sota.io
2026-04-22·13 min read·

EU AI Act Art.23 Obligations of Importers: Conformity Verification, Due Diligence Requirements, Market Surveillance Cooperation, and Art.23 × Art.22 × Art.25 × Art.47 Integration (2026)

Article 23 of the EU AI Act establishes direct compliance obligations for importers — the EU-established entities that bring high-risk AI systems from third-country providers into the EU market. Importers are not passive logistics intermediaries under the EU AI Act. They are active compliance gatekeepers who must verify conformity before placing any system on the market, and who bear independent liability exposure if they fail those verification duties.

Art.23 sits at the intersection of the provider-to-market pipeline. A third-country provider builds the system. An authorized representative (Art.22) maintains the regulatory contact point. An importer takes physical or commercial custody and places the product on the EU market. A distributor (Art.24) then makes it available downstream. Each actor in this chain has distinct but overlapping obligations. Understanding what Art.23 requires — and how it differs from the Art.22 representative role and the Art.24 distributor role — is essential for any supply chain operating across EU borders.

The Legal Architecture of Art.23

The Importer's Position in the Supply Chain:

Under the EU AI Act, "importer" means any natural or legal person established in the Union that places on the market a high-risk AI system that bears the name or trademark of a natural or legal person established outside the Union. Three elements define importer status:

  1. Established in the Union — the importer must have a legal presence in the EU. Unlike the provider or the provider's overseas subsidiary, the importer is an EU-market actor subject to EU jurisdiction.

  2. Places on the market — the importer takes the act of making the system commercially available for the first time in the Union. This is a different act from distributing (making available downstream) or deploying (putting into use).

  3. Third-country product — the AI system bears the name or trademark of a provider established outside the EU. If the provider is EU-established, there is no importer in the Art.23 sense (the provider bears Chapter III Section 2 obligations directly).

Art.23 in the Obligation Sequence:

The market-facing obligation chain in the EU AI Act runs: Provider obligations (Art.16-22) → Importer obligations (Art.23) → Distributor obligations (Art.24) → Deployer obligations (Art.26). Art.23 is the first step in the post-provider distribution chain. Importers must complete their verification duties before the system reaches distributors or deployers.

Art.23(1): Conformity Verification Before Placing on Market

Before placing a high-risk AI system on the market, importers shall verify that:

The provider has carried out the appropriate conformity assessment. For most Annex III systems, this means the conformity assessment procedure in Art.43(1): either internal control (Annex VI) or third-party assessment through a notified body. The importer cannot independently perform the conformity assessment — that is the provider's obligation. But the importer must verify that the provider actually completed one.

The provider has drawn up the technical documentation. Art.18 requires providers to draw up and maintain technical documentation before placing the system on the market. Art.23(1) requires importers to check that this documentation exists. The importer does not need to obtain and audit the full technical documentation file, but they must have a reasonable basis to believe it exists and covers the system being imported.

The system bears the required CE marking. Art.49 requires high-risk AI systems to bear the CE conformity marking before being placed on the Union market. The CE marking must be affixed visibly, legibly, and indelibly to the AI system or its packaging. The importer must verify this before placing the system on the market.

The system is accompanied by the EU Declaration of Conformity. Art.47 requires providers to draw up an EU Declaration of Conformity (DoC) and affix the CE marking only after completing the conformity assessment. The importer must verify that the DoC accompanies the system and that it has been properly drawn up — covering the system's identity, the applicable conformity assessment procedure, the harmonised standards applied, and the notified body involvement where applicable.

The system is accompanied by the instructions for use in a language that can be easily understood by users. Art.13(3) requires providers to ensure high-risk AI systems are accompanied by instructions that enable deployers to use the system appropriately, understand its capabilities and limitations, and implement the required human oversight measures. Instructions must be in a language designated by the Member State where the system is placed on the market.

