2026-04-16·12 min read·

EU AI Act Art.34 Procedural Obligations of Notified Bodies: Developer Guide (2026)

EU AI Act Article 34 governs how notified bodies must conduct conformity assessments of high-risk AI systems. Where Art.33 defines what a notified body must be — its accreditation status, competence profile, independence requirements — Art.34 defines what a notified body must do when a provider applies for an Annex VII assessment.

For AI system providers, Art.34 is operationally significant in two phases. First, at application time: Art.34 defines the documentation package required, the declaration obligations, and the initial completeness gate before assessment begins. Second, post-certificate: Art.34 governs the surveillance obligations that determine whether a certificate remains valid throughout a product's lifecycle and what happens when non-compliance is discovered after certification.

Art.34 procedures are triggered only for the Annex VII route — the external notified body path required for Annex III point 1 biometric identification systems in publicly accessible spaces, and optionally available for any high-risk system where the provider elects external validation over the Art.31 Annex VI internal control procedure.

Art.34 in the EU AI Act Architecture

Art.34 is the procedural counterpart to Art.33 within Chapter V (Standards, Conformity Assessment, Certificates, Registration):

Article	Scope
Art.31	Which conformity route applies — Annex VI (internal control) or Annex VII (notified body)
Art.33	Who qualifies as a notified body — accreditation, competence, independence, notification
Art.34	How notified bodies conduct assessments — applications, procedures, certificates, surveillance, suspension
Art.35	How notified bodies coordinate across Member States via the coordination group
Art.48	Provider's Declaration of Conformity (triggered by successful Art.34 assessment)
Art.49	CE marking (affixed after Art.48 Declaration issues)

A certificate issued by a notified body that does not follow Art.34 procedures is procedurally defective — even if the body is properly notified under Art.33. Developers should understand Art.34 not only to prepare for their own assessment but to evaluate whether a notified body's internal procedures are legally compliant.

Art.34(1): Application Procedure

Art.34(1) establishes the application gate: providers must submit a formal application to the notified body before assessment begins. The application must contain:

Application Component	Requirement
Provider declaration	Confirmation that no application for assessment of the same AI system has been submitted to any other notified body
Technical documentation	Full Annex IV technical documentation package
System identification	Name, version, intended purpose per Art.13 transparency requirements
Annex III category	Explicit designation of which Annex III point the system falls under
Assessment type requested	Type-examination under Annex VII Appendix 1, QMS assessment under Annex VII Appendix 2, or both

The exclusivity declaration (no prior submission to another notified body) is operationally important for providers who received a negative preliminary assessment from one notified body and are considering switching to another. Such switching is permitted, but the application must accurately disclose prior submissions. Concealing a prior rejection constitutes a material false statement in the application and creates Article 99 enforcement exposure.

SME proportionality principle: Art.34(1) requires notified bodies to apply the application procedure in a proportionate manner for SMEs. In practice, this means bodies should not require documentation formats that impose disproportionate administrative burden when the technical information can be provided in an equivalent form.

Art.34(2): Assessment Activities

Art.34(2) governs what the notified body must actually do once an application is accepted. The assessment must cover:

Documentation Review

The notified body examines the complete Annex IV technical documentation package against:

Harmonised standards — where applicable standards exist under Art.40, the body assesses whether the system meets them. A presumption of conformity attaches under Art.40(3) for documented standard compliance.
Common specifications — where the Commission has issued common specifications under Art.41, compliance with those specifications is the conformity baseline.
Notified body methodology — where neither harmonised standards nor common specifications cover the system's domain, the body applies its own methodology, which must be documented and consistent with any Art.35 coordination group guidance.

