EU AI Act Art.44 Certificates of Conformity: Notified Body Certification — Developer Guide (2026)
EU AI Act Article 44 defines what a notified body actually delivers at the end of a successful Annex VII conformity assessment: a certificate of conformity. This certificate is the formal output that bridges the notified body assessment process and the provider's Declaration of Conformity under Art.48. For developers building high-risk AI systems that require third-party assessment — biometric identification systems, components of regulated products covered by Annex I legislation, or systems where the Commission has mandated third-party assessment by implementing act — understanding Art.44 is essential.
The practical significance of Art.44 extends beyond its four short paragraphs. The certificate is the foundation on which CE marking and EU database registration rest for Track 2 systems. It has a defined lifespan, carries conditions and restrictions, must be kept current through post-market surveillance reporting, and can be suspended or revoked when the underlying system no longer meets the assessed requirements. For providers who went through the investment of Annex VII assessment, managing the certificate lifecycle is an ongoing compliance obligation — not a one-time event.
For most SaaS developers, Art.44 is academic: Art.43(1) allows self-certification under Annex VI (internal control) for the majority of high-risk Annex III systems. But for the subset of developers building biometric systems or regulated product components, Art.44 governs the centerpiece of their compliance evidence. And for any developer integrating third-party high-risk AI components, verifying the Art.44 certificate status of those components is part of due diligence.
Art.44 in the Conformity Certification Chain
Art.44 sits between the Annex VII assessment procedure (triggered by Art.43(2)) and the Declaration of Conformity (Art.48). It is the output of notified body assessment and the input for subsequent market placement obligations:
| Step | Article | Actor | Output |
|---|---|---|---|
| Risk Management | Art.9 | Provider | Risk management file |
| Technical Documentation | Annex IV | Provider | Tech doc package |
| QMS | Art.17 | Provider | Quality management system |
| Conformity Assessment Request | Art.43(2) | Provider | Submission to notified body |
| Annex VII Assessment | Art.43 + Annex VII | Notified body | Assessment report |
| Certificate of Conformity | Art.44 | Notified body | EU certificate |
| Declaration of Conformity | Art.48 | Provider | EU Declaration referencing Art.44 certificate |
| CE Marking | Art.49 | Provider | CE affixed to system/documentation |
| EU Database Registration | Art.32 | Provider | Public registration before market placement |
Art.44 is only reached via Art.43 Track 2 (Annex VII). If a provider uses Art.43 Track 1 (Annex VI internal control), no notified body is involved and no Art.44 certificate is issued — the provider draws up the Declaration of Conformity directly after the internal assessment.
Art.44(1): Certificate Issuance After Annex VII Assessment
Art.44(1) establishes the basic rule: when a notified body has carried out a conformity assessment in accordance with Annex VII and has found that the AI system complies with the applicable requirements, it issues a certificate of conformity.
Key elements of Art.44(1):
- Conditionality: The certificate is issued only when compliance has been found. If the Annex VII assessment reveals non-conformities, the notified body cannot issue the certificate until the provider remedies the deficiencies.
- Completeness requirement: The assessment under Annex VII must be complete — partial assessments (e.g., QMS assessment only, without technical documentation review) do not entitle the provider to a full certificate.
- Notified body authority: Only a body designated under Art.33 and currently active (not suspended under Art.36) can issue a valid Art.44 certificate. Certificates issued by bodies whose designation has been suspended have unclear legal status — treat them as requiring verification.
Annex VII assessment scope — what the notified body must evaluate before issuing the certificate:
| Annex VII Element | What Is Assessed |
|---|---|
| QMS examination (Annex VII §3.3) | Art.17 quality management system — whether QMS is documented, implemented, and adequate for the AI system |
| Technical documentation review (Annex VII §3.4) | Annex IV package completeness and consistency with the system as submitted |
| Prototype inspection (Annex VII §3.4 where applicable) | Functional testing of system prototypes where documentary evidence is insufficient |
| QMS certification (Annex VII §4) | Periodic audits to maintain certification status post-issuance |
The notified body issues a QMS certification certificate and may additionally issue a technical documentation assessment certificate. Art.44 encompasses both types of certificates.
