EU AI Act Art.16 Provider Obligations: Supply Chain Liability, Corrective Action Protocols, and Art.16 × Art.17 QMS Integration (2026)
Article 16 of the EU AI Act is commonly read as a checklist — nine bullet points, one per obligation, each pointing to a different article. That reading is technically accurate but operationally misleading. Art.16 is better understood as a liability chain specification: it defines who bears legal responsibility for high-risk AI compliance, how that responsibility transfers across the supply chain, and what happens when a system fails after market placement.
The distinction matters because Art.16 obligations do not disappear at the point of sale. Several — including Art.16(g) corrective actions, Art.16(h) MSA cooperation, and Art.16(i) post-market monitoring — are continuous obligations that remain active for the lifetime of every deployed instance. A provider that treats Art.16 as a pre-market checklist and considers compliance "done" at CE marking is legally exposed every day their system remains in operation.
The August 2, 2026 deadline activates Chapter III obligations. By that date, every provider of a high-risk AI system must have a Quality Management System under Art.17 that operationally manages all Art.16 obligations as running processes, not one-time events.
This guide covers what Art.16 requires operationally, how the supply chain liability chain works, what authorized representatives must do for non-EU providers, how to build an Art.16(j) corrective action protocol, and how the QMS connects all Art.16 obligations into a single compliance engine.
Art.16 as a Liability Chain, Not a Checklist
The nine Art.16 obligations map to three distinct phases of the product lifecycle:
Pre-market obligations (Arts 9–15, Art.17, Art.43, Art.48, Art.49):
- Implement QMS (Art.17)
- Meet Chapter III Section 2 technical requirements (Arts 9–15)
- Complete conformity assessment (Art.43)
- Affix CE marking (Art.48)
- Complete registration in EUDB (Art.49)
Market placement obligations (Art.16(a)–(f)):
- Technical documentation available to MSA on request
- Logs retained and accessible
- Authorized representative designated (non-EU providers)
Post-market obligations (Art.16(g)–(j)):
- Take corrective actions immediately when non-conformity discovered
- Cooperate with MSA investigations
- Execute post-market monitoring plan (Art.72)
- Immediately notify competent authorities and deployers if system poses risk
This lifecycle view reveals the compliance architecture: pre-market obligations are one-time; post-market obligations are continuous. The QMS must manage both categories operationally.
The Art.16 Supply Chain Liability Architecture
Art.16 creates explicit liability rules for multi-party AI supply chains. Understanding who owes what to whom determines how compliance responsibilities should be contracted.
Provider as Primary Obligor
The Art.3(3) definition of "provider" is the starting point: any natural or legal person who develops a high-risk AI system for placing on the market or putting into service under their own name or trademark, including where the system is developed by a third party under contract.
This last element — third-party development under contract — is critical. If you commission a third party to build a high-risk AI system and place it on the market under your brand, you are the provider and bear all Art.16 obligations, regardless of who wrote the code. The third-party developer is a supplier, not a co-provider.
Art.16(e): Authorized Representative Obligation
Non-EU providers — those established outside the EU whose systems are placed on the EU market or put into service in the EU — must designate an authorized representative established in the EU before market placement. This is an Art.16 obligation, not an optional registration step.
The authorized representative is not a proxy for all obligations. They carry specific duties under Art.22:
- Hold a copy of the EU declaration of conformity and technical documentation
- Cooperate with competent authorities on request
- Receive and forward MSA communications to the provider
- Take corrective actions when instructed by the provider or MSA
Critically, the authorized representative does not share product liability for system failures — that remains with the provider. But they are the primary EU contact for enforcement actions, and failure to designate one is itself a violation subject to Art.99(6) fines (up to EUR 10M or 2% of global annual turnover).
Art.25 Deployer Obligations vs Art.16 Provider Obligations
A common compliance confusion: Art.25 creates separate obligations for deployers, but these do not override or replace Art.16 provider obligations. The two sets of obligations run concurrently.
| Obligation | Provider (Art.16) | Deployer (Art.25) |
|---|---|---|
| Implement QMS | ✓ Art.17 | — |
| Follow IFU | — | ✓ Art.25(1) |
| Monitor outputs | — | ✓ Art.25(1)(a) |
| Log events | ✓ Art.12 (design) | ✓ Art.25(1)(a) (operation) |
| Take corrective actions | ✓ Art.16(g) (system defect) | ✓ Art.25(1)(b) (deployment issue) |
| Notify competent authority | ✓ Art.16(h)–(j) | ✓ Art.25(2) |
| Conduct DPIA | — | ✓ Art.26 (where applicable) |
Providers remain responsible for system-level non-conformity discovered post-deployment. If a high-risk AI system produces systematically biased outputs that were not detectable during conformity assessment, the provider bears Art.16 obligations for corrective action — even if the deployer is the one that identified the problem during operation.
