AI Act Obligations for Distributors

A complete, article-by-article reference for AI Act distributors — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 7 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.

CELEX 32024R1689·7 obligation paragraphs·Most obligations effective 2026-08-02

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.

update

Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.

Regulation (EU) 2024/1689 — CELEX 32024R1689

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.


Who is a distributor?

A distributor is a natural or legal person in the supply chain — other than the provider (manufacturer) or importer — that makes an AI system available on the Union market, without modifying the system in a way that would alter its compliance status.

7 obligation paragraphs in the AI Act are addressed to the Distributor role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.


Jump to an article


Article 24 - Obligations of distributors

Art. 24(1). Before making a high-risk AI system available on the market, distributors must verify that it bears the CE marking, is accompanied by the EU declaration of conformity and instructions for use, and that the provider and importer have fulfilled their respective obligations.

chevron_rightSource text

Source text: “Before making a high-risk AI system available on the market, distributors shall verify that it bears the required CE marking, that it is accompanied by a copy of the EU declaration of conformity referred to in Article 47 and instructions for use, and that the provider and the importer of that system, as applicable, have complied with their respective obligations as laid down in Article 16, points (b) and (c) and Article 23(3).”

In practice: Distributors should establish a pre-distribution checklist that confirms CE marking presence, availability of the EU declaration of conformity (Article 47), instructions for use, and documented evidence that the provider has met Article 16(b)/(c) and the importer has met Article 23(3) obligations before any product is released to market.

Art. 24(2). If a distributor has reason to believe a high-risk AI system does not meet conformity requirements, it must withhold it from the market until compliant; if the system presents a risk under Article 79(1), the distributor must also inform the provider or importer.

chevron_rightSource text

Source text: “Where a distributor considers or has reason to consider, on the basis of the information in its possession, that a high-risk AI system is not in conformity with the requirements set out in Section 2, it shall not make the high-risk AI system available on the market until the system has been brought into conformity with those requirements. Furthermore, where the high-risk AI system presents a risk within the meaning of Article 79(1), the distributor shall inform the provider or the importer of the system, as applicable, to that effect.”

In practice: Distributors should implement a non-conformity escalation procedure: if any evidence of non-compliance is identified, immediately halt distribution and notify the provider or importer in writing, documenting the basis for the concern and any risk indicators under Article 79(1).

Art. 24(3). Distributors must ensure that while a high-risk AI system is under their responsibility, storage and transport conditions do not compromise the system's compliance with the applicable requirements.

chevron_rightSource text

Source text: “Distributors shall ensure that, while a high-risk AI system is under their responsibility, storage or transport conditions, where applicable, do not jeopardise the compliance of the system with the requirements set out in Section 2.”

In practice: Distributors should document and enforce storage and transport protocols for high-risk AI systems, including environmental controls (temperature, humidity, physical security) and handling procedures, and verify these conditions are maintained throughout the distribution chain.

Art. 24(4). If a distributor believes a high-risk AI system it has made available is non-conforming, it must take corrective actions including withdrawal or recall, and if the system presents a risk under Article 79(1), must immediately inform the provider or importer and the competent authorities with details of the non-compliance.

chevron_rightSource text

Source text: “A distributor that considers or has reason to consider, on the basis of the information in its possession, a high-risk AI system which it has made available on the market not to be in conformity with the requirements set out in Section 2, shall take the corrective actions necessary to bring that system into conformity with those requirements, to withdraw it or recall it, or shall ensure that the provider, the importer or any relevant operator, as appropriate, takes those corrective actions. Where the high-risk AI system presents a risk within the meaning of Article 79(1), the distributor shall immediately inform the provider or importer of the system and the authorities competent for the high-risk AI system concerned, giving details, in particular, of the non-compliance and of any corrective actions taken.”

In practice: Distributors should establish a product recall and corrective action procedure that includes immediate notification channels to both the provider/importer and relevant competent authorities, with templates for documenting non-compliance details and corrective measures taken, triggered automatically when a risk under Article 79(1) is identified.

