2026-04-25·14 min read·sota.io team

EU AI Act Art.75: Mutual Assistance Between Market Surveillance Authorities and GPAI Model Supervision — NCA Cross-Border Cooperation Framework (2026)

EU AI Act Article 75 serves a dual function that is easy to miss when reading the Act sequentially after Art.74: it is simultaneously the mutual assistance mechanism for cross-border market surveillance coordination between national competent authorities (NCAs) acting as market surveillance authorities (MSAs), and the supervisory framework governing AI Office oversight of general-purpose AI (GPAI) models embedded in high-risk AI systems under investigation.

The dual structure of Art.75 reflects a structural challenge at the core of the EU AI Act's enforcement architecture. High-risk AI systems are frequently deployed across multiple Member States, but each MSA has jurisdiction only within its own territory. Separately, high-risk AI systems are increasingly built on GPAI model components developed and hosted by providers over whom national MSAs have limited direct jurisdiction — but over whom the AI Office has primary authority under Chapter V. Art.75 is the procedural bridge that connects these jurisdictional realities to enforcement outcomes.

For developers and compliance teams, Art.75 has two distinct sets of practical implications depending on what you build. If you are a high-risk AI system provider deploying across multiple EU Member States, Art.75 governs how MSAs from different Member States coordinate investigations of your system — who leads, who assists, what information must be produced to each authority. If you are a GPAI model provider whose model is embedded in high-risk AI systems, Art.75 governs how the AI Office accesses your model for evaluation during investigations of downstream high-risk applications — even investigations your organisation did not initiate.

Art.75 in the Post-Deployment Enforcement Architecture

Art.75 sits between Art.74 (MSA powers over high-risk AI systems) and Art.76 (supervision of real-world testing involving vulnerable groups) in the Chapter VIII post-deployment framework. Its position in the enforcement chain is:

Article	Role in Enforcement Chain	Art.75 Interface
Art.58	NCA investigative powers (general)	Art.75 mutual assistance is the cross-border exercise of Art.58 powers
Art.62	AI Office enforcement powers (GPAI)	Art.75 coordinates Art.62 AI Office powers into MSA-led investigations
Art.64	Access to data and documentation	Art.75 mutual assistance enables joint documentary checks across jurisdictions
Art.65	Serious incident reporting	Art.75 investigations may be triggered when Art.65 incidents cross Member State lines
Art.66	Market surveillance information exchange	Art.75 mutual assistance requests are formalised through Art.66 RAPEX/ICSMS channels
Art.74	Market surveillance of high-risk AI systems	Art.75 is the cross-border extension of the Art.74 investigation framework
Art.75	Mutual assistance + GPAI supervision	This guide
Art.76	Real-world testing supervision	Art.76 testing involving vulnerable groups triggers Art.75 coordination where cross-border
Art.91	AI Office inspection powers	Art.91 inspections of GPAI providers are conducted within the Art.75 supervisory framework

Art.75(1): The Mutual Assistance Framework

Art.75(1) establishes the foundational obligation: market surveillance authorities shall cooperate with each other and provide mutual assistance where necessary for the purpose of this Regulation. The cooperation obligation is not merely aspirational — it creates a procedural framework within which cross-border investigations must operate.

What mutual assistance covers. The Art.75(1) cooperation obligation encompasses:

Information requests: An MSA in Member State A may formally request that the MSA in Member State B provide information about a provider established in B's territory whose high-risk AI system is deployed in A.
Inspection assistance: Where an on-site investigation requires access to premises in another Member State, the requesting MSA coordinates with the host-country MSA under Art.75. The host-country MSA may conduct the inspection on behalf of the requesting MSA, or accompany it.
Joint investigations: Where a high-risk AI system is deployed across multiple Member States and the same compliance concerns arise simultaneously, MSAs may coordinate parallel investigations or designate a lead MSA under Art.75.
Enforcement coordination: Where an MSA in Member State A takes a corrective measure against a provider based in Member State B, Art.75 provides the communication channel through which Member State B's MSA is notified of the measure and its rationale.

