EU AI Act Art.34 Identification Numbers and Lists of Notified Bodies: NANDO Registration, Commission Publication, and Transparency Framework (2026)
Article 34 of the EU AI Act performs a function that is easy to underestimate precisely because it is so foundational: it creates the authoritative, publicly accessible record of every notified body operating within the EU AI Act conformity assessment framework. Without Art.34, the elaborate machinery of Art.27 designation requirements, Art.28 notification procedures, Art.29 suspension and withdrawal powers, and Art.31 operational obligations would operate in an informational vacuum. Providers of high-risk AI systems, market surveillance authorities, national competent authorities, and the Commission itself would have no single, Commission-maintained source of truth for which conformity assessment bodies are legitimately notified, for which domains, under which national notification, and with which unique identifier that ties each certificate back to a specific designated body. Art.34 closes that gap.
The Article does three things. First, it requires the Commission to attribute a unique identification number to each notified body. Second, it requires the Commission to publish on its website a list of all notified bodies including their identification numbers and the activities for which they have been notified. Third, it requires Member States to communicate to the Commission all changes to existing notifications, and requires the Commission to update the published list accordingly. Each of these obligations serves a distinct regulatory function, and each connects to the broader notified body chapter in ways that are not immediately obvious from the Article's relatively compact text.
The Position of Art.34 in the Notified Body Chapter
Art.34 follows Art.33 (number and resources of notified bodies) and precedes the conformity assessment procedure articles that govern how designated bodies actually carry out their assessment work. Its placement reflects its systemic function: the internal resource and operational requirements of Arts.27–33 are prerequisites for designation; Art.34 is what makes designation legible to the outside world. Once a notified body has met the Art.27 eligibility requirements, been assessed by the notifying authority, been formally designated, and been notified to the Commission and other Member States through the Art.28 procedure, Art.34 is what converts that notification into a publicly verifiable, Commission-catalogued entry in the NANDO database.
The broader chapter architecture provides the context for Art.34's role:
- Art.27 establishes designation eligibility requirements: independence, technical competence, qualified staff, quality management systems, financial resources, and liability insurance
- Art.28 establishes the formal notification procedure: the notifying authority's obligation to notify the Commission and other Member States following a positive Art.27 assessment, and the Commission's involvement through the NANDO registration system
- Art.29 governs changes to notifications: suspension, restriction, and withdrawal of notifications by notifying authorities, and the corresponding update obligation to the Commission and other Member States
- Art.30 establishes the competence challenge mechanism for persons with a legitimate interest in a particular conformity assessment body's designation
- Art.31 governs operational obligations of notified bodies in carrying out conformity assessments
- Art.32 governs subsidiaries and subcontracting arrangements
- Art.33 governs ongoing resource adequacy during the designation period
- Art.34 creates the Commission-maintained identification and publication framework that makes the entire notified body system transparent and verifiable
The Identification Number Function
Assignment and Uniqueness
The Commission's obligation under Art.34 to attribute a unique identification number to each notified body is not merely administrative housekeeping. The identification number performs a specific technical function within the conformity assessment certificate framework: it creates an unambiguous link between a conformity assessment certificate issued under the EU AI Act and the specific notified body that issued it.
Conformity assessment certificates for high-risk AI systems under Annex VI and Annex VII must identify the notified body that carried out the assessment. The identification number ensures that this identification is unambiguous — it resolves the risk that two different bodies might operate under similar names, that a body might change its corporate name while retaining its notification, or that a provider searching the Commission's NANDO database for a body referenced in a certificate might be unable to locate the corresponding record because the name in the certificate does not precisely match the current name in the database.
The uniqueness requirement also serves a market surveillance function. When a market surveillance authority investigates a high-risk AI system placed on the market with a certificate issued under the EU AI Act, the identification number enables the authority to immediately determine: which notified body issued the certificate, whether that body was legitimately notified at the time of issuance, for which domain scope it was notified, and whether the activity (the conformity assessment) fell within that notified scope. Each of these determinations is materially faster and more reliable when it can be made by reference to a unique identifier rather than by matching certificate text against a directory of body names.
