2026-04-16·12 min read·

EU AI Act Art.38 Bodies Notified Under Union Harmonisation Legislation: Developer Guide (2026)

EU AI Act Article 38 addresses one of the most practical questions in multi-regulation AI compliance: when your AI system is already subject to another EU product regulation, does it need a separate notified body assessment for the EU AI Act? The answer is no — if the body already notified under the other regulation also qualifies under Art.33 EU AI Act criteria, member states can designate it to perform EU AI Act conformity assessments without requiring a full, independent designation process.

Art.38 is a streamlining mechanism. It prevents the compliance paradox where a medical device manufacturer must hire one notified body for the Medical Device Regulation (MDR), a second for the EU AI Act, coordinate parallel assessments of the same underlying system, and resolve inconsistencies between two separate certification timelines. Instead, a single qualified body covers the entire regulatory scope of the product.

For developers building AI systems in regulated industries — medical diagnostics, industrial automation, telecommunications, in vitro diagnostics, radio equipment — Art.38 defines the landscape of who can certify your system, which body to approach first, and how the dual-regulation assessment lifecycle actually works. For cloud infrastructure providers, Art.38 creates a compliance architecture where the hosting of a certified AI system on EU sovereign infrastructure is a documented factor in body selection — because cross-regulation assessment records fall under multiple retention obligations and CLOUD Act exposure must be assessed as part of body selection.

Art.38 in the EU AI Act Notified Body Framework

Art.38 sits in Chapter III, Section 4 of the EU AI Act, which governs the entire notified body ecosystem:

Article	Content
Art.33	Notified bodies — baseline qualification criteria
Art.34	Operational obligations of notified bodies
Art.35	Designation process for new notified bodies
Art.36	Suspension and withdrawal of designation
Art.37	Subsidiaries, subcontracting, and group structures
Art.38	Bodies notified under other Union harmonisation legislation
Art.39	Coordination and cooperation of notified bodies

The chain matters for developers because Art.38 is not a standalone provision — it is a conditional shortcut. A body using the Art.38 pathway must still satisfy Art.33 criteria; it is just not required to go through the Art.35 designation application from zero. Art.36 and Art.34 apply equally regardless of whether designation came via Art.35 or Art.38.

What Art.38 Actually Requires

Art.38(1) — Cross-designation authority. Member states may designate bodies that have already been notified under other Union harmonisation legislation as notified bodies under the EU AI Act. The list of eligible base regulations includes but is not limited to:

Regulation (EU) 2017/745 (Medical Device Regulation — MDR)
Regulation (EU) 2017/746 (In Vitro Diagnostic Regulation — IVDR)
Directive 2006/42/EC (Machinery Directive)
Directive 2014/53/EU (Radio Equipment Directive — RED)
Regulation (EU) 2016/425 (Personal Protective Equipment)
Regulation (EU) No 305/2011 (Construction Products Regulation)

The word "may" in Art.38(1) gives member states discretion. Germany, the Netherlands, and France have active notified body ecosystems under these base regulations with bodies that have stated intent to seek EU AI Act designation. Developers building products that fall under multiple regulations should check national authority registries (BNetzA in Germany, CIBG in the Netherlands, LNE in France) for designation status.

Art.38(2) — Qualification requirement. The cross-designated body must still comply with the requirements applicable to the scope of activities for which it seeks designation under the EU AI Act. This means Art.33 criteria — independence, technical competence, impartiality, insurance, internal management — apply in full. The Art.38 shortcut is administrative (no need to file a fresh Art.35 notification application from zero), not substantive. If the body lacks the AI-specific competences required for the conformity assessment method relevant to your system, it cannot be designated regardless of its MDR or Machinery Directive status.

Art.38(3) — Competence-scope limits. Where a body is designated for a conformity assessment method under the EU AI Act that it does not currently perform under any other harmonisation legislation, the full Art.35 notification procedure applies for that specific activity. For example, a body with strong MDR Annex IX certification experience (quality management system audit) may still need to go through partial Art.35 procedures if the EU AI Act conformity assessment method required for your system is Annex VII (conformity assessment based on technical documentation only), which has no direct MDR equivalent.

