EU AI Act Art.45 Information Obligations on Notified Bodies: Reporting, Cross-Notification & Market Surveillance Cooperation — Developer Guide (2026)
EU AI Act Article 45 is a short article with a long reach. Its five paragraphs define the information architecture that keeps the notified body system honest: who learns what, when, and from whom, when a notified body makes a decision about a certificate of conformity. For providers who have gone through Annex VII assessment and hold an Art.44 certificate, Art.45 is the hidden mechanism that determines how certificate problems — suspension, revocation, post-certification non-conformity — flow through the system to reach market surveillance authorities, peer notified bodies, and ultimately the Commission.
The practical significance for developers is asymmetric. Art.45 imposes obligations directly on notified bodies, not on providers. But the consequences of Art.45 activating flow immediately to providers: if your notified body reports a certificate suspension to the notifying authority under Art.45(1), if it cross-notifies peer bodies under Art.45(2), if it finds post-certification non-conformity and triggers Art.45(4), the provider's CE marking, Declaration of Conformity, and market placement rights are all directly affected. Understanding Art.45 means understanding what triggers your notified body to act — and what you must do in response.
For most SaaS developers, Art.45 is academic in the same sense as Art.44: if you are using Art.43(1) Annex VI internal control (no notified body involved), there is no notified body to impose Art.45 obligations on. But for providers building biometric identification systems, regulated product safety components, or systems where a Commission implementing act under Art.43(3) mandates Annex VII assessment, Art.45 defines the information environment in which your Art.44 certificate lives.
Art.45 in the Notified Body Obligation Framework
Art.45 is one of several articles that govern notified body conduct after designation. The full obligation framework for notified bodies runs from Art.33 through Art.38:
| Article | Obligation | Who Is Subject |
|---|---|---|
| Art.33 | Notified body requirements: independence, competence, impartiality | Notified bodies |
| Art.34 | Procedural obligations: application handling, subsidiary, assessment conduct | Notified bodies |
| Art.35 | Notified bodies coordination group: cooperation mechanisms | Notified bodies + Commission |
| Art.36 | Suspension/withdrawal of designation by notifying authority | Notifying authority |
| Art.45 | Information obligations: reporting, cross-notification, MSA cooperation | Notified bodies |
Art.45 is distinct from Art.36: Art.36 governs what the notifying authority does to a notified body's designation; Art.45 governs what the notified body does with certificate information it generates during its assessment work. The two articles interact: Art.45(1) reporting to the notifying authority is the trigger that enables Art.36 enforcement if a pattern of problematic certificates emerges.
Art.45 also sits between Art.44 (certificate issuance) and Art.44(4) (certificate suspension/revocation by the notified body). The information flows required by Art.45 are the mechanism that makes the certificate lifecycle visible to regulators — without Art.45, certificate problems could remain siloed within individual notified body relationships with no systemic visibility.
Art.45(1): Reporting to the Notifying Authority
Art.45(1) requires notified bodies to inform the notifying authority (the Member State body that designated them) about specific certificate decisions. This is a proactive reporting obligation — the notified body must report without being asked.
What must be reported under Art.45(1):
| Decision Type | Trigger | Reporting Obligation |
|---|---|---|
| Certificate issued | Successful Annex VII assessment | Report to notifying authority |
| Certificate refused | Assessment finds non-compliance, no certificate issued | Report refusal + grounds to notifying authority |
| Certificate restricted | Certificate issued with added conditions/limitations | Report restriction + basis to notifying authority |
| Certificate suspended | Temporary suspension pending provider corrective action | Report suspension + trigger to notifying authority |
| Certificate withdrawn | Permanent withdrawal of previously issued certificate | Report withdrawal + grounds to notifying authority |
| Supplement issued | Significant change assessment covered by supplemental certificate | Report supplement to notifying authority |
Why this matters for providers:
Refusal, restriction, suspension, and withdrawal are not confidential events between the provider and the notified body. They flow immediately to the notifying authority. If a provider attempts to work around a certificate refusal by approaching another notified body without disclosing the prior refusal, Art.45(1) reporting creates a discoverable trail — the first notified body's refusal is on record with the notifying authority.
The notifying authority also receives this information as a check on the notified body's own conduct: if a notified body issues a certificate that the notifying authority considers questionable, the Art.45(1) reporting creates the basis for scrutiny under Art.36.
