EU AI Act NCA Investigation: What Happens When Your AI System Is Under Scrutiny — Developer Response Guide 2026
Post #1649 in the sota.io EU AI Compliance Series — EU AI Act Enforcement Series #3/5
The EU AI Act's August 2, 2026 deadline activates full NCA enforcement powers for high-risk AI systems. Previous posts covered what NCAs can demand during market surveillance (Art.74) and the corrective action framework when violations are found (Art.75). This post covers the middle ground: the investigation process itself — how it starts, what your procedural rights are, and how to respond when your AI system is under active scrutiny.
How Investigations Start: The Three Entry Points
NCA investigations of high-risk AI systems originate from three main sources. Understanding which entry point triggered an investigation determines your immediate response timeline and the documents you need to prepare.
Entry Point 1: Market Surveillance Sweeps (Art.74)
NCAs can initiate investigations on their own initiative as part of coordinated market surveillance programs. The European AI Board coordinates these sweeps across member states, typically targeting specific high-risk categories or providers with notable market share. If you receive a formal notification that your AI system has been selected for market surveillance review, you are not necessarily in violation — NCAs routinely audit compliant systems to verify conformity assessment completeness.
The Art.74 sweep typically begins with a written request for technical documentation with a specified response deadline. This is not optional. Failure to cooperate with a market surveillance authority is itself a violation that can lead to penalties under Art.99.
Entry Point 2: Complaint-Driven Investigations (Art.87)
Art.87 gives natural persons, organisations, and associations the right to lodge complaints with NCAs when they believe an AI system violates the Regulation. Importantly, Art.87 requires NCAs to handle complaints "with due diligence and care" and inform complainants of the outcome within a reasonable period.
For developers, this means any user, affected person, competitor, or civil society organisation can trigger an NCA investigation. The complaint mechanism does not require the complainant to demonstrate harm — a credible allegation that a system is deployed in a prohibited use case or lacks required conformity documentation is sufficient to open a preliminary inquiry.
Entry Point 3: Incident Report Escalation (Art.73)
When you submit a serious incident report under Art.73, the receiving NCA is required to review whether the incident reveals systemic compliance gaps. A single Art.73 report can escalate into a full Art.74 investigation if the NCA concludes that the incident suggests inadequate post-market monitoring (Art.72) or flawed risk management (Art.9).
This escalation path is particularly sensitive because your own incident report becomes the primary evidence in the investigation. The way you document incidents in Art.73 reports — specifically how you characterise root cause, monitoring gaps, and corrective actions — directly shapes the NCA's initial assessment of your compliance posture.
The Investigation Timeline
Once an investigation is formally opened, it follows a structured procedural sequence. The exact timeline varies by member state, but the EU AI Act establishes procedural requirements that create predictable checkpoints.
INVESTIGATION TIMELINE (High-Risk AI Systems)
Week 1-2: Formal notification + initial documentation request
Week 2-6: Technical documentation review + preliminary assessment
Week 6-8: Preliminary findings issued (if violations identified)
Week 8-10: Developer response period (your right to be heard)
Week 10-12: Final determination + corrective action order or closure
Week 12+: Corrective action monitoring / penalty proceedings (if applicable)
Preliminary Findings
When an NCA identifies potential compliance violations, it must issue preliminary findings before taking any corrective action. The preliminary findings document specifies what the NCA believes is non-compliant and gives you the opportunity to contest the assessment.
The right to respond to preliminary findings before any enforcement measure is taken is a core procedural protection. You have the right to submit written observations, provide additional technical documentation, and request an oral hearing. Do not waive this opportunity — preliminary findings frequently contain factual errors about technical implementation that you can correct before they become the basis for an enforcement order.
Documentary Evidence Management
During an active investigation, preserve all technical documentation in its current state. Do not modify, delete, or restructure documentation after receiving an NCA inquiry notification. If your documentation is stored on infrastructure subject to third-country jurisdiction, document the jurisdictional exposure explicitly — NCAs investigating potential CLOUD Act conflicts will request affidavits confirming that no parallel third-country access requests have been received.
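One way to make the "preserve in its current state" rule verifiable is to take a hash manifest of the documentation tree when the NCA notification arrives and re-check against it later. The example below is added here and is not part of the post's own tracker code; it uses a constructed documentation folder with hypothetical file names and reports anything modified, deleted or added after the snapshot.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    # Stream the file so large Annex IV PDFs hash without being loaded whole
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(doc_root: Path) -> dict[str, str]:
    # Snapshot {relative_path: sha256} for every file under doc_root
    return {
        p.relative_to(doc_root).as_posix(): sha256_file(p)
        for p in sorted(doc_root.rglob("*"))
        if p.is_file()
    }


def verify_manifest(doc_root: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    # Report the three deviations the preservation rule forbids after notification:
    # content changed, file removed, file introduced into the frozen set
    current = build_manifest(doc_root)
    return {
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        "deleted": sorted(p for p in manifest if p not in current),
        "added": sorted(p for p in current if p not in manifest),
    }


def demo() -> dict[str, list[str]]:
    # Constructed documentation tree (hypothetical file names), frozen at notification,
    # then altered afterwards to show what the verification catches
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "annex_iv").mkdir()
        (root / "annex_iv" / "technical_documentation_v3.md").write_text("Annex IV v3\n")
        (root / "art72_monitoring_plan.md").write_text("monitoring plan\n")
        (root / "art9_risk_register.csv").write_text("id,risk\n1,bias\n")
        # In practice the manifest is stored write-once, next to the NCA notification letter
        frozen = json.dumps(build_manifest(root), sort_keys=True)
        # Post-notification changes: one edit, one deletion, one new file
        (root / "art72_monitoring_plan.md").write_text("monitoring plan (revised)\n")
        (root / "art9_risk_register.csv").unlink()
        (root / "cover_letter_to_nca.md").write_text("cover letter\n")
        return verify_manifest(root, json.loads(frozen))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Storing the manifest alongside the notification letter gives you a dated record that the file set handed to the NCA is the one that existed when the inquiry opened.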
Your Procedural Rights During Investigation
The EU AI Act provides several procedural rights that developers can exercise during an NCA investigation. Knowing these rights and exercising them correctly is the difference between a manageable audit and a runaway enforcement proceeding.
Right to Be Heard
Before any corrective action is ordered, you have the right to submit observations to the investigating NCA. This right applies to: withdrawal orders, market access restrictions, interim measures, and final penalty determinations. Exercise this right systematically — submit detailed written observations that address each preliminary finding with technical specificity, not generic compliance assertions.
Confidentiality Protection (Art.78)
Art.78 requires NCAs and the AI Office to maintain confidentiality of commercially sensitive information obtained during investigations. You can formally designate specific technical documentation as confidential when submitting it to an NCA. Confidentiality designations should be applied to: proprietary algorithms, training dataset composition, undisclosed product roadmaps, and business strategy documents.
Confidentiality protection has practical limits — NCAs can share information with other NCAs and the European AI Board under specific conditions. For cross-border investigations involving AI systems deployed in multiple member states, information shared through the cooperation mechanism is subject to confidentiality rules at each receiving authority.
Right to Request Urgency Review
If the NCA proposes an interim measure — such as an immediate suspension of your AI system — you have the right to challenge the urgency finding. Interim measures require the NCA to demonstrate that immediate action is necessary to prevent serious irreversible harm. If the alleged harm does not meet this threshold, an urgency challenge can delay enforcement while you complete corrective actions.
The Corrective Action Response Framework
When an NCA issues a corrective action order, you typically face one of four scenarios requiring different response strategies:
Scenario 1: Documentation Gap
The most common enforcement finding is incomplete technical documentation — missing Annex IV elements, inadequate post-market monitoring plans, or insufficient risk management system records. The corrective action is to produce the missing documentation within the specified deadline.
Response: Conduct a documentation audit immediately. Identify all missing elements against Annex IV. Assign ownership for each element and set completion deadlines that fit within the NCA's corrective action window. Provide progress updates to the NCA proactively — NCAs routinely extend deadlines for providers who demonstrate good-faith remediation effort.
Scenario 2: Conformity Assessment Violation
If the NCA determines that your AI system required third-party notified body assessment but was self-certified, or that your self-assessment does not meet the applicable conformity procedure requirements, the corrective action typically requires engaging a notified body and suspending commercial use pending assessment completion.
Response: Contact at least three Annex VII-listed notified bodies immediately to understand their availability and assessment timelines. Ask the NCA whether continued use during assessment is permitted or whether a formal suspension is required. In some member states, NCAs have discretion to permit continued use under enhanced monitoring conditions while a notified body assessment is underway.
Scenario 3: Prohibited Practice Finding
If the NCA finds that your AI system implements a prohibited practice under Art.5 — such as biometric categorisation, social scoring, or real-time remote biometric identification in prohibited contexts — the corrective action is withdrawal from the market. There is no remediation pathway for confirmed prohibited practices.
Response: If you dispute the prohibited practice characterisation, file written observations immediately contesting the preliminary finding with detailed technical evidence about your system's actual operation. If the finding is correct, cease commercial use of the specific capability immediately and notify all deployers. The speed of your voluntary compliance response will factor into penalty calculations under Art.99.
Scenario 4: Systemic Monitoring Failure
If an Art.73 incident report escalates into an Art.74 investigation that reveals systemic post-market monitoring gaps, the corrective action typically requires implementing a comprehensive monitoring remediation plan with specific technical milestones.
Response: Present a monitoring remediation plan that connects your implementation directly to Art.72 and Annex IX requirements. Include specific metric thresholds, alert configurations, and escalation protocols. Demonstrate that the monitoring failure was isolated rather than systemic.
Python Implementation: Investigation Response Tracker
```python
from dataclasses import dataclass, field
from enum import Enum
from datetime import date, timedelta
from typing import Optional


class InvestigationStage(Enum):
    # Mirrors the procedural checkpoints in the investigation timeline above
    NOTIFICATION = "notification"
    DOCUMENTATION_REQUEST = "documentation_request"
    PRELIMINARY_ASSESSMENT = "preliminary_assessment"
    PRELIMINARY_FINDINGS = "preliminary_findings"
    RESPONSE_PERIOD = "response_period"
    FINAL_DETERMINATION = "final_determination"
    CORRECTIVE_ACTION = "corrective_action"
    CLOSED = "closed"


class EntryPoint(Enum):
    # The three entry points through which an investigation is opened
    MARKET_SURVEILLANCE = "art74_sweep"
    COMPLAINT = "art87_complaint"
    INCIDENT_ESCALATION = "art73_escalation"


@dataclass
class InvestigationResponse:
    case_reference: str
    nca_member_state: str
    entry_point: EntryPoint
    notification_date: date
    stage: InvestigationStage = InvestigationStage.NOTIFICATION
    doc_request_deadline: Optional[date] = None
    preliminary_findings_date: Optional[date] = None
    response_deadline: Optional[date] = None
    confidential_docs: list[str] = field(default_factory=list)  # Art.78 designations
    observations_submitted: bool = False  # right to be heard exercised?
    corrective_actions: list[str] = field(default_factory=list)

    def doc_request_response_deadline(self) -> date:
        # Initial documentation request falls in weeks 1-2 of the timeline
        return self.notification_date + timedelta(days=14)

    def preliminary_response_window_days(self) -> int:
        if self.preliminary_findings_date is None:
            return 0
        if self.response_deadline is None:
            return 10  # minimum working days under standard procedure
        return (self.response_deadline - self.preliminary_findings_date).days

    def days_until_response_deadline(self, as_of: date) -> Optional[int]:
        if self.response_deadline is None:
            return None
        return (self.response_deadline - as_of).days

    def is_urgent_interim_measure(self) -> bool:
        # This tracker treats the final-determination stage as the point at which
        # an urgency challenge to an interim measure becomes relevant
        return self.stage == InvestigationStage.FINAL_DETERMINATION

    def corrective_action_brief(self) -> dict:
        # Summary suitable for a status report to legal counsel
        return {
            "case": self.case_reference,
            "stage": self.stage.value,
            "entry_point": self.entry_point.value,
            "nca": self.nca_member_state,
            "observations_filed": self.observations_submitted,
            "confidential_docs_designated": len(self.confidential_docs),
            "corrective_actions_pending": len(self.corrective_actions),
        }


class InvestigationResponseManager:
    def __init__(self):
        self.cases: list[InvestigationResponse] = []

    def register_case(self, case: InvestigationResponse) -> None:
        self.cases.append(case)

    def active_cases(self) -> list[InvestigationResponse]:
        return [c for c in self.cases if c.stage != InvestigationStage.CLOSED]

    def deadline_alerts(self, as_of: date, warning_days: int = 5) -> list[dict]:
        # Flag every active case whose observation deadline is within warning_days
        alerts = []
        for case in self.active_cases():
            days = case.days_until_response_deadline(as_of)
            if days is not None and days <= warning_days:
                alerts.append({
                    "case": case.case_reference,
                    "nca": case.nca_member_state,
                    "days_remaining": days,
                    "stage": case.stage.value,
                    "observations_submitted": case.observations_submitted,
                })
        return sorted(alerts, key=lambda a: a["days_remaining"])

    def mark_observations_submitted(self, case_reference: str) -> None:
        for case in self.cases:
            if case.case_reference == case_reference:
                case.observations_submitted = True
                return
        raise ValueError(f"Case {case_reference} not found")


# Example: complaint-triggered investigation
manager = InvestigationResponseManager()
case = InvestigationResponse(
    case_reference="DE-BNetzA-2026-0847",
    nca_member_state="Germany",
    entry_point=EntryPoint.COMPLAINT,
    notification_date=date(2026, 8, 10),
    stage=InvestigationStage.PRELIMINARY_FINDINGS,
    preliminary_findings_date=date(2026, 8, 28),
    response_deadline=date(2026, 9, 11),
    confidential_docs=["training_dataset_composition.pdf", "model_architecture_v3.pdf"],
    corrective_actions=["Submit Annex IV documentation gap analysis", "Engage notified body for conformity review"],
)
manager.register_case(case)

alerts = manager.deadline_alerts(date(2026, 9, 8), warning_days=5)
for alert in alerts:
    print(f"[DEADLINE ALERT] {alert['case']} ({alert['nca']}): {alert['days_remaining']} days to file observations")
    if not alert['observations_submitted']:
        print("  → Written observations NOT yet submitted. File immediately.")
```
Infrastructure and Jurisdiction Considerations
The jurisdiction of your infrastructure becomes directly relevant during an NCA investigation for two reasons.
Art.74 Document Access and CLOUD Act Exposure
When an NCA requests access to technical documentation stored on US-based cloud infrastructure, there is a potential conflict between the NCA's Art.74 access rights and the US CLOUD Act's parallel access mechanism. An NCA request for documentation is governed by EU procedural rules with confidentiality protections under Art.78. A simultaneous US CLOUD Act request operates under US law with different confidentiality guarantees and without the procedural protections the EU framework provides.
This conflict is not theoretical. For AI providers subject to both EU and US regulatory scrutiny, running training data, model weights, and technical documentation on EU-native infrastructure eliminates this jurisdiction conflict by design — the investigation file exists only within EU procedural jurisdiction.
Multi-Jurisdiction Investigation Coordination
If your AI system is deployed across multiple EU member states, multiple NCAs may simultaneously conduct investigations. The AI Board coordinates cross-border investigations, but the lead NCA is typically the authority in the member state where your establishment is located. If you have no EU establishment, investigations may be coordinated differently.
For SaaS providers without a formal EU legal entity, the absence of a designated establishment can complicate investigation coordination and create uncertainty about which NCA has primary jurisdiction — an argument for establishing clear EU presence, both for regulatory certainty and as a demonstration of good faith during investigations.
Art.99 Penalty Context
While this post focuses on investigation procedure rather than penalties, understanding the penalty structure contextualises the stakes of each investigation stage decision.
Art.99 establishes penalty tiers:
- Up to €35 million or 7% of global annual turnover (whichever is higher) for prohibited practice violations
- Up to €15 million or 3% of global annual turnover for violations of provider/deployer obligations
- Up to €7.5 million or 1.5% of global annual turnover for providing incorrect or misleading information to authorities
Critically, Art.99 requires NCAs to consider mitigating factors when calculating penalty amounts. These mitigating factors include: the degree of cooperation with the investigating authority, the speed of voluntary corrective action, the novelty of the compliance question, and the provider's technical and financial capacity.
This means that how you respond during the investigation — whether you cooperate proactively, submit observations substantively, designate confidential documents properly, and implement corrective actions quickly — directly affects the penalty quantum if a violation is confirmed. Stonewalling an NCA investigation eliminates any mitigating factors and maximises penalty exposure.
Investigation Readiness Checklist
Use this checklist before August 2026 to ensure you can respond effectively if an investigation is initiated:
Documentation Readiness
- Annex IV technical documentation complete and version-controlled
- Art.9 risk management system records current and accessible
- Art.72 post-market monitoring plan documented and implemented
- Art.73 serious incident reporting procedures tested
- Conformity assessment files (self-assessment or notified body certificate) retrievable within 24 hours
Procedural Readiness
- Designated internal point of contact for NCA communications
- External legal counsel identified with EU AI Act enforcement experience
- Confidentiality designation criteria established for technical documentation
- Process for tracking NCA communication deadlines implemented
Infrastructure Readiness
- Technical documentation stored in EU-jurisdiction infrastructure
- Source code repository jurisdiction documented
- CLOUD Act exposure assessed and documented in compliance records
- Deployer notification process established for corrective action scenarios
Response Protocol
- Preliminary findings response template prepared
- Oral hearing request procedure documented
- Corrective action tracking system implemented (see Python class above)
- Escalation path from technical team to legal team defined
Cooperation Protocol
- Decision matrix for voluntary disclosure vs. required disclosure
- Art.73 incident report quality review process (incident reports become investigation evidence)
- Cross-border NCA coordination procedure if AI system deployed in multiple member states
Part of the EU AI Act Enforcement Series: #1/5 Art.74 Market Surveillance NCA Powers | #2/5 Art.75-76 Corrective Actions | #3/5 Investigation Process (this post) | #4/5 Art.81-82 Cross-Border Enforcement | #5/5 Art.99 Penalties + Complete Checklist