The authorized representative, where applicable, has been appointed. For third-country providers, Art.22(1) requires appointment of an authorized representative before market placement. The importer must verify that this appointment has been made and that the representative is properly established in the Union.

What "Verify" Means in Practice:

Art.23(1) imposes a due diligence standard. Importers are not certifying the technical accuracy of the conformity assessment — they are verifying that the procedural prerequisites have been met. The practical steps include:

Where the importer has concerns — if documentation is missing, if the CE marking is absent, if the authorized representative cannot be verified — Art.23(1) prohibits placing the system on the market until those concerns are resolved.

Art.23(2): Non-Conformity Obligations and Notification Chain

If the Importer Has Reason to Believe Non-Conformity Exists:

Where an importer, before placing a high-risk AI system on the market, has reason to believe that the system is not in conformity with the requirements of Chapter III Section 2 (the high-risk system requirements), the importer shall not place the system on the market until conformity has been achieved.

"Reason to believe" is a lower threshold than certainty. If the importer encounters any indicator of non-conformity during their verification — missing documentation, CE marking that appears to have been applied without a completed conformity assessment, instructions for use that don't cover material capabilities — Art.23(2) applies. The importer cannot proceed and hope the issue resolves itself.

Notification Obligations:

Where the system presents a risk within the meaning of Art.79(1) — meaning the system is likely to present a risk to health, safety, or fundamental rights — the importer shall immediately inform the provider of the high-risk AI system, the authorized representative (where one has been appointed), and the market surveillance authorities of the Member State where the system was to be placed on the market.

The notification triggers three parallel responses:

  1. Provider notification — gives the provider opportunity to investigate and implement corrective actions. Art.20 governs provider corrective action obligations.

  2. Authorized representative notification — ensures the representative (who may be the primary NCA contact point) is aware of the issue.

  3. Market surveillance authority notification — activates the regulatory oversight chain under Chapter VI. Market surveillance authorities have powers including requesting technical documentation, ordering market withdrawal, and issuing prohibitions.

The importer's role in the notification chain is not advisory — it is mandatory. An importer who discovers a risk and does not notify the relevant authorities is independently liable for that failure, regardless of what the provider does or does not do.

Art.23(3): Importer Contact Information

Name and Address Requirement:

Importers shall indicate their name, registered trade name or registered trade mark, and the address at which they can be contacted on the high-risk AI system, or on its packaging, or in a document accompanying it.

This requirement ensures that market surveillance authorities, deployers, and users can identify the EU-market actor responsible for the system. Where a third-country provider is unreachable, the importer's contact details provide the enforcement access point.

Language Requirements:

The contact information must appear in a language easily understood by users and market surveillance authorities in the Member State where the system is made available.

Format Options:

The contact information may appear on:

Where the system is software-only (no physical packaging), embedding contact information in the software interface or accompanying documentation is the practical approach.

Art.23(4): Storage and Transport Obligations

Maintaining Conformity Conditions:

Importers shall ensure that, while a high-risk AI system is under their responsibility, storage or transport conditions do not jeopardise the system's conformity with the requirements of Chapter III Section 2.

For most high-risk AI systems — which are software or software-embedded products — storage and transport conditions relate to data integrity during transfer, software authenticity (preventing tampering during distribution), and version control (ensuring the system delivered corresponds to the system that completed the conformity assessment).

Practical Implications for Software-Based AI Systems:

Art.23(5): Documentation Retention

Ten-Year Retention Obligation:

Importers shall, for a period of ten years after the high-risk AI system has been placed on the market or put into service, keep a copy of the EU Declaration of Conformity and, where applicable, any certificate issued by a notified body.

This mirrors the provider's documentation retention obligation under Art.18. The importer's ten-year retention duty runs independently of the provider's. If the provider goes out of business, if the authorized representative resigns, or if the supply chain is restructured, the importer's copy of the DoC remains available to market surveillance authorities for the full ten-year period.