Practical consequence: Treat every significant development in your notified body relationship as potentially visible to the notifying authority. There is no confidential back-channel for certificates.
Art.45(2): Cross-Notification to Peer Notified Bodies
Art.45(2) requires each notified body to inform other notified bodies carrying out similar conformity assessment activities covering the same AI systems of relevant cases — including both negative and positive assessment outcomes.
The Art.45(2) information duty:
| Information Type | Direction | Scope |
|---|---|---|
| Negative assessment outcomes | To peer notified bodies | Refused certificates, suspended/withdrawn certificates, major non-conformities found |
| Positive assessment outcomes (on request) | To peer notified bodies on request | Issued certificates, supplement decisions, QMS certifications |
| Relevant cases | To peer notified bodies | Cases that inform peer bodies about compliance standards, new technical interpretations, material non-conformities in a product category |
The multi-application prevention mechanism:
Art.45(2) is designed to prevent a practice known in other EU conformity regimes as "forum shopping" — approaching multiple notified bodies for the same assessment and choosing the one that issues a favourable certificate. When a notified body refuses or suspends a certificate, peer bodies receive notification. If a provider then approaches a peer body for the same system, the peer body is informed of the prior negative outcome.
This does not automatically bar the provider from a second assessment, but it means the second notified body enters the assessment with knowledge of the first body's concerns. If the second body proceeds and issues a certificate despite the known negative history, that decision is subject to scrutiny — and the Commission and notifying authority can request information under Art.45(3).
For providers: If a notified body declines to issue your Art.44 certificate, do not assume you can simply move to another body without disclosure. The Art.45(2) cross-notification system means the prior refusal is likely already known to your alternative notified body candidates. Transparent disclosure of prior assessment history — including the grounds for any refusal — is the legally sound approach.
Art.45(3): Information Access by Commission and Member States
Art.45(3) requires each notified body to make available to the Commission and to Member States, on request, all information held by it relevant to conformity assessment activities carried out under the Regulation.
What this means in practice:
| Requester | Information Available | Basis |
|---|---|---|
| Commission | All conformity assessment information, certificate records, assessment reports | Art.45(3) on request |
| Member States (any) | All conformity assessment information relevant to the requesting state | Art.45(3) on request |
| Market surveillance authorities | Certificate and assessment information relating to their supervisory functions | Art.45(5) cooperation |
| Notifying authority | Certificate decisions, reports | Art.45(1) proactive reporting |
The Art.45(3) right extends beyond the Member State that designated the notified body — any Member State can request information from any notified body. This reflects the single market dimension: a high-risk AI system certified in Germany may be deployed across all 27 Member States, and market surveillance authorities in Poland or Spain need access to the certification evidence.
Practical implication: Technical documentation, QMS audits, assessment reports, and certificate records held by your notified body are accessible to EU-wide regulatory infrastructure on request. This is another reason to ensure that the underlying technical documentation and QMS are genuinely compliant — not optimistically drafted for assessment purposes only.
Art.45(4): Post-Certification Non-Conformity Response
Art.45(4) is the most consequential provision for providers. It establishes what a notified body must do when — after issuing an Art.44 certificate — it discovers or is informed that the certified AI system is no longer in conformity with the applicable requirements.
The Art.45(4) escalation sequence:
| Step | Action | Actor | Condition |
|---|---|---|---|
| 1 | Require corrective measures | Notified body → Provider | Non-conformity discovered or reported |
| 2 | Set reasonable deadline | Notified body | For provider to implement corrective measures |
| 3 | Assess corrective measures | Notified body | Are measures sufficient to restore conformity? |
| 4a | Certificate suspended | Notified body | If measures are insufficient or not implemented |
| 4b | Certificate withdrawn | Notified body | If measures are not sufficient, not implemented, or non-conformity is irreparable |
| 5 | Report to notifying authority | Notified body | Under Art.45(1) |
| 6 | Cross-notify peer bodies | Notified body | Under Art.45(2) |
Triggers for Art.45(4):
Art.45(4) can be activated by several pathways:
- Notified body's own surveillance audits — Annex VII §4 requires periodic QMS audits. If a post-certification audit reveals the provider's QMS has deteriorated or the system has been substantially modified without re-assessment, the notified body must act under Art.45(4).
