Authorised Representative Under the EU AI Act
Article 3(5) definition, when Article 22 and Article 54 require one, what the representative does, and why non-EU providers must appoint before market access.
An authorised representative is a natural or legal person located or established in the EU who holds a written mandate from a provider of an AI system or a general-purpose AI (GPAI) model to carry out that provider's obligations under Regulation (EU) 2024/1689 on their behalf. The role exists because the EU AI Act imposes obligations on providers regardless of where they are based — and an in-EU representative gives regulators a reachable contact point for enforcement.
The EU AI Act definition
Article 3 of Regulation (EU) 2024/1689, point 5, defines an authorised representative as "any natural or legal person established or located in the Union who has received and accepted a written mandate from a provider of an AI system or a general-purpose AI model to, respectively, perform and carry out on its behalf the obligations and procedures established by this Regulation."
Three elements follow directly from that definition. First, the representative must be established or located in the EU — a non-EU entity cannot serve as the representative. Second, the mandate must be in writing; a verbal arrangement does not satisfy the requirement. Third, acceptance is required — the representative takes on the obligations actively, not by default.
This is a role appointment rather than a mere administrative filing. Once the mandate is accepted, the representative becomes the legal interface between the provider and EU authorities for the matters covered by the Regulation.
When a provider needs one
Not every provider must appoint an authorised representative. The requirement targets providers established outside the EU who intend to make their systems available on the EU market or put them into service in the EU.
For high-risk AI systems, the obligation sits in Article 22. A provider established in a third country must appoint an authorised representative established in the EU before placing the system on the market or putting it into service. The appointment is a prerequisite — it must be in place before the system reaches EU users or operators, not after. The representative's name and contact details must be included in the registration under Article 49 and on the system's documentation, so competent authorities can reach them directly.
For GPAI model providers, Article 54 creates a parallel requirement: a provider of a general-purpose AI model who is not established in the EU must appoint an authorised representative in the EU. GPAI model obligations under Chapter V have applied since 2 August 2025, so any non-EU GPAI provider that has been offering a model to EU-based downstream providers or deployers since that date is already in scope.
The two obligations are structurally the same — a written EU-based mandate — but they trace back to different articles and serve different compliance tracks. The Article 22 representative accompanies the high-risk system's conformity package; the Article 54 representative is part of the GPAI model provider's standing regulatory relationship with the AI Office.
EU-based providers do not need to appoint an authorised representative for either track, because they are already within the reach of EU authority.
What the representative does
An authorised representative appointed under Article 22 for a high-risk system must, at minimum, hold the technical documentation required by Article 11 and Annex IV, and hold the EU Declaration of Conformity issued under Article 47, and keep both available to national competent authorities on request. They must cooperate with competent authorities on any action those authorities take regarding the system — including inquiries, requests for information, and corrective measures. They can be the contact point for authorities initiating a market-surveillance action under Article 74 onwards.
What the representative does not do is absorb the provider's substantive compliance obligations. The provider retains full responsibility for the system's design, its conformity assessment under Article 43, the accuracy of its technical documentation, its post-market monitoring under Article 72, and its serious-incident reporting under Article 73. Appointing a representative does not delegate those duties. It gives regulators a reachable address; it does not create a compliance shield.
In practical terms, a representative handling several mandates from different providers would maintain a file for each system — the Article 11 / Annex IV documentation pack and the Article 47 Declaration — and manage the regulatory correspondence that arises. For a high-risk system, that correspondence may include notifications from market-surveillance authorities, requests to investigate complaints, or demands to produce conformity evidence following a reported incident.
The Article 54 representative for a GPAI model provider operates in a similar posture: accessible to the AI Office for the provider's obligations under Article 53 (technical documentation, downstream information, copyright policy, training-data summary) and Article 55 (systemic-risk obligations, if the model is classified under Article 51).
Why it matters
The EU AI Act explicitly applies to providers and deployers outside the EU under Article 2. A provider in the United States, South Korea, or the United Kingdom places a high-risk AI system on the EU market for a German hospital deployer — that provider is in scope regardless of having no EU office. The authorised representative is the mechanism that makes that extraterritorial reach operational: it converts a jurisdiction gap into a direct enforcement contact.