What Must Be Retained:

  1. The EU Declaration of Conformity — the document drawn up under Art.47 that certifies conformity with the applicable requirements. If the DoC is updated (because the system is modified, because applicable standards change, or because the provider revises it), the importer should retain all versions relevant to the systems they placed on the market.

  2. Notified body certificates — where the conformity assessment involved a third-party notified body (required for certain Annex III systems and biometric systems under Art.43(1)), the certificate issued by the notified body must be retained. If the certificate is updated, suspended, or withdrawn during the ten-year period, the importer should document those changes.

Cooperation with Market Surveillance Authorities:

Importers shall, on request by a national competent authority, provide that authority with all information and documentation necessary to demonstrate the conformity of a high-risk AI system with the requirements of Chapter III Section 2. This includes access to retained documentation.

The cooperation obligation is not limited to providing documents the importer has. If the authority needs access to the provider's technical documentation (which the importer may not hold), the importer must facilitate that access — connecting the authority with the provider or authorized representative.

Art.23(6): Cooperation in Risk-Reduction Actions

Active Cooperation Obligation:

Importers shall cooperate with the competent authorities and with the provider and, where applicable, the provider's authorised representative, to ensure that the necessary corrective actions are taken for the high-risk AI systems they have placed on the market, withdrawn, or recalled, or to comply with applicable requirements.

This cooperation obligation runs throughout the system's lifecycle, not just at the point of market placement. If a system that the importer placed on the market is later found to present risks — whether discovered through post-market monitoring (Art.72), incident reports (Art.73), or market surveillance — the importer must cooperate in the corrective action response.

Practical Cooperation Steps:

Art.23 × Art.22: The Importer-Representative Relationship

Overlap and Distinction:

Art.22 (authorized representative) and Art.23 (importer) address related but distinct compliance functions. Their relationship is frequently misunderstood in supply chain mapping.

The authorized representative is appointed by the provider, acts on the provider's behalf, and serves as the provider's regulatory contact point for NCAs. The representative does not place the system on the market — they are the compliance anchor for the provider's obligations.

The importer is an independent EU-market actor who takes the act of placing the system on the market. The importer has their own independent verification duties, contact information requirements, documentation retention obligations, and cooperation duties.

Can the Same Entity Be Both?

Yes. Art.22(1) does not prohibit an importer from also serving as the authorized representative, provided the mandate requirements of Art.22(2)-(3) are met and the importer is properly appointed. However, holding both roles creates dual liability exposure:

In practice, many non-EU providers appoint their EU import partner as authorized representative. This simplifies the supply chain but concentrates compliance risk on the EU-market actor.

Where They Interact Under Art.23(2):

When an importer identifies a potential non-conformity, Art.23(2) requires notifying the authorized representative (alongside the provider and market surveillance authority). This notification creates a three-party response: the provider determines the technical fix; the representative coordinates with authorities; the importer manages the market-side response (holding inventory, managing downstream notification).

Art.23 × Art.47: Declaration of Conformity Mechanics

The Importer's DoC Obligations:

Under Art.23(1), importers must verify the DoC exists before placing the system on the market. Under Art.23(5), they must retain a copy for ten years. But importers do not draw up the DoC — that is the provider's obligation under Art.47.

What the Importer Checks in the DoC:

When reviewing the DoC under Art.23(1), importers should verify:

A DoC that covers a different model, references a superseded version of the system, or fails to identify the applicable conformity assessment procedure is deficient and should trigger Art.23(2) non-conformity notification.

Art.23 × Art.93: Importer Liability Exposure

Independent Liability Framework:

Importers are not shielded from Art.93 penalties by the fact that they are not the AI system provider. Art.93(3) imposes fines for non-compliance with obligations under the Regulation, and importer obligations under Art.23 are obligations under the Regulation.

Specific Penalty Exposure:

Fines Under Art.93:

The 2% threshold is the same penalty band as provider violations under Art.93(3) — importers face the same financial exposure as the providers whose systems they import.