The Multi-Regulation AI System Reality

The most common developer scenario that Art.38 directly affects is an AI system that simultaneously falls under:

A sectoral product regulation (MDR class IIa+, IVDR class C+, Machinery category IV) that requires notified body involvement, AND
EU AI Act Annex III as a high-risk AI system (healthcare diagnosis, workplace safety monitoring, critical infrastructure management)

In these cases, without Art.38, developers face dual assessment:

System under MDR + EU AI Act (without Art.38 streamlining):
  
  ┌─ MDR Notified Body ─────────────────────────┐
  │  Technical documentation (Annex II)          │
  │  QMS audit (Annex IX)                        │
  │  Performance evaluation (Annex X/XIV)        │
  │  Certificate issuance                        │
  └─────────────────────────────────────────────┘
  
  ┌─ EU AI Act Notified Body (separate) ────────┐
  │  Art.43 conformity assessment               │
  │  Art.9 risk management review               │
  │  Art.10 data governance review              │
  │  Art.13/14/15 review                        │
  │  Separate certification timeline            │
  └─────────────────────────────────────────────┘

With Art.38 streamlining:

System under MDR + EU AI Act (Art.38 streamlined):
  
  ┌─ Single Cross-Designated Body ──────────────┐
  │  MDR: Technical documentation, QMS, cert   │
  │  EU AI Act: Art.43 assessment scope        │
  │  Combined audit program                    │
  │  Single assessment timeline                │
  │  Coordinated documentation review         │
  │  One interface for non-conformity findings │
  └─────────────────────────────────────────────┘

The practical benefit is not just reduced cost. It is coherence: a single body identifies overlapping requirements (MDR Annex II clinical evaluation × EU AI Act Art.10 data governance), resolves conflicts between what MDR requires you to document and what Art.11 requires you to document, and issues coordinated certificates that cover both regulatory dimensions.

Art.38 and Conformity Assessment Method Selection

EU AI Act conformity assessment for high-risk AI systems follows Art.43, which offers two routes:

Route	Method	When Available
Internal Control	Annex VI (self-assessment, no notified body)	Most Annex III systems EXCEPT certain biometric systems
Third-Party Assessment	Annex VII (notified body involved)	Biometric identification systems; systems under Annex III Annex I sectors (e.g., medical devices, vehicles)

For systems already subject to a sectoral regulation requiring notified body involvement (MDR Class IIa+, RED equipment, Machinery Directive Annex II), Art.43(3) explicitly requires notified body involvement for the EU AI Act conformity assessment as well. This is where Art.38 becomes directly relevant: the body you select for the sectoral assessment is likely the only Art.38-eligible body for the EU AI Act assessment — and the choice must be made early in the product development timeline, not at the certification stage.

Selecting a Notified Body Under Art.38: Decision Framework

Step 1: Regulation inventory
├── Does your product fall under MDR/IVDR/RED/Machinery/other?
│   ├── YES → Identify notified bodies already designated under that regulation
│   │         with stated intent to seek or already holding EU AI Act designation
│   └── NO  → Use standard Art.33/35 notified body selection

Step 2: AI Act designation check
├── Is your target body already designated under EU AI Act?
│   ├── YES (Art.38 pathway) → Proceed with combined assessment request
│   └── NO  → Check designation timeline; consider alternative body
│             or request preliminary opinion from member state authority

Step 3: Competence scope verification
├── Does the body's EU AI Act scope cover your Annex III category?
│   ├── YES → Confirm assessment method (Annex VI vs Annex VII)
│   └── NO  → Partial Art.35 procedure may be required; body may not be available

Step 4: Combined assessment scoping
├── Define overlapping documentation requirements
├── Agree combined audit program
├── Align certificate timelines
└── Establish single non-conformity resolution process

Key Notified Bodies Pursuing Art.38 Cross-Designation

While the official NANDO (New Approach Notified and Designated Organisations) database is the authoritative source, the following bodies have publicly indicated EU AI Act designation intent as of early 2026:

