EU AI Act Art.74 Market Surveillance: What NCAs Will Actually Check — Developer Guide 2026

Post #1647 in the sota.io EU AI Compliance Series — EU AI Act Enforcement Series #1/5

The EU AI Act's August 2026 compliance deadline is approaching, and with it comes the activation of national competent authority (NCA) enforcement powers under Art.74. If you're a high-risk AI provider or deployer, you will eventually receive an NCA inquiry — and the difference between a smooth audit and a months-long enforcement proceeding comes down to preparation.

This guide covers what Art.74 gives NCAs the power to demand, what documents you need to have ready, and how your infrastructure choices affect your exposure.

What Art.74 Actually Authorizes

Art.74 designates NCAs as the market surveillance authorities responsible for supervising AI systems placed on the Union market. This is not a passive oversight role. NCAs receive active investigation powers that can be triggered without prior warning.

Under the market surveillance framework, NCAs can:

• Request full technical documentation — the complete Annex IV package including system architecture, training methodology, risk management system records, and conformity assessment files
• Access training, validation, and testing datasets — Art.74 explicitly grants NCAs the right to examine the data used to develop your AI system, not just the deployed model
• Conduct on-site inspections of premises where AI systems are developed, deployed, or operated
• Request product samples or require demo access to AI systems under review
• Order immediate corrective actions if a serious risk is identified during market surveillance

The source code access question deserves special attention. Art.74 requires a reasoned request from the NCA and, in practice, access to source code typically requires judicial or administrative authorization — but it is explicitly within scope. Providers who store source code on infrastructure subject to third-country jurisdiction face a compounded risk: the CLOUD Act could allow parallel access requests from US authorities without the procedural protections of the EU framework.

The Four NCA Audit Triggers

NCAs do not conduct random audits of every AI provider. Market surveillance is risk-driven, and you're most likely to receive attention through one of four triggers:

1. Serious Incident Reports

When Art.73 requires you to report a serious incident to your national market surveillance authority, that report automatically puts your AI system under scrutiny. The NCA will review whether your post-market monitoring system (Art.72) is functioning correctly and whether your corrective actions are proportionate. Incident reports that reveal systemic monitoring gaps frequently escalate into full Art.74 audits.

2. Complaint-Driven Surveillance

Art.85 gives affected persons the right to lodge complaints with NCAs. A single substantiated complaint about discriminatory outputs, safety failures, or insufficient human oversight can trigger an investigation. Deployers who use high-risk AI systems for consequential decisions — credit scoring, recruitment, educational assessment, law enforcement profiling — face the highest complaint exposure.

3. Coordinated Union-Level Sweeps

The AI Office coordinates market surveillance activities across Member States under Art.74(11). Sector-specific sweeps targeting high-risk AI categories (medical devices, biometric identification, critical infrastructure) are likely in 2026-2027. If your industry vertical is targeted, all providers in that category should expect simultaneous outreach.

4. Whistleblower Disclosures

Art.87 protects persons who report violations to NCAs. Internal team members, contractors, or users with knowledge of non-compliant AI practices can trigger investigations without being identified. Providers without robust compliance documentation face disproportionate risk here — a whistleblower disclosure against a poorly-documented system often results in an immediate request for the full Annex IV package.

What NCAs Will Request First

Based on the market surveillance framework, expect the first NCA inquiry to request:

Priority 1 (typically within 15-30 days notice):
├── Annex IV Technical Documentation (complete)
├── EU Declaration of Conformity
├── Conformity Assessment records (third-party NB report if required)
├── CE marking authorisation documentation
└── Post-market monitoring plan (Art.72 PMP)

Priority 2 (may follow within initial request):
├── Risk Management System documentation (Art.9 RMS)
├── Data governance records (Art.10 compliance evidence)
├── Human oversight implementation evidence (Art.14)
├── Incident log (Art.73 serious incident records)
└── Quality Management System documentation (Art.17 QMS)

Priority 3 (deep audit phase):
├── Training dataset access or documented data governance trail
├── Validation and testing dataset records
├── Change management log (substantial modifications — updates that may require re-assessment)
└── Source code access request (requires separate authorization)

Companies that cannot produce Priority 1 documentation within the notice period face immediate provisional measures — including market withdrawal orders — under Art.74(9).

Infrastructure Access: The Cloud Act Exposure Problem

Art.74 creates a specific risk for AI providers using US-owned cloud infrastructure. When an NCA requests access to training data stored on AWS, Azure, or Google Cloud, they are requesting access to data held on infrastructure that is simultaneously subject to US Department of Justice CLOUD Act orders.

