Article 92: Access to Data and Documentation

Article 92 is the investigative access power that makes AI Act enforcement possible. Without it, authorities would have enforcement mandates but no practical ability to verify compliance. Its core elements:

1. Reasoned request power: Market surveillance authorities and the AI Office may require providers to grant access to data and documentation needed for enforcement. The request must be reasoned — the authority must explain why the data is necessary — preventing fishing expeditions. 2. Training data access: The article specifically covers access to training, validation, and testing datasets, which are the evidentiary foundation for assessing compliance with data quality requirements (Article 10), bias testing, and conformity assessment. 3. Confidentiality safeguard: Authorities must ensure the confidentiality of trade secrets and proprietary information they obtain through data access requests. This protects providers' competitive positions while enabling enforcement. 4. Dual scope: Article 92 serves both national market surveillance authorities (supervising high-risk AI systems) and the AI Office (supervising GPAI models), making it a cross-cutting enforcement enabler.

This is the article that gives enforcement authorities the ability to "look under the hood" of AI systems — without it, the AI Act's substantive requirements would be unverifiable.

• Article 21 — Cooperation with competent authorities: providers' general duty to cooperate with authorities, which Article 92 operationalises through specific data access powers.
• Article 74 — Market surveillance and control: Article 92 provides the data access tools that market surveillance authorities need to exercise their Article 74 powers effectively.
• Article 78 — Confidentiality: the confidentiality framework that governs how authorities handle trade secrets obtained through Article 92 access.
• Article 79 — Procedure at national level: data obtained under Article 92 feeds into the risk assessment procedures under Article 79.
• Article 113 — Application dates: Article 92 applies from 2 August 2026.

For providers of high-risk AI systems and GPAI models:

1. Organise training data records — Maintain structured, accessible records of training, validation, and testing datasets, including data provenance, pre-processing steps, and data quality metrics. When an Article 92 request arrives, you should be able to respond within the timeframe specified. 2. Classify confidential information — Pre-identify which elements of your datasets and documentation constitute trade secrets or proprietary information. When responding to an Article 92 request, explicitly flag these elements so the authority can apply confidentiality protections. 3. Establish a response protocol — Define internal procedures for handling authority data access requests: who receives them, who reviews for scope and validity, who coordinates the technical response, and who ensures confidentiality markings are applied. 4. Understand the "reasoned request" standard — Authorities must explain why the data is necessary. If a request appears overbroad or insufficiently reasoned, you have grounds to seek clarification or challenge the scope. 5. Prepare secure data rooms — For particularly sensitive training data, consider establishing secure environments (virtual data rooms) where authority reviewers can inspect data without taking copies, reducing the risk of trade secret leakage.

Article 92

Power to conduct evaluations

1. The AI Office, after consulting the Board, may conduct evaluations of the general-purpose AI model concerned:

(a) to assess compliance of the provider with obligations under this Regulation, where the information gathered pursuant to Article 91 is insufficient; or

(b) to investigate systemic risks at Union level of general-purpose AI models with systemic risk, in particular following a qualified alert from the scientific panel in accordance with Article 90(1), point (a).

2. The Commission may decide to appoint independent experts to carry out evaluations on its behalf, including from the scientific panel established pursuant to Article 68. Independent experts appointed for this task shall meet the criteria outlined in Article 68(2).

3. For the purposes of paragraph 1, the Commission may request access to the general-purpose AI model concerned through APIs or further appropriate technical means and tools, including source code.

4. The request for access shall state the legal basis, the purpose and reasons of the request and set the period within which the access is to be provided, and the fines provided for in Article 101 for failure to provide access.

5. The providers of the general-purpose AI model concerned or its representative shall supply the information requested. In the case of legal persons, companies or firms, or where the provider has no legal personality, the persons authorised to represent them by law or by their statutes, shall provide the access requested on behalf of the provider of the general-purpose AI model concerned.

6. The Commission shall adopt implementing acts setting out the detailed arrangements and the conditions for the evaluations, including the detailed arrangements for involving independent experts, and the procedure for the selection thereof. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 98(2).

7. Prior to requesting access to the general-purpose AI model concerned, the AI Office may initiate a structured dialogue with the provider of the general-purpose AI model to gather more information on the internal testing of the model, internal safeguards for preventing systemic risks, and other internal procedures and measures the provider has taken to mitigate such risks.