EU AI Act for Non-EU Companies: Your Guide to Compliance & GDPR

For non-EU companies leveraging artificial intelligence in markets like health-tech, the European regulatory landscape is becoming increasingly complex. While the General Data Protection Regulation (GDPR) has long been a compliance cornerstone, the landmark EU AI Act introduces a parallel, product-safety-oriented framework. This creates a critical new requirement for many businesses: the need for an AI Act Authorised Representative in addition to the existing GDPR Article 27 Representative. For a non-EU company offering an AI-driven service that processes the personal data of EU residents, navigating the distinct yet overlapping responsibilities of these two roles is a strategic imperative. While a GDPR representative focuses on data protection and communication with Data Protection Authorities (DPAs), an AI Act representative is responsible for product conformity, technical documentation, and liaising with Market Surveillance Authorities (MSAs). This guide provides a comprehensive framework for understanding these roles, evaluating providers, and ensuring seamless compliance across both regulations. ## Key Points * **Two Distinct Mandates:** The GDPR Article 27 Representative is a data protection point of contact, while the AI Act Authorised Representative is a product safety and conformity steward for high-risk AI systems. Their core functions, required expertise, and liabilities are fundamentally different. * **Divergent Skill Sets:** A provider's expertise in data protection law (GDPR) does not guarantee competence in AI system risk management, conformity assessments, or post-market surveillance (AI Act). The latter requires deep technical and product regulatory knowledge. * **Strategic Choice: Single vs. Separate Representatives:** Appointing a single entity for both roles can streamline communication, but it risks insufficient expertise in one domain. Using separate, specialized providers ensures deep knowledge but requires more coordination from the manufacturer. * **Vetting is Critical:** Companies must rigorously evaluate a potential representative's capabilities across both data privacy and AI product regulation. This includes assessing their technical understanding of AI, experience with quality management systems, and liability coverage. * **Contractual Precision is Non-Negotiable:** Service agreements must clearly delineate responsibilities, liability, and communication protocols for each regulation. This prevents compliance gaps between data protection and market surveillance obligations. ## Understanding the Two Key EU Representative Roles For non-EU companies, both the GDPR and the AI Act mandate the appointment of an in-Union representative to act as a formal point of contact. However, their responsibilities and the expertise required to fulfill them are vastly different. ### The GDPR Article 27 Representative: The Data Protection Point of Contact The role of the Article 27 Representative is established under the GDPR for non-EU controllers and processors that offer goods or services to, or monitor the behavior of, individuals in the EU. **Core Responsibilities:** * **Point of Contact:** Serve as the primary contact for EU-based data subjects who wish to exercise their rights (e.g., access, rectification, erasure) and for Data Protection Authorities (DPAs) conducting inquiries or investigations. * **Record Keeping:** Maintain a copy of the company’s Record of Processing Activities (ROPA) and make it available to DPAs upon request. * **Communication Facilitator:** Act as a bridge between the non-EU company and EU authorities, ensuring timely and compliant communication. The role is centered entirely on data protection law. The representative must be an expert in GDPR interpretation and application but is not required to have deep technical knowledge of the company's products or services beyond how they process personal data. ### The AI Act Authorised Representative: The Product Safety & Compliance Steward The AI Act mandates an Authorised Representative for non-EU providers placing high-risk AI systems on the EU market. This role is analogous to representatives required under other EU product safety legislation, such as the Medical Device Regulation (MDR). **Core Responsibilities:** * **Conformity Verification:** Verify that the non-EU provider has carried out the appropriate conformity assessment procedure and has drawn up the required technical documentation and EU declaration of conformity. * **Documentation Management:** Keep a copy of the declaration of conformity and technical documentation, ensuring they are available for national Market Surveillance Authorities (MSAs) for a specified period. * **Cooperation with Authorities:** Cooperate with MSAs on any action taken to eliminate the risks posed by the AI system, including providing samples or information as requested. * **Incident Reporting:** Immediately inform the provider of any complaints or reports from individuals, healthcare professionals, or users about incidents or non-compliance related to the AI system. This role demands a sophisticated understanding of product regulation, technical systems, and risk management. The representative is not just a mailbox but an active participant in the product's compliance lifecycle. ## A Framework for Vetting Your EU Representative Choosing a representative—or deciding whether a single entity can fulfill both roles—requires a structured evaluation. Companies should assess potential providers against a detailed set of criteria to avoid significant compliance and liability risks. ### Criterion 1: Regulatory and Legal Expertise The provider must demonstrate deep, distinct expertise in both legal frameworks. **For GDPR:** * What is their documented experience handling inquiries from DPAs? * Can they provide case studies of managing data subject access requests (DSARs)? * How do they stay current with evolving GDPR guidance and case law from the European Data Protection Board (EDPB)? **For the AI Act:** * Do they have experience with EU product safety regulations (e.g., CE marking, MDR, Machinery Regulation)? This is a strong indicator of relevant competence. * Can they explain the different conformity assessment modules under the AI Act and which might apply to your system? * Do they understand the specific documentation requirements for high-risk AI, including risk management, data governance, and post-market surveillance plans? ### Criterion 2: Technical Competence for AI Systems An effective AI Act Authorised Representative cannot be a technical novice. They must be able to meaningfully