Importer Under the EU AI Act: Definition, Duties, and Role Distinctions
EU AI Act importer definition (Article 3, point 6) and Article 23 duties: verify conformity, CE marking, and authorised representative before placing.
An importer, under Regulation (EU) 2024/1689, is the EU-side actor responsible for verifying that a high-risk AI system made by a third-country provider meets every obligation before it reaches the market. If a US or Asian vendor's system is going to be placed on the EU market under that vendor's name, the company doing the placing — if it is located or established in the EU — is the importer. That status comes with a checklist of verification duties under Article 23 that must be completed before a single sale.
The EU AI Act definition
Article 3 of Regulation (EU) 2024/1689 defines an importer (point 6) as:
"a natural or legal person located or established in the Union that places on the market an AI system that bears the name or trademark of a natural or legal person established in a third country."
Three conditions must be met simultaneously: the entity is established or located in the EU; it places the system on the EU market; and the system carries the name or trademark of a person established outside the EU. All three must be true — if a vendor is EU-established, the company distributing it in France is a distributor (Article 24), not an importer.
"Placing on the market" has the standard EU product-law meaning: making a product available for the first time in the EU market, whether for payment or free of charge. A reseller that moves stock from one EU country to another is not placing on the market afresh — it is distributing.
The definition sits in Article 3 alongside the full roster of supply-chain roles: provider (point 3), deployer (point 4), distributor (point 5), authorised representative (point 8). Each role attracts its own obligation set. Getting the classification right is not administrative housekeeping — it determines which compliance stack you carry.
What an importer must do
Article 23 sets out the importer's obligations. They apply to high-risk AI systems only; if the system you are importing is not high-risk under Article 6 and Annex III (or Annex I for product-embedded systems), Article 23 does not engage. The obligations:
1. Verify the provider's conformity assessment has been carried out (Article 23(1)(a))
Before placing a high-risk AI system on the market, the importer must check that the provider has carried out the conformity assessment procedure required by Article 43. For most Annex III systems (points 2–8: critical infrastructure, education, employment, services, law enforcement, migration, justice), this is the internal self-assessment route under Annex VI. For biometric identification systems (Annex III point 1, where harmonised standards are not applied), the notified-body route under Annex VII applies. The importer does not run the conformity assessment itself — but it must verify that the provider did.
2. Check that the technical documentation exists (Article 23(1)(b))
The importer must verify that the provider has drawn up the technical documentation required by Article 11 and specified in Annex IV. Annex IV lists nine content areas: a general description of the system; a description of the development process; information on the training, validation, and testing data; information on the monitoring, functioning, and control of the system; the risk management documentation; accuracy, robustness, and cybersecurity measures; human oversight measures; and post-market monitoring provisions. The importer need not audit every page, but it must satisfy itself the documentation exists and is available for authority review.
3. Confirm CE marking affixment and the EU declaration of conformity (Article 23(1)(c) and (d))
High-risk AI systems must bear CE marking under Article 48, with the underlying EU Declaration of Conformity prepared under Article 47 (content set out in Annex V). The importer checks that the CE marking has been affixed correctly and that the declaration exists. CE marking without the supporting declaration, or a declaration not signed by the provider, signals a compliance gap the importer is not permitted to overlook.
4. Verify that an authorised representative has been appointed (Article 23(1)(e))
Where the provider is established outside the EU and is not itself present in the market, Article 22 requires it to appoint an EU-based authorised representative before placing the system on the market. The importer must check that this appointment has been made. The authorised representative is the provider's formal point of contact with EU market-surveillance authorities. An importer dealing with a provider that has no authorised representative should treat it as a red flag — the compliance chain has a gap.
5. Keep records and cooperate with authorities (Article 23(2) and (3))
The importer must keep, for ten years after the system is placed on the market, a copy of the Declaration of Conformity and ensure that the technical documentation can be made available to competent authorities on request. Where the importer has reason to believe a system is not in conformity with the Act, it must not place the system on the market until the issue is resolved, and must inform the provider and, where relevant, the authorised representative. If a system already on the market poses a risk, the importer must immediately notify the competent authorities of the member states in which it made the system available.
