One hundred days from now, the main operator provisions of Regulation (EU) 2024/1689 enter application. Most deployers in Europe do not yet know which national body will supervise their compliance. This tracker exists to answer that question for every Member State using the best available verified data as of 25 April 2026. Where the data is uncertain, this document says so.

Key takeaways

  • Article 70 required Member States to designate national competent authorities by 2 August 2025. The deadline has passed. Only Cyprus, Ireland, Italy, Lithuania, Malta, and Finland have completed or substantially completed formal designation as of April 2026.
  • Three further Member States, Luxembourg, Slovenia, and Spain, have designations pending final adoption, acknowledged by the European Commission's official list but not yet fully notified.
  • The remaining 18 Member States are in various stages of legislative drafting, public consultation, or have published no actionable proposals at all. Among these are France, Germany, and the Netherlands, three of the EU's largest economies.
  • Italy enacted the first dedicated national AI law in the EU on 10 October 2025, designating the National Cybersecurity Agency (ACN) as market surveillance authority and single point of contact.
  • The absence of a designated authority does not suspend AI Act obligations. Article 99 penalties apply from 2 August 2026 as Regulation law, and existing sectoral regulators retain interim oversight capacity in most Member States.
  • Deployers operating across multiple Member States face genuine multi-authority exposure. Even where the primary supervisor is in the deployer's home Member State, Article 74 enables affected-state authorities to coordinate enforcement and request information from the lead supervisor.
  • The penalty ceiling for deployer obligation violations under Article 99(2) is EUR 15 million or 3 per cent of worldwide annual turnover, whichever is higher. Every deployer should be able to identify the authority most likely to enforce that ceiling against them before 2 August 2026.

Why Member State implementation matters

The EU AI Act is a Regulation, not a Directive. That means it does not require transposition into national law to produce legal effect. From the dates specified in Article 113, the obligations it contains apply directly to providers, deployers, importers, and distributors throughout the EU without any intervening national act. Unlike GDPR, where national data protection laws were necessary to fill in specific fields, the AI Act's core requirements are self-executing.

What Member States must do, under Article 70, is not transpose the Regulation but designate the national bodies responsible for enforcing it. At minimum, each Member State must designate one notifying authority (responsible for overseeing conformity assessment bodies) and one market surveillance authority (responsible for enforcing the Act against providers and deployers in the market). Where multiple market surveillance authorities are appointed, one must be nominated as the single point of contact for coordination with the European Commission and the AI Office.

The enforcement consequences of this structure are direct. When a deployer in Paris deploys a high-risk AI system in an employment screening context, the authority that will conduct any enforcement inquiry is the French market surveillance authority, not the AI Office in Brussels. When that deployer expands to deploy the same system in Amsterdam, the Dutch authority becomes relevant in parallel. The legal standard is uniform across all 27 jurisdictions because it is set by a single Regulation, but the enforcement entity, its powers, its institutional culture, and its enforcement priorities vary by Member State.

Article 70(2) adds a further layer. For AI systems used in specific high-risk categories involving personal data, including biometric identification, law enforcement, and a number of employment and financial screening applications, data protection authorities are designated as market surveillance authorities. This means the GDPR supervisory structure is directly embedded into AI Act enforcement for the most sensitive use cases.

The penalty exposure routed through national authorities under Article 99(2) reaches EUR 15 million or 3 per cent of worldwide annual turnover for deployer obligation violations. A deployer who has not identified the relevant national authority, not consulted its published guidance, and not structured its compliance documentation with that authority's expectations in mind is operating with a material and avoidable exposure gap.

The implementation timeline

Regulation (EU) 2024/1689 entered into force on 1 August 2024. Its obligations have applied in three phases.

The first phase covered the prohibited AI practices in Article 5: social scoring by public authorities, real-time remote biometric identification in publicly accessible spaces for law enforcement purposes (with narrow exceptions), subliminal manipulation techniques causing harm, and exploitation of vulnerabilities of specific groups. These prohibitions applied from 2 February 2026. Enforcement inquiries into prohibited practices can begin from that date.

