2026-06-02 · 5 min read · sota.io Team

EU AI Act Art. 43 Conformity Assessment Routes: When Your SaaS Needs a Notified Body

Post #1459 in the sota.io EU Regulatory Compliance Series — EU AI Act Conformity Assessment Sprint 2026 #3/5

EU AI Act Art. 43 Conformity Assessment Routes — Notified Body vs. Internal Control for SaaS Providers

One of the most common questions SaaS providers ask when preparing for August 2, 2026 is: do we need a notified body, or can we self-certify? The answer depends on Article 43 of the EU AI Act, which sets out two distinct conformity assessment routes. Choosing the wrong one — or misunderstanding which applies — is not a minor procedural error. It is a compliance failure that can block your EU declaration of conformity and delay market entry.

This is the third post in our five-part conformity assessment series. We covered what triggers conformity assessment in post one, and what Annex IV technical documentation requires in post two. Here we focus on the assessment procedure itself: which route applies to your SaaS, what each route demands, and why the notified body landscape matters even if you never need to engage one directly.


The Two Routes Under Article 43

Article 43 establishes that high-risk AI systems listed in Annex III are subject to one of two conformity assessment procedures, depending on the nature of the system and its regulatory context.

Route 1: Internal Control (Annex VI)

Internal control is the default route for the majority of Annex III high-risk AI systems — including AI used in employment decisions, creditworthiness assessments, biometric categorization, access to public services, and most other Annex III categories.

Under the internal control route, the provider conducts the conformity assessment themselves. There is no external auditor, no notified body sign-off, and no certificate issued by a third party. The provider compiles the technical documentation specified in Annex IV, applies the quality management system required under Article 17, verifies that the system meets all applicable requirements in Articles 9 through 15, and issues the EU declaration of conformity under Article 47.

The internal control route is not a lesser form of compliance. It places the full burden of evidence on the provider. You are asserting, under legal liability, that your system meets every requirement the Act imposes. The EU declaration of conformity is a legally binding document. Issuing it without completing the Annex VI procedure — or issuing it based on incomplete documentation — exposes you to enforcement action by national market surveillance authorities.

Route 2: Notified Body Assessment (Annex VII)

The notified body route is required when your high-risk AI system is intended to be used as a safety component in a product already covered by existing EU product safety legislation listed in Annex I of the EU AI Act — primarily the Machinery Regulation, the Radio Equipment Directive, the Low Voltage Directive, the Medical Devices Regulation, the In Vitro Diagnostic Medical Devices Regulation, the Civil Aviation Regulation, and a small number of other sectoral regulations.

Under the notified body route, the provider must engage an accredited notified body designated under the relevant sectoral legislation or under the EU AI Act itself. The notified body assesses the provider's quality management system and/or the technical documentation and issues a certificate. The provider then issues the EU declaration of conformity based on that certificate.

Article 43 is explicit: if your Annex III system is a safety component of an Annex I product category, internal control is not available to you. You must go through a notified body. This is a hard requirement, not a compliance option.


Which Route Applies to Your SaaS

The practical question for most SaaS providers is whether their AI system falls into the notified body requirement. Here is how to evaluate it.

Start with your Annex III category

First, confirm which Annex III category your system falls under. Annex III lists eight areas:

  1. Biometric identification and categorization
  2. Critical infrastructure management
  3. Education and vocational training
  4. Employment, workers' management, and access to self-employment
  5. Access to essential private and public services and benefits
  6. Law enforcement
  7. Migration, asylum, and border control management
  8. Administration of justice and democratic processes

If your system falls under one of these categories and is not embedded in or used as a safety component of a product listed in Annex I, you follow the internal control route (Annex VI). This applies to the vast majority of SaaS-delivered AI systems.

Then check for Annex I product overlap

Annex I of the EU AI Act lists specific EU product safety directives and regulations. The most relevant for software companies are the Medical Devices Regulation (MDR, 2017/745) and the In Vitro Diagnostic Medical Devices Regulation (IVDR, 2017/746). If your AI system is marketed as a clinical decision support tool or functions as software as a medical device (SaMD), you are almost certainly in notified body territory — both because the MDR/IVDR already require notified body involvement and because the EU AI Act's notified body route aligns with that existing requirement.

For pure SaaS applications in HR, finance, legal, or public administration: if your system is not embedded in any physical product and is not classified as a medical device, you follow internal control. No notified body is required.

Biometric identification: a special case

Article 43 contains one additional rule for biometric identification systems used for real-time remote identification in publicly accessible spaces. These systems — already subject to the strict authorization requirements elsewhere in the Act — are subject to notified body assessment even if they are not embedded in an Annex I product. If your SaaS includes any real-time remote biometric identification functionality in public spaces, the notified body route applies regardless of whether an Annex I product is involved.


The Notified Body Landscape in June 2026

If the notified body route applies to your system, you need to understand the current state of notified body designation under the EU AI Act.

The EU AI Act requires member states to designate notified bodies that have the technical competence to assess AI systems. As of mid-2026, the designation process is underway but the number of designated notified bodies remains limited. The European Commission maintains a database of notified bodies (NANDO), and the AI Office has published guidance on the competency requirements for notified bodies under the Act.

