AI Act Obligations for Market Surveillance Authorities
A complete, article-by-article reference for AI Act market surveillance authorities — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 26 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.
Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.
Regulation (EU) 2024/1689 — CELEX 32024R1689
This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.
Who is a market surveillance authority?
A market surveillance authority is a national authority designated by a Member State to carry out market surveillance activities and take measures to ensure that products (including AI systems) placed on the market comply with applicable Union harmonisation legislation, thereby protecting public interests such as health, safety, and fundamental rights. In the AI Act context, this role is explicitly anchored to Regulation (EU) 2019/1020.
26 obligation paragraphs in the AI Act are addressed to the Market Surveillance Authority role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.
Jump to an article
- Article 5 - Prohibited AI practices
- Article 43 - Conformity assessment
- Article 46 - Derogation from conformity assessment procedure
- Article 57 - AI regulatory sandboxes
- Article 60 - Testing of high-risk AI systems in real world conditions outside AI regulatory sandboxes
- Article 68 - Scientific panel of independent experts
- Article 73 - Reporting of serious incidents
- Article 74 - Market surveillance and control of AI systems in the Union market
- Article 75 - Mutual assistance, market surveillance and control of general-purpose AI systems
- Article 80 - Procedure for dealing with AI systems classified by the provider as non-high-risk in application of Annex III
- Article 82 - Compliant AI systems which present a risk
- Frequently asked questions
Article 5 - Prohibited AI practices
Art. 5(6). (effective 2 February 2025) National market surveillance and data protection authorities must submit annual reports to the Commission on the use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement, using a Commission-provided template that includes data on judicial/administrative authorisation decisions and their outcomes.
chevron_rightSource text
Source text: “National market surveillance authorities and the national data protection authorities of Member States that have been notified of the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for law enforcement purposes pursuant to paragraph 4 shall submit to the Commission annual reports on such use. For that purpose, the Commission shall provide Member States and national market surveillance and data protection authorities with a template, including information on the number of the decisions taken by competent judicial authorities or an independent administrative authority whose decision is binding upon requests for authorisations in accordance with paragraph 3 and their result.”
In practice: Authorities should establish internal data collection processes to track all authorisation requests and outcomes throughout the year, ensuring the annual report can be compiled accurately using the Commission template. Designate a reporting officer responsible for aggregating this data.
Article 43 - Conformity assessment
Art. 43(1). Providers of high-risk AI systems listed in Annex III point 1 must choose between an internal control procedure or a third-party assessment involving a notified body, depending on whether harmonised standards or common specifications exist. Where law enforcement, immigration, or asylum authorities are the intended deployers, the relevant market surveillance authority acts as the notified body.
chevron_rightSource text
Source text: “For high-risk AI systems listed in point 1 of Annex III, where, in demonstrating the compliance of a high-risk AI system with the requirements set out in Section 2, the provider has applied harmonised standards referred to in Article 40, or, where applicable, common specifications referred to in Article 41, the provider shall opt for one of the following conformity assessment procedures based on: In demonstrating the compliance of a high-risk AI system with the requirements set out in Section 2, the provider shall follow the conformity assessment procedure set out in Annex VII where: For the purposes of the conformity assessment procedure referred to in Annex VII, the provider may choose any of the notified bodies. However, where the high-risk AI system is intended to be put into service by law enforcement, immigration or asylum authorities or by Union institutions, bodies, offices or agencies, the market surveillance authority referred to in Article 74(8) or (9), as applicable, shall act as a notified body.”
In practice: Map your AI system to Annex III point 1 and check whether applicable harmonised standards under Article 40 or common specifications under Article 41 exist. If they do, you may use internal control (Annex VI); if not, engage a notified body under Annex VII. For law enforcement use cases, contact the designated market surveillance authority early as it will serve as the notified body.