- Post-market monitoring data from the provider — Art.30 requires providers to implement and maintain post-market monitoring systems. If the provider's own PMS data reveals the system is underperforming on safety metrics, and the provider submits this data under Art.30, the notified body may conclude conformity has been lost.
- Market surveillance authority findings — If a market surveillance authority investigates a complaint or serious incident and finds non-conformity, it can inform the notified body, triggering Art.45(4).
- Serious incident reports — Art.73 requires providers to report serious incidents. If a serious incident reveals a fundamental deficiency in the certified system, the notified body must assess whether conformity is maintained.
- Third-party information — A competitor, academic researcher, or civil society organization may provide evidence of non-conformity to the notified body or market surveillance authority.
Provider obligations when Art.45(4) activates:
When a notified body requires corrective measures under Art.45(4):
- Implement measures within the timeline set by the notified body
- Document all corrective actions in the QMS (Art.17)
- Report substantial modifications to the notified body for re-assessment if the fix involves changes to the system (Art.3(23) substantial modification test)
- Do not continue placing the system on the market if the certificate has been suspended — CE marking loses its legal basis when the underlying Art.44 certificate is suspended
What cannot be done: CE marking a system whose Art.44 certificate has been suspended. The CE marking under Art.49 requires a valid Art.44 certificate as its prerequisite for Track 2 systems. A suspended certificate means no valid CE marking, which means the system cannot be placed on the EU market (Art.16(a) requires CE marking for high-risk AI systems).
Art.45(5): Cooperation with Market Surveillance Authorities
Art.45(5) requires notified bodies to cooperate with market surveillance authorities (MSAs) and exchange information relating to AI systems covered by certificates the notified body has issued, in particular regarding cases of non-compliance.
The Art.45(5) cooperation model:
| Information Channel | Direction | Content |
|---|---|---|
| MSA request to notified body | MSA → Notified body | Certificate records, assessment reports, PMS data submitted by provider |
| Notified body to MSA | Notified body → MSA | Non-conformity findings, Art.45(4) actions taken, certificate status changes |
| Joint investigation support | Bidirectional | Notified body assists MSA investigation of certified system |
| Art.74 market surveillance access | MSA ← Provider (via notified body) | Technical documentation (Art.18), QMS records, incident reports |
Why Art.45(5) matters for providers:
Art.45(5) creates a direct information bridge between your notified body and national market surveillance authorities (the national competent authorities designated under Art.70). If a German market surveillance authority is investigating a certified biometric AI system, it can request the German-designated notified body's assessment records and certificate history.
This cooperation extends to serious incident investigations. Art.73 requires providers to report serious incidents to market surveillance authorities. Art.45(5) means that the same MSA can simultaneously request the notified body's assessment records to determine whether the incident reveals a systematic certification failure — not just an isolated operational problem.
CLOUD Act angle: Art.45(5) cooperation covers certificate records and technical documentation held by or accessible to the notified body. If a notified body is a US-headquartered organization (or a subsidiary of one), Art.45(5) information — including provider technical documentation submitted for assessment — could theoretically be accessible under US law via CLOUD Act compellability orders. Providers building biometric AI systems that submit detailed technical documentation to US-linked notified bodies face the same CLOUD Act documentation exposure as providers storing compliance evidence in US-headquartered cloud infrastructure. EU-native notified bodies (designated bodies headquartered and controlled entirely within the EU) eliminate this exposure.
