arrow_backAI Act Actor Hub·National competent authority

AI Act Obligations for National Competent Authorities

A complete, article-by-article reference for AI Act national competent authorities — generated from the RuleMesh knowledge graph (CELEX 32024R1689). Covers all 22 obligation paragraphs sourced from the regulation, with relevant annexes and GDPR cross-references quoted verbatim.

CELEX 32024R1689·22 obligation paragraphs·Most obligations effective 2026-08-02

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference is pulled from the structured graph representation of CELEX 32024R1689, not recalled from memory.

update

Pending change — the Digital Omnibus on AI. An amendment approved in June 2026 is set to move stand-alone high-risk deadlines (Annex III) to 2 December 2027, while transparency, content-marking, and two new prohibitions still apply in 2026. The dates on this page remain the currently-binding Regulation 2024/1689 dates until the amendment is published in the Official Journal. Read the briefing.

Regulation (EU) 2024/1689 — CELEX 32024R1689

This page is generated from the RuleMesh knowledge graph — every obligation, annex block, and cross-reference below is pulled from the structured graph representation of the regulation, not recalled from memory.


Who is a national competent authority?

A national competent authority under the AI Act is either a notifying authority (responsible for the assessment, designation and monitoring of conformity assessment bodies) or a market surveillance authority (responsible for ensuring AI systems on the market comply with the Regulation). For AI systems used by EU institutions, agencies, offices and bodies, the European Data Protection Supervisor fulfils this role. The concept aligns with the broader EU framework of Member State-designated authorities responsible for product safety, market surveillance and sector-specific supervision.

22 obligation paragraphs in the AI Act are addressed to the National Competent Authority role. Most obligations for high-risk AI systems apply from 2 August 2026; obligations for general-purpose AI model providers and the AI Act's governance bodies apply from 2 August 2025.


Jump to an article


Article 5 - Prohibited AI practices

Art. 5(2). (effective 2 February 2025) The use of real-time remote biometric identification systems in publicly accessible spaces for law enforcement is only permitted to confirm the identity of a specifically targeted individual, must comply with necessary and proportionate safeguards, requires a completed fundamental rights impact assessment and registration in the EU database, and must take into account the nature of the situation and consequences for rights and freedoms. In urgent cases, use may commence without prior registration provided registration follows without undue delay.

chevron_rightSource text

Source text: “The use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement for any of the objectives referred to in paragraph 1, first subparagraph, point (h), shall be deployed for the purposes set out in that point only to confirm the identity of the specifically targeted individual, and it shall take into account the following elements: In addition, the use of ‘real-time’ remote biometric identification systems in publicly accessible spaces for the purposes of law enforcement for any of the objectives referred to in paragraph 1, first subparagraph, point (h), of this Article shall comply with necessary and proportionate safeguards and conditions in relation to the use in accordance with the national law authorising the use thereof, in particular as regards the temporal, geographic and personal limitations. The use of the ‘real-time’ remote biometric identification system in publicly accessible spaces shall be authorised only if the law enforcement authority has completed a fundamental rights impact assessment as provided for in Article 27 and has registered the system in the EU database according to Article 49. However, in duly justified cases of urgency, the use of such systems may be commenced without the registration in the EU database, provided that such registration is completed without undue delay.”

In practice: Law enforcement authorities deploying real-time remote biometric identification systems must complete a fundamental rights impact assessment (Article 27) and register the system in the EU database (Article 49) before deployment. Establish documented urgency protocols that trigger immediate post-use registration and ensure all deployments are limited in temporal, geographic and personal scope.

