EU AI Act Art.90: AI Office Information Requests to GPAI Providers — Developer Response Guide (2026)
EU AI Act Article 90 is the AI Office's primary documentary investigation tool for general-purpose AI (GPAI) models. Before the AI Office moves to an on-site inspection under Art.91, before it issues interim measures under Art.93, and before it adopts any enforcement measure that triggers the Art.89 right to be heard, it almost always begins with an Art.90 information request. For GPAI model providers, an Art.90 request is the first formal signal that the AI Office is examining their model — and the response to that request often determines whether the investigation escalates.
Art.90 operates in two modes. A simple request is a non-binding information demand that nevertheless carries the implicit pressure of a future binding decision if ignored. A decision is binding, carries penalty exposure under Art.99(4)(d) and Art.101 for non-compliance or false information, and is reviewable before the Court of Justice of the European Union. Both modes are available to the AI Office and the choice between them reflects both the stage of investigation and the AI Office's assessment of the provider's likely cooperation.
For compliance teams, the Art.90 response window is not just about supplying documents. It is a strategic moment: what you provide, how you frame it, what you protect under legal professional privilege, and how quickly you respond all affect the trajectory of what follows.
Art.90 became applicable on 2 August 2025, concurrent with GPAI obligations in Chapter V.
Art.90 in the GPAI Enforcement Chain
Art.90 sits at the investigation stage of the AI Office's enforcement sequence for GPAI models. It is preceded only by the Scientific Panel's monitoring function and followed by progressively more intrusive enforcement tools.
| Stage | Article | Authority | Trigger |
|---|---|---|---|
| GPAI classification and registration | Art.51 | Provider | Self-assessment at model release |
| Systemic risk designation | Art.51(2) | AI Office | FLOP threshold or Commission decision |
| Technical documentation and reporting | Art.53 | Provider | Ongoing obligation |
| Scientific Panel model evaluation | Art.55 | Scientific Panel | Ex-officio or qualified alert from Panel |
| Information request (documentary) | Art.90 | AI Office | Investigation initiation or Panel alert |
| Inspection (on-site/remote access) | Art.91 | AI Office | After Art.90 or where docs insufficient |
| Interim measures | Art.93 | AI Office | Urgency — bypasses standard sequence |
| Right to be heard | Art.89 | AI Office | Before any enforcement decision |
| Corrective measures / penalties | Art.99 | AI Office | Final enforcement phase |
Art.90 does not apply to high-risk AI system providers supervised by NCAs — those authorities use Art.74 market surveillance powers. Art.90 is exclusively an AI Office tool for GPAI model supervision under Chapter V.
Art.90(1) — The Information Request Power
Art.90(1) establishes the legal basis for the AI Office's information demand. The AI Office may request information from:
- Providers of general-purpose AI models — the primary addressees, regardless of systemic risk designation
- Providers of general-purpose AI systems built upon those models — downstream integrators when the underlying model is under investigation
- Any other natural or legal person — when the information is necessary and cannot be obtained from the provider directly
The phrase "carry out the tasks of the AI Office under Chapter V" is intentionally broad. Chapter V covers GPAI model obligations (Art.51–Art.55), AI Office evaluation powers (Art.55), and the GPAI enforcement regime. In practice, Art.90 requests have been used to investigate:
- Technical documentation completeness (Art.53(1)(a))
- Training data governance and copyright compliance (Art.53(1)(c))
- Systematic evaluation results including adversarial testing (Art.55(1)(a))
- Incident and near-miss reports from the Art.65 chain
- Post-training modification records relevant to systemic risk designation
The breadth of "necessary to carry out tasks" means providers cannot predict in advance which documents are in scope. The practical implication: maintain comprehensive, retrievable GPAI documentation at all times.
