Chapter IX, Section 2 — Market surveillance | Article 78

Article 78: Confidentiality

Applies from 2 Aug 2026. EUR-Lex verified Apr 2026.

Article 78 requires all parties involved in the application of the Regulation — authorities, notified bodies, and any natural or legal person — to respect the confidentiality of information and data obtained in carrying out their tasks. This includes trade secrets, business-confidential information, and the protection of intellectual property rights including source code. Information must only be shared in accordance with the Regulation and applicable Union or national law. Authorities must protect commercially sensitive information when sharing with other authorities or the Commission. This article is the confidentiality safeguard that makes the extensive access powers under Article 74 and Article 77 workable. Always verify on EUR-Lex.

Who does this apply to?

  • Market surveillance authorities handling trade secrets and source code during inspections
  • Notified bodies accessing confidential technical documentation during conformity assessments
  • The AI Office processing confidential GPAI model information under Chapter V
  • Providers sharing proprietary information (source code, training data details, model architecture) with authorities during inspections or investigations

Scenarios

A market surveillance authority requests access to a provider's source code and model weights under Article 74 to investigate a non-compliance complaint. The provider is concerned about trade secret exposure.

Article 78 requires the authority to protect the confidentiality of the source code and model weights. Access is granted under controlled conditions — the authority may not disclose the information to competitors or the public, and must implement safeguards (secure viewing, limited personnel access). The provider can identify specific elements as trade secrets to ensure targeted protection.
Ref. Art. 78 + Art. 74

A notified body conducts a conformity assessment (Article 43) of a high-risk medical AI system and accesses detailed training data composition, model architecture, and performance benchmarks.

Under Article 78, the notified body must treat all commercially sensitive information as confidential. Staff who access the information are bound by confidentiality. The notified body may not use the information for any purpose other than the conformity assessment, and must not share it with competitors or third parties.
Ref. Art. 78 + Art. 43

What Article 78 protects (plain terms)

Article 78 establishes a comprehensive confidentiality obligation that covers:

  • Trade secrets — proprietary algorithms, model architectures, training methodologies, and commercial strategies
  • Business-confidential information — pricing, contracts, market data, and competitive positioning disclosed during authority interactions
  • Intellectual property rights — patents, copyrights, and database rights; specifically including source code which authorities may access under Article 74 safeguards
  • Personal data — where information obtained during enforcement contains personal data, GDPR obligations apply in parallel

The obligation binds everyone involved in applying the Regulation: authority staff, notified body personnel, external experts consulted by authorities, and any other person who obtains information through the enforcement process.

How confidentiality enables enforcement

Article 78 is the trust mechanism that makes the Act's extensive access powers viable:

  • Without confidentiality guarantees, providers would resist sharing source code (Article 74), training data details (Article 10), and model documentation (Article 11) — undermining enforcement
  • The article allows authorities to share information with each other (mutual assistance under Article 75) and with the Commission, but only to the extent necessary and with appropriate safeguards for commercially sensitive content
  • When information is shared between authorities across borders, the receiving authority inherits the same confidentiality obligation
  • The article does not prevent authorities from publishing aggregated, anonymised findings or enforcement decisions that do not reveal protected information

How Article 78 connects to the rest of the Act

  • Article 74 — Market surveillance access powers (source code, documentation) that Article 78 constrains with confidentiality.
  • Article 75 — Mutual assistance where confidential information crosses borders.
  • Article 77 — Fundamental rights authorities accessing documentation, who are bound by Article 78.
  • Article 43 — Conformity assessments by notified bodies involving confidential material.
  • Article 11 — Technical documentation that typically contains trade secrets.
  • Article 78 — Full text on EUR-Lex.
  • Article 113 — Application dates and staged entry into force.

Recitals (preamble) on EUR-Lex

The recitals in the consolidated AI Act on EUR-Lex emphasise that effective enforcement requires access to commercially sensitive information, but that such access must be balanced with legitimate business interests. The confidentiality obligation under Article 78 is modelled on analogous provisions in the EU market surveillance regulation (2019/1020) and product safety legislation. Consult the official preamble on EUR-Lex.

Compliance checklist

  • Before sharing information with authorities, mark specific documents or sections as trade secrets or business-confidential.
  • Request that authorities confirm their Article 78 obligations in writing before disclosing highly sensitive materials (source code, model weights).
  • Implement controlled-access procedures for source code review: secure rooms, limited personnel, no copying.
  • When receiving mutual assistance requests (Article 75), verify that the requesting authority acknowledges confidentiality obligations.
  • Train internal teams on what information authorities can and cannot request, and what safeguards to expect.
  • For notified body engagements: include Article 78 confidentiality acknowledgements in conformity assessment contracts.


Frequently asked questions

Can I refuse to share source code with an authority by citing confidentiality?

No. Article 78 does not override the authority's access powers under Article 74 — it constrains what the authority does with the information after receiving it. You must cooperate with legitimate access requests; refusal risks penalties under Article 99.

What happens if an authority leaks my trade secrets?

Authority personnel who breach Article 78 confidentiality may face disciplinary and legal consequences under national law, including potential liability under the EU Trade Secrets Directive (2016/943). The specific remedies depend on Member State implementation.

Does Article 78 apply to information shared in regulatory sandboxes?

Yes. Any information obtained by authorities in the course of applying the Regulation — including sandbox supervision under Articles 57–60 and real-world testing supervision under Article 76 — is covered by Article 78 confidentiality obligations.