EU AI Act Art.24 Obligations of Distributors: Verification Duties, Non-Conformity Protocols, Market Surveillance Cooperation, and Art.24 × Art.23 × Art.25 × Art.47 Integration (2026)

Article 24 of the EU AI Act establishes the compliance framework for distributors — the entities that make high-risk AI systems available on the Union market after they have been placed on the market by a provider or imported by an importer. Distributors operate at the downstream end of the pre-deployment supply chain. They do not place AI systems on the market themselves and they do not put systems into service — but they still bear independent legal obligations that can expose them to substantial liability if not properly managed.

The distributor role is frequently underestimated in AI supply chain compliance. Companies that resell, license, or otherwise make available third-party AI systems assume that compliance is entirely the provider's responsibility. Art.24 explicitly rejects that assumption. Distributors must verify conformity before each act of making a system available, respond to identified risks, cooperate with market surveillance authorities, and maintain traceability. And under Art.24(5), a distributor that modifies a system or changes its intended purpose becomes a provider — a transformation that triggers the full Art.16-22 provider obligation stack.

The Distributor Position in the EU AI Act Supply Chain

Defining Distributor Status:

Under the EU AI Act, a distributor is any natural or legal person in the supply chain other than the provider or importer who makes a high-risk AI system available on the Union market. Three structural elements define who is a distributor:

1. Not the provider — the provider has placed the system on the market and bears Art.16-22 obligations. Distributors do not bear those obligations — unless they trigger Art.24(5) or Art.25.

2. Not the importer — the importer brought the system into the EU from a third-country provider and bears Art.23 obligations, including the full pre-placement conformity verification. The distributor is a downstream actor who operates after the importer has already cleared the system for EU market entry.

3. Makes available on the market — this means any supply of a high-risk AI system for distribution, consumption, or use on the Union market in the course of a commercial activity. "Making available" includes resale, sublicensing, bundling into a larger product or service, or distribution through channel partners.

Art.24 in the Obligation Sequence:

The EU AI Act supply chain obligation sequence is: Provider obligations (Art.16-22) → Importer obligations (Art.23) → Distributor obligations (Art.24) → Deployer obligations (Art.26). Art.24 is the final compliance checkpoint before the system reaches deployers who put it into active use. The importer has already verified the conformity assessment was completed. The distributor verifies that what they are now making available to the next downstream entity still carries proper documentation and marking.

Distributor vs Deployer:

A deployer (Art.26) puts the AI system into service for a specific use. A distributor makes the system available downstream — they may be providing it to other businesses (deployers, other distributors) or in some cases directly to end users. The key distinction is whether the entity is making the system available commercially versus actually operating it for a purpose. A company that sells an AI hiring tool to HR departments is a distributor. The HR department that operates the tool is a deployer.

Art.24(1): Pre-Availability Verification Duties

Before making a high-risk AI system available on the market, distributors shall verify that:

The system bears the CE conformity marking. Art.49 requires the CE marking to be affixed visibly, legibly, and indelibly before the system is placed on the Union market. The CE marking indicates that the provider has completed the required conformity assessment. A distributor who makes available a high-risk AI system without CE marking is making available a non-conforming product, regardless of whether they knew the marking was absent.

The system is accompanied by the required documentation. This includes the EU Declaration of Conformity (Art.47) and the instructions for use required by Art.13(3). The DoC must be accessible to market surveillance authorities and the instructions must enable deployers to implement appropriate human oversight and use the system within its design parameters.

The provider has complied with obligations under Art.16. Art.16 is the master list of provider obligations: implementing a quality management system (Art.17), maintaining technical documentation (Art.18), retaining logs where technically feasible (Art.19), taking corrective actions (Art.20), cooperating with authorities (Art.21), and appointing an authorized representative for third-country providers (Art.22). The distributor's Art.24(1) verification is a secondary check that the provider chain has completed these obligations — not an independent audit.

The importer has complied with obligations under Art.23. For third-country AI systems, the importer bears pre-placement verification duties under Art.23(1) — verifying the conformity assessment, the technical documentation, the CE marking, the DoC, the instructions, and the authorized representative. The distributor checks that the importer has completed this work. Distributors who receive systems directly from EU-established providers without an importer in the chain skip the Art.23 verification check.

