v2.4.0 | Report Errata
docs governance docs governance

Article 43(1) establishes the conformity assessment regime for high-risk AI systems referred to in Annex III, point 1 (biometric identification), in so far as those systems are used for the purposes of law enforcement, migration, asylum, and border control management. Where the provider has applied harmonised standards or common specifications, the provider may choose between internal control under Annex VI or third-party assessment under Annex VII involving a notified body. Where harmonised standards have not been applied, or do not exist, or common specifications are unavailable, the provider must follow the Annex VII procedure, which requires notified body involvement. Biometric identification systems used outside of these specific domains follow the standard Annex VI internal control procedure applicable to other Annex III high-risk systems.

For Annex VII assessments where the system is intended for use by law enforcement, immigration or asylum authorities, or EU institutions, the market surveillance authority acts as the notified body rather than a freely chosen one. This does not exempt such systems from third-party assessment; it designates a specific entity to perform it. For all other Annex III high-risk systems (points 2 to 8), internal control under Annex VI is the required procedure, without notified body involvement.

The designation of notified bodies under the AI Act is proceeding gradually. As of early 2026, only a small number of bodies have been formally designated. Organisations anticipating mandatory or voluntary third-party assessment should monitor the NANDO database for AI Act-designated bodies and engage early to understand assessment methodology, timeline, and fees.

Key outputs

  • Annex III point 1 (biometrics): Annex VI or Annex VII depending on harmonised standard application
  • Annex VII mandatory where harmonised standards not applied or unavailable
  • Law enforcement systems: market surveillance authority acts as notified body
  • Annex III points 2–8: internal control under Annex VI (no NB involvement)
  • NANDO database monitoring for designated bodies
  • Voluntary NB engagement available for non-biometric high-risk systems
On This Page