Art. 5(3). (effective 2 February 2025) Each use of a real-time remote biometric identification system in publicly accessible spaces for law enforcement requires prior authorisation from a judicial or independent administrative authority, based on objective evidence that the use is necessary and proportionate. In urgent situations, use may begin without prior authorisation provided authorisation is requested within 24 hours; if rejected, use must stop immediately and all data must be deleted. No adverse legal decision may be based solely on the system's output.

chevron_rightSource text

Source text: “For the purposes of paragraph 1, first subparagraph, point (h) and paragraph 2, each use for the purposes of law enforcement of a ‘real-time’ remote biometric identification system in publicly accessible spaces shall be subject to a prior authorisation granted by a judicial authority or an independent administrative authority whose decision is binding of the Member State in which the use is to take place, issued upon a reasoned request and in accordance with the detailed rules of national law referred to in paragraph 5. However, in a duly justified situation of urgency, the use of such system may be commenced without an authorisation provided that such authorisation is requested without undue delay, at the latest within 24 hours. If such authorisation is rejected, the use shall be stopped with immediate effect and all the data, as well as the results and outputs of that use shall be immediately discarded and deleted. The competent judicial authority or an independent administrative authority whose decision is binding shall grant the authorisation only where it is satisfied, on the basis of objective evidence or clear indications presented to it, that the use of the ‘real-time’ remote biometric identification system concerned is necessary for, and proportionate to, achieving one of the objectives specified in paragraph 1, first subparagraph, point (h), as identified in the request and, in particular, remains limited to what is strictly necessary concerning the period of time as well as the geographic and personal scope. In deciding on the request, that authority shall take into account the elements referred to in paragraph 2. No decision that produces an adverse legal effect on a person may be taken based solely on the output of the ‘real-time’ remote biometric identification system.”

In practice: Law enforcement authorities must establish a formal authorisation request process with documented objective evidence for each deployment. Create automated data deletion workflows triggered by authorisation rejection. Ensure decision-making processes include human review and never rely solely on biometric system output for adverse legal decisions. Maintain audit logs of all authorisation requests and outcomes.

Art. 5(4). (effective 2 February 2025) Each use of a real-time remote biometric identification system in publicly accessible spaces for law enforcement must be notified to the relevant market surveillance authority and the national data protection authority in accordance with national rules, with the notification containing at minimum the information specified in paragraph 6 but excluding sensitive operational data.

chevron_rightSource text

Source text: “Without prejudice to paragraph 3, each use of a ‘real-time’ remote biometric identification system in publicly accessible spaces for law enforcement purposes shall be notified to the relevant market surveillance authority and the national data protection authority in accordance with the national rules referred to in paragraph 5. The notification shall, as a minimum, contain the information specified under paragraph 6 and shall not include sensitive operational data.”

In practice: Law enforcement authorities should establish a standardised notification template aligned with paragraph 6 requirements and national rules. Create a notification workflow that is triggered automatically upon each deployment, ensuring notifications are sent to both the market surveillance authority and the national data protection authority. Implement data classification controls to ensure sensitive operational data is excluded from notifications.


Article 21 - Cooperation with competent authorities

Art. 21(3). Any information that a competent authority obtains under Article 21 must be handled in accordance with the confidentiality obligations set out in Article 78 of the AI Act.

chevron_rightSource text

Source text: “Any information obtained by a competent authority pursuant to this Article shall be treated in accordance with the confidentiality obligations set out in Article 78.”

In practice: Competent authorities should establish internal data handling procedures and access controls ensuring that all information received from providers under Article 21 is classified and processed in line with the confidentiality requirements of Article 78, including restricting access to authorised personnel only.


Article 36 - Changes to notifications

Art. 36(9). When a notified body's designation is withdrawn, certificates (excluding unduly issued ones) remain valid for nine months if the national competent authority confirms no risk to health, safety, or fundamental rights and another notified body confirms it will assume responsibility and complete its assessment within 12 months; the validity may be extended by three-month periods up to a maximum of 12 months total.

chevron_rightSource text

Source text: “With the exception of certificates unduly issued, and where a designation has been withdrawn, the certificates shall remain valid for a period of nine months under the following circumstances: In the circumstances referred to in the first subparagraph, the national competent authority of the Member State in which the provider of the system covered by the certificate has its place of business may extend the provisional validity of the certificates for additional periods of three months, which shall not exceed 12 months in total. The national competent authority or the notified body assuming the functions of the notified body affected by the change of designation shall immediately inform the Commission, the other Member States and the other notified bodies thereof.”