Practical Implementation: Importer Compliance Framework

from dataclasses import dataclass, field
from enum import Enum
from datetime import date, datetime
from typing import Optional

class ConformityStatus(Enum):
    VERIFIED = "verified"
    PENDING_REVIEW = "pending_review"
    NON_CONFORMITY_IDENTIFIED = "non_conformity_identified"
    BLOCKED = "blocked"

class NotificationStatus(Enum):
    NOT_REQUIRED = "not_required"
    PENDING = "pending"
    SENT_TO_PROVIDER = "sent_to_provider"
    SENT_TO_AUTHORITY = "sent_to_authority"
    COMPLETE = "complete"

@dataclass
class ImporterDossier:
    """Art.23 compliance dossier per imported high-risk AI system."""
    system_id: str
    provider_name: str
    provider_country: str
    authorized_rep_name: Optional[str]
    authorized_rep_address: Optional[str]
    ce_marking_verified: bool = False
    doc_obtained: bool = False
    doc_date: Optional[date] = None
    doc_version: Optional[str] = None
    notified_body_certificate: Optional[str] = None
    instructions_language_verified: bool = False
    conformity_assessment_procedure: Optional[str] = None
    placement_date: Optional[date] = None
    retention_deadline: Optional[date] = None
    conformity_status: ConformityStatus = ConformityStatus.PENDING_REVIEW
    notification_status: NotificationStatus = NotificationStatus.NOT_REQUIRED
    contact_info_embedded: bool = False
    cooperation_log: list = field(default_factory=list)

    def verify_pre_placement_checklist(self) -> dict:
        """Art.23(1) verification checklist before market placement."""
        checks = {
            "ce_marking": self.ce_marking_verified,
            "doc_obtained": self.doc_obtained,
            "authorized_representative": bool(self.authorized_rep_name),
            "instructions_language": self.instructions_language_verified,
            "conformity_assessment_procedure": bool(self.conformity_assessment_procedure),
            "contact_info_ready": self.contact_info_embedded,
        }
        all_passed = all(checks.values())
        return {
            "can_place_on_market": all_passed,
            "checks": checks,
            "blocking_items": [k for k, v in checks.items() if not v]
        }

    def set_placement_date(self, placement_date: date) -> None:
        """Record placement date and compute Art.23(5) retention deadline."""
        self.placement_date = placement_date
        # Art.23(5): 10-year retention from placement or service date
        self.retention_deadline = date(
            placement_date.year + 10,
            placement_date.month,
            placement_date.day
        )

    def report_non_conformity(self, description: str, risk_to_health_safety: bool) -> dict:
        """Art.23(2): Non-conformity identified — notification chain."""
        self.conformity_status = ConformityStatus.NON_CONFORMITY_IDENTIFIED
        notifications_required = []
        # Always: do not place on market until resolved
        if risk_to_health_safety:
            # Art.23(2): notify provider, authorized rep, and market surveillance authority
            notifications_required = ["provider", "authorized_representative", "market_surveillance_authority"]
            self.notification_status = NotificationStatus.PENDING
        action_log = {
            "timestamp": datetime.now().isoformat(),
            "type": "non_conformity_report",
            "description": description,
            "risk_level": "high" if risk_to_health_safety else "standard",
            "notifications_required": notifications_required,
            "market_placement_blocked": True
        }
        self.cooperation_log.append(action_log)
        return action_log

    def log_authority_cooperation(self, authority: str, request_type: str, response: str) -> None:
        """Art.23(4)/(6): Log market surveillance authority cooperation."""
        self.cooperation_log.append({
            "timestamp": datetime.now().isoformat(),
            "type": "authority_cooperation",
            "authority": authority,
            "request_type": request_type,
            "response": response
        })

    def check_retention_status(self, as_of: date = None) -> dict:
        """Art.23(5): Check documentation retention compliance."""
        if as_of is None:
            as_of = date.today()
        if not self.retention_deadline:
            return {"status": "no_placement_date_recorded", "compliant": False}
        days_remaining = (self.retention_deadline - as_of).days
        return {
            "placement_date": self.placement_date.isoformat() if self.placement_date else None,
            "retention_deadline": self.retention_deadline.isoformat(),
            "days_remaining": days_remaining,
            "compliant": days_remaining > 0,
            "doc_retained": self.doc_obtained,
            "certificate_retained": bool(self.notified_body_certificate)
        }

