AI Act Obligations for Importers

A complete, article-by-article reference for AI Act importers — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 8 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.

CELEX 32024R1689·8 obligation paragraphs·Most obligations effective 2026-08-02

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.

update

Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.

Regulation (EU) 2024/1689 — CELEX 32024R1689

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.


Who is an importer?

An importer is a natural or legal person established within the EU that places on the Union market an AI system (or product) originating from a third country, typically bearing the name or trademark of a third-country entity, thereby assuming responsibility for the product's compliance with applicable Union law.

8 obligation paragraphs in the AI Act are addressed to the Importer role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.


Jump to an article


Article 23 - Obligations of importers

Art. 23(1). Before placing a high-risk AI system on the market, importers must verify that the provider has completed the required conformity assessment, prepared technical documentation per Article 11 and Annex IV, and that the system bears the CE marking and is accompanied by the EU declaration of conformity and instructions for use.

chevron_rightSource text

Source text: “Before placing a high-risk AI system on the market, importers shall ensure that the system is in conformity with this Regulation by verifying that:”

In practice: Importers should establish a pre-market checklist covering: (1) confirmation that the conformity assessment under Article 43 was completed, (2) review of technical documentation per Annex IV, and (3) physical verification of CE marking and EU declaration of conformity before any product is released to market.

Art. 23(2). If an importer has sufficient reason to believe a high-risk AI system is non-conforming or falsified, it must not place it on the market until conformity is achieved; if the system presents a risk under Article 79(1), the importer must notify the provider, authorised representative, and market surveillance authorities.

chevron_rightSource text

Source text: “Where an importer has sufficient reason to consider that a high-risk AI system is not in conformity with this Regulation, or is falsified, or accompanied by falsified documentation, it shall not place the system on the market until it has been brought into conformity. Where the high-risk AI system presents a risk within the meaning of Article 79(1), the importer shall inform the provider of the system, the authorised representative and the market surveillance authorities to that effect.”

In practice: Importers should implement a documented non-conformity escalation procedure: if red flags are identified (e.g., inconsistent documentation, missing CE marking), halt market placement and trigger notifications to the provider, authorised representative, and relevant market surveillance authority using a standardised incident report template.

Art. 23(3). Importers must display their name, registered trade name or trademark, and contact address on the high-risk AI system itself, its packaging, or accompanying documentation where applicable, to ensure traceability.

chevron_rightSource text

Source text: “Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system and on its packaging or its accompanying documentation, where applicable.”

In practice: Importers should ensure their name and contact details are clearly printed on product labels, packaging inserts, or accompanying documentation. For software-only AI systems, this information should appear in the user interface, documentation, or product metadata.

Art. 23(4). While a high-risk AI system is under the importer's responsibility, the importer must ensure that storage and transport conditions do not jeopardise the system's compliance with the requirements set out in Section 2 of the AI Act.

chevron_rightSource text

Source text: “Importers shall ensure that, while a high-risk AI system is under their responsibility, storage or transport conditions, where applicable, do not jeopardise its compliance with the requirements set out in Section 2.”

In practice: Importers should document storage and transport protocols for high-risk AI systems, including environmental controls (e.g., temperature, humidity for hardware components) and cybersecurity measures for software (e.g., secure transfer, integrity verification). Maintain records of these conditions as evidence of compliance.

Art. 23(5). Importers must retain copies of the notified body certificate (where applicable), instructions for use, and the EU declaration of conformity for 10 years after the high-risk AI system has been placed on the market or put into service.

chevron_rightSource text

Source text: “Importers shall keep, for a period of 10 years after the high-risk AI system has been placed on the market or put into service, a copy of the certificate issued by the notified body, where applicable, of the instructions for use, and of the EU declaration of conformity referred to in Article 47.”

In practice: Importers should establish a document retention policy specifically for high-risk AI systems, ensuring that certificates, instructions for use, and EU declarations of conformity are stored securely (physically or digitally) for a minimum of 10 years from the date of market placement or service commencement, with clear retrieval procedures for regulatory inspections.