6. Ensure storage and transport conditions do not compromise compliance (Article 23(4))
While the system is under the importer's responsibility — between receipt from the provider and delivery to the distributor or end customer — the importer must ensure that storage and transport conditions do not jeopardise its compliance. For software-delivered AI systems this obligation is largely about maintaining version integrity and not permitting unauthorised modifications. For embedded systems (hardware plus AI), physical storage conditions matter.
A practical point on timing: all of these verification steps are pre-market duties. The importer cannot retrospectively tick the boxes after selling the first unit. If the provider's conformity package is incomplete on the date the importer intends to place the system on the market, the placing must wait.
Importer vs distributor vs authorised representative
These three roles are frequently conflated. They are distinct in the Act and the distinction matters.
| Importer | Distributor | Authorised representative | |
|---|---|---|---|
| Defined in | Article 3(6) | Article 3(7) | Article 3(8) / Article 22 |
| Who they are | EU-established entity placing a third-country-branded system on the market | Any supply-chain actor making an already-marketed system available in the EU | EU-established entity mandated in writing by a third-country provider |
| Core duties | Pre-market verification (Art 23): conformity assessment, documentation, CE marking, authorised representative | Due diligence checks; verify CE marking and documentation on receipt; cooperate with authorities (Art 24) | Single point of contact with EU authorities; hold and make available the Declaration of Conformity and technical documentation (Art 22) |
| Who appoints them | Self-identified by role | Self-identified by role | The provider (by written mandate) |
| Can they be the same entity? | Importer and authorised representative can, in practice, be the same EU company — Article 22 does not exclude it | Distributor and importer can overlap if a single entity both places and then further distributes | Separate legal functions, but the same legal person may hold both |
The key practical difference between importer and distributor: an importer is the first EU actor to bring the product to market; a distributor takes a system that is already on the market and makes it available further down the chain. The distributor's due diligence under Article 24 is lighter — it checks that the CE marking is present and that the required documents accompany the system, but it does not re-run the provider's conformity verification.
An authorised representative is the provider's EU proxy. Unlike the importer, the authorised representative does not commercially place the system on the market. Its function is to carry out tasks delegated by the provider — principally to interface with market-surveillance authorities and to hold documentation — rather than to trade in the system. Article 22(3) makes the authorised representative jointly and severally liable with the provider for compliance of the high-risk system, which is a substantial exposure worth noting in any mandate agreement.
Role conversion under Article 25: if an importer puts its own name or trademark on the system, substantially modifies it, or changes its intended purpose, it ceases to be an importer and becomes the provider under Article 25. That conversion triggers the full Article 16 provider obligations — including running the conformity assessment itself, preparing the Annex IV technical documentation, and taking on the post-market monitoring duties under Article 72. An importer that rebrands a third-country vendor's model under its own label is, in law, the provider. The original vendor's CE marking and declaration of conformity become irrelevant.
Examples
EU reseller placing a US vendor's risk-assessment tool on the market
A Netherlands-based HR-tech reseller purchases the rights to market a US vendor's automated candidate-screening platform in Europe. The tool ranks job applicants on a combined profile score — it falls squarely within Annex III, point 4(a) (recruitment and selection). Before the reseller lists the product on its website or sells a single licence, it is the importer under Article 3(6) and must satisfy every Article 23 obligation.
That means: confirming the US vendor completed the Annex VI internal self-assessment; obtaining and reviewing the Annex IV technical documentation; checking that the CE marking is correctly affixed; verifying the EU Declaration of Conformity exists and is properly signed; and confirming that the US vendor has appointed an EU-based authorised representative. If the vendor has not yet appointed an authorised representative — common with US firms new to the EU AI Act — the reseller cannot place the product on the market. The reseller should factor Article 23 compliance into its vendor contracts and due diligence process before signing any distribution agreement.
Japanese manufacturing-robotics firm entering the EU
A Japanese supplier of computer-vision quality-control systems for automotive production lines wants to sell into Germany. The system is a safety component of a regulated product under Annex I (Machinery Regulation (EU) 2023/1230), which makes it high-risk via Article 6(1) — with an application date of 2 August 2028 rather than 2 December 2027. A German distributor takes on the role of importer for this supply chain. Before the first shipment crosses into Germany, it must work through the Article 23 checklist with the Japanese supplier, including verifying the integrated conformity assessment under Article 43(3) and the Annex VII notified-body involvement that may be required.
Frequently Asked Questions
Q: Does the importer have to carry out its own conformity assessment?
