EU AI Act Art.22 Authorized Representatives: Mandatory Appointment for Non-EU Providers, Mandate Requirements, Documentation Retention, Joint Liability Under Art.93, and Art.22 × Art.21 × Art.25 × Art.47 Integration (2026)

Article 22 of the EU AI Act is the market access gateway for non-EU providers. Any provider established outside the Union who wants to place a high-risk AI system on the EU market or put it into service must appoint an authorised representative established in a Member State — before the product crosses the EU border. Without that representative in place, the product cannot legally enter the EU market.

Art.22 sits at the intersection of several critical compliance chains. It connects to Art.21 (cooperation with competent authorities) because the authorized representative is the contact point for NCAs when the provider is unreachable. It connects to Art.25 (importers) because importers bear additional compliance duties that partially overlap with but do not replace the authorized representative role. It connects to Art.47 (EU Declaration of Conformity) because the authorized rep must hold copies of the DoC. And it connects to Art.93 (penalties) because the representative shares liability exposure for non-compliance.

This guide covers the full scope of Art.22: who must appoint, who qualifies as a representative, what the mandate must contain, what documentation the representative must hold, how liability is allocated, and what happens when the provider fails to comply or when the representative wants to exit the relationship.

The Legal Architecture of Art.22

Art.22 follows a structural pattern common to EU product regulation: when a producer is outside the jurisdiction, the Union requires a designated in-market responsible party. This pattern appears in the General Product Safety Regulation, the Medical Devices Regulation, and the Machinery Regulation. The EU AI Act adapts it to AI systems.

The logic is straightforward: if a provider in a third country (the US, China, India, or anywhere outside the EEA) places a high-risk AI system on the EU market, the national competent authority needs a person it can actually reach — someone physically in the Union, subject to EU law, and capable of responding to requests within working hours. The authorized representative fills that gap.

Art.22 in the Provider Obligation Sequence:

The post-market obligations sequence for Chapter III Section 2 providers runs: Art.17 (QMS) → Art.18 (documentation keeping) → Art.19 (log retention) → Art.20 (corrective actions) → Art.21 (cooperation with authorities) → Art.22 (authorized representatives) → Art.23 (obligations upon identifying non-conformity). Art.22 is explicitly positioned as the mechanism that makes Art.21 cooperation functional for non-EU providers. Without the representative, Art.21's cooperation obligation would be structurally unenforceable against providers beyond EU jurisdiction.

Art.22(1): The Appointment Obligation

Before Placing on the Market:

Providers established in third countries that intend to place high-risk AI systems on the Union market, or put them into service in the Union, shall, prior to such placing on the market or putting into service, appoint, by written mandate, an authorised representative which is established in the Union.

Three timing elements are critical:

"Prior to placing on the market" means the appointment must be completed before the first unit enters EU commerce. This is not a grace period or a post-entry registration requirement. It is a precondition for market access. If a provider ships a high-risk AI system to an EU customer before the representative is appointed, every unit in that shipment is in violation of Art.22(1).

"By written mandate" means a verbal agreement or informal understanding is legally insufficient. The mandate must be a written document that specifies the scope and terms of the representative's authority. Art.22(3) specifies what the mandate must contain.

"Established in the Union" means the representative must have a registered place of business, a branch, or a legal presence in a Member State — not merely a postal address. A P.O. box in Berlin does not satisfy "established in the Union." The representative must be reachable through normal business operations in EU jurisdiction.

Who Must Appoint:

The obligation applies to any provider not established in the Union who places a high-risk AI system on the Union market — regardless of whether the provider has EU customers through direct sales, distribution agreements, or licensing arrangements. The trigger is the intent to place on the Union market, not the provider's subjective knowledge of where end users are located. If a provider knows their system is being used in the EU or can reasonably foresee EU use through normal commercial channels, Art.22(1) applies.

What Counts as "High-Risk":

The appointment obligation is scoped to high-risk AI systems under Art.6 and Annex III. General-purpose AI systems, unless also classified as high-risk under Art.6, do not trigger Art.22. Providers offering AI systems to EU customers solely as general-purpose AI (with no high-risk classification under Annex III) are not subject to Art.22, though they may face separate obligations under Art.53-55.

