EU AI Act Importers and Distributors: The Lesser-Known Article 23 and Article 24 Obligations
Article 23 covers importer obligations and Article 24 covers distributor obligations for high-risk AI systems in the EU. The roles get conflated with provider and deployer roles in practice. An importer is the operator that places a high-risk AI system from outside the EU onto the EU market. A distributor is the operator that makes a high-risk AI system available in the EU market without being the importer or the provider. Both have specific verification obligations before the system reaches the deployer. With the August 2, 2026 enforcement date approaching, EU resellers and EU branches of non-EU vendors need to understand which obligations belong to them.

Article 23 covers importer obligations and Article 24 covers distributor obligations for high-risk AI systems in the EU. The roles get conflated with provider and deployer roles in practice. An importer is the operator that places a high-risk AI system from outside the EU onto the EU market. A distributor is the operator that makes a high-risk AI system available in the EU market without being the importer or the provider. Both have specific verification obligations before the system reaches the deployer. The obligations are routinely underestimated because most attention has gone to the provider and deployer roles.
With the August 2, 2026 enforcement date 35 days away, every EU reseller of an AI system built outside the EU, every EU branch of a non-EU vendor, and every value-added reseller that bundles a third-party AI system into its own offering needs to understand which role applies and which verification duties belong to them. The chain of accountability the regulation creates means a deployer that cannot produce proper Article 19 logs can trace the gap back through the distributor and the importer; each link in the chain has duties that the next link is allowed to rely on.
I want to walk through the importer obligations, the distributor obligations, the operator-of-last-resort cases where an importer or distributor inherits provider-equivalent duties, and the documentation artifacts each role needs to retain.
Importer obligations under Article 23
An importer is a natural or legal person established in the EU that places on the EU market a high-risk AI system that bears the name or trademark of a natural or legal person established outside the EU. The importer is the first EU-side operator in the supply chain for that system.
Before placing the system on the market, the importer must verify that the provider has carried out the conformity assessment, that the technical documentation has been drawn up, that the system bears the CE marking and is accompanied by the EU declaration of conformity and instructions for use, and that the provider has appointed an authorized representative under Article 22 (the EU-based representative for the non-EU provider).
The importer must also ensure that, while the system is under its responsibility, storage or transport conditions do not jeopardize compliance with the high-risk requirements. The importer must keep, for ten years after the system has been placed on the market, a copy of the EU declaration of conformity and a copy of the certificate where applicable. The importer's contact details must appear on the system, on its packaging, or in the accompanying documentation.
If the importer considers or has reason to consider that a high-risk system is not in conformity with the regulation, the importer must not place the system on the market until it has been brought into conformity. If the system presents a risk under Article 79, the importer must inform the provider and the relevant market surveillance authorities.
Distributor obligations under Article 24
A distributor is any natural or legal person in the supply chain, other than the provider or the importer, that makes a high-risk AI system available on the EU market. A distributor takes the system as it is and resells or otherwise distributes it.
Before making the system available, the distributor must verify that the system bears the required CE marking, that the system is accompanied by the EU declaration of conformity and instructions for use, and that the provider and importer (if applicable) have complied with their respective obligations under Articles 16 and 23 to the extent the distributor can reasonably verify.
The distributor must ensure that, while the system is under its responsibility, storage or transport conditions do not jeopardize compliance. If the distributor considers or has reason to consider that the system is not in conformity, the distributor must not make the system available on the market until it has been brought into conformity. If the system presents a risk under Article 79, the distributor must inform the provider, the importer, and the relevant authorities.
The distributor's verification duties are lighter than the importer's: the distributor does not have to verify the existence of an authorized representative under Article 22 (because by then the importer has done so), and the distributor does not have to retain the Article 19 declaration copy for ten years. The verification scope is what a reasonable downstream operator can check from the documentation accompanying the system.
The operator-of-last-resort cases
Article 25 carries the role-flipping provisions for the supply chain. An importer or a distributor can step into the provider role under specific conditions. The cases that matter most in practice:
The importer or distributor puts its name or trademark on the high-risk AI system. The system is now the importer or distributor's product for regulatory purposes. The provider obligations under Article 16 attach.
The importer or distributor modifies the high-risk AI system in a way that is substantial under Article 25(1)(c). The substantial modification flips the role to provider for the modified version.
The importer or distributor makes the high-risk AI system available for an intended purpose different from what the original provider declared. The new intended purpose flips the role to provider for the new use case.
The pattern is the same as for deployers: the act of putting the system into a new context with the operator's name on it, with material changes, or with a different intended purpose, makes the operator the provider for that variant. The role-determination memo described in the Article 16/Article 26 split applies equally to importers and distributors.
The interaction with the deployer
The deployer's obligations under Article 26 do not change based on whether the deployer obtained the system from an importer or a distributor. The deployer's Article 19 logging obligation, the human-oversight obligation, the input-data verification obligation, and the suspension obligation all apply identically.