Article 46 - Derogation from conformity assessment procedure
Art. 46(1). A market surveillance authority may grant a time-limited authorisation to place a high-risk AI system on the market without completing the normal conformity assessment, but only for exceptional reasons such as public security, protection of life and health, environmental protection, or protection of key infrastructure. The conformity assessment must still be completed without undue delay.
chevron_rightSource text
Source text: “By way of derogation from Article 43 and upon a duly justified request, any market surveillance authority may authorise the placing on the market or the putting into service of specific high-risk AI systems within the territory of the Member State concerned, for exceptional reasons of public security or the protection of life and health of persons, environmental protection or the protection of key industrial and infrastructural assets. That authorisation shall be for a limited period while the necessary conformity assessment procedures are being carried out, taking into account the exceptional reasons justifying the derogation. The completion of those procedures shall be undertaken without undue delay.”
In practice: Operators seeking emergency authorisation should document the exceptional justification thoroughly and immediately initiate the conformity assessment procedure in parallel, tracking progress to ensure timely completion.
Art. 46(3). Authorisation under paragraph 1 may only be issued if the market surveillance authority concludes the AI system complies with Section 2 requirements. The authority must inform the Commission and other Member States of any authorisation issued, except for sensitive operational data related to law enforcement activities.
chevron_rightSource text
Source text: “The authorisation referred to in paragraph 1 shall be issued only if the market surveillance authority concludes that the high-risk AI system complies with the requirements of Section 2. The market surveillance authority shall inform the Commission and the other Member States of any authorisation issued pursuant to paragraphs 1 and 2. This obligation shall not cover sensitive operational data in relation to the activities of law-enforcement authorities.”
In practice: Market surveillance authorities should establish a standardised notification template for communicating authorisations to the Commission and other Member States, and maintain a clear register of what constitutes sensitive operational data exempt from disclosure.
Art. 46(6). If the European Commission determines that an authorisation granted under the derogation from conformity assessment is not justified, the market surveillance authority of the relevant Member State must withdraw that authorisation. This ensures that derogations from standard conformity procedures are subject to Commission oversight and can be revoked.
chevron_rightSource text
Source text: “Where the Commission considers the authorisation unjustified, it shall be withdrawn by the market surveillance authority of the Member State concerned.”
In practice: Market surveillance authorities should establish clear internal procedures for receiving and acting on Commission decisions to withdraw derogation authorisations, including timelines and notification mechanisms to affected providers.
Art. 46(7). For high-risk AI systems that are part of products covered by Union harmonisation legislation listed in Section A of Annex I, only the derogation rules established in that specific Union harmonisation legislation apply, not the general derogation rules of the AI Act. This ensures that sector-specific product safety regimes govern derogations for those product categories.
chevron_rightSource text
Source text: “For high-risk AI systems related to products covered by Union harmonisation legislation listed in Section A of Annex I, only the derogations from the conformity assessment established in that Union harmonisation legislation shall apply.”
In practice: Providers of high-risk AI systems embedded in products covered by Annex I Section A legislation (e.g., medical devices, machinery) should consult the applicable sectoral Union harmonisation legislation to identify the correct derogation procedures, rather than relying on the general AI Act derogation provisions.
Article 57 - AI regulatory sandboxes
Art. 57(7). Competent authorities must provide regulatory guidance to sandbox participants, issue written proof of successfully completed activities upon request, and produce exit reports; these documents must be positively considered by market surveillance authorities and notified bodies to accelerate conformity assessment.
chevron_rightSource text
Source text: “Competent authorities shall provide providers and prospective providers participating in the AI regulatory sandbox with guidance on regulatory expectations and how to fulfil the requirements and obligations set out in this Regulation. Upon request of the provider or prospective provider of the AI system, the competent authority shall provide a written proof of the activities successfully carried out in the sandbox. The competent authority shall also provide an exit report detailing the activities carried out in the sandbox and the related results and learning outcomes. Providers may use such documentation to demonstrate their compliance with this Regulation through the conformity assessment process or relevant market surveillance activities. In this regard, the exit reports and the written proof provided by the national competent authority shall be taken positively into account by market surveillance authorities and notified bodies, with a view to accelerating conformity assessment procedures to a reasonable extent.”