Art.44(2): Minimum Certificate Content — Annex VIII
Art.44(2) requires that the certificate contain at least the information set out in Annex VIII. This is not a discretionary list — every required element must be present for the certificate to be valid. The Annex VIII minimum content includes:
| Annex VIII Element | What It Covers |
|---|---|
| Certificate reference number | Unique identifier assigned by the notified body |
| Certificate issue date | Start of the certificate's validity period |
| Certificate expiry date | End of validity (maximum 5 years from issue for initial certificates) |
| Notified body name and number | The NANDO-registered identity of the issuing body |
| AI system identification | Name, version, and intended purpose of the assessed system |
| Annex III category | Which high-risk category or categories the system falls under |
| Applicable requirements | Reference to the EU AI Act Articles and Annexes assessed |
| Harmonised standards applied | Standards used under Art.40 (if any) with their reference numbers and dates |
| Common specifications applied | Implementing acts under Art.41 (if any) |
| Conditions and restrictions | Any limitations on the scope of certification (e.g., specific deployment contexts, excluded use cases) |
| Notified body authorised signatory | Name and signature of the person authorised to sign on behalf of the body |
Practical implications for developers:
- The conditions and restrictions element is critical. A certificate that is valid only for a specific version or deployment configuration does not cover modified versions or extended use cases. Providers must read certificate conditions carefully — using an AI system outside the certified scope is non-compliance.
- The harmonised standards applied element creates an implicit conformity map — comparing this list to the current Art.40 standard versions helps identify whether re-assessment may be needed as standards are updated.
- The Annex III category element defines the scope of third-party oversight. If your system spans multiple Annex III categories, the certificate must address all applicable categories.
Art.44(3): Certificate Copies to Designating Authority and Commission
Art.44(3) requires that the notified body transmit a copy of each certificate to the relevant national designating authority and to the Commission. This transparency obligation serves the EU's centralised oversight architecture:
- National designating authority (typically the market surveillance authority or the body that designated the notified body) receives copies for national oversight purposes.
- The Commission receives copies for EU-level monitoring, enabling cross-border consistency checks and identifying patterns of non-compliance.
- The AI Act database (Art.32) — providers must separately register their systems in the EU database, and the EAIB (European AI Board) or AI Office may cross-reference Art.44 certificates against Art.32 registrations.
From a developer perspective, this means Art.44 certificates are not confidential documents — they exist in a regulatory oversight network. The certificate's contents (including any conditions and restrictions) are accessible to authorities across Member States.
Art.44(4): Continuous Compliance Obligations
Art.44(4) establishes that the notified body must suspend, restrict, or revoke the certificate where it concludes that the AI system has ceased to comply with the applicable requirements. This creates an ongoing relationship between the provider and the notified body after certificate issuance.
Revocation triggers under Art.44(4):
| Trigger | Description |
|---|---|
| Substantial modification | Art.3(23) defines substantial modification as a change that affects compliance with requirements or alters the intended purpose — triggers re-assessment under Art.23 |
| Post-market surveillance findings | Art.30 post-market monitoring discovers a serious risk or compliance gap not previously identified |
| Serious incident data | Art.73/74 incident reporting reveals systemic failures across multiple deployments |
| New harmonised standard version | Updated Art.40 standard that introduces requirements not covered in the original assessment |
| QMS breakdown | Notified body annual audit (Annex VII §4.4) reveals the QMS is no longer maintained |
| Notified body designation suspension | Art.36 — if the issuing body's designation is suspended, outstanding certificates may require re-assessment by a new body |
Certificate revocation vs. restriction vs. suspension:
- Revocation: Certificate permanently invalidated. Provider must cease CE marking and must remove system from the market if it was already placed.
