2026-04-25·15 min read·sota.io team

EU AI Act Art.87: Complaints to Market Surveillance Authorities — What Developers Must Prepare For (2026)

EU AI Act Article 87 is the citizen-facing enforcement trigger: it gives any natural or legal person — individuals, NGOs, competitors, or deployers — the right to lodge a formal complaint with a national Market Surveillance Authority (MSA) against any provider or deployer who fails to comply with the Regulation. For developers and companies operating in the EU AI Act's compliance ecosystem, Art.87 is not an abstract provision. It is the mechanism through which third-party enforcement pressure enters your organisation.

Art.87 complaints do not require the complainant to be the person directly affected by the AI system. A civil society organisation monitoring algorithmic hiring tools can file a complaint. A competitor who discovers a rival is deploying a high-risk AI system without CE marking can file a complaint. A research team that identifies prohibited practices in a deployed system has standing. This broad standing means that any systematic compliance failure is exposed to complaint-based enforcement regardless of whether affected individuals ever exercise their own rights.

For deployers of high-risk AI systems, Art.87 also creates a new enforcement path that begins with the Art.85 and Art.86 rights. When a person submits an Art.86 explanation request and is dissatisfied with the response — or when a deployer denies an Art.85 recourse request without adequate justification — the person's immediate next step is an Art.87 complaint to the national MSA. Understanding Art.87 therefore requires understanding the full individual-rights enforcement chain from transparency (Art.13) through recourse (Art.85) and explanation (Art.86) to formal complaint (Art.87) and whistleblower protection (Art.88).

Art.87 became applicable on 2 August 2026, aligned with the full application of the EU AI Act's high-risk obligations.

Art.87 in the Enforcement Architecture

Art.87 sits at the junction between individual rights and public enforcement. It is not the only way for MSAs to initiate investigations — MSAs can act ex officio under Art.74 market surveillance powers — but it is the primary pathway through which external parties can force MSA attention onto a specific compliance failure.

The enforcement chain that Art.87 connects:

Stage	Article	Actor	Action
Transparency	Art.13	Provider	Discloses system purpose, limitations, human oversight
Oversight	Art.14	Deployer	Implements human oversight mechanisms
Deployer obligations	Art.26	Deployer	Monitors, incidents, explanation + recourse mechanisms
Recourse rights	Art.85	Person affected	Requests explanation, challenges decision
Explanation rights	Art.86	Person affected	Requests meaningful account of AI role
Complaint	Art.87	Any person	Files complaint with MSA for enforcement
Investigation	Art.74	MSA	Investigates using Art.58 inspection powers
Corrective measures	Art.79	MSA	Orders corrective action, market withdrawal
Penalties	Art.99	MSA	Imposes fines

Art.87 is the enforcement bridge. It converts an individual's dissatisfaction with an AI system's operation into a mandatory MSA response obligation. Once a complaint is filed under Art.87, the MSA is required to act — not necessarily to investigate everything claimed, but to handle the complaint procedurally and inform the complainant of progress and outcome.

Art.87(1): The Core Right to Complain

Art.87(1) establishes the primary entitlement: any natural or legal person may lodge a complaint with the relevant market surveillance authority against a provider or deployer who does not comply with the obligations laid down in this Regulation.

Three elements define the scope:

"Any natural or legal person" — Standing under Art.87 is exceptionally broad. There is no requirement that the complainant be the person affected by the AI decision. Standing encompasses:

Natural persons: individuals affected by high-risk AI decisions (credit refusal, employment screening, law enforcement use)
Legal persons: companies, NGOs, trade associations, academic institutions, civil society organisations
Competitors: a rival company that discovers a competitor has deployed a high-risk AI system without CE marking, or without conducting a required conformity assessment
Consumer protection organisations: acting collectively on behalf of groups affected by AI deployments
Research institutions: that identify prohibited AI practices in systems they are studying
Deployers against providers: where a deployer discovers a provider has supplied a non-compliant system

"Relevant market surveillance authority" — Complaints must go to the MSA of the Member State where the non-compliance is occurring, typically where the AI system is deployed or where the provider/deployer is established. Art.75 mutual assistance mechanisms apply when non-compliance is cross-border.