Art.90(2) — Simple Request: Six Mandatory Elements
When the AI Office sends a simple request, it must include six specific elements. A request missing any of them is procedurally defective — though challenging it on that basis requires engaging EU administrative law counsel.
| Element | Content | Practical meaning |
|---|---|---|
| Legal basis | Reference to Art.90 EU AI Act | Identifies the request as Art.90, not Art.91 or Art.74 |
| Purpose | Stated objective of the information demand | Defines the investigation scope — read carefully |
| Information required | Specific documents, data, formats | Determines what you must provide |
| Time limit | Deadline for response | Starts the clock — note whether working days or calendar days |
| Format requirement | Structured, unstructured, or specified schema | May specify machine-readable format |
| Penalty notice | Reference to Art.99(4)(d) and Art.101 | Alerts provider that false/incomplete responses are sanctionable |
A simple request does not carry immediate legal enforceability. However, Art.90(3) allows the AI Office to escalate to a binding decision if the simple request is not complied with. The simple request is therefore best understood as a first formal step that the AI Office expects will be honoured — non-response is not a safe option.
Response timeline best practice: Do not wait until the deadline. Acknowledge receipt within 48 hours. If the time limit is insufficient for the volume of information requested, contact the AI Office immediately to negotiate an extension. Extensions are available under Art.90 but must be requested proactively — the AI Office will not grant them retroactively.
Art.90(3) — Binding Decision: Escalation and Additional Elements
When the AI Office requires information by binding decision rather than simple request, it must include everything required under Art.90(2) plus:
| Additional element | Content |
|---|---|
| CJEU review right | The addressee's right to challenge the decision before the Court of Justice of the European Union under Art.263 TFEU |
| Enhanced penalty reference | Specific citation of Art.99(4)(d) and Art.101 with penalty quantum |
The existence of the CJEU review right does not suspend the obligation to respond. A provider challenging an Art.90 decision before the CJEU must also apply for interim measures under Art.279 TFEU to suspend the response obligation during proceedings — otherwise the deadline runs regardless of the appeal.
When does the AI Office choose a decision over a simple request?
The AI Office will typically escalate to a decision when:
- A simple request was previously sent and not (or incompletely) complied with
- The AI Office has reason to believe voluntary compliance is unlikely
- The investigation involves a systemic risk model where urgency is elevated
- The Scientific Panel has issued a qualified alert (Art.90(4) pathway, discussed below)
A binding decision is also more likely where the provider is not EU-established and the AI Office needs a legally enforceable instrument that can be transmitted to the provider's authorised EU representative under Art.90(4).
Art.90(4) — Provider Obligation and Authorised Representatives
Art.90(4) creates the provider's affirmative obligation: GPAI model providers must supply the requested information. For undertakings (companies and organisations), this obligation is discharged through "duly authorised representatives."
The authorised representative requirement has two dimensions:
For EU-established providers: Any director, officer, or employee with authority to bind the company in regulatory matters. Typically the DPO, Chief Compliance Officer, or General Counsel — whoever has been designated in the model's technical documentation as the regulatory contact.
For non-EU providers (e.g., US hyperscalers): Art.54 requires GPAI model providers without EU establishment to designate an authorised representative in an EU Member State. This representative is the legal addressee of Art.90 requests and decisions. The representative must have sufficient authority to access and supply the requested information — a representative with no access to technical documentation cannot fulfil the Art.90 obligation.
Key risk: If a non-EU provider's EU representative cannot supply complete information because the relevant documentation sits in US systems, this creates both an Art.90 compliance gap and a CLOUD Act exposure problem (discussed below). The solution is to pre-position GPAI compliance documentation in EU-accessible storage before an Art.90 request arrives.
Art.90(5) — Notification Chain: Scientific Panel and NCAs
After sending any Art.90 request or decision, the AI Office must transmit a copy to:
- The Scientific Panel — ensuring Panel members are aware of active investigations and can provide technical input if relevant
- The competent authorities of the Member States in which the provider is established or has a representative — ensuring NCAs are informed even though they have no supervisory role over GPAI models
The NCA notification under Art.90(5) does not give NCAs enforcement jurisdiction over GPAI models. However, it means that the NCA of the country where the provider operates will know an investigation is underway. For large providers, this creates reputational and investor-relations considerations beyond the immediate regulatory exposure.
