sota.io
2026-04-16·12 min read·

EU AI Act Art.54 Authorized Representative: What Non-EU GPAI Providers Must Do Before Entering the EU Market (2026)

Your company is headquartered in San Francisco. You have trained a general-purpose AI model. You are making that model available via API to customers in Germany, France, and the Netherlands. You believe your EU legal exposure is limited to GDPR compliance handled by a data processing agreement.

You are wrong about the EU AI Act.

EU AI Act Article 54 creates a mandatory EU Authorized Representative (AR) requirement for every non-EU provider of a general-purpose AI model (GPAI model) who makes that model available in the Union. The obligation triggers before you place the model on the market. There is no minimum-revenue threshold, no grace period for small companies, and no carve-out for API-only access. If you offer a GPAI model to EU users and you are established outside the EU, you need an EU AR.

This guide covers exactly what Article 54 requires, how to select and mandate an AR, how this interacts with your GDPR Art.27 representative, and the enforcement exposure you face if you skip this step.

What Article 54 Actually Requires

Article 54 of EU AI Act (Regulation (EU) 2024/1689) reads:

Art.54(1): Before making a general-purpose AI model available on the Union market, providers of general-purpose AI models established in third countries shall, by written mandate, appoint an authorised representative established in the Union.

Three elements to parse:

"Before making available" — The AR must be in place before you offer the model to EU users. Retroactive compliance (appointing an AR after EU customers are already using your model) cures the violation going forward but leaves a gap during which enforcement action is possible.

"By written mandate" — Informal appointments are insufficient. You need a signed contract specifying the AR's powers, tasks, and the information you will provide them. The AI Office can request a copy of this mandate in an EU official language.

"Established in the Union" — The AR must be a legal entity or natural person with an actual establishment in an EU Member State. A registered address in a Cayman Islands holding company that also has a filing address in Dublin does not qualify. The AR must have an address, a contact point, and be reachable during normal business hours.

Who Must Appoint an EU AR?

The obligation applies to GPAI providers — the entities that train and make available the underlying general-purpose model — who are established in a third country (outside the EU).

This covers:

Who does NOT need to appoint an AR under Art.54:

The deployer distinction is critical: If you are a Berlin-based startup using GPT-4 via OpenAI's API to build a legal document tool, you are a deployer, not a GPAI provider. Art.54 does not apply to you. OpenAI (the GPAI provider) bears the AR obligation for its own model. Your EU AI Act obligations as a deployer flow from Chapter III (high-risk AI) or Chapter IV (transparency), not Art.54.

The Four Mandatory Duties of the AR

Under Art.54(3), the written mandate must empower the AR to carry out four specific tasks:

Duty 1: Documentation and Registration Verification (Art.54(3)(a))

The AR must verify that:

This is an active verification duty, not passive record-keeping. The AR must have access to your technical documentation and must be able to confirm its completeness to the AI Office. If your technical documentation is confidential or classified as trade secret, you must establish a process for giving the AR access under appropriate confidentiality conditions.

Duty 2: Contact Point Maintenance (Art.54(3)(b))

The AR must keep the provider's contact details available for the AI Office and national competent authorities under Art.70. This means:

The AR becomes the primary channel through which EU authorities reach a non-EU provider. An AR who cannot actually contact the provider or who has stale contact information creates enforcement liability for both the AR and the provider.

Duty 3: Compliance Documentation on Request (Art.54(3)(c))

When the AI Office or a national competent authority requests documentation demonstrating compliance, the AR must be able to provide:

This duty requires a live data-sharing arrangement between the provider and the AR. The AR cannot fulfill this duty from a locked filing cabinet — they need secure, current access to compliance documentation.

Duty 4: Cooperation with Authorities (Art.54(3)(d))

The AR must cooperate with the AI Office and national competent authorities in any action taken regarding the GPAI model, including when the model presents systemic risk. This is the most open-ended duty: it covers investigations, audits, recall proceedings, and any enforcement action up to and including market withdrawal.

For GPAI models designated as systemic risk under Art.51, this duty expands: the AR must be able to facilitate the enhanced obligations under Art.55 (adversarial testing, incident reporting, technical documentation updates, cybersecurity measures).

Provider Obligations to the AR

The mandate is not a one-way delegation. Art.54(4) places reciprocal obligations on the provider:

The authorised representative shall be informed of and shall have the necessary resources and authority to fulfil its obligations under this Regulation.