- Restriction: Certificate remains valid but with reduced scope — e.g., excluding a specific deployment context that was found non-compliant.
- Suspension: Temporary invalidity pending provider remediation — certificate may be reinstated if the notified body confirms the issue has been resolved.
Art.44 Intersection Matrix
| Article | Relationship to Art.44 |
|---|---|
| Art.43 | Gateway: Art.43(2) Annex VII assessment is the prerequisite for Art.44 certificate |
| Art.43(1) | Track 1 self-cert — no Art.44 certificate issued (Annex VI internal control instead) |
| Art.48 | Declaration of Conformity drawn up by provider referencing the Art.44 certificate |
| Art.49 | CE marking affixed after Declaration of Conformity (which references Art.44 certificate) |
| Art.32 | EU database registration — provider registers Art.44 certificate details before market placement |
| Art.23 | Substantial modification — triggers new Art.43(2) assessment and new Art.44 certificate |
| Art.30 | Post-market monitoring — provider must report to notified body findings that affect certificate validity |
| Art.33 | Notified body designation — only Art.33-designated bodies can issue Art.44 certificates |
| Art.34 | Notified body obligations — defines the obligations the body must meet to issue and maintain certificates |
| Art.36 | Notified body suspension — affects certificate validity when issuing body designation is suspended |
| Art.73 | Serious incident reporting — market surveillance authority may use incident data to trigger Art.44(4) revocation |
| Art.74 | Market surveillance — authorities can request access to Art.44 certificate for compliance verification |
Certificate Lifecycle Management for Developers
For teams that have undergone Annex VII assessment, certificate lifecycle management is an ongoing operational task:
Phase 1: Certificate Issuance
- Complete Annex VII assessment process with designated notified body
- Receive Art.44 certificate — verify all Annex VIII elements are present
- Record expiry date and set renewal reminder (90 days before expiry minimum)
- Document any conditions and restrictions — integrate into system governance
- File certificate with Declaration of Conformity (Art.48) documentation
- Proceed to EU database registration (Art.32) and CE marking (Art.49)
Phase 2: Post-Market Certificate Maintenance
- Annual QMS audit (Annex VII §4.4): Notified body conducts surveillance audit of the QMS. Prepare by reviewing QMS documentation currency, incident logs, and any system changes since last audit.
- Post-market monitoring reporting (Art.30): Systematically collect and report performance data, user feedback, and incident data to the notified body as specified in the post-market monitoring plan.
- Substantial modification assessment (Art.23): Before deploying any significant system update, run the Art.3(23) substantial modification test. Changes that meet the threshold require new Art.43(2) assessment and a new Art.44 certificate.
- Harmonised standard version monitoring: When Art.40 standards are updated, assess whether the new version introduces requirements not covered in the original assessment — may trigger voluntary re-assessment.
Phase 3: Certificate Renewal
Certificates issued under Art.44 have a maximum validity period (typically 5 years for initial certificates). Renewal requires:
- Initiating a renewal assessment with the notified body 90–120 days before expiry
- Demonstrating continued compliance through post-market monitoring data
- Addressing any gaps identified through surveillance audits
- Receiving a new certificate with updated dates and reference number
Phase 4: Certificate Suspension or Revocation
If the notified body triggers Art.44(4):
- Cease CE marking immediately
- Notify the market surveillance authority
- Assess scope of non-compliance
- If restriction: adjust deployment to remain within certified scope
- If suspension: implement remediation and request notified body re-assessment
- If revocation: withdraw system from market; re-assessment from scratch
CLOUD Act × Art.44 Certificate Records
Art.44 certificates and the underlying Annex VII assessment records (including QMS documentation, technical documentation packages, and assessment reports) represent some of the most sensitive IP in an AI provider's compliance file. When these records are stored on infrastructure subject to US jurisdiction — including services from major US cloud providers — they are potentially subject to compelled disclosure under the CLOUD Act (18 U.S.C. § 2713).