Relationship to Art.66. Mutual assistance under Art.75 uses the same information exchange infrastructure as Art.66 (RAPEX/ICSMS). Formal mutual assistance requests are communicated through the single contact points designated by each Member State under Art.57(7). The Art.66 RAPEX notifications handle urgency escalation; Art.75 mutual assistance handles the lower-level coordination of non-urgent cross-border investigations.

The requesting MSA's role. When an MSA sends a mutual assistance request under Art.75, it must:

Identify the specific information needed, the legal basis (including the Art.74 powers being exercised), and the investigation to which the request relates
Specify a reasonable response deadline (typically 30 days for routine requests; shorter for urgent investigations)
Justify why the information cannot be obtained through direct means available to the requesting MSA

The requested MSA's obligations. The host-country MSA receiving a mutual assistance request must:

Provide the requested information within the agreed timeframe if it is available and lawfully obtainable
Conduct requested inspections within a reasonable period
Inform the requesting MSA if it cannot comply, with reasons
Maintain confidentiality of information received at least at the same level as would apply in the requesting MSA's jurisdiction

Art.75(2): Grounds for Declining Mutual Assistance

Art.75(2) limits the obligation to cooperate to avoid transforming mutual assistance into a mechanism for circumventing national procedural protections. A requested MSA may decline a mutual assistance request where:

Complying would be contrary to the host Member State's legal system or fundamental rights obligations
The same matter is already subject to proceedings in the host Member State's courts
The investigation in the requesting Member State has been concluded or abandoned

Significance for developers. Art.75(2) is the provision that creates procedural unpredictability for providers facing cross-border investigations. A provider established in a Member State whose legal system provides strong procedural protections (for example, robust administrative hearing rights before inspection access is granted) cannot rely on those protections preventing an investigation — but those protections do affect the pace and modality of the investigation when conducted through mutual assistance.

The key practical point: where a provider has a principal establishment in a Member State with robust procedural protections and deploys systems cross-border, the Art.75(2) grounds for declining can create asymmetries between MSAs' timelines. Compliance infrastructure that anticipates mutual assistance requests — centralised documentation, designated contacts in each Member State, clear escalation protocols — reduces the variables.

Art.75(3)-(4): AI Office Coordination for GPAI Components

Art.75(3) and (4) address the structural challenge that arises when a high-risk AI system under MSA investigation incorporates a GPAI model. The MSA has jurisdiction over the high-risk AI system (Art.74); the AI Office has jurisdiction over the GPAI model itself (Chapter V, Art.55, Art.62). Art.75(3)-(4) creates the coordination bridge.

Art.75(3): MSA-to-AI Office referral. Where an MSA conducting a market surveillance investigation of a high-risk AI system identifies that a GPAI component may be responsible for the non-compliance or risk at issue, the MSA shall inform the AI Office. The AI Office then determines whether:

The issue is attributable to the GPAI model itself (triggering AI Office's Chapter V powers over the GPAI provider)
The issue is attributable to the way the GPAI model was integrated into the high-risk system (remaining within MSA jurisdiction under Art.74)
Both apply, requiring joint MSA-AI Office investigation

Art.75(4): AI Office coordination in practice. Where the AI Office takes up a referral from an MSA under Art.75(3), it coordinates with the referring MSA to:

Avoid duplication of investigation activities
Establish information-sharing protocols between the MSA and AI Office
Designate a lead authority for specific enforcement actions
Ensure that the GPAI model provider is not subjected to conflicting demands from the MSA (regarding the high-risk system) and the AI Office (regarding the GPAI model)

For GPAI model providers, Art.75(4) coordination means that an enforcement action that began as an MSA investigation of a downstream high-risk AI system can draw in the GPAI provider through AI Office engagement — even though the GPAI provider had no notice of the original MSA investigation and no direct relationship with the MSA.

