Article 92 — Whistleblowing (EU AI Act)

Article 92 of Regulation (EU) 2024/1689 — Whistleblowing. Official text, practical interpretation, key obligations and compliance implications.

Official Text Summary

Article 92 of Regulation (EU) 2024/1689 (the EU AI Act) establishes a whistleblower protection framework applicable to persons who report violations of the Regulation to competent national authorities or to relevant Union institutions, bodies, offices, or agencies. The article operates by reference to Directive (EU) 2019/1937 on the protection of persons who report breaches of Union law, extending that directive's safeguards expressly to the AI Act domain.

Under Article 92, Member States must ensure that reporting persons — defined broadly to include employees, contractors, trainees, volunteers, and former workers who acquired relevant information in a work-related context — are protected from retaliation, discrimination, and adverse treatment as a consequence of having made a report in good faith. Providers, deployers, and other operators subject to the AI Act are therefore prohibited from taking retaliatory action against individuals who raise concerns about potential non-compliance.

The article further requires that competent authorities receiving reports treat them in accordance with the procedural guarantees established under Directive 2019/1937, including obligations around confidentiality of the reporter's identity, acknowledgment of receipt, and timely follow-up. Where Union-level institutions receive reports, analogous protections under Union staff regulations and applicable Union law apply. Article 92 thereby integrates AI Act enforcement into the broader architecture of Union whistleblowing law rather than creating a parallel, sector-specific regime.

What This Means in Practice

Article 92 has direct operational implications for any organisation within scope of the EU AI Act — primarily providers placing AI systems on the Union market, deployers using high-risk AI systems, and operators of general-purpose AI models.

For organisations, the practical obligation is to ensure that internal policies, employment contracts, codes of conduct, and supplier agreements do not contain clauses that could deter, penalise, or contractually prevent individuals from reporting AI Act violations to external authorities. Non-disclosure agreements and confidentiality clauses must be reviewed to confirm they do not purport to restrict lawful whistleblowing activity. Where an organisation already has an internal reporting channel mandated under Directive 2019/1937, that channel should be confirmed as covering AI Act-related concerns, and designated compliance owners should be trained to handle such reports.

For HR and legal teams, this means updating grievance, disciplinary, and termination procedures to document that any adverse action taken against an employee who has made an AI-related report is entirely unrelated to that report — and to be able to demonstrate this in any subsequent regulatory or judicial review.

For competent national authorities, Article 92 imposes a procedural duty to handle AI-related reports with the same confidentiality safeguards and acknowledgment timelines as other whistleblowing reports received under national transposition of Directive 2019/1937.

A concrete example: an employee at a company deploying a high-risk AI system in recruitment notices that the system's outputs appear to discriminate on the basis of gender in violation of the Act's requirements. That employee reports the issue to the national market surveillance authority. Article 92 ensures they cannot lawfully be dismissed, demoted, or subjected to a hostile work environment as a result of that report.

Key Obligations

• Member States must extend whistleblower protections under Directive (EU) 2019/1937 to persons reporting violations of the EU AI Act, ensuring no gap exists between general whistleblowing law and AI-specific enforcement.
• Organisations subject to the AI Act must not retaliate against employees, contractors, or other work-related persons who report, in good faith, suspected violations to competent authorities or Union bodies.
• Internal reporting channels required under Directive 2019/1937 (applicable to organisations with 50 or more workers) must be understood to cover AI Act violations, and nominated responsible persons must be equipped to assess such reports.
• Competent authorities receiving reports are required to maintain confidentiality of the reporting person's identity throughout the investigative process, disclosing it only where legally required and with prior notice to the reporter where possible.
• Contractual clauses — including non-disclosure agreements, settlement agreements, and employment contracts — that purport to restrict or penalise external reporting of AI Act violations are unenforceable to the extent they conflict with Article 92 protections.
• Reporting persons acting in good faith retain full protection even if the reported violation is ultimately not confirmed, provided the report was not made with knowledge of its falsity.

Relationship to Other Articles

Article 92 sits within Title IX (Post-Market Monitoring, Information Sharing, and Market Surveillance) and operates as a procedural enabler for the enforcement mechanisms established throughout that title and elsewhere in the Regulation.

It connects directly to Article 74 (market surveillance and control), Article 75 (conformity of AI systems), and Articles 78–81 (obligations of notified bodies and national competent authorities), since whistleblower reports may trigger or supplement the investigations those provisions authorise. It also supports Article 87 (reporting of serious incidents), creating a complementary channel through which workers who observe incidents or near-misses can escalate concerns without fear of reprisal.

More broadly, Article 92 should be read alongside Article 4 (AI literacy) and Article 9 (risk management systems for high-risk AI), because an organisation that fosters genuine internal transparency and AI competence is better placed both to detect reportable issues and to demonstrate that any adverse HR decision is wholly independent of a protected disclosure. It also interacts with Recital 179 of the Regulation, which affirms the Union's commitment to ensuring that the Act's enforcement is not undermined by a chilling effect on legitimate reporting.

Compliance Timeline

The EU AI Act entered into force on 1 August 2024, twenty days after publication in the Official Journal. Article 92, as part of the main body of the Regulation, becomes fully applicable on 2 August 2026 — the general application date for the majority of provisions, including those governing high-risk AI systems under Annex III (Article 113(2)).

Unlike the prohibitions on unacceptable-risk AI practices, which became applicable on 2 February 2025, or the obligations specific to general-purpose AI models, which applied from 2 August 2025, Article 92 is not in an accelerated-application category. Its application aligns with the general two-year implementation period.

However, organisations that are already subject to Directive (EU) 2019/1937 — which Member States were required to transpose by 17 December 2021 — should already have compliant reporting channels in place. The practical compliance task before August 2026 is therefore to audit and extend existing channels to confirm they explicitly cover AI Act violations, retrain responsible persons, and review contractual documentation accordingly. Organisations deploying high-risk AI systems covered by the December 2026 or August 2027 transitional provisions for certain Annex I systems should align their whistleblowing readiness with the applicable date for their specific system category.