"Does not comply with the obligations" — The complaint must allege a specific non-compliance with the Regulation. This covers the full spectrum of Art.87's potential triggers:

Violation category	Examples	Complainant type typically
Prohibited practices (Art.5)	Subliminal manipulation, social scoring, real-time biometric in public spaces	Individual, NGO, regulator
Provider obligations (Art.9-18)	Missing risk management system, inadequate training data governance, no conformity assessment	Competitor, NGO
CE marking absent (Art.48)	High-risk AI deployed without CE mark	Competitor, MSA ex officio
Transparency failures (Art.13)	No transparency information provided to deployer	Deployer against provider
Deployer failures (Art.26)	No human oversight, no explanation mechanism	Individual, NGO
Art.85 recourse denial	Deployer refused explanation without adequate justification	Individual
Art.86 explanation deficiency	Explanation provided was not meaningful	Individual

Who Files Art.87 Complaints in Practice

Individuals file complaints when they receive an AI-assisted decision that causes them harm and the deployer's response under Art.85/86 is inadequate. A loan refusal with a non-meaningful explanation and a dismissive recourse response is the archetypal trigger.

NGOs and civil society file complaints about systematic patterns — employment screening tools that discriminate by proxy, predictive policing systems that are racially skewed, or biometric systems deployed without legal basis. Their standing under Art.87 allows collective complaint about practices affecting groups.

Competitors file complaints about missing CE marking, undisclosed AI use in Annex III contexts, or providers who skip conformity assessment. Competition law is not Art.87's domain, but compliance deficiencies that disadvantage compliant competitors create real complaint incentives.

Deployers against providers file complaints when a provider has supplied a system that turns out not to meet the Regulation's requirements and the provider refuses to remediate. The deployer may be liable under Art.26 for deploying the system, but Art.87 gives them a channel to surface the provider's underlying non-compliance.

Art.87(2): MSA Obligations in Complaint Handling

Art.87(2) imposes a procedural obligation on MSAs: the market surveillance authority shall inform the complainant of the progress and the outcome of the complaint within a reasonable time frame.

This obligation is significant for two reasons:

First, it converts the MSA's complaint handling from a discretionary act into a mandatory response obligation. An MSA cannot receive an Art.87 complaint and simply ignore it. The authority must acknowledge receipt, process the complaint, and communicate its outcome.

Second, it creates a closed feedback loop for the complainant. An individual who files a complaint about an Art.86 explanation failure must be told whether the MSA investigated, what it found, and what measures — if any — were taken. This transparency obligation is a deliberate counterbalance to the risk that complaints disappear into administrative silence.

"Reasonable time frame" is left to Member State national procedural law (Art.87(3)), but the constraint is real. Member States with existing MSA procedural frameworks typically set complaint response timelines of 30-90 days for administrative complaints. Complainants who receive no response within nationally specified periods may have administrative or judicial remedies available.

The MSA is not required to investigate every complaint in full. Where a complaint is manifestly unfounded, duplicates an existing investigation, or falls outside Art.87's scope, the MSA may dismiss it while still informing the complainant of this outcome. But the dismissal decision itself is subject to the information obligation — the complainant must be told that the complaint was not pursued and why.

Art.87(3): No Prejudice to Other Remedies

Art.87(3) confirms that an Art.87 complaint does not preclude other remedies: the complaint shall not prejudice any available civil or criminal enforcement measures.

This non-exclusivity principle has three practical implications:

First, filing an Art.87 complaint does not bar parallel civil litigation. An individual who files an MSA complaint about an unfair AI credit decision can simultaneously pursue a civil claim for damages against the deployer. GDPR Art.82 provides an independent damages mechanism for data protection violations, and national civil law may provide additional remedies.

Second, Art.87 does not exhaust the complainant's remedies. If the MSA takes corrective measures but the complainant believes they are insufficient, judicial review of the MSA decision may be available under national administrative law.

