Under Article 70 of the EU AI Act, each Member State must establish or designate at least one notifying authority and at least one market surveillance authority as national competent authorities, designated by August 2, 2025, with a single point of contact identified publicly. These authorities enforce the regulation nationally, supported by sector regulators, data protection authorities and penalty regimes set in national law.
National Competent Authorities Under the EU AI Act: Who Enforces What
Overview: Where EU AI Law Meets National Reality
The EU AI Act is a regulation — directly applicable in every Member State without transposition — but its enforcement is profoundly national. The Commission's AI Office supervises only general-purpose AI models; everything else, from a recruitment algorithm in Lisbon to a credit scoring model in Helsinki, is policed by national competent authorities. Article 70 sets the institutional baseline: each Member State must establish or designate at least one notifying authority and at least one market surveillance authority for the purposes of the regulation, equip them properly, and identify a single point of contact. For any organisation deploying AI in Europe, knowing who your authority is, what powers it holds and how it works is as practical a question as knowing your tax office.
The Two Mandatory Roles
The regulation requires two functionally distinct authorities:
- The notifying authority handles the conformity assessment infrastructure: it assesses, designates, notifies and monitors the notified bodies that perform third-party assessment of certain high-risk AI systems, under the procedures of Articles 28 to 36
- The market surveillance authority polices AI systems on the market: it monitors compliance of high-risk systems, prohibited practices and transparency duties, investigates complaints and incidents, and wields the powers of Regulation (EU) 2019/1020 plus the AI-specific powers of the AI Act, including access to documentation, data and — under strict conditions — source code
Member States had to make the designations and communicate them to the Commission by August 2, 2025, identify a single point of contact, and make the identity and tasks of their authorities publicly available. Article 70 also imposes a resourcing duty that is unusual in its specificity: authorities must be provided with adequate technical, financial and human resources and infrastructure, with personnel possessing in-depth understanding of AI technologies, data and data computing, personal data protection, cybersecurity, fundamental rights and health and safety risks, plus knowledge of existing standards and legal requirements. Member States report to the Commission on the status of those resources every two years — a built-in audit of enforcement capacity.
The National Map Is More Crowded Than Two Boxes
In practice, every Member State's enforcement landscape involves several institutions beyond the two mandatory designations. Article 74(3) lets Member States choose their market surveillance configuration, and the chosen models differ — some have centralised AI supervision in a single digital or telecom regulator, others have distributed it across sector bodies. Article 74(6) makes financial supervisors the natural market surveillance authorities for AI used by regulated financial institutions. Article 74(8) requires that for high-risk AI in law enforcement, border management, justice and democracy, the role go to data protection authorities or bodies with equivalent independence. Data protection authorities additionally keep their full GDPR jurisdiction over any personal data dimension. Article 77 gives fundamental rights authorities — equality bodies, ombudsman institutions — the right to request and access documentation created under the AI Act where needed for their mandates. And under Article 99, each Member State lays down its own rules on penalties within the regulation's ceilings, notified to the Commission, which means procedural culture and sanctioning practice will vary even where the substantive law is identical.
What This Means for Companies
Three operational consequences follow. First, multi-country operators must build an authority map: for each Member State of operation, which body supervises their AI system category, what language proceedings run in, and what the complaint and appeal routes are. The same credit scoring system may answer to a financial supervisor in one country and a general market surveillance body in another. Second, the single point of contact and the publicly listed authorities are working tools — providers can and should direct classification questions, registration issues and incident notifications to the correct institution rather than guessing. Third, national penalty variation is a genuine exposure variable: the regulation caps fines — up to 35 million euros or 7 percent of worldwide turnover for prohibited practices, 15 million or 3 percent for most other violations, 7.5 million or 1 percent for incorrect information, with lower ceilings for SMEs — but national law determines aggravation practice, settlement culture and the appetite for early showcase enforcement.
