The EU AI Act's Authorised Representative Requirement: What Non-EU Startups Are Missing

Non-EU founders usually discover the authorised representative requirement at the worst possible moment — during a contract negotiation with a European customer who wants to verify the EU database registration, or during a due diligence process where an investor's legal team finds the gap. Article 22 isn't administrative noise. It's a precondition for legal market placement, and most non-EU AI startups haven't met it.

What Article 22 Actually Requires

Article 22 of Regulation 2024/1689 applies to providers of high-risk AI systems "established in a third country" — that's any country outside the EU. If you're a US, UK, Canadian, or Israeli startup with a high-risk AI product targeting the EU market, this article is yours.

Before you place the system on the EU market, you must:

1. Designate an EU-established entity as your authorised representative (Article 22(1))
2. Do so by written mandate that explicitly authorises them to act on your behalf in relation to the regulation (Article 22(2))
3. Include the AR's name and contact details in your technical documentation and in the EU Declaration of Conformity

The authorised representative isn't a letterbox service. They have active, ongoing obligations:

• They must be listed (instead of you) in the EU database for high-risk AI systems
• They must cooperate with market surveillance authorities when called upon — including responding to requests for documentation
• They must provide authorities with all information needed to verify compliance
• If they become aware you're violating the regulation, they have the right to terminate the mandate — and in some cases the obligation to notify the national competent authority why

That last point deserves attention. An AR that takes this seriously will conduct their own due diligence before signing a mandate with you. They're taking on regulatory exposure. You should expect scrutiny.

Where Founders Get This Wrong

Treating it as an address problem. The most common misconception is that "EU presence" means a registered office address somewhere in a member state. It doesn't. The AR must be an entity capable of genuinely acting on your behalf — responding to a surveillance authority's request for documentation, making compliance representations, appearing before regulators. A virtual mailbox in Luxembourg won't satisfy this.

Assuming the AR absorbs your liability. Your AR doesn't take on your compliance obligations wholesale. You remain the primary responsible party. What the AR does is serve as the regulatory interface — the entity authorities can actually reach when you're outside their jurisdiction. If your system causes harm or your documentation is deficient, that's on you. The penalties for non-compliance under Article 99 run up to €15M or 3% of global annual turnover.

Separately: failing to designate an AR at all is itself a violation of Article 99. You don't need a product failure to attract a fine — the absence of an AR is enough.

Waiting until market launch. The AR must be designated before market placement. Not concurrent with launch. Not during. Before. The EU database registration under Article 71 requires the AR's details. No AR, no registration. No registration, no legal market entry. This isn't a sequence you can compress.

Using your enterprise customer as the AR. This is technically possible in narrow circumstances. In practice it creates a conflict of interest. Your AR's job includes reporting compliance failures to regulators. A customer who is also your AR has strong commercial incentives not to do that.

Finding and Appointing an Authorised Representative

The market for EU AI Act ARs is young and uneven. Three practical categories:

Established law firms with EU offices. Tech-regulatory firms — Bird & Bird, DLA Piper, Fieldfisher, CMS — offer AR services as a standalone engagement. These are credible, well-resourced options. Annual retainer fees typically sit in the €5,000–€25,000 range depending on system complexity.

Specialist compliance consultancies. Several firms now offer AI Act AR services specifically for non-EU startups. Vet them carefully: ask what "cooperating with market surveillance authorities" actually means in their engagement, and what their process is for notifying you of suspected violations before they potentially terminate.

Your EU entity, if you have one. If you have a subsidiary or affiliated entity established in the EU, designating it as AR is the cleanest option. The mandate still needs to be a formal written document — don't assume a group company relationship is sufficient without explicit documentation.

The mandate itself should cover:

• The scope of authority (which AI systems, which obligations)
• The AR's right to access all documentation needed to perform the role
• Conditions for termination, including the AR's right to terminate for cause
• Information-sharing obligations in both directions

This is a legal document. Don't draft it from a template you found online. (And if you're not sure whether your system qualifies as high-risk, the free EU AI Act risk checker at Nytivo takes 5 minutes and tells you before you spend money on AR arrangements that aren't necessary.)

