Article 86 — Power to request measures from providers of general-purpose AI models (EU AI Act)

Article 86 of Regulation (EU) 2024/1689 — Power to request measures from providers of general-purpose AI models. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 86 of Regulation (EU) 2024/1689 (the EU AI Act) confers upon the AI Office the power to request that providers of general-purpose AI models take specific measures where necessary to ensure compliance with the obligations established under Chapter V of the Regulation, or to address systemic risks identified in connection with a GPAI model.

Where the AI Office has sufficient grounds to consider that a provider of a general-purpose AI model has failed to fulfil its obligations, or that a GPAI model — in particular one with systemic risk designation under Article 51 — presents a serious risk to health, safety, fundamental rights, or critical infrastructure, the AI Office may formally request the provider to adopt corrective or preventive measures. Such measures may include updates to technical documentation, changes to model capabilities or access conditions, implementation of additional risk-mitigation safeguards, or restrictions on certain deployment modalities.

The article operates within the broader market surveillance and enforcement architecture of Title IX, complementing the investigative powers granted to the AI Office under Articles 88 through 94. Requests issued under Article 86 are distinct from formal enforcement decisions but carry legal weight and serve as a prerequisite or precursor to more stringent enforcement actions if the provider fails to act in good faith or within the timeframes indicated. The provision reflects the EU legislator's intention to prioritise cooperative resolution of compliance gaps before escalating to coercive enforcement.

What This Means in Practice

Article 86 establishes a supervisory dialogue mechanism between the AI Office and providers of general-purpose AI models. In practical terms, it means that any organisation placing a GPAI model on the EU market — whether as an open-weight model released publicly or as a proprietary model accessed via API — must be prepared to receive and respond to formal requests from the AI Office.

For compliance purposes, this requires GPAI providers to maintain responsive governance structures capable of engaging with regulatory requests within short timeframes. Where the AI Office identifies a potential compliance gap — for example, inadequate technical documentation under Article 53, insufficient adversarial testing for systemic-risk models under Article 55, or failure to report incidents under Article 55(1)(b) — it may issue a request under Article 86 before initiating formal proceedings.

Concretely, a provider of a large language model deployed across multiple EU member states could receive a request to: update its model card to reflect newly identified risks; implement additional rate-limiting or access controls for sensitive use cases; or provide the AI Office with access to evaluation results from internal red-teaming exercises. The provider would be expected to confirm receipt, indicate the actions it intends to take, and demonstrate implementation within the timeframe specified.

Organisations that have established a dedicated GPAI compliance function, with clear ownership of AI Office correspondence and an internal escalation path, are significantly better positioned to respond effectively. Smaller providers accessing the market via upstream licensing arrangements should clarify contractually which party bears responsibility for responding to Article 86 requests.

Key Obligations

• Responsiveness to AI Office requests: Providers must be capable of receiving, acknowledging, and responding to formal requests from the AI Office within the timeframes specified, which may be short in cases involving potential systemic risks.
• Implementation of requested corrective measures: Where the AI Office identifies a compliance gap or emerging risk, providers are required to implement the measures requested, which may include technical, organisational, or access-related changes to the GPAI model or its deployment conditions.
• Documentation and evidence of compliance: Providers must be able to demonstrate to the AI Office that requested measures have been implemented, maintaining records of actions taken in response to each request.
• Ongoing risk monitoring: Article 86 requests may arise from the continuous monitoring obligations applicable to GPAI providers; providers must maintain ongoing risk awareness so that they are not caught unaware by AI Office findings.
• Cooperation with the AI Office: The article implies a duty of good-faith cooperation; providers must not obstruct, delay, or provide misleading information in the context of Article 86 interactions, as this could accelerate escalation to formal enforcement proceedings.
• Escalation readiness: Where an Article 86 request relates to a GPAI model with systemic risk designation, providers must be prepared for heightened scrutiny and should ensure that senior leadership is engaged in the response process.

Relationship to Other Articles

Article 86 sits at the intersection of the GPAI obligations in Chapter V and the market surveillance powers in Title IX. It should be read alongside Article 88 (general powers of the AI Office to conduct investigations), Article 89 (requests for information), and Article 94 (interim measures), which together constitute the escalating ladder of supervisory intervention available to the AI Office.

The substantive obligations whose enforcement Article 86 supports are primarily those in Articles 53 (obligations for all GPAI providers, including technical documentation, copyright compliance, and transparency) and Article 55 (additional obligations for GPAI models with systemic risk, including model evaluation, adversarial testing, and incident reporting). Article 51 governs the classification of GPAI models as presenting systemic risk, and providers so designated should treat Article 86 as a particularly live risk.

Article 101 sets out the penalty framework applicable where providers fail to comply with Article 86 requests or the underlying obligations they concern.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after its publication in the Official Journal of the European Union. The Regulation applies in a phased manner across different obligation categories:

• 2 February 2025: Provisions on prohibited AI practices (Article 5) became applicable.
• 2 August 2025: Chapter V obligations applicable to general-purpose AI models — including Articles 53 and 55 — became applicable. Article 86 became operative at this same date, as the supervisory powers it confers are designed to enforce the GPAI obligations that entered into application concurrently. Providers of GPAI models should therefore have had compliant documentation, governance, and risk-management frameworks in place by this date.
• 2 August 2026: Obligations for high-risk AI systems listed in Annex I become fully applicable.
• 2 August 2027: Obligations for high-risk AI systems listed in Annex III (excluding those already covered by earlier dates) become fully applicable.

For GPAI providers, Article 86 is a live and present compliance concern as of August 2025. Any provider that has not yet established the governance infrastructure necessary to respond to AI Office requests is already operating outside the expected compliance posture.