EU AI Act Art.35: Conformity Assessment Procedure for High-Risk AI Systems — Internal Control, Third-Party Assessment, and Notified Body Selection (2026)
Article 35 of the EU AI Act answers one of the most consequential practical questions that providers of high-risk AI systems must resolve before market access: which conformity assessment procedure do I need to follow, and does my system require external review by a notified body or can I self-certify through an internal quality management process? The answer depends on where the system sits in the EU AI Act's classification architecture — specifically, whether it falls under Annex I (AI systems embedded in products regulated by existing EU product safety legislation) or Annex III (stand-alone high-risk AI systems listed by category), and whether it performs biometric identification. Getting this determination wrong is not a minor administrative error: placing a system on the market without completing the correct conformity assessment procedure constitutes a violation that national market surveillance authorities can respond to with withdrawal orders, corrective measures, and administrative fines.
Art.35 creates the procedural gateway that connects the substantive high-risk AI requirements of Arts.8–15 (covering risk management, data governance, technical documentation, transparency, accuracy, robustness, and cybersecurity) to the market access rights that flow from a completed conformity assessment. Providers that satisfy the Arts.8–15 requirements but have not completed the Art.35 conformity assessment in accordance with the applicable procedure are not legally permitted to affix CE marking under Art.48 or issue the EU declaration of conformity required by Art.47. Art.35 is thus the bridge between building a compliant system and being authorised to sell it in the EU single market.
The Position of Art.35 in the Conformity Assessment Framework
Art.35 appears in Chapter III, Section 5 of the EU AI Act, which governs standards, conformity assessment, certificates, and registration. Its position immediately after the notified body chapter (Section 4, Arts.27–34) is deliberate: Section 4 establishes who notified bodies are, what qualifications they must have, and how they are designated and registered in NANDO; Art.35 then establishes when those bodies must be involved in the conformity assessment and what that involvement must produce.
The broader Section 5 architecture surrounding Art.35:
- Art.35: Conformity assessment procedure — the foundational procedural requirement
- Art.36: Harmonised standards that define presumption-of-conformity pathways
- Art.37: Common specifications issued by Commission when harmonised standards are absent or inadequate
- Art.38: Technical documentation supporting the conformity assessment
- Art.39: Automatic recognition of conformity assessments conducted in third countries with which the EU has mutual recognition agreements
- Art.40: Third-party conformity assessment under notified body involvement for specific categories
- Art.43: The detailed conformity assessment procedures referenced by Art.35
- Art.44: Certificates issued by notified bodies following third-party assessment
- Art.47: EU declaration of conformity — the provider's legal statement of compliance
- Art.48: CE marking — the physical or digital conformity mark affixed to the system
- Art.49: EU database registration — the registration obligation in EUAIS (EU AI systems database)
Two Conformity Assessment Tracks Under Art.35
Art.35 establishes two distinct procedural tracks for conformity assessment, differentiated by the type of high-risk AI system:
Track A: Third-Party Notified Body Assessment (Annex I Systems)
High-risk AI systems covered by Annex I — systems that are safety components of or are themselves products subject to existing EU product safety legislation such as the Machinery Regulation, the Radio Equipment Directive, the General Product Safety Regulation, or the Medical Devices Regulation — must undergo conformity assessment by a notified body. This requirement reflects the pre-existing regulatory logic of those sectoral frameworks: the sectoral legislation already required notified body involvement for the physical products concerned, and the AI Act extends that logic to the AI system component where it constitutes a safety-relevant element.
Under Track A, the notified body must assess whether the AI system's design, development process, and technical documentation satisfy the Arts.8–15 requirements. The body reviews the provider's quality management system (QMS), technical documentation, risk management file, data governance procedures, post-market monitoring plan, and accuracy benchmarks. If the assessment is satisfactory, the body issues an AI quality management system certificate and/or an AI technical documentation assessment certificate.
The certificates are valid for an initial period set by the notified body, subject to ongoing surveillance. The body retains the right to conduct unannounced audits during the certificate validity period and must suspend or withdraw the certificate if the provider ceases to meet the requirements. Suspension or withdrawal triggers the provider's Art.29 notification obligations and causes NANDO to be updated under Art.34 procedures.