GPAI Model Provider Documentation Obligations. The Art.75(3)-(4) framework makes certain documentation obligations at the GPAI model level directly relevant to MSA-led investigations:

GPAI Provider Obligation	Relevance to Art.75 Investigation
Art.53(1)(a): Technical documentation	AI Office requests this documentation in Art.75(3) referrals to assess GPAI model responsibility
Art.53(1)(b): Copyright compliance	May be relevant if non-compliance in downstream system relates to GPAI output generation
Art.53(1)(c): Post-market monitoring (GPAI)	AI Office evaluates whether GPAI monitoring detected the issue that triggered MSA investigation
Art.55: Systemic risk evaluation	Where Art.75(3) referral involves a model with systemic risk characteristics, Art.55 evaluation may be initiated in parallel
Art.62: AI Office corrective measures	Art.75(4) coordination may result in Art.62 corrective measure against GPAI provider, separate from any MSA measure against high-risk system provider

Art.75(5): Scientific Panel Referral for GPAI Model Assessment

Art.75(5) connects the mutual assistance and GPAI supervision functions of Art.75 to the Scientific Panel of Independent Experts established under Art.61. Where the AI Office, in the course of Art.75(3)-(4) coordination, identifies questions about a GPAI model's systemic risk characteristics that require independent scientific assessment, it may refer those questions to the Scientific Panel.

When Scientific Panel referral occurs. The referral mechanism under Art.75(5) is activated when:

The AI Office cannot conclusively determine whether a GPAI model contributes systemic risk based on available documentation
Technical evaluation of the GPAI model requires expertise beyond the AI Office's standing capacity
The GPAI provider disputes the AI Office's preliminary assessment of systemic risk
Consistency with prior GPAI model evaluations requires Panel input to establish precedent

Timeline implications. Scientific Panel referral under Art.75(5) extends the investigation timeline. The Panel operates on its own procedures (established under Art.61(5)) and produces opinions, not binding determinations. However, the AI Office gives significant weight to Panel opinions, and Panel findings of systemic risk trigger the Art.55 evaluation pathway.

For developers building on GPAI model APIs. The Art.75(5) pathway creates an indirect risk: if the GPAI model you build on is referred to the Scientific Panel, the resulting evaluation process may take months, during which uncertainty about the GPAI model's regulatory status affects your own system's compliance posture. Contractual due diligence with GPAI providers — covering model stability guarantees, notification obligations in case of AI Office investigation, and access continuity commitments — is warranted.

Art.75(6): Enforcement Measures Following Art.75 Proceedings

Art.75(6) closes the Art.75 loop by establishing what enforcement measures can result from mutual assistance proceedings and GPAI model investigations. The measures available include:

For high-risk AI systems (following cross-border MSA coordination):

Joint corrective measures taken simultaneously by MSAs in all affected Member States
Designation of a lead MSA to take a measure with recognition effect in other Member States
Market withdrawal in all Member States where the system is deployed, coordinated through Art.66 RAPEX
Prohibition on making the system available in specific Member States pending investigation completion

For GPAI models (following Art.75(3)-(4) AI Office coordination):

AI Office corrective measure under Art.62 directed at the GPAI provider
Modification or withdrawal of the GPAI model from the market
Restriction on GPAI model deployment in high-risk AI system contexts
Mandatory red-teaming, evaluation, or documentation update obligations

Relationship to Art.67 (Union Safeguard Procedure). Where a coordinated Art.75 measure involves a provider challenging the basis for the measure, the Art.67 Union Safeguard Procedure provides the mechanism for Commission review. Art.67 applies equally to measures taken following Art.75 cross-border coordination as it does to unilateral Art.74 measures.

CLOUD Act Implications for Art.75 Cross-Border Data Requests

Art.75 mutual assistance creates a specific CLOUD Act exposure scenario that Art.74 national market surveillance does not. Where an MSA requests technical documentation, model access, or operational data from a provider established in another Member State, and that provider's infrastructure is hosted on US cloud services subject to the Clarifying Lawful Overseas Use of Data (CLOUD) Act, a three-way jurisdictional conflict can emerge:

Scenario	EU Obligation	US CLOUD Act	Conflict
MSA requests model weights stored on US cloud	Provider must produce to MSA under Art.75	US government can compel same provider to produce under CLOUD Act	Same data subject to two sovereign access regimes simultaneously
AI Office requests GPAI model documentation hosted on AWS/Azure	GPAI provider must comply under Art.75(4) coordination	CLOUD Act exposure for GPAI model provider to US DOJ demand	Documentation produced to EU authority simultaneously accessible to US authority
MSA requests operational logs stored cross-border	Host-country MSA assists under Art.75(1)	If logs on US infrastructure, CLOUD Act applies regardless of where data "is"	EU mutual assistance and US compelled disclosure occur in parallel
Cross-border investigation of GPAI model weights in US jurisdiction	AI Office + requesting MSA joint demand	CLOUD Act bilateral executive agreement (US-EU MLAT) governs priority	No definitive priority rule; both compelled access mechanisms apply