Technical Testing and Verification

Depending on system type and risk profile, the assessment may include:

Activity	Application
Review of Art.9 risk management documentation	All Annex VII assessments
Review of Art.10 training data governance records	High-risk AI systems using machine learning
Review of Art.12 logging capability	Systems with automated decision outputs
Review of Art.14 human oversight mechanisms	Systems with Art.14(4) self-monitoring obligations
Review of Art.17 QMS documentation	Full QMS assessment under Annex VII Appendix 2
Functional testing of AI system outputs	Type-examination cases where output accuracy is a conformity criterion
Audit of provider's quality management processes	Annex VII Appendix 2 QMS certificate route

Cross-Regulatory Reliance

Art.34(2) permits notified bodies to rely on the results of prior assessments conducted under other EU legislation where the scope of those assessments is relevant. Specific examples:

Medical Device Regulation (MDR/IVDR): Systems that are also medical devices and have undergone MDR notified body assessment — the AI Act notified body may rely on MDR QMS certification findings as evidence for overlapping requirements (Art.17 QMS structure, Art.9 risk management process).
Machinery Regulation (2023/1230): Safety-critical AI embedded in machinery — existing CE marking assessment under the Machinery Regulation may inform conformity assessment for overlapping safety requirements.

Cross-regulatory reliance does not eliminate AI Act assessment obligations — it means the body can avoid duplicating documented work already assessed under another EU regulation.

Art.34(3): Certificate Issuance

When Certificates Are Issued

If the assessment concludes that the high-risk AI system meets the applicable requirements, the notified body issues a conformity certificate. The EU AI Act defines two certificate types under Annex VII:

Certificate Type	Route	Triggers
EU Technical Documentation Assessment Certificate	Annex VII Appendix 1	Type-examination of the AI system itself
EU Quality Management System Certificate	Annex VII Appendix 2	Assessment of the provider's QMS

For mandatory external assessment systems (Annex III point 1 biometric), the full assessment typically requires both — QMS certificate plus EU-Type Examination Certificate.

Certificate Content Requirements

A compliant Art.34 certificate must include:

Certificate Field	Content
Issuing notified body	Name, NANDO identification number, Member State
Provider identification	Legal name, registered address
AI system identification	Name, version, intended purpose, hardware/software description
Annex III reference	Which Annex III point and sub-point the certificate covers
Annex VII route	Whether Appendix 1 (type-examination) or Appendix 2 (QMS)
Standards applied	Harmonised standards, common specifications, or body methodology used
Assessment date	Date of assessment activities
Issue date	Formal certificate issuance date
Validity period	Maximum 5 years from issue date
Conditions and restrictions	Any scope limitations or operational conditions the certificate is valid under
NANDO entry reference	For cross-reference with the public NANDO database

When Certificates Are Refused

If the assessment finds non-compliance, the notified body must:

Document specific non-conformities with reference to the applicable requirements
Require the provider to take corrective measures within a defined timeframe
If corrective measures are implemented: re-assess the specific areas of non-conformity
If corrective measures are not implemented or remain insufficient: refuse to issue the certificate
Notify the relevant national competent authority of the refusal and the reasons

Practitioner note: Certificate refusals create a complex regulatory situation. The provider's subsequent application to a different notified body — permitted under Art.34(1) — must disclose the prior application. The second body will typically request the first body's non-conformity findings as part of its own assessment. Concealing a prior refusal is not only an Art.34 application breach but creates Art.99 enforcement exposure and potential reputational damage if the non-conformity becomes public through national authority notifications.

Art.34(4): Certificate Validity and Renewal

Maximum 5-Year Validity

Art.34 certificates are valid for a maximum of 5 years from the date of issue. For rapidly evolving AI systems, this creates a renewal cycle:

Year	Certification Activity
Year 1	Initial assessment, certificate issuance
Years 1–4	Ongoing surveillance (see Art.34(5))
Year 4 (latest)	Begin renewal application to allow sufficient time
Year 5	Certificate expiry — renewed certificate must be in place before expiry

Substantial modification trigger: Under Art.23, a substantial modification to a high-risk AI system may require a new conformity assessment — effectively restarting the Art.34 certification cycle before the existing certificate expires. The notified body that issued the original certificate should be the first point of contact when a modification is planned, as they can assess whether Art.34 renewal procedures apply to the specific change.