In practice: Request written proof and an exit report from the competent authority upon completing sandbox activities, and include these documents in your conformity assessment dossier to demonstrate compliance and potentially expedite third-party review.
Article 60 - Testing of high-risk AI systems in real world conditions outside AI regulatory sandboxes
Art. 60(4). Providers or prospective providers may only conduct real-world testing if they have drawn up and submitted a testing plan to the relevant market surveillance authority, obtained (or are deemed to have obtained) approval within 30 days, and registered the testing in the EU database with a unique identification number and required information.
chevron_rightSource text
Source text: “Providers or prospective providers may conduct the testing in real world conditions only where all of the following conditions are met:”
In practice: Submit the real-world testing plan to the competent market surveillance authority well in advance of the planned testing start date; track the 30-day approval window and check whether national law provides for tacit approval or requires explicit authorisation. Register the testing in the EU database (or secure non-public section for law enforcement/migration/asylum/border control systems) before commencing.
Art. 60(6). Member States must grant their market surveillance authorities the powers to require information, conduct unannounced inspections, and check real-world testing of high-risk AI systems. These powers must be used to ensure the safe development of such testing.
chevron_rightSource text
Source text: “In accordance with Article 75, Member States shall confer on their market surveillance authorities the powers of requiring providers and prospective providers to provide information, of carrying out unannounced remote or on-site inspections, and of performing checks on the conduct of the testing in real world conditions and the related high-risk AI systems. Market surveillance authorities shall use those powers to ensure the safe development of testing in real world conditions.”
In practice: Ensure your real-world testing plan and related documentation are readily accessible to market surveillance authorities at any time. Maintain up-to-date records of testing activities, system configurations, and safety measures to facilitate unannounced inspections.
Article 68 - Scientific panel of independent experts
Art. 68(3). (effective 2 August 2025) The scientific panel advises and supports the AI Office, particularly on implementing and enforcing rules for general-purpose AI models and systems, including supporting market surveillance authorities and cross-border activities.
chevron_rightSource text
Source text: “The scientific panel shall advise and support the AI Office, in particular with regard to the following tasks:”
In practice: Providers of general-purpose AI models should be aware that the scientific panel may be called upon to assist market surveillance authorities investigating their systems; maintain comprehensive technical documentation to facilitate such reviews.
Article 73 - Reporting of serious incidents
Art. 73(7). When a market surveillance authority receives a serious incident notification under Article 3(49)(c), it must inform relevant national public authorities; additionally, the Commission must issue guidance on compliance with Article 73(1) obligations by 2 August 2025, to be regularly reviewed.
chevron_rightSource text
Source text: “Upon receiving a notification related to a serious incident referred to in Article 3, point (49)(c), the relevant market surveillance authority shall inform the national public authorities or bodies referred to in Article 77(1). The Commission shall develop dedicated guidance to facilitate compliance with the obligations set out in paragraph 1 of this Article. That guidance shall be issued by 2 August 2025, and shall be assessed regularly.”
In practice: Market surveillance authorities should establish internal escalation procedures to notify national public authorities promptly upon receipt of Article 3(49)(c) incident notifications. Compliance teams should monitor the Commission's guidance publication by 2 August 2025 and integrate it into their incident reporting frameworks.
Art. 73(8). The market surveillance authority must take appropriate measures within seven days of receiving a serious incident notification and follow the notification procedures set out in Regulation (EU) 2019/1020.
chevron_rightSource text
Source text: “The market surveillance authority shall take appropriate measures, as provided for in Article 19 of Regulation (EU) 2019/1020, within seven days from the date it received the notification referred to in paragraph 1 of this Article, and shall follow the notification procedures as provided in that Regulation.”
In practice: Market surveillance authorities should implement a triage and escalation workflow that is triggered immediately upon receipt of a serious incident notification, ensuring that appropriate measures are identified and initiated within the seven-day deadline and that all steps are documented in accordance with Regulation (EU) 2019/1020 procedures.