Art.45 Intersection Matrix
Art.45 connects to provider obligations through a network of cross-references:
| Art.45 Provision | Intersects With | How They Connect |
|---|---|---|
| Art.45(1) reporting | Art.36 | Notifying authority uses Art.45(1) reports to exercise Art.36 suspension/withdrawal of designation |
| Art.45(1) refusals | Art.35 | Coordination group aggregates refusal data to identify systemic assessment issues |
| Art.45(2) cross-notification | Art.34 | Art.34 subsidiary assessment rules connect to cross-notified peer body decisions |
| Art.45(3) Commission access | Art.85 | Commission's supervisory powers backed by Art.45(3) information right |
| Art.45(4) corrective action | Art.44(4) | Art.45(4) is the mechanism that activates Art.44(4) suspension/revocation |
| Art.45(4) non-conformity | Art.3(23) | Substantial modification test determines whether Art.45(4) fix requires new certificate |
| Art.45(4) suspension | Art.49 | Suspended Art.44 certificate invalidates CE marking under Art.49 |
| Art.45(4) suspension | Art.48 | Suspended certificate invalidates Declaration of Conformity under Art.48 |
| Art.45(4) suspension | Art.16(a) | CE marking requirement for market placement — cannot be met with suspended certificate |
| Art.45(4) triggers | Art.30 | Provider PMS data (Art.30) can be the evidence triggering Art.45(4) |
| Art.45(4) triggers | Art.73 | Serious incident reports (Art.73) can trigger Art.45(4) notified body review |
| Art.45(5) MSA cooperation | Art.74 | MSA market surveillance powers backed by Art.45(5) notified body information duty |
| Art.45(5) cooperation | Art.75 | Mutual assistance between MSAs extended to notified body records via Art.45(5) |
What Art.45 Means for Providers
Article 45 imposes obligations on notified bodies, not providers. But every Art.45 provision has a provider consequence:
From Art.45(1) — Assume your certificate status is visible: Certificate decisions — including refusals, restrictions, suspensions, and withdrawals — are reported to the notifying authority. There is no private certificate problem. Plan your compliance posture assuming certificate status is regulatory-visible from the moment of any adverse decision.
From Art.45(2) — Prior assessment history follows you: If a notified body refuses your Art.44 certificate, peer notified bodies are informed. The approach of seeking multiple opinions to find an accommodating body is structurally counteracted by Art.45(2). Disclose prior assessment history proactively; attempting to conceal it risks the integrity of any subsequently issued certificate.
From Art.45(3) — Technical documentation must be defensible everywhere: Any EU Member State can request your technical documentation package from your notified body. Compliance documentation that is calibrated to satisfy only the designated assessment body — rather than representing the actual system accurately — is legally exposed. Draft documentation as if it will be read by every Member State's market surveillance authority.
From Art.45(4) — Post-certification compliance is a continuing obligation: Receiving an Art.44 certificate does not conclude the compliance obligation. The certificate's validity depends on continued conformity with the requirements. Post-market monitoring (Art.30), quality management system maintenance (Art.17), and the Art.3(23) substantial modification test for system updates are all mechanisms for demonstrating continued conformity — the data these generate can trigger or prevent Art.45(4) activation.
From Art.45(5) — Notified body is a regulatory information conduit: Your notified body is not a private compliance partner. It is a regulated body with direct information obligations to market surveillance authorities. Technical documentation and QMS records submitted for Annex VII assessment flow through the Art.45(5) cooperation channel into the regulatory enforcement system. Structure your compliance records accordingly.
Python Implementation
```python
from dataclasses import dataclass, field
from datetime import date, datetime
from enum import Enum
from typing import Optional, List
import json


class CertificateDecisionType(Enum):
    ISSUED = "issued"
    REFUSED = "refused"
    RESTRICTED = "restricted"
    SUSPENDED = "suspended"
    WITHDRAWN = "withdrawn"
    SUPPLEMENT_ISSUED = "supplement_issued"


class NonConformityTrigger(Enum):
    SURVEILLANCE_AUDIT = "surveillance_audit"
    PROVIDER_PMS_DATA = "provider_pms_data"
    MSA_FINDING = "msa_finding"
    SERIOUS_INCIDENT_REPORT = "serious_incident_report"
    THIRD_PARTY_INFORMATION = "third_party_information"
    MARKET_SURVEILLANCE_REQUEST = "market_surveillance_request"


@dataclass
class NotifiedBodyInformationRecord:
    """
    Art.45(1) — Tracks what a notified body must report to the notifying authority.
    For providers: each entry here represents a potential regulatory visibility event.
    """
    certificate_reference: str
    decision_type: CertificateDecisionType
    decision_date: date
    reported_to_notifying_authority: bool
    reporting_date: Optional[date]
    grounds: str  # Legal and technical basis for the decision
    peer_bodies_notified: bool  # Art.45(2) cross-notification done
    peer_notification_date: Optional[date]
    commission_request_received: bool  # Art.45(3) information request
    msa_cooperation_request: bool  # Art.45(5) MSA information request

    def is_adverse_decision(self) -> bool:
        """Returns True if this decision restricts the certificate in any way."""
        return self.decision_type in (
            CertificateDecisionType.REFUSED,
            CertificateDecisionType.RESTRICTED,
            CertificateDecisionType.SUSPENDED,
            CertificateDecisionType.WITHDRAWN,
        )

    def reporting_compliant(self) -> bool:
        """Art.45(1) compliance: adverse decisions must be reported to notifying authority."""
        if self.is_adverse_decision():
            return self.reported_to_notifying_authority and self.reporting_date is not None
        # Issued certificates must also be reported
        return self.reported_to_notifying_authority

    def peer_notification_compliant(self) -> bool:
        """
        Art.45(2) compliance: negative outcomes must be cross-notified to peer bodies.
