Article 85 of Regulation (EU) 2024/1689 — Investigative powers of the AI Office regarding general-purpose AI models. Official text, practical interpretation, key obligations and compliance implications.
Official Text Summary
Article 85 of Regulation (EU) 2024/1689 confers on the AI Office specific investigative powers in relation to providers of general-purpose AI models. The AI Office may, on its own initiative or following a reasoned request from a national competent authority, initiate evaluations of general-purpose AI models to assess compliance with the obligations set out in Chapter V of the Regulation. Where the AI Office has reasonable grounds to suspect that a particular GPAI model — including a GPAI model with systemic risk — presents risks to health, safety, fundamental rights, or critical infrastructure, it is empowered to request any information and documentation it deems necessary, including technical specifications, model architecture descriptions, training data summaries, and performance evaluation results.
Beyond documentary requests, Article 85 authorises the AI Office to conduct or commission on-site inspections at the premises of the provider or any third party involved in the development, training, or deployment of the model. The AI Office may also appoint independent experts — notified in advance to the provider — to carry out technical evaluations of the model, including access to model weights and source code where strictly necessary and subject to confidentiality obligations. Providers must cooperate fully and within the timeframes specified in each request. The article reflects the legislature's intent to endow the AI Office with genuine investigative teeth proportionate to the opacity and systemic significance of large-scale AI models.
What This Means in Practice
For providers of general-purpose AI models operating in or serving the EU market, Article 85 creates a standing obligation of investigative cooperation with the AI Office that goes well beyond ordinary reporting duties.
In concrete terms, a GPAI model provider — whether a large foundation model developer, a fine-tuning entity that modifies a base model substantially, or a provider that releases open-weight models — must be prepared at any point to respond to formal requests for documentation. These requests may cover model cards, training data provenance records, red-teaming and evaluation reports, incident logs, and technical architecture descriptions.
Where the AI Office escalates to a formal evaluation, providers should expect to host or facilitate on-site inspections. This requires that internal governance structures are capable of mobilising the relevant technical and legal personnel quickly. The appointment of independent experts by the AI Office means that sensitive intellectual property — including weights and training pipelines — may be reviewed by third parties, making confidentiality agreements and access protocols a practical necessity to negotiate in advance with the Office.
Providers of GPAI models with systemic risk face a heightened exposure, given that Article 85 powers are explicitly calibrated to the risk profile of the model. Organisations should therefore maintain audit-ready technical files, establish clear internal escalation procedures for regulatory requests, and appoint a designated regulatory contact capable of coordinating responses across legal, engineering, and data governance teams within short notice windows.
Key Obligations
- Full cooperation with information requests: Providers must supply all documentation, technical records, and information requested by the AI Office within the deadlines specified, including model architecture details, training data descriptions, and evaluation results.
- Facilitation of on-site inspections: Providers must grant the AI Office and any designated independent experts access to their premises, systems, and relevant personnel when a formal inspection is initiated.
- Access to model weights and source code: Where the AI Office determines access is necessary to assess systemic risk, providers must make model weights, source code, and training data available, subject to confidentiality protections agreed with the Office.
- Appointment of an accessible regulatory contact: Providers must ensure a point of contact is in place and reachable for the purposes of coordinating investigative procedures without undue delay.
- Confidentiality of investigation proceedings: Providers and any third parties involved in evaluations must treat information exchanged during investigations as confidential in accordance with the terms set by the AI Office.
- Non-obstruction: Providers must not obstruct, delay, or interfere with the AI Office's investigative activities; any such conduct may be treated as a breach of the Regulation independently of the underlying substantive issue.
Relationship to Other Articles
Article 85 operates within a broader supervisory and enforcement architecture. It is intrinsically linked to Article 88, which sets out the powers of national market surveillance authorities and establishes the division of competence between those authorities and the AI Office specifically with respect to GPAI models. The investigative powers under Article 85 feed directly into the enforcement chain codified in Articles 99 and 101, which govern administrative fines for non-compliance, including refusal to cooperate.
The obligations that Article 85 enforces originate primarily in Articles 53 and 55, which impose documentation, transparency, and systemic risk management duties on GPAI model providers. Article 56 on codes of practice is relevant because voluntary adherence to an approved code may inform the AI Office's risk-based prioritisation of investigations. Article 74 on market surveillance and Article 75 on the procedure for handling risks at EU level provide the wider institutional context in which Article 85 investigations are embedded.
Compliance Timeline
The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. Application is phased:
- 2 February 2025: Provisions on prohibited AI practices (Article 5) became applicable.
- 2 August 2025: Provisions applicable to general-purpose AI models — including Chapter V (Articles 51–56) and the obligations that Article 85 enforces — became applicable. From this date, the AI Office holds its full investigative mandate under Article 85 in respect of GPAI model providers.
- 2 August 2026: Governance provisions and the obligations of notified bodies apply fully.
- 2 December 2026 / 2 August 2027: High-risk AI system obligations under Annex I and Annex III apply in full.
Providers of GPAI models were therefore required to be investigation-ready under Article 85 from 2 August 2025. Organisations that had not yet established compliant technical documentation, audit trails, and regulatory cooperation procedures by that date were exposed to enforcement action from that date forward.
Official AI Act Compliance Deadline Calendar
Updated · Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | active | — | AI Act Art. 5 | ||
| GPAI Rules (Chapter 5) | GPAI model providers | active | — | AI Act Art. 51-56 | ||
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | deferred | — | AI Omnibus 2026 Art. 6(2) | ||
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | deferred | — | AI Omnibus 2026 Art. 6(1) | ||
| AI-Generated Content Marking | Providers of generative GPAI systems | active | — | AI Act Art. 50(2) | ||
| Regulatory Sandboxes | National competent authorities | active | — | AI Act Art. 57 |
⬇ Download JSON · CC BY 4.0
AI Act meets DORA and NIS2
Is your organisation subject to both the AI Act and DORA? The two regulations intersect on the operational resilience of financial AI systems. Our sister site regulation-dora.eu covers DORA in depth.
Explore regulation-dora.eu ↗Frequently Asked Questions
Under Article 85, the AI Office may request documentation and information from providers of general-purpose AI models, conduct evaluations of those models, and — where there is reason to suspect a serious risk — request access to model weights, training data, source code, and other relevant technical information. It may also conduct on-site inspections and appoint independent experts to carry out evaluations on its behalf.
Article 85 applies to providers of general-purpose AI models (GPAI models), including providers of GPAI models with systemic risk, regardless of where they are established, provided their models are placed on the market or put into service in the European Union.
Yes. Where the AI Office has reasonable grounds to suspect that a GPAI model poses a systemic risk, it may request access to model weights, training methodologies, source code, and training data, subject to appropriate confidentiality safeguards. Providers must comply within the timeframes specified in the request.
Non-cooperation with an AI Office investigation under Article 85 may expose a provider to enforcement measures including fines. Refusal to grant access or to provide required information can constitute a breach of the Regulation, triggering the sanctioning regime set out in Articles 99 and 101.
Participation in a code of practice under Article 56 is one mechanism by which GPAI model providers can demonstrate compliance and build a cooperative relationship with the AI Office. However, adherence to a code of practice does not exempt a provider from investigative procedures under Article 85 if the AI Office identifies grounds for concern.
Stay ahead of AI Act changes
Get compliance alerts when deadlines or obligations change.
No spam. One-click unsubscribe.