Article 31 — Requirements Relating to Notified Bodies

Article 31

Requirements relating to notified bodies

1. A notified body shall be established under the national law of a Member State and shall have legal personality.

2. Notified bodies shall satisfy the organisational, quality management, resources and process requirements that are
necessary to fulfil their tasks, as well as suitable cybersecurity requirements.

3. The organisational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall
ensure confidence in their performance, and in the results of the conformity assessment activities that the notified bodies
conduct.

ELI: http://data.europa.eu/eli/reg/2024/1689/oj 71/144
EN OJ L, 12.7.2024

4. Notified bodies shall be independent of the provider of a high-risk AI system in relation to which they perform
conformity assessment activities. Notified bodies shall also be independent of any other operator having an economic
interest in high-risk AI systems assessed, as well as of any competitors of the provider. This shall not preclude the use of
assessed high-risk AI systems that are necessary for the operations of the conformity assessment body, or the use of such
high-risk AI systems for personal purposes.

5. Neither a conformity assessment body, its top-level management nor the personnel responsible for carrying out its
conformity assessment tasks shall be directly involved in the design, development, marketing or use of high-risk AI systems,
nor shall they represent the parties engaged in those activities. They shall not engage in any activity that might conflict with
their independence of judgement or integrity in relation to conformity assessment activities for which they are notified.
This shall, in particular, apply to consultancy services.

6. Notified bodies shall be organised and operated so as to safeguard the independence, objectivity and impartiality of
their activities. Notified bodies shall document and implement a structure and procedures to safeguard impartiality and to
promote and apply the principles of impartiality throughout their organisation, personnel and assessment activities.

7. Notified bodies shall have documented procedures in place ensuring that their personnel, committees, subsidiaries,
subcontractors and any associated body or personnel of external bodies maintain, in accordance with Article 78, the
confidentiality of the information which comes into their possession during the performance of conformity assessment
activities, except when its disclosure is required by law. The staff of notified bodies shall be bound to observe professional

secrecy with regard to all information obtained in carrying out their tasks under this Regulation, except in relation to the
notifying authorities of the Member State in which their activities are carried out.

8. Notified bodies shall have procedures for the performance of activities which take due account of the size of

a provider, the sector in which it operates, its structure, and the degree of complexity of the AI system concerned.

9. Notified bodies shall take out appropriate liability insurance for their conformity assessment activities, unless liability

is assumed by the Member State in which they are established in accordance with national law or that Member State is itself
directly responsible for the conformity assessment.

10. Notified bodies shall be capable of carrying out all their tasks under this Regulation with the highest degree of

professional integrity and the requisite competence in the specific field, whether those tasks are carried out by notified
bodies themselves or on their behalf and under their responsibility.

11. Notified bodies shall have sufficient internal competences to be able effectively to evaluate the tasks conducted by
external parties on their behalf. The notified body shall have permanent availability of sufficient administrative, technical,
legal and scientific personnel who possess experience and knowledge relating to the relevant types of AI systems, data and
data computing, and relating to the requirements set out in Section 2.

12. Notified bodies shall participate in coordination activities as referred to in Article 38. They shall also take part
directly, or be represented in, European standardisation organisations, or ensure that they are aware and up to date in
respect of relevant standards.