In practice this means:

Provider ObligationWhat It Requires
Inform the ARRegular updates on model changes, new deployments, incidents, regulatory queries
ResourcesThe AR must be adequately compensated — underfunded or pro-forma AR arrangements are legally vulnerable
AuthorityThe AR must be empowered to make commitments to authorities on the provider's behalf within the mandate scope
Documentation accessReal-time or on-demand access to Art.53 technical documentation
Incident notificationProvider must notify AR immediately when a serious incident occurs (Art.73 applies to high-risk systems; for GPAI models the cooperation duty in Art.54(3)(d) creates an analogous obligation)

A common mistake: treating the AR like a registered agent service that files papers and forwards mail. EU AI Act Art.54 requires a substantive relationship. The AR must be able to verify documentation and cooperate with investigations — functions that require actual competence and engagement, not just a legal address.

Selecting an Authorized Representative: Practical Criteria

The EU AI Act does not define specific professional qualifications for an AR. In practice, your AR should satisfy at least the following:

Legal capacity: Must be a legal entity or natural person with legal capacity to contract and to act as a representative under EU law. An individual lawyer, a law firm, a compliance consultancy, or a specialist AI regulatory service all qualify.

EU establishment: Actual presence in an EU Member State with a real business address, not just a registered agent or mail-forwarding service. The AR must be reachable "during normal business hours" per Art.54(5) — implying staffed presence, not just a PO box.

AI Act competence: The AR is responsible for verifying technical documentation and cooperating on enforcement. A general corporate law firm with no AI regulatory experience will struggle with the Art.53 documentation verification duty. Look for AR services with demonstrated AI regulation or product compliance backgrounds.

Information security: You will need to share technical documentation, model weights metadata, and potentially incident reports with your AR. Evaluate their data handling practices.

Conflicts of interest: An AR who simultaneously represents a competitor's GPAI model creates obvious conflict risks.

Market options: By mid-2026, several European law firms and specialist compliance services have begun offering EU AR services for AI Act purposes, following the pattern established for GDPR Art.27 representative services. The EU AI Office has not yet established a registry of qualified ARs (as of Q2 2026), so due diligence on candidates is the provider's responsibility.

Relationship to GDPR Art.27: EU Representative

Many non-EU AI companies are already familiar with the GDPR Art.27 requirement to appoint an EU Representative for data protection purposes. The AI Act Art.54 AR is a parallel but distinct obligation:

DimensionGDPR Art.27 EU RepEU AI Act Art.54 AR
Legal basisGDPR (Regulation (EU) 2016/679)EU AI Act (Regulation (EU) 2024/1689)
TriggerProcessing personal data of EU data subjectsMaking GPAI model available in EU
Who contacts themData protection authorities (DPAs)AI Office + national competent authorities
Primary obligationData subjects can exercise rights through RepProvider's Art.53 compliance is verifiable through AR
Can be same entity?Yes — there is no legal bar to having the same organisation serve as both Art.27 Rep and Art.54 ARSame

Practical advice: If you already have a GDPR Art.27 EU Representative, assess whether that entity also has AI Act competence and can serve as your Art.54 AR. A single EU entity serving both roles reduces complexity and creates a unified regulatory contact point. However, do not simply extend the GDPR representative appointment by memo — Art.54 requires a separate written mandate specifying the Art.54-specific tasks.

Some specialist firms offering "AI Act representative" services bundle GDPR Art.27 and AI Act Art.54 representation in a single engagement. This is operationally sensible for companies without existing EU compliance infrastructure.

Art.54 vs. the GPAI Registry: Art.71 Interaction

GPAI providers must register their models in the EU database established under Art.71. The AR plays a direct role in this: Art.54(3)(a) requires the AR to verify that registration has been completed. The Art.71 database will be managed by the AI Office and will contain, at minimum:

For systemic risk GPAI models (those meeting the Art.51 compute threshold of ≥10²⁵ FLOPs or designated by the AI Office), additional registration obligations apply. The AR's verification duty under Art.54(3)(a) extends to confirming these enhanced entries are complete and current.

The practical implication: your AR needs to be in the loop before you register a model in the EU database. Registering without an AR in place when you are a non-EU provider creates a documentation inconsistency that will surface during any AI Office audit.

Enforcement Exposure for Non-Compliance

The EU AI Act's penalty framework (Art.99) applies to GPAI providers, including those established outside the EU. Failure to appoint an AR is an infringement of Art.54, which falls under the Art.99(3) penalty tier:

Art.99(3): Non-compliance with obligations of providers of general-purpose AI models — administrative fine up to €15,000,000 or, if the offender is an undertaking, up to 3% of total worldwide annual turnover from the preceding financial year, whichever is higher.

For perspective, the 3% worldwide turnover cap makes this substantially more painful for large US AI companies than any flat-cap reading suggests. For a company with €10bn in revenue, the maximum fine is €300m.

