Regulation (EU) 2024/1689 · Articles 22 & 54

Your EU Authorised Representative under the EU AI Act.

Non-EU providers of high-risk AI systems and general-purpose AI models must appoint a mandated representative established in the European Union before placing their system on the market. SecureFound assumes that mandate — with the legal formation, deontological standards, and professional judgement the role demands.

Appoint your EU Representative Check your legal obligation
  • Article 22
  • Article 54
  • 27 Member States
  • AESIA Jurisdiction
  • Bar-Admitted Team
  • Lexara Advisory · NYC

A statutory obligation. Not a compliance preference.

Operating AI in the European market from outside the Union without an Authorised Representative is a direct breach of Regulation (EU) 2024/1689. Enforcement is staged, real, and underway.

Who is affected

Providers established in the United States, United Kingdom, Canada, Israel, Singapore, Japan, Australia, and any third country, when their AI systems or GPAI models are placed on the EU market or their output is used in the Union.

What is at stake

Administrative fines up to €35M or 7% of total worldwide annual turnover for prohibited practices; up to €15M or 3% for breaches of Articles 22 and 54 obligations. Plus market access restrictions and reputational exposure.

When it applies

Article 54 GPAI obligations: in force since 2 August 2025. Article 22 high-risk AI systems: phased transition through 2 August 2027. AI Office full enforcement powers: 2 August 2026.

Our mandate

What we take on.

When you appoint SecureFound, we assume — by written mandate — the operational and statutory obligations established by Articles 22 and 54. This is not a forwarding service. It is the regulatory role itself.

01

Mandate execution

Formal acceptance of the written mandate as your sole Authorised Representative within the European Union, registered correctly across instructions for use, the EU Declaration of Conformity, and your registration in the EU database under Article 49.

02

Documentation custody

Secure custody of your technical documentation, EU Declaration of Conformity, conformity certificates, and post-market monitoring records for the full statutory period of 10 years. EU data residency. GDPR-compliant infrastructure.

03

Regulatory liaison

Single point of contact for AESIA, the EU AI Office, and any national market surveillance authority. Inbound communications received, triaged, contextualised, and answered with the standards of professional regulatory practice.

04

Authority cooperation

Active cooperation in any investigation, audit, or risk-mitigation procedure. Article 26 reporting and Article 61 cooperation duties handled with the procedural rigour the regulation requires.

05

Registration support

Assistance in completing and maintaining the obligations under Article 49 of the AI Act, including the EU database submission and the verification of correctness of the information delivered to authorities.

06

Independent professional judgement

The Act requires the Authorised Representative to terminate the mandate where the provider acts contrary to its obligations. We do not treat this as a contractual technicality. We treat it as the law. That independence is what makes our representation credible to authorities — and protective for you.

Eligibility

Do you need an Authorised Representative?

Article 22 Article 54
ScopeHigh-risk AI systemsGeneral-purpose AI models
ExamplesBiometrics · Credit scoring · HR & recruitment · Critical infrastructure · Migration · JusticeLarge language models · Text-to-image · Foundation models
Reports toNational market surveillance authoritiesEU AI Office
Open-source exceptionNoYes (unless systemic risk)
In forcePhased through 2027Since 2 August 2025

If all four are true, you must appoint a representative:

  • The provider is established outside the European Union
  • The AI system is high-risk under Annex III, OR the model is a GPAI model
  • The system or its output reaches the EU market
  • No legal entity established in an EU Member State acts as provider
Request eligibility check

Who we are

An AI governance consultancy. Led by lawyers.

SecureFound is an AI governance consultancy established in Spain. It is led by a team of bar-admitted attorneys with decades of professional formation in European law, data protection, administrative procedure, and fundamental rights.

We are not engineers who learned regulation when the Act was published. We are legal professionals who built a consultancy practice around AI governance because the EU AI Act is, before anything else, a legal instrument — with recitals, cross-references to sector law, and an enforcement culture that requires fluency in how European authorities reason and act.