Certificate Renewal Process

Renewal follows the same Art.34(1)–(3) procedure as initial certification, but with important differences:

Notified body can rely on prior assessment findings for areas that have not changed
Renewal assessment scope can be focused on modifications and changes since last assessment
Providers should initiate renewal 12–18 months before expiry to allow adequate assessment time for complex systems

Art.34(5): Post-Certification Surveillance

Provider Obligations During Surveillance

After certificate issuance, Art.34(5) creates ongoing obligations for both the notified body and the provider:

Provider obligations:

Inform the notified body of any changes planned for the certified system
Give the notified body access to the AI system, documentation, and facilities on request
Report any serious incidents under Art.73 that may indicate conformity issues
Maintain Annex IV technical documentation and update it to reflect any changes

Notified body surveillance activities:

Periodic surveillance assessments at intervals appropriate to the system's risk profile
Review of post-market monitoring reports received from the provider (Art.30)
Examination of changes to the AI system or its operating context
Review of incident and near-miss data where available

Surveillance Frequency Considerations

Art.34 does not prescribe specific surveillance intervals but requires assessments at "appropriate" intervals. Factors influencing interval:

Factor	Typical Effect
Annex III category risk level	Higher risk (biometric ID) → shorter interval (12–18 months)
Active incident reports	Known incidents → triggered surveillance outside standard cycle
System modification frequency	Rapidly evolving systems → more frequent review
Prior non-conformity history	Systems with prior corrections → enhanced surveillance
Market surveillance authority request	Art.21 MSA requests trigger additional notified body review

Art.34(6): Suspension and Withdrawal of Certificates

Grounds for Suspension

Art.34(6) defines when a notified body must act on post-issuance non-compliance:

Suspension triggers:

Provider fails to implement required corrective measures within the agreed timeline
Evidence of ongoing non-compliance in surveillance assessment
Provider fails to cooperate with surveillance activities (denies access, withholds documentation)
Provider fails to inform the body of material changes to the certified system

Withdrawal triggers:

Non-compliance is fundamental to the conformity assessment basis (the system was found to not meet core requirements)
Provider supplied false or misleading information in the original application
Provider has abandoned the product or ceased to exist without transfer of obligations
Certificate was initially issued in error by the notified body

Notification Obligations

When a notified body suspends or withdraws a certificate:

Notification Recipient	Timeline	Content
Provider	Immediate	Reasons, corrective measure requirements, right of appeal
National competent authority (Member State of the notified body)	Without undue delay	Certificate reference, grounds, effective date
Commission (via NANDO update)	Without undue delay	Certificate status change — to inform market surveillance database
Other Member State competent authorities	Via Commission/NANDO notification chain	Where the AI system was placed on the market

Provider Response to Suspension

When a certificate is suspended:

Immediate market actions: Provider should assess whether systems already placed on the market continue to comply with requirements under Art.23. Active deployments may need to be paused depending on the scope of the non-conformity.
Corrective measures: Implement the notified body's required changes within the agreed timeline.
Re-assessment submission: Submit evidence of corrections for the notified body's re-assessment.
Market surveillance notification: If the non-conformity creates a safety risk, provider's own Art.73 serious incident reporting obligations may be triggered.

If the suspension is resolved, the notified body lifts the suspension and the certificate is restored. If not resolved within the specified period, the certificate transitions to withdrawal.

Art.34(7): Proportionality and SME Provisions

Art.34(7) requires notified bodies to ensure their procedures remain proportionate throughout the certification lifecycle. Key SME-specific provisions:

Provision	SME Application
Fees	Must reflect actual costs; bodies cannot apply rates designed for large-system certifications uniformly to SME products
Documentation format	Bodies cannot require specific proprietary formats that create disproportionate compliance burden
Assessment timelines	Bodies must engage with SMEs on realistic timelines that do not require SMEs to maintain large standing readiness teams
Surveillance frequency	Risk-proportionate — a lower-risk SME product should not face the same surveillance cadence as a large-scale biometric system

Practical implication: SMEs that believe a notified body is applying disproportionate procedures have a formal avenue to raise this with the national competent authority. Bodies that systematically fail to apply proportionality face accreditation review under Art.33.

