Chapter IX, Section 5 — RemediesArticle 87

Article 87: Reporting of Infringements and Protection of Reporting Persons

Applies from 2 Aug 20266 min readEUR-Lex verified Apr 2026

Article 87 requires that Directive (EU) 2019/1937 (the EU Whistleblower Protection Directive) applies to the reporting of infringements of the AI Act and to the protection of persons reporting such infringements. This creates a formal whistleblowing channel for AI Act enforcement, complementing the complaint right in Article 85.

Start free assessment All articles

Who does this apply to?

-Employees and individuals who discover AI Act violations and wish to report them through protected channels
-Organisations with internal reporting channels that must accommodate AI Act infringement reports
-Market surveillance authorities receiving and acting on whistleblower reports about AI Act non-compliance

Scenarios

A data scientist at a provider of a high-risk AI recruitment tool discovers that the system was deployed without the required conformity assessment under Article 43 and without registration in the EU database under Article 49. The scientist reports this to the national market surveillance authority.

The reporting person is protected under Directive (EU) 2019/1937 as transposed into national law. The market surveillance authority opens an investigation into the provider's non-compliance. The data scientist cannot be dismissed, demoted, or subjected to retaliation for making the report.

Ref. Art. 87(1)–(2)

An IT contractor working for a municipal government discovers that the city is deploying a social scoring AI system in a way that appears to violate Article 5(1)(c). The contractor files a confidential report with the national supervisory authority through the external reporting channel established under the Whistleblower Protection Directive.

The market surveillance authority investigates the prohibited practice allegation. The contractor's identity is protected under the confidentiality requirements of Directive (EU) 2019/1937, and the city cannot take adverse measures against the contractor for making the report.

Ref. Art. 87(2)

What Article 87 does (in plain terms)

Article 87 creates a formal whistleblowing framework for the AI Act. Its core elements:

1. Reporting channels: Member States must put in place measures that allow any natural or legal person to report potential infringements of the AI Act to the relevant market surveillance authority. This goes beyond the complaint right in Article 86 — it specifically covers reporting by insiders who may have knowledge of non-compliance but are not necessarily affected by it. 2. Whistleblower protection: Member States must ensure that the protections of Directive (EU) 2019/1937 (the EU Whistleblower Protection Directive) apply to persons who report AI Act infringements. This includes protection against retaliation, confidentiality of identity, and access to support measures. 3. Bridge to existing frameworks: By cross-referencing the Whistleblower Protection Directive, Article 87 avoids creating a parallel protection regime and instead leverages the established EU whistleblower framework.

This article is particularly important for employees and contractors inside organisations that develop or deploy AI systems, who may be first to notice systemic non-compliance.

How Article 87 connects to the rest of the Act

Article 86 — Right to lodge a complaint: Article 86 allows any person to complain about suspected infringements; Article 87 adds dedicated whistleblower channels and protection for insiders.
Article 74 — Market surveillance and control of AI systems: the authorities that receive whistleblower reports under Article 87.
Article 79 — Procedure at national level for AI systems presenting a risk: whistleblower reports may trigger risk-assessment procedures under Article 79.
Article 113 — Application dates: Article 87 applies from 2 August 2026 as part of the general application date.
Directive (EU) 2019/1937 — The EU Whistleblower Protection Directive, which provides the substantive protection regime that Article 87 incorporates by reference.

Practical guidance: building an AI Act whistleblowing infrastructure

For organisations (providers and deployers), Article 87's interaction with the Whistleblower Protection Directive means:

1. Extend existing channels — If your organisation already has internal reporting channels under the Whistleblower Protection Directive, ensure they explicitly cover AI Act infringements (prohibited practices, missing conformity assessments, unreported serious incidents, etc.). 2. Train compliance teams — The people receiving reports must understand AI Act obligations well enough to triage incoming whistleblower reports and escalate credible concerns. 3. Document protections — Make clear in internal policies and employment contracts that reporting AI Act concerns is protected activity, and that retaliation will not be tolerated. 4. Coordinate with market surveillance — Establish a protocol for when internally reported concerns must be escalated to the national market surveillance authority. 5. Anonymous reporting — Consider whether your reporting channels allow anonymous reports, which may encourage disclosures from individuals who fear retaliation despite legal protections.

Official wording: Article 87

Article 87

Reporting of infringements and protection of reporting persons

Directive (EU) 2019/1937 shall apply to the reporting of infringements of this Regulation and the protection of persons reporting such infringements.

Compliance checklist

Review your existing Whistleblower Protection Directive (2019/1937) implementation and verify it explicitly covers AI Act infringements.
Ensure internal reporting channels are equipped to receive and triage reports about AI Act non-compliance, including prohibited practices and missing conformity assessments.
Train designated reporting officers on the key AI Act obligations so they can assess the credibility and urgency of whistleblower reports.
Document anti-retaliation protections in employment contracts, internal policies, and contractor agreements, explicitly referencing AI Act reporting.
Establish an escalation protocol for forwarding credible whistleblower reports to the national market surveillance authority.
Verify that the national transposition of Directive (EU) 2019/1937 in each Member State where you operate covers AI Act reports.

Read the official text on EUR-Lex

Ensure your whistleblowing channels cover the AI Act — start the free assessment.

Start Free Assessment

Article 86: Right to Lodge a Complaint with a Market Surveillance Authority

Article 74: Market Surveillance and Control of AI Systems in the Union Market

Article 79: Procedure at National Level for AI Systems Presenting a Risk

Article 113: Entry into Force and Application Dates

Frequently asked questions

Does Article 87 create a new whistleblower protection regime?

No. Article 87 incorporates by reference the existing EU Whistleblower Protection Directive (2019/1937). It requires Member States to ensure that the Directive's protections — including confidentiality, anti-retaliation measures, and access to support — apply to persons who report AI Act infringements. Organisations already complying with the Directive need to extend their channels to cover AI Act concerns.

Who qualifies as a 'reporting person' under Article 87?

Any natural person who reports potential AI Act infringements through the channels established under the Whistleblower Protection Directive qualifies for protection. This typically includes employees, contractors, trainees, volunteers, shareholders, and persons whose work-based relationship has ended, provided they report through internal or external channels as defined by the Directive.

How does Article 87 differ from Article 86?

Article 86 grants any natural or legal person the right to lodge a complaint about AI Act infringements with a market surveillance authority. Article 87 specifically addresses whistleblower reporting — it creates protected channels for insiders (employees, contractors) and ensures they receive anti-retaliation protection under Directive (EU) 2019/1937. Article 86 is a general complaint mechanism; Article 87 is a specialised whistleblowing framework.

On this page

Key terms

Reporting person: A natural person who reports information about AI Act infringements acquired in the context of their work-related activities, and who is entitled to protection against retaliation under Directive (EU) 2019/1937.
Directive (EU) 2019/1937: The EU Whistleblower Protection Directive, which establishes minimum standards for the protection of persons who report breaches of Union law, including internal and external reporting channels, confidentiality requirements, and anti-retaliation measures.
Internal reporting channel: A mechanism within an organisation through which employees and other work-related persons can report suspected infringements confidentially, as required by the Whistleblower Protection Directive and extended to AI Act matters by Article 87.

At a glance

Article: 87
Status: Upcoming
Timeline: 2 Aug 2026
Updated: 11 Apr 2026

Recommended next step

Run the short assessment to map risk class and obligations to your specific AI use case in minutes.

Start assessment now