If you're an Authorised Representative — what's specific to your role

For: authorised_representative
Tier: free+
Time: ~5 min

Why you'd do this

Authorised Representative (Art. 3(5)) is the EU-established legal person mandated by a non-EU Provider to perform certain tasks on their behalf. The role has only 3 AR-specific obligations + Art. 4 AI literacy + universal Art. 5 prohibitions, but those 3 are weighty: they make YOU the EU contact point that authorities reach when they have questions about the AI system.

Before you start

You should hold a written mandate from the Provider before any AR obligation kicks in — without it you have no role under Art. 22
Confirm with the Provider that the AI system is high-risk OR a GPAI model — AR obligation only applies to those categories (Art. 22(1) + Art. 54(1))

Step 1

Workflow 1 — The mandate itself (Art. 22(2))

Art. 22(2) defines the minimum tasks the Provider's mandate must delegate to you, and Art. 22(4) lists what you cannot delegate back. Concretely:

You MUST be empowered to:

Verify that the EU declaration of conformity + technical documentation have been drawn up
Keep both available to authorities for 10 years after placing the system on the market
Provide the documentation + cooperate with authorities on request
Terminate the mandate if the Provider acts contrary to the AI Act, with notification to authorities

You MUST NOT:

Modify the system, declaration of conformity, or technical documentation
Take Provider obligations onto yourself (e.g. you don't run the QMS, the Provider does)

Step 2

Workflow 2 — GPAI-specific AR obligations (Art. 54)

If the system you're representing is a GPAI model (Art. 3(63)), two additional AR-specific obligations attach:

Art. 54(3) — the AR must verify that the GPAI Provider has drawn up the technical documentation per Art. 53 and complies with the obligations referred to in Art. 53
Art. 54(5) — the AR must terminate the mandate if it has reason to believe the Provider acts contrary to AI Act, and inform the AI Office accordingly

These are stricter than the Art. 22 versions because GPAI is a stricter category — the AR is expected to perform more substantive verification, not just hold paperwork.

Step 3

Workflow 3 — Day-to-day AR operations

The 10-year retention is the longest single horizon in the entire AI Act. Practical implications:

Document storage: a stable, indexed, access-controlled system for the conformity dossier — survives staff turnover + Provider's possible insolvency
Authority correspondence log: who asked what, when, and how you replied — defensible audit trail
Mandate renewal / termination: contractual hygiene with the Provider; pre-agreed termination triggers (see Art. 22(4))
Translation capacity: authorities may request documentation in their working language; pre-arrange translation provider for DE/FR/IT etc.

ComplianceLint's role for AR is procedural — the Art. 22 / Art. 54 Human Gates questionnaires capture mandate scope, storage location, contact procedures, and termination policies. We don't operate the document store; you do.

What can go wrong

Provider signed you as AR but doesn't share the technical documentation with you — Without the dossier you cannot perform Art. 22(2)(a) verification or Art. 22(2)(b) availability-to-authorities. This is grounds for terminating the mandate per Art. 22(4) and notifying authorities. Document the request + non-response in writing before termination.
Authority asks you a substantive question about how the system was built or trained — not just the dossier — Per Art. 22(4) you cannot answer technical/design questions on the Provider's behalf — your role is to provide the dossier and facilitate the authority contacting the Provider. Refer the authority back to the Provider via the contact channel in the dossier.

Last updated: 2026-04-30

If you're an Authorised Representative — what's specific to your role

For: authorised_representative
Tier: free+
Time: ~5 min

Why you'd do this

Before you start

You should hold a written mandate from the Provider before any AR obligation kicks in — without it you have no role under Art. 22
Confirm with the Provider that the AI system is high-risk OR a GPAI model — AR obligation only applies to those categories (Art. 22(1) + Art. 54(1))

Step 1

Workflow 1 — The mandate itself (Art. 22(2))

Art. 22(2) defines the minimum tasks the Provider's mandate must delegate to you, and Art. 22(4) lists what you cannot delegate back. Concretely:

You MUST be empowered to:

Verify that the EU declaration of conformity + technical documentation have been drawn up
Keep both available to authorities for 10 years after placing the system on the market
Provide the documentation + cooperate with authorities on request
Terminate the mandate if the Provider acts contrary to the AI Act, with notification to authorities

You MUST NOT:

Modify the system, declaration of conformity, or technical documentation
Take Provider obligations onto yourself (e.g. you don't run the QMS, the Provider does)

Step 2

Workflow 2 — GPAI-specific AR obligations (Art. 54)

If the system you're representing is a GPAI model (Art. 3(63)), two additional AR-specific obligations attach:

Art. 54(3) — the AR must verify that the GPAI Provider has drawn up the technical documentation per Art. 53 and complies with the obligations referred to in Art. 53
Art. 54(5) — the AR must terminate the mandate if it has reason to believe the Provider acts contrary to AI Act, and inform the AI Office accordingly

These are stricter than the Art. 22 versions because GPAI is a stricter category — the AR is expected to perform more substantive verification, not just hold paperwork.

Step 3

Workflow 3 — Day-to-day AR operations

The 10-year retention is the longest single horizon in the entire AI Act. Practical implications:

Document storage: a stable, indexed, access-controlled system for the conformity dossier — survives staff turnover + Provider's possible insolvency
Authority correspondence log: who asked what, when, and how you replied — defensible audit trail
Mandate renewal / termination: contractual hygiene with the Provider; pre-agreed termination triggers (see Art. 22(4))
Translation capacity: authorities may request documentation in their working language; pre-arrange translation provider for DE/FR/IT etc.

What can go wrong

Provider signed you as AR but doesn't share the technical documentation with you — Without the dossier you cannot perform Art. 22(2)(a) verification or Art. 22(2)(b) availability-to-authorities. This is grounds for terminating the mandate per Art. 22(4) and notifying authorities. Document the request + non-response in writing before termination.
Authority asks you a substantive question about how the system was built or trained — not just the dossier — Per Art. 22(4) you cannot answer technical/design questions on the Provider's behalf — your role is to provide the dossier and facilitate the authority contacting the Provider. Refer the authority back to the Provider via the contact channel in the dossier.

Last updated: 2026-04-30

If you're an Authorised Representative — what's specific to your role

Why you'd do this

Before you start

Step 1

Step 2

Step 3

What can go wrong

Related

If you're an Authorised Representative — what's specific to your role

Why you'd do this

Before you start

Step 1

Step 2

Step 3

What can go wrong

Related