04 · Governance & the AI Office
- EC AI Office page + Governance & Enforcement page + FLI AI Office summary
- Governance chapter became applicable: 2 August 2025
Governance chapter (Chapter VII) became applicable 2 August 2025. The base Act's general application date is 2 August 2026, but PE-CONS 30/26 defers Chapter III high-risk Sections 1–3 to 2 December 2027 for Annex III and 2 August 2028 for Annex I, pending OJ publication and entry into force.
The governance structure at a glance
The AI Act creates a layered governance system with EU-level and national-level actors.
European AI Office (EU-level)
- Sits within the European Commission (DG CONNECT)
- Primary mandate: supervise and enforce obligations on GPAI model providers across all 27 member states
- Conducts evaluations and investigations of GPAI models
- Can issue decisions, impose fines on GPAI providers
- Coordinates with national authorities
- Publishes guidelines, codes of practice, and support tools
- Maintains the AI Act Service Desk
- Contact: CNECT-AIOFFICE@ec.europa.eu
- Page: https://digital-strategy.ec.europa.eu/en/policies/ai-office
Under PE-CONS 30/26, the AI Office's powers are reinforced for AI systems falling under Article 75 supervision, including stronger investigation, monitoring, and EU-level sandbox roles. This is narrower than centralising oversight of every GPAI-based system.
AI Board
- Composed of one high-level representative from each member state
- Advises and assists Commission on consistent application of the Act
- Coordinates between national authorities
- Covers the whole Act, not just GPAI
Scientific Panel of Independent Experts
- Body of independent AI scientists
- Alerts AI Office to potential systemic risks from GPAI models
- Supports model evaluations and technical assessments
- A "qualified alert" from the panel can trigger an AI Office investigation
Advisory Forum
- Consultative body
- Industry, civil society, academia
- Advises AI Board and Commission
National-level enforcement
- Each member state must designate:
- Notifying authority: assesses and designates notified bodies
- Market surveillance authority: monitors compliance of AI systems on the market
- EDPB's recommended model: existing data protection authorities (DPAs) as market surveillance authorities for AI systems impacting personal data rights
- National authorities enforce against non-GPAI AI systems (i.e., Annex III high-risk AI, limited-risk AI, etc.)
- Member states must have national penalty laws in place (as of 2 Aug 2025)
Penalties
| Violation | Maximum fine |
|---|---|
| Prohibited practices (Article 5) | €35M or 7% global annual turnover |
| GPAI/high-risk AI Act violations | €15M or 3% global annual turnover |
| Providing incorrect/misleading information to authorities | €7.5M or 1% global annual turnover |
For SMEs and start-ups, the base Act caps fines at whichever is lower. PE-CONS 30/26 extends the lower-of cap for certain fines to SMCs, pending OJ publication.
Regulatory sandboxes
- Under PE-CONS 30/26, at least one national AI regulatory sandbox must be operational by 2 August 2027.
- The AI Office may establish a Union-level sandbox for AI systems covered by Article 75(1), with priority access for SMEs, start-ups and SMCs.
- Allow providers to test AI in real-world conditions under regulatory supervision
- Simplified rules for sandbox participants
AI Act Whistleblower Tool
- Secure channel for individuals to report AI Act violations to the AI Office
- Page: https://digital-strategy.ec.europa.eu/en/policies/ai-act-whistleblower-tool
Key articles
| Topic | Article(s) |
|---|---|
| AI Office | Art. 64–70 |
| AI Board | Art. 65 |
| Scientific Panel | Art. 68 |
| Advisory Forum | Art. 67 |
| National competent authorities | Art. 70 |
| Notifying authorities | Arts. 27–30 |
| Market surveillance | Arts. 74–78 |
| Penalties | Arts. 99–100 |
| Governance chapter application | Art. 113(b) |
| Sandboxes | Art. 57 |