Article 74 — Market surveillance and control of AI systems in Union territory (EU AI Act)

Article 74 of Regulation (EU) 2024/1689 — Market surveillance and control of AI systems in Union territory. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 74 of Regulation (EU) 2024/1689 establishes the framework for market surveillance and control of AI systems within EU territory, forming the enforcement backbone of Title IX. It requires Member States to designate market surveillance authorities in accordance with Regulation (EU) 2019/1020 on market surveillance and compliance of products, which applies mutatis mutandis to AI systems covered by the EU AI Act except where the AI Act provides specific derogations.

The article confers on designated national authorities the power to investigate AI systems already placed on the market or put into service, whether supplied commercially or otherwise. Authorities are entitled to access technical documentation, training datasets, source code where necessary and proportionate, and any other information required to assess conformity. They may order operators — providers, deployers, importers, and distributors — to take corrective action, including restricting or prohibiting use, withdrawing a system from the market, or organising a recall.

Where an AI system presents a serious risk, national authorities must notify the Commission and all other Member States through established rapid alert mechanisms. Article 74 also addresses the situation where AI systems are embedded in products regulated by other Union harmonisation legislation, clarifying that the relevant sectoral market surveillance authority retains competence while applying the AI Act's requirements in coordination with the general surveillance framework. For general-purpose AI models, the European AI Office exercises equivalent supervisory functions at the Union level, ensuring coherent oversight for AI components that operate across national boundaries and product categories.

What This Means in Practice

For organisations that develop, import, distribute, or deploy AI systems within the EU, Article 74 transforms the conformity assessment process from a one-time gate into an ongoing compliance obligation. Achieving CE marking or completing an internal conformity assessment does not immunise a system from post-market scrutiny. Authorities can initiate investigations at any point during the system's operational life, triggered by complaints, incidents reported through the serious incident notification mechanism under Article 73, or proactive surveillance campaigns.

Providers must ensure that technical documentation remains current, accessible, and sufficiently detailed to support an authority's audit. If a system is updated — through model retraining, fine-tuning, or significant changes to intended purpose — the documentation must reflect those changes and, where required, a new conformity assessment may be needed.

Deployers of high-risk AI systems should expect that authorities may contact them directly to understand how a system is being used in practice, particularly where the deployed context differs from the provider's originally envisaged use case. Deployers must cooperate fully and should maintain operational logs and human oversight records as evidence of compliant use.

Importers and distributors bear responsibility for verifying that the products they handle carry valid documentation and markings before placing them on the EU market, since Article 74 can result in corrective orders directed at any actor in the supply chain.

Practically, organisations should establish internal procedures for responding to market surveillance inquiries, appoint a designated compliance contact, and conduct periodic internal reviews to ensure the system's real-world performance continues to match its conformity assessment baseline.

Key Obligations

• Designate cooperation points: Providers, deployers, importers, and distributors must identify internal contacts capable of engaging promptly with national market surveillance authorities and providing access to required documentation.
• Maintain accessible technical documentation: All documentation required under Article 11 and Annex IV must remain up to date and be made available to market surveillance authorities upon request, including for systems already in deployment.
• Cooperate with investigations: Operators must respond to official enquiries, grant access to premises and systems where requested, and not obstruct or delay surveillance activities — non-cooperation may itself constitute a breach subject to penalties under Article 99.
• Report serious incidents: Where providers or deployers become aware of a serious incident as defined under Article 3, they must notify the relevant market surveillance authority in accordance with Article 73, which in turn triggers coordinated action under the Article 74 framework.
• Implement corrective measures when ordered: Upon receiving an order from a market surveillance authority — whether to modify, restrict, withdraw, or recall an AI system — operators must act within the timeframe specified and inform the authority of the steps taken.
• Cross-border notification compliance: Where a system is found to present a serious risk and is the subject of a national enforcement measure, the authority notifies the Commission and other Member States; affected operators may be required to extend corrective measures simultaneously across multiple jurisdictions.

Relationship to Other Articles

Article 74 functions as the enforcement layer that gives practical effect to substantive requirements defined elsewhere in the regulation. It draws directly on Article 73 (post-market monitoring and serious incident reporting), which generates the data and notifications that trigger many surveillance investigations. It is inextricably linked to Articles 11 and 12 (technical documentation and record-keeping) and Articles 16 and 26 (obligations of providers and deployers), since these define what authorities are entitled to examine.

The article interfaces with Article 9 (risk management systems) and Article 72 (post-market monitoring plans) as the real-world performance data collected under those provisions becomes evidence in any surveillance review. For serious risk scenarios, Articles 79 through 83 govern the specific corrective and protective measures that market surveillance authorities may apply following an investigation initiated under Article 74. The article also integrates horizontally with Regulation (EU) 2019/1020, the general EU market surveillance framework, whose procedures and notification mechanisms it adopts by reference.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, following publication in the Official Journal. Application of the regulation is phased:

• 2 February 2025: Prohibitions on unacceptable-risk AI practices (Article 5) became applicable. Market surveillance authorities received competence to investigate and enforce against prohibited systems from this date.
• 2 August 2025: Provisions on general-purpose AI models (Title III, Chapter V) and the associated governance framework, including the European AI Office's supervisory role, became applicable. Market surveillance of GPAI models and systemic-risk systems falls within this regime.
• 2 December 2026: Rules applying to high-risk AI systems listed in Annex III (used by public bodies) and the associated post-market monitoring and surveillance obligations under Title IX, including the full Article 74 framework for those systems, become applicable.
• 2 August 2027: The remaining high-risk AI systems in Annex III and AI systems regulated under the Union harmonisation legislation listed in Annex I become subject to the complete conformity and surveillance regime.

Organisations should treat the phased dates as activation points — surveillance infrastructure (documentation, incident reporting, cooperation procedures) should be in place before the relevant date, not after the first inquiry arrives.