No. The conformity assessment under Article 43 is the provider's obligation. The importer's duty under Article 23(1)(a) is to verify that the provider has completed it — not to conduct one independently. If the provider has not completed the assessment, the importer must not place the system on the market. In practice this means requiring the provider to produce its conformity assessment records as a condition of the distribution agreement, before any stock is shipped or licences activated.
Q: What happens if the importer discovers a problem after the system is already on the market?
Article 23(3) requires the importer to immediately inform the provider and the authorised representative, and to cooperate with the provider to address the non-compliance. If the system poses a risk to health, safety, or fundamental rights, the importer must also notify the competent authorities of every member state in which it made the system available. In serious cases the importer should withdraw the system from the market. "Immediately" is not defined further in Article 23, but given the Article 73 incident-reporting timelines that apply to providers (15 days, 2 days, 10 days depending on severity), the importer should treat its own notification obligation as similarly urgent.
Q: Can an EU company act as both importer and authorised representative for the same system?
Yes. Nothing in Article 22 or Article 23 prevents one EU entity from holding both roles simultaneously. Some third-country providers find it commercially and operationally efficient to appoint a single EU partner to handle both the commercial placing on the market (importer) and the regulatory liaison function (authorised representative). The dual-role entity carries the liabilities of both: the importer's pre-market verification duties under Article 23 and the authorised representative's joint-and-several liability under Article 22(3).
Q: Does Article 23 apply to AI systems that are not high-risk?
No. Article 23 sits in Chapter III, Section 3 (obligations of importers), which applies to high-risk AI systems within the meaning of Article 6 (classification rules) and Annex III, or systems made high-risk via Annex I product law. If the system does not meet the Article 6 threshold — and particularly if the Article 6(3) filter applies — Article 23 does not impose obligations on the importer. For limited-risk systems (Article 50 transparency duties apply) or minimal-risk systems, the importer has no Article 23 compliance duties, though ordinary product-law and contractual due diligence remain good practice.
Q: What are the penalties for importer non-compliance?
Violations of the Article 23 obligations fall within the €15,000,000 or 3% of total worldwide annual turnover tier under Article 99(4) of Regulation (EU) 2024/1689 — whichever is higher. For companies that qualify as SMEs or start-ups, Article 99(6) caps the fine at the lower of the percentage or the fixed amount, a genuine proportionality protection. The fine ceiling applies per violation; a market-surveillance authority could cite multiple Article 23 failures arising from a single placement.
Q: When do the high-risk obligations, including Article 23, actually apply?
Under the Digital Omnibus agreed in May 2026, the application of the high-risk regime was deferred from the original August 2026 date. Stand-alone high-risk AI systems listed in Annex III apply from 2 December 2027. High-risk AI systems embedded in regulated products covered by Annex I apply from 2 August 2028. The importer's Article 23 pre-market duties become enforceable from those dates respectively. That is breathing room, not a reprieve — a US vendor's conformity documentation, authorised-representative appointment, and CE marking all take time to organise, and the importer should be pressing for that paperwork now.
How Confir helps importers
Determining whether your organisation is an importer — or whether a role shift under Article 25 has made you the provider — requires working through a fact-specific scenario. Confir's rule-based, deterministic classification engine asks plain-English questions about how your company interacts with the system (did you place it on the market under a third-country name? did you modify it? did you put your own trademark on it?) and derives the role from the answers. The same engine flags when the Article 25 conversion conditions are met.
Once the importer role is confirmed, Confir's structured assessment tracks the Article 23 verification checklist — conformity assessment status, Annex IV documentation, CE marking, Declaration of Conformity, authorised-representative appointment — and generates the documentation records required for authority review. Pricing starts at €600/year for companies beginning their compliance programme. No consultants, no implementation project.
Related terms
- Article 23 — Obligations of Importers
- Importer obligations in practice
- Distributor — the Article 24 role for supply-chain actors making an already-marketed system available
- Provider — the Article 16 role for entities placing a system on the market under their own name
- Authorised representative — the EU proxy appointed by a third-country provider under Article 22
- Extraterritorial scope of the EU AI Act — how the Act reaches non-EU providers and why the importer role exists
Manage your EU AI Act compliance in one place
Confir automates risk classification, technical documentation, and audit trails for any company. No consultants. No 6-month projects. 7-day free trial.
Start free trial →