EU AI Act NCA Inspection Response: Step-by-Step Playbook for High-Risk AI Providers
Post #1478 — EU-AI-ACT-AUDIT-READINESS-SPRINT-2026 #2/5
The first post in this sprint mapped the 30 documents every high-risk AI provider must have ready before August 2, 2026. This post answers the operational question: what actually happens when a national competent authority (NCA) contacts your organization, and what are you required to do?
Market surveillance under the EU AI Act is not theoretical. Art.74 gives NCAs direct access rights to technical documentation, on-site inspection authority, and the power to order corrective measures including market withdrawal. Art.21 creates a binding cooperation obligation for providers. Understanding the inspection sequence before you receive the first contact letter is the difference between a resolved inquiry and an escalated enforcement action.
How NCA Inspections Are Triggered
Market surveillance authorities do not inspect providers at random. The EU AI Act structures how NCAs identify inspection targets through three primary triggers.
Trigger 1: Post-market monitoring data
Art.72 requires high-risk AI providers to conduct active post-market monitoring throughout the system lifecycle. Monitoring data flows into the national market surveillance infrastructure. If monitoring reports reveal anomalies — accuracy degradation, systematic errors, unexpected output patterns — NCAs can initiate inquiries based on your own submitted data.
This is why post-market monitoring is simultaneously a compliance obligation and an inspection trigger. A monitoring plan that identifies and reports issues is better than one that produces no findings, because it demonstrates active oversight. A monitoring report that reports no issues over an extended period may prompt scrutiny.
Trigger 2: Serious incident reports
Art.73 requires providers to report serious incidents to the market surveillance authority of the member state where the incident occurred, typically within 15 working days of first becoming aware. Serious incident reports are a direct inspection trigger. An NCA that receives an Art.73 notification will assess whether to initiate a market surveillance inquiry based on the nature of the incident and the completeness of your report.
Trigger 3: Complaints and market surveillance sweeps
NCAs can initiate inspections based on user complaints, reports from deployers, or coordinated market surveillance sweeps organized at EU level. The AI Office coordinates cross-border market surveillance for general-purpose AI models under Art.74 provisions. High-risk AI systems may be selected for systematic review in specific deployment sectors.
The Contact Sequence: What an NCA Inquiry Looks Like
A market surveillance inquiry typically follows a structured sequence. Understanding each stage helps your team respond proportionately rather than reactively.
Stage 1: Initial contact letter
Your first contact is typically a formal letter from the national market surveillance authority, sent to your registered legal representative in the EU if you are a non-EU provider. The letter will reference Art.74 and Art.21 and include:
- A description of the inquiry basis (post-market data, incident report, or targeted review)
- A specific list of documents requested
- A response deadline (commonly 10 to 15 working days)
- Contact details for the designated case officer
This letter is the start of your legally binding cooperation window. Art.21 states that providers must cooperate with competent authorities upon reasoned request, providing all information and documentation necessary to demonstrate conformity. Non-cooperation is itself a compliance failure.
Stage 2: Document submission
You submit the requested documentation within the stated deadline. Common requests at this stage align with the Art.11 technical documentation requirements and the Annex IV structure. The documents covered in Sprint Post #1/5 — your 30-document evidence packet — are what NCAs request at Stage 2.
If your submission is complete and consistent, many inquiries resolve at this stage with a closure letter confirming satisfactory documentation.
Stage 3: Technical clarification
If your documents raise questions, the NCA may request written clarifications or a technical meeting. This is still within the document phase. Your compliance and legal team can participate; it does not require on-site access.
Stage 4: On-site inspection
Art.74 authorizes NCAs to conduct on-site inspections when documentary review is insufficient. An inquiry escalates to this step from Stage 2 or 3 when documentation is incomplete or inconsistent, or when the NCA determines that system behavior needs direct verification. On-site inspectors may request access to development environments, test systems, training datasets, and staff.
Stage 5: Corrective measures
If the inspection identifies non-conformity, the NCA can require corrective actions under Art.20. These range from documentation remediation to operational restrictions. Serious non-conformity may result in market withdrawal orders under Art.74.
Art.21 Cooperation Obligations: What You Must Provide
Art.21 creates a cooperation obligation that is not optional. Providers of high-risk AI systems must, upon reasoned request:
- Provide all information and documentation necessary to demonstrate conformity
- Make the AI system available for examination
- Cooperate with competent authority staff during on-site inspections
What constitutes a reasoned request?
The NCA letter is a reasoned request when it identifies the inquiry basis and specifies what it needs. You cannot decline to provide documents on the basis that the request is burdensome. You can request clarification on scope if the request is ambiguous, but this does not pause the response deadline.
Confidentiality protections during cooperation
Art.78 protects commercially sensitive information disclosed during market surveillance. NCAs must maintain confidentiality for trade secrets and competitively sensitive technical documentation. When submitting documents that contain proprietary information, mark them explicitly as commercially sensitive — this triggers Art.78 protection obligations.
Assembling Your Response Team
A market surveillance response requires coordination across at least three functions. Assign roles before you receive a request, not after.
Legal lead
Responsible for: receiving and interpreting NCA correspondence, managing all formal communications with the authority, reviewing documents before submission, assessing confidentiality marking, tracking deadlines.
The legal lead should have experience with administrative law in the NCA's jurisdiction. For non-EU providers, this is typically your EU legal representative.
Technical documentation owner
Responsible for: locating and compiling technical documentation, verifying that submitted documents are current (not superseded versions), coordinating with engineering teams on clarifications, preparing the Annex IV technical documentation package.