NANDO Database Integration
The Commission's publication obligation under Art.34 is implemented through the NANDO database — the New Approach Notified and Designated Organisations database maintained by the European Commission's internal market directorate. NANDO has served as the central registry for conformity assessment bodies notified under EU harmonisation legislation for more than two decades, and the EU AI Act's Art.34 framework builds on this established infrastructure.
The NANDO database entry for an EU AI Act notified body records:
Identity information: The body's legal name, the Member State that has notified it, the national competent authority (notifying authority) responsible for the notification, the Art.34 identification number, and contact information.
Notification scope: The specific high-risk AI system categories under Annex III for which the body has been notified, and — where the notification covers conformity assessment under specific procedures — the applicable Annex VI (third-party conformity assessment) or Annex VII (conformity assessment based on assessment of the quality management system) procedures.
Notification status: Whether the notification is current and active, suspended, restricted, or withdrawn, with the date of any status change. This is the Art.34 update obligation in action: every notification change communicated by a Member State under Art.29 or Art.28 must be reflected in the NANDO database entry, creating a real-time status record that providers, market surveillance authorities, and the Commission itself can query.
Notification date and history: The date of the original notification and, where applicable, dates of subsequent scope changes, suspensions, or reinstatements.
The Publication and Update Obligation
Commission's Obligation to Publish
Art.34 places the publication obligation on the Commission, not on Member States or notified bodies themselves. This is a structural choice with regulatory significance: it means that the authoritative public record of notified body status is Commission-maintained, not self-reported by the bodies or reported by potentially inconsistent Member State channels.
The Commission's publication obligation is not a one-time event triggered by each new notification. It is a continuous obligation to maintain an up-to-date list that accurately reflects the current status of every notified body. The "publishes on its website" formulation in Art.34 implies that the NANDO database is always accessible and always reflects the current authoritative picture — not a periodic report or an annual register update.
This has practical consequences. A provider of a high-risk AI system engaging a notified body for conformity assessment should be able, at any point in the engagement, to verify the body's NANDO status. If the notifying authority has restricted the body's scope after the provider's engagement began but before the certificate was issued, the NANDO database should reflect that restriction. The provider's reliance on the body's continued notification validity must be based on current NANDO status, not on the status as of the date the engagement was initiated.
Member State Update Communication Obligation
The counterpart to the Commission's publication obligation is the Member State obligation to communicate all changes to existing notifications. This communication obligation flows from the Art.29 framework: whenever a notifying authority suspends, restricts, or withdraws a notification — whether on its own initiative in response to Art.33 resource deficiency findings, in response to a successful Art.30 competence challenge, or in response to Commission action under Art.29(3) — it must communicate that change to the Commission so that Art.34's publication requirement can be fulfilled.
The communication obligation also covers positive changes: scope extensions, reinstatements following suspension, and modifications to the activities covered by an existing notification. Art.34's transparency function extends to the full lifecycle of a notification, not only to its creation and termination.
This creates a dependency chain: the quality of the NANDO database as an Art.34 transparency tool depends on the promptness and accuracy of Member State communications. A notifying authority that suspends a notified body's designation but delays notifying the Commission creates an Art.34 compliance gap — during that delay, the NANDO database shows the body as fully notified when its actual legal status has changed. Providers who rely on the NANDO database during that gap period have a legitimate claim to have acted in good faith, which may affect the liability analysis for any conformity assessment certificates issued during the gap period.
Art.34 × Art.28: The Notification Pipeline
The relationship between Art.34 and Art.28 is foundational. Art.28 establishes the initial notification procedure: when a Member State has designated a conformity assessment body following a positive Art.27 assessment, the notifying authority notifies the Commission and other Member States of that designation. The notification includes all the information the Commission needs to create the NANDO database entry: the body's identity, its Art.34 identification number, and the activities for which it has been notified.
Art.28 also establishes a waiting period before the notified body may begin to carry out conformity assessments. This waiting period — during which the Commission and other Member States may review the notification and raise concerns — is relevant to the Art.34 publication timeline. The body may be listed in NANDO as "under review" or with a status that reflects the Art.28 waiting period, with its active status updating when the waiting period expires without objection.