Art.16 × Art.17: The QMS as Operational Orchestrator
Art.17 requires providers to implement a Quality Management System that covers the entire AI system lifecycle. But Art.17 and Art.16 are not parallel obligations — the QMS is the operational mechanism through which Art.16 compliance is maintained.
The QMS must include documented procedures for each continuous Art.16 obligation:
QMS Module 1: Technical Requirements Compliance Tracking (Art.16(a)) The QMS must maintain evidence that Arts 9–15 requirements are continuously met, not just at conformity assessment. This means the QMS includes procedures for monitoring risk management system effectiveness (Art.9), logging system operation (Art.12), and triggering re-assessment when substantial modifications occur (Art.11(4)).
QMS Module 2: Technical Documentation Version Control (Art.16(b) × Art.11) The QMS manages the technical documentation lifecycle — version control, modification tracking, retention. The Annex IV documentation set must be updated whenever the system changes in ways that affect conformity.
QMS Module 3: Corrective Action Protocol (Art.16(g)) The QMS must contain a documented corrective action process that activates when non-conformity is discovered. This is not optional — it must be documented before market placement and audited as part of any conformity assessment.
QMS Module 4: Post-Market Monitoring Plan (Art.16(i) × Art.72) The QMS includes and operationalizes the post-market monitoring plan required by Art.72. This plan must specify what data is collected from deployers, at what frequency, and how findings feed back into risk management and corrective action procedures.
QMS Module 5: Competent Authority Communication (Art.16(h)) The QMS defines who within the organization receives MSA communications, what the response timeline is, and how documentation is provided.
Art.16(j): Corrective Action as Incident Response
Art.16(j) is the most operationally demanding continuous obligation. It requires providers to immediately take corrective actions when they have reason to believe a high-risk AI system placed on the market does not conform with Chapter III Section 2 requirements — and to notify competent authorities and deployers accordingly.
Three conditions trigger Art.16(j):
- Non-conformity with Arts 9–15 — the system does not meet the technical requirements it was assessed against
- Risk to health, safety, or fundamental rights — the system poses a risk even if technically conformant
- Risk to fundamental rights specifically — Art.16(j) has a separate notification obligation for fundamental rights risks
The word "immediately" is legally significant. There is no compliance window for investigation before notification. Upon discovery of non-conformity that poses a risk, notification must occur — with investigation and remediation as parallel activities, not sequential ones.
Building the Art.16(j) Protocol
An operationally sound Art.16(j) corrective action protocol has four components:
Detection trigger: What conditions constitute "reason to believe" non-conformity exists? The QMS must define these explicitly, because the "reason to believe" standard is lower than "confirmed non-conformity." Sources include post-market monitoring data, deployer reports, MSA communications, and internal test results.
Classification: Is the non-conformity a technical defect (Arts 9–15 failure), a deployment issue (deployer deviation from IFU), or a fundamental rights risk? Classification determines notification pathway and urgency.
Notification targets: Art.16(j) requires notification to: (a) competent authorities in each member state where the system is deployed, (b) all deployers in those member states. The authorized representative handles notification coordination for non-EU providers.
Corrective action scope: What constitutes adequate corrective action? Options range from software update to withdrawal from market. The corrective action must be proportionate to the risk and documented in the QMS incident record.
