The classic trap
Article 34 targets notified bodies, but the trap snaps shut on providers of high-risk AI systems who feel safe because they hold a certificate. In reality, the notified body must be able to hand over all your documentation to the notifying authority (Article 28) upon simple request, including your internal technical evidence. If your file is incomplete, scattered or not reproducible on the day the authority starts monitoring, the non-conformity is attributed to you, not to the body. At European level, the EU AI Office (Brussels) oversees the consistency of this framework, and the CNPD remains competent as soon as personal data feeds training or inference.
What the notified body can demand from you at any time
Paragraph 2 does require the body to take account of your size and to ease the burden on micro and small enterprises within the meaning of Recommendation 2003/361/EC. But it keeps the same degree of rigour on substance. In practice you must be able to produce, continuously and reproducibly:
- The full technical file aligned with the Article 43 conformity assessment procedure, version by version.
- The training, validation and test datasets with their traceability and governance.
- The risk management logs, the robustness, accuracy and cybersecurity metrics.
- The documentation of upstream subcontractors and suppliers (base models, third-party datasets, cloud infrastructure).
- The post-market monitoring evidence and the version chain of the system.
The operational risk is not the initial audit: it is the surprise request from the notifying authority, months later, where you must reconstruct the exact state of the system at a given date.
How Luxgap automates this risk
Our Luxgap Notified Body Dossier makes a documentation gap impossible on the day a notifying authority requests it: it continuously maintains a timestamped, versioned and reproducible technical file, ready to be transmitted to the notified body within minutes. The tool plugs into your MLOps pipelines (Azure ML, AWS SageMaker, MLflow, GitLab CI, Hugging Face Hub) and automatically captures every model version, dataset and metric without asking your data team to fill in a single form.
- Automatically captures every training run, dataset and hyperparameter from MLflow, SageMaker and Azure ML, and freezes a reproducible snapshot per version.
- Generates the technical file structured along Annex IV and the Article 43 assessment procedure, ready for the notified body.
- Traces the upstream chain of base models and third-party datasets (Hugging Face, cloud providers) and alerts on traceability breaks.
- Computes and archives the required robustness, accuracy and cybersecurity metrics, with their full history.
- Adapts the documentation depth to your status as a micro or small enterprise within the meaning of Recommendation 2003/361/EC, without lowering the degree of rigour on substance.
- Produces a timestamped and sealed PDF package, enforceable before the Article 28 notifying authority, reconstructing the exact state of the system at any requested date.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams prepare a demonstration on your real scope, with a free blank audit within 48h to measure your exposure before any commitment.