The Art.28 notification is thus the trigger for the Art.34 identification number attribution and NANDO listing. The pipeline runs: Art.27 positive assessment → Art.28 notification to Commission and Member States → Art.34 identification number assignment → NANDO publication. This pipeline makes the Commission's Art.34 publication obligation derivative of — and dependent on — the quality and completeness of Art.28 notifications submitted by Member States.
Art.34 × Art.29: Change Management in the NANDO Record
Art.29's notification change framework — suspension, restriction, withdrawal by notifying authorities; Commission challenge under Art.29(3); reinstatement following remediation — generates the category of changes that Art.34's Member State communication obligation exists to transmit. Every Art.29 action that modifies the legal status of an existing notification must flow through the Art.34 communication and update mechanism to be reflected in the publicly accessible NANDO record.
The Art.29 → Art.34 pipeline creates a traceability requirement. If a market surveillance authority discovers a conformity assessment certificate issued by a notified body whose notification was suspended before the certificate issuance date, it can use the NANDO audit trail to determine: when the suspension was communicated to the Commission, when the NANDO database was updated, and whether there is a gap between the suspension decision and the NANDO update that might affect the legal position of the certificate and the provider that relied on it.
For notified bodies, this means that an Art.29 action — especially suspension — has immediate commercial consequences beyond the operational restriction itself. Once the NANDO database reflects the suspension, providers in the market can see it in real time. Providers who had engaged the suspended body for pending conformity assessments must decide whether to proceed (if the suspension is partial and does not cover their specific assessment type) or to engage an alternative body. Certificates that were in preparation at the time of suspension require legal analysis as to their validity.
What AI Providers Must Verify Before Engaging a Notified Body
Art.34's transparency framework creates practical verification obligations for providers of high-risk AI systems that require third-party conformity assessment under Art.43. Before engaging a notified body, providers should verify:
Current NANDO status: The body must appear in the NANDO database as currently notified — not suspended, restricted in a way that excludes the provider's system type, or withdrawn. The Art.34 identification number provides a precise search key.
Scope alignment: The body's NANDO listing must cover the specific high-risk AI system category under Annex III that applies to the provider's system. A body notified for high-risk AI systems in the area of employment and worker management (Annex III, point 4) cannot lawfully issue a certificate for a high-risk AI system in the area of administration of justice (Annex III, point 8) simply because both are high-risk categories.
Procedure coverage: The body's notification must cover the specific conformity assessment procedure that applies to the provider's system — either the Annex VI third-party assessment procedure or the Annex VII quality management system assessment procedure, depending on which procedure the provider proposes to follow.
Identification number consistency: When the notified body issues the conformity assessment certificate, the identification number on the certificate must match the NANDO-listed identification number for that body. A mismatch is not merely an administrative error — it is a certificate integrity issue that market surveillance authorities will investigate.
Status monitoring through the engagement: NANDO status should be re-verified at key points during the conformity assessment engagement — not only before the engagement begins. An Art.29 action during the assessment period could affect the legal validity of the resulting certificate.
import urllib.request
import json
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional
@dataclass
class NotifiedBodyRecord:
"""Art.34 notified body NANDO record representation."""
identification_number: str
legal_name: str
member_state: str
notifying_authority: str
notified_activities: list[str]
status: str # "active", "suspended", "restricted", "withdrawn"
notification_date: str
last_status_change: Optional[str] = None
status_change_reason: Optional[str] = None
@dataclass
class VerificationResult:
"""Result of Art.34-based pre-engagement verification."""
body_id: str
verification_date: str
nando_found: bool
status_active: bool
scope_match: bool
procedure_covered: bool
issues: list[str] = field(default_factory=list)
recommendations: list[str] = field(default_factory=list)
@property
def verification_passed(self) -> bool:
return self.nando_found and self.status_active and self.scope_match and self.procedure_covered
class NotifiedBodyVerifier:
"""
Art.34 compliance verification for AI providers engaging notified bodies.