Track B: Internal Control Self-Assessment (Annex III Systems Without Biometric Identification)
High-risk AI systems listed in Annex III — the stand-alone category list covering areas such as biometric categorisation, critical infrastructure, education, employment, essential private and public services, law enforcement, migration and asylum management, and administration of justice — may, with one critical exception, follow an internal control conformity assessment. Under internal control, the provider prepares the required technical documentation, implements a quality management system meeting the Art.17 requirements, assesses compliance with Arts.8–15, and issues the EU declaration of conformity on its own authority without external notified body review.
The critical exception is biometric identification: Annex III systems that perform real-time or post-remote biometric identification of natural persons in publicly accessible spaces are subject to third-party notified body assessment under Track A rules, even though they fall under Annex III rather than Annex I. This reflects the EU legislator's judgment that biometric identification poses sufficiently serious risks to fundamental rights — particularly non-discrimination and privacy — that internal self-certification cannot provide adequate assurance.
Commission Authority to Mandate Third-Party Assessment
Art.35 also grants the Commission authority to mandate third-party notified body assessment for specific Annex III system categories through implementing acts, even for systems that would otherwise qualify for internal control. This authority allows the Commission to respond to emerging evidence of systematic compliance failures, novel risk patterns, or inadequate internal assessment practices in specific sectors without requiring a full legislative amendment. Providers in sectors where the Commission has exercised this authority must identify and engage a notified body under the same procedures that apply to Track A systems.
The Art.35 × Art.43 Procedural Linkage
Art.35 establishes which conformity assessment track applies; Art.43 specifies the detailed procedure that must be followed within each track. The two articles work in tandem and cannot be read in isolation.
Art.43 prescribes the specific procedural steps for:
- Third-party assessment: the notified body's quality management system review, technical documentation assessment, surveillance audit obligations, and certificate issuance and update procedures
- Internal control: the provider's documentation obligations, QMS implementation requirements, self-assessment protocol, and declaration of conformity format
Providers must identify both their applicable Art.35 track and the specific Art.43 procedure within that track before beginning their conformity assessment. Starting documentation preparation without confirming the Art.43 procedure creates the risk of preparing documentation that satisfies the wrong procedure, requiring rework that can delay market entry by months.
Annex I vs. Annex III: The Decision Tree
The threshold question for every provider of a system classified as high-risk under Art.6 is whether the system falls under Annex I or Annex III. The answer determines the conformity assessment track.
Step 1: Is the system a safety component of, or itself, a product regulated by existing EU product safety legislation listed in Annex I?
Annex I currently references eight sectoral legislative instruments: the Machinery Regulation, the Radio Equipment Directive, the General Product Safety Regulation, the Pressure Equipment Directive, recreational craft and personal watercraft legislation, civil aviation safety regulation, automotive safety regulation, and the Medical Devices Regulation and In Vitro Diagnostic Medical Devices Regulation. If the high-risk AI system is embedded in a product covered by any of these instruments and the AI system constitutes a safety component of that product, Annex I applies and Track A (notified body) is mandatory.
Step 2: If Annex I does not apply, does the system fall within one of the eight categories listed in Annex III?
Annex III covers: (1) biometric systems, (2) critical infrastructure management, (3) education and vocational training, (4) employment and workers management, (5) access to essential private and public services and benefits, (6) law enforcement, (7) migration, asylum and border control management, and (8) administration of justice and democratic processes. Classification requires careful review of the Annex III category descriptions and any Commission guidelines on interpretation.
Step 3: If the system falls under Annex III, does it perform biometric identification of natural persons in publicly accessible spaces?
If yes, Track A (notified body) applies regardless of which Annex III category the system falls under. If no, Track B (internal control) is available unless the Commission has issued an implementing act mandating third-party assessment for the relevant category.
Step 4: Check for Commission implementing acts mandating third-party assessment
Search the EU Official Journal for any implementing acts adopted under Art.35 that apply to the relevant system category. This check must be repeated at regular intervals because the Commission can adopt new implementing acts without amending the AI Act itself.
Selecting and Engaging a Notified Body for Track A Assessment
Providers that must undergo Track A third-party assessment need to identify a notified body that holds NANDO-listed designation for the specific type of AI system assessment required. The selection process has several layers:
Scope verification: Confirm that the notified body's NANDO entry covers the specific Annex I product category or the relevant AI Act assessment activity. A notified body designated for medical device conformity assessment is not automatically designated for AI Act assessment, even if the product concerned is a medical device incorporating an AI system. Both designations must be present.