Practical Steps
- Identify your supervising authority in every Member State where you place systems on the market or deploy them, using the Commission's published lists and national announcements
- Map sector overlays: financial supervision, health regulators for medical AI under Annex I, data protection authorities for the law enforcement and justice categories
- Establish a regulator-response capability: named owner, document retrieval within statutory deadlines, and language coverage for the jurisdictions you operate in
- Route serious incident reporting under Article 73 to the correct market surveillance authority and rehearse the fifteen-day standard timeline, with the shorter deadlines for widespread infringements and deaths
- Monitor your authorities' guidance output: national authorities publish interpretation, complaint statistics and inspection priorities that are more operationally predictive than Union-level documents
Concrete Example
A SaaS provider sells an Annex III point 4 hiring tool across the Union from its base in one Member State. Its conformity assessment is internal control, so it never meets a notifying authority — but its market surveillance exposure is wide: the authority of its home state supervises it as provider, while authorities in every state where customers deploy the tool can receive complaints from rejected candidates, demand the technical documentation through cooperation mechanisms, and act against the local deployments. When a complaint lands in a second Member State, the cooperation and mutual assistance machinery of Regulation 2019/1020 and the AI Act's safeguard procedures determine how the case travels — and the provider's experience of the process will be shaped by which national authority leads. Companies that have pre-built their authority map and document-response capability resolve such cases in correspondence; those that have not, meet the full procedural apparatus unprepared.
Action Before August 2, 2026
The institutional scaffolding was due by August 2, 2025; August 2, 2026 is when the case load arrives, because that is when the high-risk obligations, the registration duties and the bulk of penalties become enforceable. Use the interval to make contact in the jurisdictions that matter most to you — many authorities run pre-enforcement dialogue, sandbox programmes and SME helpdesks precisely to reduce the first wave of formal proceedings. Verify that your incident reporting, registration and documentation workflows name the correct institutions with current addresses. And follow the biennial resourcing reports and Board coordination work, because where authorities are under-resourced, enforcement tends to be complaint-driven and headline-seeking — a pattern any compliance strategist will want to anticipate rather than discover.
Working With Authorities: Posture Matters
A final, practical observation drawn from adjacent regulatory regimes: outcomes with national authorities correlate strongly with the operator's procedural posture. Authorities applying the AI Act are building their own expertise under resource pressure, and they distinguish sharply between operators who respond completely and on time, and operators who contest every request into attrition. The former receive the benefit of proportionality judgments the regulation deliberately leaves open — corrective action periods, the choice between formal and informal resolution, the framing of findings. The latter become the cases authorities select when they need a public precedent. This does not mean conceding contested legal points; the appeal routes exist and should be used where classification or interpretation genuinely matters. It means separating cooperation on facts from contestation on law: deliver the documents, meet the deadlines, correct the trivial findings immediately, and reserve the fight for issues worth fighting. Organisations that internalise this distinction — and rehearse it before the first request arrives, with named owners and realistic retrieval drills — consistently report shorter proceedings and narrower findings. The AI Act gives national authorities formidable powers; it also gives well-prepared operators every procedural tool needed to keep encounters with those powers brief, bounded and survivable.
For smaller organisations, two further resources deserve a bookmark. Article 70 obliges Member States to provide guidance and advice on implementation, particularly to SMEs and start-ups, taking account of guidance from the Board and the Commission — meaning your national authority is required to be a help desk as well as an inspector, and asking it questions early is both free and strategically informative. And the single points of contact exist precisely so that an organisation unsure which of several national bodies owns its question can route it once and correctly; using that front door creates a paper trail of good-faith engagement that costs nothing and reads well in any later proceeding.
Check your AI compliance readiness — free.
Take the Readiness Check 3 minutes · 10 questions · no signup requiredThis article is for informational purposes only and does not constitute legal advice. Regulatory requirements change frequently — verify current rules with official sources. Built by Sawai Gyoseishoshi Office, Hiroshima, Japan.