Python ProviderObligationsManager
The following implementation integrates Art.16 continuous obligations into an operational compliance system.
from dataclasses import dataclass, field
from datetime import datetime, date
from enum import Enum
from typing import Optional
import json
import hashlib
class ObligationStatus(Enum):
ACTIVE = "active"
TRIGGERED = "triggered"
RESOLVED = "resolved"
OVERDUE = "overdue"
class CorrectiveActionCategory(Enum):
TECHNICAL_NON_CONFORMITY = "technical_non_conformity" # Arts 9-15 failure
FUNDAMENTAL_RIGHTS_RISK = "fundamental_rights_risk" # Art.16(j)(ii)
HEALTH_SAFETY_RISK = "health_safety_risk" # Art.16(j)(i)
DEPLOYMENT_DEVIATION = "deployment_deviation" # Deployer IFU breach
class NotificationTarget(Enum):
COMPETENT_AUTHORITY = "competent_authority"
DEPLOYER = "deployer"
AUTHORIZED_REPRESENTATIVE = "authorized_representative"
INTERNAL = "internal"
@dataclass
class CorrectiveActionEvent:
event_id: str
system_id: str
category: CorrectiveActionCategory
discovery_timestamp: datetime
discovery_source: str # "deployer_report" | "post_market_monitoring" | "msa" | "internal"
description: str
affected_member_states: list[str]
affected_deployers: list[str]
notifications_sent: list[dict] = field(default_factory=list)
corrective_actions_taken: list[str] = field(default_factory=list)
resolved: bool = False
resolution_timestamp: Optional[datetime] = None
def time_to_notification(self) -> Optional[float]:
"""Returns hours from discovery to first notification."""
if not self.notifications_sent:
return None
first_notif = min(
datetime.fromisoformat(n["timestamp"])
for n in self.notifications_sent
)
return (first_notif - self.discovery_timestamp).total_seconds() / 3600
@dataclass
class PostMarketMonitoringData:
system_id: str
reporting_period_start: date
reporting_period_end: date
deployer_id: str
total_uses: int
anomaly_events: int
human_oversight_interventions: int
user_complaints: int
performance_drift_detected: bool
reported_at: datetime = field(default_factory=datetime.now)
class ProviderObligationsManager:
"""
Operationalises Art.16 continuous obligations as running processes.
Integrates with Art.12 logging, Art.17 QMS, and Art.72 post-market monitoring.
"""
def __init__(self, system_id: str, provider_name: str, eu_established: bool = True):
self.system_id = system_id
self.provider_name = provider_name
self.eu_established = eu_established
self.authorized_representative: Optional[str] = None
self.corrective_action_log: list[CorrectiveActionEvent] = []
self.post_market_data: list[PostMarketMonitoringData] = []
self.deployer_registry: dict[str, dict] = {} # deployer_id → {member_state, contact}
def register_authorized_representative(
self,
representative_name: str,
member_state: str,
contact_email: str,
mandate_document_ref: str
) -> dict:
"""
Art.16(e): Non-EU providers must designate an EU-established authorized representative.
"""
if self.eu_established:
raise ValueError("EU-established providers do not require an authorized representative under Art.22.")
self.authorized_representative = representative_name
record = {
"representative": representative_name,
"member_state": member_state,
"contact": contact_email,
"mandate_ref": mandate_document_ref,
"registered_at": datetime.now().isoformat(),
"art16_obligation": "Art.16(e) × Art.22"
}
self._log_qms_event("authorized_representative_registered", record)
return record
def register_deployer(
self,
deployer_id: str,
member_state: str,
contact_email: str,
deployment_date: date
) -> None:
"""
Art.16(i): Provider must maintain deployer registry for post-market monitoring.
Required to execute Art.16(j) notification obligations when non-conformity is discovered.
"""
self.deployer_registry[deployer_id] = {
"member_state": member_state,
"contact": contact_email,
"deployment_date": deployment_date.isoformat(),
"active": True
}
def trigger_corrective_action(
self,
category: CorrectiveActionCategory,
description: str,
discovery_source: str,
affected_deployer_ids: Optional[list[str]] = None
) -> CorrectiveActionEvent:
"""
Art.16(g)+(j): Trigger corrective action upon discovery of non-conformity.
Notification to competent authorities and deployers must occur IMMEDIATELY.
"""
# Determine affected member states from deployer registry
if affected_deployer_ids is None:
affected_deployer_ids = list(self.deployer_registry.keys())
affected_states = list(set(
self.deployer_registry[d]["member_state"]
for d in affected_deployer_ids
if d in self.deployer_registry
))
event_id = hashlib.sha256(
f"{self.system_id}{datetime.now().isoformat()}{description}".encode()
).hexdigest()[:16]
event = CorrectiveActionEvent(
event_id=event_id,
system_id=self.system_id,
category=category,
discovery_timestamp=datetime.now(),
discovery_source=discovery_source,
description=description,
affected_member_states=affected_states,
affected_deployers=affected_deployer_ids
)
# Art.16(j): Immediate notification — do not wait for investigation to complete
self._send_notifications(event)
self.corrective_action_log.append(event)
self._log_qms_event("corrective_action_triggered", {
"event_id": event_id,
"category": category.value,
"affected_states": affected_states,
"notification_sent_within": event.time_to_notification()
})
return event
def _send_notifications(self, event: CorrectiveActionEvent) -> None:
"""
Art.16(j): Notify competent authorities in each affected member state + all affected deployers.