Validates that a proposed notified body engagement meets Art.34 transparency
requirements: NANDO listing, identification number assignment, scope alignment,
and procedure coverage.
Usage: verify before engaging, re-verify at certificate issuance.
"""
NANDO_BASE_URL = "https://ec.europa.eu/growth/tools-databases/nando/"
# Annex III high-risk categories (Art.34 scope alignment check)
ANNEX_III_CATEGORIES = {
"1a": "Biometric identification and categorisation (real-time remote)",
"1b": "Biometric identification and categorisation (post-remote)",
"2a": "Critical infrastructure safety components",
"3a": "Education and vocational training assessment",
"4a": "Employment, worker management, self-employment access",
"5a": "Essential private services and public benefits",
"6a": "Law enforcement — individual risk assessment",
"6b": "Law enforcement — polygraphs",
"6c": "Law enforcement — deep fake detection",
"6d": "Law enforcement — crime analytics",
"6e": "Law enforcement — facial recognition databases",
"7a": "Migration, asylum, border control",
"7b": "Migration — lie detection",
"7c": "Migration — risk assessment",
"8a": "Administration of justice — judicial assistance",
"8b": "Administration of justice — alternative dispute resolution",
}
def verify_pre_engagement(
self,
body_record: NotifiedBodyRecord,
system_category: str,
proposed_procedure: str, # "annex_vi" or "annex_vii"
) -> VerificationResult:
"""
Art.34 pre-engagement verification for high-risk AI providers.
Checks NANDO status, scope, and procedure before engaging a notified body.
"""
result = VerificationResult(
body_id=body_record.identification_number,
verification_date=datetime.now().strftime("%Y-%m-%d"),
nando_found=True, # Record provided implies NANDO lookup succeeded
status_active=body_record.status == "active",
scope_match=False,
procedure_covered=False,
)
# Status check
if body_record.status != "active":
result.issues.append(
f"Notified body {body_record.identification_number} NANDO status: "
f"'{body_record.status}'. Engagement not permissible until "
f"status restored to active."
)
if body_record.status_change_reason:
result.issues.append(f"Status change reason: {body_record.status_change_reason}")
result.recommendations.append(
"Monitor NANDO for status restoration before re-engaging."
)
# Scope alignment check
if system_category in self.ANNEX_III_CATEGORIES:
category_desc = self.ANNEX_III_CATEGORIES[system_category]
scope_matched = any(
system_category in activity or category_desc.lower() in activity.lower()
for activity in body_record.notified_activities
)
result.scope_match = scope_matched
if not scope_matched:
result.issues.append(
f"System category '{system_category}' ({category_desc}) not found "
f"in body's NANDO-listed notified activities: "
f"{body_record.notified_activities}"
)
result.recommendations.append(
"Identify a notified body with explicit NANDO scope coverage "
f"for Annex III category {system_category}."
)
else:
result.issues.append(
f"Unknown system category '{system_category}'. "
f"Verify against current Annex III category list."
)
# Procedure coverage check
procedure_desc = (
"Annex VI third-party conformity assessment"
if proposed_procedure == "annex_vi"
else "Annex VII quality management system assessment"
)
procedure_matched = any(
proposed_procedure.replace("_", " ") in activity.lower()
or ("annex vi" in activity.lower() and proposed_procedure == "annex_vi")
or ("annex vii" in activity.lower() and proposed_procedure == "annex_vii")
for activity in body_record.notified_activities
)
result.procedure_covered = procedure_matched
if not procedure_matched:
result.issues.append(
f"Proposed procedure '{procedure_desc}' not covered in NANDO listing. "
f"Body's activities: {body_record.notified_activities}"
)
result.recommendations.append(
f"Confirm with the notified body whether {procedure_desc} "
f"is within their actual notified scope before proceeding."