18-Item Art.23 Compliance Checklist

Before Placing on Market (Art.23(1)):

  1. ☐ Obtain EU Declaration of Conformity from provider — verify it covers this system model and version
  2. ☐ Verify CE marking is affixed visibly and legibly to system or packaging
  3. ☐ Confirm the applicable conformity assessment procedure is documented (Annex VI or notified body procedure)
  4. ☐ Where notified body was involved, obtain notified body certificate number and verify certificate status
  5. ☐ Verify instructions for use exist in appropriate Member State language(s)
  6. ☐ Verify authorized representative is appointed, established in the Union, and identifiable by name and address
  7. ☐ Complete internal pre-placement conformity verification record

Contact Information and System Marking (Art.23(3)):

  1. ☐ Importer name, trade name, and contact address embedded in system, packaging, or accompanying documentation
  2. ☐ Contact information in a language understood by users in the target Member State
  3. ☐ Contact information visible and accessible to deployers and market surveillance authorities

Documentation Retention (Art.23(5)):

  1. ☐ Retain copy of EU Declaration of Conformity from placement date
  2. ☐ Retain copy of any notified body certificate(s) from placement date
  3. ☐ Record placement date and compute ten-year retention deadline
  4. ☐ Establish document retention process (updated DoC versions if provider revises)

Non-Conformity Response (Art.23(2)):

  1. ☐ Non-conformity identification triggers immediate market placement block
  2. ☐ Where risk to health/safety/fundamental rights: notify provider within same business day
  3. ☐ Where risk: notify authorized representative and market surveillance authority
  4. ☐ Log all notifications with timestamps, recipient, and response

Key Distinctions: Importer vs Provider vs Distributor

ObligationProvider (Art.16-22)Importer (Art.23)Distributor (Art.24)
Conformity assessmentPerformsVerifiesVerifies outcome
Technical documentationDraws up and holdsDoes not hold (unless also Rep)Does not hold
EU Declaration of ConformityDraws upObtains and retains 10yrVerifies existence
CE markingAffixesVerifiesVerifies
Contact informationProvider detailsImporter details addedDistributor details added
Non-conformity notificationImplements fixNotifies provider + authorityNotifies provider/importer
Market surveillance cooperationArt.21Art.23(4)/(6)Art.24(5)

Conclusion

Art.23 makes importers active compliance participants in the EU AI Act supply chain — not passive intermediaries who simply forward third-country products to EU distributors. The Art.23(1) verification obligation requires importers to check the full conformity paperwork before any system crosses into the EU market. The Art.23(2) notification obligation makes importers mandatory participants in the risk response chain. The Art.23(5) documentation retention obligation creates a ten-year paper trail independent of the provider.

For supply chains where a US, Chinese, or other third-country provider distributes through EU-based import partners, Art.23 changes the legal calculus: the EU importer cannot disclaim responsibility by pointing to the provider's conformity assessment. They must verify it. And if they fail to verify it, or if they place a non-conforming system on the market, they face the same 2% worldwide turnover penalty exposure as the provider whose system they imported.

The practical response is a structured importer compliance program: standardized DoC verification checklists, contact information embedding protocols, documentation retention procedures, and a defined non-conformity escalation process. Systems that pass Art.23 verification at the import stage have cleared the first distribution-chain compliance gate. Systems that fail Art.23 verification must be held until conformity is achieved — regardless of commercial pressure to deliver.

See Also: