EU AI Act Art.54: Authorised Representatives for Non-EU GPAI Model Providers — Mandate, Commission Notification, and AI Office Cooperation (2026)
Art.53 establishes the enhanced obligations — adversarial testing, incident reporting, cybersecurity, energy efficiency — that apply to all GPAI model providers with systemic risk, regardless of where they are established. Article 54 adds a fourth structural requirement that applies exclusively to the subset of systemic risk providers established outside the European Union: the obligation to appoint an EU Authorised Representative before placing the model on the EU market.
Art.54 is the jurisdictional gateway rule for non-EU frontier AI. If you are a GPAI model provider established in the United States, the United Kingdom, Canada, or any third country, and your model crosses the Art.51 systemic risk threshold, Art.54 requires you to establish an EU legal presence — through an Authorised Representative — before your model is available on the EU market. The mechanism mirrors the GDPR Art.27 representative obligation and EU product safety law: where a non-EU entity creates legal exposure in the EU market, a designated EU-established point of contact must exist.
Art.54 became applicable on 2 August 2025 as part of Chapter V of the EU AI Act (Regulation (EU) 2024/1689). Its interaction with Art.53's ongoing operational obligations creates a sustained compliance structure: the Authorised Representative is not a one-time appointment but a continuously active compliance channel that must function across the entire duration of the model's market presence.
Art.54 in the Chapter V GPAI Obligation Cascade
Art.54 sits as the fourth article of Chapter V, applied after the systemic risk classification and obligation framework is established by Art.51-53:
| Article | Title | Applies To |
|---|---|---|
| Art.51 | Systemic risk classification | All GPAI providers (EU + non-EU) |
| Art.52 | Baseline GPAI obligations | All GPAI providers (EU + non-EU) |
| Art.53 | Enhanced systemic risk obligations | All systemic risk providers (EU + non-EU) |
| Art.54 | Authorised Representative appointment | Non-EU systemic risk providers only |
For EU-established systemic risk GPAI providers — those incorporated under EU member state law — Art.54 does not apply. They are already legally present in the EU and subject to direct AI Office jurisdiction. The obligation falls exclusively on providers that lack an EU establishment and therefore need a structural mechanism to ensure regulatory reachability.
Art.54 is cumulative with Art.53. A non-EU systemic risk GPAI provider must comply with all of Art.52, all of Art.53, and additionally Art.54. The Authorised Representative appointment does not replace or satisfy any Art.53 obligation — it adds a jurisdictional access mechanism to an already-demanding compliance regime.
Art.54(1): The Core Appointment Obligation
Art.54(1) states the fundamental requirement:
"Providers of general-purpose AI models with systemic risk that are established in third countries shall, by written mandate, appoint an authorised representative established in the Union."
Three elements define the obligation:
Third-country establishment. Art.54 applies to providers established in countries outside the European Union. EU member state incorporation — even if a company has US parent shareholders — places the provider under direct AI Office jurisdiction and outside Art.54's scope. The determining factor is the provider's own legal establishment, not its ownership structure.
Written mandate. The appointment must be formalised through a written mandate — not an informal arrangement, not a policy reference in terms of service, not an implied designation. The written mandate is the legal instrument that defines the scope of the Authorised Representative's authority and triggers the cooperation obligations that follow.
Authorised Representative establishment in the Union. The Representative must itself be established in a member state of the European Union. A UK entity, a Swiss entity, or a US entity with European offices does not satisfy Art.54. The Representative must be incorporated or otherwise legally established within EU territory.
Timing. Art.54(1) requires appointment before placing the model on the EU market. This is a pre-market obligation: a non-EU provider that makes a systemic risk GPAI model available to EU users or businesses without a compliant Authorised Representative in place is in breach of Art.54 from the moment of market entry.
