Article 74 of the EU AI Act designates market surveillance authorities (MSAs) responsible for monitoring the compliance of AI systems placed on the Union market. MSAs have broad powers to:
DEFONEOS is designed from the ground up to facilitate market surveillance rather than resist it. Every decision, model, training dataset, and governance action is logged to the SIGIL chain with cryptographic proof of integrity, enabling MSA access on demand.
A secure, authenticated web portal where authorised MSA officers can browse all compliance documentation, SIGIL chain entries, incident reports, model documentation, training data provenance, and risk assessments. Read access is granted within 72 hours of formal request. All access is itself logged to the SIGIL chain (creating a meta-audit trail of surveillance activity).
A documented REST API (OpenAPI 3.1 spec) providing programmatic access to the SIGIL chain, model metadata, decision logs, and compliance evidence. Rate-limited (1000 req/min per MSA credential). API calls are Ed25519-signed by the MSA key and logged. Supports CSV, JSON, Parquet, OSCAL, and SIGIL-native export formats.
For physical inspections, DEFONEOS provides a dedicated audit environment: a sandboxed instance with full read access to all subsystems, pre-configured query tools, and an evidence export pipeline. The audit environment runs the exact same code as production (verified via SIGIL hash matching), so MSA findings reflect real system behaviour.
Automated incident reporting: when DEFONEOS detects a serious incident (Art 73), it auto-generates a structured incident report in the EU AI Office's required format and transmits it to the relevant MSA within 15 days (target: 48 hours for critical incidents). The report includes root cause analysis, affected persons, mitigation actions, and corrective measures.
| Requirement | Status | DEFONEOS Implementation |
|---|---|---|
| Provide documentation on request | β MET | Channel 1 + 2: Full Annex IV documentation, model cards, risk assessments |
| Provide access to training data logs | β MET | Training data provenance recorded in SIGIL chain with hash, source, license, and bias audit |
| Provide access to operational logs | β MET | All 8 logging categories (System/Governance/Security/Data/Monitoring/MCP/Federation/Agent) via API |
| Cooperate with MSA investigations | β MET | Channel 3: Dedicated audit environment with evidence export pipeline |
| Report serious incidents (Art 73) | β οΈ PARTIAL | Channel 4 designed. Incident detection functional. EU AI Office reporting format pending official specification. |
| Allow unannounced inspections | β MET | Channel 3 always available; audit sandbox can be provisioned within 4 hours |
| Implement corrective actions on MSA order | β οΈ PARTIAL | Deployment pipeline supports hot-fixes. Formal MSA-order workflow not yet implemented. |
| Provide information to importing MSA | β MET | All documentation exportable in EU official languages (English primary; translation framework designed) |
| Format | Use Case | Standard |
|---|---|---|
| SIGIL Native | Full audit trail with Ed25519 signatures | DEFONEOS SIGIL chain spec |
| OSCAL | NIST SP 800-53 / RMF compliance evidence | NIST OSCAL 1.0+ |
| JSON-LD | Machine-readable regulatory evidence | W3C JSON-LD 1.1 |
| CSV / Parquet | Bulk data export for statistical analysis | RFC 4180 / Apache Parquet |
| PDF (signed) | Human-readable compliance reports | PDF/A-3 + PAdES signatures |
| XCCDF | Security benchmark scan results | NIST XCCDF 1.2 |
| Regulator | Jurisdiction | Access Protocol |
|---|---|---|
| EU AI Office | EU-wide high-risk AI systems | Primary MSA for DEFONEOS. Channel 1-4 full access. |
| UK ICO | UK data protection + UK AI regulatory framework | Channel 1-2 access. GDPR/UK DPA 2018 evidence. |
| National MSA (per Member State) | Member State level | Channel 1-3 access on formal request. 72h SLA. |
| Data Protection Authority | GDPR enforcement | Channel 1-2 for personal data processing evidence. DPIA access. |
| Sectoral Regulators | Health (MHRA), Finance (FCA), etc. | Channel 1-2 for sector-specific deployments |
Every MSA access to DEFONEOS is itself recorded on the SIGIL chain, creating a meta-audit trail:
This meta-audit trail protects both DEFONEOS (proof of cooperation) and the MSA (proof of due diligence). It is hash-chained to the same SIGIL ledger as all other system events, making surveillance activity tamper-evident.
| Framework | Article | Surveillance Requirement | DEFONEOS Mapping |
|---|---|---|---|
| EU AI Act | Art 74 | Market surveillance authority cooperation | This page β 4 channels |
| EU AI Act | Art 73 | Serious incident reporting | Channel 4 pipeline |
| EU AI Act | Art 72 | Post-market monitoring | Continuous monitoring β PMM page |
| GDPR | Art 31 | Personal data breach notification | Channel 4 sub-pipeline for data breaches |
| GDPR | Art 58 | Supervisory authority powers | Channel 1-3 available to DPAs |
| NIS2 Directive | Art 23 | Incident notification | Channel 4 extended for NIS2 incidents |
| DORA | Art 19 | Major ICT-related incident reporting | Channel 4 for financial sector deployments |
| UK AI Regulation | White Paper | Regulator cooperation principles | Channel 1-4 for UK regulators (ICO, MHRA, FCA, Ofcom) |
| ISO 42001 | Cl. 9.1 | Monitoring, measurement, analysis | Channel 1-2 provides MSA-grade evidence |
| SOC 2 | CC7 | System operations monitoring | Channel 2 API for continuous monitoring |
| IEC 62304 | Β§6 | Medical software problem resolution | Channel 4 + corrective action workflow |
| MHRA AIaSP | Phase 2 | AI as a Software Product regulation | Channel 1-4 for MHRA access |
The market surveillance cooperation framework described here is the designed system. DEFONEOS has not been subject to a formal MSA investigation under Art 74. The 72-hour access SLA is a design target, not measured performance. The EU AI Office's exact reporting format for Art 73 incident reports has not been officially published at time of writing β DEFONEOS uses the draft format from the implementing acts. The on-site audit sandbox (Channel 3) is architecturally designed but has not been used in a real inspection. No MSA credential has been issued β the authentication framework exists but has no live regulator credentials enrolled. The meta-audit trail concept (logging MSA access itself) is sound but has not been validated against regulator expectations. UK-specific MSA arrangements are pending the UK government's final AI regulatory framework. DEFONEOS's willingness to cooperate with market surveillance is absolute β this page documents the technical facilitation of that cooperation.