In practice: Maintain a registry of all active certificates linked to each notified body so that upon withdrawal, the national competent authority can immediately assess validity conditions; pre-identify candidate replacement notified bodies and establish written assumption-of-responsibility agreements to avoid gaps in certificate coverage.


Article 46 - Derogation from conformity assessment procedure

Art. 46(2). In urgent situations involving imminent threats to life or physical safety, law enforcement or civil protection authorities may put a high-risk AI system into service without prior authorisation, provided they request authorisation during or immediately after use. If authorisation is refused, use must stop immediately and all results must be discarded.

chevron_rightSource text

Source text: “In a duly justified situation of urgency for exceptional reasons of public security or in the case of specific, substantial and imminent threat to the life or physical safety of natural persons, law-enforcement authorities or civil protection authorities may put a specific high-risk AI system into service without the authorisation referred to in paragraph 1, provided that such authorisation is requested during or after the use without undue delay. If the authorisation referred to in paragraph 1 is refused, the use of the high-risk AI system shall be stopped with immediate effect and all the results and outputs of such use shall be immediately discarded.”

In practice: Law enforcement agencies should establish internal protocols for emergency AI system deployment that include automatic triggers for post-use authorisation requests and immediate data deletion procedures in case of refusal.


Article 55 - Obligations of providers of general-purpose AI models with systemic risk

Art. 55(3). (effective 2 August 2025) All information and documentation obtained under Article 55, including trade secrets, must be treated in accordance with the confidentiality obligations set out in Article 78 of the AI Act.

chevron_rightSource text

Source text: “Any information or documentation obtained pursuant to this Article, including trade secrets, shall be treated in accordance with the confidentiality obligations set out in Article 78.”

In practice: Implement information classification and handling procedures that align with Article 78 confidentiality requirements. Ensure that any information shared with or received from the AI Office or national competent authorities under Article 55 is subject to strict access controls, non-disclosure agreements, and secure storage protocols. Train staff on trade secret protection obligations.


Article 57 - AI regulatory sandboxes

Art. 57(5). AI regulatory sandboxes must provide a controlled environment that fosters innovation and facilitates the development, training, testing and validation of innovative AI systems for a limited time before market placement, based on a specific sandbox plan agreed between providers and the competent authority. Sandboxes may include supervised real-world condition testing.

chevron_rightSource text

Source text: “AI regulatory sandboxes established under paragraph 1 shall provide for a controlled environment that fosters innovation and facilitates the development, training, testing and validation of innovative AI systems for a limited time before their being placed on the market or put into service pursuant to a specific sandbox plan agreed between the providers or prospective providers and the competent authority. Such sandboxes may include testing in real world conditions supervised therein.”

In practice: Providers seeking to enter a sandbox should prepare a detailed sandbox plan covering the AI system's intended purpose, testing methodology, risk mitigation measures, timeline, and data governance arrangements before approaching the competent authority.

Art. 57(6). Competent authorities must provide guidance, supervision, and support within AI regulatory sandboxes to help identify risks—especially to fundamental rights, health, and safety—and to test and evaluate mitigation measures against the obligations of the AI Act and other applicable law.

chevron_rightSource text

Source text: “Competent authorities shall provide, as appropriate, guidance, supervision and support within the AI regulatory sandbox with a view to identifying risks, in particular to fundamental rights, health and safety, testing, mitigation measures, and their effectiveness in relation to the obligations and requirements of this Regulation and, where relevant, other Union and national law supervised within the sandbox.”

In practice: Establish a structured sandbox engagement protocol that includes regular check-ins with the competent authority, a risk log covering fundamental rights impacts, and documented evidence of mitigation measures tested during the sandbox period.