The EU infrastructure advantage. For high-risk AI system providers and GPAI model providers, hosting technical documentation, model weights, and operational logs on EU-jurisdiction infrastructure — specifically under an EU-incorporated entity with no US parent — eliminates the CLOUD Act conflict scenario entirely. The compelled disclosure risk that US cloud infrastructure creates is not a theoretical concern: it is a predictable consequence of cross-border market surveillance investigations reaching infrastructure that is accessible to US government authority.

For developers: the Art.75 mutual assistance framework and GPAI model supervision architecture are directly relevant to infrastructure decisions made at system design time. An MSA investigation triggered in Member State A, assisted by Member State B's MSA through Art.75, reaching GPAI model infrastructure hosted on US services, creates four layers of simultaneous legal exposure — EU MSA A, EU MSA B, AI Office, and US CLOUD Act. EU-incorporated, EU-hosted infrastructure reduces this to a tractable EU regulatory engagement.

Art.75 Compliance Checklist

For High-Risk AI System Providers (Cross-Border Deployment)

Cross-border MSA coordination readiness:

Designated contacts in each Member State — You have named contacts in each Member State where the system is deployed who are authorised to receive and respond to mutual assistance requests forwarded by local MSAs.
Centralised documentation repository — Technical documentation, incident logs, conformity assessment records, and post-market monitoring data are accessible from a single repository that can produce information to any MSA on request.
Art.75 response procedure — You have a documented procedure for responding to mutual assistance requests (information to be produced, timeline for response, legal review trigger) that does not require ad hoc escalation each time.
Cross-border corrective measure protocol — You have a procedure for implementing coordinated corrective measures simultaneously in multiple Member States (product recall, usage restriction, update deployment).

GPAI component investigation readiness:

GPAI provider contracts — Contracts with GPAI model providers include notification obligations if the GPAI provider becomes subject to an AI Office investigation or Art.75(3) referral that may affect your system.
GPAI component technical file — Your Art.11 technical documentation includes a GPAI component section covering model identity, version, provider, API access terms, and the provider's Art.53 documentation references.
GPAI model provider access channel — You have a named technical contact at your GPAI model provider who can facilitate AI Office access requests under Art.75(4) coordination.

For GPAI Model Providers

Mutual assistance response capacity:

Controlled review environment — You have a controlled technical review environment (isolated API instance, documentation access portal, or equivalent) through which MSAs and the AI Office can access model capabilities without obtaining model weights or source code directly.
Art.75(4) coordination procedure — You have a documented procedure for responding when the AI Office initiates Art.75(4) coordination following an MSA referral, including designated AI Office liaison, documentation production workflow, and legal review process.
Scientific Panel referral protocol — You have a procedure for engaging with the Scientific Panel under Art.75(5) if AI Office assessment of your model's systemic risk characteristics is referred for independent review.

Python Implementation: `MutualAssistanceRequest`

from dataclasses import dataclass, field
from enum import Enum
from datetime import datetime, timedelta
from typing import Optional


class AssistanceType(Enum):
    INFORMATION_REQUEST = "information_request"
    INSPECTION_ASSISTANCE = "inspection_assistance"
    JOINT_INVESTIGATION = "joint_investigation"
    GPAI_REFERRAL_TO_AI_OFFICE = "gpai_referral_to_ai_office"
    ENFORCEMENT_COORDINATION = "enforcement_coordination"


class RequestStatus(Enum):
    PENDING = "pending"
    ACKNOWLEDGED = "acknowledged"
    IN_PROGRESS = "in_progress"
    COMPLETED = "completed"
    DECLINED = "declined"
    ESCALATED_TO_AI_BOARD = "escalated_to_ai_board"


class DeclineReason(Enum):
    CONTRARY_TO_LEGAL_SYSTEM = "contrary_to_legal_system"
    PARALLEL_NATIONAL_PROCEEDINGS = "parallel_national_proceedings"
    INVESTIGATION_CONCLUDED = "investigation_concluded"


