Chapter III, Section 3 — Obligations of providers and deployers of high-risk AI systems and other partiesArticle 20

Article 20: Corrective Actions and Duty of Information

Applies from 2 Aug 20264 min readEUR-Lex verified Apr 2026

Article 20 requires providers of high-risk AI systems to take immediate corrective action when they consider or have reason to consider that a system they placed on the market or put into service is not in conformity with the Regulation. The provider must bring the system into conformity, withdraw it, or recall it as appropriate. When the system presents a risk (within Article 79(1)), the provider must immediately inform the national competent authorities of the Member State(s) where the system is available, giving details of the non-conformity and corrective measures taken. This is the provider's proactive self-correction duty.

Start free assessment All articles

Who does this apply to?

-Providers of high-risk AI systems who discover non-conformity
-Importers and distributors who must be informed of corrective actions
-National competent authorities receiving non-conformity notifications

Scenarios

A provider discovers through post-market monitoring that its credit scoring AI has accuracy drift below declared levels. It immediately patches the model and notifies authorities.

Compliant with Article 20 — proactive correction plus authority notification for the risk-presenting scenario.

Ref. Art. 20

A provider becomes aware of non-conformity but waits 3 months before taking action, hoping the issue self-resolves.

Non-compliant — Article 20 requires immediate corrective action upon awareness. Delay compounds enforcement risk.

Ref. Art. 20

The corrective action duty (plain terms)

When a provider considers or has reason to consider that a high-risk AI system is not in conformity with the Regulation:

1. Immediately take necessary corrective action to bring the system into conformity 2. If bringing into conformity is not possible: withdraw or recall the system as appropriate 3. Inform distributors and, where applicable, deployers and authorised representatives

When the system presents a risk within Article 79(1) (health, safety, fundamental rights, environment), the provider must also immediately inform the national competent authorities of each Member State where the system is available.

How Article 20 connects to the rest of the Act

Article 16(f)/(g) — Corrective actions and information duties are lettered provider obligations.
Article 72 — Post-market monitoring surfaces the non-conformities that trigger Article 20.
Article 73 — Serious incident reporting (runs in parallel when incidents occur).
Article 79 — Defines the risk threshold triggering authority notification.
Article 23 / Article 24 — Importers and distributors have their own duty to inform if they discover non-conformity.
Article 21 — General cooperation duty with authorities.

Compliance checklist

Establish internal escalation procedures to surface non-conformity immediately.
Define corrective action tiers: patch, retrain, withdraw, recall.
Pre-identify national competent authorities for each Member State where the system is available.
Build notification templates for authorities with non-conformity details and corrective measures.
Inform distributors, deployers, and authorised representatives alongside authority notification.
Document all corrective actions with dates, measures taken, and outcomes.
Integrate Article 20 triggers into QMS procedures (Article 17).

Read the official text on EUR-Lex

Build your corrective action workflow—free assessment.

Start Free Assessment

Article 16: Obligations of Providers of High-Risk AI Systems

Article 17: Quality Management System for High-Risk AI

Article 21: Cooperation with Competent Authorities

Article 23: Obligations of Importers

Article 24: Obligations of Distributors

Article 72: Post-Market Monitoring

Article 73: Reporting of Serious Incidents

Article 79: Procedure at National Level for AI Systems Presenting a Risk

Article 99: Penalties for AI Act Infringements

Article 113: Entry into Force and Application Dates

Frequently asked questions

Must I notify authorities for every minor non-conformity?

Authority notification is required when the system presents a risk within Article 79(1). For non-conformities that do not present such a risk, the corrective action duty still applies but authority notification may not be required. Err on the side of notification.

What if the deployer caused the non-conformity?

The provider's Article 20 duty is triggered by awareness of non-conformity regardless of cause. Separately, the deployer has duties under Article 26. Coordinate corrective actions.

Does Article 20 require product recall if an AI system poses a risk?

Article 20 requires providers to take immediate corrective actions — including withdrawal or recall — if they consider or have reason to believe that a high-risk AI system is not in conformity. If the system presents a risk, the provider must immediately inform the competent authorities of the Member States where it is available and detail the non-conformity and corrective actions taken.

On this page

Key terms

Corrective action: Any measure taken by the provider to bring a non-conforming high-risk AI system into conformity, or to withdraw or recall it from the market.
Recall: A measure aimed at achieving the return to the provider or taking out of service or disabling the use of an AI system already made available to deployers (Article 3(16)).
Withdrawal / Recall: Corrective actions by which a provider removes a non-conforming AI system from the market (withdrawal) or retrieves systems already provided to deployers (recall).

At a glance

Article: 20
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now