The EU AI Act creates a layered enforcement architecture involving the European AI Office, national market surveillance authorities, notified bodies, and national data protection authorities. Each body has distinct jurisdiction, distinct powers, and distinct procedures. Understanding which body supervises which obligation, and what powers that body holds, is the starting point for any enforcement analysis.

This guide covers the institutional structure of AI Act enforcement, the supervisory powers available to each authority, the rights of individuals affected by AI systems, the complaint and redress mechanisms, the penalties applicable to each category of infringement, and the procedures that apply when enforcement action is taken. It cites the specific articles of Regulation (EU) 2024/1689 on which each point is based.

Before reading this guide, two points of orientation are useful. First, enforcement jurisdiction follows the subject matter of the obligation, not the identity of the operator. GPAI model obligations are enforced by the AI Office. High-risk AI system obligations are enforced by national market surveillance authorities. Some obligations, such as the prohibited practices in Article 5, may be enforced by both depending on the nature of the system involved. Second, enforcement of the AI Act operates alongside, and does not replace, enforcement of the GDPR, the NIS2 Directive, the Cyber Resilience Act, and other applicable Union law. Where obligations overlap, both sets of enforcement mechanisms apply.

Enforcement Architecture at a Glance

Body | Primary jurisdiction | Legal basis
European AI Office | GPAI model providers. Cross-border systemic risk. Coordination of national authorities | Articles 64, 88-94
National market surveillance authorities | High-risk AI system providers and deployers within their member state | Articles 70, 74-81
AI Board | Coordination between national authorities. Opinions and recommendations on cross-border cases | Article 65
Scientific Panel of Independent Experts | Advisory role on GPAI model capabilities and systemic risk assessments | Article 68
National data protection authorities | AI systems processing personal data. Enforcement of GDPR obligations running alongside AI Act obligations | Article 74(4)
Notified bodies | Third-party conformity assessment for Annex I product-embedded systems and certain biometric systems | Articles 28-39
Market surveillance authorities under sector law | AI systems regulated under sector-specific Union harmonisation legislation | Article 74(5)

1. The European AI Office

Establishment and Mandate

Article 64(1) states: “The Commission shall develop Union expertise and capabilities in the field of AI through the European AI Office established by Commission Decision of 24 January 2024.”

The AI Office sits within the European Commission and operates as the central supervisory authority for GPAI model providers across the EU. It is not a national authority. It exercises jurisdiction at Union level and its decisions bind providers across all member states simultaneously.

Article 64(3) specifies the AI Office’s functions: monitoring the implementation and enforcement of the GPAI framework, supporting the development of codes of practice, conducting evaluations of GPAI models, maintaining the EU database, coordinating with national authorities, and developing guidelines and guidance documents on implementation of the Act.

Supervisory Powers over GPAI Providers

Articles 88 to 94 set out the AI Office’s enforcement powers in relation to GPAI model providers.

Article 88(1) states: “The AI Office shall monitor and supervise the compliance of providers of general-purpose AI models with the obligations set out in this Regulation.”

Article 91(1) states: “The AI Office may request providers of general-purpose AI models, and third parties that have been involved in the distribution or deploying of general-purpose AI models, to provide documentation or information that is necessary for the purpose of supervision and evaluation activities.”

Article 91(2) states: “Where the AI Office has requested a provider of a general-purpose AI model to provide documentation or information pursuant to paragraph 1, it shall indicate the purpose of the request, specify what information is required and set a reasonable time limit for its provision.”

AI Office supervisory power | What it enables | Legal basis
Information requests | Request documentation and information from GPAI providers and third parties involved in distribution | Article 91(1)
Model evaluations | Conduct evaluations of GPAI models, including systemic risk models, using the Scientific Panel | Article 92(1)
Corrective measure requests | Request providers to take specific corrective measures to bring models into compliance | Article 93(1)
Access to model weights | Request access to model parameters, weights, and source code where necessary for evaluation | Article 91(3)
Sanctions | Impose fines under Article 99 and periodic penalty payments under Article 101 | Articles 99, 101
Interim measures | Request member state authorities to take interim measures in urgent cases | Article 81
Code of practice oversight | Assess adequacy of codes of practice and withdraw recognition where they no longer ensure compliance | Article 56(4)

Model Evaluation Procedure

Article 92(1) states: “The AI Office may conduct evaluations of general-purpose AI models, including general-purpose AI models with systemic risk, in order to assess their compliance with the obligations set out in this Regulation, or to investigate systemic risks at Union level in view of supporting the Commission in developing Union-wide policy.”