The practical implication for SaaS providers: if you need a notified body, engage one early. The August 2, 2026 deadline is a hard compliance date for providers of high-risk AI systems. If designated notified bodies are capacity-constrained — a real risk given how new the designation process is — late engagement may mean you cannot complete your conformity assessment in time.

For SaaS providers following the internal control route, notified body capacity is irrelevant to your August 2026 timeline. Your assessment is entirely self-conducted.


What Internal Control Actually Requires

Because the majority of SaaS-delivered high-risk AI systems follow the internal control route, it is worth being precise about what Annex VI requires. The regulation's language is brief but the obligations are substantial.

Under Annex VI, internal control consists of three elements:

Element 1: Technical documentation

The provider shall draw up the technical documentation specified in Annex IV and maintain it for ten years after the system is placed on the market. We covered this in detail in post two of this series. The documentation must exist and be complete before you issue the EU declaration of conformity — not concurrently, not after the fact.

Element 2: Quality management system

The provider shall implement the quality management system described in Article 17. This system must cover the entire AI system lifecycle, from design and development through deployment and post-market monitoring. It must include documented procedures for risk management, testing, data governance, logging, and human oversight implementation. The quality management system is the organizational backbone that enables you to make credible assertions about compliance.

Element 3: EU declaration of conformity

Once the technical documentation is complete and the quality management system is in place, the provider issues the EU declaration of conformity under Article 47 and affixes the CE marking. The declaration must identify the system, list the applicable legal requirements it is declared to conform with, identify the provider and their representative if applicable, and bear the provider's signature and date.

This is the full internal control procedure. There is no additional step, no submission to a government body for pre-market approval, and no certificate to obtain. The act of issuing the declaration of conformity, supported by your documentation, completes the procedure.


Common Mistakes in Route Selection

Mistake 1: Assuming all biometric systems require a notified body

Notified body assessment for biometric systems is limited to real-time remote identification in publicly accessible spaces. Offline biometric verification, biometric categorization for employment screening, or biometric data processing that does not involve real-time public space identification all follow the internal control route. The distinction matters because many SaaS providers in HR and identity verification assume they need a notified body when they do not.

Mistake 2: Treating internal control as a lighter compliance burden

Internal control means the provider bears the entire evidentiary burden. The technical documentation, the quality management system, and the declaration of conformity must all be complete and defensible. Market surveillance authorities can request your documentation at any time. If they find gaps, the internal control procedure does not shield you from enforcement — it establishes your direct liability for the compliance assertion you made.

Mistake 3: Starting the notified body process too late

If your system requires a notified body, begin engagement no later than three months before your target compliance date. Notified bodies under the EU AI Act are new, capacity is uncertain, and the assessment process — covering both quality management system documentation review and technical documentation audit — can take six to twelve weeks depending on system complexity.

Mistake 4: Using the MDR notified body for EU AI Act assessment without verification

If you have an existing CE mark under the MDR and your AI system is software as a medical device, your MDR notified body may or may not be designated to assess AI systems under the EU AI Act. Verify designation status before assuming your existing NB relationship covers EU AI Act compliance.


Registration Under Article 49

After completing conformity assessment — whether internal control or notified body — and before placing the system on the market in the EU, providers must register the high-risk AI system in the EU database under Article 49. The EU database is managed by the European Commission and is publicly accessible for Annex III systems (with exceptions for law enforcement and similar sensitive categories).

Registration is not optional and is not part of the assessment procedure itself. It is a separate post-assessment obligation that must be completed before the system enters the EU market. The registration requirement applies to both conformity assessment routes.


Preparing for August 2, 2026: A Route-Specific Timeline

If you follow the internal control route:

Weeks Before August 2   Action
10–8 weeks              Complete Annex IV technical documentation
8–6 weeks               Finalize quality management system documentation
6–4 weeks               Conduct internal conformity assessment
4–3 weeks               Issue EU declaration of conformity
3–2 weeks               Register in EU AI Act database (Article 49)
1 week                  Affix CE marking, prepare market documentation

If you follow the notified body route:

Weeks Before August 2   Action
16+ weeks               Identify and engage designated notified body
14–10 weeks             Submit Annex IV documentation for review
10–6 weeks              NB quality management system assessment
6–4 weeks               NB technical documentation audit
4–3 weeks               Receive NB certificate, issue EU declaration
3–2 weeks               Register in EU AI Act database
1 week                  CE marking and market documentation

The notified body timeline assumes a cooperative, well-prepared submission. Complex systems, incomplete documentation, or limited NB capacity can extend each phase.


What Comes Next in This Series

This series covers the full conformity assessment lifecycle for high-risk AI systems.

If your SaaS product deploys high-risk AI, the internal control route is almost certainly your path. The documentation burden is real, the quality management system requirement is substantive, and the declaration of conformity carries legal weight. The next post covers what happens after you issue that declaration — the ongoing post-market surveillance obligations under the Act that continue for the life of the system.


sota.io provides EU-native managed deployment infrastructure. All EU AI Act compliance content reflects editorial analysis of the regulation text. Providers should obtain qualified legal advice for their specific compliance situation.
