMPLIANT

    def overall_status(self, as_of: date = None) -> dict:
        if as_of is None:
            as_of = date.today()
        domain_results = {}
        for domain in self.designated_domains:
            staff_s = self.domain_staff_status(domain, as_of)
            tech_s = self.technical_resource_status(domain, as_of)
            domain_results[domain] = {
                "staff": staff_s,
                "technical_resources": tech_s,
                "qualified_staff_count": self.qualified_staff_count(domain, as_of),
            }
        ins_s = self.insurance_status(as_of)
        statuses = [
            v["staff"] for v in domain_results.values()
        ] + [
            v["technical_resources"] for v in domain_results.values()
        ] + [ins_s]
        if ComplianceStatus.NON_COMPLIANT in statuses:
            overall = ComplianceStatus.NON_COMPLIANT
        elif ComplianceStatus.AT_RISK in statuses:
            overall = ComplianceStatus.AT_RISK
        else:
            overall = ComplianceStatus.COMPLIANT
        return {
            "assessed_date": as_of.isoformat(),
            "notified_body_id": self.notified_body_id,
            "overall": overall,
            "insurance": ins_s,
            "domains": domain_results,
        }

    def generate_art33_report(self, as_of: date = None) -> str:
        status = self.overall_status(as_of)
        lines = [
            f"=== Art.33 Resource Adequacy Report ===",
            f"Notified Body: {self.notified_body_id}",
            f"Assessment Date: {status['assessed_date']}",
            f"Overall Status: {status['overall'].value}",
            f"Insurance Status: {status['insurance'].value}",
            "",
            "Domain-Level Assessment:",
        ]
        for domain, result in status["domains"].items():
            lines.append(
                f"  {domain}: Staff={result['staff'].value} "
                f"({result['qualified_staff_count']} qualified), "
                f"TechResources={result['technical_resources'].value}"
            )
        if self.insurance:
            lines.append(
                f"\nInsurance: {self.insurance.policy_reference} "
                f"(expires {self.insurance.coverage_expiry.isoformat()}, "
                f"{self.insurance.days_to_expiry():+d}d)"
            )
        return "\n".join(lines)


# Example usage
if __name__ == "__main__":
    tracker = ResourceAdequacyTracker(
        notified_body_id="NB-DE-0472",
        designated_domains=["medical_ai", "biometrics"],
        minimum_staff_per_domain=2,
    )

    tracker.add_staff(StaffMember(
        name="Dr. Schmidt",
        role="Lead Assessor",
        domains=["medical_ai", "biometrics"],
        qualification_verified=True,
        qualification_expiry=date(2027, 6, 30),
    ))
    tracker.add_staff(StaffMember(
        name="Dr. Weber",
        role="Technical Assessor",
        domains=["medical_ai"],
        qualification_verified=True,
        qualification_expiry=date(2026, 12, 31),
    ))
    tracker.add_staff(StaffMember(
        name="M. Hoffmann",
        role="Assessor",
        domains=["biometrics"],
        qualification_verified=True,
        qualification_expiry=date(2027, 3, 31),
    ))

    tracker.add_technical_resource(TechnicalResource(
        resource_id="LAB-001",
        description="AI performance testing environment",
        domains=["medical_ai", "biometrics"],
        available=True,
        last_verified=date(2026, 4, 1),
        next_review=date(2026, 10, 1),
        calibration_current=True,
    ))

    tracker.set_insurance(InsuranceCoverage(
        policy_reference="PI-2026-DE-0472",
        insurer="Allianz SE",
        scope_domains=["medical_ai", "biometrics"],
        coverage_start=date(2026, 1, 1),
        coverage_expiry=date(2027, 1, 1),
        coverage_limit_eur=5_000_000.0,
    ))

    print(tracker.generate_art33_report())

Art.33 Compliance Matrix

Requirement	Art.33 Standard	Compliance Threshold	Non-Compliance Trigger
Qualified staff — number	Adequate numbers for designated scope	Minimum 2 per domain; no single-point-of-failure	Staff count falls below adequate threshold in any designated domain
Qualified staff — qualifications	Art.27-aligned competence maintained	All staff qualifications current; expiry tracked	Expired qualification not remediated within defined period
Qualified staff — continuity	Organisational resilience	Succession capability for key assessor roles	Single assessor holds sole competence in designated domain
Technical resources — equipment	Current, calibrated, available	Calibration current; availability documented	Key equipment unavailable, uncalibrated, or not maintained
Technical resources — scope alignment	Resources match designated domains	No designated domain without supporting technical infrastructure	Technical infrastructure gap in any designated domain
Financial resources — operational	Adequate to sustain independent operation	No financial pressure compromising impartiality	Financial instability identified or disclosed
Financial resources — insurance	Professional indemnity in force and scope-adequate	Policy current; coverage extends to all designated domains	Policy lapsed, expired, or domain coverage gap identified
Resource documentation	Auditable records supporting notifying authority oversight	Current, organised, accessible records across all resource categories	Records unavailable or reconstructed retrospectively on request
Self-monitoring	Proactive internal assessment of resource adequacy	Periodic documented review; Art.27 alignment verified	No systematic internal monitoring; deficiencies identified externally
Proactive notification	Report resource deterioration to notifying authority	Notification within defined period of identified deficiency	Passive non-disclosure of known Art.33 deficiency

Intersection with Art.29 Enforcement

The Art.33 resource adequacy obligation is directly linked to the Art.29 enforcement architecture. Art.29 empowers notifying authorities to suspend, restrict, or withdraw a notified body's notification when that body no longer meets the Art.27 requirements. Since Art.33 defines the ongoing obligation to maintain Art.27-aligned resources, an Art.33 deficiency that is not remediated becomes the predicate for Art.29 action.