Third, Art.87 operates separately from GDPR complaint mechanisms. A high-risk AI decision that also violates GDPR Art.22 (automated decision-making) can generate parallel complaints — an Art.87 complaint to the MSA and a GDPR Art.77 complaint to the DPA. The two authorities may investigate independently and may coordinate under Art.74(10) where their jurisdictions overlap.

The Art.86 → Art.87 Escalation Chain

The most operationally important Art.87 pathway for deployers is the escalation chain from Art.86 explanation failure. The chain works as follows:

Step 1 — AI decision with legal or significant effects (Art.86(1) scope met): Person is subject to a high-risk Annex III AI decision (credit, employment, essential services, biometric).

Step 2 — Art.86 explanation request: Person requests a meaningful explanation of the AI system's role in the decision from the deployer.

Step 3 — Deployer response (30-day typical SLA):

✅ Adequate response: explanation provided, chain ends
❌ Trade secret invoked without output-level explanation: Art.87 trigger
❌ Explanation non-responsive (generic, not decision-specific): Art.87 trigger
❌ No response within national time limit: Art.87 trigger

Step 4 — Art.87 complaint to MSA: Person files complaint with MSA citing the specific deficiency in the Art.86 response.

Step 5 — MSA investigation: MSA uses Art.58 inspection powers to assess whether the deployer's explanation mechanism meets Art.86 requirements.

Step 6 — Corrective measures (Art.79): If deployer's Art.86 compliance is found deficient, MSA can require remediation, suspend deployment pending correction, or order market withdrawal of the specific AI system.

Step 7 — Art.99 penalties: Where the Art.86 failure stems from systematic non-compliance with Art.26 (deployer obligations), Art.99 Tier 2 penalties (€15M / 3% global turnover) may be imposed.

For deployers, this chain means that a single inadequate explanation response creates direct exposure to Art.99 Tier 2 fines through the Art.87 channel. The scale of the non-compliance does not determine the fine ceiling — a deployer operating a single high-risk AI system that cannot generate Art.86-compliant explanations faces the same Tier 2 ceiling as a large-scale deployer.

Art.87 vs Art.88: Complaint vs. Whistleblower Report

Art.87 and Art.88 address different reporting mechanisms and provide different protections:

Dimension	Art.87 (Complaint)	Art.88 (Whistleblower Report)
Who files	Any natural or legal person	Person within organisation (employee, contractor, former employee)
Filed with	National MSA	Internal channel first (if available), then MSA or AI Office
About	Any non-compliance with the Regulation	Any breach of the Regulation
Protection for filer	None specified in Art.87	Retaliation protection, burden-shifting rule (Art.88 + Directive 2019/1937)
Confidentiality	MSA may protect complainant identity under national law	Anonymisation obligations for internal channel
Scope	Providers and deployers	Any person or entity covered by the Regulation
Employer relationship	Not required	Required for Art.88 protection

The distinction matters for compliance design. An employee who discovers their employer is operating a prohibited AI practice (Art.5) and reports it to the MSA can invoke Art.88 whistleblower protections — the report is not just an Art.87 complaint but a protected disclosure under Directive 2019/1937. An external NGO filing about the same system uses Art.87 without the Art.88 protection layer.

For organisations building compliance infrastructure:

Internal reporting channels (required for ≥50-employee organisations under Art.88) must be kept separate from Art.87 complaint response workflows
An employee who uses an internal Art.88 channel and escalates externally under Art.87 retains full whistleblower protection throughout
Treating an employee's Art.88 internal report as an Art.87 competitor complaint — and responding with disciplinary action — triggers the Art.88 burden-shifting rule (employer must prove the adverse action was not retaliation)

CLOUD Act Exposure: Documentation Under MSA Investigation

When an Art.87 complaint triggers an MSA investigation, the MSA will use Art.58 inspection powers and Art.64 data access rights to request documentation. For companies operating on US cloud infrastructure (AWS, Azure, GCP), this creates a dual-compellability risk: the EU MSA can compel production of documentation, and the US government can independently compel the same documentation under the CLOUD Act (18 U.S.C. § 2713).