@dataclass
class MutualAssistanceRequest:
    request_id: str
    requesting_msa_member_state: str
    requested_msa_member_state: str
    assistance_type: AssistanceType
    ai_system_id: str
    investigation_reference: str
    information_requested: list[str]
    legal_basis: str = "Art.75(1) EU AI Act 2024/1689"
    created_at: datetime = field(default_factory=datetime.now)
    deadline_days: int = 30
    gpai_component: bool = False
    gpai_provider_id: Optional[str] = None
    status: RequestStatus = RequestStatus.PENDING
    decline_reason: Optional[DeclineReason] = None
    response_received_at: Optional[datetime] = None
    ai_office_referral_made: bool = False
    scientific_panel_referred: bool = False

    @property
    def deadline(self) -> datetime:
        return self.created_at + timedelta(days=self.deadline_days)

    @property
    def is_overdue(self) -> bool:
        return (
            datetime.now() > self.deadline
            and self.status not in (RequestStatus.COMPLETED, RequestStatus.DECLINED)
        )

    def acknowledge(self) -> None:
        """Host-country MSA acknowledges receipt of mutual assistance request."""
        self.status = RequestStatus.ACKNOWLEDGED

    def complete(self, response_at: Optional[datetime] = None) -> None:
        """Mark request as completed with information provided."""
        self.status = RequestStatus.COMPLETED
        self.response_received_at = response_at or datetime.now()

    def decline(self, reason: DeclineReason) -> None:
        """Host-country MSA declines request under Art.75(2) grounds."""
        self.status = RequestStatus.DECLINED
        self.decline_reason = reason

    def escalate_to_ai_board(self) -> None:
        """Escalate unresolved mutual assistance to AI Board (Art.66 channel)."""
        self.status = RequestStatus.ESCALATED_TO_AI_BOARD

    def refer_gpai_to_ai_office(self) -> None:
        """Art.75(3): Refer GPAI component issue to AI Office for coordination."""
        if not self.gpai_component:
            raise ValueError("Art.75(3) referral requires gpai_component=True")
        self.ai_office_referral_made = True

    def refer_to_scientific_panel(self) -> None:
        """Art.75(5): Refer GPAI model systemic risk question to Scientific Panel."""
        if not self.ai_office_referral_made:
            raise ValueError("Scientific Panel referral requires prior AI Office referral")
        self.scientific_panel_referred = True

    def summary(self) -> dict:
        return {
            "request_id": self.request_id,
            "type": self.assistance_type.value,
            "from": self.requesting_msa_member_state,
            "to": self.requested_msa_member_state,
            "system_id": self.ai_system_id,
            "status": self.status.value,
            "deadline": self.deadline.isoformat(),
            "overdue": self.is_overdue,
            "gpai_component": self.gpai_component,
            "ai_office_referral": self.ai_office_referral_made,
            "scientific_panel": self.scientific_panel_referred,
            "decline_reason": self.decline_reason.value if self.decline_reason else None,
        }


class CrossBorderInvestigationCoordinator:
    """Art.75 coordinator for a provider subject to multi-MSA investigation."""

    def __init__(self, provider_id: str, ai_system_id: str):
        self.provider_id = provider_id
        self.ai_system_id = ai_system_id
        self.requests: list[MutualAssistanceRequest] = []
        self.lead_msa: Optional[str] = None

    def add_request(self, request: MutualAssistanceRequest) -> None:
        self.requests.append(request)

    def set_lead_msa(self, member_state: str) -> None:
        """Designate lead MSA for coordinated Art.75 investigation."""
        self.lead_msa = member_state

    def active_requests(self) -> list[MutualAssistanceRequest]:
        return [r for r in self.requests if r.status not in (
            RequestStatus.COMPLETED, RequestStatus.DECLINED
        )]

    def overdue_requests(self) -> list[MutualAssistanceRequest]:
        return [r for r in self.requests if r.is_overdue]

    def gpai_referrals(self) -> list[MutualAssistanceRequest]:
        """Art.75(3): Requests that have been referred to AI Office."""
        return [r for r in self.requests if r.ai_office_referral_made]