Art. 73(11). National competent authorities must immediately notify the European Commission of any serious incident involving an AI system, regardless of whether they have taken any action on it, following the procedure set out in Article 20 of Regulation (EU) 2019/1020.
chevron_rightSource text
Source text: “National competent authorities shall immediately notify the Commission of any serious incident, whether or not they have taken action on it, in accordance with Article 20 of Regulation (EU) 2019/1020.”
In practice: Establish an internal escalation and notification workflow that triggers an immediate report to the Commission upon identification of a serious AI-related incident. Ensure your national competent authority has a direct communication channel with the Commission aligned with the Article 20 procedure of Regulation (EU) 2019/1020, and document all incidents even if no corrective action was taken.
Article 74 - Market surveillance and control of AI systems in the Union market
Art. 74(1). This paragraph extends the application of the EU Market Surveillance Regulation (2019/1020) to AI systems covered by the AI Act, ensuring that references to 'economic operators' and 'products' in that regulation are interpreted to include all AI system operators and AI systems within the AI Act's scope.
chevron_rightSource text
Source text: “Regulation (EU) 2019/1020 shall apply to AI systems covered by this Regulation. For the purposes of the effective enforcement of this Regulation:”
In practice: Operators of AI systems should familiarise themselves with Regulation (EU) 2019/1020 obligations (e.g., cooperation with market surveillance authorities, product traceability) as these now apply to them. Map your AI system supply chain roles (provider, deployer, importer, distributor) to the economic operator definitions.
Art. 74(2). Market surveillance authorities must annually report to the Commission and national competition authorities any information from surveillance activities relevant to EU competition law, and must also report on prohibited AI practices and measures taken during that year.
chevron_rightSource text
Source text: “As part of their reporting obligations under Article 34(4) of Regulation (EU) 2019/1020, the market surveillance authorities shall report annually to the Commission and relevant national competition authorities any information identified in the course of market surveillance activities that may be of potential interest for the application of Union law on competition rules. They shall also annually report to the Commission about the use of prohibited practices that occurred during that year and about the measures taken.”
In practice: Market surveillance authorities should establish internal processes to flag and document competition-relevant findings and prohibited AI practice incidents throughout the year, enabling timely and accurate annual reporting to the Commission and competition authorities.
Art. 74(7). By derogation, Member States may designate another authority as market surveillance authority where coordination is ensured; additionally, national authorities supervising credit institutions under the Single Supervisory Mechanism must report relevant market surveillance findings to the European Central Bank without delay.
chevron_rightSource text
Source text: “By way of derogation from paragraph 6, in appropriate circumstances, and provided that coordination is ensured, another relevant authority may be identified by the Member State as market surveillance authority for the purposes of this Regulation. National market surveillance authorities supervising regulated credit institutions regulated under Directive 2013/36/EU, which are participating in the Single Supervisory Mechanism established by Regulation (EU) No 1024/2013, should report, without delay, to the European Central Bank any information identified in the course of their market surveillance activities that may be of potential interest for the prudential supervisory tasks of the European Central Bank specified in that Regulation.”
In practice: Member States designating an alternative market surveillance authority should establish formal coordination protocols. National supervisors of SSM credit institutions should implement procedures to promptly share AI-related market surveillance findings with the ECB, including defining what constitutes 'potential interest' for prudential supervision.
Art. 74(14). Any information or documentation obtained by market surveillance authorities in the course of their activities must be treated in accordance with the confidentiality obligations set out in Article 78 of the AI Act.
chevron_rightSource text
Source text: “Any information or documentation obtained by market surveillance authorities shall be treated in accordance with the confidentiality obligations set out in Article 78.”
In practice: Market surveillance authorities should implement internal information handling policies aligned with Article 78 confidentiality requirements, including access controls, data classification, and staff training on handling commercially sensitive or classified information obtained during investigations.