The second phase, activating on 2 August 2025, covered the obligations for providers of general-purpose AI models under Chapter V. These obligations apply to providers of foundation models and large language models placing systems on the EU market, and are supervised primarily by the AI Office within the European Commission. The codes of practice for high-capability models were developed during this period.

The third phase, activating on 2 August 2026, is the one most relevant to deployers of high-risk AI systems. From that date, the full set of provider obligations in Chapter III (Articles 9 through 17), the deployer obligations in Article 26, and the transparency obligations in Article 50 apply to the systems listed in Annex III. The penalty provisions of Article 99 become operative on the same date. This is the phase for which most organisations across the EU are preparing compliance programmes.

A further deferral applies to high-risk AI systems embedded in the regulated products listed in Annex I, including machinery, medical devices, aviation equipment, and toys. These systems face a final deadline of 2 August 2027.

Comparative status: all 27 Member States

The table below maps the designation status across all 27 Member States as of 25 April 2026. Status categories follow the European Commission's official market surveillance authority list and supplementary research from published national legislative proposals. Where no formal designation has been published and no reliable secondary source confirms a specific authority, the status is recorded as "Pending verification."

Note on methodology: The primary source for formal designations is the European Commission's official list of market surveillance authorities under the AI Act, last updated September 2025. Secondary sources include published national implementing bills, government programme declarations, and regulatory authority communications. This table is a snapshot as of April 2026 and will be updated as designations are confirmed. Omissions or corrections can be sent to the editorial desk via the contact page.

