Article 22 of Regulation (EU) 2024/1689 — Authorised representatives of providers established outside the Union. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 22 of Regulation (EU) 2024/1689 establishes a mandatory gateway mechanism for providers of high-risk AI systems and general-purpose AI models who are established in third countries but who place those systems or models on the Union market or put them into service within the Union.
Such providers must, prior to making their AI system or GPAI model available in the EU, designate — by written mandate — an authorised representative established in the Union. The mandate must empower that representative to carry out a defined set of tasks in the provider's name: verifying that the EU declaration of conformity and the required technical documentation have been properly drawn up; ensuring registration in the EU database referred to in Article 71; and acting as the single identifiable point of contact for the AI Office and for national competent authorities in all matters pertaining to compliance with the Regulation.
The authorised representative must be included in the mandatory registration information and must have access to sufficient documentation to allow it to fulfil its obligations. The representative operates under a continuing duty to cooperate with competent authorities and to alert the provider immediately of any risk or non-compliance identified. Importantly, the appointment of an authorised representative does not relieve the third-country provider of its own obligations under the Regulation; both parties bear distinct responsibilities, with liability for the representative arising specifically from the tasks attributed in the mandate.
What This Means in Practice
Article 22 functions as the EU AI Act's equivalent of the "responsible person" or "authorised representative" concepts already familiar from product-safety legislation such as the Medical Device Regulation and the General Product Safety Regulation. Its practical effect is to ensure that a legally identifiable entity with a physical presence inside the EU is always reachable by regulators, regardless of where the AI system's developer is headquartered.
Who is affected. Any non-EU company — whether a US-based foundation model developer, a Singapore-based robotics software firm, or a UK-based HR-tech vendor — that offers a high-risk AI system or a GPAI model to EU customers, deployers, or users must put this structure in place. This includes companies that distribute through EU resellers or cloud marketplaces: the obligation attaches to the provider, not to the distribution channel.
What must be done. The provider must identify a natural or legal person based in an EU Member State, conclude a written mandate specifying the representative's authorised tasks, ensure the representative holds copies of (or secure access to) the relevant technical documentation and declarations of conformity, and register the representative's details in the EU database under Article 71.
Concrete example. A Canadian company developing an AI-based credit-scoring tool classified as high-risk under Annex III must contract an EU-established law firm, compliance consultancy, or a dedicated legal-entity subsidiary as its authorised representative before onboarding any EU bank as a customer. That representative's name, address, and contact details appear in the EU database and on product documentation, giving French or German market surveillance authorities an immediate domestic point of contact.
Ongoing obligation. The mandate is not a one-time filing. The representative must remain reachable, keep documentation current, and escalate any identified non-conformity to the provider promptly.
Key Obligations
- Mandatory written mandate. The provider must grant the authorised representative a formal, written mandate before placing the high-risk AI system or GPAI model on the EU market, explicitly setting out which tasks the representative is empowered to carry out on the provider's behalf.
- EU establishment requirement. The authorised representative must be a natural or legal person established inside the European Union; a representative based in a third country — including EEA EFTA states not covered by an equivalence arrangement — does not satisfy this requirement.
- Documentation access and verification. The representative must verify that the EU declaration of conformity and the technical documentation required under Articles 11 and 18 have been properly drawn up, and must retain access to those documents for the duration of the mandate.
- Registration in the EU database. The representative is responsible for ensuring that the provider's information — including the representative's own contact details — is registered in the EU database referred to in Article 71, and that registration is kept up to date.
- Point of contact for authorities. The authorised representative serves as the primary contact point for the AI Office and national competent authorities for all compliance, market surveillance, and enforcement inquiries relating to the AI system or GPAI model in scope.
- Duty to alert and cooperate. The representative must promptly inform the provider of any risk to health, safety, or fundamental rights or any suspicion of non-conformity that comes to its attention, and must cooperate fully with competent authorities upon request, including providing them with documentation and access to records.
Relationship to Other Articles
Article 22 operates within the broader Chapter 3 framework governing obligations of providers and deployers and must be read alongside several other provisions.
Article 16 sets out the full list of obligations applying to providers of high-risk AI systems; Article 22 effectively delegates the domestic execution of those obligations to the authorised representative where the provider is established outside the EU.
Articles 11 and 18 define the technical documentation and record-keeping obligations that the representative must verify have been fulfilled before the system is placed on the market.
Article 71 establishes the EU database in which the representative's details must be registered, making Article 22 a prerequisite for lawful registration by third-country providers.
Article 53 governs obligations specific to providers of general-purpose AI models; Article 22 extends the authorised representative requirement to this category, reinforcing that GPAI providers outside the EU face equivalent gatekeeping obligations.
Articles 74 and 75 on market surveillance are directly served by Article 22: competent authorities exercise their supervisory powers toward the authorised representative as a domestic enforcement anchor when the actual provider is unreachable.
Compliance Timeline
The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024, twenty days after publication in the Official Journal. Application is phased:
- 2 February 2025 — Provisions on prohibited AI practices (Article 5) became applicable. Article 22 does not yet apply in isolation at this stage, but providers should already be assessing whether their systems fall within high-risk or GPAI scope.
- 2 August 2025 — Obligations applying to general-purpose AI models (Title V, including Article 53) become applicable. Because Article 22 explicitly covers GPAI model providers, third-country GPAI providers must have their authorised representative in place by this date.
- 2 December 2026 — High-risk AI systems listed in Annex III that are already subject to existing EU product-safety legislation must comply with the full provider obligation chain, including Article 22 authorised representative requirements.
- 2 August 2027 — All remaining high-risk AI systems listed in Annex III become subject to the full set of obligations. Third-country providers of those systems who have not yet designated an authorised representative will be in breach as of this date.
Providers placing high-risk systems on the EU market for the first time after 2 August 2024 should treat the authorised representative requirement as a market-access prerequisite from the outset, rather than waiting for the relevant application date for their system category.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Any provider of a high-risk AI system or a general-purpose AI model who is established outside the European Union and places that system or model on the EU market or puts it into service within the Union must designate an authorised representative established in the EU before making the system available.
The authorised representative is mandated in writing by the provider to perform specific tasks on their behalf. These include verifying that the EU declaration of conformity and technical documentation have been drawn up, registering required information in the EU database, and serving as the contact point for national competent authorities and the AI Office on all compliance matters.
The authorised representative acts on behalf of the provider and can be held responsible by national competent authorities for non-compliance where the provider fails to fulfil its obligations. The mandate must explicitly set out the scope of the representative's tasks and the representative must cooperate fully with competent authorities.
Yes. Article 22 explicitly covers providers of general-purpose AI models (GPAI) placed on the Union market in addition to providers of high-risk AI systems. This extension reflects the broad market-access reach of GPAI models, many of which originate from non-EU jurisdictions.
Failure to designate an authorised representative where required constitutes a breach of Chapter 3 obligations. National market surveillance authorities can prohibit or restrict market access for the system concerned, and the provider may be subject to administrative fines under Article 99 of the Regulation.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.