This creates a three-way tension:

1. EU NCA demands access under Art.74 for market surveillance purposes
2. CLOUD Act enables parallel US government access to the same data
3. GDPR Art.48 prohibits transfers to third-country authorities without proper safeguards

Providers using EU-native infrastructure (Hetzner Germany, OVHcloud, Scaleway) eliminate this conflict. The NCA gets access to data held under EU jurisdiction exclusively. There is no parallel CLOUD Act exposure because there is no US parent entity over whom US courts have jurisdiction.

For AI systems processing sensitive categories of data — health data, biometric data, data concerning public figures — this jurisdiction clean-break is increasingly treated as a compliance prerequisite rather than a nice-to-have.

Documentation You Need Before August 2026

The Art.74 audit readiness checklist maps directly to your existing obligations:

Annex IV Technical Documentation

Your technical documentation must be complete before August 2, 2026 — not "in progress." NCAs treating Annex IV as a work in progress will issue corrective action notices. At minimum, complete sections covering:

• General description of the AI system and its intended purpose
• Design specifications, system architecture diagram, and development methodology
• Training data description and data governance procedures
• Technical robustness and accuracy validation results
• Risk management system records (Art.9 RMS documentation)
• Human oversight mechanisms (Art.14 implementation evidence)
• Cybersecurity measures (Art.15 compliance)
• Post-market monitoring plan

Conformity Assessment Trail

If your system required third-party conformity assessment via a notified body, retain all correspondence, interim reports, and the final conformity assessment report. NCAs can request this directly from the notified body as well — inconsistencies between your records and the NB's records are a significant red flag.

Incident Log Integrity

Art.73 requires reporting serious incidents to the NCA of the Member State where the incident occurred. Your incident log needs to demonstrate continuous monitoring with timestamped entries — not a retrospective reconstruction. NCAs can correlate your incident log timestamps against your system logs to verify authenticity.

Timeline: What to Expect After an NCA Contact

Day 0:     NCA sends formal market surveillance inquiry
Days 1-3:  Acknowledge receipt; engage legal counsel
Days 15-30: Deadline for Priority 1 documentation submission (varies by Member State)
Days 30-60: NCA reviews documentation; may request Priority 2 materials
Days 60-90: NCA preliminary findings communicated
Days 90+:  Corrective action period OR escalation to provisional measures

If serious risk identified:
Day 0+:    NCA can immediately impose provisional measures (Art.74(9))
           including market withdrawal and access suspension

The key is the Day 15-30 documentation window. Providers who respond promptly with complete documentation typically receive a standard review with a corrective action notice for any gaps. Providers who cannot produce documentation within the notice period face presumption of non-compliance — NCAs have no obligation to extend deadlines when Annex IV documentation should have been prepared before system deployment.

Enforcement Penalties Under Art.99

Article 99 establishes the administrative penalty framework for AI Act violations. The penalty tiers are:

• Prohibited AI systems violations (Art.5): Up to €35 million or 7% of global annual worldwide turnover
• Provider and deployer obligation violations: Up to €15 million or 3% of global annual worldwide turnover
• Providing incorrect, incomplete or misleading information to NCAs: Up to €7.5 million or 1% of global annual worldwide turnover

For SMEs and startups, Art.99 includes proportionality provisions — penalties shall be "effective, proportionate and dissuasive," and NCAs must consider the economic situation of the provider. However, proportionality does not eliminate liability: a startup without Annex IV documentation is not exempt from enforcement, only potentially subject to a lower absolute penalty.

Practical Preparation Checklist

30 days before your target compliance date:

• Annex IV Technical Documentation complete and version-controlled
• EU Declaration of Conformity signed and filed
• Art.9 RMS documentation current
• Art.72 Post-Market Monitoring Plan in place with active monitoring
• Art.73 incident reporting procedures documented and tested
• Art.14 human oversight mechanisms verified and logged

Infrastructure verification:

• Confirm training data storage jurisdiction (EU vs US infrastructure)
• Document data governance trail for training, validation, and testing datasets
• Verify your cloud provider has no US parent entity if CLOUD Act exposure is a concern
• Ensure source code repositories are hosted under EU jurisdiction

Operational readiness:

• Legal contact designated as primary NCA liaison
• Internal escalation path for NCA inquiries (CTO → Legal → CEO)
• Document retention policy covers minimum 10 years for high-risk systems (Art.18)
• NCA contact details for your primary Member State market

This is post #1 in our EU AI Act Enforcement Series covering Art.74-82 and Art.99. Next: Art.75/76 — Corrective Actions and Remedies: what happens after NCA findings and your legal response options as a provider.

See also:

• EU AI Act Art.26 Deployer Obligations Complete Guide
• EU AI Act Art.73 Incident Reporting Pipeline
• EU AI Act Infrastructure Compliance: Which Hosting Choices Affect Your NCA Exposure