Art.90 vs Art.91 — Investigation Mode Distinction
Art.90 and Art.91 are complementary but distinct investigation powers. Providers receiving an Art.90 request should understand what escalation to Art.91 would mean.
| Dimension | Art.90 Information Request | Art.91 Inspection |
|---|---|---|
| Mode | Documentary — provider submits information | Access — AI Office enters provider's premises or systems |
| Trigger | Investigation initiation or Panel alert | Insufficient Art.90 response or serious concern |
| Scope | Documents, data, reports, technical specs | Physical and digital access to systems, models, infrastructure |
| Timing | Provider controls the submission within deadline | AI Office controls timing and access scope |
| Legal basis | Art.90 decision or simple request | Commission decision authorising inspection |
| NCA involvement | Notification only | National authorities assist with access |
| CLOUD Act exposure | Information supplied from US systems | Physical access to EU-located infrastructure required |
| Penalty for obstruction | Art.99(4)(d) — incorrect/incomplete information | Art.99(4)(e) — refusal to submit to inspection |
A well-managed Art.90 response that is complete, accurate, and well-organised reduces the probability of Art.91 escalation. Art.91 is substantially more disruptive: it involves AI Office officials (and potentially national officials) accessing infrastructure, examining models directly, and potentially copying data. An Art.90 response that answers the AI Office's questions completely is always preferable to an Art.91 inspection.
The Scientific Panel Qualified Alert Pathway
Art.90's connection to the Scientific Panel creates a distinct trigger pathway. Under Art.55, the Scientific Panel can:
- Request the AI Office to conduct evaluations of specific GPAI models
- Issue "qualified alerts" when Panel members have reasonable grounds to believe a GPAI model poses systemic risks not adequately addressed in the provider's technical documentation
When the Scientific Panel issues a qualified alert about a specific model, the AI Office is empowered (and effectively expected) to initiate an Art.90 information request to investigate the Panel's concerns. This pathway differs from the standard Art.90 initiation because:
- The Panel's alert defines the scope: The information request will typically focus on the specific concern the Panel has identified (e.g., adversarial testing gaps, training data risks, capability evaluations)
- The provider's technical report is already in focus: If the qualified alert arises from the provider's Art.53 technical report, the Art.90 request will probe inconsistencies or gaps in that report
- The Panel receives the Art.90 copy: Under Art.90(5), the Panel is informed — it can then provide additional technical input to the AI Office during the investigation
Provider response to a Panel-triggered Art.90 request: Because the Panel's qualified alert is the trigger, providers should request a copy of the qualified alert (if not already disclosed) and tailor their Art.90 response to address the Panel's specific technical concerns. A generic document dump that does not engage with the Panel's findings will not close the investigation.
Penalties for Art.90 Non-Compliance
Art.90 is backed by two penalty provisions:
Art.99(4)(d) — Penalties for providers that fail to provide information or provide incorrect, incomplete or misleading information in response to an Art.90 request. Maximum: EUR 3 million or 1% of total worldwide annual turnover (whichever is higher). For undertakings.
Art.101 — Periodic penalty payments to compel compliance. Maximum: 1.5% of average daily turnover per day, calculated from the date set in the AI Office decision. This is a coercive tool — it runs until the provider complies.
The combination creates significant financial pressure. A large GPAI provider with annual turnover of EUR 10 billion faces:
- Art.99(4)(d): up to EUR 100 million for the information failure itself
- Art.101: up to EUR 150 million per day if it refuses to comply with a binding decision
In practice, Art.99(4)(d) penalties are more likely to be graduated — the AI Office applies proportionality and considers the provider's cooperation record. Providers that respond promptly but incompletely are treated differently from providers that ignore requests entirely.