BSI (British Standards Institution) — via EU subsidiary: MDR, IVDR, RED, Machinery
TÜV SÜD Product Service GmbH: MDR, IVDR, Machinery, RED — EU AI Act designation process initiated
TÜV Rheinland LGA Products GmbH: MDR, Machinery — announced AI Act assessment services
SGS Belgium NV: MDR, IVDR, RED
Lloyd's Register EMEA: Machinery, pressure equipment
Bureau Veritas: Machinery, PPE, RED
Kiwa: MDR, RED

Developers should verify current designation status in NANDO before making selection decisions. Art.38 designation is member-state-specific: a body designated in Germany under MDR may not yet be designated in Germany under the EU AI Act, even if another member state has already cross-designated it.

CLOUD Act Implications: Cross-Regulation Assessment Records

When a notified body performs a combined MDR + EU AI Act assessment, it generates assessment records that are subject to multiple retention requirements:

Regulation	Retention Period	Trigger
MDR Art.52(9)	10 years after last product placed on market	Certificate issuance
EU AI Act Art.46	5 years after notification of activity	Assessment completion
EU AI Act Art.18	Lifecycle of deployment + post-market	Continuous

If your notified body stores assessment records in US-cloud infrastructure (AWS us-east, Azure, GCP), those records are subject to CLOUD Act compelled disclosure regardless of EU GDPR protections. For medical AI or high-risk industrial AI, assessment records contain technical documentation, test methodologies, and risk analysis — exactly the materials that constitute competitive intelligence and IP.

Art.38 body selection should include:

Data residency verification: Does the body use EU-sovereign infrastructure for assessment records?
CLOUD Act disclosure policy: Has the body published its response policy for US government requests?
Subcontractor chain: Does the body use US-parented software for document management (SharePoint 365, ServiceNow)?
Contractual protection: Can you negotiate EU-only data processing for assessment records?

For AI systems hosted on EU-sovereign cloud platforms (where the operator can certify EU-jurisdiction data storage), providing the notified body with access to documentation via the host platform's document management system rather than transferring files to body-controlled infrastructure reduces CLOUD Act exposure.

Practical Compliance Architecture for Art.38 Scenarios

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import datetime


class EUHarmonisationRegulation(Enum):
    MDR = "Medical Device Regulation (EU) 2017/745"
    IVDR = "In Vitro Diagnostic Regulation (EU) 2017/746"
    MACHINERY = "Machinery Directive 2006/42/EC"
    RED = "Radio Equipment Directive 2014/53/EU"
    PPE = "Personal Protective Equipment (EU) 2016/425"
    CPR = "Construction Products Regulation (EU) 305/2011"


class DesignationPathway(Enum):
    ART_35_FULL = "Full designation (Art.35)"
    ART_38_CROSS = "Cross-designation (Art.38)"
    UNKNOWN = "Designation status unknown"


@dataclass
class NotifiedBodyRecord:
    """Tracks a notified body's designation status across regulations."""
    body_id: str  # NANDO notification number
    body_name: str
    member_state: str
    base_regulation_designations: list[EUHarmonisationRegulation] = field(default_factory=list)
    eu_ai_act_designated: bool = False
    eu_ai_act_designation_pathway: DesignationPathway = DesignationPathway.UNKNOWN
    eu_ai_act_annex_iii_categories: list[str] = field(default_factory=list)
    uses_eu_sovereign_infrastructure: Optional[bool] = None
    cloud_act_disclosure_policy_url: Optional[str] = None
    
    def is_art38_eligible(self) -> bool:
        """Body is eligible for Art.38 cross-designation."""
        return len(self.base_regulation_designations) > 0
    
    def covers_combined_assessment(
        self, 
        base_regulation: EUHarmonisationRegulation,
        annex_iii_category: str
    ) -> bool:
        """Check if body can perform combined assessment for given scope."""
        return (
            base_regulation in self.base_regulation_designations
            and self.eu_ai_act_designated
            and (
                annex_iii_category in self.eu_ai_act_annex_iii_categories
                or not self.eu_ai_act_annex_iii_categories  # covers all categories
            )
        )