What changes is the supply-chain documentation the deployer can rely on. A deployer that bought the system through an EU-registered importer can rely on the importer's verification that the conformity assessment was carried out and the CE marking is valid. A deployer that bought the system through a distributor can rely on the distributor's verification that the documentation accompanying the system is complete. A deployer that procured the system directly from a non-EU provider with no EU intermediary has to perform the importer-equivalent verification itself.
In practice, the deployer's procurement workflow needs to identify each operator in the chain, capture the operator's contact details, and verify that the operator carried out the verification duties the regulation assigns. The deployer audit defense for any chain gap routes through whichever operator was responsible for the gap.
Documentation artifacts each role retains
The importer retains, for ten years after the system was placed on the market, a copy of the EU declaration of conformity, a copy of the certificate where applicable, a copy of the instructions for use, and records of the importer's own verifications. The importer must also be able to produce the contact details that appear on the system.
The distributor retains records showing the verifications carried out before making the system available, the documentation that accompanied the system at the point of distribution, and any communications with the provider or importer about conformity issues. The distributor's retention period for these records is not explicitly set in Article 24 but follows the regulation's general expectation that supply-chain records be available throughout the system's market life.
The deployer's artifacts under Article 26 remain the deployer's responsibility regardless of which operator the deployer obtained the system from. The Article 19 logs are the deployer's records; the human-oversight roles are the deployer's assignments; the input-data review is the deployer's evidence.
What sits with the provider regardless of the chain
The technical documentation under Article 11, the EU declaration of conformity, the CE marking, the post-market monitoring plan, the incident reporting procedure, and the instructions for use are all provider artifacts. The importer verifies they exist and passes them through the chain; the distributor verifies the documentation accompanies the system; the deployer relies on them in operating the system. None of those intermediate operators rewrites the provider artifact.
If the provider is established outside the EU, the provider must appoint an authorized representative in the EU under Article 22. The authorized representative is not the importer or the distributor; it is a separate role that the provider designates and that the importer must verify before placing the system on the market.
DeepInspect
DeepInspect's role in the importer-distributor-deployer chain is at the deployer's operating layer. DeepInspect produces the per-decision audit records the deployer needs to satisfy Article 19. The system's CE marking, EU declaration of conformity, and technical documentation come from the provider; the verification of those artifacts is the importer's and the distributor's duty.
For a deployer that has procured a high-risk AI system through an importer or distributor, DeepInspect is the runtime infrastructure that turns the system's per-design logging capability into actually-retained, identity-bound, tamper-evident records. The provider's documentation states the system supports automatic logging; the deployer's operating reality has to produce the logs. DeepInspect is the boundary control that produces them at the AI request layer independently of the application that issued the request.
If you are facing the August deadline and your supply-chain documentation has gaps at the importer or distributor link, that is a procurement issue to resolve with the upstream operator. If your readiness depends on application logs that the application controls, that is a deployer-side architecture issue. Let's talk today.
Frequently asked questions
- Are we the importer if we are the EU branch of a non-EU AI company?
Possibly. The role attaches to the operator that places the system on the EU market. If the EU branch handles the EU-market activities and places the system on the market in its own name, it is the importer. If the EU branch acts only as an authorized representative under Article 22 on behalf of the non-EU provider, it is the authorized representative, not the importer. The contractual arrangement determines which role applies.
- What does "place on the EU market" mean for an AI system?
The regulation uses the concept established in EU product-safety law. A system is placed on the market when it is supplied for the first time on the EU market for distribution or use, whether for payment or free of charge. For an AI system delivered through a SaaS subscription, the placement happens when the system is first made available to an EU customer.
- What is the difference between an importer and an authorized representative?
The authorized representative under Article 22 acts on behalf of the non-EU provider, has a written mandate, and primarily handles regulator-facing tasks like cooperation with authorities, providing the EU declaration of conformity, and notifying authorities. The importer is the EU operator that actually places the system on the market. They can be the same legal entity, but the roles and the obligations are distinct.
- Are distributors subject to the Article 79 risk procedure?
Yes. If a distributor considers or has reason to consider that a high-risk AI system poses a risk under Article 79, the distributor must not make the system available, must inform the provider and the importer, and must inform the relevant market surveillance authorities.
- Do these obligations apply to general-purpose AI models?
Articles 23 and 24 are written for high-risk AI systems. General-purpose AI models have their own regime under Title VIII-A of the regulation with separate provider and downstream-integrator obligations. The importer/distributor roles for GPAI models have their own scope under those provisions.
- What records does the importer need to keep?
A copy of the EU declaration of conformity for ten years after the system was placed on the market, a copy of the certificate where applicable, a copy of the instructions for use, and records of the importer's verifications. The retention period is explicit