Article 75 - Mutual assistance, market surveillance and control of general-purpose AI systems
Art. 75(2). Where market surveillance authorities have sufficient reason to believe that a general-purpose AI system used directly by deployers for at least one high-risk purpose is non-compliant, they must cooperate with the AI Office to conduct compliance evaluations and inform the Board and other market surveillance authorities.
chevron_rightSource text
Source text: “Where the relevant market surveillance authorities have sufficient reason to consider general-purpose AI systems that can be used directly by deployers for at least one purpose that is classified as high-risk pursuant to this Regulation to be non-compliant with the requirements laid down in this Regulation, they shall cooperate with the AI Office to carry out compliance evaluations, and shall inform the Board and other market surveillance authorities accordingly.”
In practice: Market surveillance authorities should establish clear internal protocols for escalating suspected non-compliance of general-purpose AI systems to the AI Office, including documentation of the evidence threshold and notification procedures to the Board.
Art. 75(3). Where a market surveillance authority cannot complete its investigation of a high-risk AI system due to inability to access information related to the underlying general-purpose AI model, it may submit a reasoned request to the AI Office, which must supply relevant information within 30 days; the authority must keep that information confidential in accordance with Article 78, and the mutual assistance procedure of Regulation (EU) 2019/1020 Chapter VI applies mutatis mutandis.
chevron_rightSource text
Source text: “Where a market surveillance authority is unable to conclude its investigation of the high-risk AI system because of its inability to access certain information related to the general-purpose AI model despite having made all appropriate efforts to obtain that information, it may submit a reasoned request to the AI Office, by which access to that information shall be enforced. In that case, the AI Office shall supply to the applicant authority without delay, and in any event within 30 days, any information that the AI Office considers to be relevant in order to establish whether a high-risk AI system is non-compliant. Market surveillance authorities shall safeguard the confidentiality of the information that they obtain in accordance with Article 78 of this Regulation. The procedure provided for in Chapter VI of Regulation (EU) 2019/1020 shall apply mutatis mutandis.”
In practice: Market surveillance authorities should document all efforts made to obtain information before submitting a reasoned request to the AI Office, and implement confidentiality protocols aligned with Article 78 of the AI Act to handle any information received from the AI Office.
Article 80 - Procedure for dealing with AI systems classified by the provider as non-high-risk in application of Annex III
Art. 80(1). Where a market surveillance authority has sufficient reason to believe that an AI system self-classified as non-high-risk is actually high-risk, it must conduct an evaluation of that system's classification based on Article 6(3) conditions and Commission guidelines.
chevron_rightSource text
Source text: “Where a market surveillance authority has sufficient reason to consider that an AI system classified by the provider as non-high-risk pursuant to Article 6(3) is indeed high-risk, the market surveillance authority shall carry out an evaluation of the AI system concerned in respect of its classification as a high-risk AI system based on the conditions set out in Article 6(3) and the Commission guidelines.”
In practice: Providers should maintain thorough documentation justifying their non-high-risk classification under Article 6(3) and Commission guidelines, as market surveillance authorities may challenge that classification at any time.
Art. 80(2). If the market surveillance authority finds during evaluation that the AI system is indeed high-risk, it must without undue delay require the provider to bring the system into compliance with all applicable requirements and take corrective action within a prescribed period.
chevron_rightSource text
Source text: “Where, in the course of that evaluation, the market surveillance authority finds that the AI system concerned is high-risk, it shall without undue delay require the relevant provider to take all necessary actions to bring the AI system into compliance with the requirements and obligations laid down in this Regulation, as well as take appropriate corrective action within a period the market surveillance authority may prescribe.”
In practice: Providers should have a compliance readiness plan for high-risk AI requirements so that if reclassified, they can act swiftly within the authority-prescribed timeframe to avoid penalties.
Art. 80(3). If the market surveillance authority considers that the use of the AI system is not restricted to its national territory, it must without undue delay inform the Commission and other Member States of the evaluation results and required actions.
chevron_rightSource text
Source text: “Where the market surveillance authority considers that the use of the AI system concerned is not restricted to its national territory, it shall inform the Commission and the other Member States without undue delay of the results of the evaluation and of the actions which it has required the provider to take.”
In practice: Market surveillance authorities should establish clear internal procedures for determining when an AI system's use extends beyond national borders and triggering cross-border notification workflows promptly.