The specific documentation that Art.64 + Art.58 investigations reach:

Documentation category	Art. authority	CLOUD Act exposure
Risk management system records (Art.9)	Art.64(1)	High — if stored on US cloud
Training data governance logs (Art.10)	Art.64(1)(a)	High
Technical documentation (Annex IV)	Art.64(1)(c)	High
Post-market monitoring data (Art.72)	Art.64(1)(d)	High
Explanation records (Art.86)	Art.64(1)	High — directly relevant to complaint
AI system logs and decision outputs	Art.64(1)(e)	High
Conformity assessment records	Art.64(1)(b)	Medium

The CLOUD Act creates a conflict of laws risk: an EU MSA requires production of documentation under Art.64, while simultaneously the documentation sits on a US cloud provider subject to US government compulsion. A US national security request for the same documentation would require the EU company to disclose it to the US government regardless of EU confidentiality obligations.

The EU-sovereign infrastructure advantage: A company operating on EU-incorporated, EU-domiciled infrastructure without US parent companies (like sota.io) faces only a single legal order — the EU MSA's Art.64 request. US national security compulsion under the CLOUD Act does not apply because the infrastructure operator is not subject to US jurisdiction. When an Art.87 complaint triggers an MSA investigation, EU-sovereign infrastructure means one investigative authority, one legal order, no cross-border disclosure conflict.

For companies on US cloud that are subject to Art.87 complaint risk:

Consider migrating compliance documentation (risk management records, training data logs, explanation records) to EU-sovereign infrastructure
Assess whether data processing agreements include provisions addressing conflicting government access orders
Map which documentation categories are most likely to be requested in an Art.87/Art.64 investigation and prioritise those for sovereign hosting

Python Implementation: Art87ComplaintManager

from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional


class ComplaintStatus(Enum):
    FILED = "filed"
    ACKNOWLEDGED = "acknowledged"
    UNDER_INVESTIGATION = "under_investigation"
    MSA_REQUESTS_DOCS = "msa_requests_docs"
    OUTCOME_NOTIFIED = "outcome_notified"
    CLOSED = "closed"


class ComplaintOutcome(Enum):
    INVESTIGATION_OPENED = "investigation_opened"
    CORRECTIVE_MEASURES_ORDERED = "corrective_measures_ordered"
    COMPLAINT_DISMISSED = "complaint_dismissed"
    REFERRED_TO_AI_OFFICE = "referred_to_ai_office"
    RESOLVED_VOLUNTARILY = "resolved_voluntarily"


@dataclass
class Art87Complaint:
    complaint_id: str
    filed_date: date
    msa_member_state: str
    complainant_type: str  # individual / ngo / competitor / deployer / other
    complaint_category: str  # art5_prohibited / high_risk_provider / deployer_art26 / art86_failure / etc.
    respondent_type: str  # provider / deployer / both
    respondent_id: str
    ai_system_id: Optional[str] = None
    art86_escalation: bool = False  # True if this complaint escalated from Art.86 denial
    status: ComplaintStatus = ComplaintStatus.FILED
    outcome: Optional[ComplaintOutcome] = None
    msa_acknowledgement_date: Optional[date] = None
    msa_outcome_date: Optional[date] = None
    documents_requested: list[str] = field(default_factory=list)
    documents_produced: list[str] = field(default_factory=list)

    def days_since_filed(self) -> int:
        return (date.today() - self.filed_date).days

    def is_response_overdue(self, national_deadline_days: int = 60) -> bool:
        return self.days_since_filed() > national_deadline_days and self.outcome is None

    def art99_fine_ceiling(self) -> str:
        if self.complaint_category == "art5_prohibited":
            return "€35M or 7% global annual turnover (Tier 1)"
        elif self.complaint_category in ("high_risk_provider", "deployer_art26", "art86_failure"):
            return "€15M or 3% global annual turnover (Tier 2)"
        elif self.complaint_category == "misleading_information":
            return "€7.5M or 1% global annual turnover (Tier 3)"
        return "Unknown — assess based on specific violation"


class Art87ComplaintManager:
    """Tracks complaint exposure and manages documentation response for Art.87 investigations."""