Article 92(2) states that the AI Office may, for evaluation purposes, request providers to provide access to a model through an API or other appropriate technical means, and may draw on the expertise of the Scientific Panel of Independent Experts and independent third parties. Providers must cooperate fully with evaluation requests and cannot restrict the AI Office’s access to model parameters or outputs on commercial confidentiality grounds during an evaluation.

Where an evaluation identifies compliance failures, Article 93(1) states: “Where the AI Office finds that a provider of a general-purpose AI model has violated this Regulation, it may request the provider to take the necessary corrective measures to bring the violation to an end, within a reasonable time limit set by the AI Office.”

2. National Market Surveillance Authorities

Designation and Jurisdiction

Article 70(1) states: “Member States shall designate one or more national competent authorities as national supervisory authorities for the purpose of supervising the application and implementation of this Regulation. National supervisory authorities shall include at least one market surveillance authority.”

Every EU member state must designate at least one national market surveillance authority with jurisdiction over high-risk AI systems within that state. Member states may designate different authorities for different sectors. In practice, several member states have designated existing product safety, data protection, or sector-specific regulators as their AI Act market surveillance authorities.

Article 70(3) states: “National supervisory authorities shall be provided with adequate technical, financial and human resources, and infrastructure to fulfil their tasks effectively.”

Supervisory Powers

Article 74 sets out the powers available to national market surveillance authorities. These mirror the general market surveillance powers under Regulation (EU) 2019/1020, adapted for the specific characteristics of AI systems.

Article 74(1) states: “National market surveillance authorities shall have the power to require providers, authorised representatives, deployers and other relevant third parties to provide documentation and information that are necessary for the fulfilment of their supervisory tasks.”

Article 74(2) states: “National market surveillance authorities shall have the power to carry out inspections of providers and deployers to verify that they are applying the requirements and obligations set out in this Regulation.”

National authority supervisory power | What it enables | Legal basis
Documentation requests | Require providers, authorised representatives, deployers, and third parties to produce documentation | Article 74(1)
Inspections | Conduct inspections of providers and deployers to verify compliance | Article 74(2)
Access to training data | Require access to training, validation, and testing datasets where automated log access is insufficient | Article 74(8)
Access to source code | Require access to source code of high-risk AI systems upon reasoned request | Article 74(8)
Corrective measures | Require providers to bring non-compliant systems into compliance | Article 79(1)
Market restriction | Require providers to restrict or prohibit the system’s availability on the market | Article 79(1)(c)
Withdrawal | Require providers to withdraw the system from the market | Article 79(1)(d)
Recall | Require providers to recall systems already in service | Article 79(1)(e)
Interim measures | Take interim measures to prevent serious risk pending full investigation | Article 81
Information sharing | Share information with other member state authorities and the AI Office | Article 75

Cross-Border Cases

Where a high-risk AI system is available in multiple member states, Article 75 requires national market surveillance authorities to cooperate and share information. The authority in the member state where the provider or its authorised representative is established takes the lead in coordinating enforcement.

Article 76(1) states: “Where the market surveillance authority of one Member State has sufficient reason to consider that a high-risk AI system presents a risk to the health or safety or to the protection of fundamental rights of persons, it shall carry out an evaluation of the high-risk AI system concerned in relation to its compliance with all the requirements and obligations set out in this Regulation.”

3. The AI Board

Article 65(1) states: “A European Artificial Intelligence Board is hereby established.”

The AI Board is composed of one representative of the national supervisory authority from each member state and one representative of the European Data Protection Supervisor. The Commission participates as observer. The AI Board does not have direct enforcement powers over individual operators. It coordinates between national authorities, issues opinions and recommendations on cross-border cases, and provides guidance on consistent application of the Act across member states.

Article 65(2)(c) requires the AI Board to “issue opinions, recommendations or written contributions on matters related to the implementation of this Regulation, in particular as regards technical specifications or existing standards regarding the requirements set out in Chapter II, the assessment of codes of conduct, the assessment of codes of practice, and the Coordinated Plan on AI.”