Art.22(2): The Mandate Scope

What the Representative Must Be Empowered to Do:

The authorised representative shall perform the tasks specified in the mandate received from the provider. The mandate shall empower the authorised representative to carry out the following tasks:

The core task specification under Art.22(2) requires the representative to be empowered — not merely informed — to act on the provider's behalf. A representative who has knowledge of the provider's systems but no authority to take action does not satisfy Art.22.

Task 1: Verify the EU Declaration of Conformity and Technical Documentation:

The representative must verify that the EU Declaration of Conformity (Art.47) and technical documentation (Art.18) have been drawn up. This is not a passive receipt function. The representative must actively confirm that these documents exist, are current, and cover the specific systems being placed on the EU market.

Task 2: Keep Documentation Available for Market Surveillance:

The representative must keep copies of the EU Declaration of Conformity and technical documentation available for national competent authorities for 10 years after placing on the market. This mirrors Art.18's 10-year retention obligation on providers directly, but places it additionally within EU jurisdiction where authorities can access it without cross-border legal process.

Task 3: Cooperate with Competent Authorities:

The representative must cooperate with national competent authorities on any action required under Art.21, Art.74 (market surveillance), and Art.79 (corrective actions). This includes providing documentation on request, making systems available for inspection, and responding to NCA inquiries within required timelines.

Task 4: Provide Contact Point Function:

The representative serves as the primary point of contact for NCAs when the provider cannot be reached directly or when the NCA prefers to engage with an EU-based party. This function is particularly critical for systems under active market surveillance review.

Art.22(3): The Written Mandate Requirements

Minimum Mandatory Content:

The mandate must at minimum specify: the identity and contact information of both the provider and the representative; the scope of systems covered (by model, version, or product line); the representative's specific powers and limitations; the process for updating documentation when systems are modified; the process for notifying the representative of serious incidents; and the termination conditions.

Provider Obligations that Flow Through the Mandate:

The mandate creates a compliance chain: the provider must supply the representative with all documents the representative needs to perform their tasks. This includes: complete technical documentation per Art.11-17; the EU Declaration of Conformity per Art.47; post-market monitoring data from Art.72; serious incident notifications per Art.73; and any updates to the system that change the conformity status.

A mandate that does not establish the provider's duty to supply these documents in real time is structurally deficient — the representative cannot perform their obligations if the provider fails to share compliance information.

Language and Jurisdiction:

The mandate should be drafted in a language accessible to EU authorities in the Member State where the representative is established, and should specify which Member State's law governs the relationship. This matters because the representative's liability exposure (Art.22(5)) is assessed under EU law, but the internal contractual relationship between provider and representative may be governed by a separate choice of law.

Art.22(4): Documentation Retention by the Representative

The 10-Year Holding Obligation:

The authorised representative shall keep a copy of the EU declaration of conformity, technical documentation, and, where applicable, any certificate, including its updates, issued by a notified body. The retention period runs for 10 years after the last unit of the system was placed on the market or put into service in the EU.

Practical Implications:

The representative must maintain document management infrastructure capable of:

• Retaining original versions and all subsequent updates to each document
• Tracking which version was current at any given point in the 10-year window (needed for historical conformity assessment during market surveillance reviews)
• Making documents available to NCAs within reasonable timeframes on request
• Maintaining chain of custody records demonstrating document authenticity

This is not trivial for organizations acting as authorized representatives for multiple providers across multiple AI system product lines. The administrative burden of Art.22(4) is frequently underestimated during representative appointment negotiations.

Notified Body Certificates:

Where a system required a notified body assessment (under Art.43), the representative must also hold copies of the conformity assessment certificate and all updates. Since certificates may be revised, suspended, or withdrawn during the 10-year window, the representative must maintain an audit trail of certificate status changes.

Art.22(5): Joint and Several Liability

The Liability Exposure:

The authorised representative shall be considered the provider under this Regulation and shall be subject to the obligations incumbent upon providers under this Regulation.

This is the most commercially significant provision in Art.22. The representative is not merely a passive document holder or administrative contact — they are legally equivalent to the provider for purposes of the AI Act's compliance and enforcement framework.

What "Considered the Provider" Means in Practice:

Under Art.93, administrative fines for providers reach €30 million or 6% of total worldwide annual turnover (whichever is higher) for violations of prohibited AI practices (Art.5), and €20 million or 4% of turnover for violations of high-risk AI requirements. The representative, as "considered the provider," is exposed to these fines in addition to the provider itself.