CLOUD Act Exposure for GPAI Providers
Most large GPAI model providers (OpenAI, Google DeepMind, Anthropic, Meta, Mistral with US infrastructure) store training data, model weights, evaluation results, and technical documentation in US cloud infrastructure subject to the US CLOUD Act. An Art.90 information request creates a potential jurisdictional collision.
| GPAI Document Category | CLOUD Act Compellability | EU Art.90 Obligation | Mitigation |
|---|---|---|---|
| Technical documentation (Art.53(1)(a)) | High — text docs | Full supply required | Pre-position EU copy |
| Training data summaries (Art.53(1)(c)) | Medium — summary docs | Summary required, not raw data | EU-stored summary layer |
| Adversarial test results (Art.55(1)(a)) | High — structured reports | Full supply required | EU test environment |
| Model weights / architecture specs | Low — trade secret protection asserted by US providers | Summary disclosure sufficient | Treat-as-confidential designation |
| Incident reports / near-misses | Medium — operational records | Must supply EU-reportable incidents | EU incident logging system |
| Training compute records | Low — internal operational data | Supply if directly requested | Aggregate metrics only |
The mitigation strategy: Providers that anticipated Art.90 exposure have begun maintaining "EU compliance mirrors" — EU-hosted copies of Art.90-disclosable documentation, separated from US systems subject to CLOUD Act compulsion. This approach allows the provider to supply Art.90 information from EU-controlled sources without triggering US jurisdictional conflict.
For providers using sota.io's EU-native infrastructure, compliance documentation can be hosted in EU jurisdictions from the outset — eliminating the CLOUD Act collision from day one rather than engineering around it after an Art.90 request arrives.
Provider Response Strategy
An Art.90 request demands a structured internal response process. The following sequence has been validated across EU administrative law practice:
Step 1: Receipt and Classification (Day 0–1)
On receipt of an Art.90 request:
- Confirm it is an Art.90 request (not Art.74 or another provision) — check the legal basis citation
- Note the deadline and calculate the working-day count
- Identify whether it is a simple request or a binding decision (the CJEU review right reference distinguishes them)
- Engage EU regulatory counsel immediately
- Notify the authorised EU representative if the company is non-EU established
Step 2: Scope Assessment (Day 1–3)
- Map the information requested against available documentation
- Identify gaps between what is requested and what exists
- Flag trade-secret / confidential business information for redaction or confidentiality request
- Identify any legal professional privilege claims
Legal professional privilege (LPP) in EU proceedings: LPP protects communications between an undertaking and its independent, EU-qualified lawyers made for the purpose of legal advice in the context of ongoing or anticipated proceedings. In-house lawyers in most EU Member States do not benefit from LPP in EU administrative proceedings (Akzo Nobel standard). This matters for Art.90 because instructions to in-house counsel about regulatory compliance — even if labelled legal advice — may not be protected.
Step 3: Response Preparation (Day 3 to deadline)
- Compile responsive documents in the format requested
- Prepare a cover letter explaining the response structure, any confidentiality claims, and any information the provider asserts is not within Art.90 scope
- Do not provide information beyond what is requested — scope creep creates additional exposure
- If time is insufficient: request an extension before the deadline, in writing, citing specific volume and complexity
Step 4: Submission and Follow-up
- Submit via the AI Office's designated channel (typically an EU regulatory portal or secure transmission)
- Retain a complete copy of everything submitted with timestamps
- Monitor for follow-up requests — an Art.90 response often generates a second, more targeted request
Python Implementation: Art90InformationRequest
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Optional
class RequestMode(Enum):
SIMPLE_REQUEST = "simple_request"
BINDING_DECISION = "binding_decision"
class ResponseStatus(Enum):
PENDING = "pending"
EXTENSION_REQUESTED = "extension_requested"
SUBMITTED = "submitted"
CHALLENGED = "challenged" # CJEU interim measures application
@dataclass
class Art90InformationRequest:
"""Tracks an AI Office Art.90 information request and provider response."""