What Verification Looks Like in Practice:

Art.24(1) is a documentation review obligation, not an independent conformity assessment. The distributor cannot be expected to conduct their own technical assessment of whether the AI system meets the Art.9-15 high-risk requirements. What they can and must do:

• Confirm CE marking is affixed to the system or its packaging
• Request and review the EU Declaration of Conformity
• Confirm instructions for use exist in the required language(s) for the target market
• Confirm the provider is identified (name, registered address, contact) in the documentation
• For third-country systems: confirm an importer has cleared the system and can be identified

The verification must occur before each act of making the system available. A distributor who verified a system in Q1 and then continues distributing in Q2 should confirm that the documentation remains current — particularly if the provider has made updates to the system that would require a new conformity assessment or updated DoC.

Art.24(2): Non-Conformity Response and Risk Notification

Non-Conformity Identified Before Making Available:

Where a distributor considers or has reason to consider that a high-risk AI system is not in conformity with the requirements of Chapter III Section 2, the distributor shall not make the system available on the market until it has been brought into conformity.

"Reason to consider" tracks the same threshold as Art.23(2) — below certainty, above mere suspicion. If the distributor finds indicators of non-conformity during their verification (CE marking absent, DoC covers a different system version, instructions incomplete), Art.24(2) requires them to stop distribution. They cannot proceed on the basis that someone earlier in the chain should have caught the problem.

Risk Notification Obligations:

Where the non-conforming system presents a risk within the meaning of Art.79(1) — a system likely to present a risk to health, safety, or fundamental rights — the distributor shall inform the provider or the importer as appropriate. The notification obligation at the distributor level is narrower than at the importer level. Art.23(2) requires the importer to notify the provider, the authorized representative, and the market surveillance authority. Art.24(2) requires the distributor to notify only the provider or importer.

This reflects the distributor's downstream position. The importer is the entity that has already cleared the system through EU market entry. The provider has the technical capability to implement corrective actions. The distributor's role in the risk chain is to stop distribution and trigger a response from those who have the authority and capability to remediate.

Art.24(2) Notification Chain:

The risk notification at the distributor level creates an upward information flow:

• Distributor → Provider (or Importer) notification triggers Art.20 corrective action obligations on the provider
• Provider responds: corrective actions, withdrawal, recall as appropriate under Art.20(1)
• Market surveillance authority involvement follows if corrective actions are insufficient

Art.24(3): Post-Market Obligations and Market Surveillance Cooperation

Cooperation with Market Surveillance Authorities:

Distributors shall, upon request by a national competent authority, provide all the information and documentation in their possession to demonstrate the conformity of the high-risk AI system with the requirements of Chapter III Section 2. The information and documentation must be in a language that can be easily understood by the national competent authority.

This imposes a positive cooperation obligation. Distributors who receive market surveillance requests cannot respond by claiming ignorance of the provider's documentation. They should maintain records of what documentation they received when they acquired the system, who they received it from, and to whom they have made the system available downstream.

Corrective Measures Upon Post-Market Awareness:

Where a distributor considers or has been made aware that a system already made available no longer complies with Chapter III Section 2, the distributor must immediately inform the provider or the importer, work with competent authorities, and take all corrective measures available — including withdrawing the system from the market, recalling it if made available to deployers, or alerting the deployers to whom they have distributed the system.

Backward Traceability Obligations:

Distributors must be able to identify, at the request of market surveillance authorities, the importer from whom they received the high-risk AI system. This backward traceability requirement means distributors must maintain records sufficient to trace each unit of a high-risk AI system back to the supplier from whom they received it. The requirement is not time-limited in Art.24 itself — but the 10-year documentation retention periods in Art.18 and Art.22(4) for providers and authorized representatives respectively provide reference context for what "adequate" records retention means in the AI Act framework.

Art.24(4): Documentation Retention and Record-Keeping

Distributors who make high-risk AI systems available must retain records that enable them to fulfil their Art.24(3) cooperation and traceability obligations. While Art.24 does not specify a retention period as explicitly as Art.18 (10 years for technical documentation) or Art.22(4) (10 years for DoC and notified body certificates), the practice standard in the EU market for supply chain compliance follows the highest applicable retention period — which for AI Act documentation is 10 years from the system's last placement on the market.

Minimum Record-Keeping for Distributors:

• Acquisition records: who supplied the system, when, which version
• Conformity documentation received: CE marking confirmation, DoC, instructions for use
• Distribution records: who received the system downstream, when, which version
• Risk communication records: any Art.24(2) notifications sent to provider or importer

Art.24(5): The Transformation to Provider — The Critical Risk

Art.24(5) is the provision most commonly overlooked by distributors, and the one with the most significant compliance consequences:

Where a distributor:

• Makes a substantial modification to a high-risk AI system already placed on the market or put into service, or
• Changes the intended purpose of a high-risk AI system already placed on the market or put into service

Then the distributor shall be considered to be a provider for the purposes of this Regulation and shall be subject to the obligations of the provider set out in Art.16.

