With the formal adoption of the EU Artificial Intelligence Act, the framework for oversight and enforcement is now defined, and the timeline toward active penalties is set. The Act introduces a tiered system of administrative fines, reflecting the severity of violations and the scale of the organizations involved. Breaches of prohibited AI restrictions can incur penalties of up to EUR 35 million or 7% of global annual turnover, whichever is lower for small and medium-sized enterprises and higher for larger entities. Lesser infringements, such as failing to meet most operational obligations, carry fines up to EUR 15 million or 3% of turnover. Even supplying incorrect or misleading information to authorities can lead to fines of EUR 7.5 million or 1% of turnover. These penalties will apply from August 2, 2025, with obligations specific to General-Purpose AI Models (GPAIMs) enforceable from August 2, 2026.
Primary enforcement responsibilities will rest with national market surveillance authorities, operating under the framework of EU Regulation 2019/1020. These bodies will conduct compliance investigations and take enforcement actions across member states. However, the European Commission has established a dedicated AI Office, tasked with exclusive jurisdiction over GPAIM-related provisions. This office is empowered to request documentation necessary for compliance assessments and to monitor AI systems that integrate GPAIMs, particularly when the same provider develops both the model and the system.
The AI Office’s remit marks a significant expansion of the Commission’s investigative scope beyond competition law. Past competition investigations have demonstrated the Commission’s capacity to handle vast volumes of documentation, including draft versions, which it considers critical for revealing an organization’s “true intentions.” Such investigations have involved dawn raids, on-site inspections, and the seizure of documents. While AI enforcement may differ in procedural detail, it is expected that some of these rigorous practices will be mirrored in the AI Office’s approach.
The Act also defines boundaries for regulatory powers. Confidentiality provisions apply to all enforcement bodies, and providers retain procedural rights, including the right to be heard before decisions are made, except in emergencies. Unlike the Digital Markets Act (DMA) and Digital Services Act (DSA), the AI Act does not grant the Commission direct authority to conduct interviews or inspections unless it assumes the powers of national surveillance authorities. Furthermore, documents exchanged with external EEA-qualified lawyers, whether related to litigation or not, are protected from disclosure and cannot be used as evidence. Organizations can challenge Commission decisions and investigatory actions, a practice becoming more common.
For engineers and developers working on AI systems—whether in aerospace control algorithms, autonomous vehicle navigation, or industrial robotics—the implications are clear. Each stage of the AI lifecycle generates potentially relevant information, often in multiple iterations, which could be subject to regulatory scrutiny. The Commission’s historical emphasis on draft documents suggests that even preliminary technical schematics or early code versions could be examined for compliance intent.
Mitigation strategies begin with sensitizing all personnel involved in AI development and commercialization to the risks posed by regulatory investigations. Awareness of enforcement powers and documentation practices is essential. Equally important is the clear identification of communications with legal advisors that may be subject to privilege, noting that rules of privilege differ between EU-level proceedings and those at the member state level.
The AI Act’s enforcement structure reflects a balance between robust oversight and defined limits on investigatory reach. For industries integrating AI into high-stakes applications—such as aerospace flight control, autonomous drones, or precision manufacturing—the regulatory landscape will require careful alignment of technical processes with compliance frameworks. The interplay between national authorities and the AI Office will shape how these rules are applied, and the lessons from competition law enforcement provide a preview of the intensity and depth of potential investigations.