    def scientific_panel_referrals(self) -> list[MutualAssistanceRequest]:
        """Art.75(5): Requests that have reached Scientific Panel."""
        return [r for r in self.requests if r.scientific_panel_referred]

    def investigation_dashboard(self) -> dict:
        """Cross-border investigation status for compliance reporting."""
        return {
            "provider_id": self.provider_id,
            "system_id": self.ai_system_id,
            "lead_msa": self.lead_msa,
            "total_requests": len(self.requests),
            "active": len(self.active_requests()),
            "overdue": len(self.overdue_requests()),
            "member_states_involved": list({r.requesting_msa_member_state for r in self.requests}),
            "gpai_referrals_to_ai_office": len(self.gpai_referrals()),
            "scientific_panel_referrals": len(self.scientific_panel_referrals()),
            "declined_requests": len([r for r in self.requests if r.status == RequestStatus.DECLINED]),
            "generated_at": datetime.now().isoformat(),
        }

Art.75 in the Series: Chapter VIII Market Surveillance

Article	Topic	Status
Art.57	National Competent Authorities	Guide
Art.58	NCA Investigative Powers	Guide
Art.59	European AI Board	Guide
Art.60	EU AI Database	Guide
Art.61	Scientific Panel	Guide
Art.62	AI Office Enforcement Powers	Guide
Art.63	Advisory Forum	Guide
Art.64	Access to Data and Documentation	Guide
Art.65	Serious Incident Reporting	Guide
Art.66	Market Surveillance Information Exchange	Guide
Art.67	Union Safeguard Procedure	Guide
Art.68	AI Regulatory Sandboxes	Guide
Art.69	Codes of Conduct	Guide
Art.70	Penalties	Guide
Art.71	Exercise of the Delegation	Guide
Art.72	Post-Market Monitoring	Guide
Art.73	Obligations of Deployers	Guide
Art.74	Market Surveillance and Control	Guide
Art.75	Mutual Assistance and GPAI Supervision	This guide

10-Item Art.75 Compliance Checklist

Cross-border MSA contact registry — A registry of designated MSA contacts exists for each Member State where the system is deployed, accessible to compliance personnel without IT escalation. Contact details are reviewed quarterly.
Mutual assistance response procedure — A documented procedure exists for receiving, routing, and responding to Art.75(1) mutual assistance requests, including legal review triggers, documentation production workflow, and a maximum internal response time commitment.
GPAI component technical file — Where the system incorporates a GPAI model, the Art.11 technical documentation includes a dedicated GPAI component section with model identity, API version, provider contact, and a reference to the provider's Art.53 documentation.
GPAI provider notification clause — Provider contract with GPAI model supplier includes a notification obligation requiring the supplier to inform the system provider within 5 business days if the GPAI model becomes subject to an AI Office Art.75(3) referral or Art.55 evaluation.
Controlled access procedure — Where the system or a GPAI component requires MSA or AI Office access under Art.75, a controlled access environment (test API, documentation portal, or equivalent) is operational and can be activated without requiring development work at investigation time.
Cross-border corrective measure protocol — An emergency procedure exists for implementing a coordinated corrective measure (restriction, recall, update) across all Member States simultaneously, with designated decision authority, communication templates for deployers, and evidence preservation steps.
Art.75(2) grounds assessment — For providers established in Member States with robust procedural protections, legal has assessed whether any Art.75(2) grounds for declining mutual assistance apply to the system's investigation scenario, and documented the assessment.
Scientific Panel engagement procedure — If GPAI component characteristics could trigger Art.75(5) Scientific Panel referral, a procedure exists for engaging with Panel proceedings, including designating expert witnesses, preparing model evaluation documentation, and managing Panel access to sensitive model details.
CLOUD Act infrastructure assessment — All technical documentation, model weights, training data, incident logs, and operational records have been assessed for CLOUD Act exposure. Sensitive compliance data is hosted on EU-jurisdiction infrastructure with no US parent entity.
Art.75 investigation timeline model — A timeline model exists estimating the expected duration of an Art.75 mutual assistance investigation given the number of Member States involved, the presence or absence of a GPAI component, and the likelihood of Scientific Panel referral, to support business continuity planning.