2026-04-16·12 min read·

EU AI Act Art.46 Derogation from Conformity Assessment: Emergency Authorisation for High-Risk AI — Developer Guide (2026)

EU AI Act Article 46 is the regulation's emergency exit. Where Art.43 defines the normal conformity assessment path — internal control under Annex VI or notified body assessment under Annex VII — Art.46 creates a derogation mechanism that allows a national market surveillance authority (MSA) to authorise a high-risk AI system for market placement or service deployment without the system having completed that assessment. The derogation is not a loophole. It is a structured exception with time limits, Commission notification requirements, an objection window, and a revocation power. But it exists — and for developers building AI systems for government customers, defence agencies, or emergency response operators, understanding when and how Art.46 activates is essential.

The practical significance for most SaaS developers is indirect. Art.46 is invoked by the government, not by the provider. A national MSA decides to grant the derogation; the provider does not apply for it in the way they would file for a conformity assessment. But the derogation creates documentation obligations on the provider side, and it affects the chain of Art.43, Art.44, Art.48, and Art.49 compliance steps that normally precede market placement. If your enterprise customer is a government agency operating under an Art.46 derogation, you need to understand what that derogation covers and what it does not.

Art.46 in the Conformity Assessment Framework

The EU AI Act's conformity assessment chain for high-risk AI runs in sequence: Art.43 (assessment procedure) → Art.44 (certificates, if notified body path) → Art.48 (EU Declaration of Conformity) → Art.49 (CE marking) → Art.32 (EU database registration). Under normal circumstances, all five steps must complete before a high-risk AI system can be placed on the EU market or put into service.

Art.46 interrupts this chain at the Art.43 step. It does not eliminate the requirement for the other steps — providers operating under an Art.46 derogation still need documentation, still face Art.16 provider obligations, and still must cooperate with MSA supervision. What Art.46 does is allow a specific system to be deployed before the conformity assessment is complete, when the public interest in doing so outweighs the certification requirements.

The article sits in Chapter V (Standards, Certificates, Registration) between Art.45 (notified body information obligations) and Art.47 (simplified declaration of conformity for Annex I products). Its position reflects that it is a procedural exception to Art.43, operating within the broader conformity machinery.

Art.46(1): National MSA Authorisation

Art.46(1) grants national MSAs the authority to issue derogation authorisations. The conditions are:

Reasoned request requirement. A reasoned request must precede the authorisation. The regulation does not specify who files the request — in practice it will typically be the operator deploying the system (a government agency, emergency service, or regulated entity) rather than the provider. The request must establish why the public interest outweighs the certification requirements.

Public interest test. The MSA must conclude that the public interest in placing or putting into service the high-risk AI system "outweighs the certification requirements set out in Art.43(1)." The regulation does not define "public interest" with precision, but the legislative history and context indicate circumstances like: national security needs, disaster response requiring rapid AI deployment, public health emergencies, or critical infrastructure protection where the conformity assessment timeline would cause harm that exceeds the risk of deploying an uncertified system.

Six-month time limit. The authorisation is "limited to a period appropriate to the circumstances and, in any case, shall not exceed six months." This is an absolute cap. The MSA cannot grant a twelve-month derogation. If the provider needs continued deployment beyond six months, they would need to complete the Art.43 conformity assessment or obtain a new derogation (which would require a new public interest determination).

Immediate Commission and Member State notification. Upon granting the authorisation, the MSA must "without delay" notify the Commission and all other Member States. The notification triggers the Art.46(2) objection window.

Art.46(2) creates a 15-working-day window after the Commission and other Member States receive the Art.46(1) notification. If no objection is raised during that window, "the authorisation shall be deemed to be legitimate."

This is the EU AI Act's silent consent mechanism for Art.46 derogations. The practical effect is that a national derogation becomes EU-wide implicitly acknowledged if no other party objects within three calendar weeks (approximately). The silence of the Commission and peer Member States is treated as tacit approval.

