Article 36: Operational Obligations of Notified Bodies
Article 36 sets out the day-to-day operational duties of notified bodies performing conformity assessments under the AI Act. It covers how assessments must be conducted, what happens when non-conformity is found, reporting obligations toward notifying authorities and other notified bodies, and cooperation duties with the Commission and Member States.
Who does this apply to?
- -Notified bodies performing conformity assessments of high-risk AI systems under Article 43
- -Providers undergoing third-party conformity assessment who are subject to the body's decisions on certificates
- -Notifying authorities overseeing notified body operations and receiving status reports on certificates
Scenarios
A notified body audits a provider's quality management system for a high-risk AI recruitment tool. During the audit, the body identifies that the provider has not implemented adequate bias-testing procedures as required under Article 10.
A notified body withdraws a certificate for a critical-infrastructure AI system after finding persistent non-compliance. Another notified body in a different Member State has previously issued a certificate to the same provider for a related system.
The seven operational obligations
Article 36 imposes a structured set of duties on notified bodies:
(a) Conduct assessments properly — Carry out conformity assessments in accordance with the procedures set out in Article 43.
(b) Enforce corrective action — Where a non-conformity is found or conditions are no longer met, require the provider to take corrective action and, if necessary, suspend, restrict, or withdraw the certificate.
(c) Report to the notifying authority — Inform the notifying authority of certificates that have been refused, restricted, suspended, or withdrawn.
(d) Inform peer bodies — Notify other notified bodies of certificates refused or withdrawn. On request, also share information about certificates issued.
(e) Respond to Commission and Member State requests — Provide information on both negative and positive certification decisions when the Commission or Member States request it.
(f) Grant surveillance access — Allow the notifying authority to carry out its surveillance activities, including on-site visits.
(g) Keep documentation available — Maintain and make documentation accessible to the notifying authority for oversight purposes.
What this means for providers
Providers undergoing third-party conformity assessment should expect notified bodies to:
- Request full access to technical documentation, quality management records, and test results
- Issue corrective action requests with clear deadlines where non-conformity is found
- Suspend or withdraw certificates if corrective actions are not completed satisfactorily
- Share negative certification outcomes with other bodies and the notifying authority
Providers should build internal processes to respond rapidly to corrective-action requests, as delays can escalate to certificate suspension.
Interaction with oversight and enforcement
- Article 30 — Requirements that notified bodies must meet to be designated in the first place.
- Article 43 — The specific conformity-assessment procedures the body must follow.
- Article 44 — Certificates issued by notified bodies and their validity.
- Article 45 — Information obligations for providers toward notified bodies.
- Article 113 — Application dates.
Transparency and mutual information
Article 36 creates a network of transparency across the notified-body ecosystem. The obligation to inform peer bodies of refusals and withdrawals prevents providers from "body shopping" — seeking a more lenient assessor after failing with one body. The obligation to respond to Commission and Member State information requests ensures that enforcement authorities can build a complete picture of certification activity across the Union.
Compliance checklist
- Ensure your notified body is following Article 43 procedures — ask for a clear description of the assessment methodology.
- Establish an internal workflow to respond to corrective-action requests within the notified body's stated deadlines.
- Request written confirmation of certificate status (issued, restricted, suspended, or withdrawn) and retain records.
- If your certificate is suspended, halt placing the system on the market until the suspension is lifted.
- Maintain all documentation the notified body may request for notifying-authority surveillance visits.
- Monitor whether your notified body has had its own notification restricted or suspended — check the NANDO database periodically.
Prepare for third-party assessment — start the free compliance check.
Start Free AssessmentRelated Articles
Frequently asked questions
What happens if a notified body finds non-conformity during an assessment?
The body must require the provider to take corrective action. If the provider fails to remedy the issue or the non-conformity is severe, the body must suspend, restrict, or withdraw the certificate and report this to the notifying authority.
Can a provider switch notified bodies after a certificate refusal?
A provider can engage a different notified body, but Article 36(d) requires bodies to inform each other of refusals and withdrawals. The new body will be aware of the previous outcome and will factor it into its own assessment.
Does the notified body share assessment results with market surveillance authorities?
Yes. Under Article 36(e), the body must provide information on both positive and negative certification decisions to the Commission and Member States on request. The notifying authority also has direct surveillance access under Article 36(f).