Art. 57(7). Competent authorities must provide regulatory guidance to sandbox participants, issue written proof of successfully completed activities upon request, and produce exit reports; these documents must be positively considered by market surveillance authorities and notified bodies to accelerate conformity assessment.

chevron_rightSource text

Source text: “Competent authorities shall provide providers and prospective providers participating in the AI regulatory sandbox with guidance on regulatory expectations and how to fulfil the requirements and obligations set out in this Regulation. Upon request of the provider or prospective provider of the AI system, the competent authority shall provide a written proof of the activities successfully carried out in the sandbox. The competent authority shall also provide an exit report detailing the activities carried out in the sandbox and the related results and learning outcomes. Providers may use such documentation to demonstrate their compliance with this Regulation through the conformity assessment process or relevant market surveillance activities. In this regard, the exit reports and the written proof provided by the national competent authority shall be taken positively into account by market surveillance authorities and notified bodies, with a view to accelerating conformity assessment procedures to a reasonable extent.”

In practice: Request written proof and an exit report from the competent authority upon completing sandbox activities, and include these documents in your conformity assessment dossier to demonstrate compliance and potentially expedite third-party review.

Art. 57(9). AI regulatory sandboxes must be designed to achieve three objectives: improving legal certainty for regulatory compliance, supporting the sharing of best practices through cooperation, and fostering innovation and competitiveness to develop an AI ecosystem.

chevron_rightSource text

Source text: “The establishment of AI regulatory sandboxes shall aim to contribute to the following objectives:”

In practice: When designing or participating in an AI regulatory sandbox, document how each activity contributes to the three statutory objectives—legal certainty, best practice sharing, and innovation—to demonstrate alignment with Article 57 requirements.

Art. 57(10). National competent authorities must ensure that, where AI systems in the sandbox involve personal data processing or fall under other supervisory remits, the relevant data protection authorities and other competent authorities are associated with and involved in the sandbox's operation and supervision.

chevron_rightSource text

Source text: “National competent authorities shall ensure that, to the extent the innovative AI systems involve the processing of personal data or otherwise fall under the supervisory remit of other national authorities or competent authorities providing or supporting access to data, the national data protection authorities and those other national or competent authorities are associated with the operation of the AI regulatory sandbox and involved in the supervision of those aspects to the extent of their respective tasks and powers.”

In practice: Before launching a sandbox involving personal data, map all relevant supervisory authorities (e.g., national DPA, sectoral regulators) and establish formal cooperation arrangements to ensure they are involved in sandbox governance from the outset.

Art. 57(11). National competent authorities retain full supervisory and corrective powers over AI regulatory sandboxes, including the ability to suspend or terminate testing if significant risks to health, safety, or fundamental rights cannot be mitigated. Authorities must exercise these powers with the objective of supporting AI innovation in the Union.

chevron_rightSource text

Source text: “The AI regulatory sandboxes shall not affect the supervisory or corrective powers of the competent authorities supervising the sandboxes, including at regional or local level. Any significant risks to health and safety and fundamental rights identified during the development and testing of such AI systems shall result in an adequate mitigation. National competent authorities shall have the power to temporarily or permanently suspend the testing process, or the participation in the sandbox if no effective mitigation is possible, and shall inform the AI Office of such decision. National competent authorities shall exercise their supervisory powers within the limits of the relevant law, using their discretionary powers when implementing legal provisions in respect of a specific AI regulatory sandbox project, with the objective of supporting innovation in AI in the Union.”

In practice: Sandbox participants should establish a real-time risk monitoring protocol and escalation path so that any significant risk identified during testing is immediately reported to the competent authority, with documented mitigation measures ready to present, to avoid suspension of the sandbox project.

Art. 57(13). AI regulatory sandboxes must be designed and implemented in a way that facilitates cross-border cooperation between national competent authorities where relevant. This ensures that sandbox activities can be coordinated across Member States.

chevron_rightSource text

Source text: “The AI regulatory sandboxes shall be designed and implemented in such a way that, where relevant, they facilitate cross-border cooperation between national competent authorities.”

In practice: When establishing an AI regulatory sandbox, national competent authorities should include cross-border cooperation mechanisms in the sandbox governance framework from the outset, such as shared reporting templates and joint oversight protocols with counterpart authorities in other Member States.

