EU AI Act Art.22 Authorised Representative: What Non-EU High-Risk AI Providers Must Do Before CE Marking
Post #1490 in the sota.io EU Regulatory Compliance Series — CE-MARKING-2026 #4/5
If you are a SaaS company headquartered outside the European Union that provides a high-risk AI system to EU customers, you cannot simply affix the CE marking and file your EU Declaration of Conformity without one additional prerequisite: you must appoint an authorised representative established in the EU, as required under Article 22 of the EU AI Act (Regulation (EU) 2024/1689).
This requirement applies regardless of your technical compliance. You can have perfect technical documentation, a complete quality management system, and a signed EU Declaration of Conformity — and still be blocked from legally placing your high-risk AI on the EU market if you have not designated an Art.22 authorised representative.
This is the fourth post in our five-part CE marking series. Posts one through three covered what the EU Declaration of Conformity is, how the conformity chain works from Art.43 through Art.47 and Art.48, and a complete Annex V template. This post focuses on the often-overlooked Art.22 requirement that applies specifically to providers operating from outside the EU.
Who Art.22 Applies To
Article 22 addresses providers of high-risk AI systems that are established outside the European Union. The provision requires that before such a provider places a high-risk AI system on the EU market or puts it into service in the EU, they must appoint — by written mandate — an authorised representative established in the Union.
The practical scope is wide. If your SaaS company is based in the United States, the United Kingdom post-Brexit, Canada, Israel, India, or any other third country, and you offer a high-risk AI system to EU customers through an EU-facing product or API, you fall within Art.22.
The key trigger is market presence: making a high-risk AI system available to users in the EU. That includes:
- A US-headquartered AI startup selling its high-risk AI SaaS product to EU enterprise customers
- A UK software company providing AI-powered recruitment screening (Annex III high-risk category) to EU employers after Brexit
- A Singapore-based AI vendor whose model is embedded in EU-deployed applications
What Art.22 does not apply to is providers already established in the EU. If you have an EU subsidiary or your company is incorporated in an EU member state, you are directly subject to provider obligations without needing an external representative. Art.22 exists specifically for the extraterritorial reach scenario where EU law applies to non-EU actors.
What the Art.22 Mandate Must Cover
The designation must be a written mandate — not an informal arrangement, not a terms-of-service clause, not an email thread. The mandate must specify the tasks the authorised representative is empowered to perform on behalf of the provider.
Core tasks that the mandate should address:
Regulatory cooperation: The authorised representative must be able to cooperate with and respond to national competent authorities (NCAs) on behalf of the provider. When a market surveillance authority in Germany, France, or any other EU member state initiates an investigation or requests documentation, the authorised representative is the point of contact in the EU.
Documentation access: The representative must have access to and be able to make available the EU Declaration of Conformity under Art.47 and the technical documentation required under the EU AI Act. National authorities are entitled to request these documents, and the representative must be able to produce them.
Registration coordination: The authorised representative must be named in the EU database registration under Article 49. You cannot complete the registration of a high-risk AI system without identifying your Art.22 representative.
Corrective action authority: If national authorities identify non-compliance and request corrective measures, the authorised representative must have enough authority to coordinate a response — though ultimate compliance responsibility remains with the provider.
How the Authorised Representative Connects to CE Marking
The CE marking process under Article 48 requires that a provider has fulfilled all the preceding obligations before affixing the mark. For a non-EU provider, the Art.22 authorised representative is one of those obligations.
The complete pre-CE-marking checklist for a non-EU provider of high-risk AI looks like this:
1. Complete conformity assessment under Art.43 (self-assessment or notified body, depending on the AI category)
2. Establish the quality management system required for high-risk AI providers
3. Prepare technical documentation meeting the requirements for your AI system type
4. Designate an Art.22 authorised representative by written mandate
5. Issue the EU Declaration of Conformity under Art.47 using the Annex V structure
6. Register the system in the EU database under Art.49, listing your authorised representative
7. Affix the CE marking under Art.48
Step 4 cannot be skipped or deferred. If you affix the CE marking without having appointed an authorised representative, your CE marking is legally defective. National market surveillance authorities can require withdrawal of non-conforming AI systems from the EU market, and the absence of an Art.22 representative is a compliance defect in the same category as missing technical documentation.
EU Database Registration Under Art.49
Article 49 governs registration of operators and high-risk AI systems in the EU database. For non-EU providers, the registration entry must include the name and contact details of the Art.22 authorised representative.
This linkage has a practical consequence: you need to identify and appoint your authorised representative before you can complete the Art.49 registration, and you need the Art.49 registration before you can legally place your high-risk AI system on the EU market with a valid CE marking under Art.48.
The EU database is publicly accessible. National competent authorities, market surveillance bodies, and the European AI Office can all cross-reference the registration to identify the EU-accessible point of contact for a given high-risk AI system.
