Article 24 of Regulation (EU) 2024/1689 — Obligations of distributors. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 24 of Regulation (EU) 2024/1689 establishes the obligations incumbent upon distributors of high-risk AI systems within the meaning of Article 3(7). Before making a high-risk AI system available on the market, distributors must verify that it carries the required CE conformity marking, that it is accompanied by a copy of the EU declaration of conformity issued by the provider, and that the necessary instructions for use are provided in a language that can be readily understood by users in the Member State where the system is being made available.
Distributors are required to verify that the provider and, where applicable, the importer have complied with their respective obligations under Articles 16 and 23. Where a distributor has reason to believe that a high-risk AI system is not in conformity with the requirements of the Regulation, it must refrain from making the system available until conformity has been restored. If the system presents a risk, the distributor must inform the provider or importer and the competent market surveillance authorities accordingly.
Distributors must also cooperate with providers, importers, and competent authorities upon request, and must provide all information and documentation in their possession that is necessary to demonstrate the conformity of a high-risk AI system. Retention obligations for relevant documentation apply for a period of ten years after the system has been made available. Crucially, the article establishes the conditions under which a distributor assumes the full obligations of a provider: when it places a system on the market under its own name, modifies the system substantially, or changes its intended purpose in a way that meets the high-risk classification threshold.
What This Means in Practice
Article 24 directly affects any business that distributes high-risk AI systems without developing them — retailers of AI-powered medical devices, resellers of AI-based biometric systems, or platform operators supplying third-party AI tools to enterprise customers. The article imposes a due-diligence checkpoint before any distribution act.
Concretely, a distributor must carry out a compliance check before each placement: confirm the CE marking is present and valid, obtain and retain a copy of the EU declaration of conformity, and ensure product documentation and instructions for use are translated or otherwise accessible in the relevant Member State language. These are not one-time tasks — they apply each time the system is made available.
If an audit, customer complaint, or internal review surfaces a conformity concern, the distributor may not continue distribution and must escalate immediately to the provider or importer and, if a risk to health, safety, or fundamental rights is present, to market surveillance authorities such as national AI authorities designated under Article 70.
The role-escalation provision is particularly consequential. A distributor that rebrands a high-risk AI system, makes functional modifications that alter performance or intended purpose, or changes the deployment context in a material way will be reclassified as a provider. At that point, it inherits the full obligation set under Article 16, including conformity assessment, registration in the EU database, post-market monitoring, and technical documentation. Businesses should conduct a legal mapping exercise before modifying any acquired AI system to determine whether the modification threshold is crossed.
Key Obligations
- Pre-distribution conformity verification: Before making a high-risk AI system available, confirm the CE marking, the EU declaration of conformity, and accessible instructions for use are all present and complete.
- Suspending non-compliant systems: If there is reason to believe a system does not conform with Regulation (EU) 2024/1689, halt distribution immediately and notify the provider, importer, and, where a risk exists, the competent market surveillance authority.
- Cooperation with authorities: Upon request, provide all information and documentation held by the distributor to demonstrate conformity, and cooperate with investigations conducted by competent authorities.
- Ten-year documentation retention: Maintain all relevant compliance documentation for ten years from the date the high-risk AI system was made available on the market.
- Provider obligation assumption: Where a distributor places a system on the market under its own name or trademark, substantially modifies it, or changes its intended purpose to a high-risk use case, it must assume all provider obligations under Article 16.
- Risk reporting: If a distributed system poses a risk to health, safety, or fundamental rights, the distributor must immediately inform the provider or importer and the relevant market surveillance authorities, providing details of the non-conformity and any corrective action taken.
Relationship to Other Articles
Article 24 sits within Title III, Chapter 3, which governs the full chain of responsibility for high-risk AI systems. It is closely linked to Article 16 (obligations of providers), as Article 24 repeatedly uses provider obligations as the compliance baseline that distributors must verify and, in certain circumstances, assume directly. Article 23 (obligations of importers) is a direct counterpart: distributors must verify that importers have fulfilled their own pre-distribution checks. Article 3 provides the definitions of distributor, provider, importer, and substantial modification that determine which obligations apply.
Article 47 (EU declaration of conformity) and Article 48 (CE marking) define the documentation and marking that distributors are required to check. Articles 72 to 74 on post-market monitoring and serious incident reporting intersect with distributor obligations when a risk materialises after distribution. Market surveillance and enforcement obligations under Articles 74 to 83 govern how competent authorities interact with distributors when investigating non-compliance.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024 (20 days after publication in the Official Journal on 12 July 2024). The phased application schedule is as follows:
- 2 February 2025 — Prohibitions on unacceptable-risk AI practices (Title II, Article 5) became applicable.
- 2 August 2025 — General-purpose AI model obligations (Title VIII) and governance provisions became applicable.
- 2 August 2026 — Article 24 obligations apply in full to distributors of high-risk AI systems listed in Annex III (standalone high-risk AI systems across sectors such as education, employment, law enforcement, and access to essential services).
- 2 August 2027 — Article 24 obligations apply to distributors of high-risk AI systems embedded in products governed by the Union harmonisation legislation listed in Annex I (e.g. machinery, medical devices, civil aviation equipment).
Distributors placing Annex III systems on the market should already be engaged in compliance preparation, given the 2 August 2026 deadline. Those dealing exclusively with Annex I product-embedded systems have additional time but should begin supply-chain due diligence and documentation processes without delay.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
A distributor is any natural or legal person in the supply chain, other than the provider or the importer, that makes a high-risk AI system available on the Union market without modifying it. Retailers, resellers, and wholesalers who supply AI systems downstream without altering them typically fall within this definition.
Distributors must verify, before making a high-risk AI system available, that it bears the required CE marking, is accompanied by the EU declaration of conformity, and has the required instructions for use in a language accessible to users in the Member State where it is made available.
Yes. If a distributor places a high-risk AI system on the market under its own name or trademark, makes a substantial modification to the system, or changes its intended purpose in a way that triggers the high-risk classification, it assumes the obligations of a provider under Article 16.
A distributor that has reason to believe that a high-risk AI system is not in conformity with the EU AI Act must not make it available until conformity is established. It must inform the provider or importer and, where necessary, the relevant market surveillance authorities.
Article 24 applies to high-risk AI systems listed in Annex III from 2 August 2026, and to high-risk AI systems covered by Annex I (product safety legislation) from 2 August 2027. The EU AI Act entered into force on 1 August 2024.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.