Article 21 of Regulation (EU) 2024/1689 — Cooperation with competent authorities. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 21 of Regulation (EU) 2024/1689 (the EU AI Act) establishes a general obligation for providers of high-risk AI systems to cooperate with competent national authorities upon request. Under this provision, providers — and, where applicable, their authorised representatives — must supply competent authorities with all information and documentation necessary to demonstrate that the high-risk AI system in question complies with the requirements set out in Chapter 2 of Title III. This cooperation obligation extends to granting access to the AI system itself where the competent authority considers such access necessary to fulfil its supervisory or market surveillance duties.
The article operates within the broader market surveillance framework of the Regulation and must be read in conjunction with the enforcement powers conferred on national authorities under Title X. It does not create a proactive disclosure obligation in the ordinary course of business; rather, it activates upon a formal or informal request from a supervisory body. The obligation is unconditional in scope: providers cannot refuse cooperation on grounds of commercial confidentiality, trade secrecy, or proprietary concern, though the Regulation provides separate safeguards for the handling of confidential information by authorities. Article 21 effectively functions as the bridge between the conformity obligations imposed on providers and the enforcement capacity of the regulatory infrastructure established by the Member States and the European AI Office.
What This Means in Practice
For providers of high-risk AI systems, Article 21 demands that a structured, audit-ready compliance posture be maintained at all times — not merely at the point of conformity assessment. When a national market surveillance authority, a notified body acting under delegation, or the European AI Office initiates an inquiry, the provider must be in a position to respond promptly with comprehensive technical documentation, conformity assessment results, risk management records, and post-market monitoring data.
Who is affected. Providers placing high-risk AI systems (listed in Annex III or covered by Annex I sector legislation) on the EU market are the primary duty-bearers. Authorised representatives acting on behalf of third-country providers carry the same obligation within their mandate. Deployers are not the primary addressees of Article 21, but may be drawn into cooperation procedures where their operational data or access to the deployed system is required by an authority.
Concrete examples. A medical device manufacturer integrating an AI-driven diagnostic tool must, upon request, hand over the full technical file including training data descriptions, validation protocols, and post-deployment monitoring logs. A recruiter deploying an AI-assisted CV-screening tool categorised as high-risk under Annex III must facilitate authority access to the system's decision logic and configuration parameters if an investigation is opened.
Operational preparation. Organisations should designate a regulatory liaison function, maintain version-controlled technical documentation, and establish an internal protocol for authority requests, including legal review timelines that do not impede timely cooperation.
Key Obligations
- Supply documentation on request. Providers must furnish competent authorities with all information and technical documentation necessary to assess compliance with Chapter 2 of Title III, including the technical file required under Article 11 and logs maintained under Article 12.
- Grant access to the AI system. Where a competent authority determines that inspection of or interaction with the AI system is necessary, providers must facilitate such access without undue delay or obstruction.
- Cooperate through authorised representatives. Third-country providers must ensure their EU-established authorised representative is empowered to fulfil cooperation obligations fully on their behalf, as required under Article 22.
- Maintain information in retrievable form. The practical utility of Article 21 depends on documentation being current, accurate, and retrievable. Providers must not allow technical records to become outdated or inaccessible at the point a request is received.
- Refrain from obstruction. Any act or omission that impedes, delays, or frustrates a supervisory inquiry — including selective disclosure, destruction of records, or withholding access credentials — constitutes a breach of Article 21 and may trigger penalties under Article 99.
- Extend cooperation to post-market surveillance activities. Article 21 cooperation is not limited to pre-placement conformity checks; it encompasses ongoing supervisory oversight throughout the lifecycle of the high-risk AI system.
Relationship to Other Articles
Article 21 sits at the intersection of provider obligations and regulatory enforcement and cannot be read in isolation. It depends directly on Article 11 (technical documentation) and Article 12 (record-keeping and logging), since those provisions define the corpus of information a provider must be able to supply. It connects to Article 17 (quality management system), which governs the organisational processes underpinning documentary readiness. Article 22 (authorised representatives) operationalises Article 21 for third-country providers by designating who bears cooperation duties in the EU. On the enforcement side, Article 21 feeds into the market surveillance regime of Title X (Articles 74–76), the powers of the European AI Office under Title VIII, and the penalty framework of Article 99, which attaches sanctions to non-cooperation. Article 9 (risk management) is also relevant, as authorities may probe whether risk identification and mitigation records are adequate. Reading Article 21 alongside Articles 13 (transparency) and 14 (human oversight) gives a complete picture of the information environment providers must maintain.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. Its provisions apply on a phased schedule:
- 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Title II) became applicable. Article 21 itself was not yet in force for high-risk systems.
- 2 August 2025 — Provisions on general-purpose AI models (Title VIII) and obligations of the European AI Office became applicable.
- 2 August 2026 — Article 21, together with the full suite of Title III obligations for high-risk AI systems listed in Annex III (other than those covered by earlier sectoral law), becomes applicable. Providers whose systems fall under this category must be fully cooperation-ready by this date.
- 2 August 2027 — High-risk AI systems governed by the Union harmonisation legislation listed in Annex I (e.g., medical devices, machinery, aviation) that are already subject to conformity assessment procedures have until this date before the full AI Act high-risk obligations, including Article 21, apply to legacy products.
Providers should treat the period leading up to their applicable date not as a grace period but as implementation time: technical documentation, logging infrastructure, and internal cooperation protocols should be operational well in advance of the deadline.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 21 applies primarily to providers of high-risk AI systems, as well as their authorised representatives established in the EU. Deployers may also be subject to cooperation obligations where competent authorities require information or access relevant to a deployed high-risk AI system.
Providers must supply competent authorities with all information and documentation requested to demonstrate conformity with the requirements of Title III, Chapter 2. This includes access to technical documentation, logs, and test results. Cooperation must be timely and complete — withholding relevant information or obstructing an inquiry constitutes a breach of Article 21.
High-risk AI systems placed on the market or put into service before the relevant application dates may benefit from transitional provisions, but once those periods expire, full cooperation obligations apply. Providers should not assume legacy systems are exempt from supervisory scrutiny.
Yes. Article 21 is broad enough to encompass requests for access to the AI system, its components, and its operational environment where this is necessary for the authority to fulfil its supervisory mandate. Providers should be prepared for both documentary and technical forms of cooperation.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.