Without an authorised representative, the market-surveillance authority in, say, France has no in-EU party to serve notices on, request documents from, or hold accountable under the Regulation. The representative gives the authority that handle. Failure to appoint one when required is itself a breach of the provider obligations under Article 16 — and non-compliance with provider obligations falls within the €15,000,000 or 3% of total worldwide annual turnover penalty tier under Article 99(4).
For non-EU companies assessing their exposure, the practical implication is this: if your AI system, or the GPAI model you offer, is used in the EU, the question of whether you need a representative is not advisory — it is part of your pre-market checklist. Appointment before market access, not after, is the statutory requirement.
For companies already established in the EU, the concept still matters in reverse: if you use a high-risk AI system from a non-EU provider, you should verify that the provider has appointed a representative. Under Article 23, importers must check that providers have fulfilled their obligations, which includes the Article 22 representative requirement. A missing representative is a compliance gap in the provider's file that an importer should not overlook.
Appointing an authorised representative early — before documentation review, before conformity assessment — also means the representative can be named consistently across all required filings: the Article 49 EU-database registration, the Article 11 technical documentation, and the Article 47 Declaration of Conformity. Retrofitting a representative name across a completed documentation pack after the fact is avoidable friction.
Frequently Asked Questions
Who can serve as an authorised representative — does it need to be a law firm or compliance body?
No specific professional qualification is required by Regulation (EU) 2024/1689. The representative must be a natural or legal person established or located in the EU, and must have accepted the written mandate. In practice, many providers appoint a specialised EU-based compliance firm, an importer, or a local subsidiary. The key requirement is establishment in the EU, the written mandate, and the practical capacity to hold the required documentation and cooperate with authorities.
Does an authorised representative replace the need for an importer or distributor?
No. The roles are separate. An authorised representative under Article 22 is a regulatory contact appointed by the provider. An importer under Article 23 is the EU-based party that physically places the system on the market. They may be the same legal entity — for example, an EU-based importer may also hold the provider's mandate as authorised representative — but the obligations are distinct and both must be satisfied. The same applies to distributors under Article 24.
If a non-EU provider already has an EU subsidiary, does the subsidiary count as the authorised representative?
Not automatically. The subsidiary is a separate legal entity; it needs to receive and accept a written mandate from the provider to act as authorised representative. Simply existing as a related company in the EU does not satisfy Article 22 or Article 54. The mandate must be documented and the representative named in the required filings.
Does the representative bear personal liability if the provider's system is non-compliant?
The representative can be a point of enforcement — competent authorities may direct actions through them — but the substantive obligations (design, conformity, documentation, incident reporting) remain with the provider. The representative's exposure depends on the scope of the mandate and applicable national law, but the Regulation's primary accountability sits with the provider. Providers and representatives commonly address liability allocation in the mandate agreement itself.
For a GPAI model, does the Article 54 representative need to be separate from any Article 22 representative for a high-risk system built on that model?
Yes, in principle — because the obligations they represent are on different legal persons. The GPAI model provider and the provider of a high-risk system built on that model may be different companies, each with its own representative requirement. If the same company is both a GPAI model provider and a high-risk system provider, it would typically need one representative covering both mandates, but the mandates themselves are grounded in two distinct articles (Article 54 for the GPAI model, Article 22 for the high-risk system).
When exactly must the appointment be in place?
For high-risk AI systems under Article 22, before the system is placed on the EU market or put into service. For GPAI model providers under Article 54, the GPAI obligations have applied since 2 August 2025, so a non-EU model provider already offering its model in the EU should have a representative in place now.
Related terms
- EU AI Act extraterritorial scope — how Article 2 reaches non-EU providers and deployers
- Provider obligations under the EU AI Act — the full Article 16 obligation stack that the provider retains
- Importer obligations: Article 23 — the parallel supply-chain role and its verification duties
- What is the EU AI Act? — the Regulation's structure, scope, and timeline
- Serious incident reporting — Article 73 reporting obligations that the provider retains regardless of the representative
- Notified body — the conformity-assessment body relevant for Annex III point 1 biometrics systems
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →