EU AI Act Article 50 β€” 20 days to seal | Get passport
πŸ‰

Market Surveillance Cooperation

EU AI Act Art 74 Β· Regulator Access Protocol Β· Incident Reporting Pipeline Β· Compliance Evidence Export Β· EAT Directive aligned

EU AI ACT ART 74 MSA ACTIVE
4
MSA Channels
72h
Access SLA
15
Serious Incident SLA
6
Evidence Formats
100%
SIGIL Verifiable
0
Black Boxes

What is Article 74?

Article 74 of the EU AI Act designates market surveillance authorities (MSAs) responsible for monitoring the compliance of AI systems placed on the Union market. MSAs have broad powers to:

DEFONEOS is designed from the ground up to facilitate market surveillance rather than resist it. Every decision, model, training dataset, and governance action is logged to the SIGIL chain with cryptographic proof of integrity, enabling MSA access on demand.

4 Market Surveillance Authority Access Channels

1
Channel 1 β€” Read-Only Evidence Portal

A secure, authenticated web portal where authorised MSA officers can browse all compliance documentation, SIGIL chain entries, incident reports, model documentation, training data provenance, and risk assessments. Read access is granted within 72 hours of formal request. All access is itself logged to the SIGIL chain (creating a meta-audit trail of surveillance activity).

2
Channel 2 β€” Direct API Access

A documented REST API (OpenAPI 3.1 spec) providing programmatic access to the SIGIL chain, model metadata, decision logs, and compliance evidence. Rate-limited (1000 req/min per MSA credential). API calls are Ed25519-signed by the MSA key and logged. Supports CSV, JSON, Parquet, OSCAL, and SIGIL-native export formats.

3
Channel 3 β€” On-Site Audit Support

For physical inspections, DEFONEOS provides a dedicated audit environment: a sandboxed instance with full read access to all subsystems, pre-configured query tools, and an evidence export pipeline. The audit environment runs the exact same code as production (verified via SIGIL hash matching), so MSA findings reflect real system behaviour.

4
Channel 4 β€” Incident Notification Pipeline

Automated incident reporting: when DEFONEOS detects a serious incident (Art 73), it auto-generates a structured incident report in the EU AI Office's required format and transmits it to the relevant MSA within 15 days (target: 48 hours for critical incidents). The report includes root cause analysis, affected persons, mitigation actions, and corrective measures.

Article 74 Compliance Matrix

RequirementStatusDEFONEOS Implementation
Provide documentation on requestβœ… METChannel 1 + 2: Full Annex IV documentation, model cards, risk assessments
Provide access to training data logsβœ… METTraining data provenance recorded in SIGIL chain with hash, source, license, and bias audit
Provide access to operational logsβœ… METAll 8 logging categories (System/Governance/Security/Data/Monitoring/MCP/Federation/Agent) via API
Cooperate with MSA investigationsβœ… METChannel 3: Dedicated audit environment with evidence export pipeline
Report serious incidents (Art 73)⚠️ PARTIALChannel 4 designed. Incident detection functional. EU AI Office reporting format pending official specification.
Allow unannounced inspectionsβœ… METChannel 3 always available; audit sandbox can be provisioned within 4 hours
Implement corrective actions on MSA order⚠️ PARTIALDeployment pipeline supports hot-fixes. Formal MSA-order workflow not yet implemented.
Provide information to importing MSAβœ… METAll documentation exportable in EU official languages (English primary; translation framework designed)

Serious Incident Reporting Pipeline (Art 73)

INCIDENT LIFECYCLE: 1. DETECT → Monitor detects anomaly (accuracy drop, bias spike, red line breach, security event) 2. CLASSIFY → Severity assigned: CRITICAL / SERIOUS / MODERATE / MINOR 3. CONTAIN → Automated containment: stop button, model rollback, traffic isolation 4. INVESTIGATE→ Root cause analysis using SIGIL chain trace + model explainability 5. NOTIFY → If SERIOUS or CRITICAL: auto-generate Art 73 incident report → Transmit to EU AI Office + relevant MSA within 15 days → Target: 48h for CRITICAL (death, injury, fundamental rights violation) 6. REMEDIATE → Corrective action plan with timeline, assigned owner, verification criteria 7. VERIFY → BFT council review (quorum 12/33) confirms remediation effective 8. CLOSE → Incident closed with SIGIL entry. All evidence retained 5 years (cold storage). INCIDENT REPORT FIELDS (Art 73 compliant): - incident_id (Ed25519-signed SIGIL hash) - severity (CRITICAL / SERIOUS / MODERATE / MINOR) - detected_at (ISO 8601 UTC) - description (plain language summary) - affected_system (model version, component, MCP) - affected_persons (count, categories, harm assessment) - root_cause (technical analysis) - containment_actions (what was done immediately) - corrective_actions (permanent fixes) - verification_status (BFT-verified / pending) - regulator_notified (MSA name, date, reference) - sigil_hash (chain proof)