For non-EU providers: authorized representative coordinates notification.
"""
now = datetime.now().isoformat()
# Notify competent authorities
for state in event.affected_member_states:
notification = {
"target": NotificationTarget.COMPETENT_AUTHORITY.value,
"member_state": state,
"timestamp": now,
"channel": "authorized_representative" if not self.eu_established else "direct",
"art16_basis": "Art.16(j)"
}
event.notifications_sent.append(notification)
# Notify all affected deployers
for deployer_id in event.affected_deployers:
if deployer_id in self.deployer_registry:
notification = {
"target": NotificationTarget.DEPLOYER.value,
"deployer_id": deployer_id,
"contact": self.deployer_registry[deployer_id]["contact"],
"timestamp": now,
"art16_basis": "Art.16(j)"
}
event.notifications_sent.append(notification)
def ingest_post_market_data(self, data: PostMarketMonitoringData) -> dict:
"""
Art.16(i) × Art.72: Process post-market monitoring data.
Triggers corrective action evaluation if anomaly threshold exceeded.
"""
self.post_market_data.append(data)
anomaly_rate = data.anomaly_events / max(data.total_uses, 1)
analysis = {
"deployer_id": data.deployer_id,
"period": f"{data.reporting_period_start} to {data.reporting_period_end}",
"anomaly_rate": round(anomaly_rate, 4),
"oversight_intervention_rate": round(
data.human_oversight_interventions / max(data.total_uses, 1), 4
),
"performance_drift": data.performance_drift_detected,
"corrective_action_triggered": False
}
# Threshold: >5% anomaly rate or detected performance drift triggers evaluation
if anomaly_rate > 0.05 or data.performance_drift_detected:
event = self.trigger_corrective_action(
category=CorrectiveActionCategory.TECHNICAL_NON_CONFORMITY,
description=f"Post-market monitoring: anomaly_rate={anomaly_rate:.2%}, drift={data.performance_drift_detected}",
discovery_source="post_market_monitoring",
affected_deployer_ids=[data.deployer_id]
)
analysis["corrective_action_triggered"] = True
analysis["corrective_action_event_id"] = event.event_id
return analysis
def resolve_corrective_action(
self,
event_id: str,
actions_taken: list[str],
resolution_notes: str
) -> dict:
"""Document corrective action resolution in QMS."""
event = next((e for e in self.corrective_action_log if e.event_id == event_id), None)
if not event:
raise ValueError(f"No corrective action event found: {event_id}")
event.corrective_actions_taken = actions_taken
event.resolved = True
event.resolution_timestamp = datetime.now()
record = {
"event_id": event_id,
"resolved_at": event.resolution_timestamp.isoformat(),
"time_to_resolution_hours": (
event.resolution_timestamp - event.discovery_timestamp
).total_seconds() / 3600,
"actions_taken": actions_taken,
"notes": resolution_notes
}
self._log_qms_event("corrective_action_resolved", record)
return record
def generate_msa_audit_package(self) -> dict:
"""
Art.16(h): Generate documentation package for MSA investigation.
Must be producible on-demand without delay.