The practical enforcement sequence has several stages:

Stage 1 — Identification: The notifying authority identifies an Art.33 deficiency, whether through its routine monitoring, a self-report by the notified body, an Art.30 challenge, or a Commission inquiry under Art.29(3).

Stage 2 — Corrective action period: The notifying authority typically allows a defined remediation period — the specific timeframe is not mandated by Art.33 but follows from the notifying authority's supervisory framework and the severity of the deficiency. During this period, the notified body must demonstrate active remediation steps: recruitment in progress, replacement technical resources being procured, insurance coverage being renewed.

Stage 3 — Suspension: If the corrective action period passes without adequate remediation, Art.29 suspension follows. Suspension does not retroactively invalidate previously issued certificates but does halt new conformity assessment activity in the affected domain.

Stage 4 — Withdrawal: If suspension does not result in remediation, the notifying authority withdraws the notification — the most severe Art.29 outcome, which terminates the body's notified status and requires the Commission to update the NANDO database accordingly.

26-Item Art.33 Operational Readiness Checklist

Staff Adequacy

For each designated domain, document the number of qualified staff whose competence covers that domain specifically
Verify that no designated domain relies on a single qualified assessor (single-point-of-failure risk)
Review each staff member's domain qualifications against Art.27 technical competence requirements for that domain
Track expiry dates for all staff qualifications and initiate renewal processes at least 90 days before expiry
Maintain succession plans for senior assessors covering each designated domain
Document all staff qualification evidence in a centralised registry accessible to the quality management function and notifying authority
Define and enforce a minimum staff-per-domain threshold that reflects the volume of assessment activity and the proportionality requirements of Art.31

Technical Resource Adequacy

Inventory all technical resources (equipment, software, laboratory access, data infrastructure) relevant to each designated domain
Maintain calibration records for physical testing equipment and verify calibration is current
For software-based evaluation tools, document version histories, access credentials, and vendor support status
For externally contracted laboratory or technical access, verify contractual continuity and assess dependency risk
Schedule and document periodic technical resource reviews — at least annually, or on any material change in the body's scope or operational arrangements
Identify technical resource gaps that would prevent assessment of specific high-risk AI system types within designated domains and address them proactively

Financial Resource Adequacy

Maintain current financial accounts demonstrating operational financial capacity independent of AI system provider relationships
Review the professional indemnity insurance policy for current validity, scope coverage across all designated domains, and coverage limits adequate to the body's assessment volumes
Flag insurance renewal at least 90 days before policy expiry — not 30, to allow scope renegotiation if the policy terms need to be adjusted to match any change in designated scope
Document financial resource evidence in a form that can be provided to the notifying authority within 5 business days of any request
Assess whether any financial relationship with an AI system provider (investment, contractual, fee dependency) creates independence risks that Art.27(1) and Art.33 require to be managed

Internal Monitoring and Self-Assessment

Establish a documented periodic Art.33 self-assessment process — quarterly at minimum — conducted by the quality management function and producing a written output
Define internal escalation thresholds: at what staff count or resource availability level does an Art.33 risk trigger mandatory management review and notification planning?
Maintain a log of Art.33 self-assessments, findings, and corrective actions with date and outcome records
Review Art.33 compliance status following any material organisational change: staff departures, M&A activity, scope changes, or changes in the designated domain regulatory framework

Notifying Authority Interface

Define the internal process and timeline for notifying the notifying authority when an Art.33 deficiency is identified — before it becomes externally apparent through an Art.30 challenge or Commission inquiry
Maintain all Art.33-relevant documentation in a format and location that enables complete disclosure within 5 business days of a notifying authority request
Where the notified body has sought, or is considering seeking, a scope change through Art.29's notification amendment process due to an Art.33 resource constraint, document the decision and its timeline

Art.32 Integration

Where subcontracting or subsidiary use under Art.32 substitutes for internal capacity in any domain, verify that the Art.33 minimum internal oversight capability is maintained — the body must retain sufficient qualified staff to evaluate delegate qualifications, oversee delegated work, and manage certificates, even where technical assessment tasks are delegated

Conclusion

Art.33 translates the Art.27 eligibility requirements into a continuously operative obligation. Its effect is to make designation not a one-time clearance but the starting point of an ongoing compliance relationship between the notified body and its notifying authority — and, through the notifying authority, between the notified body and the broader EU supervisory architecture that the Commission and the EU AI Board operate.

For notified bodies, the practical implication is that Art.33 compliance is a quality management function as much as a legal one. The resource adequacy the Article requires cannot be monitored passively or addressed reactively — it must be tracked through systematic internal processes, documented to auditable standards, and proactively disclosed when deficiencies emerge. Bodies that treat Art.33 as an administrative formality addressed at designation time will find, when staff depart, equipment lapses, or insurance coverage narrows, that the Art.29 enforcement architecture responds with material consequences.

For AI system providers whose conformity assessments are carried out by notified bodies, Art.33 is the provision that most directly affects the durable value of the certificates they obtain. A certificate issued by a body that was in Art.33 non-compliance at the time of issuance carries a validity risk that providers have a legitimate interest in understanding — which is why Art.30's competence challenge mechanism exists and why Art.31's documentation retention obligations create the evidentiary basis for assessing that risk after the fact.

The Art.33 framework, understood correctly, is the EU AI Act's mechanism for ensuring that the conformity assessment market remains genuinely capable — not merely formally populated — throughout the period in which the regulation's high-risk AI system requirements are enforced.