Art. 23(6). Importers of high-risk AI systems must provide competent authorities with all necessary information and documentation—including technical documentation—to demonstrate conformity with Section 2 requirements, in a language easily understood by those authorities. They must also ensure that technical documentation remains accessible to those authorities upon reasoned request.

chevron_rightSource text

Source text: “Importers shall provide the relevant competent authorities, upon a reasoned request, with all the necessary information and documentation, including that referred to in paragraph 5, to demonstrate the conformity of a high-risk AI system with the requirements set out in Section 2 in a language which can be easily understood by them. For this purpose, they shall also ensure that the technical documentation can be made available to those authorities.”

In practice: Importers should maintain a readily accessible repository of technical documentation (in the official language(s) of the relevant Member State) and establish an internal process to respond promptly to reasoned requests from market surveillance authorities. Consider translating key conformity documents proactively.

Art. 23(7). Importers must actively cooperate with competent authorities in any action taken regarding a high-risk AI system they have placed on the market, particularly to reduce and mitigate risks posed by that system. This includes supporting investigations, recalls, or other corrective measures initiated by authorities.

chevron_rightSource text

Source text: “Importers shall cooperate with the relevant competent authorities in any action those authorities take in relation to a high-risk AI system placed on the market by the importers, in particular to reduce and mitigate the risks posed by it.”

In practice: Importers should designate a responsible contact point for regulatory affairs and establish internal escalation procedures to ensure swift cooperation with market surveillance authorities, including readiness to support product recalls or risk mitigation actions when required.


Article 25 - Responsibilities along the AI value chain

Art. 25(1). Any distributor, importer, deployer, or third party becomes legally treated as a provider of a high-risk AI system—and must meet all provider obligations—if they rebrand it, substantially modify it, or change its purpose so that it becomes high-risk.

chevron_rightSource text

Source text: “Any distributor, importer, deployer or other third-party shall be considered to be a provider of a high-risk AI system for the purposes of this Regulation and shall be subject to the obligations of the provider under Article 16, in any of the following circumstances:”

In practice: Organisations that rebrand, substantially modify, or repurpose AI systems should conduct a legal review before doing so to determine whether they will assume full provider obligations under Article 16. Document all modifications and purpose changes in writing.


Bridge to product

Across the AI Act, the obligations that touch personal data converge on the same engineering controls GDPR already requires — and RuleMesh ships those as a ready-to-implement Jira backlog today.

  • Risk management (AI Act Art. 9) ↔ GDPR Art. 32 (technical & organisational measures)
  • Data governance / bias detection (Art. 10) ↔ GDPR Art. 9 (special categories) + Art. 32
  • Automated logging (Art. 12) ↔ GDPR Art. 32 (audit trail / breach detection)
  • Human oversight (Art. 14) ↔ GDPR Art. 22 (automated-decision safeguards)
  • Deployer DPIA / FRIA (Arts. 26–27) ↔ GDPR Art. 35 (data protection impact assessment)

RuleMesh is not an AI Act compliance product — it implements GDPR control modules. But because the AI Act routes you to the exact GDPR articles RuleMesh already covers, starting with GDPR is your AI Act head start.

Explore GDPR control modules in RuleMesh →


Frequently asked questions

Who is an importer under the EU AI Act?

An importer is a natural or legal person established within the EU that places on the Union market an AI system (or product) originating from a third country, typically bearing the name or trademark of a third-country entity, thereby assuming responsibility for the product's compliance with applicable Union law. (Source: AI Act definitions, CELEX 32024R1689.)

How many obligations does the AI Act place on importers?

The RuleMesh knowledge graph identifies 8 obligation paragraphs addressed to the Importer role, across Articles 23, 25.

When do AI Act importers obligations apply?

Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.

Do the AI Act importers obligations overlap with GDPR?

Yes. The AI Act repeatedly references specific GDPR articles and does not override GDPR — for example special-category data for bias detection (GDPR Art. 9), data protection impact assessments (GDPR Art. 35), and the technical and organisational measures of GDPR Art. 32. The two regulations require the same engineering controls.



Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.

GDPR Article 32 is your AI Act head start.

The AI Act and GDPR call for the same engineering work: risk management (Art. 9 ↔ GDPR Art. 32), data governance (Art. 10 ↔ GDPR Art. 9), logging (Art. 12 ↔ GDPR Art. 32), human oversight (Art. 14 ↔ GDPR Art. 22), incident reporting (Arts. 72/73 ↔ GDPR Arts. 33/34). RuleMesh delivers the GDPR side today: structured IT requirements your engineers and AI agents implement through the MCP. The AI Act's requirements are coming to the same MCP.