EU Authorised Representative under EU AI Act — Article 22

Strategic Partner · One Mandate · 27 Member States

SecureFound — your EU Authorised Representative

SecureFound is an AI governance consultancy established in Adeje, Tenerife (Spain), led by a team of bar-admitted attorneys with decades of professional formation in European law, data protection, and administrative procedure. SecureFound serves as Authorised Representative under Articles 22 (high-risk AI systems) and 54 (general-purpose AI models) for non-EU providers — assuming, by written mandate, the operational and statutory obligations established by Regulation (EU) 2024/1689.

Through its strategic partnership with Lexara Advisory LLC (New York), the engagement delivers one transatlantic compliance stack across two jurisdictions: Lexara handles US-side audit, Annex IV documentation, and conformity assessment; SecureFound holds the European mandate, faces the regulator, and maintains documentation custody for the full statutory 10-year period.

EU Member States covered from one mandate

Years statutory documentation custody

AESIA

Spanish AI supervisory authority — coordinating home jurisdiction

Art. 22 + 54

Both high-risk and GPAI mandate regimes

Visit securefound.com → Contact Lexara to coordinate the engagement

Why US Companies Need an EU Representative

The EU AI Act follows the same extraterritorial model as the GDPR. If you are a US-based provider of a high-risk AI system that is placed on the EU market or whose output is used in the EU, you need an authorised representative established in an EU Member State. Without one, you cannot complete Article 71 database registration.

The role is not administrative — it is the regulatory contact point under EU law. National market surveillance authorities and the EU AI Office address the representative; the representative must be able to receive their communications, produce documentation, and engage on substantive regulatory issues.

What the Representative Must Do

Under Article 22(3), the authorised representative must perform the tasks specified in the mandate, which include:

Verify documentation: Confirm that the EU Declaration of Conformity (Article 47) and technical documentation (Annex IV) have been properly drawn up.
Keep records for 10 years: Maintain the provider's contact details, the EU Declaration of Conformity, the technical documentation, and any Notified Body certificate. SecureFound provides EU data residency and GDPR-compliant infrastructure for this custody.
Cooperate with authorities: Provide competent authorities with all information necessary to demonstrate conformity, including access to automatically generated logs.
Act on corrective measures: Cooperate with authorities on any corrective or risk-mitigation action.
Ensure registration: Verify that Article 49 registration obligations have been met.

What the Representative Cannot Do

The mandate cannot delegate the provider's core obligations under Articles 9 through 17 — risk management, data governance, technical documentation, record-keeping, transparency, human oversight, accuracy, robustness, and cybersecurity remain the provider's responsibility. This is where the Lexara × SecureFound partnership matters: Lexara helps the US provider meet those substantive obligations on the US side; SecureFound holds the procedural mandate on the EU side.

Independent Professional Judgement — and Termination

Under Article 22(4), the authorised representative can terminate the mandate if it considers the provider to be acting contrary to its AI Act obligations. In such a case, it must immediately inform the relevant market surveillance authority. SecureFound treats this not as a contractual technicality but as a statutory duty — and that independence is what makes the representation credible to authorities. The mandate addresses termination explicitly: clear escalation procedure, written notice, transition period, and assistance in identifying a successor representative.

Article 22 vs Article 54 — Two Mandate Regimes

SecureFound covers both. The two regimes can apply concurrently — for example, a US company providing both a high-risk AI hiring system (Art. 22) and a foundation model deployed in the EU (Art. 54).

	Article 22	Article 54
Scope	High-risk AI systems (Annex III)	General-purpose AI models (GPAI)
Examples	Biometrics · Credit scoring · HR · Critical infrastructure · Migration · Justice	Large language models · Foundation models · Text-to-image
Reports to	National market surveillance authorities	EU AI Office (Brussels)
Open-source exception	No	Yes (unless systemic risk)
In force	Phased — Annex III obligations apply 2 December 2027 (post-trilogue)	Since 2 August 2025

How the Engagement Works

The Lexara × SecureFound engagement is a single, coordinated process. The steps:

Eligibility review (free, 48 hours). SecureFound confirms whether your AI system or model triggers Article 22 or 54 and classifies it under Annex III where applicable.
Lexara-side gap audit. US-side review of your existing documentation, risk management, data governance, and technical practices against EU AI Act requirements.
Annex IV documentation package. Lexara produces the mandatory technical documentation, in coordination with SecureFound's review for European regulatory standards.
Mandate drafting. SecureFound drafts the tailored written mandate covering scope, duration, transition provisions, and termination obligations under Article 22(4) / 54(5).
Mandate execution. Formal signature. Your representative details are immediately ready for inclusion in your instructions for use, EU Declaration of Conformity, and EU database registration.
Article 71 database submission & ongoing representation. SecureFound submits the required Annex VIII information to the EU AI database under Article 49 and maintains documentation custody, regulatory liaison, and authority cooperation for the lifecycle of the mandate.

Related Resources

EU AI Act for US Companies — full extraterritorial scope analysis

Registration Timeline — representative appointment must precede database submission

Penalties — consequences of non-compliance with Article 22

SecureFound · Article 22 services — detailed scope of the high-risk mandate

SecureFound · Article 54 services — GPAI mandate regime

Begin the Engagement

The Lexara × SecureFound partnership delivers EU AI Act compliance from inventory to mandate execution. Free 48-hour eligibility review.

Contact Lexara Advisory → Visit SecureFound →

Lexara Advisory LLC (New York) is an AI governance consulting firm, not a law firm. SecureFound (SECURE FOUND, S.L., NIF B-56538416, Spain) is an AI governance consultancy in Spain delivering Authorised Representative services under written mandate pursuant to Articles 22 and 54 of Regulation (EU) 2024/1689. Neither entity creates an attorney–client relationship. This content is for informational purposes only and does not constitute legal advice.

EU Authorised Representative — Article 22