Member State Designated Authority Designation Status National Legislation Official Contact
Austria Pending verification. AI Service Desk established under RTR (Broadcasting and Telecommunications Regulator). Pending No implementing act enacted. Three advisory governance forums created (Advisory Board, Policy Forum, Stakeholders Forum). rtr.at
Belgium Belgian Institute for Postal Services and Telecommunications (BIPT/IBPT) proposed as primary market surveillance authority. FOD Economy coordinating. Proposed Government Declaration of 31 January 2025 designates BIPT. No implementing law enacted. Ethics Advisory Council on Data and AI established. bipt.be
Bulgaria Pending verification. Ministry of Electronic Governance identified as lead coordinator. Pending No implementing act enacted. 9 fundamental rights protection bodies designated. Pending verification
Croatia Pending verification. Central State Office for Digital Society Development identified as lead. Pending No implementing act enacted. Ministry of Justice designated 7 fundamental rights protection bodies. Pending verification
Cyprus Commissioner of Communications (ΕΠΙΤΡΟΠΟΣ ΕΠΙΚΟΙΝΩΝΙΩΝ). Formally notified to European Commission. Formally Designated Formal notification made to Commission. 3 fundamental rights bodies identified (subject to revision). mcit.gov.cy
Czech Republic Pending verification. 2 bodies designated for fundamental rights protection. Lead authority not yet confirmed. Pending No implementing act enacted. Revised national AI strategy adopted July 2024. Pending verification
Denmark Danish Agency for Digital Government (Digitaliseringsstyrelsen) designated as coordinating authority. Full MSA designation pending. Partial Implementing legislation pending parliamentary passage. Working group established September 2024. 7 fundamental rights authorities designated. digst.dk
Estonia Pending verification. Ministry of Economic Affairs and Communications and Ministry of Justice identified as leads. Pending No implementing act enacted. 3 bodies designated for fundamental rights protection. Pending verification
Finland Finnish Transport and Communications Agency (Traficom) as single point of contact. 10 sectoral authorities designated for market surveillance. Formally Designated Government Proposal HE 46/2025. National implementing acts entered into force 1 January 2026 following Presidential assent on 22 December 2025. traficom.fi
France No authority formally designated. Draft proposals include CNIL for 15 personal data AI use cases, plus 16 additional sectoral bodies. Overdue DGE draft designation published September 2025. Provisions subsequently withdrawn from parliamentary bill. No implementing law enacted. cnil.fr (interim guidance)
Germany Bundesnetzagentur (BNetzA) proposed as primary MSA and single point of contact. BfDI, BSI, and sectoral bodies for respective domains. Proposed Draft KI-Marktüberwachungsgesetz- und Innovationsförderungsgesetz (KI-MIG) in consultation as of October 2025. Implementing act not yet passed. bundesnetzagentur.de
Greece Pending verification. Ministry of Digital Governance identified as lead. 4 fundamental rights bodies designated. Pending No implementing act enacted. Pending verification
Hungary Minister for National Economy (primary MSA and single point of contact). National Accreditation Authority (NAH) as notifying authority. Hungarian National Bank for financial sector AI. Formally Designated Act LXXV of 2025 entered into force 1 December 2025. Hungarian Artificial Intelligence Council established for strategic oversight. kormany.hu
Ireland 15 national competent authorities including Data Protection Commission (DPC) and Central Bank of Ireland (CBI). National AI Office to coordinate by August 2026. Minister for Enterprise, Tourism and Employment as formal single point of contact. Formally Designated Distributed model announced 5 March 2025. Regulation of Artificial Intelligence Bill in 2025 Spring Legislative Programme. Ireland among first 6 Member States to designate. enterprise.gov.ie
Italy National Cybersecurity Agency (ACN) as market surveillance authority and single point of contact. Agency for Digital Italy (AgID) as notifying authority. Formally Designated Law No. 132/2025 entered into force 10 October 2025. First dedicated national AI law in EU. Coordination Committee at Presidency of Council of Ministers. acn.gov.it
Latvia Pending verification. Ministry of Economic Affairs proposed as notifying authority. 12 to 14 bodies proposed for market surveillance. Pending No implementing act enacted. Latvian National Accreditation Bureau designated for accreditation functions. Pending verification
Lithuania Communications Regulatory Authority (RRT) as market surveillance authority and single point of contact. Innovation Agency as notifying authority. Formally Designated Parliamentary amendments to Law on Technology and Innovation and Law on Information Society Services passed January 2025. AI regulatory sandbox established. rrt.lt
Luxembourg National Commission for Data Protection (CNPD) as primary market surveillance authority and single point of contact. CSSF for financial sector. Judicial Supervisory Authority for court AI. Pending Final Adoption National bill submitted designating CNPD. Acknowledged in Commission's pending list. Bill pending final parliamentary passage. cnpd.public.lu
Malta Malta Digital Innovation Authority (MDIA) as market surveillance authority and notifying authority. Information and Data Protection Commissioner for personal data AI systems. Formally Designated Formal designation completed. 10 fundamental rights protection bodies identified. MDIA has operated since 2018 under the Innovative Technology Arrangements and Services Act. mdia.gov.mt
Netherlands Five co-supervisors proposed: AP (data protection), RDI (digital infrastructure), ACM (consumer markets), AFM (financial markets), DNB (central bank). No single authority formally designated. Overdue AP and RDI published advisory to Minister of Economic Affairs in November 2025. EU AI Act Implementation Act expected to be laid before Parliament Q4 2026. autoriteitpersoonsgegevens.nl
Poland Commission for the Development and Safety of AI (KRiBSI) proposed as primary market surveillance authority. Minister for Digital Affairs as notifying authority. Proposed Draft Act on Artificial Intelligence Systems published June 2025. KRiBSI to include representatives from UOKiK, KNF, UKE, and KRRiT. Formal passage pending. Pending verification
Portugal Pending verification. Administrative Modernization Agency (AMA) and Ministry of Youth and Modernization identified as leads. 14 fundamental rights bodies identified. Pending No implementing act enacted. Pending verification
Romania Pending formal designation. Authority for the Digitalization of Romania (ADR) proposed as lead under draft national strategy. Overdue Draft bill Pl-x nr. 184/2025 registered in Senate March 2025, unapproved as of April 2026. National AI Strategy 2024 to 2027 published. Pending verification
Slovakia Pending verification. Ministry of Investment, Regional Development and Informatics identified as lead. 2 fundamental rights bodies designated. Pending No implementing act enacted. CERAI ethics commission established 2020. AISlovakia platform operational. Pending verification
Slovenia AKOS (Agency for Communication Networks and Services) proposed as market surveillance authority. Pending Final Adoption Acknowledged in Commission's pending list. Expert council establishment underway. 10 fundamental rights bodies designated. akos-rs.si
Spain AESIA (Agencia Española de Supervisión de Inteligencia Artificial) as primary market surveillance authority and single point of contact. Established September 2023 as autonomous public agency. Pending Final Adoption Acknowledged in Commission's pending list. AESIA has been operational since 2023 and has published guidance. Formal Commission notification pending. 12 fundamental rights bodies designated. aesia.es
Sweden Pending verification. Swedish Data Protection Authority (IMY) and Swedish Digitalization Authority (Digg) identified as likely co-supervisors. 4 fundamental rights bodies designated. Pending No implementing act enacted. Ministry of Finance as lead ministry. AI Council established to strengthen national competitiveness. imy.se

