Unacceptable Risk

For example, AI systems that allow “social scoring” by governments or companies are considered a clear threat to people's fundamental rights and are therefore banned.

High Risk

High-risk AI systems such as AI-based medical software or AI systems used for recruitment must comply with strict requirements, including risk-mitigation systems, high-quality data sets, clear user information, human oversight, etc.

Limited Risk

Systems like chatbots must clearly inform users that they are interacting with a machine, while certain AI-generated content must be labelled as such.

Minimal Risk

Most AI systems such as spam filters and AI-enabled video games face no obligation under the AI Act, but companies can voluntarily adopt additional codes of conduct.

Submit Complaint

Market Surveillance Authority

What is a Market Surveillance Authority?

What is a Market Surveillance Authority?

A Market Surveillance Authority is a national body responsible for ensuring that products available in the market comply with relevant safety, health, environmental, and consumer protection laws. Its role is to monitor and enforce compliance with national and European Union regulations, safeguarding consumers, and maintaining fair competition among businesses. Through inspections, testing, and collaboration with other regulatory bodies, the authority helps identify and address dangerous or non-compliant products circulating in the marketplace.

As defined in AI Act: Market Surveillance Authority means the national authority carrying out the activities and taking the measures pursuant to Regulation (EU) 2019/1020 - Article 3 (26)

Cyprus Market Surveillance Authorities under EU AI Act

Under the EU Artificial Intelligence Act, each Member State must appoint a Market Surveillance Authority (MSA) to monitor and enforce compliance of AI systems. In Cyprus, this role has been assigned to both the Commissioner of Communications and Commissioner for Personal Data Protection. Both Authorities will be responsible for overseeing the application of the AI Act, especially for high-risk AI systems, ensuring they meet EU standards after entering the Cypriot market. 

The Office of the Commissioner for Personal Data Protection acts as the Market Surveillance Authority for Artificial Intelligence, for high-risk systems referred to in points 1 in so far as those systems are used for law-enforcement purposes, points 6, 7 and 8 of Annex III of the Regulation, and for prohibited systems referred to in Article 5 of the Regulation and related to its areas of application in Annex III of the Regulation.

How Market Surveillance Works

How Market Surveillance Works

Powers of Market Surveillance Authorities

Access to Premises:

The power to enter the premises of economic operators to conduct inspections and gather evidence.

Sampling and Testing:

The power to take samples of products for testing in laboratories.

Request for Information:

The power to request information from economic operators about their products and activities.

Document Seizure:

The power to seize documents and records relevant to an investigation.

Market Withdrawal:

To remove non-compliant products from the market.

Corrective Action Orders:

The power to order economic operators to take corrective action, such as bringing a product into compliance, withdrawing it from the market, or recalling it from consumers.

Imposition of Penalties:

The power to impose penalties on economic operators who fail to comply with regulations.

Responsibilities of the Market Surveillance Authorities

Core Administrative Functions
  • Receive and register notifications from various actors (providers, importers, deployers, etc.) concerning risks, non-compliance, incidents, or derogations.
  • Maintain documentation including:
    • Real-time biometric system use notifications.
    • EU declarations of conformity.
    • Notifications on systemic GPAI incidents.
    • Technical documentation from providers and representatives.
Monitoring, Evaluation, and Investigation
  • Evaluate AI systems for compliance with the AI Act, especially in cases of suspected non-compliance or misclassification as non-high-risk.
  • Conduct inspections (including unannounced, remote, or on-site).
  • Access source code and data when necessary to assess conformity.
  • Perform risk assessments for vulnerable groups and fundamental rights.
Corrective and Enforcement Actions
  • Corrective measures, market withdrawal, or product recall when systems are non-compliant or pose risks.
  • Revoke authorizations for placing AI systems on the market in exceptional cases.
  • Ensure restrictive measures are taken when risks remain even in compliant systems.
  • Impose penalties for infringements of the AI Act. 
Real-World Testing Oversight
  • Authorize, supervise, and inspect real-world testing of high-risk AI systems.
  • Suspend or terminate testing when serious incidents or non-compliance are identified.
  • Ensure testing follows Article 60 and respects health, safety, and fundamental rights.
Coordination and Cooperation
  • Cooperate with national Personal Data Protection authorities, the AI Office, and other MSAs.
  • Participate in the AI regulatory sandbox: provide guidance, supervision, and issue exit reports.
  • Engage in joint investigations or compliance activities across Member States.
Regulatory and Investigative Powers
  • Handle and investigate complaints from individuals or legal entities.
  • Ensure compliance with CE marking, technical documentation, registration, and other conformity requirements.
Reporting and Transparency
  • Submit annual reports on the use of real-time biometric systems.
  • Notify the Commission and Member States of:
    • Any non-compliance findings.
    • Corrective actions taken.
    • Any serious incidents or public interest risks.