Beyond the fine, the enforcement mechanism for non-EU providers is worth understanding:

Enforcement chain for non-EU GPAI providers:

  1. AI Office or national competent authority identifies a potential violation
  2. Authority attempts to contact the provider through the AR
  3. If no AR exists, authority may contact the provider directly (Art.70 cooperation provisions) and document the Art.54 violation
  4. AI Office can initiate an investigation under Art.90 — including, for systemic risk GPAI models, access to model documentation, mandatory adversarial testing, and compliance orders
  5. If the provider fails to comply with a compliance order, the AI Office can impose the Art.99 fines
  6. For companies without EU establishment, the AI Office can request cooperation from the third country's authorities under applicable international agreements — a slow but real pathway

The AR gap creates compounding risk: A non-EU provider with no AR also typically lacks the documentation verification structure that Art.54 requires. When an investigation begins, the combination of no AR + incomplete documentation + no EU presence creates a significantly harder enforcement defense than a provider who has the AR infrastructure in place.

Python ARComplianceChecker

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import datetime

class EstablishmentZone(Enum):
    EU = "eu"
    THIRD_COUNTRY = "third_country"
    UK = "uk"  # Post-Brexit: treated as third country for AI Act
    EEA_NON_EU = "eea_non_eu"  # Norway, Iceland, Liechtenstein: may adopt AI Act via EEA agreement

class ARStatus(Enum):
    NOT_REQUIRED = "not_required"
    REQUIRED_MISSING = "required_missing"
    REQUIRED_DEFICIENT = "required_deficient"
    REQUIRED_COMPLIANT = "required_compliant"

@dataclass
class GPAIProviderProfile:
    company_name: str
    establishment_zone: EstablishmentZone
    is_gpai_provider: bool  # True = trains/distributes GPAI model; False = deployer only
    makes_available_in_eu: bool
    
    # AR details
    ar_appointed: bool = False
    ar_written_mandate: bool = False
    ar_eu_established: bool = False
    ar_contact_reachable: bool = False  # reachable during normal business hours
    
    # AR mandate scope
    ar_can_verify_documentation: bool = False    # Art.54(3)(a)
    ar_has_contact_details: bool = False         # Art.54(3)(b)
    ar_can_provide_docs_on_request: bool = False  # Art.54(3)(c)
    ar_cooperates_with_authorities: bool = False  # Art.54(3)(d)
    
    # Provider-side obligations
    ar_informed_of_changes: bool = False         # Art.54(4)
    ar_has_sufficient_resources: bool = False    # Art.54(4)
    ar_has_authority_to_act: bool = False        # Art.54(4)
    documentation_access_granted: bool = False   # for AR to fulfill Art.54(3)(a)
    
    # Complementary
    gdpr_art27_rep_appointed: bool = False
    same_entity_for_both: Optional[bool] = None  # None if not applicable
    
    # Model registration
    art71_registration_complete: bool = False
    ar_verified_registration: bool = False       # Art.54(3)(a) duty

@dataclass
class ARComplianceResult:
    status: ARStatus
    gaps: list[str] = field(default_factory=list)
    warnings: list[str] = field(default_factory=list)
    recommendations: list[str] = field(default_factory=list)

def check_ar_compliance(provider: GPAIProviderProfile) -> ARComplianceResult:
    """
    Check EU AI Act Art.54 Authorized Representative compliance.
    Returns structured result with gaps and recommendations.
    """
    # Step 1: Does Art.54 apply?
    if not provider.is_gpai_provider:
        return ARComplianceResult(
            status=ARStatus.NOT_REQUIRED,
            recommendations=["You are a deployer, not a GPAI provider. Art.54 AR obligation does not apply to you. Check Art.26 deployer obligations instead."]
        )
    
    if not provider.makes_available_in_eu:
        return ARComplianceResult(
            status=ARStatus.NOT_REQUIRED,
            recommendations=["GPAI model not available in EU. Art.54 does not trigger. If you expand to EU, appoint AR before launch."]
        )
    
    if provider.establishment_zone == EstablishmentZone.EU:
        return ARComplianceResult(
            status=ARStatus.NOT_REQUIRED,
            recommendations=["EU-established GPAI provider. Art.54 AR not required — you are directly subject to AI Act obligations."]
        )
    
    # EEA status depends on EEA AI Act adoption (not yet confirmed as of 2026)
    if provider.establishment_zone == EstablishmentZone.EEA_NON_EU:
        return ARComplianceResult(
            status=ARStatus.NOT_REQUIRED,
            warnings=["EEA status (Norway/Iceland/Liechtenstein) is pending. If EEA AI Act adoption occurs without equivalence, Art.54 will apply. Monitor EEA Joint Committee decisions."]
        )
    
