Only three EU member states have fully designated their AI Act national competent authorities. As of May 2025. Crunch time? More like panic stations.
Look, the EU AI Act kicked in August 2024, and member states had clear marching orders: pick your market surveillance authority, notifying authority, and fundamental rights enforcers. By August 2, 2025, for the first two. November 2024 for the rights protectors. Simple, right? Ha.
Spain went bold—spun up a shiny new Spanish Artificial Intelligence Supervisory Agency (AESIA) under its Digital Transformation Department. One-stop shop. Efficient, maybe. Finland? Decentralized mess: ten existing bodies, from energy watchdogs to medicine agencies. Pick your poison.
Why the AI Act’s Authority Hunt Feels Like Herding Cats
Member states get wiggle room. Designate new ones. Repurpose old. Whatever floats your bureaucratic boat. But here’s the rub: these bodies need independence, cash, tech, and staff. No bias. Art 70 spells it out. The Commission chats them up for best practices. Cute.
Yet, table time. Per the latest roundup:
As per the date this post was last updated, three Member States have designated both notifying and market surveillance authorities (‘clear’ in the table below). To our knowledge, ten Member States have pending legislative proposals or have appointed one competent authority (‘partial clarity’), whereas 14 Member States have yet to designate or establish any competent authority.
Unclear: 14. Partial: 10. Clear: 3. Fundamental rights? Hungary and Italy ghosting the list. Twenty-five others checked that box. The Commission’s got a live tracker. Still, gaps.
And Norway, Iceland, Liechtenstein? EEA hangers-on, observing AI Board meetings. Included for fun.
This isn’t just paperwork. Market surveillance authorities enforce product compliance—like the old 2019 reg. Notifying ones vet third-party certifiers. Rights enforcers? They poke high-risk AI systems (Annex III) for fundamental rights respect. Powers to demand docs. Within limits, sure.
But delays scream trouble. Remember GDPR rollout? 2018 chaos: fines started small, then exploded. Fines hit €2.7 billion by 2023. AI Act could dwarf that—prohibited systems up to 7% global turnover. High-risk non-compliance? €35 million or 7%. Who’s enforcing when no one’s designated?
Which EU Countries Are Lagging on AI Act Implementation?
Clear crew: three unnamed in the snippet, but you get it—early birds. Partial: ten with bills or half-measures. The foggy 14? Silence. Hungary, Italy on rights. Predict bold: enforcement lottery by 2026. Germany’s data protection overlords might stretch; France’s CNIL eyes expansion. But smaller states? Overloaded.
My unique hot take: this mirrors the GDPR patchwork, but worse. Back then, national DPAs varied wildly—some aggressive (Ireland, post-Facebook), others asleep. AI Act’s risk tiers demand harmony, yet national flavors persist. PR spin from Brussels? ‘Coordinated chaos.’ Reality: race to the bottom. Companies forum-shop weak enforcers. High-risk AI floods markets unchecked.
Spain’s AESIA sounds sexy. Centralized power. But will it have teeth? Finland’s ten-headed hydra—coordination nightmare. Bet on turf wars.
Deadlines whoosh by. August 2025 for competent auths. Most prohibited AI rules apply February 2025. GPAI obligations August 2026. High-risk staggered to 2027. Gaps now mean scramble later.
Does Decentralization Doom the AI Act?
But—plot twist—discretion’s baked in. Art 113(b). States tailor. Good? Flexibility beats one-size-fits-all. Bad? Fragmentation. Imagine pitching AI to 27 regimes. Compliance hell.
Corporate hype calls it ‘harmonized.’ Please. It’s a quilt of mismatches. Bold prediction: by 2027, we’ll see first mega-fines from proactive states like Netherlands or Sweden. Laggards play catch-up, beg EU aid.
Commission facilitates. Art 70(7). Observer states join chats. Noble. Insufficient.
Enforcement powers? Market surveillance: tried-true from product regs. Notifiers: assess cert bodies. Rights auths: Annex III scrutiny. All need infrastructure. Who’s funding? National budgets, strained.
Table 1 nails it:
| Status | National Competent (Art 28/70) | Rights Protectors (Art 77) |
|---|---|---|
| Unclear | 14 | 2 |
| Partial | 10 | – |
| Clear | 3 | 25 |
Fourteen unclear on the big ones. That’s Bulgaria to Slovakia, probably. Contribute info, they beg. Email away.
What Happens If They Miss the Deadlines?
Fines on states? Nah. But weak enforcement invites circumvention. US firms laugh—wait for clarity. Euro startups? Hamstrung.
Historical parallel: NIS Directive. Cyber rules, national twists. Patchy uptake. AI Act risks same—prohibited deepfakes, social scoring roam free in lax zones.
Dry humor alert: EU’s AI Board observes EEA trio. Like inviting neighbors to watch your house burn.
Deeper cut: high-risk lists evolve. Annex III dynamic. Authorities need agility. Newbies won’t have it.
Optimists say ‘work in progress.’ Critics—and me—say ticking bomb.
🧬 Related Insights
- Read more:
- Read more: EU AI Act Slams Staffing Firms: Deployers, Not Just Vendors, on the Hook
Frequently Asked Questions
What is the deadline for designating AI Act national authorities?
Competent authorities (market surveillance and notifying) by August 2, 2025. Fundamental rights enforcers listed by November 2, 2024.
Which EU countries have fully implemented AI Act authorities?
Only three as of May 2025—details sparse, but Spain’s AESIA leads the pack.
Will delays in AI Act implementation cause enforcement gaps?
Absolutely. Expect fragmented rules, forum-shopping, and slow fines—like GDPR’s rocky start.
