EU AI Act for Importers and Distributors: The Overlooked Obligations (Articles 23-24)
While EU AI Act compliance discussions focus on providers and deployers, importers and distributors carry their own binding obligations under Articles 23 and 24. Learn the precise definitions, the verification duties, and the critical rule that can transform a distributor into a provider overnight.
The EU AI Act compliance conversation has largely focused on two roles: providers who develop and place AI systems on the market, and deployers who integrate them into products or processes. A third and fourth category — importers and distributors — appear in far fewer compliance programs, despite carrying legally binding obligations under Articles 23 and 24. For companies distributing AI systems developed outside the EU, or reselling third-party AI products within the EU, these obligations are not optional and not delegable.
Definitions: Who Is an Importer and Who Is a Distributor?
Before assigning obligations, you need to know which role applies to you. The regulation provides precise definitions in Article 3.
Importer (Article 3(26)): "any natural or legal person established in the Union who places on the market a high-risk AI system that bears the name or trademark of a natural or legal person established outside the Union."
Three elements are required simultaneously: you must be established in the EU, you must be placing the system on the market (i.e., making it available for the first time in the EU), and the system must bear the name or trademark of a non-EU entity. A European subsidiary that brings its US parent's AI product into the EU for sale is an importer. An EU company that white-labels a non-EU AI tool under its own brand is a provider, not an importer — because the product bears its own name.
Distributor (Article 3(27)): "any natural or legal person in the supply chain, other than the provider or the importer, that makes a high-risk AI system available on the Union market."
A distributor is any entity that moves the system further down the supply chain after it has first been placed on the market. Resellers, value-added resellers (VARs), marketplace operators, and system integrators who bundle third-party AI components typically fall into this category. The critical qualifier is "other than the provider or the importer" — these roles are mutually exclusive at any given point in the supply chain.
Importer Obligations (Article 23)
Article 23 assigns importers a set of verification and due diligence duties that go well beyond simple pass-through. Before placing a high-risk AI system on the EU market, an importer must:
1. Verify Conformity Assessment Completion (Art. 23(1)(a))
The importer must verify that the provider has carried out the relevant conformity assessment procedure under Article 43. This means checking whether the system falls into a category requiring third-party assessment by a notified body (primarily Annex III, point 1 — biometric identification systems) or whether self-assessment under Annex VI is sufficient. It is not sufficient to take the provider's word for it — the importer needs to review and retain evidence of the completed assessment.
2. Verify Technical Documentation and Instructions (Art. 23(1)(b))
The importer must verify that the provider has drawn up the required technical documentation (Annex IV) and the instructions for use (Article 13). The importer is not required to reproduce or approve this documentation — but they must confirm it exists, is complete, and covers the intended use for which the importer is placing the system on the market.
3. Verify EU Declaration of Conformity and CE Marking (Art. 23(1)(c))
The EU Declaration of Conformity (Article 47) must have been drawn up and the CE marking affixed. Importers must verify both.
4. Verify the Authorized Representative (Art. 23(1)(d))
If the provider is not established in the EU, they must designate an EU-authorized representative under Article 22. The importer must verify this designation is in place before proceeding.
5. Storage and Contact Obligations (Art. 23(2) and (3))
Importers must:
- Keep a copy of the EU Declaration of Conformity for 10 years after placing the system on the market
- Ensure the technical documentation can be made available to competent authorities upon request
- Provide their name, registered trade name, and address on the system, its packaging, or accompanying documentation
- Pass on contact details to the market surveillance authority if needed
6. Corrective Action and Withdrawal (Art. 23(4) and (5))
If an importer has reason to believe that a high-risk AI system is not in conformity, they must not place it on the market. If a non-conformity is identified after placement, the importer must inform the provider and take corrective action, including withdrawal or recall if necessary. The importer must also immediately notify the competent national authorities if the system presents a risk.