Art. 80(6). If a provider of an AI system classified as non-high-risk fails to take adequate corrective action within the required period, the escalated enforcement procedures set out in Article 79(5) to (9) shall apply automatically.
chevron_rightSource text
Source text: “Where the provider of the AI system concerned does not take adequate corrective action within the period referred to in paragraph 2 of this Article, Article 79(5) to (9) shall apply.”
In practice: Providers should establish internal escalation protocols and timelines for responding to market surveillance authority requests; failure to act within the specified period triggers full Article 79 enforcement, including potential market withdrawal orders.
Art. 80(7). If a market surveillance authority finds during evaluation that a provider deliberately misclassified an AI system as non-high-risk to avoid Chapter III Section 2 requirements, the provider is subject to fines under Article 99.
chevron_rightSource text
Source text: “Where, in the course of the evaluation pursuant to paragraph 1 of this Article, the market surveillance authority establishes that the AI system was misclassified by the provider as non-high-risk in order to circumvent the application of requirements in Chapter III, Section 2, the provider shall be subject to fines in accordance with Article 99.”
In practice: Providers must ensure their risk classification decisions are documented, objective, and defensible; intentional misclassification to avoid high-risk obligations constitutes a sanctionable infringement under Article 99 and should be treated as a serious compliance risk.
Art. 80(8). Market surveillance authorities may perform appropriate checks when monitoring the application of Article 80, taking into account information stored in the EU AI database referred to in Article 71, in accordance with Article 11 of Regulation (EU) 2019/1020.
chevron_rightSource text
Source text: “In exercising their power to monitor the application of this Article, and in accordance with Article 11 of Regulation (EU) 2019/1020, market surveillance authorities may perform appropriate checks, taking into account in particular information stored in the EU database referred to in Article 71 of this Regulation.”
In practice: Providers should ensure that all information registered in the EU database under Article 71 is accurate, complete, and up to date, as market surveillance authorities will actively use this data when conducting checks on AI systems classified as non-high-risk.
Article 82 - Compliant AI systems which present a risk
Art. 82(1). Even if a high-risk AI system complies with the AI Act, if a market surveillance authority finds it still poses a risk to health, safety, fundamental rights, or public interest, it must require the operator to take all appropriate measures to eliminate that risk without undue delay.
chevron_rightSource text
Source text: “Where, having performed an evaluation under Article 79, after consulting the relevant national public authority referred to in Article 77(1), the market surveillance authority of a Member State finds that although a high-risk AI system complies with this Regulation, it nevertheless presents a risk to the health or safety of persons, to fundamental rights, or to other aspects of public interest protection, it shall require the relevant operator to take all appropriate measures to ensure that the AI system concerned, when placed on the market or put into service, no longer presents that risk without undue delay, within a period it may prescribe.”
In practice: Operators should maintain a risk register that goes beyond regulatory compliance checklists and includes residual risk assessments. Establish a rapid-response protocol for receiving and acting on market surveillance authority directives, including a designated contact point and escalation path.
Related
This page covers the AI Act obligations of an oversight/governance role. If you build or supply AI systems, see the actor pages for providers and deployers — where the AI Act's requirements map onto the GDPR control modules RuleMesh delivers.
Frequently asked questions
Who is a market surveillance authority under the EU AI Act?
A market surveillance authority is a national authority designated by a Member State to carry out market surveillance activities and take measures to ensure that products (including AI systems) placed on the market comply with applicable Union harmonisation legislation, thereby protecting public interests such as health, safety, and fundamental rights. In the AI Act context, this role is explicitly anchored to Regulation (EU) 2019/1020. (Source: AI Act definitions, CELEX 32024R1689.)
How many obligations does the AI Act place on market surveillance authorities?
The RuleMesh knowledge graph identifies 26 obligation paragraphs addressed to the Market Surveillance Authority role, across Articles 5, 43, 46, 57, 60, 68, 73, 74, 75, 80, 82.
When do AI Act market surveillance authorities obligations apply?
Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.
Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.