"""
open_events = [e for e in self.corrective_action_log if not e.resolved]
resolved_events = [e for e in self.corrective_action_log if e.resolved]
return {
"system_id": self.system_id,
"provider": self.provider_name,
"eu_established": self.eu_established,
"authorized_representative": self.authorized_representative,
"generated_at": datetime.now().isoformat(),
"art16_compliance_summary": {
"deployers_registered": len(self.deployer_registry),
"active_deployers": sum(
1 for d in self.deployer_registry.values() if d.get("active")
),
"post_market_reports_received": len(self.post_market_data),
"corrective_action_events_total": len(self.corrective_action_log),
"open_corrective_actions": len(open_events),
"resolved_corrective_actions": len(resolved_events),
"avg_resolution_hours": self._avg_resolution_hours(resolved_events)
},
"open_corrective_actions": [
{
"event_id": e.event_id,
"category": e.category.value,
"discovery": e.discovery_timestamp.isoformat(),
"notifications_sent": len(e.notifications_sent),
"time_to_first_notification_hours": e.time_to_notification()
}
for e in open_events
]
}
def _avg_resolution_hours(self, events: list[CorrectiveActionEvent]) -> Optional[float]:
if not events:
return None
hours = [
(e.resolution_timestamp - e.discovery_timestamp).total_seconds() / 3600
for e in events
if e.resolution_timestamp
]
return round(sum(hours) / len(hours), 1) if hours else None
def _log_qms_event(self, event_type: str, data: dict) -> None:
record = {
"qms_event_type": event_type,
"system_id": self.system_id,
"timestamp": datetime.now().isoformat(),
"art17_qms_log": True,
**data
}
print(json.dumps(record))
Post-Market Monitoring: Art.16(i) × Art.72
Art.16(i) requires providers to execute a post-market monitoring plan. Art.72 specifies what that plan must contain. Together, they create a continuous data collection obligation that runs for the lifetime of every deployed instance.
The Art.72 post-market monitoring plan must specify:
Data collection scope: What data is collected from deployers, what events are reportable, and at what frequency. The plan cannot be silent on how deployers contribute monitoring data — this must be contractually required in the supply agreement.
Serious incident threshold: Art.72(1) requires providers to collect and record data about serious incidents and non-compliances. "Serious incident" under Art.3(49) means any incident that directly or indirectly leads to the death of a person, serious damage to health, serious and irreversible disruption to critical infrastructure, or breach of fundamental rights.
Feeding into Art.9 risk management: Post-market data must feed back into the risk management system. The monitoring plan must document how findings trigger risk assessment updates — closing the loop between Art.72 monitoring and Art.9 risk management.
Frequency and format: The plan must specify reporting cadence (typically quarterly from deployers for high-risk systems) and how data is standardized for aggregation across multiple deployment contexts.
Deployer Contractual Requirements
Providers cannot execute post-market monitoring without deployer cooperation. The supply agreement with each deployer must include:
- Obligation to report anomalous outputs and system failures within a defined timeframe
- Obligation to report any serious incident immediately (aligning with Art.25(2))
- Minimum log retention requirements consistent with Art.12
- Right of provider access to operational logs for investigation purposes
- Requirement to maintain a register of use consistent with Art.25(1)(d)
If the deployer agreement does not include these terms, the provider cannot meet Art.16(i) and Art.72 obligations — the monitoring plan has no data.
Art.16 Enforcement: What MSAs Audit First
Market Surveillance Authorities conducting Art.16 investigations under Chapter VIII follow a predictable audit sequence. Understanding this sequence allows providers to prioritize documentation readiness.
Audit sequence (empirically observed from CE marking enforcement patterns):
-
Does the EU declaration of conformity exist? Art.48 × Art.47. First checkpoint — without it, the system should not be on the market.
-
Is the authorized representative designated? For non-EU providers, this is verifiable in EUDB registration.
-
Is the technical documentation producible within the deadline? Art.74(10) gives MSAs the right to request documentation on short notice. The QMS must have documentation retrievable in hours, not weeks.
-
Are corrective action records available? MSAs specifically look for whether the provider has a documented process and whether it has been used — prior corrective actions demonstrate an active compliance program.
-
Are post-market monitoring reports archived? Art.72 reports must be available for MSA inspection.
-
Is the risk management system (Art.9) a living document? MSAs check whether the risk register has been updated in response to operational experience — a static risk register from conformity assessment time is a red flag.
The Art.99 penalty regime creates significant downside asymmetry: serious violations can attract fines up to EUR 30M (for prohibited AI) or EUR 15M / 3% of global turnover (for Chapter III non-conformity). The cost of documentation readiness is negligible by comparison.
