EU AI Act Importer and Distributor Obligations: What Article 23 and 24 Require

If you bring a high-risk AI system into the EU from outside — or if you pass one further down the supply chain — you are not a bystander to the EU AI Act. Regulation (EU) 2024/1689 assigns specific, enumerated duties to importers under Article 23 and to distributors under Article 24. Get them wrong and the penalty ceiling is €15 million or 3% of worldwide annual turnover, whichever is higher (Article 99(4)).

The deadline for high-risk obligations is 2 December 2027 for stand-alone Annex III systems, under the Digital Omnibus political agreement reached in May 2026. That replaces the original August 2026 date. It is not an excuse to start late — the verification steps below take time, and non-compliant products must not reach the market regardless of when the formal deadline lands.

Importer vs. Distributor: Two Distinct Roles

The Act defines both roles precisely.

An importer (Article 23) is any natural or legal person established in the EU that places on the EU market a high-risk AI system bearing the name or trademark of a person established outside the Union. The importer is the entity that crosses the border, commercially speaking. It is not the end user; it is not the shipping agent.

A distributor (Article 24) is any natural or legal person in the supply chain, other than the provider or the importer, that makes a high-risk AI system available on the EU market. Distributors sit between importer and deployer — resellers, value-added resellers, and channel partners typically fall here.

Both roles are real, named, and obligated. The old framing that the Act only recognises "providers" and "deployers" is wrong; Articles 23 and 24 create distinct duties for each supply-chain actor.

What Importers Must Do (Article 23)

Before you place a high-risk AI system on the EU market, Article 23 requires you to verify that the provider has done its work. Specifically:

Check the conformity assessment. The provider must have completed the relevant conformity assessment under Article 43. For most Annex III categories this means internal control (Annex VI); for biometric identification systems it requires a notified body (Annex VII). You cannot place the system on the market without evidence that this assessment happened.

Check the technical documentation. Article 11 requires the provider to draw up technical documentation in line with Annex IV — a structured record of the system's design, data, risk management, testing, and intended use. Confirm it exists and is current.

Check the CE marking. Article 48 requires high-risk AI systems to carry CE marking before market placement. No marking, no import.

Check the EU Declaration of Conformity. Article 47 requires the provider to draw up a written declaration that the system meets the Act's requirements. Obtain a copy and keep it.

Check the instructions for use. Article 13 requires providers to supply clear, accurate instructions enabling deployers to understand what the system does, its limitations, and how to exercise human oversight. Verify these accompany the system.

Check that an authorised representative is appointed where required. Under Article 22, providers established outside the EU must appoint an EU-based authorised representative before placing a high-risk system on the market. Confirm this appointment is in place.

Put your name on the system. Article 23 requires importers to indicate their name, registered trade name or trademark, and postal address on the system itself or, where that is not possible, on its packaging or accompanying documentation. This is not optional.

Storage and transport. While the product is in your custody, you must ensure storage and transport conditions do not jeopardise compliance with the Act's requirements — particularly any technical integrity conditions in the provider's instructions.

Keep records for ten years. Article 23 requires importers to keep a copy of the EU Declaration of Conformity, the conformity assessment certificate (where one was issued by a notified body), and the instructions for use for ten years after the system is placed on the market.

Cooperate with market surveillance. If a competent authority requests information or documentation, you must supply it promptly. If you discover the system presents a risk or is non-conforming, you must immediately inform the provider and the relevant market surveillance authority, and must not place — or continue placing — the system on the market.

Do not place a non-conforming system. If, having done all of the above, you conclude the system is not compliant or poses an unacceptable risk, you must not place it on the market. Full stop.

What Distributors Must Do (Article 24)

Distributors carry a lighter but still real verification burden. Before making a high-risk AI system available on the market, you must verify:

• The system bears the required CE marking (Article 48).
• The EU Declaration of Conformity (Article 47) accompanies the system.
• Instructions for use in a language the deployers in the target market can understand are present (Article 13).
• The provider has fulfilled its obligations under Article 16 and — where relevant — the importer has fulfilled its obligations under Article 23.

If you have reason to believe the system is non-conforming or presents a risk, you must not make it available. You must inform the provider or importer and cooperate with market surveillance authorities.

Distributors who modify packaging or documentation in a way that affects compliance, or who store and transport in conditions that degrade the system, take on responsibility for those consequences.

When Importers and Distributors Become Providers (Article 25)

This is the clause that catches companies off guard. Article 25 provides that an importer or distributor is treated as a provider — with the full provider obligation stack — if it does any of the following:

1. Places the high-risk AI system on the market under its own name or trademark.
2. Substantially modifies the system (as defined in Article 3(23) — a change that affects the system's compliance with the requirements or changes its intended purpose).
3. Modifies the intended purpose of a system already placed on the market, in a way that makes it high-risk.

A concrete example: a European distributor of an employment-screening tool from a US provider decides to rebrand the tool and expand its scope to include promotion decisions as well as recruitment. That is both a name change and a scope change. Under Article 25, the distributor is now a provider and must carry out a conformity assessment, draw up technical documentation, affix the CE marking, and issue a Declaration of Conformity — the entire provider checklist.

