EU AI Act Art.74 Market Surveillance: What National Competent Authorities Can Inspect and Demand
Post #1 in the sota.io EU AI Act Market Surveillance Operations Series
When August 2, 2026 arrives, national competent authorities across the EU gain the legal power to walk into your organization—virtually or physically—and demand access to your high-risk AI systems, technical documentation, training datasets, and operational logs. Article 74 of the EU AI Act is not aspirational guidance; it is an enforcement mandate. Understanding exactly what inspectors can demand, and what you must hand over, is now a compliance prerequisite.
What Art.74 Actually Establishes
Art.74 creates the legal framework for market surveillance and control of AI systems in the EU's internal market. It works in conjunction with the EU's general market surveillance framework (Regulation EU 2019/1020) while adding AI-specific requirements.
The core obligation: providers and deployers of high-risk AI systems must cooperate with market surveillance authorities (MSAs) and provide all necessary assistance.
Three categories of oversight under Art.74:
- Proactive market surveillance — NCAs monitor the market for compliance without waiting for incidents
- Reactive investigations — NCAs respond to complaints, serious incidents (Art.73), or Commission referrals
- Post-incident review — NCAs audit provider responses after serious incidents are reported
Who Is the National Competent Authority?
Each EU member state must designate at least one national competent authority by August 2, 2026. In practice, most member states are designating existing regulators:
| Country | Expected NCA | Existing Authority |
|---|---|---|
| Germany | Expected: Bundesnetzagentur or new body | Currently establishing AI Act authority |
| France | Expected: CNIL or new body | Data protection focus |
| Netherlands | Expected: Autoriteit Persoonsgegevens extension | |
| Spain | Expected: AESIA (AI Spain Agency) | Established 2023 |
Important for SaaS providers: If you serve users across multiple EU member states, you may face inspections from multiple NCAs. Art.74 coordinates this through a "home country" principle—the NCA where your establishment is located takes the lead role, but other member state NCAs can initiate proceedings for their territory.
The Evidence NCAs Can Compel Under Art.74
Art.74 grants NCAs broad access rights that go beyond what most organizations have prepared for:
Documentary Access
Market surveillance authorities can demand:
- Complete technical documentation as specified in Annex IV — not summaries, but the full package
- Risk management system records (Art.9) including all identified risks, mitigations, and residual risk assessments
- Training dataset documentation (Art.10) including data sources, bias testing results, and data governance records
- Conformity assessment records (Art.43) including self-assessment findings or notified body certificates
- Post-market monitoring data (Art.72) including all performance metrics since deployment
- Serious incident logs and internal communications about incidents (Art.73)
System Access
NCAs can require providers to:
- Demonstrate system functionality — running the AI system in controlled conditions before inspectors
- Grant access to test the system using NCA-selected test cases
- Provide audit logs going back to initial deployment
- Explain algorithmic decisions for specific outputs, particularly in the employment, credit, and education sectors
Human Resource Access
Inspectors can interview:
- Technical leads responsible for AI system development
- Data governance officers
- Quality management personnel
- Operators who work with the system daily
Infrastructure Access
In cases where the NCA suspects a serious risk, Art.74 enables:
- Access to training infrastructure to verify data processing claims
- Review of version control to understand system changes post-deployment
- Third-party supplier documentation for components in your AI supply chain
What Triggers an NCA Inspection
Inspections do not require an incident. NCAs can initiate market surveillance for:
Regulatory reasons:
- Failure to register in the EU database (Art.49/Art.51)
- Missing or insufficient CE marking documentation
- Complaints from affected individuals or deployers
- Referrals from the AI Office or other member state NCAs
Technical reasons:
- Anomalies in serious incident reports (Art.73) suggesting under-reporting
- Post-market monitoring data (Art.72) indicating performance degradation
- Whistleblower reports about prohibited practices (Art.5)
Sector-triggered reasons:
- Your AI system falls under an Annex III category being prioritized by the NCA
- A peer system in your category triggered enforcement action
The Timeline Pressure: August 2, 2026
The August 2, 2026 deadline for high-risk AI compliance is also the date NCAs begin full enforcement authority. Before that date, authorities may audit and investigate but penalties under Art.99 are limited. After that date:
- Providers of high-risk AI systems without compliant technical documentation face fines up to €15 million or 3% of global annual turnover (whichever is higher)
- Providers who make false statements to NCAs face fines up to €7.5 million or 1.5% of global annual turnover
- Infringement of the prohibited practices prohibition (Art.5) carries fines up to €35 million or 7% of global annual turnover
That means if an NCA inspection on August 3, 2026 finds your technical documentation incomplete, you are immediately in penalty range.