What Constitutes a "Substantial Modification":

The EU AI Act defines substantial modification in Art.3(23) as a change to a high-risk AI system after its placing on the market or putting into service which affects the compliance of the high-risk AI system with the requirements set out in Chapter III Section 2, or which results in a modification to the intended purpose for which the AI system has been assessed.

For distributors, the risk scenarios include:

• Configuration changes that exceed the provider's specified parameters — a distributor that configures an AI hiring tool with screening logic that goes beyond the provider's documented intended purpose has potentially triggered Art.25 transformation
• Fine-tuning or retraining a third-party AI model — even partial fine-tuning can constitute a substantial modification if it changes the system's behavior in ways not covered by the original conformity assessment
• Integration that changes intended purpose — a distributor who takes a medical imaging AI tool and integrates it into a broader diagnostic workflow that changes how the system is used triggers provider obligations if the integration constitutes a new intended purpose
• Bundling with decision logic — adding rule-based decision layers on top of a third-party AI system can constitute modification if the combined output represents a new AI system capability

Transformation Consequences:

A distributor that becomes a provider must:

• Implement a quality management system (Art.17)
• Draw up technical documentation (Art.18)
• Complete a conformity assessment procedure (Art.43)
• Affix CE marking (Art.49)
• Draw up an EU Declaration of Conformity (Art.47)
• Register in the EU database (Art.71)
• Appoint an authorized representative if established outside the EU (Art.22)

These obligations cannot be partially satisfied. A distributor operating under Art.24 has relatively contained obligations. A distributor who has triggered Art.24(5) but continues operating under the Art.24 framework is non-compliant — and exposed to Art.93 penalties that apply to providers.

Art.24 × Art.23: Distributor–Importer Integration in the Supply Chain

Complementary Verification Layers:

Art.23 and Art.24 create a two-stage downstream verification structure. The importer's Art.23(1) verification is comprehensive: it covers the conformity assessment procedure, the technical documentation, the CE marking, the DoC, the instructions, and the authorized representative. The distributor's Art.24(1) verification is narrower: it verifies that the outputs of those checks — the CE marking and required documentation — are still present and current.

This design reflects the EU AI Act's risk allocation logic. The importer is closest to the third-country provider and bears the heaviest pre-placement duties. The distributor is further downstream and bears lighter ongoing verification duties. But "lighter" does not mean "absent."

Risk Notification Chain Differences:

Art.23(2) requires the importer to notify provider + authorized representative + market surveillance authority. Art.24(2) requires the distributor to notify only provider or importer. The distributor's notification reaches back up the chain to the entity with regulatory authority and technical capability, rather than going directly to the supervisory authority — because the importer or provider is already under obligations to notify the authority under Art.23(2) and Art.20.

Traceability Architecture:

Together, Art.23 and Art.24 create a traceable supply chain. The importer records where the system came from (third-country provider) and maintains documentation for 10 years (Art.23(5)). The distributor records where they received the system from (importer or provider) and maintains their own records. A market surveillance authority can request information at any point in the chain and reconstruct the full supply chain path from system to provider.

Art.24 × Art.25: Obligations along AI Value Chains

Art.25 addresses situations where entities in the supply chain take actions that trigger expanded obligations. The key Art.25 scenarios that interact with Art.24:

Art.25(1): Distributor-as-Provider Transformation:

Art.25(1) mirrors Art.24(5) — it covers the same transformation scenario. A distributor that makes a substantial modification or changes the intended purpose is treated as a provider under Art.25(1). Art.24(5) and Art.25(1) operate as overlapping provisions that reinforce the same rule: modification triggers provider obligations.

Art.25(2): Own-Name or Own-Trademark Placement:

A distributor that places a high-risk AI system on the market under its own name or trademark is treated as a provider. This scenario applies to white-labeling and OEM arrangements. A distributor who takes a third-party AI system, removes the provider's branding, and markets it as their own product becomes the provider under the EU AI Act — even if the underlying system was built and assessed by the original manufacturer.

Art.25(3): Significant Change of Intended Purpose:

Even without making technical modifications, a distributor who knowingly allows a system to be used for a significantly changed intended purpose — beyond the scope of the provider's conformity assessment — may trigger provider obligations if the change results in placing what is effectively a new AI system on the market.