NCA enforcement actions can be directed at the representative when the third-country provider cannot be reached or when directing action at an EU-based entity is procedurally simpler. The representative cannot disclaim liability by pointing to the provider's instructions — they bear direct, first-party compliance obligations under the Regulation.

What the Representative Can Do to Limit Exposure:

The Art.22(6) resignation right (below) is the primary contractual protection mechanism. Commercially, representatives should structure their mandates to:

• Include comprehensive indemnification from the provider for any fines, penalties, or costs arising from the provider's non-compliance
• Maintain the right to audit the provider's compliance status at any time
• Include automatic suspension or termination triggers when the provider fails to supply required documentation
• Carry professional indemnity insurance appropriate to the liability exposure

Without these contractual protections, the role of authorized representative carries significant financial and reputational risk.

Art.22(6): The Representative's Right to Resign

The Termination Right:

Without prejudice to other provisions of Union law, where the authorised representative considers that the provider concerned is acting contrary to its obligations under this Regulation, the authorised representative may terminate the mandate by notifying the provider and the relevant national competent authority.

The Dual Notification Requirement:

Termination requires notification to two parties: the provider and the NCA in the Member State where the representative is established. This dual notification ensures that NCAs are immediately aware when a high-risk AI system loses its authorized representative — at which point the system cannot legally remain on the EU market unless a new representative is appointed.

What Triggers Termination:

The representative "considers that the provider is acting contrary to its obligations" — this is a subjective threshold triggered by the representative's reasonable belief, not a formal finding of non-compliance. Grounds for termination include: the provider's refusal to supply required documentation, the provider's failure to notify serious incidents, the provider's modification of systems without updating conformity documentation, or the provider's failure to honor the indemnification obligations in the mandate.

The Gap Period and NCA Notification Obligations:

When a representative terminates their mandate, the provider must appoint a replacement before the system can continue in EU commerce. The terminating representative's notification to the NCA creates a compliance clock — NCAs may initiate market surveillance action against systems whose representative has resigned without a replacement being appointed.

Art.22 × Art.21: The Cooperation Chain

Art.21 requires providers of high-risk AI systems to cooperate with NCAs on request. For non-EU providers, this obligation is operationalized through Art.22: the authorized representative is the first point of NCA contact, the documentation holder, and the entity that can respond to Art.21(1) documentation requests within EU jurisdiction.

Source Code Access Under Art.21(2):

Art.21(2) enables NCAs to request source code access via a "reasoned request" when documentation is insufficient to assess conformity. For non-EU providers, this request flows through the authorized representative — but the representative typically does not have direct access to source code. The representative's mandate should establish the provider's obligation to respond to Art.21(2) requests within the timelines required by the NCA, with the representative coordinating the response.

The Documentation Package:

When an NCA issues an Art.21(1) documentation request, the representative should be able to respond immediately from their Art.22(4) retained documentation. The Art.21 and Art.22 obligations together create a two-layer documentation infrastructure: the provider maintains the authoritative copy, the representative holds an accessible EU-jurisdiction copy for NCA access without international legal process.

Art.22 × Art.25: Importers as a Separate but Related Role

Importers Under Art.25:

Importers (companies that physically bring non-EU AI systems into the EU market) bear separate compliance obligations under Art.25: verifying that the provider's conformity assessment has been carried out, checking that the CE marking and DoC are present, ensuring that the provider has appointed an authorized representative. Importers must also refuse to place on the market any system they have reason to believe presents a risk (Art.25(5)).

The Relationship Between Representative and Importer:

The authorized representative and the importer may be the same legal entity or different entities. When the same entity acts as both, the compliance obligations stack — all of Art.22's documentation and cooperation duties, plus all of Art.25's pre-market verification obligations. When they are different entities, importers must verify that a valid authorized representative has been appointed before placing the system on the market (Art.25(1)(b)).

Practical Supply Chain Architecture:

A common model for non-EU providers entering the EU market:

1. Provider appoints authorized representative (Art.22) — establishes compliance infrastructure
2. Distributor or importer verifies representative appointment (Art.25(1)(b)) before accepting product
3. Importer places product on EU market after Art.25 verification checklist
4. Representative holds documentation for NCA access under Art.22(4)
5. If NCA requests documentation: Art.21 request → representative responds from Art.22(4) holdings

This chain breaks if any link is missing: no representative means importers cannot legally bring the product in; no importer verification means Art.25 violations accumulate; no documentation holdings means Art.21 cooperation becomes impossible.