Where national authorities reach divergent conclusions on the same cross-border compliance question, Article 65 provides a mechanism for the AI Board to issue a coordinating opinion. This opinion is not legally binding on national authorities but carries significant weight in subsequent enforcement and legal proceedings.

4. The Scientific Panel of Independent Experts

Article 68(1) states: “The Commission shall provide for a scientific panel of independent experts to support the enforcement activities under this Regulation.”

The Scientific Panel advises the AI Office on GPAI model capabilities, systemic risk assessments, and technical questions arising in enforcement. It may be called upon to conduct independent evaluations of GPAI models and to provide expert opinions in enforcement proceedings.

Article 68(2) specifies that panel members must have deep expertise in AI, data science, fundamental rights, cybersecurity, or other relevant fields and must be independent of commercial interests in the AI systems they evaluate.

Article 90(1) states: “The Scientific Panel may provide an alert to the AI Office, where it considers that there are reasonable grounds to believe that a particular general-purpose AI model presents a concrete identifiable risk at Union level. In such a case, the AI Office shall assess whether those grounds are substantiated and may decide to take the measures provided for in this Regulation.”

5. Complaint and Redress Mechanisms for Individuals

The Right to Complain

Article 85(1) states: “Any natural or legal person having grounds to consider that there has been an infringement of the provisions of this Regulation may submit complaints to the relevant market surveillance authority.”

The right to complain is broad. It applies to any natural or legal person, not only those directly affected by the AI system in question. A civil society organisation, a trade union, or a competitor may submit a complaint on grounds of infringement. The complaint must be directed to the national market surveillance authority in the relevant member state.

Article 85(2) states: “Complaints shall be assessed by the relevant market surveillance authority and handled in accordance with the procedures and timeframes established by Union and national law applicable to market surveillance activities.”

National authorities are not required to investigate every complaint. They must assess complaints and handle them according to their national procedures, but they retain discretion on the allocation of enforcement resources. However, a reasoned decision declining to investigate must be provided to the complainant under Article 85(2).

The Right to Explanation

Article 86(1) states: “Any affected person subject to a decision taken by the deployer on the basis of the output of a high-risk AI system listed in Annex III, with the exception of systems listed in point 2 of that Annex, that produces legal effects or similarly significantly affects that person in a way that they consider to have an adverse impact on their health, safety or fundamental rights shall have the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken.”

The right to explanation applies where all three of the following conditions are met: the decision is taken by a deployer on the basis of a high-risk AI system output, the decision produces legal effects or similarly significant effects, and the affected person considers the decision to have had an adverse impact on their health, safety, or fundamental rights.

The right is not an absolute right to a full technical account of the system’s operation. Article 86(2) clarifies that the explanation must cover the role of the AI system in the decision-making procedure and the main elements of the decision. The deployer is not required to disclose proprietary technical information about the system beyond what is necessary to give a meaningful explanation.

Right to explanation element | What the deployer must provide | Legal basis
Role of the AI system | How the system contributed to the decision, including whether the decision was automated or human-assisted | Article 86(1)
Main elements of the decision | The principal factors taken into account in the decision, to the extent the AI system’s output informed them | Article 86(1)
Scope limitation | Explanation need not disclose proprietary technical details beyond what is necessary for meaningful explanation | Article 86(2)
Annex III exclusion | Systems listed in Annex III point 2 (critical infrastructure management) are excluded from the right | Article 86(1)

The Right to Lodge a Complaint About an AI System Affecting Fundamental Rights

Article 85 operates alongside rights under other Union law. Where an AI system processes personal data, the GDPR provides complementary rights including the right to object to automated decision-making under GDPR Article 22, the right of access under GDPR Article 15, and the right to rectification under GDPR Article 16. These rights are enforced by national data protection authorities and are not displaced by the AI Act.

Article 74(4) states: “Where the market surveillance authority designated for the purposes of this Regulation is not the national data protection authority, it shall cooperate with the national data protection authority in order to ensure that the requirements of Regulation (EU) 2016/679 and those of this Regulation are both complied with effectively.”