Art.24 × Art.47: Declaration of Conformity Verification

The EU Declaration of Conformity (DoC) is the central document in the Art.24(1) verification process. Distributors must verify that the DoC:

Covers the specific system being distributed. The DoC identifies the AI system by name, version, and applicable conformity assessment procedure. A distributor making available a later version of a system should confirm the DoC has been updated to cover that version. Where the provider has issued updated technical documentation under Art.18(3) for a modified system, the DoC should reflect the updated conformity status.

Has been signed by the provider. Art.47(3) requires the DoC to be signed by a person with authority to act on behalf of the provider. The distributor should confirm that a signed version of the DoC is accessible — either provided with the system or accessible via the provider's documentation portal.

Contains the required elements. Art.47(2) specifies the required DoC content: the AI system's identity, the applicable requirements and standards applied, the conformity assessment procedure followed, the notified body involved where applicable, the provider's name and address, and the date and place of issuance. A distributor who receives an incomplete DoC is receiving a non-compliant document — and their Art.24(1) verification has not been satisfied.

Art.24 × Art.93: Penalty Exposure for Distributors

Distributors who violate Art.24 obligations are subject to the penalties in Art.93(3):

Fines up to €15 million or 3% of worldwide annual turnover for violations of obligations applicable to operators (including distributors) under the EU AI Act. Art.93(3)(d) specifically covers violations of the obligations on importers and distributors under Art.23 and Art.24.

Prohibited Practice Violations (Art.93(1)): If a distributor makes available a high-risk AI system that they know constitutes a prohibited AI practice under Art.5 (e.g., manipulation, social scoring, biometric categorization), fines rise to €35 million or 7% of worldwide annual turnover.

Key Penalty Risk Scenarios for Distributors:

• Making available a high-risk system without verifying CE marking — Art.24(1) violation
• Continuing to distribute after identifying non-conformity without stopping — Art.24(2) violation
• Failing to notify provider/importer upon identifying a risk — Art.24(2) violation
• Failing to cooperate with market surveillance authority information requests — Art.24(3) violation
• Triggering Art.24(5) provider transformation but continuing to operate as a distributor — Art.16 provider obligation violations

Proportionality in Enforcement:

Art.93(5) requires competent authorities to apply proportionality criteria when imposing fines: the nature, gravity, duration, intentional or negligent character, actions taken to mitigate harm, degree of responsibility considering technical and organizational measures, and prior violations. A distributor who conducted reasonable Art.24(1) verifications but missed a certification issue may face lighter enforcement than one who knowingly distributed a system flagged for non-conformity.

Python Implementation: DistributorRecord

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
from datetime import date, timedelta


class VerificationStatus(Enum):
    NOT_STARTED = "not_started"
    PASSED = "passed"
    FAILED = "failed"
    PENDING_CLARIFICATION = "pending_clarification"


class RiskNotificationStatus(Enum):
    NOT_REQUIRED = "not_required"
    REQUIRED_PENDING = "required_pending"
    NOTIFIED_PROVIDER = "notified_provider"
    NOTIFIED_IMPORTER = "notified_importer"


@dataclass
class DistributorRecord:
    system_id: str
    system_name: str
    system_version: str
    supplier_name: str  # importer or provider
    supplier_type: str  # "importer" or "provider"
    received_date: date
    ce_marking_present: bool = False
    doc_verified: bool = False
    instructions_available: bool = False
    supplier_compliance_confirmed: bool = False
    verification_status: VerificationStatus = VerificationStatus.NOT_STARTED
    risk_notification_status: RiskNotificationStatus = RiskNotificationStatus.NOT_REQUIRED
    distribution_blocked: bool = False
    downstream_recipients: list[dict] = field(default_factory=list)
    modification_log: list[str] = field(default_factory=list)
    intended_purpose_changes: list[str] = field(default_factory=list)

    def run_pre_availability_check(self) -> dict:
        """Art.24(1): Verify CE marking, DoC, instructions, supplier compliance."""
        checks = {
            "ce_marking_present": self.ce_marking_present,
            "doc_verified": self.doc_verified,
            "instructions_available": self.instructions_available,
            "supplier_compliance_confirmed": self.supplier_compliance_confirmed,
        }
        all_passed = all(checks.values())
        self.verification_status = (
            VerificationStatus.PASSED if all_passed else VerificationStatus.FAILED
        )
        self.distribution_blocked = not all_passed
        return {
            "status": self.verification_status.value,
            "checks": checks,
            "distribution_blocked": self.distribution_blocked,
            "failed_checks": [k for k, v in checks.items() if not v],
        }