Identification number confirmation: Verify the notified body's Art.34 identification number in NANDO and confirm that the number remains active — not suspended, restricted, or withdrawn under Art.29 procedures. An identification number that was valid at the time of contract signature may be suspended before the assessment is completed, creating a situation where the assessment result lacks legal standing.
Geographic and language capacity: Consider whether the notified body can conduct audits at the provider's development and manufacturing sites, whether the body's staff have capacity to assess systems in the relevant technical domain, and whether communication can be conducted in a language compatible with the provider's technical documentation.
Certificate validity planning: Understand the body's standard certificate validity period and surveillance audit schedule before signing the assessment contract. Certificate expiry during a product's commercial lifecycle requires reassessment, and surveillance audits require resource allocation for document updates and site access.
Multi-regulation bodies: For Annex I systems already subject to sectoral conformity assessment requirements, consider whether the same notified body can conduct both the sectoral assessment (e.g., under the Medical Devices Regulation) and the EU AI Act assessment. Using a single body reduces documentation duplication and audit scheduling complexity, though it is not legally required.
Documentation Requirements for Both Tracks
Regardless of which track applies, providers must prepare technical documentation that satisfies the requirements of Annex IV of the EU AI Act. The documentation must:
- Describe the general characteristics, capabilities, and limitations of the AI system
- Describe the algorithms, training methodologies, and training data used
- Include the results of testing and validation performed
- Document the risk management system implemented under Art.9
- Include the post-market monitoring plan required by Art.72
- Describe quality management system procedures and controls
- Document the measures taken to achieve accuracy, robustness, and cybersecurity
For Track A (notified body) assessment, this documentation is provided to the notified body as the primary input to its review. The body will request supplementary information and may conduct on-site audits of development facilities, data pipelines, and quality management implementation.
For Track B (internal control), the documentation must be retained by the provider for at least 10 years after the system is placed on the market and must be made available to national competent authorities on request.
The Conformity Assessment Timeline and Market Entry Sequence
The Art.35 conformity assessment must be completed before the provider:
- Affixes CE marking under Art.48
- Issues the EU declaration of conformity under Art.47
- Places the system on the EU market or puts it into service in the EU
The sequence is:
- Complete the conformity assessment (Art.35 track determination → Art.43 procedure execution)
- Register the system in the EUAIS EU database under Art.49
- Issue the EU declaration of conformity (Art.47)
- Affix CE marking (Art.48)
- Begin market placement or service operation
Providers that skip or abbreviate the conformity assessment sequence and place the system on the market without completing these steps are subject to market surveillance enforcement under Chapter VII, including withdrawal orders, fines, and publication of enforcement decisions.
Post-Certification Obligations
Completing the Art.35 conformity assessment does not exhaust the provider's compliance obligations. Several post-certification requirements activate upon market entry:
Substantial modification: If the provider makes a substantial modification to the high-risk AI system after market entry — a modification that changes the system's performance, purpose, or risk profile — a new conformity assessment must be conducted for the modified version before the modified system is placed on the market or put into service. What constitutes a "substantial modification" is defined in Art.6(4) and must be assessed against the baseline established in the original conformity assessment.
Post-market monitoring: Art.72 requires providers to actively monitor the performance of deployed systems, collect data from operators and deployers, and update the risk management system and technical documentation in response to monitoring findings. The conformity assessment certificate or documentation must be updated to reflect material changes identified through monitoring.
Incident reporting: Art.73 requires providers to report serious incidents involving high-risk AI systems to market surveillance authorities. Incidents that reveal a systemic failure in the Art.35 conformity assessment — for example, a testing deficiency that allowed a materially non-compliant system to pass assessment — must be reported and may trigger reassessment obligations.
Certificate maintenance (Track A): Providers holding notified body certificates must cooperate with the body's ongoing surveillance audits, provide updated documentation when the system or its development processes change, and notify the body of any changes that may affect compliance. Failure to cooperate with surveillance audits can lead to certificate suspension.
Art.35 × Art.6: The High-Risk Classification Gateway
Art.35 applies only to systems that have been classified as high-risk under Art.6. Art.6 establishes the classification rules: systems listed in Annex I are high-risk per se; systems listed in Annex III are high-risk unless the Commission has determined through implementing act that a specific Annex III category or system does not pose significant risk. A provider that has not first confirmed its system's high-risk classification under Art.6 cannot correctly determine its Art.35 conformity assessment obligations.
