§ EU AI Act · Article 78

AI Act Article 78: Obligations, Deadlines & Penalties

Regulation (EU) 2024/1689, Article 78 · All obligations · EU AI Act
At a glance
Article 78 of the AI Act imposes 9 obligations on Authorities involved in the application of the Regulation, Commission, Law enforcement and 6 other entity type(s). At least one obligation carries an explicit compliance deadline.
§ Obligations

All obligations under Article 78

Obligation 1
The Commission, market surveillance authorities, notified bodies, and other persons involved in applying the Regulation must respect the confidentiality of information and data obtained, protecting intellectual property rights, trade secrets, and other specified interests. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
Commission, market surveillance authorities, notified bodies, other natural or legal persons involved in application
Action required
respect confidentiality
Deadline
Penalty
Exemptions
Cases referred to in Article 5 of Directive (EU) 2016/943 regarding trade secrets
Obligation 2
Authorities involved in applying the Regulation shall request only data that is strictly necessary for the assessment of the risk posed by AI systems and for the exercise of their powers. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
Authorities involved in the application of the Regulation
Action required
request only strictly necessary data
Deadline
Penalty
Obligation 3
Authorities involved in applying the Regulation shall put in place adequate and effective cybersecurity measures to protect the security and confidentiality of the information and data obtained. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
Authorities involved in the application of the Regulation
Action required
implement cybersecurity measures
Deadline
Penalty
Obligation 4
Authorities involved in applying the Regulation shall delete the data collected as soon as it is no longer needed for the purpose for which it was obtained. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
Authorities involved in the application of the Regulation
Action required
delete data
Deadline
as soon as it is no longer needed
Penalty
Obligation 5
Information exchanged on a confidential basis between national competent authorities or between them and the Commission shall not be disclosed without prior consultation of the originating authority and the deployer when high-risk AI systems are used by law enforcement, border control, immigration or asylum authorities and disclosure would jeopardise public and national security interests. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
National competent authorities, Commission
Sector scope
Law enforcement, border control, immigration, asylum
Action required
not disclose without prior consultation
Deadline
Penalty
Obligation 6
The exchange of information shall not cover sensitive operational data in relation to the activities of law enforcement, border control, immigration or asylum authorities. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
National competent authorities, Commission
Sector scope
Law enforcement, border control, immigration, asylum
Action required
exclude sensitive operational data
Deadline
Penalty
Obligation 7
When law enforcement, immigration or asylum authorities are providers of high-risk AI systems, the technical documentation shall remain within the premises of those authorities. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
Law enforcement, immigration or asylum authorities acting as providers
Sector scope
Law enforcement, immigration, asylum
Action required
keep documentation on premises
Deadline
Penalty
Obligation 8
Law enforcement, immigration or asylum authorities acting as providers shall ensure that market surveillance authorities can, upon request, immediately access the technical documentation or obtain a copy thereof. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
Law enforcement, immigration or asylum authorities acting as providers
Sector scope
Law enforcement, immigration, asylum
Action required
ensure immediate access to documentation
Deadline
upon request
Penalty
Obligation 9
Only staff of the market surveillance authority holding the appropriate level of security clearance shall be allowed to access the technical documentation or any copy thereof. Regulation (EU) 2024/1689, Article 78, Article 78
Obligated entity
Market surveillance authorities
Action required
restrict access to cleared staff
Deadline
Penalty
§ Deadlines

EU AI Act compliance deadlines

§ Frequently asked

Questions about Article 78

Who must comply with Article 78 of the AI Act? +
Authorities involved in the application of the Regulation, Commission, Law enforcement, Market surveillance authorities, National competent authorities, immigration or asylum authorities acting as providers, market surveillance authorities, notified bodies, other natural or legal persons involved in application.
What does Article 78 of the AI Act require? +
respect confidentiality request only strictly necessary data implement cybersecurity measures
What is the compliance deadline for AI Act Article 78? +
as soon as it is no longer needed; upon request
Need a cross-border briefing on AI Act Article 78?
Search Fontvera ↵
All EU obligation pages  ·  All EU AI Act articles