    def handle_non_conformity(
        self, issue: str, presents_risk: bool, notified_party: str
    ) -> dict:
        """Art.24(2): Block distribution and notify provider/importer if risk present."""
        self.distribution_blocked = True
        self.modification_log.append(
            f"{date.today()}: Non-conformity identified — {issue}"
        )
        if presents_risk:
            self.risk_notification_status = (
                RiskNotificationStatus.NOTIFIED_PROVIDER
                if notified_party == "provider"
                else RiskNotificationStatus.NOTIFIED_IMPORTER
            )
        return {
            "distribution_blocked": True,
            "risk_notification_required": presents_risk,
            "notification_sent_to": notified_party if presents_risk else None,
            "art24_2_compliant": True,
        }

    def record_downstream_distribution(
        self, recipient_name: str, recipient_type: str, distribution_date: date
    ) -> None:
        """Art.24(3): Traceability record for market surveillance cooperation."""
        self.downstream_recipients.append(
            {
                "recipient": recipient_name,
                "type": recipient_type,  # "deployer" or "distributor"
                "date": str(distribution_date),
                "system_version": self.system_version,
            }
        )

    def assess_provider_transformation_risk(
        self, modification_description: str
    ) -> dict:
        """Art.24(5) + Art.25: Check if modification triggers provider transformation."""
        transformation_indicators = [
            "intended_purpose_change",
            "own_name_trademark",
            "substantial_modification",
            "fine_tuning",
            "retraining",
        ]
        risk_flags = [
            ind for ind in transformation_indicators
            if ind.replace("_", " ") in modification_description.lower()
        ]
        self.modification_log.append(
            f"{date.today()}: Modification assessed — {modification_description}"
        )
        return {
            "transformation_risk": len(risk_flags) > 0,
            "risk_flags": risk_flags,
            "action_required": (
                "Seek legal advice on Art.24(5)/Art.25 provider transformation"
                if risk_flags
                else "Modification appears within distributor scope"
            ),
        }

    def generate_market_surveillance_response(self) -> dict:
        """Art.24(3): Documentation package for market surveillance authority request."""
        return {
            "system_id": self.system_id,
            "system_version": self.system_version,
            "supplier_name": self.supplier_name,
            "supplier_type": self.supplier_type,
            "received_date": str(self.received_date),
            "verification_status": self.verification_status.value,
            "ce_marking_confirmed": self.ce_marking_present,
            "doc_verified": self.doc_verified,
            "downstream_recipients_count": len(self.downstream_recipients),
            "downstream_recipients": self.downstream_recipients,
        }

Art.24 Compliance Checklist for Distributors

Pre-Availability Verification (Art.24(1))

• CE conformity marking present on system or packaging
• EU Declaration of Conformity available and covers the specific system version
• Instructions for use present in required language for target market
• Provider's Art.16 compliance confirmed (quality management system, technical documentation, authorized representative where applicable)
• Importer's Art.23 compliance confirmed (where system entered EU via importer)
• Documentation review completed before each act of making the system available

Non-Conformity Response (Art.24(2))

• Distribution blocked immediately upon identification of non-conformity indicator
• Non-conformity documented with date, nature, and identified gap
• Provider or importer notified where system presents risk under Art.79(1)
• Distribution blocked until conformity restored

Market Surveillance Cooperation (Art.24(3))

• Acquisition records maintained: supplier identity, supply date, system version
• Conformity documentation file: CE marking confirmation, DoC copy, instructions
• Downstream distribution records: each recipient, distribution date, system version
• Ability to provide complete package to national competent authority upon request

Provider Transformation Assessment (Art.24(5) / Art.25)

• Any system modifications assessed against "substantial modification" threshold
• Intended purpose changes documented and assessed against conformity assessment scope
• Own-name or own-trademark placement scenarios flagged for Art.25(2) review
• Legal review obtained before making technical changes or purpose changes to any high-risk AI system

Post-Market Obligations

• Procedures in place to receive and act on non-conformity alerts from downstream deployers
• Process to implement corrective measures (withdrawal, recall) for systems already made available
• Backward traceability: can identify importer/provider for each system unit distributed

Supply Chain Liability Summary: Art.23 vs Art.24

Distributors sit at the intersection of provider-chain accountability and deployer-chain risk management. Art.24 creates enough substantive obligation that distribution cannot be treated as compliance-neutral — particularly for the Art.24(5) transformation risk, which is the provision most capable of converting a distributorship into full provider exposure across an entire portfolio of distributed AI systems.