The Art.6 and Art.35 analyses must be conducted in sequence, not in parallel. Beginning Art.35 documentation preparation before completing the Art.6 classification analysis creates wasted effort when the Art.6 analysis reveals that the system is not high-risk and Art.35 does not apply.
Python Implementation: ConformityAssessmentPathFinder
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import datetime
class AnnexClassification(Enum):
ANNEX_I = "annex_i_product_safety"
ANNEX_III = "annex_iii_standalone"
NOT_HIGH_RISK = "not_high_risk"
UNCLEAR = "unclear"
class AssessmentTrack(Enum):
TRACK_A_THIRD_PARTY = "track_a_notified_body"
TRACK_B_INTERNAL_CONTROL = "track_b_internal_control"
NOT_APPLICABLE = "not_applicable"
@dataclass
class ConformityAssessmentDetermination:
system_name: str
annex_classification: AnnexClassification
performs_biometric_identification: bool
commission_implementing_act_applies: bool
assessment_track: AssessmentTrack
notified_body_required: bool
reasoning: list[str] = field(default_factory=list)
documentation_requirements: list[str] = field(default_factory=list)
determination_date: str = field(
default_factory=lambda: datetime.date.today().isoformat()
)
class ConformityAssessmentPathFinder:
"""
EU AI Act Art.35 conformity assessment track determination.
Implements the decision logic for selecting the correct conformity
assessment procedure under Art.35 and Art.43 of Reg. (EU) 2024/1689.
"""
ANNEX_I_SECTORS = [
"machinery_regulation",
"radio_equipment_directive",
"general_product_safety_regulation",
"pressure_equipment_directive",
"recreational_craft_legislation",
"civil_aviation_safety",
"automotive_safety",
"medical_devices_regulation",
"in_vitro_diagnostic_devices",
]
ANNEX_III_CATEGORIES = [
"biometric_categorisation",
"critical_infrastructure",
"education_vocational_training",
"employment_workers_management",
"essential_services_benefits",
"law_enforcement",
"migration_asylum_border",
"justice_democratic_processes",
]
def __init__(self, system_name: str):
self.system_name = system_name
self._reasoning: list[str] = []
def determine_assessment_track(
self,
annex_i_sector: Optional[str] = None,
annex_iii_category: Optional[str] = None,
performs_biometric_identification: bool = False,
commission_implementing_act_applies: bool = False,
) -> ConformityAssessmentDetermination:
"""
Determine the Art.35 conformity assessment track for a high-risk AI system.
Args:
annex_i_sector: If the system is a safety component in an Annex I product,
the relevant product safety legislation sector.
annex_iii_category: If the system falls under a stand-alone Annex III
category, the relevant category identifier.
performs_biometric_identification: True if the system performs real-time
or post-remote biometric identification
in publicly accessible spaces.
commission_implementing_act_applies: True if a Commission implementing act
has mandated third-party assessment for
the relevant Annex III category.
"""
self._reasoning = []
# Step 1: Determine Annex classification
annex_classification, classification_reasoning = self._classify_annex(
annex_i_sector, annex_iii_category
)
self._reasoning.extend(classification_reasoning)
if annex_classification == AnnexClassification.NOT_HIGH_RISK:
return self._build_result(
annex_classification,
performs_biometric_identification,
commission_implementing_act_applies,
AssessmentTrack.NOT_APPLICABLE,
notified_body_required=False,
)
# Step 2: Determine assessment track
track, track_reasoning = self._determine_track(
annex_classification,
performs_biometric_identification,
commission_implementing_act_applies,
)
self._reasoning.extend(track_reasoning)
return self._build_result(
annex_classification,
performs_biometric_identification,
commission_implementing_act_applies,
track,
notified_body_required=(track == AssessmentTrack.TRACK_A_THIRD_PARTY),
)
def _classify_annex(
self,
annex_i_sector: Optional[str],
annex_iii_category: Optional[str],
) -> tuple[AnnexClassification, list[str]]:
reasoning = []
if annex_i_sector:
if annex_i_sector in self.ANNEX_I_SECTORS:
reasoning.append(
f"System is a safety component in an Annex I product "
f"({annex_i_sector}). Annex I classification confirmed."
)
return AnnexClassification.ANNEX_I, reasoning
else:
reasoning.append(
f"Sector '{annex_i_sector}' is not listed in Annex I. "
f"Check against current Annex I text before concluding."