Art. 24(5). Upon a reasoned request from a competent authority, distributors must provide all information and documentation about their actions under paragraphs 1 to 4 necessary to demonstrate the system's conformity with Section 2 requirements.

chevron_rightSource text

Source text: “Upon a reasoned request from a relevant competent authority, distributors of a high-risk AI system shall provide that authority with all the information and documentation regarding their actions pursuant to paragraphs 1 to 4 necessary to demonstrate the conformity of that system with the requirements set out in Section 2.”

In practice: Distributors should maintain a comprehensive compliance dossier for each high-risk AI system they distribute, including records of pre-market verification, storage/transport conditions, and any corrective actions taken, so that this documentation can be promptly provided to competent authorities upon request.

Art. 24(6). Distributors of high-risk AI systems must cooperate with competent authorities in any action taken to address risks posed by those systems on the market. This includes actively supporting efforts to reduce or mitigate identified risks.

chevron_rightSource text

Source text: “Distributors shall cooperate with the relevant competent authorities in any action those authorities take in relation to a high-risk AI system made available on the market by the distributors, in particular to reduce or mitigate the risk posed by it.”

In practice: Distributors should establish a clear internal process for responding to requests from market surveillance authorities, including designating a point of contact, maintaining records of distributed high-risk AI systems, and having documented risk-mitigation procedures ready to activate upon authority request.


Article 25 - Responsibilities along the AI value chain

Art. 25(1). Any distributor, importer, deployer, or third party becomes legally treated as a provider of a high-risk AI system—and must meet all provider obligations—if they rebrand it, substantially modify it, or change its purpose so that it becomes high-risk.

chevron_rightSource text

Source text: “Any distributor, importer, deployer or other third-party shall be considered to be a provider of a high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:”

In practice: Organisations that rebrand, substantially modify, or repurpose AI systems should conduct a legal review before doing so to determine whether they will assume full provider obligations under Article 16. Document all modifications and purpose changes in writing.


Bridge to product

Across the AI Act, the obligations that touch personal data converge on the same engineering controls GDPR already requires — and RuleMesh ships those as a ready-to-implement Jira backlog today.

  • Risk management (AI Act Art. 9) ↔ GDPR Art. 32 (technical & organisational measures)
  • Data governance / bias detection (Art. 10) ↔ GDPR Art. 9 (special categories) + Art. 32
  • Automated logging (Art. 12) ↔ GDPR Art. 32 (audit trail / breach detection)
  • Human oversight (Art. 14) ↔ GDPR Art. 22 (automated-decision safeguards)
  • Deployer DPIA / FRIA (Arts. 26–27) ↔ GDPR Art. 35 (data protection impact assessment)

RuleMesh is not an AI Act compliance product — it implements GDPR control modules. But because the AI Act routes you to the exact GDPR articles RuleMesh already covers, starting with GDPR is your AI Act head start.

Explore GDPR control modules in RuleMesh →


Frequently asked questions

Who is a distributor under the EU AI Act?

A distributor is a natural or legal person in the supply chain — other than the provider (manufacturer) or importer — that makes an AI system available on the Union market, without modifying the system in a way that would alter its compliance status. (Source: AI Act definitions, CELEX 32024R1689.)

How many obligations does the AI Act place on distributors?

The RuleMesh knowledge graph identifies 7 obligation paragraphs addressed to the Distributor role, across Articles 24, 25.

When do AI Act distributors obligations apply?

Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.

Do the AI Act distributors obligations overlap with GDPR?

Yes. The AI Act repeatedly references specific GDPR articles and does not override GDPR — for example special-category data for bias detection (GDPR Art. 9), data protection impact assessments (GDPR Art. 35), and the technical and organisational measures of GDPR Art. 32. The two regulations require the same engineering controls.



Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.

GDPR Article 32 is your AI Act head start.

The AI Act and GDPR call for the same engineering work: risk management (Art. 9 ↔ GDPR Art. 32), data governance (Art. 10 ↔ GDPR Art. 9), logging (Art. 12 ↔ GDPR Art. 32), human oversight (Art. 14 ↔ GDPR Art. 22), incident reporting (Arts. 72/73 ↔ GDPR Arts. 33/34). RuleMesh delivers the GDPR side today: structured IT requirements your engineers and AI agents implement through the MCP. The AI Act's requirements are coming to the same MCP.