The 15-working-day clock starts from receipt of notification, not from the grant of the authorisation. In urgent cases, the MSA may grant the authorisation and notify simultaneously, starting the clock immediately. In practice, if an MSA notifies on Monday, the 15-working-day window closes three calendar weeks later (assuming no holidays), making the derogation "deemed legitimate" before the end of the first month.

Developer implication: If your customer is deploying under an Art.46(1) derogation and the 15-working-day window has passed without objection, the derogation has achieved implicit EU-wide legitimacy. You can rely on it for the duration of the six-month limit — but document when the notification was made and when the 15 days expired.

Art.46(3): Commission Objection and Revocation Power

Art.46(3) defines what happens when the Commission or another Member State raises an objection during the 15-working-day window. Two scenarios:

Scenario A — Another Member State objects. If a peer MSA raises objections, the Commission must "without delay enter into consultations with the relevant national authority." This is a mediation role: the Commission convenes the conversation rather than deciding unilaterally at this stage. The outcome of those consultations informs the Commission's subsequent decision.

Scenario B — Commission acts independently. The Commission may also determine that an authorisation is "contrary to Union law" and initiate the Art.46(3) process on its own motion, without waiting for a Member State objection.

Commission decision. Following consultation, the Commission decides whether the authorisation is "justified or not" and addresses that decision to the granting Member State. If the Commission's decision is negative — it finds the authorisation unjustified — the authorisation is revoked.

Developer implication: A revocation under Art.46(3) terminates the derogation. If the system has been deployed under the now-revoked authorisation, the operator must immediately halt use or comply with the standard Art.43 path within whatever transition period the Commission specifies. Providers should build their contractual terms with government customers to address what happens if an Art.46 derogation is revoked.

Art.46 Intersection Matrix

Article	Intersection
Art.43	Art.46 is a derogation from Art.43(1) — the conformity assessment procedure is bypassed by the MSA authorisation
Art.44	No certificate is issued under Art.46 — the notified body path (Annex VII) is not followed
Art.48	Provider must still maintain documentation supporting a DoC equivalent, even if the formal DoC clock differs
Art.49	CE marking cannot be affixed under Art.46 — the system has not completed Art.43
Art.16	Provider Art.16 obligations continue under Art.46 — quality management system, technical documentation, post-market monitoring
Art.74	MSA supervision continues at full intensity — Art.46 derogations are not free from market surveillance
Art.99	Penalties apply if provider misrepresents Art.46 scope or conditions, or continues deployment after revocation
Art.47	Separate article governing simplified DoC for Annex I products — not the same mechanism as Art.46

CE marking is not available under Art.46. This is a critical point often missed in emergency procurement discussions. Art.46 allows market placement without completing Art.43, but it does not confer the right to affix CE marking under Art.49. The CE marking requires completed conformity assessment. Providers who affix CE marking on a system deployed only under Art.46 are in violation of Art.49.

Provider Documentation Obligations Under Art.46

Even without completing Art.43, providers deploying under an Art.46 derogation face significant documentation obligations. Art.16 provider obligations continue in full:

Technical documentation (Art.11). The provider must maintain technical documentation as specified in Annex IV. The derogation does not suspend this obligation. MSA inspectors will scrutinise the documentation when they audit Art.46 deployments.

Quality management system (Art.9-equivalent). Risk management documentation under Art.9, and the quality management system elements under Art.17, remain required. Art.46 creates an exception to the assessment procedure, not to the underlying compliance architecture.

Post-market monitoring (Art.30, Art.72). The Art.30 post-market monitoring plan must be in place and operating. Under Art.46, where the system has not been through the notified body's scrutiny, the post-market monitoring function carries additional weight in demonstrating ongoing compliance.

Serious incident reporting (Art.73). If a serious incident occurs during an Art.46 deployment, Art.73 reporting obligations apply in full. The derogation does not exempt the provider from incident reporting to the MSA and Commission.