)
if annex_iii_category:
if annex_iii_category in self.ANNEX_III_CATEGORIES:
reasoning.append(
f"System falls under Annex III category: {annex_iii_category}."
)
return AnnexClassification.ANNEX_III, reasoning
else:
reasoning.append(
f"Category '{annex_iii_category}' is not in Annex III. "
f"Verify classification under Art.6."
)
reasoning.append(
"No Annex I sector or Annex III category provided. "
"Classification unclear — complete Art.6 analysis before proceeding."
)
return AnnexClassification.UNCLEAR, reasoning
def _determine_track(
self,
annex_classification: AnnexClassification,
performs_biometric_identification: bool,
commission_implementing_act_applies: bool,
) -> tuple[AssessmentTrack, list[str]]:
reasoning = []
if annex_classification == AnnexClassification.ANNEX_I:
reasoning.append(
"Annex I system requires Track A (third-party notified body) "
"assessment under Art.35(1)."
)
return AssessmentTrack.TRACK_A_THIRD_PARTY, reasoning
# Annex III
if performs_biometric_identification:
reasoning.append(
"System performs biometric identification in publicly accessible spaces. "
"Track A (third-party notified body) mandatory for Annex III biometric "
"systems under Art.35(1) exception."
)
return AssessmentTrack.TRACK_A_THIRD_PARTY, reasoning
if commission_implementing_act_applies:
reasoning.append(
"Commission implementing act mandates third-party assessment for this "
"Annex III category. Track A applies despite internal control default."
)
return AssessmentTrack.TRACK_A_THIRD_PARTY, reasoning
reasoning.append(
"Annex III system without biometric identification and no Commission "
"implementing act override. Track B (internal control self-assessment) "
"applies under Art.35(1) second subparagraph."
)
return AssessmentTrack.TRACK_B_INTERNAL_CONTROL, reasoning
def _build_result(
self,
annex_classification: AnnexClassification,
performs_biometric_identification: bool,
commission_implementing_act_applies: bool,
track: AssessmentTrack,
notified_body_required: bool,
) -> ConformityAssessmentDetermination:
doc_requirements = self._get_documentation_requirements(track)
return ConformityAssessmentDetermination(
system_name=self.system_name,
annex_classification=annex_classification,
performs_biometric_identification=performs_biometric_identification,
commission_implementing_act_applies=commission_implementing_act_applies,
assessment_track=track,
notified_body_required=notified_body_required,
reasoning=list(self._reasoning),
documentation_requirements=doc_requirements,
)
def _get_documentation_requirements(
self, track: AssessmentTrack
) -> list[str]:
base = [
"Technical documentation (Annex IV) — system characteristics, algorithms, training data",
"Risk management system documentation (Art.9)",
"Data governance procedures (Art.10)",
"Post-market monitoring plan (Art.72)",
"Quality management system documentation (Art.17)",
]
if track == AssessmentTrack.TRACK_A_THIRD_PARTY:
base.extend([
"Notified body assessment application and supporting materials",
"Site audit preparation documentation",
"Certificate surveillance cooperation procedures",
])
elif track == AssessmentTrack.TRACK_B_INTERNAL_CONTROL:
base.extend([
"Internal self-assessment record",
"Declaration of conformity (Art.47) draft",
"10-year document retention plan",
])
return base
# Usage example
if __name__ == "__main__":
# Scenario 1: Medical device AI system (Annex I)
finder_medical = ConformityAssessmentPathFinder("DiagnosticAI v3.2")
result_medical = finder_medical.determine_assessment_track(
annex_i_sector="medical_devices_regulation",
performs_biometric_identification=False,
)
print(f"System: {result_medical.system_name}")
print(f"Track: {result_medical.assessment_track.value}")
print(f"Notified Body Required: {result_medical.notified_body_required}")
for r in result_medical.reasoning:
print(f" - {r}")
print()
# Scenario 2: Employment screening AI (Annex III, no biometrics)
finder_hr = ConformityAssessmentPathFinder("HireScore AI")
result_hr = finder_hr.determine_assessment_track(
annex_iii_category="employment_workers_management",
performs_biometric_identification=False,
commission_implementing_act_applies=False,
)
print(f"System: {result_hr.system_name}")
print(f"Track: {result_hr.assessment_track.value}")
print(f"Notified Body Required: {result_hr.notified_body_required}")
for r in result_hr.reasoning:
print(f" - {r}")
print()
# Scenario 3: Biometric identification system (Annex III, biometrics)
finder_biometric = ConformityAssessmentPathFinder("FaceGate Security")
result_biometric = finder_biometric.determine_assessment_track(
annex_iii_category="law_enforcement",
performs_biometric_identification=True,
)
print(f"System: {result_biometric.system_name}")