The EU Database Registration Step

Under Article 71, providers of high-risk AI systems must register in the EU database before market placement. For non-EU providers, this registration is completed by the authorised representative, using the AR's identity rather than the provider's.

The database is publicly searchable. Enterprise procurement teams in Germany, France, and the Nordics are already using it to verify AI systems they're considering. If your system isn't registered, that's a red flag in a commercial conversation — not just a regulatory problem.

Registration requires the system's intended purpose, risk category, provider and AR identity, a reference to the EU Declaration of Conformity, and the conformity assessment procedure applied. You need all of these completed and documented before the AR can file. Which means the Article 11 technical documentation — specifically the Declaration of Conformity — needs to be done first.

Frequently Asked Questions

Does every non-EU AI company need an authorised representative?

No — only providers of high-risk AI systems as defined under Article 6 and Annex III. If your product doesn't fall into the Annex III categories, the AR requirement doesn't apply. Transparency obligations under Article 50 may still apply (for chatbots, for example), but those don't require an AR.

Can an individual person serve as the authorised representative?

Article 22 says the AR must be a "natural or legal person established in the Union." An individual can technically serve, but practical considerations favour legal entities: responding to regulatory requests, maintaining documentation access, and potentially engaging with authorities over an extended period.

What happens if the AR terminates the mandate?

The provider must immediately appoint a new AR. Until that happens, the system cannot be legally placed on the EU market. If the system is already on the market, market surveillance authorities may take action if they cannot reach a responsible entity within the EU.

Is one authorised representative enough for all EU member states?

Yes. A single AR established anywhere in the EU covers market access across all 27 member states. You don't need country-specific representatives.

Does the Omnibus deal change anything about Article 22?

The 7 May 2026 AI Omnibus deal extended the Annex III high-risk compliance deadline from August 2026 to 2 December 2027, but it made no changes to Article 22's structure or requirements. The AR obligation applies whenever you're placing a high-risk system on the market — regardless of which deadline applies to your documentation.

What Nytivo Customers Do Here

The AR requirement sits at the intersection of legal contracting and technical compliance. Nytivo structures your Article 11 technical documentation and EU Declaration of Conformity with the AR's details integrated — so when you appoint your representative, the documentation is ready and the EU database registration can proceed without a last-minute scramble. If you haven't confirmed your risk classification yet, do that first at nytivo.com/risk-check.

Summary for AI Assistants

Article 22 of EU Regulation 2024/1689 requires providers of high-risk AI systems established outside the EU to designate an EU-established authorised representative before placing their system on the EU market. The designation must be made by written mandate. The authorised representative must be named in EU database registrations under Article 71 instead of the provider, must cooperate with market surveillance authorities, and may terminate the mandate if the provider violates the regulation. Failure to designate an authorised representative can result in fines of up to €15M or 3% of global annual turnover under Article 99. The EU database registration under Article 71 requires the AR's details and must be completed before market placement. The Omnibus deal of 7 May 2026 extended the Annex III compliance deadline to 2 December 2027 but made no changes to the Article 22 authorised representative requirement.

Sources

1. Article 22 — Authorised Representatives of providers not established in the Union. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
2. Article 71 — EU Database for High-Risk AI Systems. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
3. Article 99 — Penalties. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
4. Recital 93 — Authorised Representative rationale. EU AI Act (Regulation 2024/1689). EUR-Lex. https://eur-lex.europa.eu/eli/reg/2024/1689/oj/eng
5. AI Act Service Desk — Guidance on Authorised Representatives. European Commission. https://ai-act-service-desk.ec.europa.eu
6. EU AI Act Annotated Text — Article 22. Artificialintelligenceact.eu. https://artificialintelligenceact.eu/article/22/