Article 31 of the AI Act provides useful information regarding the various requirements that notified bodies are subject to.
A notified body shall be established as a legal entity under the national law of each EU member state. Notified bodies will be required to satisfy all relevant organizational, quality management, resources, and process requirements necessary to fulfill their tasks and other suitable cybersecurity requirements.
The organizational structure, allocation of responsibilities, reporting lines and operation of notified bodies shall ensure confidence in their performance and in the results of their conformity assessment activities.
The notified bodies shall be independent of the provider of a high-risk AI system in relation to which they perform conformity assessment procedures. Similarly, they shall be independent of any other operator with economic interests in the high-risk AI system being assessed or any of the provider’s competitors. However, this requirement does not extend to the use of high-risk AI systems that are necessary for the operations of the conformity assessment body or are strictly used for personal purposes.
The top-level management of the conformity assessment body or its personnel responsible for carrying out conformity assessment tasks shall not be involved in the design, development, marketing, or use of high-risk AI systems, nor shall they represent the parties that may be involved in those activities. Such individuals shall be required to refrain from engaging in any activity that may compromise their independence of judgment or integrity with respect to the performance of conformity assessment activities for which they are notified. This obligation applies to consultancy services in particular.
The notified bodies shall be organized and operated to safeguard the objectivity, independence, and impartiality of their activities. They shall have a comprehensive documentation mechanism and necessary structure and procedures in place to safeguard impartiality throughout their organization, personnel, and assessment activities.
The aforementioned documentation mechanism shall also ensure the confidentiality of any information that comes into the possession of the notified bodies’ personnel, committees, subsidiaries, subcontractors, or any associated body or personnel. Confidentiality shall be maintained as per Article 78 requirements during the conformity assessment activities, except when the disclosure of the information is required by law. The staff of the notified bodies shall also be bound to observe professional secrecy concerning all information obtained in carrying out their tasks under the EU’s AI Act, except in relation to the notifying authorities of the EU member state in which their activities are carried out.
The notified bodies’ procedures must take due account the size of the provider subject to the conformity assessment, its sector of operation, structure, and the degree of complexity of the AI system being assessed.
Additionally, notified bodies shall ensure their participation in coordination activities as required under Article 38 and take necessary steps to ensure their due participation in European standardization organizations or ensure that they are aware of and up to date with relevant standards.
The notified body must take out appropriate liability insurance for all their conformity assessment activities unless the member state in which they are established assumes liability in accordance with the relevant national law or that the member state is itself directly responsible for the conformity assessment.
Lastly, the notified bodies shall be capable of carrying out their tasks under the AI Act with the highest degree of professional integrity and competence, whether those tasks are carried out by the notified bodies themselves or on their behalf and under their responsibility. The notified bodies shall also be required to have sufficient internal competency to assess any tasks conducted by external parties on their behalf.
To that end, they shall ensure the permanent availability of sufficient administrative, technical, legal, and scientific personnel with the appropriate experience and knowledge regarding the relevant types of AI systems, data and data computing, and regarding the requirements set out in Section 2 of the EU’s AI Act.