)
return result
def generate_verification_report(
self,
result: VerificationResult,
body_name: str,
) -> str:
"""Generate Art.34 pre-engagement verification report for compliance file."""
status = "PASSED" if result.verification_passed else "FAILED"
lines = [
f"=== Art.34 Pre-Engagement Verification Report ===",
f"Date: {result.verification_date}",
f"Body: {body_name} (ID: {result.body_id})",
f"Overall Status: {status}",
f"",
f"Checks:",
f" NANDO Found: {'YES' if result.nando_found else 'NO'}",
f" Status Active: {'YES' if result.status_active else 'NO'}",
f" Scope Match: {'YES' if result.scope_match else 'NO'}",
f" Procedure Covered: {'YES' if result.procedure_covered else 'NO'}",
]
if result.issues:
lines += ["", "Issues:"]
for issue in result.issues:
lines.append(f" - {issue}")
if result.recommendations:
lines += ["", "Recommendations:"]
for rec in result.recommendations:
lines.append(f" - {rec}")
lines += [
"",
"Art.34 Obligation: Keep this report in the technical documentation.",
"Re-verify NANDO status at certificate issuance.",
]
return "\n".join(lines)
NANDO in Practice: What the Art.34 List Contains
For practitioners working with the EU AI Act's conformity assessment framework, the NANDO database is the operational implementation of Art.34. The database is publicly accessible through the European Commission's website and can be searched by notified body name, country, activity, or — most precisely — identification number.
A typical NANDO listing for an EU AI Act notified body includes:
Body identity: The legal entity name under which the body is designated. Where the body has changed its corporate name since notification, the current name and any historical names may be reflected in the record.
Identification number: The Art.34 identification number, which is a numeric string assigned by the Commission. This number is the canonical reference for the body in any certificate it issues.
Notifying Member State: The country whose national notifying authority is responsible for the body's designation. This determines which national authority has the Art.29 powers of supervision, suspension, restriction, and withdrawal relative to the body.
Notifying authority: The specific national competent authority — typically a national standardisation or accreditation body or a designated market surveillance authority — that carried out the Art.27 assessment and issued the notification.
Notified activities: The specific conformity assessment activities the body is authorised to carry out, mapped to the relevant directive or regulation (in this case, the EU AI Act), the relevant Annexes (Annex VI and/or Annex VII), and the relevant Annex III high-risk categories.
Notification status and dates: The date of the initial notification, current status (active, suspended, restricted, withdrawn), and dates of any status changes.
The Identification Number in Certificates and Market Surveillance
When a notified body issues a conformity assessment certificate under the EU AI Act, the certificate must identify the issuing body in a way that enables verification. The Art.34 identification number is the mechanism for this verification link. A conformity assessment certificate that references the body's identification number can be verified against the NANDO database in seconds, establishing: whether the body was legitimately notified at the certificate issuance date, whether the certificate activity falls within the body's notified scope, and whether the body's notification has subsequently been suspended or withdrawn in ways that might affect the certificate's ongoing validity.
For market surveillance authorities carrying out product compliance checks under the EU AI Act's Chapter VII market surveillance framework, the identification number is a first-line verification tool. Where a high-risk AI system is presented with a conformity assessment certificate, the authority can:
- Extract the notified body identification number from the certificate
- Query NANDO for the body's current and historical status
- Verify that the body was actively notified for the relevant Annex III category at the time the certificate was issued
- Verify that the certificate activity falls within the body's notified scope
- Determine whether any subsequent Art.29 action has affected the body's status
An identification number mismatch — where the number on the certificate does not correspond to any NANDO record, or corresponds to a body that was not notified for the relevant activity at the certificate issuance date — is a significant market surveillance finding that may trigger investigation of both the certificate and the AI system it purports to cover.
Art.34 Compliance Matrix
| Obligation | Holder | Trigger | Output |
|---|---|---|---|
| Assign identification number | Commission | Art.28 notification received | Unique ID assigned, NANDO record created |
| Publish notified bodies list | Commission | Ongoing — real-time NANDO maintenance | Publicly accessible NANDO database |
| Communicate new notification | Member State | Art.27 positive assessment + designation | Art.28 notification to Commission + Art.34 NANDO entry |
| Communicate notification change | Member State | Art.29 suspension/restriction/withdrawal | Commission updates NANDO record |
| Communicate notification reinstatement | Member State | Art.29 remediation completed | Commission updates NANDO status to active |
| Verify NANDO status before engagement | AI provider | Pre-engagement due diligence | Verification record in technical documentation |
| Reference identification number in certificate | Notified body | Certificate issuance | Certificate contains Art.34 ID number |
| Verify ID number match | Market surveillance | Compliance check of high-risk AI system | Certificate validation record |
The NANDO Database and the Single Market
Art.34's publication obligation serves the single market function that underlies the entire EU AI Act conformity assessment framework. The EU AI Act is a regulation — directly applicable across all Member States without transposition — and the conformity assessment certificates issued by notified bodies under the Act create market access rights that are valid across the single market, not merely within the notifying Member State's territory.