Evidence Export Formats

FormatUse CaseStandard
SIGIL NativeFull audit trail with Ed25519 signaturesDEFONEOS SIGIL chain spec
OSCALNIST SP 800-53 / RMF compliance evidenceNIST OSCAL 1.0+
JSON-LDMachine-readable regulatory evidenceW3C JSON-LD 1.1
CSV / ParquetBulk data export for statistical analysisRFC 4180 / Apache Parquet
PDF (signed)Human-readable compliance reportsPDF/A-3 + PAdES signatures
XCCDFSecurity benchmark scan resultsNIST XCCDF 1.2

Cross-Regulator Coordination

RegulatorJurisdictionAccess Protocol
EU AI OfficeEU-wide high-risk AI systemsPrimary MSA for DEFONEOS. Channel 1-4 full access.
UK ICOUK data protection + UK AI regulatory frameworkChannel 1-2 access. GDPR/UK DPA 2018 evidence.
National MSA (per Member State)Member State levelChannel 1-3 access on formal request. 72h SLA.
Data Protection AuthorityGDPR enforcementChannel 1-2 for personal data processing evidence. DPIA access.
Sectoral RegulatorsHealth (MHRA), Finance (FCA), etc.Channel 1-2 for sector-specific deployments

MSA Access Logging (Meta-Audit)

Every MSA access to DEFONEOS is itself recorded on the SIGIL chain, creating a meta-audit trail:

This meta-audit trail protects both DEFONEOS (proof of cooperation) and the MSA (proof of due diligence). It is hash-chained to the same SIGIL ledger as all other system events, making surveillance activity tamper-evident.

12-Framework Crosswalk

FrameworkArticleSurveillance RequirementDEFONEOS Mapping
EU AI ActArt 74Market surveillance authority cooperationThis page β€” 4 channels
EU AI ActArt 73Serious incident reportingChannel 4 pipeline
EU AI ActArt 72Post-market monitoringContinuous monitoring β†’ PMM page
GDPRArt 31Personal data breach notificationChannel 4 sub-pipeline for data breaches
GDPRArt 58Supervisory authority powersChannel 1-3 available to DPAs
NIS2 DirectiveArt 23Incident notificationChannel 4 extended for NIS2 incidents
DORAArt 19Major ICT-related incident reportingChannel 4 for financial sector deployments
UK AI RegulationWhite PaperRegulator cooperation principlesChannel 1-4 for UK regulators (ICO, MHRA, FCA, Ofcom)
ISO 42001Cl. 9.1Monitoring, measurement, analysisChannel 1-2 provides MSA-grade evidence
SOC 2CC7System operations monitoringChannel 2 API for continuous monitoring
IEC 62304Β§6Medical software problem resolutionChannel 4 + corrective action workflow
MHRA AIaSPPhase 2AI as a Software Product regulationChannel 1-4 for MHRA access

⚠️ Honesty Register

The market surveillance cooperation framework described here is the designed system. DEFONEOS has not been subject to a formal MSA investigation under Art 74. The 72-hour access SLA is a design target, not measured performance. The EU AI Office's exact reporting format for Art 73 incident reports has not been officially published at time of writing β€” DEFONEOS uses the draft format from the implementing acts. The on-site audit sandbox (Channel 3) is architecturally designed but has not been used in a real inspection. No MSA credential has been issued β€” the authentication framework exists but has no live regulator credentials enrolled. The meta-audit trail concept (logging MSA access itself) is sound but has not been validated against regulator expectations. UK-specific MSA arrangements are pending the UK government's final AI regulatory framework. DEFONEOS's willingness to cooperate with market surveillance is absolute β€” this page documents the technical facilitation of that cooperation.