The CLOUD Act conflict for Art.44 records:
| Document | AI Act Requirement | CLOUD Act Risk |
|---|---|---|
| Annex VIII certificate | Notified body issues; provider retains (Art.18, 10 years) | If stored on US cloud: compellable |
| Annex IV technical documentation | Provider retains (Art.18, 10 years; Art.74 disclosure to authorities) | If stored on US cloud: compellable |
| Annex VII assessment report | Provider and notified body retain | If stored on US cloud: compellable |
| QMS documentation (Art.17) | Provider retains as part of QMS | If stored on US cloud: compellable |
| Post-market monitoring data (Art.30) | Provider retains; disclosed to notified body | If stored on US cloud: compellable |
The jurisdiction conflict: EU AI Act Art.74 gives market surveillance authorities the right to access conformity records. If a US authority compels disclosure of the same records under CLOUD Act before EU authorities have reviewed them, the provider may face a dual-access scenario with incompatible legal obligations — US compliance compels disclosure while EU confidentiality obligations may require restriction.
EU-native PaaS infrastructure — storing Art.44 certificate records, Annex IV technical documentation, and assessment reports on EU-incorporated, EU-operated infrastructure eliminates the CLOUD Act exposure. Under EU law, only EU market surveillance authorities and the notified body have designated access rights. There is no US-law compellability vector when the infrastructure is genuinely EU-native.
For providers subject to Art.44 (i.e., those who went through Annex VII assessment), infrastructure jurisdiction for compliance records is not an abstract concern — it is a directly audited element of the QMS and technical documentation.
Python Implementation
1. NotifiedBodyCertificate — Certificate Record and Validation
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional
import json
class CertificateStatus(Enum):
VALID = "valid"
SUSPENDED = "suspended"
RESTRICTED = "restricted"
REVOKED = "revoked"
EXPIRED = "expired"
RENEWAL_DUE = "renewal_due"
@dataclass
class NotifiedBodyCertificate:
"""
Art.44 Certificate of Conformity tracking.
Annex VIII minimum content requirements enforced.
"""
# Annex VIII required fields
reference_number: str
issue_date: date
expiry_date: date
notified_body_name: str
notified_body_nando_number: str
ai_system_name: str
ai_system_version: str
intended_purpose: str
annex_iii_categories: list[str] # e.g., ["Annex III Point 1(a)", "Annex III Point 6"]
applicable_requirements: list[str] # e.g., ["Art.9", "Art.10", "Art.11", "Art.13"]
harmonised_standards_applied: list[dict] # [{"standard": "ISO/IEC 42001:2023", "date": "2023-12"}]
common_specifications_applied: list[dict] # EU implementing acts
conditions_and_restrictions: list[str] # limitations on scope
authorised_signatory: str
# Operational fields
status: CertificateStatus = CertificateStatus.VALID
restriction_details: Optional[str] = None
suspension_date: Optional[date] = None
revocation_date: Optional[date] = None
renewal_started: bool = False
RENEWAL_NOTICE_DAYS = 90
@property
def is_valid(self) -> bool:
return (
self.status == CertificateStatus.VALID
and date.today() <= self.expiry_date
)
@property
def days_until_expiry(self) -> int:
return (self.expiry_date - date.today()).days
def check_validity(self) -> dict:
today = date.today()
if self.status == CertificateStatus.REVOKED:
return {
"status": "REVOKED",
"action_required": "CEASE CE MARKING IMMEDIATELY. Notify market surveillance authority. Re-assessment from scratch required.",
"revocation_date": str(self.revocation_date)
}
if self.status == CertificateStatus.SUSPENDED:
return {
"status": "SUSPENDED",
"action_required": "Cease CE marking. Implement remediation. Request notified body re-assessment.",
"suspension_date": str(self.suspension_date)
}
if today > self.expiry_date:
return {
"status": "EXPIRED",
"action_required": "Certificate expired. Commence renewal assessment immediately. Cease CE marking if renewal not in progress."