Art.34 × Regulatory Intersection Matrix

Art.34 Activity	Intersecting Article	Effect
Application documentation	Art.33(2)	Body's competence to review Annex IV must match system's ML architecture
QMS assessment (Annex VII Appendix 2)	Art.17	Body reviews provider's quality management system against Art.17(1)(a)–(j)
Risk management review	Art.9	Body verifies risk management process completeness as part of Annex IV review
Training data documentation review	Art.10	Body examines data governance records for Annex IV data management obligations
Logging capability verification	Art.12	Body confirms logging mechanisms meet Art.12(1) automated log requirements
Human oversight verification	Art.14	Body confirms human oversight mechanisms are technically implemented
Certificate issuance	Art.48	Successful Art.34 certificate → provider can complete Declaration of Conformity
Declaration of Conformity	Art.49	Art.48 declaration → CE marking affixation
Post-certification surveillance	Art.30	PMM data is primary evidence source for surveillance assessments
Substantial modification	Art.23	Art.23 change assessment by provider triggers Art.34 re-assessment obligation
Serious incident	Art.73	Art.73 serious incident report may trigger unscheduled Art.34 surveillance
Non-compliance found	Art.99(4)(b)	Placing system on market during suspension = up to €15M or 3% global turnover fine
Coordination group	Art.35	Body must apply assessment methodologies consistent with Art.35 guidance

CLOUD Act and Infrastructure Jurisdiction in Art.34 Assessments

Art.34 assessment activities generate a significant volume of sensitive technical documentation:

Document Type	Source	CLOUD Act Risk
Provider's Annex IV technical documentation submitted for assessment	Provider → notified body	High — contains IP, architecture details, training data specifications
Notified body's assessment report	Notified body	Medium — contains confidentiality-protected assessment findings (Annex VII(3))
Test results and evaluation data	Notified body	Medium — may contain system performance data relevant to competitive intelligence
QMS audit findings	Notified body	High — reveals internal quality and compliance processes
Non-conformity documentation	Notified body	High — regulatory-sensitive; disclosure could trigger market withdrawal orders
Certificate with technical scope	Notified body → provider	Low — public record via NANDO, but scope details may reveal product capabilities

Where a notified body stores assessment records on US-controlled cloud infrastructure (AWS, Azure, Google Cloud), those records are subject to the US CLOUD Act (18 U.S.C. § 2713). This means US law enforcement can compel the cloud provider to produce the records without the knowledge of the EU notified body or the AI system provider.

This creates a dual-jurisdiction risk:

EU MSA access (Art.34 × Art.21): EU market surveillance authorities have legal access to notified body assessment records
US CLOUD Act access: US authorities can compel the same records via US cloud infrastructure operator

For providers of systems in sensitive Annex III categories — particularly biometric identification (point 1), law enforcement (point 6), migration and border management (point 7) — assessment records being accessible to US authorities creates a sovereignty exposure that is difficult to remediate post-assessment.

Mitigation: Require notified bodies to store assessment records exclusively on EU-sovereign infrastructure, and include this as a contractual condition before submitting the Annex IV documentation package.

Python Implementation

Class 1: AssessmentProcedureRecord

Tracks a provider's application to a notified body and assessment procedure progress.