Art.54(2): Mandate Scope and Representative Functions
Art.54(2) specifies what the written mandate must cover. The Authorised Representative, acting under the mandate, must be authorised to:
"act on behalf of the provider as regards obligations under this Regulation and be available to cooperate with the AI Office and national competent authorities"
The mandate must therefore cover two functions:
Acting on the provider's behalf. The Representative is not merely a postal address or a registered contact point. They are authorised to act — to receive regulatory communications, respond to AI Office requests, represent the provider in cooperation procedures, and take actions on the provider's behalf in regulatory contexts. The mandate must confer sufficient authority for these actions to bind the provider.
Cooperation availability. The Representative must be genuinely available to cooperate with the AI Office and with national competent authorities in member states. This is an operational requirement, not just a structural one: the Representative must have the internal capacity to respond to information requests, participate in evaluations, and maintain communication channels with regulatory bodies.
Mandate content in practice. A compliant written mandate typically specifies:
| Mandate Element | Content |
|---|---|
| Identity | Legal name and establishment address of both provider and representative |
| Scope of authority | Specific regulatory acts the representative is authorised to perform |
| Communication protocol | How the provider will inform the representative of regulatory developments |
| Response timeline | Agreed timescales for representative responses to regulatory requests |
| Confidentiality arrangements | Handling of proprietary information disclosed in cooperation procedures |
| Duration | Term of appointment and renewal or termination provisions |
| Governing law | Which member state's law governs the mandate relationship |
The mandate is a legal instrument with regulatory consequence: a defective mandate — one that lacks the necessary authority or contains scope limitations that prevent the Representative from cooperating effectively — is equivalent to no mandate at all.
Art.54(3): Commission Notification Obligation
Art.54(3) adds a notification obligation that makes the appointment visible to EU regulators:
"Providers shall communicate the name, address and contact details of the authorised representative to the Commission and to the AI Office."
What must be notified:
- Name of the Authorised Representative (legal entity name)
- Address (EU establishment address)
- Contact details (sufficient for regulatory communication)
Notification recipients:
- The European Commission
- The European AI Office (established under Art.88 of the EU AI Act)
Timing. Art.54(3) links the notification to the appointment itself: the communication should accompany or immediately follow the mandate execution, prior to EU market entry. Regulatory visibility is part of the obligation structure, not an optional disclosure.
Purpose. The Commission notification creates a registry function: the AI Office can identify who is responsible for Art.53 cooperation obligations for each non-EU systemic risk model. This is operationally important for Art.55's investigation and enforcement powers — without knowing the Authorised Representative's identity, the AI Office cannot enforce the Art.53 cooperation obligations that the Representative must facilitate.
Art.54 and the Art.53 Cooperation Interface
Art.54 does not create new substantive obligations — it operationalises the Art.53 obligations for the non-EU context. The connection is direct:
Under Art.53, systemic risk GPAI providers must:
- Submit to AI Office adversarial testing evaluations (Art.53(1)(a))
- Report serious incidents to the AI Office (Art.53(1)(b))
- Cooperate with AI Office information requests
For a non-EU provider, these obligations require a legally capable EU interlocutor. The Art.54 Authorised Representative serves this function. When the AI Office issues an information request under Art.55, it is the Representative who receives and must respond to that request on the provider's behalf.
Joint responsibility. The Authorised Representative's mandate creates a form of joint responsibility: by accepting the mandate, the Representative assumes obligations toward EU regulators. This means the Representative must understand the provider's model, its systemic risk profile, its Art.53 compliance programs, and the status of any ongoing AI Office inquiries. A Representative who accepts the mandate but lacks this operational knowledge cannot fulfil the cooperation function.
Practical cooperation flow:
Non-EU Provider (e.g., US AI lab)
↓ written mandate
EU Authorised Representative
↓ receives
AI Office information request (Art.55)
↓ coordinates
Provider → Representative → AI Office response
↓ or in enforcement context
AI Office → Representative → Provider notification
The Representative is both a channel and a responsible party in this flow. They cannot act as a pure pass-through: the mandate structure requires that they are capable of cooperative engagement, not just message forwarding.
