Article 22: The EU Authorised Representative Non-EU Providers Have to Appoint

Most EU AI Act obligations describe something you have to do — write a document, run a test, set up a process. Article 22 describes someone you have to hire. If your company is based outside the EU and you place a high-risk AI system on the EU market, you must appoint an authorised representative inside the EU before the system goes on sale. You also have to give that representative real legal authority over your compliance.

This is the one obligation you cannot satisfy with engineering or paperwork. It requires another organisation to agree to stand in for you, and to take on duties it will only accept if it believes you are actually compliant.

Does this apply to you?

Article 22 is narrow. It applies if both of these are true:

You are a provider: you build the AI system, or you have it built and put it on the market under your own name or brand. The trap here is the word system. If you wrap someone else’s model — the OpenAI or Claude API — inside your own high-risk product and ship it under your brand, you have built an AI system, and you are its provider. The model vendor is not. You are only a deployer if you take someone else’s finished AI system and use it as-is, and then this article is not your obligation. Teams that assume the API vendor carries this fall straight into the provider trap.

You are established outside the EU: the Act calls this being established in a third country. An EU-based provider does not need an authorised representative, because it is already inside the EU’s reach.

And the system has to be high-risk. If your product is a high-risk system under Annex III, Article 22 is in play. That list covers recruitment screening, credit scoring, biometric identification, and more. A limited-risk chatbot covered only by Article 50 transparency does not trigger it.

Take Recruiton, a fictional Toronto company that sells an AI tool ranking job candidates for employers. CV screening for recruitment is high-risk, and Recruiton built the tool, so Recruiton is a provider of a high-risk system. Before that tool reaches a single EU employer, Recruiton has to appoint an authorised representative in the EU. Compare that to Meridian, a German logistics firm that buys Recruiton’s tool and uses it on its own hiring. Meridian is a deployer, already established in the EU. It appoints no one. The duty to appoint a representative falls on Recruiton, the provider, while Meridian carries its own separate deployer obligations.

One nuance worth checking with a lawyer: if your non-EU company has a genuine EU establishment that is the entity placing the system on the market, you may be treated as an EU provider and fall outside Article 22. A sales office is not automatically an establishment for this purpose. Don’t assume. Confirm it.

What the representative actually does

The appointment has to be made “by written mandate”, and the mandate has to give the representative the power to carry out a specific set of tasks. In plain English:

Check your paperwork exists. The representative has to verify that your EU declaration of conformity and your technical documentation have been drawn up and that the right conformity assessment was done. They are confirming the file exists and is in order. They are not signing off on the engineering.

Hold the file for ten years. They keep your declaration of conformity, technical documentation, and any notified-body certificate available for authorities for ten years after the system is placed on the market. That is a long retention obligation sitting with a party that is not you.

Answer the regulator. On a reasoned request, they hand a national authority the information needed to show the system is compliant, including access to logs that are under your control.

Cooperate on corrective action. If an authority moves to reduce or mitigate a risk from the system, the representative has to work with them on it.

Handle registration. Where the system needs to be registered in the EU database, the representative either does it or checks that your own registration details are correct.

A key sentence in Article 22(3) empowers the representative “to be addressed, in addition to or instead of the provider, by the competent authorities, on all issues related to ensuring compliance with this Regulation.” That is the point of the whole exercise. The EU now has a party it can reach, serve, and hold to account on its own soil, even though your company, your servers, and your staff are an ocean away.

The part most people miss: the representative can end the mandate

Article 22(4) is short and has teeth. The representative “shall terminate the mandate if it considers or has reason to consider the provider to be acting contrary to its obligations” under the Act. And on termination, it must “immediately inform the relevant market surveillance authority” about the termination and the reasons for it. Where a notified body is involved, it has to tell them too.

Read that carefully. Your EU representative is not a passive forwarding address. If they come to believe you are non-compliant, they are legally obliged to resign and to tell the regulator why. A resigning representative is a flare sent up over your product, and it leaves you without the EU presence the Act requires you to have.

This is why a credible representative will do diligence before signing, and why you cannot leave the appointment to the week before launch. They are agreeing to put their name on your compliance. If your declaration of conformity is thin or your technical file has gaps, a serious representative will either decline the mandate or accept it and then have grounds to walk. Either way, the representative is a check on whether you have actually done the work.

It is not your GDPR representative

If you sell into the EU, you may already have an EU representative under GDPR Article 27. It is tempting to assume that person covers this too. They do not, automatically.

The two roles are separate. The GDPR representative deals with data protection: handling subject requests, liaising with data protection authorities. The Article 22 representative deals with AI Act conformity — technical documentation, declarations of conformity, conformity assessment, market surveillance. The same firm can hold both mandates, but only if it has the competence for the AI Act side. Many privacy-focused representatives do not. If you reuse your GDPR provider, get the AI Act tasks written explicitly into a separate mandate, and confirm they can actually perform them. (For more on where the two regimes meet and diverge, see GDPR and the AI Act.)

If you only provide a general-purpose AI model

There is a parallel obligation for model providers. If you are based outside the EU and place a general-purpose AI model on the EU market, Article 54 requires you to appoint an authorised representative too, by written mandate, before the model goes on the market. This is the layer that sits underneath a lot of GPT-wrapper products. The tasks mirror Article 22, but the representative answers to the EU’s AI Office rather than to national market surveillance authorities.

Article 54 has a carve-out that Article 22 does not. The model-provider obligation does not apply where the model is released under a genuine free and open-source licence, with weights, architecture, and usage information made public. That carve-out falls away if the model presents systemic risk. If you ship a high-risk system, though, there is no equivalent open-source escape hatch in Article 22. Releasing your code openly does not remove the representative requirement for the system.

When you need it in place

The wording is “prior to” making the system available. The representative has to exist before the product reaches the EU market, rather than as a clean-up step once it is already on sale.

The timing matters because the underlying high-risk deadline has moved. Under the agreed AI Act Omnibus, obligations for Annex III high-risk systems now apply from 2 December 2027 rather than 2 August 2026. That date is still pending formal adoption and publication in the Official Journal, so treat it as the working baseline, not a settled fact. The extra time is real, but it does not change the sequence: the representative goes in before the system, not after.

Appointing one is a recurring cost rather than a one-off. Specialist firms offer EU representative services on an annual retainer, typically in the low thousands of euros a year and broadly comparable to a GDPR representative. You also pay for their time when an authority actually comes knocking. Budget for it as an ongoing line item for as long as the system is on the EU market.

What to do now

If you are a non-EU company building AI:

1. Confirm your role and risk tier. Are you a provider, and is the system high-risk under Annex III? If yes to both, Article 22 applies. If you provide a general-purpose model instead, check Article 54.

2. Start the search early. A representative will want to see your declaration of conformity and technical file before signing. Begin the conversation while you still have time to fix what they flag. Don’t leave it to the week of launch.

3. Write a proper mandate. The appointment must be in writing and must give the representative the Article 22(3) tasks. If you are reusing a GDPR representative, put the AI Act duties in their own mandate and confirm they can perform them.

4. Name them in the declaration of conformity. The representative’s details belong in your EU declaration of conformity. Leaving them out is a visible gap.

5. Keep the relationship live. The representative holds your file for ten years and can resign if they think you have drifted out of compliance. Keep them current on changes to the system, so the day a regulator calls, they can answer instead of walk.

The authorised representative is the rare AI Act requirement you cannot complete alone. Someone inside the EU has to agree to carry your compliance, and they will only agree if the work behind it holds up. That makes Article 22 less a piece of admin and more an external audit you are required to pass before you sell.