Skip to main content

04 · Governance & the AI Office

Sources
note

Governance chapter (Chapter VII) became applicable 2 August 2025. The base Act's general application date is 2 August 2026, but PE-CONS 30/26 defers Chapter III high-risk Sections 1–3 to 2 December 2027 for Annex III and 2 August 2028 for Annex I, pending OJ publication and entry into force.

The governance structure at a glance

The AI Act creates a layered governance system with EU-level and national-level actors.

European AI Office (EU-level)

  • Sits within the European Commission (DG CONNECT)
  • Primary mandate: supervise and enforce obligations on GPAI model providers across all 27 member states
  • Conducts evaluations and investigations of GPAI models
  • Can issue decisions, impose fines on GPAI providers
  • Coordinates with national authorities
  • Publishes guidelines, codes of practice, and support tools
  • Maintains the AI Act Service Desk
  • Contact: CNECT-AIOFFICE@ec.europa.eu
  • Page: https://digital-strategy.ec.europa.eu/en/policies/ai-office

Under PE-CONS 30/26, the AI Office's powers are reinforced for AI systems falling under Article 75 supervision, including stronger investigation, monitoring, and EU-level sandbox roles. This is narrower than centralising oversight of every GPAI-based system.

AI Board

  • Composed of one high-level representative from each member state
  • Advises and assists Commission on consistent application of the Act
  • Coordinates between national authorities
  • Covers the whole Act, not just GPAI

Scientific Panel of Independent Experts

  • Body of independent AI scientists
  • Alerts AI Office to potential systemic risks from GPAI models
  • Supports model evaluations and technical assessments
  • A "qualified alert" from the panel can trigger an AI Office investigation

Advisory Forum

  • Consultative body
  • Industry, civil society, academia
  • Advises AI Board and Commission

National-level enforcement

  • Each member state must designate:
    • Notifying authority: assesses and designates notified bodies
    • Market surveillance authority: monitors compliance of AI systems on the market
  • EDPB's recommended model: existing data protection authorities (DPAs) as market surveillance authorities for AI systems impacting personal data rights
  • National authorities enforce against non-GPAI AI systems (i.e., Annex III high-risk AI, limited-risk AI, etc.)
  • Member states must have national penalty laws in place (as of 2 Aug 2025)

Penalties

ViolationMaximum fine
Prohibited practices (Article 5)€35M or 7% global annual turnover
GPAI/high-risk AI Act violations€15M or 3% global annual turnover
Providing incorrect/misleading information to authorities€7.5M or 1% global annual turnover

For SMEs and start-ups, the base Act caps fines at whichever is lower. PE-CONS 30/26 extends the lower-of cap for certain fines to SMCs, pending OJ publication.

Regulatory sandboxes

  • Under PE-CONS 30/26, at least one national AI regulatory sandbox must be operational by 2 August 2027.
  • The AI Office may establish a Union-level sandbox for AI systems covered by Article 75(1), with priority access for SMEs, start-ups and SMCs.
  • Allow providers to test AI in real-world conditions under regulatory supervision
  • Simplified rules for sandbox participants

AI Act Whistleblower Tool

Key articles

TopicArticle(s)
AI OfficeArt. 64–70
AI BoardArt. 65
Scientific PanelArt. 68
Advisory ForumArt. 67
National competent authoritiesArt. 70
Notifying authoritiesArts. 27–30
Market surveillanceArts. 74–78
PenaltiesArts. 99–100
Governance chapter applicationArt. 113(b)
SandboxesArt. 57