Status legend: Formally Designated = notified to Commission or equivalent formal act. Pending Final Adoption = acknowledged in Commission's pending list. Proposed = published in official government document but not legally enacted. Partial = one authority designated, remainder pending. Pending = no confirmed authority. Overdue = August 2025 deadline passed with no credible progress.

The five most-developed Member States

Italy

Italy holds a singular position in EU AI Act implementation. Law No. 132/2025, signed into law on 10 October 2025, made Italy the first EU Member State to enact dedicated and comprehensive national AI legislation complementing the Regulation. The law does not attempt to replicate the AI Act's requirements, which apply directly, but addresses areas the Regulation leaves to national discretion: sectoral rules for specific high-risk applications, governance of AI in the public sector, obligations for AI use in medical, legal, and media contexts, and the designation of national supervisory bodies.

The National Cybersecurity Agency (ACN) is designated as both market surveillance authority and single point of contact with EU institutions. This choice reflects Italy's view that AI risk is principally a cybersecurity and critical infrastructure concern rather than primarily a data protection matter. The Agency for Digital Italy (AgID) serves as notifying authority. A Coordination Committee at the Presidency of the Council of Ministers provides cross-government oversight. The Garante per la protezione dei dati personali retains its GDPR supervisory function and its Article 70(2) role as market surveillance authority for personal data-intensive AI use cases, operating in parallel with ACN.

Deployers in Italy should direct AI Act compliance enquiries to ACN for general high-risk AI matters and to the Garante for any system processing personal data in a high-risk context. ACN has begun publishing operational guidance for sectors identified in the national AI law, including healthcare and media.

Ireland

Ireland's implementation is notable for both its speed and its structural ambition. The government announced a distributed supervision model on 5 March 2025, designating 15 national competent authorities simultaneously rather than creating a single new body. The rationale was explicit: existing sectoral expertise should not be duplicated when it already exists within established regulators.

Ireland became one of the first six Member States to meet the designation milestone. The Data Protection Commission, which already supervises a substantial share of EU GDPR enforcement given the concentration of technology companies in Dublin, takes responsibility for AI systems involving personal data. The Central Bank of Ireland covers financial services AI. The Health Information and Quality Authority (HIQA) covers health sector AI. The Minister for Enterprise, Tourism and Employment is formally designated as the single point of contact for Commission notifications.

A National AI Office will be established by 2 August 2026 to coordinate the 15 authorities, host a regulatory sandbox, and provide technical expertise. The Regulation of Artificial Intelligence Bill was in the Spring 2025 Legislative Programme. Given Ireland's role as European headquarters for most of the world's largest AI system providers, the DPC's AI Act posture will have outsized practical significance for the European enforcement landscape.

Germany

Germany has made detailed proposals but has not completed formal designation. The draft KI-MIG (KI-Marktüberwachungsgesetz- und Innovationsförderungsgesetz) circulated for public consultation with a deadline of 10 October 2025. The draft designates the Bundesnetzagentur (Federal Network Agency, BNetzA) as the primary market surveillance authority, single point of contact, and operator of the national AI regulatory sandbox and the Koordinierungs- und Kompetenzzentrum KI-VO (KoKIVO).

The BfDI retains its role as the data protection authority and will function as a market surveillance authority for personal data-intensive high-risk AI systems under Article 70(2). The BSI (Federal Office for Information Security) retains oversight where AI systems intersect with cybersecurity obligations. Germany's federal structure means that Länder-level sectoral regulators will also play roles in specific domains. The BNetzA's designation as coordinating authority is designed to impose coherence on this distributed system.

