The AI Office, established within the European Commission in 2024, is the EU-level centre of AI expertise and the enforcement authority for general-purpose AI models under the EU AI Act. It can demand information, commission model evaluations, require risk mitigation, and propose fines up to 3 percent of global turnover or 15 million euros, while also drafting codes of practice and coordinating with national authorities.
The EU AI Office: Role, Powers and Why It Matters for Your Compliance
Overview: The Commission's AI Enforcement Arm
The EU AI Act distributes supervision across two levels: national market surveillance authorities police AI systems within their territories, while a Union-level body supervises the layer of the stack that no single Member State can sensibly regulate alone — general-purpose AI models. That body is the AI Office, established by Commission decision of January 24, 2024 and operating within the Commission's Directorate-General for Communications Networks, Content and Technology. Article 64 of the regulation anchors it in law: the Commission develops Union expertise and capabilities in AI through the AI Office, and Member States must facilitate its tasks. For providers of foundation models and the businesses building on them, the AI Office is the most consequential AI regulator in the world right now, and understanding its powers is basic operational literacy.
What the AI Office Does
The Office's mandate spans enforcement, rulemaking support and coordination:
- Exclusive supervision of GPAI: under Article 88, the Commission — acting through the AI Office — holds exclusive powers to supervise and enforce the obligations of providers of general-purpose AI models in Chapter V
- Codes of practice: under Article 56, the AI Office facilitates the drawing up of codes of practice that operationalise GPAI obligations, including the code covering transparency, copyright and systemic risk measures that providers may rely on to demonstrate compliance until harmonised standards arrive
- Guidance and interpretation: the Office prepares guidelines, templates — including the template for the public summary of training content — and supports the Commission's delegated and implementing acts
- Systemic risk oversight: it receives notifications from providers whose models meet the systemic risk thresholds of Article 51, including the presumption tied to training compute exceeding ten to the twenty-fifth floating point operations, and can designate models as systemically risky
- Coordination: it works with the European AI Board, the Scientific Panel of independent experts, national authorities and international partners, and supports market surveillance in cases with Union-wide significance
Enforcement Powers Over GPAI Providers
Chapter IX Section 5 gives the AI Office a toolkit recognisably modelled on EU competition enforcement. Under Article 91, it can request from GPAI providers all information and documentation necessary to assess compliance, with deadlines and formal procedure. Under Article 92, it can conduct evaluations of general-purpose AI models — including through independent experts from the Scientific Panel — to assess compliance or investigate systemic risks, with the power to request model access through APIs or other appropriate technical means. Under Article 93, it can request providers to take mitigation measures, and where serious and substantiated concerns persist, request that a model be restricted, withdrawn or recalled from the market. Under Article 101, the Commission can impose fines on GPAI providers of up to 3 percent of worldwide annual turnover or 15 million euros, whichever is higher, for intentional or negligent infringements of the Chapter V obligations, non-compliance with information requests, or failure to comply with mitigation demands.
The procedural counterweights matter too: providers have rights to be heard, decisions are subject to review by the Court of Justice, and the Scientific Panel can send qualified alerts to the AI Office when it identifies concrete risks from a model — a structured channel through which independent researchers influence enforcement priorities.
What the AI Office Is Not
Precision about the boundary prevents expensive confusion. The AI Office does not supervise high-risk AI systems as such — that is the job of national market surveillance authorities under Article 74, even where the high-risk system is built on a GPAI model. It does not replace data protection authorities, who keep full jurisdiction over personal data processing. And it is not the European AI Board: the Board is the intergovernmental coordination body of Member State representatives, while the Office is the Commission's own administrative machinery. A company can therefore face the AI Office for its foundation model, a national authority for the high-risk system built on it, and a data protection authority for the personal data inside it — three regulators, three procedures, one product.
Who Should Care
GPAI model providers — including any organisation that fine-tunes or substantially modifies a foundation model and thereby may become the provider of a new model — sit directly in the Office's jurisdiction and should map their Chapter V obligations now: technical documentation under Annex XI, information for downstream providers under Annex XII, copyright policy, and the public training content summary. Downstream builders of AI systems should care indirectly but materially: the documentation the AI Office forces upstream is precisely what downstream providers need for their own compliance files, and Article 53(1)(b) obliges model providers to supply it. SMEs and start-ups should also note the Office's softer functions — it runs consultations, publishes guidance, and channels support measures — making it a source of usable compliance material, not only demands.
Practical Steps
- Determine whether anything you ship qualifies as a general-purpose AI model, including fine-tuned derivatives placed on the market under your name
- If yes, build the Chapter V file: Annex XI documentation, downstream information packages, copyright compliance policy and the training content summary in the Office's template
- Assess the systemic risk thresholds honestly; crossing them triggers notification duties within two weeks and the additional obligations of Article 55
- If you build on third-party models, contract for the Annex XII information flow and monitor the Office's enforcement actions as early warning for your supply chain
- Track the code of practice ecosystem: adherence is voluntary but functions as the practical compliance benchmark while standards mature
Concrete Example
A European scale-up fine-tunes an open foundation model into a domain model for clinical documentation and licenses it to hospital software vendors. Depending on the scale and nature of the modification, the scale-up may have become the provider of a general-purpose AI model placed on the Union market — bringing it under the AI Office's jurisdiction for documentation, copyright policy and downstream information duties — while its hospital customers build high-risk systems supervised by national authorities. When the AI Office requests documentation to verify the model's training data governance, the scale-up's ability to respond within the deadline depends entirely on whether it built the Annex XI file at development time or must reconstruct it under procedural pressure. The lesson generalises: the Office's powers are exercised through documents, and the companies that fare well are those whose documents exist before the request arrives.
Action Before August 2, 2026
GPAI obligations have applied since August 2, 2025, with models placed on the market before that date enjoying a transition until August 2, 2027 — so for many providers the AI Office is already a present-tense regulator, not a future one. August 2, 2026 adds the enforcement superstructure around it: penalties become applicable across the regulation, national authorities reach full operation, and the interplay between Office and national supervision becomes daily reality. Companies in the model supply chain should use the remaining months to close documentation gaps, formalise upstream and downstream information contracts, and assign a named owner for regulator correspondence. The AI Office has signalled that it prefers cooperative engagement supported by codes of practice — but it acquired competition-style powers for a reason, and the first formal proceedings will define the compliance climate for years.
How the AI Office Shapes Law Beyond Enforcement
Enforcement is the visible function; norm production is the larger one. The AI Office drafts or steers most of the instruments through which the regulation's open concepts acquire operational meaning: guidelines on the definition of AI systems and on prohibited practices, the template for training data summaries, the methodology for classifying systemic risk models, and the codes of practice that function as the de facto rulebook for frontier model providers while harmonised standards mature. It also conducts the consultations through which industry, academia and civil society contest those meanings — which makes participation in AI Office consultations one of the few genuinely high-leverage regulatory activities available to ordinary companies. A definition clarified in a guideline can remove an entire product line from scope or pull it in; a threshold methodology can determine whether a model carries systemic risk obligations costing millions. Companies that staff their public policy function with people able to engage technically — not just monitor — have repeatedly obtained clarifications that their silent competitors now benefit from without having shaped. The AI Office is young, its doctrine is still soft, and the window in which careful argument moves outcomes is precisely now, before administrative practice hardens into precedent.
This article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.