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
from enum import Enum

class AssessmentStatus(Enum):
    APPLICATION_SUBMITTED = "application_submitted"
    APPLICATION_ACCEPTED = "application_accepted"
    DOCUMENTATION_REVIEW = "documentation_review"
    TECHNICAL_ASSESSMENT = "technical_assessment"
    CORRECTIVE_MEASURES_REQUIRED = "corrective_measures_required"
    CORRECTIVE_MEASURES_SUBMITTED = "corrective_measures_submitted"
    CERTIFICATE_ISSUED = "certificate_issued"
    APPLICATION_REFUSED = "application_refused"

@dataclass
class AssessmentProcedureRecord:
    system_id: str
    system_name: str
    annex_iii_category: str  # e.g. "point_1_biometric_id", "point_5_employment"
    notified_body_nando_id: str
    notified_body_name: str
    assessment_type: str  # "type_examination", "qms", "both"
    application_date: date
    prior_application_disclosure: bool  # Art.34(1) exclusivity declaration
    status: AssessmentStatus = AssessmentStatus.APPLICATION_SUBMITTED
    corrective_measure_deadline: Optional[date] = None
    non_conformities: list[str] = field(default_factory=list)
    application_reference: str = ""

    def accept_application(self) -> None:
        """Notified body accepts the application — assessment begins."""
        if self.status != AssessmentStatus.APPLICATION_SUBMITTED:
            raise ValueError(f"Cannot accept from status {self.status}")
        self.status = AssessmentStatus.APPLICATION_ACCEPTED

    def begin_documentation_review(self) -> None:
        self.status = AssessmentStatus.DOCUMENTATION_REVIEW

    def begin_technical_assessment(self) -> None:
        self.status = AssessmentStatus.TECHNICAL_ASSESSMENT

    def require_corrective_measures(
        self,
        non_conformities: list[str],
        deadline_days: int = 90
    ) -> None:
        """Art.34(3): notified body finds non-compliance, requires corrective measures."""
        self.non_conformities = non_conformities
        self.corrective_measure_deadline = date.today() + timedelta(days=deadline_days)
        self.status = AssessmentStatus.CORRECTIVE_MEASURES_REQUIRED

    def submit_corrective_measures(self) -> None:
        self.status = AssessmentStatus.CORRECTIVE_MEASURES_SUBMITTED

    def is_corrective_deadline_passed(self) -> bool:
        if self.corrective_measure_deadline is None:
            return False
        return date.today() > self.corrective_measure_deadline

    def assessment_summary(self) -> dict:
        return {
            "system": self.system_name,
            "system_id": self.system_id,
            "notified_body": f"{self.notified_body_name} (NANDO: {self.notified_body_nando_id})",
            "annex_iii_category": self.annex_iii_category,
            "assessment_type": self.assessment_type,
            "status": self.status.value,
            "application_date": self.application_date.isoformat(),
            "prior_disclosure": self.prior_application_disclosure,
            "open_non_conformities": len(self.non_conformities),
            "corrective_deadline": (
                self.corrective_measure_deadline.isoformat()
                if self.corrective_measure_deadline else None
            ),
            "corrective_deadline_passed": self.is_corrective_deadline_passed(),
        }

Class 2: CertificateLifecycleManager

Manages certificate issuance, validity tracking, renewal planning, and suspension/withdrawal.

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
from enum import Enum

class CertificateStatus(Enum):
    VALID = "valid"
    SUSPENDED = "suspended"
    WITHDRAWN = "withdrawn"
    EXPIRED = "expired"
    RENEWAL_REQUIRED = "renewal_required"

@dataclass
class ConformityCertificate:
    certificate_id: str
    certificate_type: str  # "type_examination" | "qms"
    notified_body_nando_id: str
    notified_body_name: str
    provider_name: str
    system_name: str
    system_version: str
    annex_iii_reference: str
    issue_date: date
    validity_years: int = 5
    scope_conditions: list[str] = field(default_factory=list)
    status: CertificateStatus = CertificateStatus.VALID
    suspension_date: Optional[date] = None
    suspension_reason: Optional[str] = None
    withdrawal_date: Optional[date] = None
    withdrawal_reason: Optional[str] = None

    @property
    def expiry_date(self) -> date:
        return date(
            self.issue_date.year + self.validity_years,
            self.issue_date.month,
            self.issue_date.day
        )

