Article 22 EU AI Act · Authorised Representative

Your AI system reaches the EU. An EU representative is now mandatory.

Article 22 of Regulation (EU) 2024/1689 requires every non-EU provider of high-risk AI systems to appoint, by written mandate, an Authorised Representative established in the European Union — before placing the system on the market. Lexara Advisory in New York coordinates the appointment with our strategic partner SecureFound, established in Spain.

A statutory obligation. Not a compliance preference.

Operating an AI system in the European market from outside the Union without an Authorised Representative is a direct breach of Regulation (EU) 2024/1689. Article 22 governs non-EU providers of high-risk AI systems listed under Annex III. Article 54 applies in parallel to non-EU providers of general-purpose AI models. Both regimes can apply concurrently to the same organization. Enforcement is staged, real, and underway.

Who is affected

Non-EU providers placing AI on the EU market

Providers established in the United States, United Kingdom, Canada, Israel, Singapore, Japan, Australia, and any third country, when their AI systems or GPAI models are placed on the EU market or their output is used in the Union.

What is at stake

Up to €35M / 7% of worldwide turnover

Administrative fines up to €35 million or 7% of total worldwide annual turnover for prohibited practices; up to €15 million or 3% for breaches of Articles 22 and 54 obligations. Plus market access restrictions, withdrawal orders from national authorities, and reputational exposure.

When it applies

Phased timeline through 2028

Article 54 GPAI obligations: in force since 2 August 2025. Article 22 high-risk AI systems: under the Digital Omnibus provisional agreement of 7 May 2026, application date is 2 December 2027 for stand-alone Annex III systems and 2 August 2028 for Annex I embedded systems. AI Office full enforcement powers: 2 August 2026.

Article 22 or Article 54? The eligibility test.

The AI Act draws a clean line between the two regimes. The table below sets out the distinction. If you are unsure where your system falls, the eligibility review is free and runs in 48 hours.

Article 22Article 54
ScopeHigh-risk AI systemsGeneral-purpose AI models
ExamplesBiometrics · Credit scoring · HR & recruitment · Critical infrastructure · Migration · JusticeLarge language models · Text-to-image · Foundation models
Reports toNational market surveillance authoritiesEU AI Office
Open-source exceptionNoYes (unless systemic risk)
In forcePhased through 2027–2028Since 2 August 2025

If all four are true, you must appoint an Authorised Representative:

The provider is established outside the European Union
The AI system is high-risk under Annex III, OR the model is a GPAI model
The system or its output reaches the EU market
No legal entity established in an EU Member State acts as provider

What the mandate covers

The Authorised Representative is not a forwarding service. It is a regulatory role with statutory duties under Articles 22 and 54. Once appointed by written mandate, the representative assumes the operational obligations on behalf of the non-EU provider.

01
Mandate execution

Formal acceptance of the written mandate as your sole Authorised Representative within the European Union, registered correctly across instructions for use, the EU Declaration of Conformity, and your registration in the EU database under Article 49.

02
Documentation custody

Secure custody of your technical documentation, EU Declaration of Conformity, conformity certificates, and post-market monitoring records for the full statutory period of 10 years. EU data residency. GDPR-compliant infrastructure.

03
Regulatory liaison

Single point of contact for AESIA, the EU AI Office, and any national market surveillance authority. Inbound communications received, triaged, contextualised, and answered with the standards of professional regulatory practice.

04
Authority cooperation

Active cooperation in any investigation, audit, or risk-mitigation procedure. Article 26 reporting and Article 61 cooperation duties handled with the procedural rigour the regulation requires.

05
Registration support

Assistance in completing and maintaining the obligations under Article 49 of the AI Act, including the EU database submission and the verification of correctness of the information delivered to authorities.

06
Independent professional judgement

The Act requires the Authorised Representative to terminate the mandate where the provider acts contrary to its obligations. That independence is what makes the representation credible to authorities — and protective for you.

How we deliver this. One partnership, two jurisdictions.

Lexara Advisory operates in strategic partnership with SecureFound, an AI governance consultancy established in Spain — the jurisdiction of AESIA, one of the EU's most active national AI supervisory authorities. SecureFound is led by bar-admitted attorneys with decades of professional formation in European law. They assume the Authorised Representative mandate; Lexara coordinates the engagement on the US side and aligns the work with your broader EU AI Act, GDPR, and US compliance posture.

Strategic partner

SecureFound — EU Authorised Representative

SecureFound is established in Spain (Tenerife, AESIA jurisdiction). It assumes — by written mandate — the operational and statutory obligations under Articles 22 and 54 of Regulation (EU) 2024/1689. A single mandate covers all 27 EU Member States, mirroring the Article 27 GDPR regime in force since 2018.

SecureFound · Spain

  • EU presence under Articles 22 and 54
  • Regulatory liaison · AESIA · EU AI Office
  • Documentation custody · 10 years
  • Bar-admitted leadership in Spain

Lexara Advisory · NYC

  • EU AI Act gap audit and risk classification
  • GDPR alignment
  • NYC Local Law 144 · US state frameworks
  • Coordination of the EU representative appointment
Visit SecureFound ↗

How the engagement works

Each appointment runs through a predictable four-step process. Lexara Advisory leads the eligibility review and the coordination on the US side; SecureFound executes the mandate and delivers the ongoing representation in the EU.

Step 1
Eligibility review

We confirm whether your AI system or model triggers Articles 22 or 54, classify it under Annex III where applicable, and map your EU market entry timeline. Free · 48 hours.

Step 2
Mandate drafting

SecureFound drafts a tailored written mandate covering scope, duration, transition provisions, and the statutory termination obligations under Articles 22(4) and 54(5). Reviewed by your counsel before execution.

Step 3
Mandate execution

Formal signature. Your representative details are immediately ready for inclusion in your instructions for use, EU Declaration of Conformity, and EU database registration under Article 49.

Step 4
Ongoing representation

Documentation custody, regulatory liaison, post-market monitoring cooperation, and authority interaction for the lifecycle of the mandate. Lexara coordinates the broader EU AI Act and GDPR alignment.

Need to appoint an EU Authorised Representative?

Free 48-hour eligibility review. We confirm whether Article 22 or 54 applies to your AI system, classify it under Annex III, and outline next steps for the appointment with SecureFound.

Request eligibility review →
Lexara Advisory LLC is an AI governance consultancy. Not legal advice under U.S. law. The Authorised Representative mandate under Articles 22 and 54 of Regulation (EU) 2024/1689 is executed by SecureFound (S.L., NIF B-56538416) under a separate written engagement. Lexara Advisory coordinates the engagement and aligns it with the client's broader compliance posture. SecureFound is not a law firm and does not provide legal advice. Both firms operate under European professional standards.