Article 23 of the EU AI Act requires importers, before placing a high-risk AI system on the market, to verify that the provider carried out the conformity assessment, drew up the technical documentation, affixed the CE marking and provided the EU declaration of conformity and instructions for use, and to add their own name and contact details to the system or its documentation.
EU AI Act Article 23: Obligations of Importers of High-Risk AI Systems
What Article 23 Covers
Article 23 of Regulation (EU) 2024/1689 assigns duties to importers, defined in Article 3(6) as natural or legal persons located or established in the Union that place on the market an AI system bearing the name or trademark of a natural or legal person established in a third country. The importer is the first EU-based commercial actor in the chain for foreign systems, and the regulation uses that position as a checkpoint: non-compliant systems should be stopped at the point of import, not discovered in the field.
The Pre-Market Verification Duties
Before placing a high-risk AI system on the market, importers shall ensure that the system is in conformity with the regulation by verifying that:
- The relevant conformity assessment procedure referred to in Article 43 has been carried out by the provider.
- The provider has drawn up the technical documentation in accordance with Article 11 and Annex IV.
- The system bears the required CE marking and is accompanied by the EU declaration of conformity referred to in Article 47 and instructions for use.
- The provider has appointed an authorised representative in accordance with Article 22(1), where applicable.
This is a document-and-marking verification duty, not a duty to re-run the provider's testing. But it must be performed genuinely: an importer that waves systems through without checking has its own liability under the regulation, independent of the provider's.
When Verification Fails
Article 23(2) directs what happens when the check turns up problems. Where an importer has sufficient reason to consider that a high-risk AI system is not in conformity with the regulation, or is falsified, or accompanied by falsified documentation, it shall not place the system on the market until it has been brought into conformity. Furthermore, where the high-risk AI system presents a risk within the meaning of Article 79(1), the importer shall inform the provider of the system, the authorised representative and the market surveillance authorities to that effect.
Identification, Storage and Cooperation Duties
Article 23 continues with a set of ongoing duties:
- Importers shall indicate their name, registered trade name or registered trademark, and the address at which they can be contacted, on the high-risk AI system and on its packaging or its accompanying documentation, where applicable.
- Importers shall ensure that, while a system is under their responsibility, storage or transport conditions, where applicable, do not jeopardise its compliance with the requirements of Section 2 of Chapter III.
- Importers shall keep, for ten years after the system has been placed on the market or put into service, a copy of the certificate issued by the notified body, where applicable, of the instructions for use, and of the EU declaration of conformity.
- Importers shall provide the relevant competent authorities, upon a reasoned request, with all the necessary information and documentation, including the documents kept above, to demonstrate the conformity of the system, in a language which can be easily understood by them, and shall cooperate with those authorities in any action they take, in particular to reduce and mitigate the risks posed by a system they have placed on the market.
How to Implement Article 23 in Practice
- Build an import compliance checklist that mirrors Article 23(1): conformity assessment evidence, Annex IV technical documentation confirmation, CE marking present and correctly affixed under Article 48, EU declaration of conformity matching the system version, instructions for use in the required languages, and authorised representative appointment where the provider is outside the EU.
- Gate the commercial process on the checklist: no listing, shipping or activation of the system for EU customers until the file is complete and reviewed.
- Implement the labelling duty: add the importer's name and contact address to the product, packaging or accompanying documentation, which for software typically means the documentation and product information screens.
- Set up the ten-year archive for certificates, instructions and declarations of conformity, aligned with the provider-side retention regime of Article 18 and the representative duties of Article 22.
- Define an escalation procedure for failed checks and risk findings, including the mandatory notifications to the provider, the authorised representative and market surveillance authorities.
- Address Article 23 in supply contracts: documentation delivery, update notices for new versions, and cooperation commitments for authority requests.
A Concrete Example
An Amsterdam-based distributor-importer brings a Singapore provider's AI-based candidate assessment platform to the EU market. Before the first sale, it verifies the internal-control conformity assessment record, receives the Annex IV documentation confirmation and the signed EU declaration of conformity, checks the CE marking on the product information, confirms the provider has mandated an authorised representative in Frankfurt, and files all documents in its ten-year archive. When a later software release changes the system's intended purpose, the importer repeats the verification for the new configuration before continuing sales, because the original declaration no longer covers it.
How Article 23 Connects to Other Provisions
Article 23 is one of three value-chain control provisions, alongside Article 24 for distributors and Article 25, under which an importer that puts its own name or trademark on a high-risk system, substantially modifies it, or changes its intended purpose so that it becomes high-risk, is itself considered a provider with full Article 16 obligations. The verification targets all come from provider duties: Article 43 conformity assessment, Article 11 documentation, Article 47 declaration, Article 48 CE marking and Article 22 representation. Importer failures are independently sanctionable under Article 99, with fines for non-compliance with operator obligations of up to 15 million euros or 3 percent of total worldwide annual turnover.
Actions to Take Before August 2, 2026
Organisations that import AI systems into the EU should map their catalogue against Annex III and Article 6 now to identify which systems will be high-risk, contact third-country providers about documentation readiness, and stand up the verification checklist and archive before the obligations apply on August 2, 2026. Importers who discover at the deadline that their providers have no conformity documentation will face a simple choice: halt sales or carry the risk themselves. This article provides general information about Regulation (EU) 2024/1689 and is not advice for any specific import arrangement.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.