    # Art.54 applies: check compliance
    gaps = []
    warnings = []
    recommendations = []
    
    if not provider.ar_appointed:
        gaps.append("CRITICAL: No EU Authorized Representative appointed. Art.54(1) violation. €15M / 3% turnover penalty exposure.")
        recommendations.append("Appoint EU AR before making GPAI model available in EU. Consider combined GDPR Art.27 + AI Act Art.54 representative service.")
        return ARComplianceResult(status=ARStatus.REQUIRED_MISSING, gaps=gaps, recommendations=recommendations)
    
    # AR appointed — check quality
    deficiencies = []
    
    if not provider.ar_written_mandate:
        deficiencies.append("AR mandate not in writing. Art.54(1) requires 'written mandate'. Verbal or email appointment is non-compliant.")
    
    if not provider.ar_eu_established:
        deficiencies.append("AR not established in EU. Art.54(1) requires EU establishment — registered address in third country does not qualify.")
    
    if not provider.ar_contact_reachable:
        deficiencies.append("AR not reachable during normal business hours. Art.54(5) requirement.")
    
    # Mandate scope checks (Art.54(3))
    if not provider.ar_can_verify_documentation:
        deficiencies.append("Mandate does not cover Art.54(3)(a): verification of Art.53 technical documentation and Art.71 registration.")
    
    if not provider.ar_has_contact_details:
        deficiencies.append("Mandate does not cover Art.54(3)(b): maintaining provider contact details for authorities.")
    
    if not provider.ar_can_provide_docs_on_request:
        deficiencies.append("Mandate does not cover Art.54(3)(c): providing compliance documentation on AI Office/authority request.")
    
    if not provider.ar_cooperates_with_authorities:
        deficiencies.append("Mandate does not cover Art.54(3)(d): cooperation with AI Office and national competent authorities.")
    
    # Provider-side obligations (Art.54(4))
    if not provider.ar_informed_of_changes:
        warnings.append("Art.54(4): Ensure AR is informed of model changes, new versions, incidents, and regulatory queries.")
    
    if not provider.ar_has_sufficient_resources:
        warnings.append("Art.54(4): AR must have sufficient resources. Token/minimal AR arrangements are legally vulnerable.")
    
    if not provider.ar_has_authority_to_act:
        warnings.append("Art.54(4): AR must have authority to make commitments to authorities. Read-only mandates may be insufficient.")
    
    if not provider.documentation_access_granted:
        deficiencies.append("AR cannot fulfill Art.54(3)(a) without access to Art.53 technical documentation. Grant secure access.")
    
    # Complementary checks
    if not provider.gdpr_art27_rep_appointed:
        recommendations.append("GDPR Art.27 EU Representative also likely required if processing EU personal data. Consider combined AR appointment.")
    elif provider.same_entity_for_both is False:
        warnings.append("Different entities for GDPR Art.27 and AI Act Art.54 creates dual contact points. Consider consolidating if feasible.")
    
    if not provider.art71_registration_complete:
        deficiencies.append("GPAI model not registered in Art.71 EU database. Required before/at market placement.")
    elif not provider.ar_verified_registration:
        deficiencies.append("AR has not verified Art.71 registration. Art.54(3)(a) requires AR verification.")
    
    if deficiencies:
        return ARComplianceResult(
            status=ARStatus.REQUIRED_DEFICIENT,
            gaps=deficiencies,
            warnings=warnings,
            recommendations=recommendations
        )
    
    return ARComplianceResult(
        status=ARStatus.REQUIRED_COMPLIANT,
        warnings=warnings,
        recommendations=recommendations
    )

def generate_ar_report(provider: GPAIProviderProfile) -> str:
    result = check_ar_compliance(provider)
    lines = [
        f"=== EU AI Act Art.54 AR Compliance Report ===",
        f"Provider: {provider.company_name}",
        f"Status: {result.status.value}",
        f"Date: {datetime.date.today()}",
        "",
    ]
    if result.gaps:
        lines.append("GAPS (must fix):")
        for g in result.gaps:
            lines.append(f"  ✗ {g}")
        lines.append("")
    if result.warnings:
        lines.append("WARNINGS (should fix):")
        for w in result.warnings:
            lines.append(f"  ⚠ {w}")
        lines.append("")
    if result.recommendations:
        lines.append("RECOMMENDATIONS:")
        for r in result.recommendations:
            lines.append(f"  → {r}")
    return "\n".join(lines)