        Positive outcomes must be provided on request — track separately.
        """
        if self.is_adverse_decision():
            return self.peer_bodies_notified and self.peer_notification_date is not None
        return True  # Positive: on-request only, not proactive obligation


@dataclass
class PostCertificationNonConformityCase:
    """
    Art.45(4) — Manages the post-certification non-conformity escalation sequence.
    For providers: this is the object the notified body creates when triggering Art.45(4).
    """
    certificate_reference: str
    trigger: NonConformityTrigger
    trigger_date: date
    non_conformity_description: str
    corrective_measures_required: List[str]
    corrective_deadline: date
    measures_implemented: bool = False
    measures_implementation_date: Optional[date] = None
    measures_assessed_sufficient: Optional[bool] = None
    certificate_suspended: bool = False
    suspension_date: Optional[date] = None
    certificate_withdrawn: bool = False
    withdrawal_date: Optional[date] = None
    notifying_authority_notified: bool = False  # Art.45(1)
    peer_bodies_notified: bool = False  # Art.45(2)

    def ce_marking_valid(self) -> bool:
        """
        Art.49 + Art.48 — CE marking requires valid Art.44 certificate.
        Suspended or withdrawn certificate = invalid CE marking.
        """
        return not self.certificate_suspended and not self.certificate_withdrawn

    def provider_market_placement_permitted(self) -> bool:
        """
        Art.16(a) — High-risk AI systems require CE marking for market placement.
        Invalid CE marking = market placement prohibited.
        """
        return self.ce_marking_valid()

    def escalation_required(self) -> bool:
        """Returns True if corrective measures deadline has passed without sufficient action."""
        today = date.today()
        if today > self.corrective_deadline:
            if not self.measures_implemented or self.measures_assessed_sufficient is False:
                return True
        return False

    def generate_provider_action_list(self) -> List[str]:
        """Generates the provider's required responses to an Art.45(4) activation."""
        actions = []
        actions.append(f"Implement corrective measures by {self.corrective_deadline}")
        actions.append("Document all corrective actions in Art.17 QMS records")
        actions.append("Run Art.3(23) substantial modification test on all proposed fixes")
        if self.certificate_suspended:
            actions.append("CRITICAL: Cease market placement — CE marking invalid (Art.49 + Art.16)")
            actions.append("Update Declaration of Conformity (Art.48) — suspend pending certificate restoration")
            actions.append("Notify deployers and distributors of suspension status")
        return actions


@dataclass
class MSACooperationTracker:
    """
    Art.45(5) — Tracks information exchanges between notified body and market surveillance authorities.
    For providers: visibility into regulatory information flows affecting your certificate.
    """
    certificate_reference: str
    msa_requests: List[dict] = field(default_factory=list)
    information_provided: List[dict] = field(default_factory=list)
    joint_investigations: List[dict] = field(default_factory=list)

    def add_msa_request(
        self,
        requesting_msa: str,
        request_date: date,
        information_type: str,
        response_date: Optional[date] = None
    ):
        """Record an Art.45(5) information request from a market surveillance authority."""
        self.msa_requests.append({
            "requesting_msa": requesting_msa,
            "request_date": request_date.isoformat(),
            "information_type": information_type,
            "response_date": response_date.isoformat() if response_date else None,
            "status": "responded" if response_date else "pending"
        })

    def cloud_act_risk_assessment(self, notified_body_headquarters: str) -> dict:
        """
        Art.45(5) + CLOUD Act: Assess whether MSA cooperation requests
        could expose provider technical documentation to US jurisdiction.