Art. 57(14). National competent authorities must coordinate their activities and cooperate within the framework of the European Artificial Intelligence Board. This ensures consistent application of sandbox rules across Member States.

chevron_rightSource text

Source text: “National competent authorities shall coordinate their activities and cooperate within the framework of the Board.”

In practice: National competent authorities should designate a specific liaison or coordination function responsible for engaging with the Board on sandbox-related matters, ensuring that national sandbox activities are reported and aligned with Board guidance and recommendations.

Art. 57(15). National competent authorities must inform the AI Office and the Board when establishing a sandbox and may request their support and guidance. The AI Office must maintain and publicly publish an up-to-date list of planned and existing sandboxes to encourage interaction and cross-border cooperation.

chevron_rightSource text

Source text: “National competent authorities shall inform the AI Office and the Board of the establishment of a sandbox, and may ask them for support and guidance. The AI Office shall make publicly available a list of planned and existing sandboxes and keep it up to date in order to encourage more interaction in the AI regulatory sandboxes and cross-border cooperation.”

In practice: National competent authorities should establish a formal notification procedure for sandbox establishment that includes submission to the AI Office and the Board, and should monitor the AI Office's public sandbox list to identify opportunities for cross-border collaboration and alignment with other Member States' sandbox activities.

Art. 57(16). National competent authorities must submit annual reports to the AI Office and the Board on the progress and results of AI regulatory sandboxes, including best practices, incidents, lessons learned, and recommendations. These reports must be made publicly available online, and the Commission must take them into account when exercising its tasks under the Regulation.

chevron_rightSource text

Source text: “National competent authorities shall submit annual reports to the AI Office and to the Board, from one year after the establishment of the AI regulatory sandbox and every year thereafter until its termination, and a final report. Those reports shall provide information on the progress and results of the implementation of those sandboxes, including best practices, incidents, lessons learnt and recommendations on their setup and, where relevant, on the application and possible revision of this Regulation, including its delegated and implementing acts, and on the application of other Union law supervised by the competent authorities within the sandbox. The national competent authorities shall make those annual reports or abstracts thereof available to the public, online. The Commission shall, where appropriate, take the annual reports into account when exercising its tasks under this Regulation.”

In practice: Establish a structured reporting template and internal review cycle to capture sandbox outcomes, incidents, and lessons learned on an annual basis. Ensure reports or abstracts are published on the authority's official website and submitted to the AI Office and Board on schedule.


Article 58 - Detailed arrangements for, and functioning of, AI regulatory sandboxes

Art. 58(2). The implementing acts must ensure that AI regulatory sandboxes are open, fair, and accessible to all eligible providers and prospective providers, with national competent authorities required to respond to applications within three months, and that sandboxes can accommodate partnerships and maintain flexibility for national authorities.

chevron_rightSource text

Source text: “The implementing acts referred to in paragraph 1 shall ensure:”

In practice: Providers and prospective providers, including SMEs and start-ups, should submit sandbox applications in partnerships where possible and track the three-month decision deadline from national competent authorities to plan their development timelines.

Art. 58(3). Prospective providers in AI regulatory sandboxes, especially SMEs and start-ups, should be directed to pre-deployment support services such as regulatory guidance, standardisation assistance, certification support, testing facilities, and European Digital Innovation Hubs.

chevron_rightSource text

Source text: “Prospective providers in the AI regulatory sandboxes, in particular SMEs and start-ups, shall be directed, where relevant, to pre-deployment services such as guidance on the implementation of this Regulation, to other value-adding services such as help with standardisation documents and certification, testing and experimentation facilities, European Digital Innovation Hubs and centres of excellence.”

In practice: SMEs and start-ups entering AI regulatory sandboxes should proactively seek referrals to European Digital Innovation Hubs and testing and experimentation facilities for technical and regulatory support, reducing compliance costs and accelerating time-to-market.