# Example: US-based GPAI provider entering EU market
us_provider = GPAIProviderProfile(
    company_name="ExampleAI Corp (San Francisco)",
    establishment_zone=EstablishmentZone.THIRD_COUNTRY,
    is_gpai_provider=True,
    makes_available_in_eu=True,
    ar_appointed=True,
    ar_written_mandate=True,
    ar_eu_established=True,
    ar_contact_reachable=True,
    ar_can_verify_documentation=True,
    ar_has_contact_details=True,
    ar_can_provide_docs_on_request=True,
    ar_cooperates_with_authorities=True,
    ar_informed_of_changes=False,  # gap
    ar_has_sufficient_resources=True,
    ar_has_authority_to_act=True,
    documentation_access_granted=True,
    gdpr_art27_rep_appointed=True,
    same_entity_for_both=True,
    art71_registration_complete=True,
    ar_verified_registration=True,
)

print(generate_ar_report(us_provider))

Output for the mostly-compliant US provider above:

=== EU AI Act Art.54 AR Compliance Report ===
Provider: ExampleAI Corp (San Francisco)
Status: required_deficient

GAPS (must fix):
  ✗ Art.54(4): Ensure AR is informed of model changes, new versions, incidents...

WARNINGS (should fix):
  ...

RECOMMENDATIONS:
  ...

Note: the ar_informed_of_changes=False field flags an Art.54(4) gap, illustrating that most AR arrangements have a process gap even when the structural appointment is correct.

25-Item Art.54 AR Compliance Checklist

Section 1: Obligation Trigger (Items 1–5)

Section 2: AR Appointment (Items 6–11)

Section 3: AR Mandate Scope (Items 12–15)

Section 4: Provider-Side Obligations (Items 16–20)

Section 5: Integration with Broader Compliance (Items 21–25)

Common Mistakes

Mistake 1: Treating the AR like a registered agent Many US companies appoint a lawyer or registered-agent service to receive mail and forward it. Art.54 requires an AR who can verify documentation and cooperate with investigations. A mail-forwarding service cannot fulfill Art.54(3)(a)–(d). The AR needs AI regulatory competence, not just a filing address.

Mistake 2: Applying deployer logic to GPAI provider obligations If you are building a product on top of a GPAI API (e.g., using Claude, GPT-4, or Gemini via API), you are a deployer. You do not need an Art.54 AR — the GPAI provider (Anthropic, OpenAI, Google) bears that obligation for their own model. However, if you fine-tune the GPAI model and distribute the fine-tuned version commercially, you may become a GPAI provider of the derivative model, triggering your own Art.54 obligation.

Mistake 3: Using the GDPR Art.27 Rep without extending the mandate Your existing GDPR EU Representative cannot automatically serve as your AI Act AR. They need a separate, explicit written mandate that covers the four Art.54(3) tasks. Simply telling your GDPR rep "you are also our AI Act rep" is non-compliant. Execute a proper Art.54 mandate document.

Mistake 4: Appointing an AR retroactively Art.54(1) says "before making available." If your model has been live in EU for six months without an AR, you have an ongoing violation. Appointing an AR now cures it prospectively but the historical violation remains. Document the appointment date clearly and assess whether voluntary disclosure to the AI Office makes sense for your risk profile.

Mistake 5: Forgetting the Art.71 registration link Appointing an AR without completing Art.71 registration (or ensuring the AR has verified it) leaves a gap in Art.54(3)(a). The AR's first verifiable duty is confirming that the registration exists and is complete. Schedule an Art.71 registration check as part of the AR onboarding process.

Summary

EU AI Act Article 54 imposes a straightforward but mandatory structural requirement on non-EU GPAI providers: appoint an EU-based Authorized Representative by written mandate before making your model available in the Union.

The key points:

  1. Trigger: Non-EU GPAI provider (not deployer) making model available in EU — before market placement.
  2. AR must: be EU-established, have a reachable contact point, and be mandated to cover all four Art.54(3) tasks.
  3. Provider must: give the AR adequate resources, authority, and documentation access to do the job.
  4. Not the same as GDPR Art.27: Parallel obligation, separate mandate, but can be the same entity.
  5. Penalty: Up to €15M or 3% global turnover for non-compliance.
  6. Art.71 link: AR must verify EU database registration — appoint AR and register simultaneously.

For US and other non-EU AI companies entering the EU market with GPAI capabilities, Art.54 is a day-one compliance item, not an afterthought. The AR infrastructure also positions you to handle the ongoing compliance obligations under Art.53 and, if your model reaches systemic risk thresholds, the enhanced obligations under Art.55.