Article 70 of Regulation (EU) 2024/1689 — Access to data and documentation. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 70 of Regulation (EU) 2024/1689 establishes the conditions under which national market surveillance authorities may obtain access to the data, documentation, and information held by providers and deployers of high-risk AI systems. Under Article 70(1), providers must grant competent authorities, upon a reasoned request, full access to the technical documentation required under Article 11 and to any additional documentation, source code where strictly necessary, training and validation datasets, testing data, and evaluation results needed to verify compliance with the Regulation.
Article 70(2) extends this obligation to deployers of high-risk AI systems in certain contexts, requiring them to grant access to logs automatically generated by the system that are under their control, as provided for in Article 12. Article 70(3) specifies that all information and documentation obtained by authorities in the course of their supervisory activities must be treated as confidential in accordance with Union and national law, in particular with respect to trade secrets, while simultaneously prohibiting the use of confidentiality as an absolute shield against legitimate supervisory access.
Article 70(4) addresses AI systems with dual civil and national-security dimensions, permitting Member States to designate specific oversight arrangements where classified or sensitive national security information is involved. The article thus balances transparency and effective supervision against the legitimate protection of commercially sensitive and security-sensitive information.
What This Means in Practice
Article 70 creates a concrete obligation for providers of high-risk AI systems to maintain documentation in a state that is immediately accessible to regulators — not merely archived in a form that would require significant reconstruction. Organisations that develop or place high-risk AI systems on the EU market (Annex III categories: biometric identification, critical infrastructure, education, employment, essential services, law enforcement, migration, administration of justice, and democratic processes) must treat documentation readiness as an ongoing operational requirement rather than a one-off certification exercise.
In practice, this means that when a national market surveillance authority — for example, the French CNIL acting in its AI supervisory capacity, a national financial regulator, or a product safety authority — issues a reasoned access request, the provider must be able to produce within the requested timeframe: complete technical documentation under Article 11, training and validation dataset descriptions, testing protocols and results, post-market monitoring data, and logs generated under Article 12 where those logs remain in the provider's control.
Deployers who retain control over system logs face a parallel obligation to produce those logs on request. A hospital deploying an AI-assisted diagnostic tool, for example, must be able to supply inference logs to the relevant authority if those logs remain within the hospital's infrastructure. Providers and deployers should establish internal access-management procedures, designate a regulatory liaison, and implement data retention policies aligned with the documentation periods required under the Regulation. Where trade secrets are at stake, legal counsel should prepare proportionate redaction protocols that allow meaningful access without unnecessary disclosure.
Key Obligations
- Full documentation access on request: Providers must grant competent authorities access to all technical documentation, datasets, evaluation results, and source code where strictly necessary to assess conformity, upon a reasoned supervisory request.
- Log access by deployers: Deployers of high-risk AI systems must grant access to automatically generated logs under their control, enabling authorities to reconstruct the operational history of the system.
- Confidentiality of supervisory information: Authorities receiving information under Article 70 must treat it as confidential in accordance with applicable Union and national law, protecting legitimate trade secrets and sensitive data obtained during inspections.
- No absolute trade-secret shield: Confidentiality interests cannot be invoked to entirely block supervisory access; authorities retain the right to obtain information necessary to fulfil their mandate even where commercial sensitivity is claimed.
- Special arrangements for national security: Member States may establish specific oversight channels for AI systems touching on national security or classified matters, ensuring supervision without compromising sensitive state information.
- Proactive documentation readiness: Implicit in the article is the obligation to maintain documentation in a retrievable, up-to-date condition throughout the system's lifecycle, not merely at the point of initial conformity assessment.
Relationship to Other Articles
Article 70 is the operational backbone of the market surveillance framework established in Title VII (Governance). It must be read in direct conjunction with Article 11 (technical documentation obligations), Article 12 (record-keeping and logging requirements for high-risk systems), and Article 72 (post-market monitoring obligations), which define the documents and data that authorities are entitled to access.
It connects to Articles 74–79, which establish the powers and procedures of market surveillance authorities, including corrective measures and enforcement actions that are triggered when access is refused or documentation is found to be deficient. Penalty provisions under Article 99 apply when providers obstruct supervisory access.
For GPAI model providers, Articles 53 and 55 impose parallel documentation and transparency obligations toward the AI Office, creating a complementary upstream documentation regime. Article 78 addresses the confidentiality duties of authorities in more detail, reinforcing the confidentiality protections mentioned in Article 70(3).
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after its publication in the Official Journal of the European Union.
Article 70, as part of Title VII (Governance), falls under the general application date of 2 August 2026 — the date from which the majority of the Regulation's substantive obligations become fully enforceable for high-risk AI systems. Providers and deployers of high-risk AI systems listed in Annex III must be fully compliant with documentation, logging, and access-readiness requirements by that date.
For high-risk AI systems covered by Annex I (product safety legislation), full application is extended to 2 August 2027, giving manufacturers in regulated product sectors (medical devices, machinery, civil aviation) additional time to align with EU AI Act obligations including Article 70 documentation access requirements.
Prohibited AI practice rules became applicable on 2 February 2025, and GPAI model obligations under Title VIII became applicable on 2 August 2025. Organisations should note that even before the August 2026 general application date, national supervisory bodies are being established and documentation frameworks should be treated as a live compliance priority from mid-2025 onward.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 70 requires providers and, where applicable, deployers of high-risk AI systems to grant market surveillance authorities access to their technical documentation, training data, testing data, and any other information necessary to assess conformity with the Regulation. This access must be provided upon reasoned request and within a defined timeframe.
Article 70 primarily targets high-risk AI systems under Annex III and III-listed systems. However, providers of general-purpose AI (GPAI) models may face overlapping documentation obligations under Title VIII (Articles 53–56). Market surveillance authorities can also request information from GPAI providers where those models are integrated into high-risk systems.
Authorities can request technical documentation prepared under Article 11, logs kept under Article 12, information on post-market monitoring under Article 72, and any datasets, evaluation results, or testing records used to demonstrate conformity. Trade secrets are protected subject to applicable national and Union law, but that protection cannot be used to block legitimate supervisory access.
Refusal or obstruction of access constitutes a breach of the Regulation and can trigger enforcement action by the competent national authority, including corrective measures, market withdrawal orders, and administrative fines under Article 99 of the EU AI Act.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.