If your authorised representative changes — because the representative terminates the mandate, your contractual arrangement ends, or you restructure your EU operations — you must update the EU database entry. Maintaining an accurate and current authorised representative registration is an ongoing compliance obligation, not a one-time setup task.
Choosing an Authorised Representative: Practical Considerations
The EU AI Act does not prescribe who can serve as an authorised representative, but the practical requirements narrow the options. The representative must:
- Be established in the EU: This means a physical establishment, not just a postal address. A one-person consultancy incorporated in an EU member state qualifies. A virtual mailbox in Dublin does not.
- Have the operational capacity to respond: When a market surveillance authority sends a formal request with a compliance deadline, your representative must be able to engage substantively — not just forward emails.
- Hold a written mandate: The mandate should specify what they are authorised to do, what documentation they can access and provide, and what authority they have to commit the provider to corrective actions.
Non-EU AI providers typically choose from three categories:
Dedicated AI compliance consultancies: Firms that specialize in EU AI Act compliance and offer authorised representative services as a product. These typically have the regulatory expertise but may serve many clients simultaneously.
EU law firms with AI practice: These offer the legal structure and professional liability that come with established legal entities, and can also provide regulatory advice alongside the representative function.
EU subsidiaries or affiliated entities: If you have any EU corporate presence — even a small sales office — that entity can potentially serve as your authorised representative. This requires careful legal structuring but keeps the function within your organizational control.
What you cannot do is appoint an individual without an EU corporate establishment, designate a third-country entity with a European branch (the branch would need to be the legal entity), or outsource the role to someone who does not have access to your technical documentation and cannot actually engage with EU authorities.
Provider Responsibility Remains with You
Designating an Art.22 authorised representative does not shift the compliance burden to the representative. The provider — the non-EU company — retains full legal responsibility for compliance with all EU AI Act obligations.
The authorised representative is an interface with EU regulatory authorities, not a legal shield against enforcement. If your high-risk AI system is found non-compliant, the enforcement action runs against the provider. The representative's role is to ensure that the provider can be reached and engaged effectively from within the EU jurisdiction.
This distinction matters when structuring the mandate. Your authorised representative should have enough information access and operational authority to handle regulatory inquiries effectively, but the underlying compliance decisions — technical architecture, training data governance, post-market monitoring — remain your responsibility as the provider.
The August 2026 Deadline for Non-EU Providers
High-risk AI systems listed in Annex III must comply with the EU AI Act by August 2, 2026. For non-EU providers, this deadline encompasses both the technical compliance requirements and the Art.22 authorised representative appointment.
Non-EU providers who have not yet designated an authorised representative and are currently marketing high-risk AI to EU customers should treat this as an immediate action item. The timeline for finding, evaluating, and formally appointing a representative — including drafting a mandate that meets the practical requirements — is typically 4 to 8 weeks. Given that we are now under 60 days from the August deadline, the process needs to begin without delay.
Providers still building their technical documentation and conformity assessment package should not treat the Art.22 requirement as a final step. The authorised representative needs enough lead time to understand your system, review your documentation, and be prepared to engage with authorities from day one. A representative appointed 24 hours before market placement cannot practically fulfill the role.
Connection to the CE-MARKING-2026 Series
This series has followed the CE marking pathway from the initial declaration of conformity requirements through the Annex V template. Art.22 is the step that makes all of it legally valid for non-EU providers.
Without an Art.22 representative:
- Your Art.47 EU Declaration of Conformity is incomplete (it cannot accurately identify an EU-established operator responsible for the system)
- Your Art.49 registration in the EU database is incomplete
- Your Art.48 CE marking is legally defective regardless of your technical compliance
The final post in this series will cover the complete CE marking operational checklist — the step-by-step sequence from conformity assessment through to ongoing post-market monitoring obligations that come after the CE marking is affixed.
Summary: Art.22 Authorised Representative Checklist for Non-EU Providers
Before affixing the CE marking and placing your high-risk AI system on the EU market:
- Determine whether you are established outside the EU (Art.22 applies if yes)
- Identify a candidate authorised representative established in an EU member state
- Verify the representative has the operational capacity to respond to EU authority requests
- Draft a written mandate specifying the representative's tasks and documentation access
- Ensure the representative can access your EU Declaration of Conformity (Art.47) and technical documentation
- Complete the Art.49 EU database registration, listing the authorised representative's name and contact details
- Confirm the mandate is in place before the Art.48 CE marking is affixed
- Maintain the registration with current representative details; update immediately if the representative changes
For non-EU SaaS providers building toward the August 2, 2026 compliance deadline, the Art.22 authorised representative is a gate that cannot be bypassed. The CE marking is the culmination of the conformity pathway — and for companies operating from outside the EU, that pathway runs through Art.22.
This post is part of the sota.io CE-MARKING-2026 series. Previous posts: Art.47 DoC + Art.48 CE Marking basics | Conformity chain Art.43→47→48 | Annex V DoC Template. Next: CE-MARKING-2026 #5/5 — Complete operational checklist.