§ EU AI Act · Article 78
AI Act Article 78: Obligations, Deadlines & Penalties
At a glance
Article 78 of the AI Act imposes 9 obligations on Authorities involved in the application of the Regulation, Commission, Law enforcement and 6 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations
All obligations under Article 78
Obligation 1
The Commission, market surveillance authorities, notified bodies, and other persons involved in applying the Regulation must respect the confidentiality of information and data obtained, protecting intellectual property rights, trade secrets, and other specified interests.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
Commission, market surveillance authorities, notified bodies, other natural or legal persons involved in application
- Action required
-
respect confidentiality
- Deadline
-
—
- Penalty
-
—
- Exemptions
- Cases referred to in Article 5 of Directive (EU) 2016/943 regarding trade secrets
Obligation 2
Authorities involved in applying the Regulation shall request only data that is strictly necessary for the assessment of the risk posed by AI systems and for the exercise of their powers.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
Authorities involved in the application of the Regulation
- Action required
-
request only strictly necessary data
- Deadline
-
—
- Penalty
-
—
Obligation 3
Authorities involved in applying the Regulation shall put in place adequate and effective cybersecurity measures to protect the security and confidentiality of the information and data obtained.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
Authorities involved in the application of the Regulation
- Action required
-
implement cybersecurity measures
- Deadline
-
—
- Penalty
-
—
Obligation 4
Authorities involved in applying the Regulation shall delete the data collected as soon as it is no longer needed for the purpose for which it was obtained.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
Authorities involved in the application of the Regulation
- Action required
-
delete data
- Deadline
-
as soon as it is no longer needed
- Penalty
-
—
Obligation 5
Information exchanged on a confidential basis between national competent authorities or between them and the Commission shall not be disclosed without prior consultation of the originating authority and the deployer when high-risk AI systems are used by law enforcement, border control, immigration or asylum authorities and disclosure would jeopardise public and national security interests.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
National competent authorities, Commission
- Sector scope
- Law enforcement, border control, immigration, asylum
- Action required
-
not disclose without prior consultation
- Deadline
-
—
- Penalty
-
—
Obligation 6
The exchange of information shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
National competent authorities, Commission
- Sector scope
- Law enforcement, border control, immigration, asylum
- Action required
-
exclude sensitive operational data
- Deadline
-
—
- Penalty
-
—
Obligation 7
When law enforcement, immigration or asylum authorities are providers of high-risk AI systems, the technical documentation shall remain within the premises of those authorities.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
Law enforcement, immigration or asylum authorities acting as providers
- Sector scope
- Law enforcement, immigration, asylum
- Action required
-
keep documentation on premises
- Deadline
-
—
- Penalty
-
—
Obligation 8
Law enforcement, immigration or asylum authorities acting as providers shall ensure that market surveillance authorities can, upon request, immediately access the technical documentation or obtain a copy thereof.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
Law enforcement, immigration or asylum authorities acting as providers
- Sector scope
- Law enforcement, immigration, asylum
- Action required
-
ensure immediate access to documentation
- Deadline
-
upon request
- Penalty
-
—
Obligation 9
Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access the technical documentation or any copy thereof.
Regulation (EU) 2024/1689, Article 78, Article 78
- Obligated entity
-
Market surveillance authorities
- Action required
-
restrict access to cleared staff
- Deadline
-
—
- Penalty
-
—
§ Deadlines
EU AI Act compliance deadlines
-
2025-02-02
Article 4 AI literacy
in_force
-
2025-02-02
Article 5 prohibitions (unacceptable risk)
in_force
-
2025-08-02
GPAI model obligations (Articles 51 to 56)
in_force
-
2026-08-02
Article 50(2) machine-readable marking (watermarking) of AI-generated content
provisionally_amended
-
2026-08-02
Article 50 transparency obligations OTHER than the 50(2) marking grace (for example disclosure that a user is interacting with an AI system)
scheduled
-
2026-08-02
Annex III stand-alone high-risk obligations
provisionally_amended
-
2026-08-02
National AI regulatory sandboxes (establishment deadline)
provisionally_amended
-
2026-12-02
NEW Article 5 prohibition: AI generation of non-consensual intimate imagery (NCII) and CSAM
provisionally_amended
-
2027-08-02
Annex I embedded (regulated-product) high-risk obligations
provisionally_amended
§ Frequently asked
Questions about Article 78
Who must comply with Article 78 of the AI Act?
+
Authorities involved in the application of the Regulation, Commission, Law enforcement, Market surveillance authorities, National competent authorities, immigration or asylum authorities acting as providers, market surveillance authorities, notified bodies, other natural or legal persons involved in application.
What does Article 78 of the AI Act require?
+
respect confidentiality request only strictly necessary data implement cybersecurity measures
What is the compliance deadline for AI Act Article 78?
+
as soon as it is no longer needed; upon request