Cooperating with the derogation conditions. The MSA may attach conditions to the Art.46 authorisation. Providers must understand and comply with those conditions — the six-month limit, any usage restrictions, any monitoring requirements the MSA specifies.

Art.46 in Practice: Emergency AI Procurement

The most common Art.46 use cases in the 2026 AI Act landscape are:

Pandemic/disaster response systems. AI systems for rapid triage, resource allocation, or epidemiological modelling that need immediate deployment during a declared emergency. The Art.46 derogation allows deployment before the conformity assessment — typically months long — can be completed.

Law enforcement and national security. Real-time biometric identification systems or threat detection AI needed urgently in specific national security contexts. Note that Art.5 prohibited AI (social scoring, mass untargeted biometric surveillance) is not unlocked by Art.46 — the derogation only applies to AI systems that are high-risk under Annex III, not ones that are categorically prohibited.

Critical infrastructure protection. AI systems managing grid stability, water treatment, or transport during a crisis that meets the public interest threshold.

Defence procurement. AI systems needed for specific defence operations under the public security exception.

What Art.46 does not cover:

Prohibited AI systems under Art.5 — Art.46 cannot authorise these
General-purpose AI (Chapter V) — Art.46 is scoped to Art.43(1) conformity assessment for Annex III high-risk systems
Continuous operations post-six-months without a new derogation or completed Art.43

Five Common Mistakes

Mistake 1: Treating Art.46 as a provider-initiated process. Art.46 is MSA-initiated. The provider cannot apply for a derogation. A government customer or operator must obtain the derogation from their national MSA. Providers who market their systems as "Art.46 certified" or who claim to have "obtained an Art.46 derogation" are misrepresenting the mechanism.

Mistake 2: Affixing CE marking under Art.46. CE marking requires completed Art.43 assessment. Art.46 derogations do not confer CE marking rights. Affixing CE marking on a system deployed only under Art.46 is an Art.49 violation subject to Art.99 penalties.

Mistake 3: Assuming Art.46 means no documentation. The derogation bypasses the conformity assessment procedure, not the underlying Art.16 compliance obligations. Technical documentation, quality management, post-market monitoring, and incident reporting all continue.

Mistake 4: Ignoring the 15-working-day window. Providers and government customers should track when the Commission notification was made. If the 15-day window has not yet expired, the derogation's "deemed legitimate" status has not yet been achieved. Deployments during this window are valid under Art.46(1) but not yet through the silent consent threshold.

Mistake 5: Not planning for revocation. If the Commission issues a negative decision under Art.46(3), the derogation is revoked. Contracts with government customers should address what happens operationally and commercially in a revocation scenario — system shutdown, data handling, transition obligations.

CLOUD Act Jurisdiction Risk for Art.46 Records

The intersection of Art.46 derogation records with US CLOUD Act compellability risk is significant:

Derogation documentation sensitivity. Art.46 authorisations in national security, law enforcement, or critical infrastructure contexts involve documentation that the deploying government may consider sensitive or classified. If the provider's technical documentation, post-market monitoring logs, or incident reports are stored on US-jurisdiction cloud infrastructure, they may be compellable under the CLOUD Act without the EU government customer's knowledge.

Dual exposure. The provider faces CLOUD Act compellability from the US side, and Art.16/Art.74 cooperation obligations from the EU MSA side. If these two regimes conflict — a US subpoena for the same records a EU MSA is entitled to inspect — the provider is caught between jurisdictions.

EU-native infrastructure eliminates the risk. Providers using EU-sovereign infrastructure for technical documentation, post-market monitoring data, and derogation-related records are subject only to EU jurisdiction. There is no compellability exposure to a foreign government. For providers building systems likely to be deployed under Art.46 in national security or law enforcement contexts, EU-native infrastructure is not just a compliance differentiator — it is a prerequisite for secure government procurement.

