Article 78 of Regulation (EU) 2024/1689 — Confidentiality. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 78 of Regulation (EU) 2024/1689 establishes a binding confidentiality framework governing the handling of information obtained by competent authorities — including national market surveillance authorities, notifying authorities, notified bodies, and the Commission — in the course of their duties under the EU AI Act.

The article requires all parties exercising functions under the Regulation to protect information that is subject to professional secrecy obligations. This encompasses business secrets, commercially sensitive data, intellectual property, and personal data encountered during audits, investigations, conformity assessments, corrective action procedures, or any other supervisory activity. The obligation applies both to the authorities themselves and to their staff, including external experts assisting in enforcement tasks.

Article 78 nonetheless permits the exchange of information between competent authorities within a Member State, across Member States, and with the Commission where such exchange is necessary for the performance of tasks under the Regulation. Any information so shared retains its confidential character and the receiving body assumes the same protection obligations.

The article does not prevent authorities from publishing aggregate, anonymised, or non-sensitive findings, nor does it override mandatory disclosure requirements arising from judicial proceedings. It operates in conjunction with Regulation (EU) 2016/679 (GDPR) and sector-specific confidentiality regimes where applicable, without displacing them.

What This Means in Practice

For AI providers and deployers, Article 78 provides a meaningful procedural protection. When a national market surveillance authority opens an investigation — for example, because a high-risk AI system has been flagged for non-compliance with the conformity assessment requirements of Article 43, or because a serious incident has been reported under Article 73 — the provider must cooperate and supply technical documentation, algorithmic details, and test results. Article 78 ensures that this commercially sensitive information does not leave the regulatory sphere without legal justification.

Who is affected. The direct obligations fall on competent authorities and their personnel. Providers and deployers are the indirect beneficiaries, gaining assurance that trade secrets disclosed during enforcement are protected. Notified bodies, which assess conformity of high-risk AI systems and therefore receive detailed technical submissions, are equally bound.

Concrete scenarios. A provider of a high-risk AI system used in credit scoring submits its technical documentation to the national market surveillance authority following a complaint. Under Article 78, the authority cannot share that documentation with a competitor or publish it in a way that reveals proprietary model architecture. Similarly, an employee of a notified body who reviews training data composition during a conformity assessment is bound by professional secrecy with respect to that data.

Practical steps for providers. Organisations should label commercially sensitive documents submitted to authorities and maintain a log of what was disclosed, to whom, and under which regulatory obligation. Where a disclosure request seems to exceed the authority's powers, providers retain the right to object before competent courts.

Key Obligations

Relationship to Other Articles

Article 78 is structurally connected to the broader market surveillance and enforcement architecture of the EU AI Act. It supports Article 74 (market surveillance at national level), Article 75 (Union-level market surveillance and coordination), and Article 76 (oversight of general-purpose AI models), all of which require authorities to collect and process sensitive operational and technical information. The confidentiality regime it establishes is a precondition for effective cooperation under Article 101 (AI Office cooperation with Member States).

It also intersects directly with Article 73 (serious incident reporting) and Article 72 (post-market monitoring), since both mechanisms generate disclosures of potentially sensitive technical and commercial data to supervisory bodies.

Within the conformity assessment chain, Article 78 reinforces the obligations of notified bodies designated under Articles 33–39, who regularly receive detailed technical documentation. Finally, it must be read alongside Article 70 (confidentiality obligations on operators more broadly) and Recital 145, which clarifies that the Regulation's transparency objectives cannot be used to justify disclosure of genuinely confidential commercial information.

Compliance Timeline

Article 78 entered into force on 1 August 2024, twenty days after publication of Regulation (EU) 2024/1689 in the Official Journal of the European Union. However, its practical relevance is tied to the phased application schedule of the broader Regulation.

The first binding obligations under the AI Act — the prohibitions on unacceptable-risk AI practices under Article 5 — became applicable on 2 February 2025. From that date, market surveillance authorities began exercising active enforcement powers, making Article 78's confidentiality protections immediately operational for any investigations initiated.

The framework for general-purpose AI models (Title IV) applied from 2 August 2025, extending Article 78 protections to information gathered in the oversight of GPAI providers and the AI Office's supervisory activities.

The most substantial wave of obligations — covering high-risk AI systems listed in Annex III — applies from 2 August 2026, with certain systems in Annex I sectors subject to a further transition until 2 August 2027. As conformity assessment activity and post-market monitoring under Articles 72–73 intensify through 2026–2027, Article 78 will become a frequently invoked provision in the day-to-day relationship between regulators and the AI industry.

Official AI Act Compliance Deadline Calendar

Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.

| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
| --- | --- | --- | --- | --- | --- | --- |
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | | AI Act Art. 57 |


Frequently Asked Questions

Article 78 requires national market surveillance authorities and the Commission to protect business secrets, commercially sensitive data, and personal data encountered during their supervisory and enforcement activities. This includes technical documentation, model details, training data descriptions, and any proprietary information submitted by providers or deployers in the context of investigations or corrective action procedures.

No. Article 78 permits information sharing between competent authorities, including across Member States and with the Commission, where necessary for enforcement and coordination. However, shared information retains its confidential status and the receiving authority is bound by the same confidentiality obligations. The right to share does not override obligations under GDPR or sector-specific confidentiality rules.

Article 78 primarily governs competent authorities and the Commission, not providers or deployers directly. However, it indirectly protects providers by ensuring that sensitive commercial information they submit to authorities — such as technical documentation for high-risk AI systems — cannot be disclosed arbitrarily. Providers should nonetheless document what information they share with authorities and under what legal basis.

Article 78 creates a specific confidentiality regime that national freedom of information or public access laws must accommodate. Where EU law sets a confidentiality obligation, Member State disclosure rules cannot override it. Authorities must balance transparency obligations against the protections established by Article 78, typically by redacting commercially sensitive or personal information before releasing any supervisory documents.