    def __init__(self, organisation_id: str, msa_contact_registry: dict[str, str]):
        self.organisation_id = organisation_id
        self.msa_contacts = msa_contact_registry  # {member_state: msa_contact_email}
        self.active_complaints: list[Art87Complaint] = []
        self.art86_requests_log: list[dict] = []  # Log of Art.86 requests to detect escalation risk

    def register_complaint(self, complaint: Art87Complaint) -> None:
        self.active_complaints.append(complaint)

    def log_art86_request(
        self,
        request_id: str,
        person_id: str,
        decision_id: str,
        response_date: Optional[date],
        response_adequate: bool,
    ) -> None:
        """Track Art.86 explanation requests — inadequate responses predict Art.87 escalation."""
        self.art86_requests_log.append({
            "request_id": request_id,
            "person_id": person_id,
            "decision_id": decision_id,
            "response_date": response_date,
            "response_adequate": response_adequate,
            "escalation_risk": not response_adequate,
        })

    def high_escalation_risk_requests(self) -> list[dict]:
        """Returns Art.86 requests where inadequate response creates Art.87 complaint risk."""
        return [r for r in self.art86_requests_log if r["escalation_risk"]]

    def documentation_readiness_check(self, ai_system_id: str) -> dict[str, bool]:
        """Pre-emptive check: is documentation ready if MSA requests it under Art.64?"""
        # In production, this would check actual document storage systems
        return {
            "risk_management_system_documented": False,  # Art.9 — placeholder
            "training_data_governance_logged": False,    # Art.10
            "technical_documentation_current": False,   # Annex IV
            "conformity_assessment_completed": False,   # Art.43
            "post_market_monitoring_active": False,     # Art.72
            "explanation_records_retained": False,      # Art.86 + Art.64
            "incident_reports_accessible": False,       # Art.65 + Art.73
        }

    def complaint_response_playbook(self, complaint: Art87Complaint) -> list[str]:
        """Returns ordered response steps for an active Art.87 complaint."""
        steps = [
            f"1. Acknowledge complaint internally — assign compliance lead within 24h",
            f"2. Notify legal counsel — Art.99 fine ceiling: {complaint.art99_fine_ceiling()}",
            f"3. Retrieve all documentation for AI system {complaint.ai_system_id or 'UNKNOWN'}",
            f"4. Conduct internal compliance audit against alleged violation: {complaint.complaint_category}",
            f"5. Identify any Art.64 documentation request from MSA {complaint.msa_member_state}",
            f"6. Assess CLOUD Act exposure — check if relevant docs on US cloud infrastructure",
            f"7. Prepare MSA response — do not produce documents without legal review",
            f"8. If art86_escalation=True: review Art.86 explanation adequacy and remediate",
            f"9. Monitor MSA progress — Art.87(2) requires MSA to inform of outcome",
            f"10. Document all steps — creates compliance evidence trail",
        ]
        return steps

    def active_complaint_summary(self) -> dict:
        return {
            "total_active": len(self.active_complaints),
            "art5_complaints": sum(1 for c in self.active_complaints if c.complaint_category == "art5_prohibited"),
            "art86_escalations": sum(1 for c in self.active_complaints if c.art86_escalation),
            "overdue": sum(1 for c in self.active_complaints if c.is_response_overdue()),
            "art86_high_risk_requests": len(self.high_escalation_risk_requests()),
        }


# Usage example
if __name__ == "__main__":
    manager = Art87ComplaintManager(
        organisation_id="acme-corp",
        msa_contact_registry={"DE": "bnetza@bnetza.de", "FR": "cnil@cnil.fr"},
    )

    # Log an Art.86 request with inadequate response
    manager.log_art86_request(
        request_id="EXP-2026-001",
        person_id="user-42",
        decision_id="credit-dec-789",
        response_date=date(2026, 9, 15),
        response_adequate=False,  # Generic explanation provided — Art.87 escalation risk
    )