Deployers operating in Germany face a genuinely complex authority landscape until the KI-MIG passes. The most practical approach is to treat the BNetzA as the likely primary contact for general AI Act matters and the BfDI for any AI system processing personal data, while monitoring the legislative progress of the implementing act.

France

France's implementation has been characterised by ambition in design and delay in execution. The Directorate-General for Enterprises (DGE) published a detailed draft in September 2025 proposing 17 market surveillance authorities, with CNIL designated for the 15 most significant AI use cases involving personal data. The CNIL published its own question-and-answer document on the AI Act's entry into force, confirming that it views AI oversight as central to its mandate and has established an internal AI division.

The political complication is that the designation provisions were withdrawn from the bill submitted to Parliament, leaving the September 2025 draft without legislative authority. As of April 2026, France remains without formally designated authorities more than eight months after the Article 70 deadline. The CNIL continues to operate as the de facto interim supervisory body for AI systems involving personal data, but its formal authority under the AI Act awaits a parliamentary act that has not yet been scheduled.

Deployers in France should treat CNIL as the most likely enforcement contact for personal data AI systems, monitor the legislative calendar for the designation bill, and maintain compliance documentation sufficient to respond to a CNIL inquiry under its existing GDPR powers while the AI Act designation remains pending.

Netherlands

The Netherlands has taken one of the most analytically thorough approaches to implementation while remaining formally undesignated the longest. In November 2025, the Autoriteit Persoonsgegevens (AP) and the Rijksinspectie Digitale Infrastructuur (RDI) published a joint advisory to the Minister of Economic Affairs recommending a five-authority co-supervision model: AP, RDI, ACM (consumer and market authority), AFM (financial markets authority), and DNB (central bank).

The Dutch government accepted the advisory framework in principle but the EU AI Act Implementation Act, the national legislative vehicle for formal designation, is not expected to be laid before Parliament until Q4 2026, well after the operator obligations have activated. The AP's Department for the Coordination of Algorithmic Oversight (DCA) functions as a practical coordination point in the interim. The AP has also published a consultation document on a national regulatory sandbox, expected to become operational by August 2026.

Deployers in the Netherlands are in an unusual position: the most likely enforcement authority is known (AP for personal data AI systems) and has published relevant interim guidance, but the formal designation giving it full Article 70 powers has not been made. The AP operates under GDPR powers in the meantime, which substantially overlap with the AI Act's requirements for personal data-intensive systems.

The cross-border deployer's reading guide

A deployer that operates AI systems in more than one Member State faces a structural compliance question that the AI Act does not resolve with complete clarity: which authority is your primary supervisor, and when does a second authority's role become active?

The general rule, derived from Article 70(3) and the market surveillance coordination provisions in Articles 74 and 75, is that a deployer's primary supervisor is the market surveillance authority of the Member State where the deployer is established. If the deployer is not established in the EU, the primary supervisor is in the Member State where the affected persons are located, or where the system has its most significant impact.

A secondary authority becomes active when a deployer's AI system affects persons in its territory. Under Article 74, where a national authority has reasonable grounds to believe that an AI system presents a risk and the system is being used in its territory, it may require the deployer to provide information, conduct a technical assessment, and take corrective measures. This can occur even when the deployer's primary supervisor is in another Member State.

Article 75 provides for mutual assistance between national authorities. An authority in one Member State can request investigatory action from an authority in another, and the requested authority is required to act within specified timeframes. This mechanism creates genuine multi-authority exposure for deployers whose systems operate across borders. A complaint filed in any Member State where the system is deployed can initiate a process that reaches back to the deployer's home authority.

For deployers with operations concentrated in one Member State, the practical implication is simpler: focus compliance investment on understanding the designated authority in that Member State, engage with its published guidance early, and maintain documentation that could be produced to a secondary authority if required. For deployers with genuinely pan-European deployment, a compliance programme that is defensible to the most demanding designated authority in the operating footprint will be adequate for all others, since the substantive standard is uniform.