Representative Actions

Article 85(3) states that representative actions brought by organisations, associations, or bodies under Directive (EU) 2020/1828 are available where those organisations, associations, or bodies meet the conditions set out in that Directive and where the infringement harms or may harm the collective interests of consumers.

This provision creates a mechanism for civil society organisations to bring collective enforcement actions on behalf of groups of individuals affected by AI systems, without each individual needing to bring a separate complaint.

6. The Penalty Framework

The Three-Tier Structure

Article 99 establishes a three-tier penalty structure. The applicable tier depends on the category of infringement, not the identity of the operator or the severity of the specific harm caused.

Article 99(1) states: “Administrative fines shall be effective, proportionate and dissuasive.”

Article 99(6) states: “For SMEs, including start-ups, each fine referred to in this Article shall be up to the percentages or amounts referred to in paragraphs 3, 4 and 5, whichever thereof is lower.”

Infringement tier | Maximum fine | Legal basis
Tier 1: Prohibited practices | EUR 35,000,000 or 7% of total worldwide annual turnover, whichever is higher | Article 99(3)
Tier 2: Provider, deployer, importer, distributor, and Authorised Representative obligations. GPAI obligations. Notified body obligations. Transparency obligations | EUR 15,000,000 or 3% of total worldwide annual turnover, whichever is higher | Article 99(4)
Tier 3: Supplying incorrect, incomplete, or misleading information to notified bodies or national competent authorities | EUR 7,500,000 or 1% of total worldwide annual turnover, whichever is higher | Article 99(5)

Tier 1: Prohibited Practice Violations

Article 99(3) states: “The non-compliance with the prohibition of the AI practices referred to in Article 5 shall be subject to administrative fines of up to 35 000 000 EUR or, if the offender is an undertaking, up to 7 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.”

The prohibited practices in Article 5 carry the highest penalties in the Act. This reflects the legislative judgment that these practices represent harms so fundamental that no degree of commercial benefit can justify them. The 7% worldwide turnover cap aligns with the highest tier of GDPR fines and is designed to be materially dissuasive for large technology companies.

Tier 2: Obligation Violations

Article 99(4) states: “The non-compliance with any of the following provisions related to operators or notified bodies, other than those laid down in Article 5, shall be subject to administrative fines of up to 15 000 000 EUR or, if the offender is an undertaking, up to 3 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.”

Article 99(4) then lists the specific obligations within this tier, which include:

Obligation category | Legal basis of obligation
Provider obligations for high-risk AI systems | Articles 16-27
Authorised Representative obligations | Article 22
Importer obligations | Article 23
Distributor obligations | Article 24
Deployer obligations | Article 26
Notified body requirements | Articles 31, 33, 34
Transparency obligations for providers and deployers | Article 50
GPAI model provider obligations | Articles 53, 55

Tier 3: Information Violations

Article 99(5) states: “The supply of incorrect, incomplete or misleading information to notified bodies or national competent authorities in reply to a request shall be subject to administrative fines of up to 7 500 000 EUR or, if the offender is an undertaking, up to 1 % of its total worldwide annual turnover for the preceding financial year, whichever is higher.”

This tier applies where an operator does not refuse to cooperate with authorities, but provides false, incomplete, or misleading information in response to a request. It operates as a standalone infringement, separate from and in addition to any fine applicable to the underlying compliance failure that prompted the information request.

GPAI-Specific Penalties

Article 101 provides the AI Office with a distinct penalty mechanism for GPAI model providers.

Article 101(1) states: “The Commission may impose on providers of general-purpose AI models fines not exceeding 3 % of their total worldwide annual turnover in the preceding financial year or 15 000 000 EUR, whichever is higher, where the provider intentionally or negligently fails to comply with any of the following.”

Article 101(1) then lists: failure to comply with a measure requested under Article 93 (corrective measures), failure to make available to the AI Office access to the general-purpose AI model or GPAI model with systemic risk under Article 91, and failure to notify the AI Office of a serious incident under Article 55(1)(b).

Article 101(2) provides for periodic penalty payments of up to 1.5% of average daily worldwide turnover in the preceding financial year for each day of continued non-compliance with a measure or access request. This mechanism is designed to compel ongoing compliance rather than merely to punish past violations.