}
if self.days_until_expiry <= self.RENEWAL_NOTICE_DAYS:
return {
"status": "RENEWAL_DUE",
"days_remaining": self.days_until_expiry,
"action_required": f"Initiate renewal assessment with {self.notified_body_name}. Target completion: {self.expiry_date - timedelta(days=30)}."
}
if self.status == CertificateStatus.RESTRICTED:
return {
"status": "RESTRICTED",
"restriction": self.restriction_details,
"action_required": "Verify all deployments are within restricted scope. Update QMS to document restriction compliance."
}
return {
"status": "VALID",
"days_until_expiry": self.days_until_expiry,
"expiry": str(self.expiry_date),
"notified_body": f"{self.notified_body_name} ({self.notified_body_nando_number})"
}
def validate_annex_viii_completeness(self) -> dict:
"""Verify all Annex VIII minimum content elements are present."""
missing = []
if not self.reference_number:
missing.append("reference_number")
if not self.notified_body_nando_number:
missing.append("notified_body_nando_number (required for NANDO verification)")
if not self.annex_iii_categories:
missing.append("annex_iii_categories")
if not self.conditions_and_restrictions and not self._confirmed_no_restrictions:
missing.append("conditions_and_restrictions (or explicit confirmation of none)")
if not self.authorised_signatory:
missing.append("authorised_signatory")
return {
"annex_viii_complete": len(missing) == 0,
"missing_elements": missing,
"note": "All Annex VIII elements required for Art.44 certificate validity"
}
def _confirmed_no_restrictions(self) -> bool:
return self.conditions_and_restrictions == ["NONE"]
def to_dict(self) -> dict:
return {
"reference_number": self.reference_number,
"status": self.status.value,
"ai_system": f"{self.ai_system_name} v{self.ai_system_version}",
"notified_body": f"{self.notified_body_name} ({self.notified_body_nando_number})",
"valid_from": str(self.issue_date),
"valid_until": str(self.expiry_date),
"days_until_expiry": self.days_until_expiry,
"annex_iii_categories": self.annex_iii_categories,
"conditions": self.conditions_and_restrictions,
"validity_check": self.check_validity()
}
2. CertificateValidityMonitor — Lifecycle Alerts and Renewal Tracking
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
@dataclass
class SubstantialModificationEvent:
"""Track system changes that may affect certificate validity (Art.3(23), Art.23)."""
change_date: date
description: str
affects_intended_purpose: bool
affects_performance_characteristics: bool
affects_risk_level: bool
assessment_conclusion: str # "substantial" | "not_substantial" | "pending"
re_assessment_required: bool
re_assessment_initiated: bool = False
class CertificateValidityMonitor:
"""
Monitor Art.44 certificate lifecycle for ongoing compliance.
Art.30 post-market surveillance + Art.23 substantial modification integration.
"""
def __init__(self, certificate: 'NotifiedBodyCertificate'):
self.certificate = certificate
self.modification_log: list[SubstantialModificationEvent] = []
self.surveillance_audit_dates: list[date] = []
self.pms_report_dates: list[date] = []
def log_system_change(
self,
description: str,
affects_purpose: bool = False,
affects_performance: bool = False,
affects_risk: bool = False
) -> dict:
"""
Record a system modification and assess Art.3(23) substantial modification status.
"""
# Art.3(23): substantial modification = change affecting compliance or intended purpose
is_substantial = any([affects_purpose, affects_performance, affects_risk])
event = SubstantialModificationEvent(
change_date=date.today(),
description=description,
affects_intended_purpose=affects_purpose,
affects_performance_characteristics=affects_performance,
affects_risk_level=affects_risk,
assessment_conclusion="substantial" if is_substantial else "not_substantial",
re_assessment_required=is_substantial
)
self.modification_log.append(event)
result = {
"change": description,
"art_3_23_assessment": event.assessment_conclusion,
"re_assessment_required": is_substantial
}
if is_substantial:
result["action"] = (
"SUBSTANTIAL MODIFICATION (Art.3(23)). New conformity assessment required under Art.23. "
"Notify notified body immediately. Current Art.44 certificate may not cover this version. "
"Do NOT CE mark modified system until new certificate issued."
