EU AI Act Authorized Representative: Why US SaaS Companies Need One
Most EU AI Act coverage focuses on classification and technical documentation. But there's a gating requirement that trips up US companies before any of that matters: if you have no legal establishment in the EU, you can't place a covered AI system on the EU market at all until you've appointed someone local to answer for it.
Who This Requirement Actually Hits
If your company is established outside the EU and you provide a high-risk AI system or a general-purpose AI model that is placed on the EU market or put into service there — including where the output produced by the system is used in the EU — the AI Act requires you to appoint an authorized representative established within the Union before that placement happens. This is separate from, and comes before, the question of whether your specific system is compliant.
The requirement doesn't apply if you already route through an EU-based importer who contractually takes on equivalent responsibilities, or if you're selling exclusively through an EU distributor who has independently verified conformity documentation exists. But most SaaS companies selling directly to EU customers by contract, with no EU importer in the chain, don't get that exemption.
What the Representative Is Mandated To Do
Verify conformity documentation exists
VerificationConfirm the EU declaration of conformity and technical documentation have been drawn up, and that an appropriate conformity assessment procedure has been carried out by the provider before appointment.
Keep documentation available for authorities
RecordkeepingHold a copy of the declaration of conformity, technical documentation, and contact details of the provider, available to market surveillance authorities for a set retention period after the system is placed on the market.
Act as the EU point of contact
LiaisonProvide authorities with all information and documentation necessary to demonstrate conformity, in a language they can readily understand, and respond to reasoned requests without the provider needing an EU office to field them.
Cooperate on corrective action
EnforcementCooperate with market surveillance authorities on any action taken to address risks posed by the AI system, including recalls or withdrawal — and terminate the mandate if the provider acts contrary to its AI Act obligations, notifying the relevant authority.
Authorized Representative vs. GDPR Representative
Companies that already appointed a GDPR Article 27 representative when they started serving EU users sometimes assume that role covers the AI Act too. It doesn't. They're distinct legal mandates under different regulations, aimed at different regulators — data protection authorities versus AI market surveillance authorities — even though the underlying idea (someone local who can be held accountable) is the same. You need a separate, specific mandate naming the AI Act tasks, even if you use the same firm for both roles.
Practically, many US companies bundle both mandates with a single EU compliance-services provider or law firm, since the operational overhead of managing two separate vendors for what is conceptually similar work is rarely worth it. Just make sure the engagement letter or mandate explicitly covers both roles rather than assuming one implies the other.
Does Your Company Need One? A Quick Triage
Do you have any legal entity, subsidiary, or branch established in the EU?
GatingIf yes, and that entity is the one placing the AI system on the market, you likely don't need a separate authorized representative — you already have EU presence. If your only EU footprint is customers and no legal entity, you need one.
Is your AI system classified as high-risk, or is it a general-purpose AI model?
CriticalThe mandatory-representative requirement in Article 22 applies specifically to these categories. Limited-risk or minimal-risk systems (most consumer chatbots without high-stakes use cases) aren't subject to this specific obligation, though other transparency duties may still apply.
Do you sell directly to EU customers, or through an EU importer/distributor?
HighDirect sales with no EU importer taking on equivalent responsibility means you need your own representative. Selling exclusively through a verified EU importer may shift or share the obligation — get this in writing in your distribution contract.
Have you already appointed a GDPR Article 27 representative?
MediumThat's a head start on vendor relationships, not a substitute. You still need a distinct written mandate covering the AI Act's specific tasks — verification, documentation retention, and cooperation with market surveillance authorities.
Setting Up the Mandate: What to Get Right
- Confirm the mandate is written and explicitly lists the tasks required under the AI Act, not a generic agency agreement.
- Choose a representative established in a Member State where you have or plan meaningful market activity — some authorities expect a genuine nexus, not a shell address.
- Give the representative real access to technical documentation and the conformity assessment, not just a summary — they need to actually verify it exists.
- Build a notification path so the representative learns immediately if you become aware your system poses a risk, so they can meet their own cooperation duties.
- Don't let the mandate lapse silently — termination without a replacement in place effectively pulls your product off the EU market.
This requirement is easy to miss because it sits upstream of the classification and documentation work most compliance checklists lead with. Get the representative in place first — everything else about EU AI Act compliance assumes it already exists.
See where your AI product is exposed
RatedWithAI helps SaaS teams surface compliance and trust gaps across their web properties. Start with a free scan to understand how your product presents to users and regulators alike.
Scan Your Product for Free →Frequently Asked Questions
Can one authorized representative cover multiple AI systems or products?
Yes, a single authorized representative can be mandated to cover multiple AI systems from the same provider, as long as the written mandate specifies each system and the representative can genuinely perform the verification and documentation duties for all of them.
Does this apply to open-source or free AI models?
General-purpose AI models released under free and open-source licenses have narrower obligations under the Act, but providers of models that present systemic risk are not exempt from the representative requirement regardless of license, and high-risk system providers aren't exempt based on price or license type.
Who is liable if the AI system turns out to be non-compliant — the provider or the representative?
The provider remains primarily liable for the AI system's conformity; the representative's role is verification, documentation, and liaison, not underwriting the provider's engineering. That said, a representative who knowingly facilitates a non-compliant product onto the market faces its own exposure and can terminate the mandate to protect itself.
When did the authorized representative obligation take effect?
Obligations under the AI Act phase in on a staggered timeline by chapter, with high-risk system requirements including representative appointment tied to the classification rules taking effect on a later schedule than the prohibited-practices provisions. Treat 2026 as the year to have the mandate signed, not the year enforcement first becomes possible.