@dataclass
class ProductRegulatoryScope:
    """Regulatory scope of an AI product that may require Art.38 assessment."""
    product_name: str
    base_regulation: Optional[EUHarmonisationRegulation]
    base_regulation_class: Optional[str]  # e.g., "MDR Class IIb", "Machinery Category IV"
    annex_iii_category: str  # EU AI Act category
    requires_notified_body_base: bool  # NB required under base regulation
    requires_notified_body_ai_act: bool  # NB required under Art.43
    
    def requires_combined_assessment(self) -> bool:
        return (
            self.base_regulation is not None
            and self.requires_notified_body_base
            and self.requires_notified_body_ai_act
        )


@dataclass
class NotifiedBodySelectionMatrix:
    """Selects optimal notified body for dual-regulation AI systems."""
    product: ProductRegulatoryScope
    candidate_bodies: list[NotifiedBodyRecord]
    
    def art38_eligible_bodies(self) -> list[NotifiedBodyRecord]:
        """Bodies that can perform combined Art.38 assessment."""
        if not self.product.requires_combined_assessment():
            return []
        return [
            b for b in self.candidate_bodies
            if self.product.base_regulation is not None
            and b.covers_combined_assessment(
                self.product.base_regulation,
                self.product.annex_iii_category
            )
        ]
    
    def cloud_act_safe_bodies(self) -> list[NotifiedBodyRecord]:
        """Bodies with confirmed EU-sovereign infrastructure."""
        return [
            b for b in self.art38_eligible_bodies()
            if b.uses_eu_sovereign_infrastructure is True
        ]
    
    def generate_selection_report(self) -> dict:
        art38_bodies = self.art38_eligible_bodies()
        safe_bodies = self.cloud_act_safe_bodies()
        return {
            "product": self.product.product_name,
            "requires_combined_assessment": self.product.requires_combined_assessment(),
            "art38_eligible_count": len(art38_bodies),
            "cloud_act_safe_count": len(safe_bodies),
            "recommendation": (
                safe_bodies[0].body_name if safe_bodies
                else art38_bodies[0].body_name if art38_bodies
                else "No qualified body found — check NANDO for updates"
            ),
            "risk_level": (
                "LOW" if safe_bodies
                else "MEDIUM" if art38_bodies
                else "HIGH"
            )
        }

Art.38 × Art.43 Interaction: What the Combined Assessment Covers

When a single Art.38-designated body performs both the sectoral regulation assessment and the EU AI Act Art.43 assessment, the combined scope includes:

From EU AI Act Art.43 (high-risk AI system assessment):

Art.9: Risk management system documentation review
Art.10: Data governance and training data governance
Art.11 + Annex IV: Technical documentation completeness
Art.12: Record-keeping (logging) architecture
Art.13: Transparency and instructions for use
Art.14: Human oversight design and testing
Art.15: Accuracy, robustness, cybersecurity specifications

From MDR (example — Class IIb medical device):

Annex II: Technical documentation (clinical evaluation, device description)
Annex IX: Quality management system audit
Annex X or XIV: Clinical performance evaluation
Art.52: Surveillance reporting obligations

Overlap zones where combined assessment creates efficiency:

Technical documentation: MDR Annex II § 6.1 clinical evaluation + EU AI Act Art.10 training data → single dataset governance review
Performance: MDR Annex XIV clinical investigation + EU AI Act Art.15 accuracy metrics → coordinated specification
Risk: MDR Annex I safety requirements + EU AI Act Art.9 risk management → integrated risk register
Post-market: MDR Art.83 PMCF + EU AI Act Art.18 post-market monitoring → unified plan

30-Item Art.38 Notified Body Compliance Checklist

Regulation Scope (Items 1–7)

1. Listed all EU regulations applicable to the product (MDR/IVDR/RED/Machinery/etc.)
2. Identified Annex III EU AI Act category for the AI component
3. Confirmed whether notified body involvement is required under base regulation
4. Confirmed whether Art.43(3) triggers mandatory notified body under EU AI Act
5. Determined whether Art.38 combined assessment is available for this scope
6. Verified combined assessment not precluded by Art.38(3) competence-scope limits
7. Documented dual-regulation compliance strategy in Art.9 risk register