)
result["certificate_impact"] = f"Certificate {self.certificate.reference_number} may be invalidated for this version"
else:
result["action"] = (
"Change assessed as non-substantial. Document decision rationale in QMS (Art.17). "
"Notify notified body per post-market monitoring plan (Art.30)."
)
return result
def check_pms_reporting_status(self) -> dict:
"""Check Art.30 post-market monitoring reporting obligations."""
today = date.today()
last_report = max(self.pms_report_dates) if self.pms_report_dates else self.certificate.issue_date
days_since_report = (today - last_report).days
# PMS reporting frequency depends on QMS plan — annual minimum typical
pms_alert_threshold = 300 # ~10 months
status = {
"last_pms_report": str(last_report),
"days_since_last_report": days_since_report,
}
if days_since_report > pms_alert_threshold:
status["alert"] = "PMS report overdue. Submit post-market monitoring report to notified body."
status["obligation"] = "Art.30 + Annex VII §4.4 QMS surveillance"
else:
status["next_report_due"] = str(last_report + timedelta(days=365))
# Check for unresolved substantial modifications
unresolved = [m for m in self.modification_log if m.re_assessment_required and not m.re_assessment_initiated]
if unresolved:
status["unresolved_substantial_modifications"] = len(unresolved)
status["critical"] = "New Art.43(2) assessment required. Certificate may not cover modified system versions."
return status
def generate_lifecycle_report(self) -> dict:
return {
"certificate": self.certificate.reference_number,
"ai_system": self.certificate.ai_system_name,
"validity": self.certificate.check_validity(),
"pms_status": self.check_pms_reporting_status(),
"modification_events": len(self.modification_log),
"substantial_modifications_pending": sum(
1 for m in self.modification_log
if m.re_assessment_required and not m.re_assessment_initiated
),
"surveillance_audits_completed": len(self.surveillance_audit_dates),
"conditions": self.certificate.conditions_and_restrictions
}
3. CertificateRevocationChecker — NANDO Monitoring and Revocation Risk
from dataclasses import dataclass
from datetime import date
from typing import Optional
@dataclass
class NotifiedBodyStatus:
"""Current designation status from NANDO monitoring."""
nando_number: str
body_name: str
designation_status: str # "active" | "suspended" | "restricted" | "withdrawn"
last_checked: date
suspension_date: Optional[date] = None
restriction_scope: Optional[str] = None
class CertificateRevocationChecker:
"""
Monitor certificate revocation risk from:
1. Notified body designation status (Art.36)
2. Market surveillance findings (Art.73/74)
3. QMS surveillance audit outcomes (Annex VII §4.4)
4. Harmonised standard updates (Art.40)
"""
def __init__(self, certificate: 'NotifiedBodyCertificate'):
self.certificate = certificate
self.nando_checks: list[NotifiedBodyStatus] = []
self.standard_versions: dict[str, str] = {} # {standard_ref: current_version}
self.incident_reports: list[dict] = []
def record_nando_check(
self,
designation_status: str,
suspension_date: Optional[date] = None,
restriction_scope: Optional[str] = None
) -> dict:
"""
Record result of NANDO database check for the issuing notified body.