Python Implementation

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional
from enum import Enum

class DerogationStatus(Enum):
    GRANTED = "granted"
    NOTIFIED = "notified_commission"
    SILENT_CONSENT = "deemed_legitimate"
    UNDER_REVIEW = "commission_review"
    REVOKED = "revoked"
    EXPIRED = "expired"

@dataclass
class DerogationAuthorisationRecord:
    """Art.46(1): National MSA derogation authorisation record."""
    system_name: str
    provider: str
    granting_msa_member_state: str
    authorisation_date: date
    public_interest_grounds: str
    duration_days: int  # max 183 (6 months)
    commission_notification_date: Optional[date] = None
    status: DerogationStatus = DerogationStatus.GRANTED

    @property
    def expiry_date(self) -> date:
        return self.authorisation_date + timedelta(days=min(self.duration_days, 183))

    @property
    def silent_consent_deadline(self) -> Optional[date]:
        """15 working days after Commission notification (approx 21 calendar days)."""
        if self.commission_notification_date:
            return self.commission_notification_date + timedelta(days=21)
        return None

    def is_expired(self, check_date: date = None) -> bool:
        check = check_date or date.today()
        return check > self.expiry_date

    def has_silent_consent(self, check_date: date = None) -> bool:
        """Art.46(2): deemed legitimate after 15 working days without objection."""
        if self.status not in (DerogationStatus.NOTIFIED, DerogationStatus.SILENT_CONSENT):
            return False
        check = check_date or date.today()
        deadline = self.silent_consent_deadline
        return deadline is not None and check >= deadline


@dataclass
class Art46NotificationTracker:
    """Tracks Art.46(1) Commission notification and Art.46(2) silent consent window."""
    derogation: DerogationAuthorisationRecord
    objections_received: list = field(default_factory=list)
    commission_decision_date: Optional[date] = None
    commission_decision_justified: Optional[bool] = None

    def record_notification(self, notification_date: date):
        self.derogation.commission_notification_date = notification_date
        self.derogation.status = DerogationStatus.NOTIFIED

    def record_objection(self, objecting_party: str, objection_date: date):
        self.objections_received.append({
            "party": objecting_party,
            "date": objection_date.isoformat()
        })
        self.derogation.status = DerogationStatus.UNDER_REVIEW

    def record_commission_decision(self, decision_date: date, justified: bool):
        self.commission_decision_date = decision_date
        self.commission_decision_justified = justified
        if not justified:
            self.derogation.status = DerogationStatus.REVOKED
        else:
            self.derogation.status = DerogationStatus.SILENT_CONSENT

    def update_status(self, check_date: date = None):
        check = check_date or date.today()
        if self.derogation.status == DerogationStatus.REVOKED:
            return
        if self.derogation.is_expired(check):
            self.derogation.status = DerogationStatus.EXPIRED
            return
        if self.derogation.has_silent_consent(check):
            if self.derogation.status == DerogationStatus.NOTIFIED:
                self.derogation.status = DerogationStatus.SILENT_CONSENT


@dataclass
class DerogationComplianceChecker:
    """Validates provider compliance during Art.46 derogation deployment."""
    derogation: DerogationAuthorisationRecord
    technical_documentation_complete: bool = False
    qms_in_place: bool = False
    pms_plan_active: bool = False
    ce_marking_affixed: bool = False  # must be False under Art.46

    def check_compliance(self) -> dict:
        issues = []
        if not self.technical_documentation_complete:
            issues.append("Art.11: Technical documentation incomplete — required even under Art.46")
        if not self.qms_in_place:
            issues.append("Art.17: Quality management system not in place — Art.16 obligations continue")
        if not self.pms_plan_active:
            issues.append("Art.30: Post-market monitoring plan not active — required under Art.46")
        if self.ce_marking_affixed:
            issues.append("Art.49 VIOLATION: CE marking affixed without completed Art.43 — revoke immediately")
        if self.derogation.is_expired():
            issues.append("Art.46: Derogation expired — halt deployment immediately")
        if self.derogation.status == DerogationStatus.REVOKED:
            issues.append("Art.46(3): Derogation revoked by Commission — halt deployment immediately")
        return {
            "derogation_status": self.derogation.status.value,
            "derogation_valid_until": self.derogation.expiry_date.isoformat(),
            "silent_consent_achieved": self.derogation.has_silent_consent(),
            "compliance_issues": issues,
            "compliant": len(issues) == 0
        }