The original provider does not disappear from the picture, but the new "provider" takes on primary responsibility for the modified or rebranded system. This is not a theoretical risk: any reseller that customises, white-labels, or extends the intended use of a third-party high-risk AI system should assume it is a provider and plan accordingly.

Penalties

Breaches of the importer and distributor obligations under Articles 23 and 24 fall under Article 99(4): up to €15 million or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. For companies below SME thresholds, Article 99(6) applies a proportionality protection — the fine is capped at the lower of the percentage and the fixed amount.

Triggering Article 25 and then failing to meet provider obligations exposes a company to the same tier, since the provider obligations (Article 16 et seq.) are also governed by Article 99(4).

The Practical Verification Sequence

When a shipment of high-risk AI systems is coming in, an importer's pre-market checklist looks like this:

1. Confirm the system falls in an Annex III category (or is a safety component under Annex I — noting the different 2 August 2028 deadline applies to Annex I products).
2. Obtain and review the conformity assessment record (Annex VI internal control or Annex VII notified-body certificate).
3. Obtain the technical documentation in line with Annex IV and confirm it covers the current version of the system.
4. Confirm CE marking is affixed (Article 48) and verify the EU Declaration of Conformity (Article 47) is on hand.
5. Confirm instructions for use (Article 13) accompany the product in the relevant language.
6. Confirm the authorised representative under Article 22 is appointed if the provider is established outside the EU.
7. Mark the system with your name and address.
8. File the DoC, certificate, and instructions — retain for ten years.
9. Document that you ran this checklist.

Distributors run a shorter version of steps 3–5, confirm the importer completed steps 6–8, and document their own review.

How Confir Helps

Importer and distributor compliance reduces to two problems: knowing which role you actually hold, and running the right verification checklist against the right obligations.

Confir's role-derivation flow asks plain-English questions about your supply chain position, your branding decisions, and any modifications you make — and maps those answers to Art 23, Art 24, or Art 25 provider status using deterministic rules. There is no ambiguity in the output: you see which article governs you, which obligations apply, and which documents you must hold. For importers whose suppliers send partial documentation, the verification checklist flags exactly which items are missing. The entire logic is rule-based, not an AI model — the same intake answers produce the same finding, and the rule that fired is shown in plain language.

Frequently Asked Questions

Does the EU AI Act actually use the words "importer" and "distributor"?

Yes. Articles 23 and 24 of Regulation (EU) 2024/1689 name importers and distributors as distinct supply-chain roles with specific obligations. The Act is not limited to providers and deployers. Any article or summary suggesting importers and distributors are simply "providers" or that these roles do not exist in the Act is incorrect.

What must an importer check before placing a high-risk AI system on the EU market?

Under Article 23, an importer must verify: the provider completed the applicable conformity assessment (Article 43); the system carries a CE marking (Article 48); the EU Declaration of Conformity (Article 47) exists; technical documentation compliant with Article 11 and Annex IV has been drawn up; instructions for use are present (Article 13); and, where the provider is non-EU, an authorised representative is appointed (Article 22). The importer must also add its own name and contact details to the system or packaging and retain the DoC and certificate for ten years.

When does a distributor become a provider under Article 25?

A distributor — or an importer — is treated as a provider if it puts its own name or trademark on the system, substantially modifies the system as defined in Article 3(23), or changes the intended purpose in a way that brings it into high-risk scope. In any of these cases, the entity must carry out the full provider obligations: conformity assessment, technical documentation, CE marking, and Declaration of Conformity.

How long must importers keep the Declaration of Conformity and conformity assessment certificate?

Ten years after the system is placed on the EU market, per Article 23. This is longer than the five-year retention often cited for other documents — the ten-year figure is specific to the importer's DoC, certificate, and instructions obligation.

What happens if an importer discovers a non-conforming system after it is already placed?

Article 23 requires the importer to immediately inform the provider and the relevant market surveillance authorities. If the system poses a risk, the importer must cooperate with authorities and, where necessary, withdraw the product from the market or ensure it is recalled.

What is the penalty for importers and distributors who breach their obligations?

Article 99(4) sets the ceiling at €15 million or 3% of total worldwide annual turnover for the preceding financial year, whichever is higher. For SMEs and start-ups, Article 99(6) caps the fine at the lower of the two figures.

When does the deadline for high-risk AI obligations apply?

For stand-alone high-risk AI systems in the Annex III categories (recruitment, credit scoring, biometrics, etc.), the deadline is 2 December 2027 under the Digital Omnibus agreement reached in May 2026. For high-risk AI embedded in safety components of regulated products under Annex I (medical devices, machinery, etc.), the deadline is 2 August 2028. The original 2 August 2026 date has been deferred for both.

Related guides

• SMB compliance timeline
• Article 23 distributor obligations
• Article 3 AI system definitions
• Article 13 transparency standards
• Article 2 scope requirements
• SaaS provider compliance pathway
• Article 26 deployer responsibilities
• Article 49 EU database registration