The Role of the EU AI Office: Who Is Enforcing the New Rules?

Governance & Enforcement · 8 min read · Updated March 2026

The EU AI Act created an entirely new regulatory architecture to govern artificial intelligence across Europe. At the centre of this architecture sits the EU AI Office, one of the first regulatory bodies anywhere dedicated specifically to AI. But the AI Office is only one piece of a multi-layered enforcement structure. This guide explains who does what, which body has authority over your organisation, and how enforcement is likely to work in practice.

Key Takeaways
  • The EU AI Office operates within the European Commission and has direct enforcement authority over General Purpose AI (GPAI) model providers — regardless of where they are headquartered.
  • National Market Surveillance Authorities (NMSAs) enforce the Act against high-risk AI providers and deployers within their member state’s jurisdiction.
  • The AI Board coordinates consistency across member states; the Advisory Forum provides stakeholder input; the Scientific Panel advises on GPAI model assessments.
  • Enforcement priority will focus on the highest-risk sectors first — healthcare AI, law enforcement tools, and financial services AI will likely attract early scrutiny.

The EU AI Office: What It Is and What It Does

The EU AI Office was established by the European Commission in February 2024 — before the EU AI Act itself entered into force — signalling the Commission’s intent to have enforcement infrastructure operational well ahead of compliance deadlines. It operates as a distinct body within the Commission’s Directorate-General for Communications Networks, Content and Technology (DG CONNECT).

Formal status. A body within the European Commission, not an independent EU agency. This gives it direct access to Commission enforcement tools and resources, but also means it operates under Commission political leadership.
Geographic reach. Has direct jurisdiction over GPAI model providers regardless of where they are headquartered. A US or UK foundation model company must engage with the EU AI Office directly if it places a GPAI model on the EU market; models above the systemic-risk threshold carry additional obligations on top of the baseline Chapter V requirements.
Operational since. February 2024. The AI Office published the final GPAI Code of Practice in July 2025, and the obligations on GPAI model providers have applied since 2 August 2025. Note the staggered timeline: the Commission's power to fine GPAI providers applies only from 2 August 2026, so the first year is one of applicable obligations without fining powers.

The EU AI Office’s Core Functions

01
Direct GPAI Enforcement. The AI Office has exclusive EU-level enforcement authority over General Purpose AI model providers (Chapter V of the Act, with the Commission's supervisory powers set out in Articles 88 to 94). It can request documentation and information from GPAI providers, conduct evaluations, require corrective measures (including changes to the model or withdrawal from the market), and, from 2 August 2026, impose fines of up to 3% of worldwide annual turnover or EUR 15 million, whichever is higher (Article 101).
02
Standards and Technical Guidance Development. The AI Office works with the European standardisation organisations, primarily CEN-CENELEC (through its joint technical committee JTC 21), on the harmonised technical standards requested by the Commission. Once a harmonised standard is cited in the Official Journal, conformity with it creates a presumption of conformity with the corresponding high-risk requirements (Article 40).
03
Code of Practice for GPAI. The AI Office facilitated and manages the Code of Practice for General Purpose AI models, a practical compliance framework that GPAI providers can voluntarily sign. Under Article 53(4), providers may rely on the Code to demonstrate compliance with their Chapter V obligations until a harmonised standard is published; a formal presumption of conformity attaches only to harmonised standards, so signing the Code reduces scrutiny and documentation burden rather than conferring automatic compliance.
04
EU AI Act Database Management. The Commission, through the AI Office, operates the EU database (Article 71) in which providers of Annex III high-risk AI systems must register before placing them on the EU market or putting them into service. Most of the database is publicly accessible and enables downstream verification by deployers, national authorities, and the public; entries for systems used in law enforcement, migration, asylum and border control are held in a restricted, non-public section.
05
Cross-Border Coordination. Where AI systems operate across multiple member states, the AI Office coordinates enforcement activities between national authorities to ensure consistent application and prevent forum-shopping by regulated entities.

The Full EU AI Act Governance Architecture

The EU AI Act establishes four distinct governance bodies, each with a different role in the regulatory ecosystem. Understanding which body has authority over your organisation is essential for knowing who you may be accountable to.

EU AI Office (European Commission body)
Jurisdiction: GPAI model providers (all sizes, all geographies)
Enforcement powers: investigations, fines, market access restrictions
Key outputs: Code of Practice, harmonised standards, AI database
Operational since: February 2024

European AI Board (coordination body)

The AI Board is composed of one representative from each EU member state, with the European Data Protection Supervisor participating as an observer and the AI Office attending without a vote. It is chaired by one of the member states, not by the Commission; the AI Office provides its secretariat (Article 65).

Role: advisory and coordination, with no direct enforcement powers
Functions: issues opinions, recommends guidelines, ensures consistent application across member states
Practical importance: opinions from the AI Board shape how national authorities interpret the Act, making its guidance documents essential reading

National Market Surveillance Authorities (NMSAs): primary enforcement body for most organisations

Each member state must designate at least one National Market Surveillance Authority responsible for enforcing the EU AI Act within their jurisdiction. For most organisations, this is the body they will deal with — the NMSAs handle investigations, complaints, market surveillance activities, and enforcement actions against high-risk AI providers and deployers.