The GDPR Art.27 Analogy
Art.54's structure deliberately mirrors the GDPR Art.27 representative mechanism. The parallels are instructive:
| Dimension | GDPR Art.27 | EU AI Act Art.54 |
|---|---|---|
| Trigger | Non-EU controllers/processors targeting EU individuals | Non-EU GPAI providers with systemic risk on EU market |
| Mechanism | Written mandate to EU-established representative | Written mandate to EU-established authorised representative |
| Notification | Must be designated in privacy policy and communicated to supervisory authorities on request | Must be communicated to Commission and AI Office |
| Cooperation | Must cooperate with supervisory authorities | Must cooperate with AI Office and national competent authorities |
| Liability | Representative does not exempt controller from GDPR liability | Representative does not exempt provider from Art.53 obligations |
| Sanctions | Failure is independent GDPR infringement | Failure is independent AI Act infringement |
The analogy is not accidental: EU product and data governance law consistently uses the representative mechanism to extend regulatory jurisdiction to non-EU entities operating in the single market. Art.54 applies this established legislative technique to frontier AI.
The key parallel. Under GDPR Art.27, appointing a representative does not substitute for GDPR compliance — it is an addition to it. The representative cannot be used as a liability shield. The same logic applies to Art.54: the Authorised Representative appointment does not reduce the non-EU provider's Art.53 obligations. It makes those obligations enforceable.
CLOUD Act Jurisdiction Risk for Art.54 Mandate Records
For non-EU providers appointing Authorised Representatives — particularly US-incorporated AI laboratories — there is a CLOUD Act dimension that deserves attention.
The written mandate itself is a legal document. Cooperation correspondence between the non-EU provider and the Authorised Representative — including AI Office communications relayed through the Representative, adversarial testing findings shared with the Representative, serious incident reports in draft or final form — may be stored on systems subject to US government compelled access under the CLOUD Act (Clarifying Lawful Overseas Use of Data Act, 18 U.S.C. § 2713).
The structural risk. If the non-EU provider stores its Art.53 compliance records, adversarial testing documentation, and Art.54 mandate records on US cloud infrastructure operated by a US-incorporated cloud provider, those records are potentially subject to CLOUD Act orders regardless of whether they are physically stored in EU datacentres. The provider's AI Act compliance program creates a corpus of sensitive documentation — model capabilities, vulnerability assessments, incident reports — that CLOUD Act exposure puts outside the provider's unilateral control.
For the EU Authorised Representative, this exposure is different but real. If the Representative's communications with the non-EU provider are stored on US-incorporated service providers' infrastructure, correspondence about AI Office cooperation — including pre-disclosure strategy, incident classification decisions, and testing remediation plans — is potentially subject to non-EU government access.
Mitigation architecture. Representative and compliance correspondence should be maintained on EU-incorporated infrastructure with no US parent entity CLOUD Act obligations. Mandate documents, AI Office correspondence, Art.53 program documentation, and cooperation records are compliance-sensitive materials that warrant EU-jurisdiction storage by default.
For EU providers — including EU-native PaaS operators such as sota.io — this jurisdiction exposure is absent by structural design. EU incorporation and EU-resident infrastructure eliminate the CLOUD Act access vector for compliance documentation. This is not a marketing claim but a structural consequence of EU legal establishment: the compliance records of an EU-incorporated provider are not subject to US government compelled access through the CLOUD Act.
Art.54 Decision Tree: Do You Need an Authorised Representative?
Is your GPAI model available to users or businesses in the EU?
│
├── NO → Art.54 does not apply (no EU market presence)
│
└── YES
│
Is your company legally established in an EU member state?
│
├── YES → Art.54 does not apply (direct AI Office jurisdiction)
│
└── NO (third-country establishment)
│
Does your model cross the Art.51 systemic risk threshold?
(cumulative training compute > 10²⁵ FLOPs, or Commission decision)
│
├── NO → Art.54 does not apply (baseline Art.52 applies but not Art.53-54)
│
└── YES
│
Art.54 applies. You must:
1. Appoint an EU-established Authorised Representative by written mandate
2. Ensure mandate covers acting on provider's behalf + cooperation availability
3. Notify Commission and AI Office of representative's name, address, contacts
4. Maintain representative availability for ongoing Art.53 cooperation
Edge case: EU subsidiaries. A non-EU parent with an EU subsidiary does not automatically satisfy Art.54. The question is whether the subsidiary has the mandate and authority to act as Authorised Representative under Art.54(1) and (2). An EU subsidiary that is merely a commercial entity, without the written mandate scope required by Art.54(2), does not satisfy the obligation. The written mandate requirement must be explicitly satisfied regardless of corporate group structure.