Body Selection (Items 8–15)

8. Searched NANDO for bodies with base regulation designation in relevant member state
9. Verified EU AI Act designation status for candidate bodies
10. Confirmed Art.38 designation pathway (not Art.35) where applicable
11. Verified candidate body's EU AI Act Annex III category scope matches product
12. Confirmed body has competence for required Art.43 assessment method (Annex VI/VII)
13. Checked body's assessment capacity and current queue (backlog risk)
14. Reviewed body's publicly stated CLOUD Act / data residency policy
15. Verified body does not use US-parented cloud for assessment record storage

Combined Assessment Planning (Items 16–22)

16. Agreed combined assessment scope with body (MDR + EU AI Act document map)
17. Defined which team prepares which documentation sections
18. Established overlap resolution process (e.g., Art.10 vs MDR Annex II conflict)
19. Aligned certificate timelines (MDR cert + EU AI Act cert synchronized)
20. Agreed single non-conformity finding process (avoid parallel deficiency lists)
21. Confirmed body's Art.38(2) obligation awareness (full Art.33 criteria apply)
22. Planned for Art.36 suspension contingency (alternative body identified)

Documentation and Records (Items 23–30)

23. Mapped all assessment records to applicable retention periods (MDR 10yr, EU AI Act 5yr)
24. Confirmed records stored in EU-jurisdiction infrastructure
25. Established contractual clause for EU-only data processing of assessment records
26. Prepared version-controlled technical documentation accessible to combined body
27. Documented Art.38 combined assessment decision in QMS (Art.17)
28. Planned annual surveillance audit scope under both regulations
29. Established Art.18 post-market monitoring → PMCF feedback pipeline
30. Confirmed notified body contact details included in EU AI Act database registration (Art.49)

Common Developer Mistakes Under Art.38

Mistake 1: Assuming Art.38 eliminates full Art.33 compliance. Art.38 is an administrative shortcut, not a qualification waiver. A body designated for MDR but lacking AI-specific technical competence (Art.33(2)(c)) cannot perform EU AI Act conformity assessments regardless of Art.38 status. Verify actual AI expertise, not just cross-designation filing.

Mistake 2: Treating Art.38 as automatic in all member states. Cross-designation is member state discretion ("may designate"). A body designated in Germany under MDR may not yet be cross-designated in Germany for EU AI Act. Check NANDO regularly — the registry is updated as member states issue designations.

Mistake 3: Starting with the base regulation body before confirming EU AI Act scope. Engaging a body early for MDR assessment without confirming its EU AI Act Annex III category coverage creates a commitment to a body that may not be able to complete the combined assessment. Confirm EU AI Act scope before signature.

Mistake 4: Ignoring Art.38(3) partial-procedure risk. If your system requires an Art.43 assessment method for which your Art.38 body has no equivalent base-regulation experience, the partial Art.35 procedure adds 3–9 months to the timeline. Map the assessment method early.

Mistake 5: Not requesting CLOUD Act policy before engagement. Once a notified body holds your technical documentation and assessment correspondence, the information has left your perimeter. Request the body's CLOUD Act response policy, data residency commitment, and subcontractor infrastructure disclosures before document transfer — not after.

Summary

EU AI Act Article 38 is the regulatory mechanism that prevents double-certification overhead for AI systems that already fall under MDR, Machinery Directive, IVDR, RED, or other Union harmonisation legislation. Bodies already notified under those regulations can be cross-designated for EU AI Act assessments under an expedited process — but must still meet all Art.33 qualification criteria, and their competence scope must match the specific EU AI Act conformity assessment method and Annex III category your product requires.

For developers: Art.38 means your notified body selection decision is made once, not twice. It means a single body manages the assessment timeline for both the base product regulation and the EU AI Act. And it means the CLOUD Act exposure of your technical documentation is concentrated in one body's infrastructure rather than two — making data residency diligence for that single body a first-priority item in the selection process.

The Art.38 landscape is evolving. Bodies are filing for cross-designation on different timelines in different member states. Monitor NANDO, confirm designation scope, and factor Art.38(3) partial-procedure risk into your product certification roadmap.