Art.22 × Art.47: EU Declaration of Conformity

The DoC as the Representative's Core Document:

The EU Declaration of Conformity under Art.47 is the document by which a provider declares that a high-risk AI system conforms with the requirements of Chapter III Section 2. It must be drawn up before placing on the market, must accompany the system (or be made available digitally), and must be updated whenever conformity status changes.

Representative's DoC Obligations:

The representative must: verify that the DoC exists before market placement; hold a copy for 10 years under Art.22(4); notify the NCA if the DoC is withdrawn or if the representative learns that the underlying conformity basis has changed; and provide the DoC to NCAs within the timeframes required under Art.21(1).

DoC Update Management:

When a provider modifies a system in a way that affects conformity (a "significant change" under Art.83), the DoC must be updated or reissued. The representative must track these updates and ensure their retained copy is current. A representative who holds a superseded DoC while the provider circulates an updated version is in violation of Art.22(4) even if the failure was the provider's — because the mandate requires the provider to supply updates, the representative's contractual enforcement of that obligation is part of their compliance duty.

Art.22 × Art.93: Penalty Exposure

The Penalty Ladder for Art.22 Violations:

Failure to appoint an authorized representative as required by Art.22(1) constitutes non-compliance with the obligations for providers of high-risk AI systems. Under Art.93(3), this carries administrative fines up to €10 million or 2% of total worldwide annual turnover, whichever is higher.

Providing false or misleading information to NCAs (including through the authorized representative role) carries fines up to €20 million or 4% of turnover under Art.93(2).

Prohibited AI practices (Art.5) carry the highest tier: up to €35 million or 7% of turnover.

Representative's Direct Fine Exposure:

Because Art.22(5) makes the representative "considered the provider," the representative faces fines at the provider tier — not merely as an accessory. An authorized representative who fails to respond to NCA requests, fails to hold required documentation, or fails to notify of serious incidents can be directly fined without the enforcement action needing to reach the third-country provider at all.

This is the core commercial risk in the authorized representative role: EU jurisdiction, provider-level liability, provider-level fines, with only the contractual indemnification from the provider as protection.

Python Implementation: AuthorizedRepresentativeManager

from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional
import uuid


class ComplianceStatus(Enum):
    COMPLIANT = "compliant"
    DOCUMENTATION_INCOMPLETE = "documentation_incomplete"
    MANDATE_EXPIRED = "mandate_expired"
    PROVIDER_NON_RESPONSIVE = "provider_non_responsive"
    TERMINATION_PENDING = "termination_pending"
    TERMINATED = "terminated"


class DocumentType(Enum):
    EU_DECLARATION_OF_CONFORMITY = "eu_doc"
    TECHNICAL_DOCUMENTATION = "technical_doc"
    NOTIFIED_BODY_CERTIFICATE = "nb_certificate"
    CONFORMITY_ASSESSMENT_REPORT = "ca_report"
    POST_MARKET_MONITORING_DATA = "pmm_data"


@dataclass
class RepresentedSystem:
    system_id: str
    provider_name: str
    provider_country: str
    system_name: str
    version: str
    annex_iii_classification: str
    placed_on_market_date: datetime
    documents: dict = field(default_factory=dict)
    compliance_status: ComplianceStatus = ComplianceStatus.DOCUMENTATION_INCOMPLETE

    @property
    def retention_deadline(self) -> datetime:
        return self.placed_on_market_date + timedelta(days=365 * 10)

    def add_document(
        self,
        doc_type: DocumentType,
        version: str,
        content_ref: str,
        valid_from: datetime,
        valid_until: Optional[datetime] = None,
    ):
        if doc_type not in self.documents:
            self.documents[doc_type] = []
        self.documents[doc_type].append({
            "version": version,
            "content_ref": content_ref,
            "valid_from": valid_from,
            "valid_until": valid_until,
            "added_at": datetime.utcnow(),
        })

    def current_document(self, doc_type: DocumentType) -> Optional[dict]:
        if doc_type not in self.documents or not self.documents[doc_type]:
            return None
        return max(self.documents[doc_type], key=lambda d: d["valid_from"])

    def has_complete_documentation(self) -> bool:
        required = [DocumentType.EU_DECLARATION_OF_CONFORMITY, DocumentType.TECHNICAL_DOCUMENTATION]
        return all(self.current_document(dt) is not None for dt in required)