This cross-border validity depends on the cross-border legibility that Art.34 enables. A conformity assessment certificate issued by a German-notified body, bearing a Commission-attributed identification number, can be read and verified by a market surveillance authority in Spain, France, or any other Member State by querying the Commission-maintained NANDO database. The Art.34 framework prevents a situation where national notified body registries operate independently, creating information asymmetries that would effectively partition the conformity assessment market.
The Commission's role as the Art.34 publication authority — rather than delegating publication to a network of national databases — reflects this single market rationale. One authoritative database, maintained by the supranational institution responsible for the Act's implementation, creates a level of reliability and accessibility that a coordinated network of national registries could not consistently achieve.
Art.34 Compliance Checklist (24 Items)
For Notified Bodies:
- Confirm Art.34 identification number has been received from Commission following Art.28 notification
- Verify NANDO entry accurately reflects body's legal name as currently registered
- Verify NANDO entry accurately reflects notified activities scope
- Verify NANDO entry accurately reflects notifying authority
- Include Art.34 identification number on all conformity assessment certificates issued
- Include Art.34 identification number on all internal quality management references to the body's notification status
- Notify notifying authority immediately of any change that may affect NANDO accuracy (name change, scope change request, resource deficiency)
- Verify NANDO entry following any notifying authority communication to the Commission
For AI Providers Engaging Notified Bodies:
- Conduct NANDO lookup using body's Art.34 identification number before engagement
- Verify NANDO status is "active" — not suspended, restricted, or withdrawn
- Verify NANDO scope covers the specific Annex III category of the provider's high-risk AI system
- Verify NANDO scope covers the specific procedure (Annex VI or Annex VII) the provider proposes to follow
- Document NANDO verification result in technical documentation file
- Retain screenshot or download of NANDO record as of verification date
- Re-verify NANDO status at engagement contract signature
- Re-verify NANDO status at certificate issuance
- Verify Art.34 identification number on received certificate matches NANDO database record
- Monitor NANDO status for any changes during post-certification product lifecycle
For Notifying Authorities:
- Communicate new notifications to Commission promptly following designation — do not delay Art.34 NANDO publication
- Communicate all Art.29 changes (suspensions, restrictions, withdrawals) to Commission without delay
- Communicate reinstatements to Commission once Art.29 remediation is confirmed
- Verify NANDO reflects current notification status before confirming to any third party that a body is "actively notified"
- Maintain record of all Art.34-triggering communications to Commission with timestamps
- Include NANDO verification step in ongoing Art.33 monitoring protocol for designated bodies
Conclusion
Art.34 is the connective tissue of the EU AI Act's notified body framework. Without the Commission-maintained NANDO list, without the unique identification numbers that tie each certificate to a specific designated body, and without the Member State obligation to communicate notification changes in real time, the Article's substantive requirements for designation eligibility, operational obligations, and supervisory powers would operate without the transparency infrastructure needed to make them meaningful in practice.
For AI providers, Art.34 means that verifying a notified body's legitimacy is always possible — and always required. The NANDO database provides the information; Art.34 provides the legal obligation to consult it and to treat the result as the authoritative statement of a body's notification status. For notified bodies, the identification number is both a credential and a compliance anchor: every certificate, every internal reference, and every external communication must reflect it accurately. For notifying authorities, the communication obligation is the mechanism by which the Art.29 oversight function reaches its full market-wide effect. And for the Commission, Art.34 is the obligation that makes the single market rationale of the EU AI Act's conformity assessment framework operational.