        """
        us_linked = notified_body_headquarters.lower() in [
            "united states", "us", "usa"
        ] or "inc." in notified_body_headquarters.lower()
        return {
            "notified_body_headquarters": notified_body_headquarters,
            "us_jurisdiction_risk": us_linked,
            "risk_description": (
                "Technical documentation submitted for Annex VII assessment is held by "
                "this US-linked notified body and may be subject to CLOUD Act compellability "
                "orders independently of Art.45(5) MSA cooperation requests."
                if us_linked
                else
                "EU-native notified body: Art.45(5) information flows remain within EU "
                "jurisdiction and are not subject to CLOUD Act compellability."
            ),
            "mitigation": (
                "Consider designating an EU-native notified body for future assessments. "
                "EU-native PaaS for compliance record storage eliminates dual-jurisdiction exposure."
                if us_linked
                else "Single-regime jurisdiction: Art.45(5) cooperation is fully EU-governed."
            )
        }


class Art45ComplianceAuditor:
    """
    End-to-end Art.45 compliance checker for providers holding Art.44 certificates.
    """

    def __init__(
        self,
        certificate_reference: str,
        notified_body_headquarters: str
    ):
        self.certificate_reference = certificate_reference
        self.information_records: List[NotifiedBodyInformationRecord] = []
        self.non_conformity_cases: List[PostCertificationNonConformityCase] = []
        self.msa_tracker = MSACooperationTracker(certificate_reference)
        self.notified_body_headquarters = notified_body_headquarters

    def audit(self) -> dict:
        """Run full Art.45 compliance audit."""
        reporting_gaps = [
            r for r in self.information_records
            if not r.reporting_compliant()
        ]
        peer_notification_gaps = [
            r for r in self.information_records
            if not r.peer_notification_compliant()
        ]
        active_non_conformities = [
            c for c in self.non_conformity_cases
            if not c.certificate_withdrawn
        ]
        ce_marking_invalid = [
            c for c in self.non_conformity_cases
            if not c.ce_marking_valid()
        ]
        escalation_required = [
            c for c in self.non_conformity_cases
            if c.escalation_required()
        ]
        cloud_act = self.msa_tracker.cloud_act_risk_assessment(
            self.notified_body_headquarters
        )
        return {
            "certificate_reference": self.certificate_reference,
            "audit_date": date.today().isoformat(),
            "art_45_1_reporting_compliant": len(reporting_gaps) == 0,
            "reporting_gaps": len(reporting_gaps),
            "art_45_2_peer_notification_compliant": len(peer_notification_gaps) == 0,
            "peer_notification_gaps": len(peer_notification_gaps),
            "active_non_conformity_cases": len(active_non_conformities),
            "ce_marking_currently_valid": len(ce_marking_invalid) == 0,
            "market_placement_permitted": len(ce_marking_invalid) == 0,
            "escalation_required": len(escalation_required) > 0,
            "msa_requests_pending": sum(
                1 for r in self.msa_tracker.msa_requests
                if r["status"] == "pending"
            ),
            "cloud_act_risk": cloud_act["us_jurisdiction_risk"],
            "cloud_act_detail": cloud_act["risk_description"],
            "overall_status": (
                "CRITICAL" if ce_marking_invalid
                else "ACTION_REQUIRED" if escalation_required or reporting_gaps
                else "COMPLIANT"
            )
        }
```
Art.45 Compliance Checklist for Providers
While Art.45 directly obliges notified bodies, providers should verify these items to ensure the Art.45 information environment around their Art.44 certificate is correctly managed.
