Who Actually Enforces the AI Act, and What Draws Their Attention
A regulation is only as real as its enforcement, and for a long time the AI Act's enforcement felt abstract. That is changing. The authorities are being designated, the supervisory structure is taking shape, and the question for any organisation operating at scale is no longer whether enforcement will come, but how it will work.
The architecture is layered. National competent authorities do the front-line supervision in each Member State, acting as market surveillance authorities for AI. Above them, the AI Office and the AI Board coordinate, handle general-purpose AI, and manage the cross-border cases that a single national authority cannot resolve alone. The effect, for a multinational, is overlapping jurisdiction rather than a single regulator.
Designation has largely happened, with Member States naming their authorities, and several publishing enforcement priorities that point first at healthcare and public administration. Knowing which authority supervises you, and what it has said it cares about, is now a concrete input to planning.
Market surveillance will operate much as it does in other product regimes: authorities can request documentation, investigate, require corrective action, and ultimately restrict or withdraw a system. The practical lesson is that your technical file and your registration are not archive material; they are the things an authority asks to see.
What draws attention? Complaints, incidents, media and civil-society scrutiny, published priorities, and the simple visibility of a public registration. A high-risk system in a sensitive sector with a thin paper trail is a more likely subject than a well-documented system nobody has complained about.
Penalties are tiered, with prohibited uses at the top of the scale, up to 35 million euro or 7% of global annual turnover, and high-risk and information failures below. Cross-border cases run through the AI Board, which means a problem in one market can become a problem across several.
Reducing exposure is less about prediction and more about readiness: know your supervising authority, keep documentation and registration current, run the literacy and oversight the Act requires, and be able to respond to a request quickly and coherently.
Our whitepaper, Enforcement Architecture, maps the layers, the designation picture, the investigation triggers, and a practical framework for lowering risk. The enforcement window is open, and the organisations that prepare for contact handle it better than those surprised by it.