The Art.74 Cooperation Obligation: What You Cannot Refuse
Art.74 creates binding cooperation obligations. Providers cannot:
- Claim commercial confidentiality to withhold technical documentation from NCAs
- Delay document production beyond the NCA's requested timeline without good cause
- Obstruct or impede the inspection process
- Provide misleading or incomplete information
What you can protect:
- Genuinely confidential business information may be subject to confidentiality protections, but the NCA can still access it under sealed review procedures
- Trade secrets do not override Art.74 access rights — they limit publication, not inspection
Preparing for Art.74: The Six Readiness Requirements
1. Documentation Registry
Maintain a single, indexed registry of all Art.74-relevant documents. When an NCA makes a request, you should be able to produce any document within 48 hours. This requires:
- Technical documentation package (Annex IV compliant)
- Risk management system records (Art.9)
- Data governance documentation (Art.10)
- Conformity assessment files (Art.43)
- Post-market monitoring reports (Art.72)
- Incident log (Art.73)
2. Legal Point of Contact
Designate a named legal point of contact for NCA communications. If you are a non-EU provider, your EU authorized representative (Art.22) becomes the primary NCA contact — their address appears in the EU database and on CE marking documentation.
3. Response Protocol
Document your internal inspection response protocol before an inspection happens:
NCA Contact Received → Legal Counsel Notified (same day)
→ Technical Lead Assigned (same day)
→ Document Assembly Team Activated (24h)
→ Response Prepared and Reviewed (NCA deadline - 48h)
→ Secure Delivery to NCA
4. System Demonstration Environment
Maintain a controlled demonstration environment where you can:
- Run the AI system for NCA-selected test cases
- Reproduce historical decisions with audit logs
- Explain model outputs without exposing production infrastructure
5. Supply Chain Documentation
If your system uses third-party AI components (foundation models, data providers, annotation services), document your contractual rights to obtain compliance information from suppliers. NCAs can ask you to produce supplier documentation — you need the contractual right to get it.
6. Cross-Border Coordination Plan
If you are supervised by NCAs in multiple member states, establish which NCA is your "lead" authority and how you coordinate multi-NCA requests to avoid conflicting obligations.
The Cloud Act Intersection
EU-based high-risk AI providers face a structural compliance advantage in NCA inspections: documentation stored exclusively on EU-native infrastructure is not subject to US CLOUD Act requests, which could otherwise compromise confidential NCA investigation materials.
Providers running on AWS, Azure, or Google Cloud face a legal ambiguity: US authorities could theoretically compel disclosure of the same technical documentation that EU NCAs are examining. Storing your Art.74-relevant documentation on EU-native infrastructure (Hetzner, OVHcloud, Scaleway) removes this exposure — NCA inspection materials stay within EU jurisdiction throughout the process.
What Comes Next in This Series
This is Post #1 of 5 in the EU AI Act Market Surveillance Operations Series:
- Art.74 NCA Inspection Powers ← You are here
- Market surveillance procedures: what happens during an active investigation
- Corrective actions and market restriction orders: developer response obligations
- Serious risk determinations and emergency measures: when NCAs can pull your system
- Market Surveillance Finale: Complete provider response playbook and documentation template
Next reading: EU AI Act Post-Market Monitoring: Art.72 Provider Obligations — the continuous monitoring requirements that feed into Art.74 inspections.
Also relevant: EU AI Act Serious Incident Reporting: Art.73 Operations Guide — what triggers an NCA investigation from the incident reporting pipeline.
EU-Native Hosting
Ready to move to EU-sovereign infrastructure?
sota.io is a German-hosted PaaS — no CLOUD Act exposure, no US jurisdiction, full GDPR compliance by design. Deploy your first app in minutes.