Chapter IV — Notifying Authorities and Notified Bodies / Article 32

Article 32: Subsidiaries of and Subcontracting by Notified Bodies

Applies from 2 Aug 2026 | 5 min read | EUR-Lex verified Apr 2026

Article 32 allows notified bodies to subcontract specific conformity assessment tasks or use subsidiaries to perform them, but imposes strict conditions: the provider (client) must consent, the subcontractor or subsidiary must meet the Article 30 requirements, and the notified body remains fully responsible for all subcontracted work. Complete outsourcing of the conformity assessment activity is not permitted. The notified body must maintain a list of subsidiaries and subcontractors, available to the notifying authority upon request. Always verify on EUR-Lex.

Who does this apply to?

  • Notified bodies using subcontractors or subsidiaries for specific conformity assessment tasks
  • Subcontractors and subsidiaries performing conformity assessment tasks on behalf of notified bodies
  • Providers (clients) whose consent is required before subcontracting of their conformity assessment

Scenarios

A notified body with strong QMS audit capability but limited deep learning testing expertise subcontracts the adversarial robustness testing of a high-risk AI system to a specialised AI testing lab.

The subcontracting is permitted provided: (1) the provider consents, (2) the testing lab meets Article 30 requirements (including independence, competence, and confidentiality), and (3) the notified body retains full responsibility for the overall conformity assessment, including the subcontracted test results.
Ref. Art. 32 + Art. 30

A notified body attempts to subcontract the entire conformity assessment of a high-risk biometric system to a third-party lab, retaining only administrative oversight.

This is not permitted under Article 32. Subcontracting of the complete conformity assessment activity is prohibited. The notified body must retain substantive involvement in the core assessment activities.
Ref. Art. 32

What Article 32 does (plain terms)

Article 32 recognises that conformity assessment of high-risk AI systems may require specialised expertise that a single notified body does not possess in-house. Rather than blocking all use of external resources, it allows limited subcontracting and the use of subsidiaries under strict conditions.

The key rules are:

1. Provider consent — Before subcontracting any task, the notified body must obtain the explicit consent of the provider (the client commissioning the conformity assessment).

2. Article 30 compliance — Every subcontractor and subsidiary performing conformity assessment tasks must meet the relevant requirements of Article 30, including independence, competence, documented procedures, and confidentiality.

3. Full responsibility — The notified body remains fully responsible for all tasks performed by subcontractors or subsidiaries. It cannot delegate away its legal accountability.

4. No complete outsourcing — Subcontracting the entire conformity assessment activity to a third party is not allowed. The notified body must retain substantive control over the overall assessment.

5. List of subcontractors/subsidiaries — The notified body must keep an up-to-date list and make it available to the notifying authority upon request.

Verify the complete text on EUR-Lex Article 32.

Practical implications for providers and notified bodies

For providers seeking conformity assessment:

  • You have a right to know who is performing the assessment work. If the notified body proposes to subcontract, it must obtain your consent.
  • Ask for the subcontractor's credentials and verify they meet Article 30 requirements, particularly for AI-specific competence.
  • Your contractual relationship remains with the notified body, which bears full legal responsibility.

For notified bodies:

  • Subcontracting can help fill specialised gaps (e.g., adversarial ML testing, bias auditing, domain-specific risk assessment) without requiring every capability in-house.
  • You must establish oversight mechanisms to ensure subcontracted work meets your quality standards and Article 30 requirements.
  • Document all subcontracting arrangements and maintain the required list for the notifying authority.

How Article 32 connects to the rest of the Act

  • Article 30 — Requirements that subcontractors and subsidiaries must independently satisfy.
  • Article 33 — The notification process; the notifying authority may consider subcontracting arrangements when assessing a notified body's capacity.
  • Article 43 — Conformity assessment procedures during which subcontracting may occur.
  • Article 28 — The notifying authority that can request the subcontractor/subsidiary list.
  • Article 113 — Application dates and staged entry into force.

Compliance checklist

  • As a notified body, assess whether any conformity assessment tasks require subcontracting or subsidiary involvement and document the rationale.
  • Verify that each subcontractor and subsidiary meets Article 30 requirements before engaging them.
  • Obtain explicit written consent from the provider (client) before subcontracting any conformity assessment task.
  • Ensure that the complete conformity assessment activity is not fully outsourced — retain substantive control over the core assessment.
  • Maintain an up-to-date list of all subsidiaries and subcontractors used for conformity assessment tasks.
  • Establish quality oversight mechanisms for subcontracted work, including review of subcontractor deliverables.
  • Make the subsidiaries and subcontractors list available to the notifying authority upon request.


Frequently asked questions

Can a notified body subcontract to a body outside the EU?

Article 32 does not explicitly restrict subcontracting to EU-based entities, but the subcontractor must meet Article 30 requirements, including independence and competence standards. The notifying authority would need to be satisfied that oversight is adequate regardless of the subcontractor's location.

What if the provider does not consent to subcontracting?

The notified body cannot proceed with subcontracting for that provider's assessment. It must either perform the task in-house or the provider may choose a different notified body with the necessary in-house capabilities.

Does the subcontractor list need to be public?

Article 32 requires the list to be available to the notifying authority upon request. It does not mandate public disclosure, but providers involved in assessments should be informed of relevant subcontracting.