engage with your product's documentation. * **Documentation Review:** Does the provider have personnel who can understand and critically assess AI technical documentation, including model architecture, validation reports, and data sheets? * **Risk Management Understanding:** Can they discuss AI-specific risks like algorithmic bias, data drift, robustness, and cybersecurity, and review your risk management file? Experience with standards like ISO 14971 (for medical devices) is highly relevant. * **Domain Knowledge:** For a health-tech AI, does the representative understand the clinical context, intended use, and potential patient safety implications? ### Criterion 3: Quality Management and Post-Market Surveillance (PMS) The AI Act imposes significant QMS and PMS requirements on providers of high-risk AI systems. Your representative is a key part of this system. * **QMS Experience:** Does the provider have experience working with formal quality management systems, such as ISO 13485 (for medical devices) or ISO 9001? They must understand concepts like change control, corrective and preventive actions (CAPA), and management review. * **PMS Processes:** What is their process for receiving and escalating user complaints or incident reports? How will they support your PMS activities and cooperate with MSA investigations? * **Cross-Regulatory Insight:** Experience with robust PMS systems, such as those detailed in FDA guidance documents for medical devices in the U.S. (governed by regulations like 21 CFR Part 820), can be a strong indicator of a provider's capability to manage these complex processes. ## Strategic Scenarios for Appointing Representatives Companies essentially have two strategic options, each with distinct advantages and disadvantages. ### Scenario 1: Appointing a Single Entity for Both Roles A large consulting firm or law firm might offer a "one-stop-shop" service covering both GDPR and AI Act representation. * **Potential Advantages:** * **Efficiency:** A single point of contact simplifies communication and contract management. * **Cost Savings:** Bundled services may offer a lower total cost. * **Integrated Oversight:** One partner has a holistic view of your EU compliance posture. * **Potential Risks and Vetting Focus:** * **Diluted Expertise:** The firm may be strong in one area (e.g., data privacy law) but weak in the other (e.g., technical product conformity). * **Siloed Teams:** Even within one firm, the GDPR and AI Act teams might not be integrated. You must verify that the expertise is not just on paper but is operationally connected. * **Vetting Questions:** Ask to speak with the specific individuals who will handle each function. Request case studies where they have managed both data privacy and product compliance for a complex technology product. ### Scenario 2: Appointing Separate, Specialized Representatives This involves engaging a boutique data privacy firm for the GDPR role and a specialized med-tech or product regulatory consultancy for the AI Act role. * **Potential Advantages:** * **Deep Expertise:** Each provider is a dedicated specialist in their domain, ensuring best-in-class knowledge. * **Clear Accountability:** Responsibilities are cleanly separated, reducing ambiguity. * **Potential Risks and Vetting Focus:** * **Coordination Burden:** The manufacturer is responsible for managing two relationships and ensuring seamless communication between them. * **Compliance Gaps:** An incident could have both data protection and product safety implications. Without a pre-defined protocol, the representatives could point fingers at each other, causing critical delays. * **Vetting Questions:** Before signing contracts, a manufacturer should create a responsibility matrix (e.g., a RACI chart) and have both potential representatives agree to a cooperation framework. ## Updating Contracts to Mitigate Compliance Gaps Whether using one provider or two, your contractual agreements must be updated to reflect the dual regulatory requirements. 1. **Scope of Services:** The contract must explicitly and separately define the services to be performed under GDPR Article 27 and the EU AI Act. Do not bundle them under a generic "EU Representative" service. 2. **Liability and Insurance:** The liability clauses should be distinct for each regulation. A provider must have adequate insurance covering both data protection breaches (GDPR fines can be substantial) and product liability claims (which fall under the AI Act). 3. **Communication Protocols:** Define clear Service Level Agreements (SLAs) for communication. For example, how quickly must the representative notify you of an inquiry from a DPA versus an MSA? The processes and urgency may differ. 4. **Cooperation Clause:** If using two separate representatives, the contract with each should include a clause obligating them to cooperate with the other representative and the manufacturer in the event of an incident or investigation that spans both regulations. ## Finding and Comparing GDPR Article 27 Representative Providers Choosing the right representative is a critical compliance decision. When evaluating providers, focus on their demonstrated expertise, operational capacity, and transparency. Look for providers who can clearly articulate the differences between the GDPR and AI Act roles and can present a credible plan for managing the technical and regulatory demands of AI systems. Assess their experience with relevant product sectors, such as medical devices or other regulated software. To find qualified vetted providers [click here](https://cruxi.ai/regulatory-directories/gdpr_art27_rep) and request quotes for free. ## Key Regulatory References When navigating EU compliance, it is essential to refer to the primary legal texts and official guidance documents. * The EU AI Act (Regulation on Artificial Intelligence) – The primary legal text outlining requirements for AI systems. * The EU General Data Protection Regulation (GDPR) – The foundational regulation for data protection in the EU. * Guidance from the European Data Protection Board (EDPB) on the territorial scope of GDPR and the role of the representative. * Relevant product safety and quality system regulations, which provide context for the AI Act's approach, such as those found in the U.S. under 21 CFR Part 820 (Quality System Regulation). This article is for general educational purposes only and is not legal, medical, or regulatory advice. For device-specific questions, sponsors should consult qualified experts and consider engaging FDA via the Q-Submission program. --- *This answer was AI-assisted and reviewed for accuracy by Lo H. Khamis.*