Article 80 of Regulation (EU) 2024/1689 — Powers of the market surveillance authority in relation to supervision of general-purpose AI models with systemic risk. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 80 of Regulation (EU) 2024/1689 establishes the specific supervisory powers available to national market surveillance authorities when overseeing general-purpose AI models (GPAI models) that carry systemic risk. The article operates within the broader post-market monitoring and market surveillance framework set out in Title IX of the Regulation.
Under Article 80, market surveillance authorities are empowered to request access to documentation, technical specifications, and the outcomes of internal evaluations carried out by providers in relation to their systemic risk GPAI models. Authorities may initiate assessments and evaluations to verify compliance with the obligations set out in Articles 55 and 56, which govern systemic risk management and adversarial testing requirements for such models. Where an authority identifies that a provider has failed to fulfil its obligations, it may order corrective measures, including modifications to the model, restrictions on deployment, or, in serious cases, withdrawal from the Union market.
The article explicitly acknowledges the primary supervisory competence of the AI Office at Union level, as established under Articles 88 to 94, and requires national authorities to coordinate their actions accordingly to avoid duplication or conflicting requirements. Article 80 thus functions as a complementary layer of oversight, ensuring that national enforcement capacity remains available and operational for addressing systemic risks that manifest within individual Member State jurisdictions, while remaining consistent with Union-level supervision.
What This Means in Practice
For providers of GPAI models that have been designated as posing systemic risk — either by exceeding the 10^25 FLOPs training compute threshold or through a Commission designation following a case-by-case evaluation — Article 80 creates a concrete obligation to engage with national market surveillance authorities upon request.
In practice, this means providers must maintain a compliance infrastructure capable of responding to authority inquiries within the timeframes established by Union and national procedural law. Documentation packages prepared under Article 53 (general GPAI transparency obligations) and Article 55 (systemic risk-specific obligations, including adversarial testing results, incident reporting records, and cybersecurity assessments) must be readily accessible to market surveillance authorities, not only to the AI Office.
Consider a scenario in which a provider deploys a systemic risk GPAI model accessible to business users and consumers across the EU. If the national market surveillance authority of a Member State receives credible reports of harmful outputs linked to systemic failures of that model, Article 80 authorises the authority to open a formal investigation, compel the provider to submit its internal evaluation records, and order interim mitigations — such as output filtering or deployment restrictions in that jurisdiction — pending a full Union-level review by the AI Office.
Providers should designate internal points of contact specifically for market surveillance authority communications, ensure their technical documentation is continuously updated, and build escalation protocols that allow rapid coordination between national authority requests and any concurrent AI Office proceedings.
Key Obligations
- Document accessibility: Providers of systemic risk GPAI models must ensure that all technical documentation, evaluation records, and risk assessments required under Articles 53 and 55 are accessible to market surveillance authorities upon request.
- Cooperation with investigations: Providers must actively cooperate with market surveillance authority assessments, including granting access to model parameters, safety testing outcomes, and adversarial testing reports as specified under Article 55(1)(c).
- Implementation of corrective measures: Where a market surveillance authority orders corrective actions — including model modifications, deployment restrictions, or market withdrawal — providers must implement those measures within the prescribed timeframes.
- Incident reporting alignment: Providers must ensure that serious incident reports submitted under Article 73 are also made available to market surveillance authorities exercising powers under Article 80, enabling coordinated oversight responses.
- Coordination with AI Office proceedings: When national market surveillance authority actions under Article 80 run concurrently with AI Office supervisory proceedings, providers must maintain consistent and non-contradictory communications with both bodies.
- Non-obstruction: Providers must not obstruct, delay, or impede market surveillance authority access to personnel, facilities, technical systems, or documentation relevant to a systemic risk assessment.
Relationship to Other Articles
Article 80 cannot be read in isolation. It is directly linked to Article 51, which defines the criteria for classifying a GPAI model as posing systemic risk — the threshold condition that triggers Article 80's supervisory regime. The obligations that market surveillance authorities are empowered to enforce through Article 80 originate primarily in Articles 55 and 56, covering systemic risk management and adversarial testing.
At the procedural level, Article 80 must be read alongside Articles 88 to 94, which establish the AI Office's Union-level supervisory competence and delineate the division of responsibilities between national authorities and the AI Office. Article 73 on serious incident reporting and Article 74 on market surveillance more broadly provide the procedural context within which Article 80 powers are exercised.
Article 53 establishes the baseline transparency and documentation obligations applicable to all GPAI models, which form the evidentiary foundation that authorities draw upon when exercising Article 80 powers. Finally, Articles 99 to 101 on penalties are the downstream consequence of non-compliance with measures ordered under Article 80.
Compliance Timeline
The EU AI Act entered into force on 2 August 2024, following publication in the Official Journal of the European Union. The Regulation applies in a phased manner:
- 2 February 2025: Provisions on prohibited AI practices (Title II) became applicable.
- 2 August 2025: Provisions governing general-purpose AI models, including those applicable to systemic risk GPAI models under Articles 51–56 and the associated supervisory framework including Article 80, became applicable. Providers of systemic risk GPAI models were required to be fully compliant with their obligations under Articles 55 and 56 from this date, and national market surveillance authorities acquired full operational powers under Article 80 from the same date.
- 2 August 2026: Rules applicable to general-purpose AI systems embedded in high-risk AI systems that were placed on the market before August 2024 begin to apply.
- 2 December 2026 and 2 August 2027: Full application of high-risk AI system obligations under Annex I and Annex III respectively.
For providers of systemic risk GPAI models, 2 August 2025 is the critical compliance date for Article 80 purposes. Any provider whose model met or exceeded the systemic risk threshold at or before that date was required to have its documentation, evaluation records, and cooperation infrastructure in place from that date forward.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Status | Legal basis |
|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | active | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | active | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | active | AI Act Art. 57 |
Frequently Asked Questions
Article 80 grants market surveillance authorities specific investigative and corrective powers over providers of general-purpose AI models with systemic risk. These include the ability to request documentation, conduct evaluations, order mitigation measures, and — where systemic risks are not adequately addressed — impose restrictions or withdrawals from the market. These powers complement the supervisory role assigned to the AI Office at Union level.
Article 80 applies to providers of general-purpose AI models that have been classified as posing systemic risk, as defined in Article 51. This includes providers whose models exceed the computational threshold of 10^25 FLOPs or whose models have been designated as systemic risk models by the Commission following a case-by-case assessment.
Article 80 coordinates national market surveillance authority powers with the Union-level oversight exercised by the AI Office. While the AI Office has primary supervisory competence over general-purpose AI models with systemic risk under Articles 88 to 94, Article 80 ensures national authorities retain specific enforcement and investigative capacities, particularly regarding downstream effects and market impacts within their jurisdictions.
Article 80 became applicable on 2 August 2025, as part of the provisions governing general-purpose AI models, which entered into application 12 months after the EU AI Act entered into force on 2 August 2024.
Providers of general-purpose AI models with systemic risk must cooperate fully with market surveillance authorities exercising powers under Article 80. This means granting access to documentation, model evaluations, technical parameters, and safety testing records. Providers must respond to information requests within prescribed timeframes and implement any corrective measures ordered by competent authorities.