EU AI Act Article 22: When Non-EU AI Providers Must Appoint an Authorised Representative
Any AI provider established outside the EU that places high-risk AI systems on the European market must appoint an EU-based authorised representative under Article 22 of the AI Act. This article explains who qualifies, what the mandate covers, and how to avoid the enforcement traps that catch most non-EU providers off guard.
If your company is headquartered outside the European Union and you supply AI systems to European customers, Article 22 of Regulation (EU) 2024/1689 — the EU AI Act — creates a direct compliance obligation you cannot delegate away: you must appoint an authorised representative established in the EU. Missing this requirement exposes you to fines and, more practically, to market access being blocked.
Who Must Appoint an Authorised Representative
Article 22(1) is precise. The obligation applies when all three of the following conditions are met:
- The provider is established outside the EU (no registered office, no subsidiary with decision-making power over the AI system in any Member State).
- The AI system is a high-risk system under Annex III or a system covered by Union harmonisation legislation listed in Annex I.
- The system is placed on the Union market or put into service in the EU — meaning it is made available to users (deployers or end users) established or located in the EU, regardless of where the contract is signed or where servers are hosted.
Pure GPAI (general-purpose AI) model providers without direct market placement may be partially outside this specific obligation, but they carry separate obligations under Articles 53–55; Article 22 is the applicable rule for high-risk system providers.
One frequent misunderstanding: a non-EU provider with a European reseller that merely distributes without modifying the system is not automatically exempted from this obligation. The reseller is an importer (see below), not a substitute for an authorised representative.
What an Authorised Representative Actually Does
The authorised representative is not a figurehead. Article 22(2) creates a genuine legal mandate with enforceable responsibilities:
Obligations of the Authorised Representative
- Point of contact for authorities: National market surveillance authorities (MSAs) and the European AI Office address queries, requests for documentation, and enforcement notices to the authorised representative, not directly to the non-EU provider.
- Maintaining and providing documentation: The representative must hold or have immediate access to the EU declaration of conformity (Article 47) and the technical documentation required under Article 11 and Annex IV. Authorities can request these at any time; the representative must be able to produce them without delay.
- Cooperating with investigations: If a market surveillance authority opens a procedure — incident investigation, post-market monitoring review, or a conformity check — the authorised representative must cooperate and ensure the provider cooperates.
- Notifying serious incidents: Under Article 73, the representative is the channel through which non-EU providers report serious incidents to the relevant national authority.
- Carrying out the mandate in the provider's name: All actions taken within the mandate's scope bind the provider as if the provider had acted directly.
The authorised representative must be given written mandate by the provider before the system is placed on the market. The mandate should specify the scope (which systems it covers), the representative's powers, and the contact information to be included in product documentation.
What the Representative Does NOT Do
The authorised representative is not responsible for the technical design or training of the system. Liability for defective AI systems under the AI Liability Directive and national product liability frameworks stays primarily with the provider. The representative's liability is procedural: failure to maintain documentation, failure to notify, failure to cooperate.
Authorised Representative vs. Importer: Key Differences
These two roles are commonly confused and the distinction matters for compliance structuring.
| Dimension | Authorised Representative (Art. 22) | Importer (Art. 23) |
|---|---|---|
| Who appoints them | The non-EU provider | Acts independently (buys and resells) |
| Legal basis | Contractual mandate | Own economic activity |
| Primary obligations | Documentation, authority liaison, incident reporting | Verify conformity before placing on market, labelling, keep logs |
| Can replace the other? | No | No — both roles may coexist |
| Must be EU-established? | Yes | Yes |
If your European distributor is buying your AI product and reselling it under their own commercial identity, they are an importer. They do not substitute for the authorised representative you are still required to appoint under Article 22.
In some structures, the same EU entity can act as both importer and authorised representative — this is legally permissible provided the mandate is explicit and the entity is genuinely capable of meeting both sets of obligations.
How to Select and Mandate an Authorised Representative
Selection Criteria
- EU establishment: The representative must have a registered office or place of business in a Member State. A virtual office or mailbox address is unlikely to satisfy regulators.
- Technical competence: The representative needs to understand the system well enough to respond to technical queries from MSAs. A legal firm with no AI expertise is a compliance risk.
- Operational availability: MSAs can contact the representative at any working hour. Ensure response capacity is built into the service agreement.
- Independence from conflicts of interest: If the representative also acts as a notified body for your conformity assessment, independence rules apply.
Mandatory Elements of the Mandate
The written mandate must include at minimum:
- Identification of the provider (name, address, country)
- Identification of the representative (name, EU address, registration number)
- List of AI systems covered (with references to model versions or product identifiers)
- Scope of authority (which obligations the representative is empowered to fulfil)
- Duration and termination conditions
- An obligation on the provider to keep the representative informed of any changes to the system that may affect conformity
The representative's contact details must appear in the technical documentation and, where applicable, on the product labelling or user documentation (Article 49(1)(b)).
Risks of Non-Compliance
Failing to appoint an authorised representative when required is not a technicality. Under Article 99(4), it constitutes a non-compliance with the obligations of providers, subject to administrative fines of up to €15 million or 3% of total worldwide annual turnover, whichever is higher.
Beyond fines:
- National MSAs can prohibit or restrict the system's availability on the EU market (Article 79).
- The absence of an authorised representative can invalidate the CE marking process since the representative's details are required on the declaration of conformity.
- Enterprise customers subject to their own AI Act obligations (deployers under Article 26) will increasingly demand proof of a valid authorised representative as part of procurement due diligence.
Practical FAQ
Our EU subsidiary uses our AI system internally — do we need an authorised representative? If the EU subsidiary is the deployer and you (the non-EU parent) are the provider placing the system at their disposal, yes — if the system is high-risk. The subsidiary's internal use does not change the provider's obligation.
Can the authorised representative be the same person/entity as the notified body? No. Article 33(10) prohibits notified bodies from acting as authorised representatives of providers whose systems they assess, to preserve assessment independence.
We only have one EU customer. Does the threshold change? No. Article 22 applies regardless of market volume. One customer is sufficient to trigger the obligation.
Does an authorised representative protect us from enforcement actions in every Member State? The representative is the contact point, but enforcement jurisdiction follows the market surveillance rules of each Member State. The representative's role is procedural; it does not create a single-jurisdiction safe harbour.
DILAIG's compliance platform includes a structured mandate template and a pre-screened network of qualified EU authorised representatives. If you are a non-EU provider preparing for market entry, contact DILAIG to configure your Article 22 obligations in under 48 hours.