Factors Affecting Fine Levels

Article 99(1) requires fines to be effective, proportionate, and dissuasive. In determining the specific fine within the applicable maximum, enforcement authorities must take into account:

Factor | How it affects the fine | Legal basis
Nature, gravity, and duration of infringement | More serious, longer-running infringements attract higher fines | Article 99(1)
Intentional or negligent character | Intentional infringements attract higher fines than negligent ones | Article 99(1)
Actions to mitigate harm | Steps taken to limit the damage caused by the infringement reduce the fine | Article 99(1)
Degree of responsibility | Operators with greater control and capacity to prevent the infringement bear greater responsibility | Article 99(1)
Prior infringements | Repeat infringements attract higher fines | Article 99(1)
Cooperation with authority | Active cooperation with the investigation may reduce the fine | Article 99(1)
Size and market share of the operator | SME status reduces the fine ceiling | Article 99(6)

Fines for Union Institutions

Article 100 extends the penalty framework to EU institutions, bodies, offices, and agencies that deploy high-risk AI systems. The European Data Protection Supervisor has jurisdiction over AI Act infringements by Union institutions. Fines applicable to Union institutions are capped at EUR 1,500,000 for Tier 1 infringements and EUR 750,000 for Tier 2 infringements under Article 100(2).

7. Enforcement Procedures

Market Surveillance Procedure for High-Risk AI Systems

Articles 74 to 81 set out the procedure national market surveillance authorities must follow when investigating potential infringements involving high-risk AI systems.

Article 76(1) states: “Where the market surveillance authority of one Member State has sufficient reason to consider that a high-risk AI system presents a risk to the health or safety or to the protection of fundamental rights of persons, it shall carry out an evaluation of the high-risk AI system concerned in relation to its compliance with all the requirements and obligations set out in this Regulation.”

Where the evaluation identifies non-compliance, the authority must require the provider to take corrective measures within a specified timeframe under Article 79(1). If the provider fails to take adequate corrective measures, the authority may restrict or prohibit the system’s availability, require withdrawal from the market, or require recall of systems already in service.

Enforcement procedure stage | What happens | Legal basis
Trigger | Authority has sufficient reason to consider a risk to health, safety, or fundamental rights | Article 76(1)
Evaluation | Authority conducts evaluation of the AI system against all applicable requirements | Article 76(1)
Finding of non-compliance | Authority notifies provider and requires corrective measures within a timeframe | Article 79(1)
Corrective measures | Provider takes steps to bring system into compliance within the specified period | Article 79(1)
Insufficient measures | Authority restricts, prohibits, withdraws, or recalls the system | Article 79(1)(b)-(e)
Notification | Authority notifies the Commission, AI Board, and other member state authorities | Article 79(2)
Right to be heard | Provider must be given opportunity to make submissions before adverse measures are taken | Article 79(4)

The Right to Be Heard

Article 79(4) states: “Before the market surveillance authority of a Member State takes any measure referred to in paragraph 1, it shall invite the operator concerned to submit its observations, within a reasonable time period of no less than 10 business days.”

The right to be heard is a procedural safeguard that applies before any corrective measure, restriction, withdrawal, or recall is imposed. Authorities must give operators at least 10 business days to respond. Interim measures under Article 81 may be taken without prior hearing in urgent cases but must be followed by the full procedure.

Interim Measures

Article 81(1) states: “By way of derogation from Article 79, the market surveillance authority of a Member State shall take interim measures where it is necessary to act urgently in order to prevent the use or placing on the market of a high-risk AI system posing a serious risk.”

Interim measures are available where waiting for the full enforcement procedure would cause serious, potentially irreversible harm. They may include immediate market restriction, suspension of the system’s use, or seizure of the system. Interim measures must be notified to the Commission and other member state authorities through the Union rapid information system under Article 80.

AI Office Enforcement Procedure for GPAI Models

Article 93(1) states: “Where the AI Office finds that a provider of a general-purpose AI model has violated this Regulation, it may request the provider to take the necessary corrective measures to bring the violation to an end, within a reasonable time limit set by the AI Office.”

Article 93(3) states: “Before the AI Office takes any measure against a provider of a general-purpose AI model, it shall invite the provider to submit its observations, within a reasonable time limit of no less than 10 business days.”

