The classic trap
Article 89 sets up two mechanisms that downstream providers systematically underestimate. First, the EU AI Office (Brussels) can launch monitoring actions at any time to verify effective compliance with the Regulation by providers of general-purpose AI models, including their adherence to approved codes of practice. Second, if you integrate a third-party GPAI model (a vendor LLM inside your product), you are a downstream provider and hold a right to lodge a complaint, but that right is conditioned on a complaint being duly reasoned. The trap: most organisations keep no documented trace of their upstream model provider's failures, so no admissible complaint, so no recourse when the upstream model pushes them into non-compliance.
The three mandatory elements of an admissible complaint
Article 89(2) lists a minimum content without which the AI Office may dismiss your complaint. You must continuously control:
- The point of contact of the GPAI model provider concerned, which means an up-to-date mapping of every upstream model embedded in your products.
- A precise factual description, the exact Regulation provisions infringed, and the reasoning linking facts to violation: without a timestamped incident log, this section is unverifiable.
- Any additional information gathered on your own initiative: tests, benchmarks, contractual exchanges, technical evidence you must have collected before the dispute, not after.
The difficulty is not legal, it is evidentiary. Without continuous traceability of your upstream model dependencies and observed failures, your theoretical Article 89 right remains a dead letter.
How Luxgap automates this risk
Our Luxgap Upstream Model Watchdog turns your theoretical right to complain into an admissible file ready to lodge with the EU AI Office. The tool continuously maps every upstream GPAI model consumed by your products (API calls to OpenAI, Anthropic, Mistral, Azure OpenAI, AWS Bedrock, Google Vertex) and automatically records each behavioural deviation, version change or documentation gap that may constitute an infringement.
- Automatically detects every third-party GPAI model integrated via analysis of your API traffic and your Azure OpenAI, Bedrock and Vertex keys, with no manual declaration.
- Keeps an up-to-date record of the point of contact and the code-of-practice adherence status of each upstream provider, as required by Article 89(2)(a).
- Logs in a timestamped, tamper-evident way the incidents, critical hallucinations, undocumented version changes and performance deviations observed on your upstream models.
- Generates a prefilled draft complaint compliant with Article 89(2), structured into facts, infringed provisions and reasoning, ready to submit to the EU AI Office.
- Produces a timestamped, sealed and opposable PDF report that demonstrates your downstream-provider diligence and materialises your contractual position against the upstream provider.
Available as a complement to a Luxgap DPO or CISO mandate or as a dedicated SaaS module depending on your scope. Request a tailored quote and our teams will prepare a demonstration on your real upstream models, with a free blank audit within 48h to measure your exposure before any commitment.