Article 23 — Obligations of importers (EU AI Act)

Article 23 of Regulation (EU) 2024/1689 — Obligations of importers. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 23 of Regulation (EU) 2024/1689 (the EU AI Act) establishes the compliance obligations incumbent upon importers of high-risk AI systems. The article sits within Title III, Chapter 3, which governs the obligations of providers, deployers, importers, and distributors.

Under Article 23, before placing a high-risk AI system on the market, an importer must verify that:

1. the relevant conformity assessment procedure has been carried out by the provider;
2. the provider has drawn up the technical documentation required by Annex IV;
3. the system bears the required CE marking and is accompanied by the EU Declaration of Conformity and instructions for use;
4. the provider has appointed an authorised representative in the Union pursuant to Article 22.

Where an importer has reason to believe that a system is not in conformity with the Regulation, they are prohibited from placing it on the market until conformity is established. If the system presents an unacceptable risk as referred to in Article 6, the importer must inform the provider, the authorised representative, and the relevant market surveillance authorities.

Importers must also ensure that, while a high-risk AI system is under their responsibility, storage and transport conditions do not jeopardise its conformity. They must indicate their name, registered trade name or mark, and postal address on the system or its packaging. Finally, importers must keep a copy of the EU Declaration of Conformity and technical documentation for ten years and cooperate fully with competent authorities.

What This Means in Practice

Article 23 has direct, concrete implications for any EU-established entity that sources and places on the EU market a high-risk AI system developed by a provider based outside the Union.

Who is affected. A European distributor that imports a high-risk AI hiring tool developed by a US software company is an importer under this article. Similarly, an EU subsidiary that places the parent company's (third-country) high-risk AI medical diagnostic system on the European market will be treated as an importer and bear the obligations described below. By contrast, if the non-EU provider appoints an authorised representative who acts on their behalf, the importer role and the associated obligations remain distinct from that representative's role.

What actions are required before placing the system on the market. Importers must conduct a due-diligence review of the provider's compliance package: they need to confirm the conformity assessment is complete, review the Declaration of Conformity, verify the CE marking, and check that the technical documentation (Annex IV) exists and is accessible. This is not a superficial tick-box exercise — if the documentation is missing or there are credible grounds for doubt about conformity, the importer must halt the process.

Ongoing obligations. Once the system is on the market, importers must maintain their own copy of the declaration and documentation for a decade, affix their contact details to the system or packaging, and report serious incidents or non-conformities to market surveillance authorities. They must also cooperate with any post-market surveillance or investigation requested by national authorities, and ensure that any storage or logistical handling does not degrade the system's conformity properties.

A practical example: an EU-based healthcare technology importer bringing in a third-country AI-powered triage system listed under Annex III must complete the full documentation review, confirm CE marking, label the product with their EU address, and retain records for ten years — before a single hospital is approached as a customer.

Key Obligations

• Pre-market conformity verification. Confirm that the provider has completed the applicable conformity assessment procedure under Article 43 and that all required documentation — technical file (Annex IV) and EU Declaration of Conformity — is available and up to date.
• CE marking and labelling check. Verify that the high-risk AI system bears a valid CE marking and that the importer's own name, trademark or mark, and postal address appear on the system or its packaging or accompanying documentation.
• Prohibition on placing non-conforming systems on the market. Refrain from placing any high-risk AI system on the market if there are reasonable grounds to believe it does not conform to the Regulation or poses an unacceptable risk; notify the provider, authorised representative, and relevant market surveillance authorities accordingly.
• Retention of documentation. Keep copies of the EU Declaration of Conformity and technical documentation for ten years from the date of placement on the market or entry into service, and make them available to competent authorities upon request.
• Incident and non-conformity reporting. Immediately inform the relevant national market surveillance authorities and the provider if a system already placed on the market is found to be non-conforming or presents a risk, and cooperate with any corrective or investigative action required.
• Preservation of conformity conditions. Ensure that storage, handling, and transport arrangements under the importer's responsibility do not jeopardise the conformity of the high-risk AI system with the requirements set out in Chapter 2 of Title III.

Relationship to Other Articles

Article 23 cannot be read in isolation. It is closely linked to Article 16 (Obligations of providers), which sets out the foundational compliance duties that the importer is verifying compliance with before market placement. Article 22 (Authorised representatives) is directly referenced: the importer must confirm that such a representative has been appointed, distinguishing the importer's role from that of the representative. Article 43 (Conformity assessment) defines the procedures whose completion the importer must verify.

On the documentation side, Annex IV specifies the technical documentation the importer must check exists, and Article 47 governs the EU Declaration of Conformity that must accompany the system. For post-market obligations, Article 72 (Post-market monitoring) and Article 73 (Reporting of serious incidents) provide the framework within which importer reporting duties operate. Article 25 (Obligations of distributors) is the natural companion provision, clarifying how obligations differ once the system moves further down the supply chain beyond the importer.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. However, its provisions apply in phases:

• February 2, 2025 — Prohibitions on unacceptable-risk AI practices (Title II, Article 5) became applicable. Importers are not directly implicated by these prohibitions but must be aware that systems they import cannot fall within these categories.
• August 2, 2025 — Provisions on general-purpose AI models (Title VIII) and governance structures became applicable. Article 23 does not govern GPAI models directly.
• August 2, 2026 — The high-risk AI system obligations under Title III, including Article 23, become fully applicable for systems covered by Annex III (the main category of high-risk AI systems). Importers of these systems must be fully compliant from this date.
• August 2, 2027 — Extended deadline for high-risk AI systems covered by Annex I (safety components under existing Union harmonisation legislation) that were already placed on the market before August 2, 2026.

Importers should treat August 2, 2026 as the hard deadline for establishing their due-diligence and documentation processes for all Annex III high-risk AI systems currently in their supply chain.