Which NMSA governs you? Unlike GDPR, the AI Act has no one-stop-shop or lead-authority mechanism. A market surveillance authority can act in respect of any AI system placed on the market, put into service or used in its territory, so a provider or deployer active in several member states can be investigated by several NMSAs. For non-EU providers, the member state of your designated Authorised Representative (Article 22) is the natural first point of contact, since that representative holds your technical documentation and cooperates with the authorities on your behalf. Where the same system is under investigation in several states, the AI Office and the AI Board coordinate (see "Cross-Border Coordination" above).
Advisory Forum and Scientific Panel (consultative bodies)
Advisory Forum
Provides stakeholder input to the AI Office and AI Board. Composed of representatives from industry (including start-ups and SMEs), civil society, academia, and the standardisation bodies, appointed by the Commission (Article 67). It issues recommendations on practical implementation challenges. It is not a complaints channel: organisations influence its work through the stakeholder groups represented on it, not by filing individual compliance queries.
Scientific Panel
An independent expert panel that advises the AI Office on GPAI model evaluations, systemic risk thresholds, and technical classification questions, and that can issue qualified alerts to the AI Office about GPAI models it believes pose systemic risk (Article 68). The Scientific Panel is particularly relevant for organisations building or deploying large foundation models near the systemic-risk presumption threshold of 10^25 FLOP of cumulative training compute (Article 51).

How EU AI Act Enforcement Actually Works in Practice

Understanding the formal structure is one thing. Understanding how enforcement will work in practice — especially in the early years — is what matters for compliance planning. Here are the key mechanisms:

Market Surveillance Activities

NMSAs conduct proactive market surveillance, reviewing AI systems in their jurisdiction to assess compliance even without a specific complaint or incident. Market surveillance is risk-prioritised: authorities will focus first on AI systems that pose the greatest potential for harm. For the first enforcement cycle (2026 to 2028), expect heightened scrutiny on healthcare AI, financial services AI, HR recruitment tools, and AI used in public-sector decision-making.

Complaint-Based Investigations

Any natural or legal person with grounds to consider that the Act has been infringed may lodge a complaint with the relevant market surveillance authority (Article 85), and downstream providers may lodge complaints about GPAI providers with the AI Office (Article 89). Unlike GDPR, however, the Act itself creates no private right of action or right to compensation; enforcement remains with public authorities, and complaints are inputs to their investigations rather than proceedings in their own right. Well-documented complaints from civil society organisations and affected individuals can nonetheless trigger formal investigations, and groups such as the European Digital Rights (EDRi) network are expected to bring strategic complaints against the highest-profile AI deployments.

GPAI Model Evaluations

For GPAI model providers, the EU AI Office has the power to request access to model documentation, conduct independent evaluations, and draw on the Scientific Panel to assess systemic risks. The GPAI Code of Practice provides a framework for voluntary cooperation with these evaluations. Organisations that have signed the Code and follow its procedures can rely on it to demonstrate compliance with Chapter V (Article 53(4)), which in practice reduces their enforcement exposure significantly, although it is not a formal presumption of conformity.

Incident-Triggered Enforcement

Providers of high-risk AI systems must report serious incidents to the market surveillance authority of the member state where the incident occurred immediately, and no later than 15 days after becoming aware of it (Article 73). Shorter deadlines apply in the worst cases: no later than 2 days for a widespread infringement or an incident affecting critical infrastructure, and no later than 10 days where a person has died. When an incident is reported, or when a serious incident becomes public through other means, NMSAs and the AI Office have authority to launch immediate investigations. High-profile AI failures in healthcare, financial services, or public safety are likely to become the catalysts for the Act's first major enforcement actions.

Enforcement mechanism | Triggered by | Lead body | Possible outcome
Proactive market surveillance | Routine NMSA activity | National NMSA | Fine, corrective measure, or market withdrawal order
Complaint investigation | Complaint by individual, NGO, or authority | National NMSA or AI Office | Investigation, fine, corrective action, public disclosure
Serious incident investigation | Incident report or public disclosure | National NMSA with the AI Office | Urgent investigation, emergency corrective order, market suspension
GPAI model evaluation | AI Office initiative or Scientific Panel alert | EU AI Office with the Scientific Panel | Corrective measures, model modification requirements, market access restriction
Cross-border joint investigation | AI system operating across multiple member states | AI Office coordinating multiple NMSAs | Coordinated enforcement, joint penalties, EU-wide corrective orders

Enforcement Priorities: What to Expect in 2026 and 2027

National Market Surveillance Authorities cannot audit every AI system simultaneously, so their enforcement activities will be risk-prioritised. Based on the Act's text, the Commission's guidance to date, and precedent from GDPR enforcement, here is what organisations should expect:

