Article 20 — Corrective actions and duty of information (EU AI Act)

Article 20 of Regulation (EU) 2024/1689 — Corrective actions and duty of information. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 20 of Regulation (EU) 2024/1689 establishes a mandatory corrective action and information duty for providers of high-risk AI systems. Where a provider has reason to believe that a high-risk AI system it has placed on the market or put into service is no longer in conformity with the requirements set out in Chapter 2 of Title III, that provider must immediately take the necessary corrective actions to bring the system back into conformity, to withdraw it, or to recall it, as appropriate.

The provider is simultaneously obliged to inform the distributors of the system and, where applicable, the authorised representative, deployers, and any other relevant third parties of the non-conformity and the corrective measures taken. Where the AI system presents a risk within the meaning of Article 79(1), the provider must also immediately notify the competent national authorities of the Member States in which it made the system available and, where applicable, the notified body that issued a certificate for the system, providing details of the non-conformity and the corrective actions undertaken.

The article therefore combines two distinct but linked obligations: an operational obligation to act and restore conformity, and an informational obligation to ensure that all actors in the supply and deployment chain — including market surveillance authorities — are made aware of the situation and the steps being taken to address it. This dual structure ensures that risks do not remain siloed within the provider's organisation but are surfaced promptly across the regulatory and commercial ecosystem.

What This Means in Practice

For organisations that develop or place high-risk AI systems on the EU market, Article 20 creates a standing obligation that is permanently active throughout the system's lifecycle. Compliance cannot be treated as a point-in-time exercise limited to the initial conformity assessment.

Who is affected: Any provider of a high-risk AI system within the scope of Annex III, or systems subject to the high-risk classification rules of Article 6. This includes manufacturers, importers placing a third-party system on the EU market under their own name, and legal entities in third countries whose systems are used in the EU via an authorised representative.

What triggers action: The threshold is "reason to believe" — a deliberately low evidentiary bar. A provider does not need certainty of non-conformity; a credible basis for concern, whether arising from internal post-market monitoring data, a deployer's report, a user complaint, or a regulator's inquiry, is sufficient to activate the obligation.

Concrete example: A provider of a high-risk AI system used in credit scoring detects through its post-market monitoring process (required under Article 72) that the system's accuracy has degraded significantly for a protected demographic group, raising a potential violation of the bias and robustness requirements under Articles 9 and 15. Under Article 20, the provider must promptly assess corrective options (retraining, parameter adjustment, temporary suspension), implement the chosen action, notify all deployers currently using the system, and inform the relevant national market surveillance authority if the degradation constitutes a risk under Article 79(1).

Documentation: All corrective actions and notifications should be recorded in the technical documentation maintained under Article 18 and the logs retained under Article 19, as these will be the primary evidence reviewed by authorities.

Key Obligations

Immediate corrective action: Take all necessary measures to restore conformity, withdraw the system from the market, or recall it from deployers and users, proportionate to the nature and severity of the non-conformity identified.
Supply chain notification: Inform distributors, authorised representatives, and deployers of the non-conformity and the corrective actions taken, without undue delay.
Authority notification: Where the non-conformity presents a risk within the meaning of Article 79(1), notify the competent market surveillance authorities of all affected Member States and any notified body that issued a certificate for the system.
Provision of information: Supply national authorities and notified bodies with full details of the non-conformity, its potential consequences, and the corrective measures implemented or planned.
Ongoing vigilance: Maintain the post-market monitoring systems required under Article 72 to ensure that circumstances giving rise to non-conformity are detected promptly and do not persist unaddressed.
Documentation of actions: Record all corrective decisions, notifications issued, and authority communications as part of the ongoing technical and quality management obligations under Articles 17, 18, and 19.

Relationship to Other Articles

Article 20 sits at the operational heart of the provider's lifecycle obligations and connects to several other provisions.

It is upstream of Article 73 (serious incident reporting), which applies specifically when a high-risk AI system causes or contributes to a serious incident; the two regimes may be triggered simultaneously and must be managed in parallel. It is downstream of Article 72 (post-market monitoring), which is the primary mechanism through which providers will detect the non-conformities that activate Article 20.