The procedural safeguards for GPAI enforcement mirror those for high-risk AI enforcement: the right to be heard before adverse measures are taken, a minimum 10 business day response period, and a right to challenge measures through the Court of Justice of the European Union under Article 263 TFEU.

Article 94(1) states: “The providers of general-purpose AI models shall have the right to be heard before the AI Office takes any individual measure against them.”

8. Confidentiality and Information Sharing

Confidentiality Obligations

Article 78(1) states: “National competent authorities and the AI Office shall carry out their activities with a high level of transparency.”

Article 78(2) states: “National competent authorities and the AI Office shall ensure that any confidential information obtained in the course of their activities is protected in accordance with applicable Union and national law.”

Information obtained by authorities during enforcement investigations, including technical documentation, source code, and model weights, is subject to professional secrecy obligations. Authorities cannot disclose commercially sensitive information to competitors or publish it in enforcement decisions beyond what is necessary to establish the facts of the infringement.

The Union Rapid Information System

Article 80(1) states: “Member States shall notify the Commission, through the electronic interface of the information and communication system referred to in Article 84, about any measure they have taken to restrict or prohibit a high-risk AI system.”

The rapid information system enables member state authorities to share information about market restrictions and enforcement actions in real time. Where one member state takes action against a high-risk AI system, other member states are notified and may take corresponding action against the same system within their jurisdictions.

Whistleblower Protection

Article 87(1) states: “Reports of infringements of this Regulation and the protection of the persons reporting such infringements shall be covered by Directive (EU) 2019/1937,” the EU Whistleblower Protection Directive.

Individuals who report infringements of the AI Act to national authorities or the AI Office are protected from retaliation, dismissal, or other adverse treatment under the Whistleblower Directive. This protection applies to employees, contractors, and other persons in a work-related context.

9. Interaction with Other Union Law

GDPR

The AI Act and the GDPR apply concurrently where AI systems process personal data. Article 74(4) requires national AI Act market surveillance authorities to cooperate with data protection authorities where the same system engages both frameworks. Fines under the GDPR and fines under the AI Act may be imposed for separate infringements arising from the same system and the same facts, subject to the principle that the same infringement is not punished twice.

Article 2(7) states: “This Regulation shall not affect the application of the provisions on the liability of online intermediaries set out in Regulation (EU) 2022/2065,” the Digital Services Act.

NIS2 and the Cyber Resilience Act

Where a high-risk AI system or GPAI model falls within the scope of the NIS2 Directive or the Cyber Resilience Act, cybersecurity obligations under those instruments apply alongside the AI Act requirements. Enforcement of cybersecurity obligations under NIS2 is conducted by national NIS2 competent authorities. Enforcement of Cyber Resilience Act obligations follows the market surveillance framework under that regulation. The AI Act’s Article 15 accuracy and robustness requirements and Article 55(1)(c) GPAI cybersecurity requirements operate as additional, not alternative, obligations.

Sector-Specific Regulation

Article 74(5) states: “Where appropriate and consistent with Union law, Member States may decide that their market surveillance authorities for the purposes of this Regulation shall also be the market surveillance or competent authority for the purpose of other Union legal acts governing specific areas where high-risk AI systems, as defined in this Regulation, are used.”

In practice, this means financial services AI systems may be supervised by both the designated AI Act market surveillance authority and the relevant financial services regulator. Medical device AI systems remain subject to the Medical Device Regulation conformity assessment and post-market surveillance requirements in addition to AI Act obligations. Operators in regulated sectors must satisfy both the AI Act framework and all applicable sector-specific requirements.

Frequently Asked Questions

Which authority do we contact if we want to report a potential AI Act infringement?

Complaints should be directed to the national market surveillance authority in the member state where the infringement occurs or where the provider or its Authorised Representative is established. For infringements involving GPAI model providers, complaints may be directed to the AI Office directly. Article 85(1) gives any natural or legal person grounds to submit a complaint to the relevant authority. The AI Office publishes contact details for national authorities on its website.

Can both a national authority and the AI Office investigate the same infringement?

Yes, where the infringement involves a GPAI model and also raises issues for national market surveillance. The AI Office has primary jurisdiction over GPAI model obligations under Articles 88 to 94. National market surveillance authorities have primary jurisdiction over high-risk AI system obligations under Articles 74 to 81. Where the same system triggers both frameworks, the bodies must cooperate under Article 75 to avoid duplicating enforcement action.