Art. 58(4). When national competent authorities authorise real-world condition testing within an AI regulatory sandbox, they must agree specific terms and safeguards with participants to protect fundamental rights, health, and safety, and cooperate with other national authorities to ensure consistent practices across the EU.

chevron_rightSource text

Source text: “Where national competent authorities consider authorising testing in real world conditions supervised within the framework of an AI regulatory sandbox to be established under this Article, they shall specifically agree the terms and conditions of such testing and, in particular, the appropriate safeguards with the participants, with a view to protecting fundamental rights, health and safety. Where appropriate, they shall cooperate with other national competent authorities with a view to ensuring consistent practices across the Union.”

In practice: Organisations seeking to conduct real-world testing within an AI regulatory sandbox should negotiate and document specific safeguards for fundamental rights, health, and safety with the national competent authority before testing begins, and anticipate cross-border coordination requirements.


Article 59 - Further processing of personal data for developing certain AI systems in the public interest in the AI regulatory sandbox

Art. 59(2). For law enforcement purposes including prevention, investigation, detection or prosecution of criminal offences, personal data processing in AI regulatory sandboxes must be based on a specific Union or national law and must satisfy the same cumulative conditions as set out in paragraph 1.

chevron_rightSource text

Source text: “For the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including safeguarding against and preventing threats to public security, under the control and responsibility of law enforcement authorities, the processing of personal data in AI regulatory sandboxes shall be based on a specific Union or national law and subject to the same cumulative conditions as referred to in paragraph 1.”

In practice: Ensure that any sandbox processing of personal data for law enforcement AI development is grounded in a specific statutory legal basis (Union or national law), and apply all conditions from paragraph 1 cumulatively, including necessity assessment, monitoring mechanisms, and risk response procedures.


Article 74 - Market surveillance and control of AI systems in the Union market

Art. 74(6). For high-risk AI systems used by regulated financial institutions, the national authority responsible for financial supervision under Union financial services law acts as the market surveillance authority under the AI Act, provided the AI system's use is directly connected to the provision of financial services.

chevron_rightSource text

Source text: “For high-risk AI systems placed on the market, put into service, or used by financial institutions regulated by Union financial services law, the market surveillance authority for the purposes of this Regulation shall be the relevant national authority responsible for the financial supervision of those institutions under that legislation in so far as the placing on the market, putting into service, or the use of the AI system is in direct connection with the provision of those financial services.”

In practice: Financial institutions deploying high-risk AI systems should identify their relevant national financial supervisory authority (e.g., banking or insurance regulator) as their primary AI Act market surveillance contact, and ensure AI governance frameworks align with both AI Act and sectoral financial regulation requirements.


Related

This page covers the AI Act obligations of an oversight/governance role. If you build or supply AI systems, see the actor pages for providers and deployers — where the AI Act's requirements map onto the GDPR control modules RuleMesh delivers.


Frequently asked questions

Who is a national competent authority under the EU AI Act?

A national competent authority under the AI Act is either a notifying authority (responsible for the assessment, designation and monitoring of conformity assessment bodies) or a market surveillance authority (responsible for ensuring AI systems on the market comply with the Regulation). For AI systems used by EU institutions, agencies, offices and bodies, the European Data Protection Supervisor fulfils this role. The concept aligns with the broader EU framework of Member State-designated authorities responsible for product safety, market surveillance and sector-specific supervision. (Source: AI Act definitions, CELEX 32024R1689.)

How many obligations does the AI Act place on national competent authorities?

The RuleMesh knowledge graph identifies 22 obligation paragraphs addressed to the National Competent Authority role, across Articles 5, 21, 36, 46, 55, 57, 58, 59, 74.

When do AI Act national competent authorities obligations apply?

Most obligations relating to high-risk AI systems apply from 2 August 2026. Obligations for providers of general-purpose AI models and the AI Act's governance framework apply from 2 August 2025, and the Article 5 prohibitions applied from 2 February 2025.



Source data: RuleMesh knowledge graph — Fuseki legalrules dataset, CELEX 32024R1689 (EU AI Act), with cross-references resolved into CELEX 32016R0679 (GDPR). This page is education and reference only — it is not legal advice. RuleMesh's product offer is GDPR control modules in Jira.