    @property
    def days_until_expiry(self) -> int:
        return (self.expiry_date - date.today()).days

    def is_currently_valid(self) -> bool:
        if self.status != CertificateStatus.VALID:
            return False
        return date.today() <= self.expiry_date

    def requires_renewal_soon(self, advance_months: int = 12) -> bool:
        """Flag when renewal should be initiated (default: 12 months before expiry)."""
        renewal_threshold = self.expiry_date - timedelta(days=advance_months * 30)
        return date.today() >= renewal_threshold and self.is_currently_valid()

    def suspend(self, reason: str) -> None:
        """Art.34(6): suspend certificate for non-compliance."""
        if self.status != CertificateStatus.VALID:
            raise ValueError(f"Cannot suspend from status {self.status}")
        self.status = CertificateStatus.SUSPENDED
        self.suspension_date = date.today()
        self.suspension_reason = reason

    def lift_suspension(self) -> None:
        """Corrective measures resolved — restore certificate validity."""
        if self.status != CertificateStatus.SUSPENDED:
            raise ValueError("Cannot lift suspension: certificate not suspended")
        self.status = CertificateStatus.VALID
        self.suspension_date = None
        self.suspension_reason = None

    def withdraw(self, reason: str) -> None:
        """Art.34(6): withdraw certificate — non-compliance not remedied."""
        self.status = CertificateStatus.WITHDRAWN
        self.withdrawal_date = date.today()
        self.withdrawal_reason = reason

    def certificate_status_report(self) -> dict:
        return {
            "certificate_id": self.certificate_id,
            "type": self.certificate_type,
            "system": f"{self.system_name} v{self.system_version}",
            "issuer": f"{self.notified_body_name} (NANDO: {self.notified_body_nando_id})",
            "issue_date": self.issue_date.isoformat(),
            "expiry_date": self.expiry_date.isoformat(),
            "days_until_expiry": self.days_until_expiry,
            "status": self.status.value,
            "valid": self.is_currently_valid(),
            "renewal_required_soon": self.requires_renewal_soon(),
            "suspension_active": self.status == CertificateStatus.SUSPENDED,
            "suspension_reason": self.suspension_reason,
            "withdrawal_active": self.status == CertificateStatus.WITHDRAWN,
            "withdrawal_reason": self.withdrawal_reason,
        }


class CertificateLifecycleManager:
    def __init__(self):
        self.certificates: dict[str, ConformityCertificate] = {}

    def register_certificate(self, cert: ConformityCertificate) -> None:
        self.certificates[cert.certificate_id] = cert

    def get_expiring_certificates(self, advance_months: int = 12) -> list[ConformityCertificate]:
        return [
            cert for cert in self.certificates.values()
            if cert.requires_renewal_soon(advance_months)
        ]

    def get_suspended_certificates(self) -> list[ConformityCertificate]:
        return [
            cert for cert in self.certificates.values()
            if cert.status == CertificateStatus.SUSPENDED
        ]

    def compliance_dashboard(self) -> dict:
        all_certs = list(self.certificates.values())
        valid = [c for c in all_certs if c.is_currently_valid()]
        suspended = [c for c in all_certs if c.status == CertificateStatus.SUSPENDED]
        withdrawn = [c for c in all_certs if c.status == CertificateStatus.WITHDRAWN]
        renewal_needed = [c for c in all_certs if c.requires_renewal_soon()]
        return {
            "total_certificates": len(all_certs),
            "valid": len(valid),
            "suspended": len(suspended),
            "withdrawn": len(withdrawn),
            "renewal_required_in_12_months": len(renewal_needed),
            "compliance_status": "OK" if not suspended and not withdrawn else "ACTION_REQUIRED",
            "action_items": [
                f"SUSPENDED: {c.certificate_id} — {c.suspension_reason}"
                for c in suspended
            ] + [
                f"RENEWAL_NEEDED: {c.certificate_id} — expires {c.expiry_date.isoformat()}"
                for c in renewal_needed
            ],
        }

Class 3: ConformityDecisionTracker

Tracks assessment decisions, non-conformity notices, and authority notification obligations.