Before Obtaining an Art.44 Certificate
- 1. Verify the selected notified body is NANDO-designated and its designation is currently active (not suspended under Art.36)
- 2. Confirm there is no prior assessment refusal for this system that must be disclosed to the new notified body
- 3. If prior refusal exists: disclose fully to the new notified body — Art.45(2) cross-notification means it may already be known
- 4. Confirm the notified body's headquarters jurisdiction — EU-native eliminates CLOUD Act exposure for submitted technical documentation
- 5. Ensure technical documentation package (Annex IV) is accurate and complete — it will be accessible to any EU Member State under Art.45(3)
After Certificate Issuance
- 6. Confirm from notified body that Art.45(1) certificate issuance reporting has been made to the notifying authority
- 7. Document Art.44 certificate reference, issue date, expiry date, and any conditions in your compliance management system
- 8. Cross-reference certificate conditions against deployment constraints — any violation risks Art.45(4) non-conformity finding
- 9. Implement Art.30 post-market monitoring system — PMS data gaps are a leading indicator for Art.45(4) triggers
- 10. Maintain Art.17 QMS — surveillance audits under Annex VII §4 are the most common Art.45(4) trigger for ongoing certificates
Ongoing Post-Certification Compliance
- 11. Prepare for and fully cooperate with notified body's annual QMS surveillance audits (Annex VII §4)
- 12. Run Art.3(23) substantial modification test before any significant system update
- 13. Submit substantial modification notifications to notified body before deploying changes that require re-assessment
- 14. Report serious incidents to market surveillance authority (Art.73) — MSA findings can trigger Art.45(4)
- 15. Monitor Art.44 certificate expiry — initiate renewal 90–120 days before expiry to prevent a gap
If Art.45(4) Is Activated (Notified Body Requests Corrective Action)
- 16. Implement corrective measures within the notified body's stated deadline
- 17. Document all corrective actions in Art.17 QMS immediately
- 18. Provide corrective measure documentation to notified body for sufficiency assessment
- 19. If certificate suspended: immediately cease market placement of affected system (Art.16(a))
- 20. If certificate suspended: cease affixing CE marking — Art.49 CE marking requires valid Art.44 certificate
- 21. Notify all deployers and distributors of suspension status — their Art.26 obligations depend on your certificate status
- 22. If certificate suspended: update Declaration of Conformity (Art.48) to suspend pending certificate restoration
- 23. Do not submit Declaration of Conformity referencing a suspended certificate to any authority
- 24. If withdrawn: withdraw system from EU market, notify all supply chain parties
- 25. If corrective action resolves the non-conformity: obtain written confirmation from notified body that certificate is reinstated
Market Surveillance Authority Cooperation
- 26. If an MSA requests information from your notified body under Art.45(5): cooperate fully — do not attempt to limit what the notified body provides
- 27. Maintain Art.18 10-year retention for all technical documentation and certificate-related records
- 28. Ensure Art.74 market surveillance access rights to your documentation are not obstructed
- 29. If MSA investigation opens: treat Art.45(5) notified body cooperation as a parallel information channel — align your responses
- 30. Conduct Art.45 risk audit at least annually: CLOUD Act exposure, certificate status, surveillance audit schedule, MSA requests
Art.45 for SaaS Developers: The Honest Assessment
If you use Art.43(1) Annex VI internal control: Art.45 does not apply to your compliance obligations. There is no notified body in your conformity chain, so there is no body on which Art.45 obligations fall. You are responsible for maintaining your own Declaration of Conformity (Art.48) and CE marking (Art.49) without a notified body intermediary.
If you use Art.43(2) Annex VII notified body assessment (biometric systems, regulated product safety components, or Commission-mandated track): Art.45 governs the information environment in which your Art.44 certificate lives. Key implications:
- Certificate problems are publicly visible: Refusals, suspensions, and withdrawals are reported to the notifying authority (Art.45(1)) and peer notified bodies (Art.45(2)) proactively. Assume any adverse certificate decision is known to regulators within days.
- Prior refusals follow you: Art.45(2) cross-notification means shopping for a more accommodating notified body after a refusal is detectable. Disclose prior assessment history.
- Technical documentation is EU-wide accessible: Submitted documentation can reach any Member State's market surveillance authority (Art.45(3)). Draft it to withstand multi-jurisdiction scrutiny.
- Post-certification compliance is continuous: Art.45(4) means the certificate can be suspended or withdrawn at any point after issuance. Maintained QMS, post-market monitoring, and transparent incident reporting are the ongoing inputs that protect certificate validity.
- Choose your notified body jurisdiction carefully: EU-native notified bodies eliminate CLOUD Act exposure for technical documentation submitted for Annex VII assessment. If your notified body is US-linked, the documentation you submitted for assessment may face dual-jurisdiction legal demands independently of your own hosting choices.
See Also
- EU AI Act Art.44 Certificates of Conformity: Notified Body Certification
- EU AI Act Art.43 Conformity Assessment: Internal Control vs. Notified Body
- EU AI Act Art.36 Suspension of Notified Body Designation
- EU AI Act Art.34 Procedural Obligations on Notified Bodies
- EU AI Act Art.33 Notified Body Requirements and Obligations
- EU AI Act Art.48 Declaration of Conformity: Provider Obligations
- EU AI Act Art.49 CE Marking Requirements for High-Risk AI
- EU AI Act Art.30 Post-Market Monitoring for High-Risk AI Systems