Is Your Organization Required to Appoint an Authorized Representative Under the EU AI Act?

The European Union’s Artificial Intelligence Act (AI Act) establishes a harmonized legal framework governing artificial intelligence across the European Union. The regulation introduces a risk-based system of obligations for providers and deployers of AI systems, with heightened requirements for high-risk AI systems and general-purpose AI (GPAI) models.

For organizations established outside the EU, one of the most significant obligations under the regulation is the requirement to appoint an authorized representative in the EU. This article explains who must appoint an EU AI Act authorized representative, what the representative must do, and when the obligation takes effect.

Why the AI Act Requires an Authorized Representative

The AI Act is designed to allow EU regulators to effectively supervise AI systems and models made available in the EU. For enforcement to work in practice, authorities must be able to access compliance documentation and communicate with a responsible entity located within the EU.

Where a provider is established outside the EU and places high-risk AI systems or GPAI models on the EU market, that provider must appoint, by written mandate, an authorized representative established in the EU.

This requirement is consistent with other EU frameworks. For example, under the GDPR, certain non-EU controllers and processors must appoint an EU data protection representative. Similarly, NIS 2 requires non-EU operators of essential and important services to designate an EU-based NIS 2 representative.

Failure to appoint an AI representative may result in market authorities restricting or prohibiting a high-risk AI system from being made available in the EU, or requiring it to be withdrawn or recalled. Administrative fines may reach up to €15 million, or 3% of the provider’s total worldwide annual turnover for the preceding financial year, whichever is higher.

Who Must Appoint an EU AI Act Representative?

The obligation applies to specific categories of non-EU providers of AI systems.

1. Non-EU Providers of High-Risk AI Systems

Regulated Products

This includes all non-EU providers that develop and place on the EU market an AI system that is either a safety component of, or is itself, a product covered by certain EU legislation, where the product is required to undergo third-party conformity assessment under that legislation:

  • Machinery Directive  
  • Toy Safety Directive  
  • Recreational Craft Directive  
  • Lifts Directive  
  • ATEX Directive 
  • Radio Equipment Directive (RED Directive) 
  • Pressure Equipment Directive (PED Directive) 
  • Cableway Installations Regulation  
  • Personal Protective Equipment Regulation (PPE Regulation) 
  • Gas Appliances Regulation  
  • Medical Devices Regulation (MDR)  
  • In Vitro Diagnostic Medical Devices Regulation (IVDR) 
  • Civil Aviation Security Regulation 
  • Two- and Three-Wheel Vehicles and Quadricycles Regulation 
  • Agricultural and Forestry Vehicles Regulation 
  • Marine Equipment Directive 
  • Rail Interoperability Directive  
  • Motor Vehicle Type-Approval Regulation  
  • General Safety Regulation for Motor Vehicles  
  • Civil Aviation Safety Regulation (EASA Basic Regulation).

AI Systems Used in Sensitive Areas

High-risk AI systems also include those listed in Annex III to the AI Act, namely AI systems intended for use in areas such as:

  • Biometric identification and categorization of natural persons 
  • Critical infrastructure management 
  • Education and vocational training 
  • Employment, worker management, and access to self-employment 
  • Access to essential private and public services 
  • Law enforcement 
  • Migration, asylum and border control management 
  • Administration of justice and democratic processes.

If you are a provider established outside the EU and your AI system falls within the high-risk categories described above, you must appoint an authorized representative in the Union before placing the system on the EU market.

2. Non-EU Providers of General-Purpose AI Models

Providers of general-purpose AI models established outside the EU must also appoint an authorized representative before placing their model on the EU market.

A GPAI model is an AI model trained on large amounts of data using self-supervision at scale, that displays significant generality and can competently perform a wide range of distinct tasks. These models can be integrated into various downstream systems or applications. Large language models are a common example.

The obligation applies regardless of whether the provider directly controls the final downstream use of the model. However, providers that release a GPAI model under a free and open-source license are exempt from the obligation to appoint an authorized representative.