We are a small business. Does the SME fine cap protect us significantly?

The SME cap in Article 99(6) provides that fines are capped at the lower of the applicable percentage or fixed amount. For a Tier 1 prohibited practice violation, the cap means an SME pays the lower of EUR 35,000,000 or 7% of turnover. For a small business with annual turnover of EUR 1,000,000, 7% is EUR 70,000, which is substantially lower than the EUR 35,000,000 maximum. The percentage cap is designed to ensure proportionality. However, the SME cap does not eliminate financial exposure. A EUR 70,000 fine is material for a small business and the reputational consequences of an enforcement action are independent of the size of the fine.

We received a request for documentation from a national market surveillance authority. What are our obligations?

Article 74(1) requires operators to provide documentation and information requested by national market surveillance authorities within the timeframe specified. Failure to comply with a documentation request is itself an infringement under Article 99(4). Providing incorrect, incomplete, or misleading information in response to a request is an infringement under Article 99(5) carrying a fine of up to EUR 7,500,000 or 1% of worldwide turnover.

Operators must cooperate with authority requests and may seek to protect genuinely confidential information through established legal mechanisms, but cannot refuse to provide documentation on grounds of commercial sensitivity alone.

An AI system made a decision that adversely affected me. What can I do?

Article 86(1) gives you the right to obtain a clear and meaningful explanation from the deployer of the role the AI system played in the decision and the main elements of the decision, where the decision was made on the basis of a high-risk Annex III system, produced legal or similarly significant effects, and you consider it had an adverse impact on your health, safety, or fundamental rights. You may also submit a complaint to the national market surveillance authority under Article 85(1). Where personal data was processed, you have complementary rights under the GDPR including the right to object to automated decision-making under GDPR Article 22.

Our Authorised Representative has terminated our mandate and notified the authorities. What are the immediate consequences?

Termination of the Authorised Representative mandate means you no longer have an EU-established representative, which is a condition of lawful market access for non-EU providers of high-risk AI systems and GPAI models. You must appoint a replacement before continuing to make your system available on the EU market. Continuing to operate without a properly mandated representative after the deadline triggers liability under Article 99(4).

The notification by the former representative to the relevant authority is likely to prompt an investigation into the conduct that led to termination, which may itself give rise to enforcement action on the underlying compliance failures.

Can a fine be challenged?

Yes. Fines imposed by national market surveillance authorities are subject to challenge through national administrative and judicial review procedures. Fines imposed by the AI Office against GPAI providers may be challenged before the Court of Justice of the European Union under Article 263 TFEU. The right to be heard under Article 79(4) and Article 94(1) is a procedural precondition that must be satisfied before any adverse measure is taken, and failure to comply with this procedural requirement may itself constitute grounds for challenge.

We discovered an infringement in our own systems. Should we self-report?

Self-reporting is not expressly required by the AI Act for compliance failures that do not meet the Article 73 serious incident reporting threshold. However, the factors used to determine fine levels under Article 99(1) include the degree of cooperation with authorities and the actions taken to mitigate harm. Self-reporting and remediation before an authority investigation begins are likely to be treated as mitigating factors in any subsequent enforcement proceeding. The serious incident reporting obligation under Article 73 requires providers to report serious incidents within 15 days of becoming aware of them regardless of whether the incident was caused by their own compliance failure.

The Digital Omnibus proposes changes to the enforcement framework. What is the current position?

The Digital Omnibus proposals published in February 2025 do not propose substantive changes to the penalty framework in Articles 99 to 101 or to the enforcement procedures in Articles 74 to 94. The proposals concern primarily the high-risk AI system application timeline and certain definitional questions. The enforcement architecture and penalty structure described in this guide reflect the current law and are not affected by the Digital Omnibus proposals as currently drafted.

This guide reflects the text of Regulation (EU) 2024/1689 as published in the Official Journal on 12 July 2024 and applicable guidance issued by the European AI Office through May 2026. It is published for general informational purposes and does not constitute legal advice. Operators subject to enforcement proceedings or investigation should obtain advice specific to their circumstances and the jurisdiction in which enforcement action is being taken.