Distributor Obligations (Article 24)
Distributors bear a lighter but still substantive set of obligations. Before making a high-risk AI system available on the market, a distributor must:
1. Verify CE Marking and Declaration of Conformity (Art. 24(1)(a))
The distributor must verify that the CE marking is affixed and that the EU Declaration of Conformity accompanies the system. This is a documentary check, not a technical assessment.
2. Verify Instructions for Use (Art. 24(1)(b))
The distributor must verify that the instructions for use are present and, crucially, available in a language that can be understood by deployers in the Member States where the system is made available. This is a practical compliance point that is frequently overlooked: if you are distributing an AI system in France and the instructions are only in English, Article 24 creates a compliance issue.
3. Verify Registration in the EU Database (Art. 24(1)(c))
High-risk AI systems must be registered in the EU database under Article 71. Distributors must verify this registration exists before making the system available.
4. Non-Conformity Reporting and Corrective Action (Art. 24(2) and (3))
If a distributor has reason to believe that a high-risk AI system is not in conformity with the requirements, they must not make it available until it is brought into conformity. If a non-conformity is identified after distribution, the distributor must:
- Inform the provider or importer
- Cooperate with corrective actions including withdrawal or recall
- Notify competent national authorities if there is a risk
The Critical Rule: When Does a Distributor Become a Provider?
Article 25 sets out the circumstances under which a distributor (or importer, or any other third party) assumes the obligations of a provider. This is the rule that most companies in distribution roles fail to account for.
A distributor becomes a provider when they:
| Trigger | Legal basis |
|---|---|
| Place the system on the market or put it into service under their own name or trademark | Art. 25(1)(a) |
| Make a substantial modification to a high-risk AI system already placed on the market | Art. 25(1)(b) |
| Modify the intended purpose such that the system falls into the high-risk category | Art. 25(1)(c) |
Substantial modification is defined in Article 3(23) as a change that affects compliance with the essential requirements or results in a change to the intended purpose. Practically, this covers:
- Retraining or fine-tuning the model on new data
- Changing the input or output interfaces in ways that affect system behavior
- Integrating the system with other components that alter its risk profile
- Deploying the system for a use-case materially different from the one validated in the conformity assessment
A distributor who customizes a third-party AI tool for a client — adding domain-specific training data, adjusting decision thresholds, or re-labeling it as their own product — almost certainly triggers Article 25. At that point, all provider obligations under Articles 8-15 apply, including the requirement to carry out a new or updated conformity assessment.
Comparative Overview: Roles and Obligations
| Obligation | Provider | Importer | Distributor |
|---|---|---|---|
| Conformity assessment | Full (Art. 43) | Verify only | Verify CE mark |
| Technical documentation | Produce (Annex IV) | Verify + retain | N/A |
| EU Declaration of Conformity | Produce (Art. 47) | Verify + copy 10y | Verify |
| CE Marking | Affix | Verify | Verify |
| Instructions for use | Produce (Art. 13) | Verify | Verify (language) |
| EU Database registration | Register (Art. 71) | Verify | Verify |
| Authorized representative | Designate if non-EU | Verify | N/A |
| Corrective action / withdrawal | Full | Yes | Yes |
| Post-market monitoring | Full (Art. 72) | N/A | N/A |
| Incident reporting | Full (Art. 73) | N/A | Inform provider |
Practical Takeaways
Map your supply chain role explicitly. Do not assume you are "just a reseller." The definitions are precise; apply them to your specific contractual and operational position.
Build a compliance checklist into your procurement process. Before importing or distributing a high-risk AI system, run the Article 23/24 verification checklist. Document every check and retain the evidence.
Review your customization contracts. Any contractual commitment to modify, fine-tune, or adapt a third-party AI system should be assessed against the Article 25 substantial modification test before execution.
Ensure language compliance. Distributing in multiple Member States means verifying that instructions for use exist in each relevant national language. This is a distributor obligation, not the provider's responsibility once the system is in the distributor's hands.
DILAIG's compliance platform maps your specific role in the AI supply chain and generates the verification checklists, documentation templates, and Article 25 substantial modification assessment tools relevant to your position as importer or distributor. Start your role assessment at dilaig.com.