    # Register the resulting Art.87 complaint
    complaint = Art87Complaint(
        complaint_id="ART87-2026-001",
        filed_date=date(2026, 10, 1),
        msa_member_state="DE",
        complainant_type="individual",
        complaint_category="art86_failure",
        respondent_type="deployer",
        respondent_id="acme-corp",
        ai_system_id="credit-scoring-v2",
        art86_escalation=True,
    )
    manager.register_complaint(complaint)

    summary = manager.active_complaint_summary()
    print(f"Active complaints: {summary}")
    print(f"Fine ceiling: {complaint.art99_fine_ceiling()}")
    playbook = manager.complaint_response_playbook(complaint)
    for step in playbook:
        print(step)

Art.87 × Art.99: The Fine Exposure Chain

Art.87 is the complaint gateway; Art.99 is the penalty ceiling. The chain from complaint to fine:

Art.87 complaint → Art.74 market surveillance investigation → Art.79 corrective measures → non-compliance confirmed → Art.99 penalties

What the complaint reveals	Art.99 tier	Maximum fine
Prohibited AI practice (Art.5)	Tier 1	€35M or 7% global annual turnover
High-risk AI non-compliance (provider)	Tier 2	€15M or 3% global annual turnover
Deployer obligation failures (Art.26)	Tier 2	€15M or 3% global annual turnover
Misleading information to MSA	Tier 3	€7.5M or 1% global annual turnover
GPAI model obligations (AI Office)	Tier 2	€15M or 3% global annual turnover

The fine trigger does not require that the original complaint was filed by the person directly harmed. A competitor complaint about missing CE marking, if it reveals a failure to conduct a conformity assessment, exposes the provider to Tier 2 fines. The Art.87 complaint activates the MSA's Art.74 powers, and from that point forward the investigation can reach violations beyond the original complaint's scope.

Proportionality factors that MSAs apply under Art.99(2) when setting the specific fine within the tier ceiling:

Nature, gravity, and duration of the infringement
Intentional versus negligent breach
Size of the operator and market share
Damage caused to affected persons
Measures taken to mitigate harm
Prior infringement history

SME provisions in Art.99(6) apply the lower of the flat amount or percentage cap — but the lower figure still represents material exposure for smaller companies with high margins.

Series Table: EU AI Act Final Provisions Individual Rights

Art.87 sits within the EU AI Act's closing individual-rights and enforcement architecture:

Article	Topic	Core obligation
Art.85	Right of recourse	Deployer must provide explanation and challenge mechanism for AI decisions
Art.86	Right to explanation	Deployer must provide meaningful account of AI system's role in specific decision
Art.87	Complaints	Any person can lodge complaint with MSA against non-compliant provider/deployer
Art.88	Whistleblower protection	Organisations ≥50 employees must maintain internal reporting channels; retaliation prohibited
Art.89	Right to be heard	Provider/deployer must have opportunity to present observations before enforcement measures

Art.87 is the transition point between individual rights (Art.85, Art.86) and public enforcement (Art.88, Art.89 and beyond to Art.99 penalties). It is where a person's exercise of individual rights converts into institutional regulatory action.

10-Item Art.87 Complaint-Readiness Checklist

C1 — Art.86 explanation mechanism implemented and tested: explanations are decision-specific, non-generic, and accessible without trade-secret blanket refusal
C2 — Art.85 recourse mechanism implemented: intake process, acknowledgement workflow, human review escalation, and response SLA documented
C3 — Art.86 response log maintained: every explanation request, response provided, and adequacy assessment retained for MSA access under Art.64
C4 — Annex IV technical documentation current: risk management system, training data governance, conformity assessment records accessible on 24h notice
C5 — Post-market monitoring operational: Art.72 monitoring plan active, incident tracking logs available for Art.64 inspection
C6 — CLOUD Act risk assessed: documentation relevant to Art.87/Art.64 investigations mapped to hosting jurisdiction; EU-sovereign migration plan in place for high-risk docs
C7 — MSA contact details documented for all deployment Member States; Art.87 complaint response playbook exists
C8 — CE marking and registration verified: Art.48 CE mark present, Art.49 EUAIDB registration completed for all high-risk deployments
C9 — Art.88 internal reporting channel separate from Art.87 complaint response: employees directed to internal channel; external Art.87 complaints handled by compliance function
C10 — Art.99 fine exposure calculated per deployment: Tier 1/2/3 assessment for each Annex III system; exposure documented in risk register