The Responsibilities of the Authorized Representative

The authorized representative does not replace the provider’s responsibilities under the AI Act. The provider remains fully accountable for substantive compliance. However, the representative assumes defined duties.

1. Acting as Regulatory Liaison

The representative serves as the official contact point for EU competent authorities and, where applicable, the AI Office.

Authorities may request documentation, clarification, or cooperation through the representative. This function ensures effective regulatory engagement without jurisdictional barriers.

2. Verifying Technical Documentation and Conformity

For high-risk AI systems, the authorized representative must verify that the EU declaration of conformity and the technical documentation required by the AI Act have been drawn up and that an appropriate conformity assessment procedure has been carried out by the provider. The representative must also provide national competent authorities and notified bodies with the information necessary to assess the AI system’s compliance, presented in a clear and comprehensive manner.

For GPAI models, the representative must confirm that the provider has prepared and maintains technical documentation appropriate to the model’s size and risk profile, including:

  • A general description of the general-purpose AI model 
  • A detailed description of the elements of the model, and relevant information of the process for the development.

Where the model presents systemic risk, additional documentation may include:

  • A detailed description of the evaluation strategies, including evaluation results, on the basis of available public evaluation protocols and tools or otherwise of other evaluation methodologies.  
  • Where applicable, a detailed description of the measures put in place for the purpose of conducting internal and/or external adversarial testing  
  • Where applicable, a detailed description of the system architecture explaining how software components build or feed into each other and integrate into the overall processing. 
  • Perform model evaluation in accordance with standardized protocols and tools reflecting the state of the art, including conducting and documenting adversarial testing of the model with a view to identifying and mitigating systemic risks.

3. Record Retention Obligations

The authorized representative must retain required documentation for 10 years after the high-risk AI system or GPAI model has been placed on the market or put into service. This includes:

  • Provider contact details 
  • The EU declaration of conformity 
  • Technical documentation 
  • Any notified body certificates, where applicable.

4. Supporting Enforcement and Corrective Actions

The representative must cooperate with competent authorities and the AI Office, upon reasoned request, in any actions relating to the AI system or GPAI model. This includes cooperating in measures intended to reduce or mitigate risks and, where necessary, supporting corrective actions.

5. Registration Obligations

Representatives for high-risk providers must also comply with registration obligations or, where the registration is carried out by the provider, ensure that registration details are correct.

Timing and Transitional Considerations

The obligation to appoint an authorized representative for general-purpose AI (GPAI) models applies from August 2025, while the obligation for high-risk AI systems applies from August 2, 2026.

Organizations planning to enter the EU market or launch AI systems within it should treat the appointment of a representative as a core compliance requirement. The role involves a formal written mandate, clearly defined responsibilities, and coordinated management of technical documentation and (where applicable) conformity procedures.

Preparing in advance allows providers to align governance structures, documentation practices, and regulatory processes before introducing AI systems or models to the EU market.

Summary

Non-EU organizations placing high-risk AI systems or GPAI models on the EU market are required to appoint an authorized representative under the AI Act. For GPAI models, this obligation applies from August 2025, and for high-risk AI systems, from August 2, 2026. The appointment must be made by written mandate, and the representative must be established within the European Union.

Evaluating whether your organization falls within scope, confirming system classification, and designating a qualified representative are essential compliance steps. VeraSafe can serve as your AI Act authorized representative. Book a free consultation to discuss your obligations and explore how VeraSafe can support your EU market entry and ongoing compliance.

You may also like:
What Are the Privacy Concerns With AI?
AI Governance: Why It Matters and How to Implement It Internally
The Critical Role of Privacy Due Diligence in M&A Success

Related topics: AI, Compliance Tools and Advice

Monthly Newsletter

Contact VeraSafe to discuss your data security management and privacy program today.

Get a Quote Now

Related Posts