To be clear: SecureFound is not a law firm. We do not provide legal advice and we do not create attorney–client relationships. We provide the Authorised Representative mandate, and we do so under the standards that decades of legal practice make non-negotiable: maximum confidentiality, GDPR compliance with EU data residency, independent professional judgement, and the duty to terminate the mandate when the law requires it.

  • 01

    Bar-admitted leadership

    The team's professional formation is in law. Decades of practice in the regulatory environment SecureFound now operates within.

  • 02

    AESIA jurisdiction

    Established in Spain — the jurisdiction of AESIA, one of the EU's most active national AI supervisory authorities.

  • 03

    Professional standards

    Confidentiality, independence, and deontological discipline carried over from legal practice into consultancy execution.

  • 04

    Transatlantic reach

    Strategic partnership with Lexara Advisory LLC (New York) for clients requiring coverage on both sides of the Atlantic.

Why SecureFound

Three categories of provider. One serious choice.

SecureFound Compliance platforms Tech consultancies
Bar-admitted leadership
Decades of EU legal formation
Independent professional judgement
AESIA jurisdiction
Transatlantic coverage
Operational mandate execution
10-year documentation custody

Yes Partial No

EU coverage

One representative. 27 Member States.

Article 22 of Regulation (EU) 2024/1689 requires the appointment of “an authorised representative which is established in the Union” — not one per country. A single Authorised Representative covers the entire Union market.

How the coverage works in practice

SecureFound is established in Spain, placing AESIA as our coordinating “home” authority. From that single establishment, we represent your AI system or GPAI model before every market surveillance authority across the 27 Member States — and before the EU AI Office in Brussels.

If the German Bundesnetzagentur, the French CNIL, the Italian AgID, or any of the approximately 2,000 national market surveillance authorities operating under the AI Act addresses an enquiry to you, that enquiry is received and handled by SecureFound. You appoint one representative; you cover one Union.

This mirrors the long-established Article 27 GDPR regime, where a representative appointed in any single Member State has covered the entire EU since 2018.

  • EU
    Single mandate, full Union scope One written mandate under Art. 22 or Art. 54 covers all 27 Member States. No multi-country appointments required.
  • ES
    Spain as your coordinating jurisdiction AESIA is your "home" authority — the channel for registration, coordination, and EU AI Board interaction.
  • DE FR IT NL
    Direct liaison with any national authority We are the addressable contact for any national market surveillance authority that engages with your system across the Union.
  • EU·AI
    Direct line to the EU AI Office For GPAI providers under Article 54, we are your sole point of contact with the European Commission's AI Office in Brussels.

Why Spain · Why AESIA

  • One centralised authority. AESIA is a single national supervisory body — unlike Germany (multiple federal and regional authorities) or Finland (10 sectoral authorities). One channel, one process.
  • Operative ahead of schedule. AESIA was among the first national authorities operationally designated and aligned with the EU AI Office.
  • Bilingual operation. AESIA processes communications in Spanish and English without requiring sworn translations to French, German, or Italian.
  • Aligned with Brussels. AESIA's protocols match the EU AI Office's coordination procedures, smoothing GPAI cases under Article 54.

Engagement

How it works.

  1. 01

    Eligibility review

    We confirm whether your AI system or model triggers Articles 22 or 54, classify it under Annex III where applicable, and map your market entry timeline. Free · 48 hours

  2. 02

    Mandate drafting

    Tailored written mandate covering scope, duration, transition provisions, and the statutory termination obligations under Articles 22(4) and 54(5). Reviewed by your counsel before execution.

  3. 03

    Mandate execution

    Formal signature. Your representative details are immediately ready for inclusion in your instructions for use, EU Declaration of Conformity, and EU database registration.

  4. 04

    Ongoing representation

    Documentation custody, regulatory liaison, post-market monitoring cooperation, and authority interaction for the lifecycle of your mandate.

Strategic partner

One partnership. Two jurisdictions.

SecureFound operates in strategic partnership with Lexara Advisory LLC, an AI governance consultancy based in New York, led by a Spanish-barred attorney with deep formation in EU AI Act, GDPR, and US AI regulatory frameworks.