Edge case: API access only. A non-EU GPAI provider that provides API access to EU customers without a physical EU presence is still placing the model on the EU market within the meaning of the EU AI Act. API availability to EU persons constitutes market placement; Art.54 applies to the API-access model just as to models deployed through physical infrastructure.
Edge case: Open-source systemic risk models. Art.52(2) provides that open-source GPAI models with publicly available weights may have certain documentation obligations reduced. However, the systemic risk classification under Art.51 remains based on the model's training compute — not its openness. A genuinely open-source systemic risk model from a non-EU provider still triggers Art.54 to the extent Art.53 applies to that model. The open-source condition does not create an Art.54 exemption.
Python Implementation: Authorised Representative Management
The following implementation provides structured tracking for Art.54 mandate and notification compliance:
from dataclasses import dataclass, field
from datetime import date, datetime
from enum import Enum
from typing import Optional
import uuid
class MandateStatus(Enum):
DRAFT = "draft"
EXECUTED = "executed"
NOTIFIED_COMMISSION = "notified_commission"
NOTIFIED_AI_OFFICE = "notified_ai_office"
FULLY_COMPLIANT = "fully_compliant"
EXPIRED = "expired"
TERMINATED = "terminated"
class CooperationRequestType(Enum):
INFORMATION_REQUEST = "information_request"
EVALUATION_COOPERATION = "evaluation_cooperation"
INCIDENT_INQUIRY = "incident_inquiry"
DOCUMENT_REQUEST = "document_request"
MEETING_REQUEST = "meeting_request"
@dataclass
class AuthorisedRepresentativeMandate:
"""Art.54(1)-(2): Written mandate record."""
mandate_id: str = field(default_factory=lambda: str(uuid.uuid4()))
# Provider details (Art.54(1))
provider_name: str = ""
provider_country: str = "" # must be non-EU
provider_contact: str = ""
# Representative details (Art.54(1))
representative_name: str = ""
representative_eu_member_state: str = "" # must be EU member state
representative_address: str = ""
representative_contact_email: str = ""
representative_contact_phone: str = ""
# Mandate scope (Art.54(2))
authority_to_act_on_behalf: bool = False # must be True for compliance
cooperation_availability: bool = False # must be True for compliance
mandate_scope_description: str = ""
communication_protocol: str = ""
response_timeline_days: int = 5
# Mandate lifecycle
execution_date: Optional[date] = None
expiry_date: Optional[date] = None
governing_law_member_state: str = ""
status: MandateStatus = MandateStatus.DRAFT
# Art.54(3) notification tracking
commission_notified: bool = False
commission_notification_date: Optional[date] = None
ai_office_notified: bool = False
ai_office_notification_date: Optional[date] = None
# GPAI model reference
model_name: str = ""
model_version: str = ""
def mandate_compliant(self) -> bool:
"""Check Art.54(1)-(2) mandate requirements."""
return (
bool(self.representative_eu_member_state) and
bool(self.execution_date) and
self.authority_to_act_on_behalf and
self.cooperation_availability and
self.status not in (MandateStatus.EXPIRED, MandateStatus.TERMINATED)
)
def notification_compliant(self) -> bool:
"""Check Art.54(3) notification requirements."""
return self.commission_notified and self.ai_office_notified
def art_54_compliant(self) -> bool:
"""Full Art.54 compliance check."""