# Request metadata
request_id: str
mode: RequestMode
received_date: date
deadline_date: date
legal_basis_cited: bool = False # Must cite Art.90
# Art.90(2) mandatory elements present?
purpose_stated: bool = False
information_specified: bool = False
format_specified: bool = False
penalty_notice_included: bool = False # Art.99(4)(d) + Art.101
# Art.90(3) additional elements (binding decision only)
cjeu_review_right_stated: bool = False # Required for decisions
# Scientific Panel trigger
panel_qualified_alert: bool = False
panel_alert_reference: Optional[str] = None
# Response tracking
status: ResponseStatus = ResponseStatus.PENDING
acknowledged_date: Optional[date] = None
extension_requested: bool = False
extension_granted: Optional[date] = None
submitted_date: Optional[date] = None
# Compliance documentation
eu_representative_engaged: bool = False
eu_counsel_engaged: bool = False
lpp_review_completed: bool = False
confidential_business_info_flagged: bool = False
# CLOUD Act
cloud_act_exposure: bool = False
eu_compliance_mirror_available: bool = False
def days_remaining(self) -> int:
return (self.deadline_date - date.today()).days
def validate_request_elements(self) -> list[str]:
"""Check Art.90(2)/(3) mandatory elements are present in the request."""
issues = []
if not self.legal_basis_cited:
issues.append("Art.90: Legal basis (Art.90 EU AI Act) not cited — request may be defective")
if not self.purpose_stated:
issues.append("Art.90(2)(b): Purpose of request not stated")
if not self.information_specified:
issues.append("Art.90(2)(c): Information required not specified")
if not self.penalty_notice_included:
issues.append("Art.90(2)(e): Penalty notice (Art.99(4)(d)/Art.101) missing")
if self.mode == RequestMode.BINDING_DECISION and not self.cjeu_review_right_stated:
issues.append("Art.90(3)(a): CJEU review right not stated in decision")
return issues
def readiness_score(self) -> dict:
"""Score provider readiness to respond (0–100)."""
score = 0
checks = {
"EU representative engaged": self.eu_representative_engaged,
"EU counsel engaged": self.eu_counsel_engaged,
"LPP review completed": self.lpp_review_completed,
"Confidential info flagged": self.confidential_business_info_flagged,
"Acknowledged within 48h": self.acknowledged_date is not None and
(self.acknowledged_date - self.received_date).days <= 2,
"CLOUD Act exposure assessed": self.cloud_act_exposure is not None,
"EU compliance mirror available": self.eu_compliance_mirror_available,
}
score = sum(15 for v in checks.values() if v) # 7 items × ~14 = 98
return {"score": score, "checks": checks, "days_remaining": self.days_remaining()}
def response_priority(self) -> str:
days = self.days_remaining()
if days <= 5:
return "CRITICAL — immediate submission required"
elif days <= 10:
return "HIGH — finalise response, no further extensions"
elif days <= 20:
return "MEDIUM — preparation phase"
else:
return "NORMAL — scope assessment phase"
def cloud_act_risk_assessment(self) -> str:
if not self.cloud_act_exposure:
return "LOW — documentation in EU-controlled infrastructure"
if self.eu_compliance_mirror_available:
return "MANAGED — EU mirror available, supply from EU source"
return "HIGH — US CLOUD Act jurisdiction conflict. Engage US and EU counsel before supply."
