A Magic Circle Firm Just Asked Which Parts of Your AI Contract Review Tool's Technical File You Can Keep Confidential During a Market Surveillance Audit: Answering the Article 78 Questions
The security review section of a large law firm's procurement questionnaire contains a question that reads more like a regulatory exam than a vendor assessment: "In the event of a market surveillance authority audit of your AI system, which elements of your technical documentation would you claim confidentiality over, and under which provision of the EU AI Act? How would you balance transparency obligations with trade secret protection?"
This is an Article 78 question — and it's a sophisticated one. Here's what the article actually says and how to answer it without giving more away than you have to.
What Article 78 actually says
Article 78 of the EU AI Act addresses the protection of confidential information during the work of national competent authorities and market surveillance authorities. It states that these authorities must protect the confidentiality of information and data they access in the course of their tasks — including trade secrets, confidential commercial information, and personal data.
For AI providers, the practical implication is: if a market surveillance authority requests your technical documentation under Article 64 (the data access provision), you do not have to hand over everything without restriction. You can flag which elements constitute trade secrets or confidential commercial information, and the authority is obliged to treat them accordingly.
Elements typically claimed as confidential include:
- Proprietary model architecture details and weights
- Training data composition beyond what's required for conformity assessment
- Internal benchmarking results not material to the specific conformity question being assessed
- Customer-specific configurations or deployment details
Elements you generally cannot withhold include:
- The conformity assessment procedure summary (required by Article 19)
- The EU declaration of conformity
- The risk management documentation required under Article 9
- Corrective actions taken in response to a specific incident under review
How to answer the questionnaire question
A clean answer for a law firm's vendor questionnaire looks like this:
"In the event of a market surveillance authority audit under Article 74, we would provide full access to the documentation required under Article 64 to assess the conformity of our system. Under Article 78, we would identify trade secret and commercially sensitive elements — specifically proprietary model architecture details and non-material training data composition — and request that these be treated as confidential. We would not withhold any documentation that is directly material to the assessment of safety, accuracy, or fundamental rights impact. Our EU declaration of conformity and risk management documentation would be provided in full."
Why law firms ask this question
Large law firms are increasingly both deployers and advisors on EU AI Act matters. When they procure AI contract review tools, their procurement teams (often with input from their own regulatory lawyers) test whether vendors have thought through their obligations in detail. A vendor who can explain Article 78 with specificity demonstrates regulatory literacy — and is a much lower-risk counterparty than one who answers with "we comply with all applicable regulations."
The faster way to answer questionnaires like this
Article 78 questions appear in procurement questionnaires from large legal, financial, and regulated-industry buyers. These questions are testing whether you've actually read the regulation — and generating a precise, accurate answer on the spot is difficult without a tool designed for it.
Complizo generates accurate, article-specific answers to EU AI Act procurement questionnaires. Paste in the question, describe your system, and get a defensible draft response in minutes.
Try Complizo free at complizo.com