return self.mandate_compliant() and self.notification_compliant()
def days_until_expiry(self) -> Optional[int]:
if not self.expiry_date:
return None
return (self.expiry_date - date.today()).days
def compliance_gaps(self) -> list[str]:
gaps = []
if not self.representative_eu_member_state:
gaps.append("Representative EU establishment not confirmed")
if not self.execution_date:
gaps.append("Written mandate not executed")
if not self.authority_to_act_on_behalf:
gaps.append("Mandate missing authority to act on provider's behalf")
if not self.cooperation_availability:
gaps.append("Mandate missing cooperation availability confirmation")
if not self.commission_notified:
gaps.append("Commission not notified (Art.54(3))")
if not self.ai_office_notified:
gaps.append("AI Office not notified (Art.54(3))")
if self.expiry_date and self.days_until_expiry() < 90:
gaps.append(f"Mandate expiring in {self.days_until_expiry()} days — renewal required")
return gaps
@dataclass
class CooperationRequest:
"""Tracks AI Office or national authority cooperation requests."""
request_id: str = field(default_factory=lambda: str(uuid.uuid4()))
request_type: CooperationRequestType = CooperationRequestType.INFORMATION_REQUEST
requesting_authority: str = "" # "AI Office" or member state authority
received_date: date = field(default_factory=date.today)
due_date: Optional[date] = None
description: str = ""
# Response tracking
acknowledged: bool = False
acknowledgement_date: Optional[date] = None
response_submitted: bool = False
response_date: Optional[date] = None
response_summary: str = ""
# Provider coordination
provider_informed: bool = False
provider_informed_date: Optional[date] = None
def days_until_due(self) -> Optional[int]:
if not self.due_date:
return None
return (self.due_date - date.today()).days
def is_overdue(self) -> bool:
if not self.due_date:
return False
return date.today() > self.due_date and not self.response_submitted
def is_acknowledged_timely(self, acknowledgement_window_days: int = 2) -> Optional[bool]:
if not self.acknowledged or not self.acknowledgement_date:
return None
return (self.acknowledgement_date - self.received_date).days <= acknowledgement_window_days
class Art54ComplianceManager:
"""Art.54 Authorised Representative compliance management."""
def __init__(self, mandate: AuthorisedRepresentativeMandate):
self.mandate = mandate
self.cooperation_requests: list[CooperationRequest] = []
def register_cooperation_request(self, request: CooperationRequest) -> str:
self.cooperation_requests.append(request)
return request.request_id
def pending_requests(self) -> list[CooperationRequest]:
return [r for r in self.cooperation_requests if not r.response_submitted]
def overdue_requests(self) -> list[CooperationRequest]:
return [r for r in self.cooperation_requests if r.is_overdue()]
def requests_without_provider_notification(self) -> list[CooperationRequest]:
return [r for r in self.cooperation_requests if not r.provider_informed]
def notify_commission(self, notification_date: date = None) -> None:
self.mandate.commission_notified = True
self.mandate.commission_notification_date = notification_date or date.today()
if self.mandate.ai_office_notified:
self.mandate.status = MandateStatus.FULLY_COMPLIANT
else:
self.mandate.status = MandateStatus.NOTIFIED_COMMISSION
def notify_ai_office(self, notification_date: date = None) -> None:
self.mandate.ai_office_notified = True
self.mandate.ai_office_notification_date = notification_date or date.today()
if self.mandate.commission_notified:
self.mandate.status = MandateStatus.FULLY_COMPLIANT
else:
self.mandate.status = MandateStatus.NOTIFIED_AI_OFFICE
def compliance_report(self) -> dict:
return {
"mandate": {
"mandate_id": self.mandate.mandate_id,
"model": f"{self.mandate.model_name} v{self.mandate.model_version}",
"representative": self.mandate.representative_name,
"member_state": self.mandate.representative_eu_member_state,
"status": self.mandate.status.value,
},
"art_54_1_2_mandate": {
"compliant": self.mandate.mandate_compliant(),
"gaps": self.mandate.compliance_gaps(),
},
"art_54_3_notification": {
"commission_notified": self.mandate.commission_notified,
"ai_office_notified": self.mandate.ai_office_notified,
"notification_compliant": self.mandate.notification_compliant(),
},
"full_art_54_compliant": self.mandate.art_54_compliant(),
