arrow_backAI Act Actor Hub·Authorised representative

AI Act Obligations for Authorised Representatives

A complete, article-by-article reference for AI Act authorised representatives — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 7 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.

CELEX 32024R1689·7 obligation paragraphs·Most obligations effective 2026-08-02

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.

update

Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.

Regulation (EU) 2024/1689 — CELEX 32024R1689

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.


Who is an authorised representative?

An authorised representative is a natural or legal person located or established in the EU who has received and accepted a written mandate from a provider of an AI system or general-purpose AI model to perform and carry out, on the provider's behalf, the obligations and procedures established by the AI Act.

7 obligation paragraphs in the AI Act are addressed to the Authorised Representative role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.


Jump to an article


Article 22 - Authorised representatives of providers of high-risk AI systems

Art. 22(3). The authorised representative must perform the tasks in the mandate, including verifying conformity documentation, retaining key documents for 10 years, providing information to authorities upon request, and serving as the contact point for compliance matters.

chevron_rightSource text

Source text: “The authorised representative shall perform the tasks specified in the mandate received from the provider. It shall provide a copy of the mandate to the market surveillance authorities upon request, in one of the official languages of the institutions of the Union, as indicated by the competent authority. For the purposes of this Regulation, the mandate shall empower the authorised representative to carry out the following tasks: The mandate shall empower the authorised representative to be addressed, in addition to or instead of the provider, by the competent authorities, on all issues related to ensuring compliance with this Regulation.”

In practice: Authorised representatives should establish document management systems to retain EU declarations of conformity, technical documentation, and certificates for 10 years, and ensure they can provide access to AI system logs to competent authorities upon reasoned request.

Art. 22(4). If the authorised representative has reason to believe the provider is acting contrary to its obligations under the AI Act, it must terminate the mandate and immediately notify the relevant market surveillance authority and, where applicable, the notified body.

chevron_rightSource text

Source text: “The authorised representative shall terminate the mandate if it considers or has reason to consider the provider to be acting contrary to its obligations pursuant to this Regulation. In such a case, it shall immediately inform the relevant market surveillance authority, as well as, where applicable, the relevant notified body, about the termination of the mandate and the reasons therefor.”

In practice: Authorised representatives should establish internal monitoring procedures to detect provider non-compliance and maintain a clear escalation protocol for notifying market surveillance authorities and notified bodies promptly upon mandate termination.


Article 48 - CE marking

Art. 48(4). Where a notified body is involved in the conformity assessment, its identification number must follow the CE marking and be included in any promotional material claiming CE marking compliance; the number is affixed by the notified body itself or under its instructions.

chevron_rightSource text

Source text: “Where applicable, the CE marking shall be followed by the identification number of the notified body responsible for the conformity assessment procedures set out in Article 43. The identification number of the notified body shall be affixed by the body itself or, under its instructions, by the provider or by the provider’s authorised representative. The identification number shall also be indicated in any promotional material which mentions that the high-risk AI system fulfils the requirements for CE marking.”

In practice: After obtaining a notified body certificate, ensure the notified body's identification number is placed immediately after the CE marking on the product, packaging, and documentation, and is also included in all marketing materials referencing CE compliance.


Article 49 - Registration

Art. 49(1). Before placing a high-risk AI system listed in Annex III on the market or putting it into service, the provider or their authorised representative must register themselves and the system in the EU database under Article 71. This obligation does not apply to high-risk AI systems referred to in point 2 of Annex III.

chevron_rightSource text

Source text: “Before placing on the market or putting into service a high-risk AI system listed in Annex III, with the exception of high-risk AI systems referred to in point 2 of Annex III, the provider or, where applicable, the authorised representative shall register themselves and their system in the EU database referred to in Article 71.”

In practice: Establish an internal pre-launch checklist that includes EU database registration as a mandatory gate before any high-risk AI system (Annex III, excluding point 2) is released to market. Assign a dedicated compliance officer or authorised representative to manage and maintain registration records.

Art. 49(2). If a provider has concluded under Article 6(3) that their AI system is not high-risk, they must still register themselves and the system in the EU database before placing it on the market or putting it into service. This ensures traceability even for systems self-assessed as non-high-risk.

chevron_rightSource text

Source text: “Before placing on the market or putting into service an AI system for which the provider has concluded that it is not high-risk according to Article 6(3), that provider or, where applicable, the authorised representative shall register themselves and that system in the EU database referred to in Article 71.”