20-Item Art.90 Response Checklist
| # | Check | Why |
|---|---|---|
| 1 | Confirm legal basis is Art.90 (not Art.74 or other) | Determines applicable response framework |
| 2 | Identify mode: simple request vs. binding decision | CJEU challenge option exists only for decisions |
| 3 | Record the exact deadline and calculate working days | Deadline errors are non-excusable |
| 4 | Engage EU regulatory counsel within 24h of receipt | LPP strategy requires counsel from day one |
| 5 | Notify authorised EU representative (if non-EU provider) | Art.90(4) — representative is the obligated party |
| 6 | Obtain copy of Scientific Panel qualified alert if Panel-triggered | Alert defines the scope of the AI Office's concern |
| 7 | Validate Art.90(2) mandatory elements are all present | Missing elements may make request procedurally defective |
| 8 | Map requested information against available documentation | Identifies gaps before deadline |
| 9 | Assess CLOUD Act exposure for relevant documents | US-jurisdiction storage creates conflicting legal obligations |
| 10 | Check EU compliance mirror availability for CLOUD Act items | Allows EU-source supply without US jurisdictional conflict |
| 11 | Complete LPP review — identify privileged communications | Privileged documents should be listed but not produced |
| 12 | Flag confidential business information for redaction | CBI can be withheld with a reasoned confidentiality request |
| 13 | Assess if extension is needed — request before deadline | AI Office will not grant retroactive extensions |
| 14 | Prepare structured cover letter mapping response to request | Shows AI Office the response is complete and organised |
| 15 | Do not provide information beyond the stated scope | Scope creep creates additional investigation risk |
| 16 | Verify information is accurate and complete | Art.99(4)(d) applies to incorrect/incomplete information |
| 17 | Retain timestamped copy of everything submitted | Required for any Art.89 or CJEU proceedings that follow |
| 18 | Submit via designated AI Office channel, obtain confirmation | Proof of timely submission is essential |
| 19 | Monitor for follow-up requests within 30 days | First Art.90 responses commonly trigger targeted follow-ups |
| 20 | Assess whether Art.89 right-to-be-heard engagement will follow | If AI Office moves to corrective measures, Art.89 applies |
Art.90 Series Context
Art.90 is part of the AI Office's GPAI investigation sequence:
| Article | Function | Stage |
|---|---|---|
| Art.51 | GPAI classification and systemic risk designation | Pre-investigation |
| Art.53 | Technical documentation and reporting obligations | Ongoing compliance |
| Art.55 | Scientific Panel evaluation and qualified alerts | Monitoring |
| Art.90 | AI Office information requests (documentary) | Investigation — Stage 1 |
| Art.91 | AI Office inspections (access-based) | Investigation — Stage 2 |
| Art.93 | AI Office interim measures (urgency) | Emergency enforcement |
| Art.89 | Right to be heard before enforcement measures | Pre-decision procedural right |
| Art.99 | Penalties | Final enforcement |
Understanding Art.90's position helps providers calibrate their response investment. A complete, well-organised Art.90 response that addresses the AI Office's underlying concerns can close the investigation at Stage 1. An inadequate response escalates to Art.91 — a substantially more intrusive and disruptive process.
See Also
- Art.91: AI Office Inspections of GPAI Providers — On-Site and Remote Access Developer Guide — Art.91 is the access-based Stage 2 investigation that follows an inadequate or incomplete Art.90 response; the Commission decision authorises physical entry and remote system access.
- Art.89: Right to Be Heard Before Enforcement Measures — Developer Response Guide — The Art.89 procedural right applies after an Art.90 investigation escalates to a corrective measure or penalty decision.
- Art.88: Whistleblower Protection for AI Act Reporters — Whistleblower reports can trigger NCA complaints (Art.87) and Scientific Panel alerts that feed into Art.90 requests.
- Art.87: Complaints to Market Surveillance Authorities — For high-risk AI systems supervised by NCAs; Art.90 is the GPAI-equivalent investigation tool at AI Office level.
- Art.55: AI Office Evaluation of GPAI Models and Scientific Panel Powers — Scientific Panel qualified alerts are the primary Art.90 trigger from the monitoring layer.