@dataclass
class NCARequest:
    request_id: str
    nca_name: str
    member_state: str
    request_type: str  # "documentation", "source_code", "system_access", "information"
    system_id: str
    received_at: datetime
    response_deadline: datetime
    responded_at: Optional[datetime] = None
    status: str = "pending"


class AuthorizedRepresentativeManager:
    """
    Manages Art.22 authorized representative obligations for a collection of
    non-EU provider AI systems placed on the EU market.
    """

    def __init__(self, representative_name: str, member_state: str):
        self.representative_name = representative_name
        self.member_state = member_state
        self.systems: dict[str, RepresentedSystem] = {}
        self.nca_requests: list[NCARequest] = []
        self.termination_notices: list[dict] = []

    def register_system(self, system: RepresentedSystem) -> str:
        self.systems[system.system_id] = system
        return system.system_id

    def verify_pre_market_readiness(self, system_id: str) -> dict:
        """Art.22(2): Verify DoC and technical documentation exist before market placement."""
        system = self.systems.get(system_id)
        if not system:
            return {"ready": False, "reason": "system_not_registered"}

        missing = []
        if not system.current_document(DocumentType.EU_DECLARATION_OF_CONFORMITY):
            missing.append("EU Declaration of Conformity (Art.47)")
        if not system.current_document(DocumentType.TECHNICAL_DOCUMENTATION):
            missing.append("Technical Documentation (Art.18)")

        return {
            "ready": len(missing) == 0,
            "missing_documents": missing,
            "retention_deadline": system.retention_deadline.isoformat(),
        }

    def handle_nca_request(
        self,
        nca_name: str,
        member_state: str,
        request_type: str,
        system_id: str,
        response_deadline_hours: int = 72,
    ) -> NCARequest:
        """Art.22(2)(c) + Art.21: Handle NCA documentation or information requests."""
        request = NCARequest(
            request_id=str(uuid.uuid4()),
            nca_name=nca_name,
            member_state=member_state,
            request_type=request_type,
            system_id=system_id,
            received_at=datetime.utcnow(),
            response_deadline=datetime.utcnow() + timedelta(hours=response_deadline_hours),
        )
        self.nca_requests.append(request)
        return request

    def prepare_documentation_package(self, system_id: str) -> dict:
        """Art.22(4): Compile documentation package for NCA access."""
        system = self.systems.get(system_id)
        if not system:
            return {"error": "system_not_found"}

        package = {
            "system_id": system_id,
            "system_name": system.system_name,
            "provider": system.provider_name,
            "prepared_at": datetime.utcnow().isoformat(),
            "documents": {},
        }

        for doc_type in DocumentType:
            current = system.current_document(doc_type)
            if current:
                package["documents"][doc_type.value] = {
                    "version": current["version"],
                    "valid_from": current["valid_from"].isoformat(),
                    "content_ref": current["content_ref"],
                }

        return package

    def initiate_termination(self, provider_name: str, reason: str, system_ids: list[str]) -> dict:
        """
        Art.22(6): Initiate mandate termination when provider acts contrary to obligations.
        Dual notification to provider and NCA required.
        """
        notice = {
            "notice_id": str(uuid.uuid4()),
            "initiated_at": datetime.utcnow().isoformat(),
            "provider": provider_name,
            "reason": reason,
            "affected_systems": system_ids,
            "nca_notified": False,
            "provider_notified": False,
            "notification_required_by": (datetime.utcnow() + timedelta(hours=24)).isoformat(),
        }
        self.termination_notices.append(notice)

        for system_id in system_ids:
            if system_id in self.systems:
                self.systems[system_id].compliance_status = ComplianceStatus.TERMINATION_PENDING

        return notice

    def audit_retention_obligations(self) -> list[dict]:
        """Art.22(4): Check which systems have documentation gaps or approaching deadlines."""
        findings = []
        now = datetime.utcnow()

        for system_id, system in self.systems.items():
            days_to_deadline = (system.retention_deadline - now).days
            if days_to_deadline < 365:
                findings.append({
                    "system_id": system_id,
                    "issue": "retention_deadline_approaching",
                    "days_remaining": days_to_deadline,
                })

            if not system.has_complete_documentation():
                findings.append({
                    "system_id": system_id,
                    "issue": "documentation_incomplete",
                    "status": "art_22_4_violation_risk",
                })

        return findings

    def overdue_nca_responses(self) -> list[NCARequest]:
        """Identify NCA requests past their response deadline."""
        now = datetime.utcnow()
        return [r for r in self.nca_requests if r.status == "pending" and r.response_deadline < now]

Art.22 Compliance Checklist (20 Items)

Provider Obligations Before Market Placement (Items 1-6):

1. Identify whether each AI system intended for EU market is classified as high-risk under Art.6 and Annex III — Art.22 applies only to high-risk systems.