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
from enum import Enum

class DecisionType(Enum):
    CERTIFICATE_ISSUED = "certificate_issued"
    CERTIFICATE_REFUSED = "certificate_refused"
    CORRECTIVE_MEASURES_REQUIRED = "corrective_measures_required"
    CERTIFICATE_SUSPENDED = "certificate_suspended"
    SUSPENSION_LIFTED = "suspension_lifted"
    CERTIFICATE_WITHDRAWN = "certificate_withdrawn"

@dataclass
class ConformityDecision:
    decision_id: str
    decision_type: DecisionType
    decision_date: date
    system_id: str
    notified_body_nando_id: str
    grounds: str
    national_authority_notified: bool = False
    commission_nando_updated: bool = False
    provider_notified: bool = False
    notification_deadline: Optional[date] = None

    def authority_notification_overdue(self) -> bool:
        if self.notification_deadline is None:
            return False
        return (
            not self.national_authority_notified
            and date.today() > self.notification_deadline
        )


class ConformityDecisionTracker:
    def __init__(self, system_id: str):
        self.system_id = system_id
        self.decisions: list[ConformityDecision] = []

    def record_decision(self, decision: ConformityDecision) -> None:
        self.decisions.append(decision)

    def record_certificate_issuance(
        self,
        notified_body_nando_id: str,
        grounds: str = "All Annex VII requirements met"
    ) -> ConformityDecision:
        d = ConformityDecision(
            decision_id=f"DEC-{len(self.decisions)+1:04d}",
            decision_type=DecisionType.CERTIFICATE_ISSUED,
            decision_date=date.today(),
            system_id=self.system_id,
            notified_body_nando_id=notified_body_nando_id,
            grounds=grounds,
            provider_notified=True,
        )
        self.decisions.append(d)
        return d

    def record_suspension(
        self,
        notified_body_nando_id: str,
        grounds: str,
        notification_days: int = 3  # "without undue delay" = typically 3 working days
    ) -> ConformityDecision:
        """Art.34(6): certificate suspension — national authority must be notified."""
        d = ConformityDecision(
            decision_id=f"DEC-{len(self.decisions)+1:04d}",
            decision_type=DecisionType.CERTIFICATE_SUSPENDED,
            decision_date=date.today(),
            system_id=self.system_id,
            notified_body_nando_id=notified_body_nando_id,
            grounds=grounds,
            notification_deadline=date.today() + timedelta(days=notification_days),
        )
        self.decisions.append(d)
        return d

    def pending_authority_notifications(self) -> list[ConformityDecision]:
        return [
            d for d in self.decisions
            if not d.national_authority_notified
            and d.decision_type in {
                DecisionType.CERTIFICATE_REFUSED,
                DecisionType.CERTIFICATE_SUSPENDED,
                DecisionType.CERTIFICATE_WITHDRAWN,
            }
        ]

    def overdue_notifications(self) -> list[ConformityDecision]:
        return [
            d for d in self.pending_authority_notifications()
            if d.authority_notification_overdue()
        ]

    def decision_history(self) -> list[dict]:
        return [
            {
                "decision_id": d.decision_id,
                "type": d.decision_type.value,
                "date": d.decision_date.isoformat(),
                "grounds": d.grounds,
                "authority_notified": d.national_authority_notified,
                "nando_updated": d.commission_nando_updated,
                "notification_overdue": d.authority_notification_overdue(),
            }
            for d in self.decisions
        ]

    def compliance_status(self) -> dict:
        pending = self.pending_authority_notifications()
        overdue = self.overdue_notifications()
        return {
            "system_id": self.system_id,
            "total_decisions": len(self.decisions),
            "pending_authority_notifications": len(pending),
            "overdue_notifications": len(overdue),
            "compliance_status": "BREACH" if overdue else ("ACTION_REQUIRED" if pending else "OK"),
            "overdue_items": [
                f"{d.decision_id}: {d.decision_type.value} — notification deadline {d.notification_deadline}"
                for d in overdue
            ],
        }

Art.34 40-Item Compliance Checklist for Providers

Checklist for AI system providers navigating the Art.34 procedure.