For high-risk AI providers who have completed their documentation sprint, this role should be able to produce any of the 30 evidence packet documents within 24 hours.
Compliance officer
Responsible for: mapping the NCA's document request to your internal document inventory, identifying gaps before submission, coordinating remediation if gaps exist, ensuring consistency across submitted documents.
The compliance officer should review all submissions for internal consistency — discrepancies between the risk register, test results, and technical documentation are common escalation triggers.
The 10-Day Response Procedure
When an NCA contact letter arrives, run this procedure. Timelines assume a 10 working day response window; adjust proportionally if your letter specifies a different period.
Day 1: Receipt and triage
- Legal lead reads the full letter and identifies every document requested
- Technical documentation owner pulls your document inventory and marks each request as: available and current / available but outdated / gap requiring creation
- Compliance officer assesses gap severity
- If gaps exist, begin remediation immediately — do not wait for Day 7
Days 2–5: Document collection and review
- Technical documentation owner compiles all available documents
- Legal lead reviews each for confidentiality concerns; marks commercially sensitive items
- Compliance officer cross-checks documents for internal consistency
- Any request for clarification from the NCA (if needed) is sent by Day 3 at the latest
Days 6–8: Compilation and internal approval
- Assemble the submission package in the format specified or in the Annex IV structure if unspecified
- Legal lead conducts final review
- Senior management sign-off on submission (required for formal regulatory submissions in most jurisdictions)
Day 9: Submission
- Submit via the channel specified in the NCA letter (certified mail, secure portal, email with acknowledgment request)
- Request a formal acknowledgment of receipt
- Log submission timestamp and all document identifiers internally
Day 10: Buffer
Keep Day 10 as buffer for technical issues. Never plan your final submission for the last day of the window.
Red Flags That Escalate to On-Site Inspection
Based on the Art.74 escalation structure, the following submission characteristics tend to trigger Stage 4 on-site inspection:
Documentation gaps
Missing documents from the standard Annex IV bundle — particularly the risk register, conformity assessment report, or human oversight procedures — are escalation triggers. A partial submission that explains which gaps are pending remediation is better than an omission without explanation.
Version inconsistency
Submitting a risk management plan dated from development but test results from a substantially later version of the system indicates documentation process failures. NCAs verify that records reflect the current deployed system.
Unresolved serious incident
If you submitted an Art.73 serious incident report that is referenced in the NCA inquiry, and your submitted documents do not include the corrective action taken in response, inspectors will assess whether the incident remains live.
Discrepancy between monitoring data and documentation
If post-market monitoring reports indicate system behavior outside the accuracy range documented in the technical documentation, and the documentation has not been updated to reflect this, the discrepancy will be treated as a potential non-conformity.
No EU legal representative for non-EU providers
Art.22 requires non-EU providers to designate an EU-based legal representative before placing systems on the EU market. An NCA contact letter that cannot be formally delivered cannot be answered successfully.
Communication Protocols During Active Inspection
From Stage 1 onward, apply these communication controls:
Single point of contact
All formal communication with the NCA goes through your legal lead only. Engineering and compliance staff should not respond directly to NCA inquiries, even if contacted informally. This avoids inconsistent statements.
Written communication by default
Request that all NCA communications be in writing. For meetings, request written minutes within 5 working days. This creates a complete record of what was said and what was agreed.
Log everything
Maintain an inspection log with timestamps: when contact was received, what was requested, when documents were submitted, what clarifications were requested and answered. This log is evidence of good-faith cooperation if the inquiry escalates.
Do not volunteer beyond the request
Art.21 requires you to cooperate with what is reasonably requested. You are not required to submit documents beyond the scope of the request. If the NCA requests clarification on a specific system component, answer that component — do not expand the scope of your disclosure.
What Happens After the Inspection
If the NCA closes the inquiry with a no-action letter, file it with your compliance records. It is evidence that the authority reviewed your documentation and found it satisfactory at that point in time. Post-market monitoring continues; a closed inquiry does not mean permanent clearance.
If the NCA requires corrective action, you will receive a formal requirement specifying the nature of the action and the deadline. Corrective actions under Art.20 can include documentation updates, operational restrictions, modified monitoring, or system modifications. Your compliance officer tracks implementation and notifies the NCA upon completion.
If the NCA issues a withdrawal order or an access restriction, your legal lead activates your incident response process. Art.74 allows providers to challenge NCA decisions through national administrative review procedures. Document your objections in writing within the period specified.
Preparing Before the Call Arrives
The audit readiness principle is simple: the inspection you handle well is the one you prepared for when you were not under deadline pressure.
The three actions that reduce inspection risk most significantly:
One: Maintain a current document inventory linked to your Annex IV technical documentation structure. Know which documents you have, where they are, and when they were last updated.
Two: Designate your response team now and ensure every member knows their role. Run a tabletop exercise using a mock NCA letter.
Three: Review your Art.73 incident log. Any serious incident that you reported but have not fully closed in your documentation creates escalation risk. Close it before an NCA does.
Post #3 in this sprint covers Art.11 technical documentation in depth — the single document cluster that NCAs examine most closely in every inspection and where documentation gaps are most frequently found.
Sources: Regulation (EU) 2024/1689 (EU AI Act), Art.16, Art.20, Art.21, Art.72, Art.73, Art.74, Art.78. Procedural guidance reflects published market surveillance authority practices and draft NCA implementation guidance.