print(f"Track: {result_biometric.assessment_track.value}")
print(f"Notified Body Required: {result_biometric.notified_body_required}")
Art.35 Conformity Assessment Track Selection Matrix
| System Type | Annex | Biometric ID | Commission IA | Track | Notified Body |
|---|---|---|---|---|---|
| Medical device AI safety component | I | No | N/A | A | Required |
| Machinery AI safety component | I | No | N/A | A | Required |
| Automotive AI safety component | I | No | N/A | A | Required |
| Real-time facial recognition — law enforcement | III | Yes | N/A | A | Required |
| Post-remote biometric ID — border control | III | Yes | N/A | A | Required |
| Credit scoring AI — essential services | III | No | No | B | Not required |
| Employment screening AI | III | No | No | B | Not required |
| Education assessment AI | III | No | No | B | Not required |
| Critical infrastructure AI | III | No | No | B | Not required |
| Any Annex III — Commission IA mandates 3rd party | III | No | Yes | A | Required |
| System not classified as high-risk under Art.6 | N/A | N/A | N/A | None | Not applicable |
26-Item Provider Checklist for Art.35 Compliance
Phase 1: Classification (before assessment)
- Confirm high-risk classification under Art.6 and determine which Annex (I or III) applies
- For Annex I: identify the specific EU product safety legislation covering the product and confirm the AI system is a safety component
- For Annex III: identify the specific Annex III category and review any Commission guidelines on category scope
- Assess whether the system performs real-time or post-remote biometric identification in publicly accessible spaces
- Search the EU Official Journal for any Commission implementing acts mandating third-party assessment for the relevant Annex III category
- Document the Art.6 and Art.35 classification analysis in a formal determination record signed by responsible personnel
Phase 2: Track A preparation (if notified body required)
- Generate NANDO scope requirements: identify the assessment activity type and required notified body designation
- Verify Art.34 identification numbers for candidate notified bodies in NANDO
- Confirm NANDO listing is current and not suspended, restricted, or withdrawn under Art.29
- Obtain evidence of the notified body's specific designation for AI Act assessment activities
- Evaluate candidate bodies on geographic capacity, technical domain competence, language capability, and fee structure
- Execute notified body assessment contract with defined scope, timeline, and document delivery schedule
- Prepare Art.43 technical documentation package meeting the body's specific intake requirements
- Schedule site audit readiness review at development and testing facilities
- Establish internal process for cooperating with certificate surveillance audits
Phase 3: Track B preparation (if internal control)
- Prepare Annex IV technical documentation covering all required elements
- Implement and document the Art.17 quality management system
- Conduct internal conformity assessment against Arts.8–15 requirements
- Record the self-assessment findings, gaps identified, and remediation taken
- Prepare EU declaration of conformity draft in accordance with Art.47
- Establish 10-year document retention system and access controls
Phase 4: Post-assessment obligations
- Register the system in the EUAIS EU database under Art.49 before market placement
- Issue EU declaration of conformity (Art.47) and affix CE marking (Art.48) only after assessment completion and EUAIS registration
- Implement post-market monitoring system per Art.72 before deployment
- Establish incident reporting process for Art.73 obligations
- Define substantial modification assessment trigger criteria for determining when reassessment under Art.35 is required for a modified version
See Also
- EU AI Act Art.36: Harmonised Standards and Presumption of Conformity for High-Risk AI Systems (2026) — harmonised standards define the technical compliance pathways available after Art.35 assessment track selection
- EU AI Act Art.37: Common Specifications for High-Risk AI Systems — Commission Implementing Acts as Technical Compliance Backstop (2026) — mandatory technical requirements that apply when harmonised standards are absent or inadequate
- EU AI Act Art.34: Identification Numbers and Lists of Notified Bodies — NANDO Registration and Commission Publication Framework (2026)
- EU AI Act Art.33: Number and Resources of Notified Bodies — Staffing Requirements and Technical Capacity (2026)
- EU AI Act Art.31: Operational Obligations of Notified Bodies — Assessment Procedures and Certificate Management (2026)