2. Appoint an authorized representative by written mandate before the first unit is placed on the EU market or put into service in the Union — Art.22(1). "Before" means no grace period; shipment without representative in place is an immediate violation.

3. Ensure the mandate is in written form and specifies: scope of systems covered, representative's powers and obligations, provider's documentation supply obligations, and termination conditions — Art.22(3).

4. Grant the representative access to all compliance documentation they need to perform their Art.22(2) obligations: EU Declaration of Conformity, technical documentation, notified body certificates, PMM data, serious incident notifications.

5. Establish an internal process for notifying the representative of any system modifications that affect conformity status — required for the representative to maintain current documentation under Art.22(4).

6. Establish an indemnification provision in the mandate covering fines, penalties, and costs arising from the provider's non-compliance — without this, the representative carries direct Art.93 liability without recourse.

Representative Verification Obligations (Items 7-12):

1. Verify that the EU Declaration of Conformity under Art.47 has been drawn up and covers the specific systems being placed on the market — Art.22(2)(a).

2. Verify that the technical documentation under Art.11 and Art.18 has been drawn up and is current — Art.22(2)(b).

3. Confirm that any notified body assessment required under Art.43 has been completed and the certificate is current before accepting the mandate for that system — Art.22(2)(c).

4. Establish a document management system capable of retaining all required documents for 10 years with version tracking, access logging, and NCA-response-ready retrieval — Art.22(4).

5. Register with the relevant national competent authority in the Member State where established as an authorized representative — check Member State implementation regulations for specific registration requirements.

6. Establish a contact point function capable of receiving and responding to NCA requests within normal business hours — Art.22(2)(d).

Ongoing Compliance Obligations (Items 13-17):

1. Maintain current copies of all documentation for each represented system under Art.22(4) — update within 30 days whenever the provider issues a new version of the EU DoC, technical documentation, or notified body certificate.

2. Respond to NCA documentation requests under Art.21(1) within the timeframe specified by the authority — typically 15 working days, but some authorities may specify shorter deadlines.

3. Coordinate Art.21(2) source code access requests with the provider when NCAs require source code inspection — the representative cannot unilaterally provide source code they do not hold, but must facilitate the provider's response.

4. Notify NCAs immediately if the provider fails to supply required compliance documentation — the representative's Art.22(6) termination right may be triggered, and NCAs need to know the system may lack compliant oversight.

5. Monitor the represented systems' post-market monitoring data (Art.72) for incidents that might trigger Art.20 (corrective actions) or Art.73 (serious incident reporting) obligations — the representative's mandate should include a clear notification duty from the provider for such events.

Termination and Exit Management (Items 18-20):

1. Monitor provider compliance on a periodic basis (quarterly recommended) — if the provider fails to supply updated documentation, fails to notify serious incidents, or modifies systems without informing the representative, these are grounds for Art.22(6) termination.

2. If termination is necessary: notify both the provider and the competent authority simultaneously — Art.22(6). Do not terminate without NCA notification; doing so may itself constitute non-compliance.

3. After termination: retain all documentation held under Art.22(4) for the full 10-year retention period from the date the system was last placed on the market — termination of the mandate does not end the documentation retention obligation for units already in commerce.

See Also

• EU AI Act Art.21 Cooperation with Competent Authorities 2026 — The cooperation obligations that authorized representatives must operationalize for NCA requests
• EU AI Act Art.20 Corrective Actions for Non-Conforming Systems 2026 — How the corrective action notification chain flows through the authorized representative
• EU AI Act Art.18 Documentation Keeping Obligations 2026 — The 10-year documentation retention that Art.22(4) mirrors in the representative's holding obligation
• EU AI Act Art.19 Automatically Generated Logs 2026 — Log retention that authorized representatives must be able to produce on NCA request