The corrective action obligation is also closely linked to Article 9 (risk management system) and Articles 15 and 17 (accuracy, robustness, and quality management), since the adequacy of those systems will determine whether non-conformity is detected and remedied in a timely manner. Article 26 creates a complementary duty on deployers to report suspected non-conformities back to providers, making deployers an important upstream source of information feeding into the Article 20 trigger. Finally, Article 21 addresses the cooperation obligations of providers once authorities have formally intervened, and should be read as the regulatory enforcement counterpart to the voluntary corrective action duty under Article 20.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024 (twenty days after publication in the Official Journal on 12 July 2024). Article 20 falls within Title III, Chapter 3 and applies to high-risk AI systems. The phased application schedule is as follows:

February 2025: Provisions on prohibited AI practices (Title II) became applicable.
August 2025: Rules on general-purpose AI models (Title VIII, Chapter 2) became applicable.
August 2026: Obligations for high-risk AI systems listed in Annex III used by public authorities became applicable.
December 2026 (primary high-risk deadline): The full suite of Title III obligations — including Article 20 — became applicable to providers of high-risk AI systems covered by Annex III. Providers whose systems were already on the market prior to this date benefited from a transitional period but must now comply fully.
August 2027: Extended deadline for certain high-risk AI systems that are components of large-scale EU IT systems or are subject to harmonised standards not yet published at the time of entry into force.

For most providers of Annex III high-risk AI systems, Article 20 is fully applicable from December 2026, and corrective action and information processes should already be operational.

Official AI Act Compliance Deadline Calendar

Updated 2026-06-22 · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

Obligation	Applies to	Original date	New date	Status	Countdown	Legal basis
Prohibited Practices (Art. 5)	All providers and deployers	2 February 2025	2 February 2025	active	—	AI Act Art. 5
GPAI Rules (Chapter 5)	GPAI model providers	2 August 2025	2 August 2025	active	—	AI Act Art. 51-56
High-risk AI — Annex III (standalone)	Providers of standalone Annex III systems	2 August 2026	2 December 2027	deferred	—	AI Omnibus 2026 Art. 6(2)
High-risk AI — Annex I (embedded)	AI embedded in Annex I regulated products	2 August 2026	2 August 2028	deferred	—	AI Omnibus 2026 Art. 6(1)
AI-Generated Content Marking	Providers of generative GPAI systems	2 August 2025	2 August 2025	active	—	AI Act Art. 50(2)
Regulatory Sandboxes	National competent authorities	2 August 2026	2 August 2026	active	—	AI Act Art. 57

⬇ Download JSON · CC BY 4.0

AI Act meets DORA and NIS2

Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.

Explore regulation-dora.eu ↗

Frequently Asked Questions

What triggers the corrective action obligation under Article 20?

Article 20 is triggered when a provider has reason to believe that a high-risk AI system it has placed on the market or put into service is no longer in conformity with the requirements of Chapter 2 of Title III. This includes situations where non-conformity is identified by the provider itself, reported by a deployer, or flagged through post-market monitoring activities.

Who must providers notify under Article 20?

Providers must notify the competent national market surveillance authorities of the Member States in which they made the system available, as well as any notified body involved in the conformity assessment, distributors, and deployers of the affected high-risk AI system. The notification must cover both the non-conformity identified and any corrective actions taken.

Does Article 20 apply to deployers as well as providers?

Article 20 places the primary obligation on providers. However, deployers have a complementary duty under Article 26 to inform providers when they have reason to believe that use of a high-risk AI system presents a risk or that the system is no longer in conformity. Article 20 and Article 26 therefore work in tandem across the supply chain.

What corrective actions can a provider be required to take under Article 20?

Corrective actions include bringing the AI system back into conformity, withdrawing it from the market, recalling it from deployers and users, and disabling access to the system where technically feasible. The appropriate action depends on the nature and severity of the non-conformity and the risk presented to health, safety, or fundamental rights.

How does Article 20 interact with the serious incident reporting obligation?

Article 20 addresses structural non-conformity with the Chapter 2 requirements, while Article 73 specifically governs reporting of serious incidents. In practice, a serious incident may reveal systemic non-conformity that triggers the Article 20 corrective action duty simultaneously. Providers must manage both obligations in parallel when the facts warrant it.

Stay ahead of AI Act changes

Get compliance alerts when deadlines or obligations change.

No spam. One-click unsubscribe.