Article 44 of the EU AI Act governs the certificates that notified bodies issue after third-party conformity assessment of high-risk AI systems. Certificates are valid for up to five years for Annex I systems and four years for Annex III systems, can be extended after re-assessment, and must be suspended or withdrawn if the system stops meeting the requirements.
EU AI Act Article 44: Certificates Issued by Notified Bodies
What Article 44 Covers
Article 44 of Regulation (EU) 2024/1689 sets the rules for certificates issued by notified bodies under the AI Act. A certificate in this context is the formal document a notified body issues when a high-risk AI system has passed the third-party conformity assessment procedure based on the assessment of the quality management system and of the technical documentation set out in Annex VII. It is the regulated counterpart to self-assessment: where the regulation requires an independent check, the certificate is its tangible output.
Not every high-risk AI system needs one. Under Article 43, most Annex III systems follow the internal control procedure of Annex VI without a notified body. Third-party assessment is required notably for certain biometric systems under Annex III point 1 in defined circumstances, and for high-risk AI systems that are safety components of Annex I products, where the sectoral conformity assessment procedures involve notified bodies. Where a notified body is involved, Article 44 governs the paperwork that results.
Form and Language
Article 44(1) requires that certificates issued by notified bodies in accordance with Annex VII shall be drawn up in a language which can be easily understood by the relevant authorities in the Member State in which the notified body is established. This practical rule ensures that supervisors can read the certificates they may need to rely on or challenge.
Validity Periods: Five Years or Four
Article 44(2) sets the validity regime. Certificates shall be valid for the period they indicate, which shall not exceed five years for AI systems covered by Annex I, and four years for AI systems covered by Annex III. The distinction reflects the structure of the act: Annex I systems are embedded in products covered by established Union harmonisation legislation with mature assessment ecosystems, while standalone Annex III systems operate in faster-moving contexts and get the shorter leash.
At the request of the provider, the validity of a certificate may be extended on the basis of a re-assessment in accordance with the applicable conformity assessment procedures, for further periods, each not exceeding five years for Annex I systems and four years for Annex III systems. Any supplement to a certificate remains valid provided that the certificate it supplements is valid.
Suspension and Withdrawal
Article 44(3) addresses what happens when conformity lapses. Where a notified body finds that an AI system no longer meets the requirements set out in Section 2 of Chapter III, it shall, taking account of the principle of proportionality, suspend or withdraw the certificate issued or impose restrictions on it, unless compliance with those requirements is ensured by appropriate corrective action taken by the provider within an appropriate deadline set by the notified body. The notified body shall give reasons for its decision.
An appeal procedure against decisions of the notified bodies, including on certificates issued, shall be available. This gives providers a formal route to contest suspension, withdrawal or refusal decisions.
How to Manage Certificates in Practice
- Determine early whether your conformity assessment route involves a notified body at all, since this changes timelines and budgets substantially; Annex VII assessment includes scrutiny of the Article 17 quality management system and the Annex IV technical documentation.
- Plan around the validity clock. For an Annex III system, a four-year maximum validity means the re-assessment cycle must be in the compliance calendar from day one, with lead time for the notified body's availability.
- Keep the certified state stable. The certificate attaches to the assessed system and QMS; substantial modifications outside any predetermined-change envelope can require new assessment, so change management under the QMS is what protects the certificate.
- Maintain the document set: Article 18 requires the provider to keep notified body decisions and documents for ten years, the authorised representative holds copies under Article 22, and importers keep a copy of the certificate under Article 23.
- Respond to findings fast. The corrective-action window in Article 44(3) is the difference between continuity and a suspended certificate, which in practice interrupts the lawful placing on the market of the system.
- Know the appeal route of your notified body, and document all correspondence, since suspension decisions and their reasons may also reach market surveillance authorities through the information duties of Article 45.
A Concrete Example
A provider of a remote biometric identification system follows the Annex VII procedure with a notified body. The body assesses the provider's quality management system and technical documentation and issues a certificate valid for four years, written in a language the authorities of its Member State easily understand. Three years in, the provider books the re-assessment; the notified body re-examines the QMS and the updated documentation, and extends validity for a further period of up to four years. When an interim audit later finds that the provider's data governance procedures have drifted from the documented process, the body sets a sixty-day corrective deadline; the provider remediates within it, and the certificate survives without suspension.
How Article 44 Connects to Other Provisions
Article 44 operates inside the conformity assessment framework of Article 43 and Annex VII, downstream of the notified body rules in Articles 29 to 39. Article 45 obliges notified bodies to inform their notifying authority, and in defined cases other notified bodies, about certificates issued, refused, suspended, withdrawn or restricted. A valid certificate underpins the EU declaration of conformity under Article 47 and the CE marking under Article 48, where the marking is followed by the identification number of the notified body responsible. Derogations exist in Article 46, under which market surveillance authorities can authorise placing specific high-risk systems on the market for exceptional reasons before assessment is completed.
Actions to Take Before August 2, 2026
Providers whose systems will need notified body involvement face the tightest calendar in the AI Act, because notified bodies for AI are still being designated and capacity will be scarce in the first cycles. Identify your assessment route now, prepare the QMS and technical documentation to assessment-ready standard, and engage a notified body as early as possible. Providers on the internal-control route should still understand Article 44, since reclassification, future Annex changes or customer requirements can bring third-party assessment into scope. This article provides general information about Regulation (EU) 2024/1689 and is not advice on any specific assessment.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.