SecureFound · Spain

  • EU presence under Articles 22 / 54
  • Regulatory liaison · AESIA · EU AI Office
  • Documentation custody · 10 years
  • Professional confidentiality standards

Lexara Advisory · New York

  • EU AI Act gap audit
  • GDPR alignment
  • NYC Local Law 144 · US state frameworks
  • AI governance consulting
Visit Lexara Advisory

Frequently asked

Questions general counsel ask.

Do I need Article 22 or Article 54 representation?

If your AI system is listed under Annex III of the EU AI Act (biometrics, credit scoring, HR, critical infrastructure, migration, justice, education, law enforcement) and you are established outside the EU, Article 22 applies. If you provide a general-purpose AI model — large language models, foundation models, text-to-image or text-to-video models — and you are established outside the EU, Article 54 applies. The two regimes can also apply concurrently.

Can my EU subsidiary act as the Authorised Representative?

Legally yes, but only if the subsidiary's independence is credible, it has the operational capacity to fulfil regulatory obligations, and the mandate is formally documented. The Authorised Representative must terminate the mandate where the provider breaches its obligations under the Act — a duty that structurally dependent entities frequently cannot exercise. For most providers, an independent representative is the safer and more credible choice.

What happens if SecureFound terminates the mandate?

The Act requires the Authorised Representative to terminate where the provider acts contrary to its obligations and to inform the relevant authority. We address this in the mandate itself: clear escalation procedure, written notice, transition period, and assistance in identifying a successor representative. The duty exists by law; our role is to make the worst case orderly, not adversarial.

What are the deadlines I should be aware of?

2 August 2025: Article 54 GPAI obligations entered into force for new models. 2 August 2026: the EU AI Office obtains full enforcement powers, including the ability to request information, mandate mitigations, and impose fines. 2 August 2027: GPAI models placed on the market before August 2025 must be in compliance; high-risk AI systems under Annex III must comply.

Does this replace my internal compliance program?

No. The Authorised Representative is the regulatory contact point under Articles 22 and 54. It is a critical statutory role — but it is not a substitute for your internal AI governance, your conformity assessment, your risk management system, or your post-market monitoring plan. SecureFound can map the full picture for you through our partnership with Lexara Advisory.

Does SecureFound represent me across the entire EU or only in Spain?

Across the entire European Union — all 27 Member States. Article 22 of Regulation (EU) 2024/1689 requires the appointment of "an authorised representative which is established in the Union", not one per Member State. A single Authorised Representative, established in any EU Member State, covers the whole Union market. This mirrors the long-established Article 27 GDPR regime in force since 2018. SecureFound is established in Spain — placing AESIA (the Spanish Agency for the Supervision of Artificial Intelligence) as our coordinating "home" authority — but we represent providers before any national market surveillance authority across the Union, and before the EU AI Office in Brussels.

What if a German, French, or Italian authority contacts me?

They contact SecureFound. As your sole Authorised Representative in the Union, we are the addressable contact point for every national market surveillance authority across the 27 Member States — and there are approximately 2,000 of them under the AI Act. We receive their communications, coordinate the response with you, produce the required documentation, and engage with the authority directly or through AESIA depending on the procedure involved. You appoint one representative; you cover one Union.

Begin

Ready to enter the EU market with the representation it requires?

Write to us directly. We respond within 48 hours with a confidential eligibility review.

Registered office

Edificio Calle Moraditas I
C. Clara Toledo Gómez, 2, Planta 1ª, Oficina 4
38639 Las Chafiras, Santa Cruz de Tenerife
España

When you write

To accelerate the eligibility review, please include the following in your message:

  • 01
    Company & roleCompany name, your role, country of establishment.
  • 02
    System typeHigh-risk AI system (Article 22), GPAI model (Article 54), or both.
  • 03
    Sector & use caseWhat the system does, in which sector, and how it reaches the EU market.
  • 04
    Deployment timelineWhen you intend to place the system on the EU market.
  • 05
    Current EU presenceWhether any EU entity is currently acting as provider, distributor, or representative.
Write to regulatory@securefound.com

All enquiries are received under professional confidentiality standards.