In practice: Providers who invoke the Article 6(3) derogation to classify their system as non-high-risk should document their assessment thoroughly and ensure EU database registration is completed before market placement, as this registration is mandatory regardless of the non-high-risk conclusion.


General-purpose AI model obligations (Articles 51–56)

These articles apply specifically where a general-purpose AI (GPAI) model is involved — a model trained on broad data and usable across many tasks.

Article 54 - Authorised representatives of providers of general-purpose AI models

Art. 54(3). (effective 2 August 2025) The authorised representative must perform the tasks in the mandate, provide the mandate copy to the AI Office on request, verify that technical documentation and obligations under Articles 53 and 55 are fulfilled, keep documentation for 10 years, and provide all necessary information to the AI Office upon reasoned request.

chevron_rightSource text

Source text: “The authorised representative shall perform the tasks specified in the mandate received from the provider. It shall provide a copy of the mandate to the AI Office upon request, in one of the official languages of the institutions of the Union. For the purposes of this Regulation, the mandate shall empower the authorised representative to carry out the following tasks:”

In practice: Authorised representatives should maintain a secure, up-to-date repository of all technical documentation per Annex XI, set up a 10-year retention schedule from the date of market placement, and establish a clear process for responding to AI Office information requests promptly.

Art. 54(5). (effective 2 August 2025) If the authorised representative has reason to believe the provider is acting contrary to its obligations under the Regulation, it must terminate the mandate and immediately inform the AI Office of the termination and the reasons for it.

chevron_rightSource text

Source text: “The authorised representative shall terminate the mandate if it considers or has reason to consider the provider to be acting contrary to its obligations pursuant to this Regulation. In such a case, it shall also immediately inform the AI Office about the termination of the mandate and the reasons therefor.”

In practice: Authorised representatives should establish a clear internal monitoring and escalation process to detect provider non-compliance, and maintain a documented procedure for mandate termination and immediate notification to the AI Office, including template communications for such scenarios.


Bridge to product

Across the AI Act, the obligations that touch personal data converge on the same engineering controls GDPR already requires — and RuleMesh ships those as a ready-to-implement Jira backlog today.

  • Risk management (AI Act Art. 9) ↔ GDPR Art. 32 (technical & organisational measures)
  • Data governance / bias detection (Art. 10) ↔ GDPR Art. 9 (special categories) + Art. 32
  • Automated logging (Art. 12) ↔ GDPR Art. 32 (audit trail / breach detection)
  • Human oversight (Art. 14) ↔ GDPR Art. 22 (automated-decision safeguards)
  • Deployer DPIA / FRIA (Arts. 26–27) ↔ GDPR Art. 35 (data protection impact assessment)

RuleMesh is not an AI Act compliance product — it implements GDPR control modules. But because the AI Act routes you to the exact GDPR articles RuleMesh already covers, starting with GDPR is your AI Act head start.

Explore GDPR control modules in RuleMesh →


Frequently asked questions

Who is an authorised representative under the EU AI Act?

An authorised representative is a natural or legal person located or established in the EU who has received and accepted a written mandate from a provider of an AI system or general-purpose AI model to perform and carry out, on the provider's behalf, the obligations and procedures established by the AI Act. (Source: AI Act definitions, CELEX 32024R1689.)

How many obligations does the AI Act place on authorised representatives?

The RuleMesh knowledge graph identifies 7 obligation paragraphs addressed to the Authorised Representative role, across Articles 22, 48, 49, 54.

When do AI Act authorised representatives obligations apply?

Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.

Do the AI Act authorised representatives obligations overlap with GDPR?

Yes. The AI Act repeatedly references specific GDPR articles and does not override GDPR — for example special-category data for bias detection (GDPR Art. 9), data protection impact assessments (GDPR Art. 35), and the technical and organisational measures of GDPR Art. 32. The two regulations require the same engineering controls.



Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.

GDPR Article 32 is your AI Act head start.

The AI Act and GDPR call for the same engineering work: risk management (Art. 9 ↔ GDPR Art. 32), data governance (Art. 10 ↔ GDPR Art. 9), logging (Art. 12 ↔ GDPR Art. 32), human oversight (Art. 14 ↔ GDPR Art. 22), incident reporting (Arts. 72/73 ↔ GDPR Arts. 33/34). RuleMesh delivers the GDPR side today: structured IT requirements your engineers and AI agents implement through the MCP. The AI Act's requirements are coming to the same MCP.