Art.46 Compliance Checklist (30 Items)

MSA Authorisation Verification

Confirmed derogation was granted by national MSA (not self-declared by provider or operator)
Obtained copy of MSA authorisation document including grounds and duration
Verified duration does not exceed 6 months from authorisation date
Confirmed Art.5 prohibited AI categories are not involved (Art.46 cannot unlock these)
Confirmed system is Annex III high-risk (Art.46 applies to Art.43(1) assessment)
Noted exact authorisation date and expiry date in compliance records

Confirmed MSA notified Commission and all Member States "without delay" after Art.46(1) grant
Recorded Commission notification date
Calculated 15-working-day (≈ 21 calendar day) silent consent deadline
Monitored for Commission or Member State objections during the window
Confirmed "deemed legitimate" status achieved (Art.46(2) silent consent) or commission approval
Alert system in place for Art.46(3) Commission objection notification

Provider Art.16 Ongoing Obligations

Technical documentation (Annex IV) complete and maintained
Quality management system (Art.17) in place and documented
Post-market monitoring plan (Art.30) active and generating data
Serious incident reporting (Art.73) process configured for Art.46 deployment
MSA access to documentation and records confirmed under Art.74
Authorised representative in place if provider is non-EU (Art.22)

CE Marking and Conformity Chain

Confirmed CE marking is NOT affixed (Art.49 requires completed Art.43)
Confirmed EU Declaration of Conformity not issued in misleading form claiming Art.43 completion
Art.32 EU database registration not filed with false conformity status
Customer/operator informed that system operates under derogation, not full conformity certification

Revocation and Expiry Planning

Contract with government customer addresses Art.46(3) revocation scenario
Operational shutdown/transition plan documented if derogation is revoked
Reminder system set for 30 days before derogation expiry
Plan documented: will provider complete Art.43 before expiry, or seek new derogation?
Data handling procedure for post-derogation system shutdown defined

CLOUD Act and Jurisdiction

Technical documentation and post-market monitoring records hosted on EU-sovereign infrastructure
No US-jurisdiction cloud used for records related to national security Art.46 deployments
Provider's US parent or subsidiary cannot compel EU-sensitive derogation records
Supabase/equivalent configured in EU region, not US
Government customer informed of infrastructure jurisdiction for derogation-related records

Key Takeaways

Art.46 is MSA-initiated, not provider-initiated. Providers do not "apply" for Art.46 derogations. A national market surveillance authority grants them upon a reasoned request, typically from a government operator.
Six-month absolute cap. No derogation can exceed six months. After expiry, the provider must halt deployment, complete Art.43, or obtain a new derogation.
No CE marking. Systems deployed under Art.46 have not completed Art.43. CE marking under Art.49 is unavailable. Any CE marking affixed on an Art.46-only deployment is an Art.49 violation.
15-working-day silent consent. After the Commission is notified, a 15-working-day window determines whether the derogation becomes "deemed legitimate" across the EU. No objection = tacit approval.
Commission can revoke. If the Commission or a peer Member State objects and the Commission decides the authorisation is unjustified, the derogation is revoked. Providers should plan contractually for this scenario.
Art.16 obligations continue. Technical documentation, quality management, post-market monitoring, and incident reporting apply in full under Art.46. The derogation bypasses the assessment procedure, not the underlying compliance architecture.
CLOUD Act risk is highest here. Art.46 deployments in national security and law enforcement contexts involve the most sensitive documentation. EU-native infrastructure is critical for providers operating in these spaces.