NANDO: https://ec.europa.eu/growth/tools-databases/nando/
"""
status = NotifiedBodyStatus(
nando_number=self.certificate.notified_body_nando_number,
body_name=self.certificate.notified_body_name,
designation_status=designation_status,
last_checked=date.today(),
suspension_date=suspension_date,
restriction_scope=restriction_scope
)
self.nando_checks.append(status)
if designation_status == "active":
return {
"status": "OK",
"notified_body": self.certificate.notified_body_name,
"designation": "active",
"certificate_impact": "None — issuing body remains active"
}
elif designation_status == "suspended":
return {
"status": "ALERT",
"notified_body": self.certificate.notified_body_name,
"designation": "suspended",
"suspension_date": str(suspension_date),
"certificate_impact": (
"Issuing body designation suspended (Art.36). "
"Existing certificates retain presumptive validity pending investigation. "
"Do NOT proceed with renewal or new assessment with this body. "
"Identify replacement notified body from NANDO."
),
"action": "Contact national designating authority for guidance on outstanding certificate status."
}
elif designation_status in ["restricted", "withdrawn"]:
return {
"status": "CRITICAL",
"notified_body": self.certificate.notified_body_name,
"designation": designation_status,
"certificate_impact": "Certificate validity in question. Seek legal guidance and contact market surveillance authority.",
"action": "Identify new notified body and assess re-assessment requirement urgency."
}
def check_standard_currency(self, standard_ref: str, current_version: str) -> dict:
"""
Compare applied standard version (from certificate) against current version.
Art.40 harmonised standards — certificate may reference an outdated version.
"""
certificate_standard = next(
(s for s in self.certificate.harmonised_standards_applied if s.get("standard") == standard_ref),
None
)
if not certificate_standard:
return {"standard": standard_ref, "status": "NOT_APPLIED", "note": "Standard not referenced in certificate"}
cert_version = certificate_standard.get("date", "unknown")
if cert_version == current_version:
return {"standard": standard_ref, "status": "CURRENT", "cert_version": cert_version}
else:
return {
"standard": standard_ref,
"status": "OUTDATED",
"cert_version": cert_version,
"current_version": current_version,
"risk": (
f"Standard {standard_ref} has been updated. "
"Assess whether new version introduces requirements not covered in original assessment. "
"If yes: voluntary re-assessment recommended before mandatory enforcement action."
)
}
def assess_revocation_risk(self) -> dict:
"""Aggregate revocation risk from all monitoring sources."""
risks = []
# NANDO status
if self.nando_checks:
latest = self.nando_checks[-1]
if latest.designation_status != "active":
risks.append({
"source": "NANDO",
"severity": "HIGH",
"finding": f"Issuing body designation status: {latest.designation_status}"
})
# Outdated standards
for s in self.certificate.harmonised_standards_applied:
std_ref = s.get("standard")
if std_ref in self.standard_versions:
cert_ver = s.get("date", "")
curr_ver = self.standard_versions[std_ref]
if cert_ver != curr_ver:
risks.append({
"source": "STANDARD_UPDATE",
"severity": "MEDIUM",
"finding": f"{std_ref}: certificate version {cert_ver}, current version {curr_ver}"
})
# Incident reports
if self.incident_reports:
serious = [i for i in self.incident_reports if i.get("severity") == "serious"]
if serious:
risks.append({
"source": "INCIDENT_REPORTS",
"severity": "HIGH",
"finding": f"{len(serious)} serious incidents — may trigger Art.44(4) revocation review"
})
return {
"certificate": self.certificate.reference_number,
"overall_risk": "HIGH" if any(r["severity"] == "HIGH" for r in risks) else
"MEDIUM" if risks else "LOW",
"risk_factors": risks,
"recommendation": (
"Immediate notified body contact required" if any(r["severity"] == "HIGH" for r in risks)
else "Schedule standard review with notified body at next QMS audit"
if risks else "Certificate revocation risk low — continue routine monitoring"
)
}
Art.44 Compliance Checklist for Developers (40 Items)
Pre-Assessment
- 1. Confirm AI system requires Annex VII assessment (Art.43(2) criteria apply)
- 2. Verify selected notified body is NANDO-designated and currently active
- 3. Confirm notified body scope covers your Annex III category
