The EU AI Act Is Law. Enforcing It Is a Different Problem Entirely.

The European Union's Artificial Intelligence Act is the kind of legislation that generates enormous fanfare at signing and then disappears into a quieter, harder second chapter. That chapter is enforcement, and it is where most of the interesting problems live.

The Act creates a tiered risk framework. Systems classified as high-risk, things like credit-scoring tools, hiring algorithms, and components of critical infrastructure, face conformity assessments, documentation requirements, and ongoing monitoring obligations before they can operate in the single market. Prohibited practices sit above that tier: social scoring by public authorities, real-time biometric surveillance in public spaces with narrow exceptions, systems that exploit psychological vulnerabilities. At the base, most AI applications carry only transparency obligations or nothing at all.

The architecture is coherent on paper. On the ground, the question of who actually investigates a violation is considerably messier.

Primary enforcement responsibility falls to national market surveillance authorities in each member state. The problem is that those bodies vary enormously in their technical capacity and political appetite for confronting large technology companies. A well-resourced authority in Berlin or Stockholm operates in a different reality from its counterpart in a smaller member state that may have a handful of staff covering all product safety regulation.

Above the national layer sits the European AI Office, established within the European Commission in Brussels. It holds authority over the most powerful general-purpose AI models, the foundation systems that underpin many downstream applications. That is a significant responsibility for a body that was still hiring key personnel well after the Act's provisions began phasing in. The Office can investigate, it can impose fines, but it depends on cooperation from national authorities and, in practice, from the companies themselves providing documentation that the Office cannot always independently verify.

Fines under the Act are calibrated to deter: up to 35 million euros or seven percent of global annual turnover for the most serious violations involving prohibited practices, lower ceilings for lesser infractions. Those numbers look large until you set them against the operating budgets of the companies most likely to be deploying frontier systems. For a major provider, a fine at the lower end of the scale is a compliance cost, not an existential threat.

There is also a deeper procedural challenge. Conformity assessments for high-risk systems are largely self-reported, with third-party auditors involved in some categories. The auditing ecosystem for AI is still maturing. Auditors are scarce. Standards that assessments are supposed to reference are still being developed by bodies like CEN and CENELEC. Regulators asking whether an algorithm meets requirements for accuracy, robustness, or non-discrimination are often working from criteria that were not fully specified when the system was deployed.

What this produces is a familiar pattern in European regulatory history. A framework that is genuinely ambitious and structurally sound in its design runs into a slow-motion implementation problem driven by resource asymmetries, jurisdictional complexity, and the pace at which technical reality outruns the vocabulary of law.

The single market has absorbed this dynamic before, in pharmaceutical regulation, in financial services after 2008, in data protection after the GDPR came into force. The pattern is roughly the same: years of uneven enforcement, a handful of high-profile cases that establish the outer boundaries, and a gradual normalisation as industry learns where regulators will actually push.

For the AI Act, that normalisation period has only just begun. The first serious enforcement actions will matter enormously, not for the fines they impose but for the interpretations they establish. Brussels wrote the architecture. The case law will build it out.