Art.16 × Art.9 × Art.12 × Art.13 × Art.17 Integration Matrix
| Art.16 Obligation | Primary Integration | Operational Mechanism |
|---|---|---|
| Art.16(a): Meet Arts 9–15 | Art.9 Risk Management | QMS Module 1: continuous technical requirements monitoring |
| Art.16(b): QMS | Art.17 QMS | QMS is the mechanism, not a separate obligation |
| Art.16(c): Technical documentation | Art.11 Annex IV | QMS Module 2: documentation version control |
| Art.16(d): Logging capability | Art.12 | LoggingEventRegistry; Art12RetentionManager |
| Art.16(e): IFU to deployers | Art.13 | TransparencyDisclosureManager; deployer handoff package |
| Art.16(f): Conformity assessment | Art.43 | Pre-market; notified body involvement where required |
| Art.16(g): CE marking | Art.48 | Affix after conformity assessment + DoC signature |
| Art.16(h): Registration | Art.49 × Art.71 | EUDB entry before first market placement |
| Art.16(i): Post-market monitoring | Art.72 | Post-market monitoring plan; deployer data collection |
| Art.16(j): Corrective action | Art.9 + Art.12 + Art.13 | CorrectiveActionEvent; immediate MSA + deployer notification |
Implementation Checklist
Pre-Market (Complete Before First Market Placement)
- Quality Management System documented per Art.17, with modules for all Art.16 continuous obligations
- Arts 9–15 technical requirements verified and documented in Annex IV technical file
- Conformity assessment completed per Art.43 (self-assessment or notified body depending on Annex VI pathway)
- EU declaration of conformity (DoC) signed per Art.47
- CE marking affixed per Art.48 (physically on product or documentation)
- System registered in EU AI Act database (EUDB) per Art.49 before first placement
- Authorized representative designated and mandated (non-EU providers only, Art.16(e) × Art.22)
- Post-market monitoring plan drafted per Art.72 with data collection specification
- Deployer agreement template includes Art.72 monitoring cooperation obligations
- Corrective action protocol documented in QMS with escalation path and notification targets
Post-Market (Continuous Obligations)
- Deployer registry maintained and updated as new deployments occur
- Post-market monitoring data collected from deployers at specified intervals
- Post-market data reviewed against Art.9 risk register — updates triggered when new risks identified
- Technical documentation version-controlled and updated for substantial modifications (Art.11(4))
- Corrective action events logged with time-to-notification and resolution timestamps
- MSA audit package generatable on demand (target: < 4 hours from request)
- Authorized representative mandate current and representative contactable
- Serious incident log maintained per Art.72(1) with MSA reporting where required
- QMS internal audit schedule active (annual minimum)
- Conformity re-assessment triggered for substantial modifications per Art.43(4)
Common Failure Modes
1. Treating Art.16 as pre-market only. The most frequent compliance failure: the provider completes conformity assessment, affixes CE marking, and considers Art.16 done. Post-market obligations under Art.16(g)–(j) and Art.72 are never operationalized.
2. No deployer contract terms for monitoring cooperation. The post-market monitoring plan specifies data collection, but the deployer agreement does not require deployers to provide it. The plan cannot be executed.
3. Corrective action protocol exists but has never been tested. MSAs specifically look for whether the corrective action process has been activated — a documented-but-unused protocol is a weak signal. Tabletop exercises and a documented test activation strengthen the QMS audit record.
4. Non-EU provider without authorized representative. Art.22 requires the mandate before first market placement. Placing a system without a designated authorized representative is a standalone violation under Art.99(6), separate from any technical non-conformity.
5. Technical documentation not retrievable within regulatory deadline. Art.74(10) allows MSAs to request documentation under short timelines. Documentation stored in systems that require weeks to compile is non-compliant with the effective cooperation obligation under Art.16(h).
6. Risk management system frozen at conformity assessment date. Art.9 requires a living risk management system. A risk register that has not been updated since market placement — despite operational data indicating new risks — is evidence of Art.9 non-compliance, which in turn is Art.16(a) non-compliance.
See Also
- EU AI Act Art.9: Risk Management System as a Living Document
- EU AI Act Art.11: Technical Documentation Lifecycle and Substantial Modification Triggers (2026)
- EU AI Act Art.12: Logging Obligations and Operational Compliance (2026)
- EU AI Act Art.13: Transparency Disclosure Management and IFU Lifecycle (2026)
- EU AI Act Art.14: Human Oversight Requirements and Automation Bias Defence (2026)
- EU AI Act Art.15: Accuracy, Robustness and Cybersecurity (2026)
- EU AI Act Article 16: The Complete Provider Obligations Checklist for High-Risk AI