EU Authorised Representative for AI Products

January 17, 2025

Introduction

As the EU AI Act reshapes regulatory requirements for AI products, certain organisations outside the European Union must designate an EU Authorised Representative (EU AR) as part of their compliance efforts. This is a mandatory step for high-risk AI systems and certain other AI products entering the EU market. The EU Authorised Representative acts as a critical bridge between non-EU providers and EU regulatory bodies, taking on specific obligations to ensure adherence to the stringent standards of the AI Act (AIA).

This article explores the obligations of an EU Authorised Representative under Articles 22 and 54 of the AI Act, the contents of the representative’s mandate, and how businesses can streamline compliance with expert guidance.

Who needs an EU Authorised Representative?

Not all providers of AI products are required to appoint an EU Authorised Representative. The requirement applies only to providers that are established outside of the EU and that are making available High-Risk AI (HRAI) systems or, under Article 54, General Purpose AI (GPAI) models on the EU market.

This would imply that products that do not fall under either HRAI or GPAI will not be required to appoint an EU AR in accordance with this legislation. However, such other products may be required to do so under other EU legislation, such as the General Product Safety Regulation.

Obligations of the EU Authorised Representative

The AIA describes the obligations of the AR in Article 22 for HRAI systems and Article 54 for GPAI models. The main idea of the AR’s obligations is the same in both of these articles: the EU Authorised Representative will play a pivotal role in ensuring that AI products comply with the requirements of the AI Act.

Providers of GPAI models that meet the following criteria are not required to appoint an EU AR:

  • The GPAI model is released under a free and open-source licence that allows for the access, use, modification, and distribution of the model.
  • Parameters (including weights), and information on architecture and model usage are publicly available.
  • The GPAI model does not present systemic risks.

The AR must be appointed by the provider prior to making their product available on the EU market. The appointment will typically take the form of a written mandate / agreement that shall be signed by both parties and that shall enable the AR to perform certain tasks as specified in the Act.

The mandate shall allow competent authorities to address the AR directly in addition to or instead of the provider, on all matters relating to ensuring compliance with the AIA.

HRAI Systems [Article 22]

ARs for HRAI systems shall provide a copy of the mandate to market surveillance authorities upon their request in an official Union language as indicated by the requesting competent authority.

Their tasks include:

Verification

Prior to the provider placing the AI product on the EU market, the AR must verify that a Declaration of Conformity and appropriate technical documentation have been drawn up. The extent of this verification process shall depend on the AR itself.

The AR must also verify that the provider has followed the appropriate conformity assessment procedure and thus that the classification applied is correct.

Access to Documentation

The provider must give the AR continued access to their relevant documentation which must be kept for at least 10 years after the product has been placed on the EU market, at the disposal of the competent authorities. This documentation and information includes:

  • The provider’s contact details.
  • A copy of the Declaration of Conformity.
  • Technical documentation.
  • Certificate issued by Notified Body, if applicable.

Facilitate Communication

One of the key responsibilities of an AR will be to serve as a contact point between the competent authorities in the EU and the provider. During the product’s time on the EU market, a competent authority may request access to the abovementioned documentation or event logs. The AR would then be responsible for either contacting the provider directly or for providing the requested documentation to the Competent Authority.

In the event that a provider is no longer trading, the Competent Authority could still request such information, to which the AR should retain access.

Vigilance

In general, the AR should be able to assist the provider in reporting incidents in the EU or conducting corrective measures should the AI product. The AR shall communicate and cooperate with the relevant competent authorities during any actions being taken in relation to the AI product in an effort to reduce and mitigate any risks being posed by the product.

Registration

Prior to placing the AI product on the market, in certain circumstances, the AR may need to meet registration requirements outlined in Article 49 of the AI Act.

Termination

In the event that the AR has reason to believe that the provider is acting contrary to its obligations under the EU AI Act, then the AR must immediately inform the relevant market surveillance authority, and if applicable, their Notified Body, that they shall be terminating the mandate with the provider.

In reality, if an AR has such concerns, they would discuss these failings with the provider. However, in the event the provider is not forthcoming with relevant information or does not have a desire to comply, the AR shall immediately take the necessary steps to terminate the mandate.

GPAI Models [Article 54]

ARs for GPAI models shall provide a copy of the mandate to the AI Office upon their request in an official Union language. The AR’s tasks shall include:

Verification

Prior to the provider placing the AI product on the EU market, the AR must verify that the appropriate technical documentation has been drawn up in accordance with Annex XI. The extent of this verification process shall depend on the AR itself.

Furthermore, the AR must also verify that the provider has met their obligations as indicated in Article 53 and, where applicable, Article 55.

Access to Documentation

The AR must keep a copy of the technical documentation specified in Annex XI at the disposal of the AI Office and competent authorities for at least 10 years after the GPAI has been placed on the EU market. This documentation and information must include the contact details of the provider.

Facilitate Communication

One of the key responsibilities of a GPAI AR will be to serve as a contact point between the AI Office and competent authorities in the EU, and the provider. Upon reasoned request, the AR shall provide the AI Office with the abovementioned documentation.

Vigilance

In the case of GPAI models, the AR must assist the provider in reporting incidents in the EU or conducting corrective measures should the AI product. The AR shall communicate and cooperate with the AI Office and relevant competent authorities during any actions being taken in relation to the AI product to reduce and mitigate any risks being posed by the product.

This shall also apply for models that are integrated into AI systems placed on or put into service in the EU market.

Termination

In the event that the AR has reason to believe that the provider is acting contrary to its obligations under the EU AI Act, then the AR must immediately terminate the agreement and inform the AI Office providing a reason for the termination.

Mandate Contents

The mandate between the provider and the EU Authorised Representative must be comprehensive and specific. As a minimum, it should include:

  1. Identification Details: The names and addresses of both the provider and the EU Authorised Representative.
  2. Authorised Actions: A clear definition of the actions the EU AR is authorised to perform on behalf of the provider.
  3. Obligations: The mandate shall clearly identify the obligations of both the AR and the provider. This ensures that both parties understand their AI Act obligations.
  4. Access to Documentation: Authority to maintain and provide access to technical files, the EU declaration of conformity, and records of post-market monitoring. The exact arrangements for keeping the documentation available can be decided outside of the mandate.
  5. Communication Authority: The ability to liaise with EU regulators on compliance issues and respond to queries or inspections.
  6. Incident Management: The mandate may contain explicit permission to assist with corrective actions, incident reporting, and addressing regulatory breaches. Otherwise, the AR can only provide assistance and guidance on such actions.
  7. Termination: Authority to terminate based on non-compliance with the obligations laid out in the AI Act.
  8. Liability: The mandate should discuss liability and require the provider to demonstrate that they have sufficient cover for the product they are placing on the market. The cover should be commensurate with the potential risk or impact the product could have.

The mandate ensures that the EU Authorised Representative has the necessary tools and authority to fulfil its responsibilities effectively.

How can Blue Arrow assist?

Navigating the complexities of the EU AI Act can be daunting, especially for providers outside the EU. At Blue Arrow, we specialise in providing seamless, end-to-end support for AI product compliance, including acting as your EU Authorised Representative.

Our services include:

  • Managing your technical documentation and EU declarations of conformity.
  • Liaising with EU regulators and responding to their requests.
  • Ensuring compliance with Articles 22 and 54 of the AI Act.
  • Providing expert advice on post-market surveillance and corrective actions.

Partner with Blue Arrow to ensure your AI products meet the highest regulatory standards. Contact us today to take the stress out of compliance and confidently bring your products to the EU market.