🔴 Highest Priority
  • Prohibited AI practices still in operation
  • Healthcare AI with patient safety implications
  • Biometric surveillance systems
  • GPAI models with systemic risk designation
  • AI used in public-sector decision-making on benefits and services
🟠 High Priority
  • AI in financial services (credit, insurance underwriting)
  • HR recruitment and employment AI
  • AI systems with reported serious incidents
  • High-volume consumer-facing AI with transparency violations
🟡 Ongoing Monitoring
  • Education AI and proctoring tools
  • AI in migration and border management
  • Law enforcement predictive tools
  • General purpose AI deployed in regulated sectors

Lessons from GDPR: What Early AI Act Enforcement May Look Like

GDPR enforcement history provides useful — if imperfect — guidance for anticipating EU AI Act enforcement patterns. In GDPR’s early years, enforcement focused on the most visible violations by the largest organisations: Google (€50M by CNIL, 2019), British Airways (£20M by ICO, 2020), and WhatsApp (€225M by DPC, 2021). The pattern was high-profile cases that established precedent and signalled regulatory seriousness.

EU AI Act enforcement is likely to follow a similar trajectory — early cases will target well-known AI deployments in sectors with the highest public sensitivity. Healthcare AI failures, biometric surveillance by major retailers, and discriminatory outcomes from widely-used financial AI are all candidates for early enforcement actions.

One key difference from GDPR: the EU AI Office’s direct jurisdiction over GPAI model providers means major AI companies (OpenAI, Google DeepMind, Meta AI, Mistral, and others) face direct Commission-level oversight from day one — not the fragmented national-authority enforcement that allowed some GDPR violations to go unpunished for years.

Practical recommendation: Do not wait for enforcement to begin before investing in compliance. The organisations that will face the highest enforcement risk are those that — like many GDPR violators in 2018 — believed enforcement was unlikely and delayed action. The EU AI Office has made clear that it intends to be an active regulator from August 2026, not a passive one.

For a complete overview of the Act’s requirements and deadlines, see our EU AI Act Summary 2026.

Frequently Asked Questions

Is the EU AI Office the same as a Data Protection Authority? +
No. Data Protection Authorities (DPAs) enforce GDPR and operate independently in each member state. The EU AI Office is a European Commission body that enforces the EU AI Act specifically, with direct authority over GPAI model providers. National Market Surveillance Authorities (NMSAs) — separate from DPAs — enforce the AI Act at the national level. The same AI system may be investigated by a DPA (for GDPR violations), an NMSA (for AI Act violations), and the AI Office (if it involves a GPAI model) simultaneously. Coordination protocols between these bodies are still being developed.
Can individuals report EU AI Act violations directly to the EU AI Office? +
Yes, for some matters, but the usual route is national. Any natural or legal person may lodge a complaint with the relevant national market surveillance authority (Article 85), and downstream providers may complain to the EU AI Office about a GPAI model provider (Article 89). What the AI Act does not provide is a private right of action or a right to compensation comparable to GDPR Article 82: a complaint informs a public authority's investigation rather than starting proceedings in its own right, and any damages claim must be brought under other law, such as product liability or national tort law. Civil society organisations are expected to play a significant role in identifying violations and bringing structured complaints.
Which EU member states have designated their National Market Surveillance Authorities? +
Member states were required to designate their national competent authorities, including at least one market surveillance authority, by 2 August 2025 (Article 70). Many missed the deadline, and designations are still being completed. Where they have been made, member states have mostly built on existing regulators, designating data protection authorities, financial or telecoms regulators, or consumer protection bodies as the lead NMSA; Germany, for example, has proposed the Federal Network Agency (Bundesnetzagentur) as its central market surveillance authority. The precise designation varies by member state and sometimes by sector: healthcare AI and financial AI may fall under sector-specific regulators in addition to the general NMSA, and the Act itself assigns supervision of AI in financial services to the existing financial supervisors (Article 74(6)).
What is the GPAI Code of Practice and should my company sign up? +
The GPAI Code of Practice is a voluntary compliance framework developed through a process facilitated by the EU AI Office, with input from GPAI model providers, researchers, and civil society. It provides detailed, practical guidance on meeting the obligations of Chapter V (the baseline GPAI provider obligations in Article 53, chiefly technical documentation, downstream information, a copyright policy and a training-data summary) and, for systemic-risk models, the additional obligations of Article 55 (risk assessment and mitigation, adversarial testing, incident reporting and cybersecurity). Under Article 53(4), providers may rely on the Code to demonstrate compliance until harmonised standards are published, so the AI Office will treat Code-adherent providers as compliant unless evidence emerges to the contrary; providers that do not sign must demonstrate compliance by other adequate means. If you are a GPAI model provider, signing the Code is strongly recommended. If you are deploying GPAI models in high-risk applications, check whether your GPAI vendor has signed the Code and ask for the downstream documentation it requires them to supply.