Application (Art.34(1))

Confirm selected notified body has active NANDO status covering your Annex III category
Prepare Annex IV technical documentation package before application submission
Obtain legal confirmation that no prior application to a different notified body was submitted for this system version
If prior application exists: prepare disclosure document for new notified body
Confirm assessment type required: type-examination (Annex VII App.1), QMS (App.2), or both
Identify the specific Annex III point(s) your system falls under for the application declaration
Prepare SME declaration if applicable — request proportionate procedure under Art.34(7)
Verify Annex IV documentation completeness across all 8 required sections before submission
Include hardware/software environment description matching Art.13 transparency requirements
Obtain legal sign-off on application declaration before submission — false statements = Art.99 exposure

Documentation Review (Art.34(2))

Confirm notified body's documentation review scope covers all Annex IV sections
Identify which harmonised standards (Art.40) or common specifications (Art.41) apply to your system
Request body's written methodology where no harmonised standards exist
Prepare cross-regulatory reliance documentation if prior MDR or Machinery Regulation assessment exists
Ensure Art.9 risk management documentation is complete and consistent with Annex IV
Ensure Art.10 training data governance records are complete and current at time of submission
Confirm Art.12 logging capability documentation describes automated log format and retention
Confirm Art.14 human oversight mechanism documentation maps to technical implementation
Prepare Art.17 QMS documentation if QMS route (Annex VII Appendix 2) is being used
Set 30-day milestone for documentation completeness review before application deadline

Certificate Issuance (Art.34(3)–(4))

Review draft certificate before finalisation — verify all content fields are accurate
Confirm certificate identifies the correct Annex III point and sub-point
Confirm certificate references the correct Annex VII route (Appendix 1, 2, or both)
Verify NANDO identification number is included in the certificate
Confirm validity period: maximum 5 years, note exact expiry date in compliance calendar
Record any scope conditions or operational restrictions stated on the certificate
File certificate in Art.18 10-year retention system immediately upon receipt
Store certificate reference for inclusion in Art.48 Declaration of Conformity
Insert certificate expiry date into renewal calendar with 12-month advance reminder
Confirm with body that NANDO entry will be updated to reflect new certificate

Post-Certification Surveillance (Art.34(5))

Confirm surveillance schedule and first surveillance date with notified body post-certificate
Establish internal process for informing notified body of planned system changes
Build Art.30 PMM data feed into surveillance readiness — body will request this data
Designate technical contact responsible for responding to surveillance access requests
Establish Art.23 change assessment process — flag substantial modifications for body notification
Implement quarterly NANDO status check to verify certificate remains listed as valid
Set internal policy: any Art.73 serious incident to be evaluated for certificate impact before filing

Suspension/Withdrawal (Art.34(6))

Build internal response protocol for notified body suspension notice — 48h response initiation
Establish corrective measures documentation standard — deficiencies must be addressed with traceable evidence
Ensure authority notification obligations are tracked: suspension notices to national authority within 3 working days

Art.34 Enforcement Exposure

Scenario	Provider Risk
Placing system on market after certificate suspension	Art.99(4)(b): up to €15M or 3% global turnover for placing without valid conformity procedure
Failure to inform notified body of substantial modification	Art.23 × Art.99 risk: certificate may be invalidated retroactively
False declaration in Art.34(1) application	Art.99 enforcement exposure + potential certificate invalidity
Denying notified body surveillance access	Certificate suspension trigger; market surveillance escalation risk
Certificate expiry with no renewal initiated	System continues on market without valid conformity procedure = Art.99 exposure