Article 77 of Regulation (EU) 2024/1689 — Powers of authorities protecting fundamental rights. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 77 of Regulation (EU) 2024/1689 establishes specific powers for national public authorities whose mandate encompasses the protection of fundamental rights, enabling them to act as an additional layer of oversight over high-risk AI systems deployed within their jurisdiction.
Under Article 77(1), any national public authority or body competent for supervising or enforcing obligations relating to fundamental rights — including data protection authorities under Regulation (EU) 2016/679, equality bodies, consumer protection authorities, and similar agencies — is granted the power to request from deployers of high-risk AI systems access to the documentation generated and maintained in accordance with the Regulation. In particular, these authorities may request the fundamental rights impact assessment required from certain deployers under Article 27, the logs automatically generated by the AI system kept pursuant to Article 26(6), and any other relevant documentation demonstrating compliance.
Under Article 77(2), where such an authority has reasonable grounds to believe that a high-risk AI system presents a risk to fundamental rights or to the health and safety of persons, it shall inform the relevant market surveillance authority designated under Article 70 and may provide it with all relevant information at its disposal. The market surveillance authority is then responsible for taking appropriate investigative and corrective action in accordance with its competences under Chapter VII.
Article 77 thus creates a structured cooperation mechanism between sector-specific fundamental rights bodies and the primary market surveillance infrastructure, without conferring direct enforcement powers over AI system compliance on these authorities independently of the established market surveillance framework.
What This Means in Practice
Article 77 has direct operational consequences for deployers of high-risk AI systems — particularly those operating in sensitive domains such as employment, education, access to essential services, law enforcement, migration, and the administration of justice, where fundamental rights exposure is most acute.
Deployers must be prepared to respond to documentation requests from a broader range of public authorities than the primary market surveillance authority alone. A data protection authority conducting an inquiry into an AI-assisted recruitment tool, an equality body investigating an automated benefits-eligibility system, or a consumer protection agency scrutinising an AI-powered credit-scoring platform may all invoke Article 77 to obtain the deployer's fundamental rights impact assessment and system logs.
Practically, this means deployers should ensure their Article 27 fundamental rights impact assessment is completed, up to date, and readily accessible before deployment — not treated as a post-hoc exercise. Similarly, the logging obligations under Article 26 must be operationally active so that records can be produced on request without delay.
For providers, Article 77 underscores the importance of producing and maintaining comprehensive technical documentation under Article 11 and instructions for use under Article 13 that are sufficiently detailed to support deployer compliance. If a fundamental rights authority raises concerns and notifies the market surveillance authority, the provider's documentation will be central to any subsequent investigation.
Organisations deploying high-risk AI systems should map which fundamental rights authorities hold jurisdiction over their activities and proactively assess how those authorities are likely to interpret their mandate in relation to AI oversight.
Key Obligations
- Deployers must produce documentation on request: Upon a request from a competent fundamental rights authority, deployers of high-risk AI systems must provide access to the fundamental rights impact assessment (Article 27), automatically generated logs (Article 26(6)), and any other documentation relevant to the authority's assessment.
- Fundamental rights authorities must notify market surveillance authorities: Where a fundamental rights authority has reasonable grounds to believe a high-risk AI system poses risks to fundamental rights or to health and safety, it is obliged to inform the relevant market surveillance authority designated under Article 70 and share all relevant information.
- Fundamental rights impact assessments must be current and accessible: Because Article 77 creates a live documentation request right, deployers subject to Article 27 cannot defer or neglect the impact assessment — it must exist and be retrievable when an authority exercises its powers.
- Log retention must be operational before deployment: Deployers must ensure the logging mechanisms required under Article 26(6) are active and records are preserved in a manner that allows timely production to authorities invoking Article 77.
- Cooperation across authority boundaries is required: Deployers and providers must be prepared to engage simultaneously with multiple competent bodies — the fundamental rights authority initiating the inquiry and the market surveillance authority to which it reports — without creating contradictions in the information provided to each.
Relationship to Other Articles
Article 77 sits at the intersection of the post-market monitoring framework (Chapter IX) and the broader market surveillance architecture (Chapter VII), and must be read in conjunction with several other provisions.
Article 26 (Obligations of deployers) establishes the core monitoring and logging duties that produce the documentation Article 77 authorities are empowered to access. Article 27 (Fundamental rights impact assessment for high-risk AI systems) creates the primary document that fundamental rights authorities will seek; the two articles are operationally coupled.
Article 70 (Designation of national competent authorities and single points of contact) identifies the market surveillance authorities to which fundamental rights bodies must report under Article 77(2). Articles 74 and 75 define the investigative and corrective powers those market surveillance authorities may then exercise following notification.
Article 13 (Transparency and provision of information to deployers) and Article 11 (Technical documentation) are relevant because the adequacy of provider-supplied documentation directly conditions a deployer's ability to respond to Article 77 requests. Article 9 (Risk management system) provides the upstream analytical framework that should inform the fundamental rights impact assessment referenced in Article 77.
For organisations subject to the GDPR, Article 77 should also be read alongside Articles 35 and 51–59 of Regulation (EU) 2016/679, which govern data protection impact assessments and the powers of supervisory authorities — competences that overlap substantially with the Article 77 framework in AI deployments involving personal data processing.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal of the European Union.
The phased application schedule is as follows:
- 2 February 2025: Prohibition on unacceptable-risk AI practices (Article 5) became applicable.
- 2 August 2025: Rules on general-purpose AI models (Title VIII, Articles 51–56) and governance obligations (Title VII) became applicable.
- 2 August 2026: Article 77, along with the full framework for high-risk AI systems listed in Annex III (including employment, education, essential services, law enforcement, migration, and justice applications), becomes applicable. This is the primary compliance deadline for most deployers likely to face Article 77 requests from fundamental rights authorities.
- 2 August 2027: The Article 77 framework — and the broader high-risk AI system obligations — becomes applicable to AI systems governed by Union harmonisation legislation listed in Annex I (including medical devices, machinery, civil aviation, and motor vehicle components).
Deployers operating high-risk AI systems in fundamental-rights-sensitive domains should complete their Article 27 fundamental rights impact assessments and verify their Article 26 logging infrastructure is operational well in advance of the 2 August 2026 deadline.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Article 77 empowers national public authorities responsible for protecting fundamental rights — such as data protection authorities, equality bodies, and consumer protection agencies — to request access to documentation and to carry out market surveillance activities when they have reason to believe a high-risk AI system may pose risks to fundamental rights.
Article 77 applies to any national public authority or body responsible for supervising or enforcing obligations related to fundamental rights, including supervisory authorities under the GDPR, equality bodies, and other competent authorities whose mandate concerns areas where high-risk AI systems are deployed.
These authorities may request deployers to provide the fundamental rights impact assessment conducted under Article 27, access to logs kept by deployers under Article 26, and any other documentation necessary to assess compliance. They may also notify the market surveillance authority if they identify potential non-compliance.
Data protection authorities acting as supervisory authorities under the GDPR are among the authorities explicitly envisaged under Article 77. When AI systems process personal data and may affect fundamental rights, these authorities can exercise the powers granted by Article 77 in coordination with their existing GDPR enforcement competences.
Article 77 applies from 2 August 2026 for most high-risk AI systems listed in Annex III, and from 2 August 2027 for high-risk AI systems covered by existing sectoral Union harmonisation legislation listed in Annex I. The general provisions of the EU AI Act entered into force on 1 August 2024.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.