"cooperation_status": {
"pending_requests": len(self.pending_requests()),
"overdue_requests": len(self.overdue_requests()),
"requests_needing_provider_notification": len(
self.requests_without_provider_notification()
),
},
}
Art.54 Compliance Checklist
| # | Requirement | Art.54 Reference | Implementation |
|---|---|---|---|
| 1 | Confirm third-country establishment triggers Art.54 | Art.54(1) | Legal assessment of provider's EU establishment status |
| 2 | Confirm model crosses Art.51 systemic risk threshold | Art.51 | FLOPs calculation or Commission decision |
| 3 | Identify candidate EU Authorised Representatives | Art.54(1) | Legal entities established in EU member states |
| 4 | Execute written mandate with sufficient authority scope | Art.54(1)-(2) | Mandate document with acting-on-behalf + cooperation terms |
| 5 | Ensure mandate grants authority to act on provider's behalf | Art.54(2) | Explicit authority clause in mandate document |
| 6 | Ensure mandate guarantees representative cooperation availability | Art.54(2) | SLA-equivalent response commitment in mandate |
| 7 | Define communication protocol between provider and representative | Art.54(2) | Bilateral communication procedure in mandate |
| 8 | Notify Commission of representative name, address, contacts | Art.54(3) | Formal written notification to Commission |
| 9 | Notify AI Office of representative name, address, contacts | Art.54(3) | Formal written notification to AI Office |
| 10 | Establish mandate pre-market entry (before EU market placement) | Art.54(1) | Pre-launch compliance gate: mandate + notification complete |
| 11 | Brief representative on Art.53 compliance programs | Art.54(2) + Art.53 | Technical briefings on adversarial testing, incident reporting, cybersecurity |
| 12 | Establish cooperation request tracking between representative and provider | Art.54(2) | Shared system or protocol for AI Office requests |
| 13 | Monitor mandate expiry and initiate renewal before expiry | Art.54(1) | Calendar alerts ≥90 days before expiry; renewal mandate pre-signed |
| 14 | Update Commission and AI Office notification on representative change | Art.54(3) | Notification protocol for any change in representative identity |
| 15 | Maintain mandate documentation in EU-jurisdiction storage | Best practice | Mandate + correspondence on EU-incorporated infrastructure |
Interaction with Art.52 and Art.53
Art.54 does not create substantive compliance obligations of its own — it creates the institutional precondition for Art.53 obligations to be enforceable in the non-EU context. The interaction works as follows:
Art.52 obligations require technical documentation, downstream information, and copyright compliance — obligations fulfilled before or at model launch. The Authorised Representative may receive regulatory requests related to these documentation sets.
Art.53 obligations require ongoing adversarial testing, incident reporting, cybersecurity controls, and energy efficiency documentation — obligations that run continuously after launch. The Authorised Representative is the AI Office's point of contact for these ongoing obligations. When the AI Office requests cooperation on adversarial testing evaluation (Art.53(1)(a)), or follows up on a serious incident report (Art.53(1)(b)), it communicates with the Representative acting under the Art.54 mandate.
The compliance chain for non-EU systemic risk providers:
Art.51 → Systemic risk classification
Art.52 → Documentation and transparency obligations
Art.53 → Enhanced operational obligations (adversarial testing, incidents, cybersecurity)
Art.54 → EU point of contact for enforcement of Art.52-53
For EU-established systemic risk providers, this chain ends at Art.53: the AI Office has direct jurisdiction. For non-EU providers, Art.54 closes the jurisdictional gap.
See Also
- EU AI Act Art.53: Additional Obligations for Providers of GPAI Models with Systemic Risk — Adversarial Testing, Incident Reporting, and Cybersecurity
- EU AI Act Art.52: Obligations for Providers of GPAI Models — Documentation, Copyright, Transparency
- EU AI Act Art.51: Classification of GPAI Models with Systemic Risk — The 10²⁵ FLOPs Threshold
- EU AI Act Art.50: Transparency Obligations — Chatbot Disclosure and AI-Generated Content Labeling