- 4. Ensure Annex IV technical documentation package is complete
- 5. Ensure Art.17 QMS is documented and implemented
- 6. Ensure Art.9 risk management file is complete
Certificate Verification on Receipt
- 7. Confirm all Annex VIII minimum content elements are present
- 8. Verify reference number is unique and matches notified body records
- 9. Record issue date and expiry date in compliance management system
- 10. Read all conditions and restrictions carefully — document deployment constraints
- 11. Verify Annex III categories match your system's intended use
- 12. Verify harmonised standards referenced are the versions you applied
- 13. Confirm notified body NANDO number matches NANDO database
- 14. Confirm authorised signatory matches notified body authorisation
Post-Issuance Compliance
- 15. File Art.44 certificate with Declaration of Conformity (Art.48) documentation
- 16. Register Art.44 certificate details in EU AI Act database (Art.32)
- 17. Affix CE marking only after Declaration of Conformity is drawn up (Art.49)
- 18. Set renewal reminder 90 days before expiry date
- 19. Configure NANDO monitoring for issuing body designation status
- 20. Document Art.30 post-market monitoring plan and reporting schedule
Ongoing Surveillance
- 21. Prepare for annual notified body QMS audit (Annex VII §4.4)
- 22. Submit post-market monitoring reports per QMS plan
- 23. Run Art.3(23) substantial modification test before every significant update
- 24. Document modification decisions in QMS regardless of conclusion
- 25. Report substantial modifications to notified body before deploying
- 26. Monitor harmonised standards (Art.40) for version updates
- 27. Report serious incidents to notified body and market surveillance (Art.73)
- 28. Maintain 10-year record retention for all certificate-related documentation (Art.18)
- 29. Ensure Art.44 certificate records are accessible to market surveillance authorities (Art.74)
- 30. Ensure certificate records stored on EU-native infrastructure (CLOUD Act risk management)
Renewal
- 31. Initiate renewal assessment 90–120 days before expiry
- 32. Prepare PMS data package demonstrating continued compliance
- 33. Identify and remediate any QMS gaps before renewal submission
- 34. Obtain new Art.44 certificate before existing one expires
- 35. Update Declaration of Conformity (Art.48) to reference new certificate
Revocation and Remediation
- 36. If restricted: identify non-compliant deployment contexts and cease immediately
- 37. If suspended: cease CE marking, notify market surveillance authority
- 38. If revoked: withdraw system from market, notify all deployers and distributors
- 39. Maintain business continuity plan for certificate suspension/revocation scenarios
- 40. For revocation: document root cause and remediation before initiating new Art.43(2) assessment
Art.44 for SaaS Developers: Do You Need This?
The honest answer for most SaaS AI developers is: no, Art.44 does not apply to you. The majority of high-risk AI systems built by SaaS providers fall under Art.43(1) Track 1 — internal control under Annex VI — which involves no notified body and produces no Art.44 certificate.
Art.44 applies if either of these is true:
-
Your system is a safety component embedded in a product regulated under Annex I legislation — medical devices (MDR), machinery (Machinery Regulation 2023/1230), in vitro diagnostics (IVDR), automotive (Vehicle Type Approval), or other Annex I sector regulations that require notified body involvement in their own conformity assessment.
-
Your system performs real-time remote biometric identification in publicly accessible spaces — where the Commission has issued an implementing act under Art.43(3) requiring Annex VII assessment. As of 2026, this track applies to law enforcement use cases under strict conditions (Art.5 exemptions).
If neither applies: proceed with Art.43(1) Annex VI internal control. You will draw up a Declaration of Conformity (Art.48) without referencing an Art.44 certificate, because no certificate was issued.
If either applies: Art.44 is not optional. The certificate is the legal prerequisite for your Declaration of Conformity and CE marking, and the absence of a valid Art.44 certificate while claiming conformity constitutes non-compliance with the AI Act (enforcement exposure: up to €15M or 3% of global annual turnover under Art.99).