The European Artificial Intelligence Board, established under Article 65, provides the coordination layer above the national authorities. Its role is non-enforcement: it provides opinions, recommends guidelines, and supports the Commission in developing delegated acts. But its outputs on the application of the classification rules and the documentation standards will be the reference documents that national authorities use when assessing deployer compliance. Monitoring Board publications and Commission implementing guidelines is part of the compliance infrastructure for any multi-market deployer.

What to do if your designated authority has not been finalised

For deployers in one of the 18 Member States that have not yet completed formal designation, the practical question is how to direct compliance investment and engagement in the absence of a formally designated counterpart.

The first step is to identify which existing sectoral authority most closely corresponds to the AI use case being deployed. In virtually every Member State, the data protection authority already has oversight capacity over AI systems involving personal data, derived from its GDPR mandate. For most high-risk AI deployers, this authority is the most likely interim enforcement contact.

The second step is to consult whatever interim guidance the likely authority has published. Several data protection authorities, including the German BfDI and the Dutch AP, have published AI-specific guidance documents that overlap substantially with AI Act requirements. CNIL has published detailed technical recommendations on AI systems developed with personal data. These documents represent the expectations of the bodies most likely to conduct early enforcement, even before formal designation is complete.

The third step is to maintain the minimum operator file described in Article 26 regardless of authority designation status. The AI Act obligations do not depend on formal authority designation. A deployer who holds a current risk record, an oversight register, a map of the instructions for use received from the provider, a logging schedule, and an incident protocol is in a defensible position regardless of which authority eventually conducts an inquiry. A deployer who has waited for formal designation to begin compliance work is not.

The fourth step is to subscribe to official channels from the likely supervisory authority. Most data protection authorities and digital regulators publish newsletters, consultation notices, and guidance documents. Designations, when they are completed, will be announced through these channels before they appear in secondary sources.

Finally, deployers in undesignated Member States should not interpret the absence of a formal authority as effective suspension of the AI Act. The European Commission retains oversight capacity, including through the AI Office, and has indicated that it will monitor Member State implementation progress. Cross-border coordination mechanisms remain available to fully designated authorities in other Member States. The risk of enforcement action does not wait for national designation to be complete.

Resources by Member State

The following are official publications from designated or proposed national authorities. Links are provided for verification and direct engagement.

Frequently asked questions

Which EU Member States have formally designated national supervisory authorities under the EU AI Act?

As of April 2026, three Member States have formally notified the European Commission of their market surveillance authorities: Cyprus (Commissioner of Communications), Italy (National Cybersecurity Agency, ACN), and Ireland (Minister for Enterprise, Tourism and Employment with 15 sectoral competent authorities). Lithuania, Finland, Malta, and Hungary have completed or substantially completed designation through national implementing legislation. Three further states (Luxembourg, Slovenia, Spain) have designations pending final adoption acknowledged by the Commission.

What is the Article 70 deadline for Member States to designate national competent authorities?

Article 70(1) of Regulation (EU) 2024/1689 required Member States to designate at least one market surveillance authority and one notifying authority by 2 August 2025. That deadline has passed. Most Member States are in breach of it. Deployers cannot treat the missed deadline as reducing their own compliance obligations, which run directly under the Regulation regardless of national designation status.

Which country was the first EU Member State to pass national AI legislation implementing the EU AI Act?

Italy enacted Law No. 132/2025, which entered into force on 10 October 2025, making it the first EU Member State to adopt a dedicated comprehensive national AI framework. The law designates the National Cybersecurity Agency (ACN) as market surveillance authority and single point of contact, and the Agency for Digital Italy (AgID) as notifying authority.

What is Germany's national authority for the EU AI Act?

Germany's draft implementing act (KI-MIG) proposes the Federal Network Agency (Bundesnetzagentur) as primary market surveillance authority and single point of contact. The BfDI covers data protection-related AI oversight. The implementing act had not passed Parliament as of April 2026 and formal designation remains pending.

What is France's supervisory authority structure for the EU AI Act?

France has not formally designated its authorities. A September 2025 DGE draft proposed 17 authorities including CNIL for 15 personal data use cases, but those provisions were withdrawn from the parliamentary bill. CNIL continues to publish guidance and operates as the practical interim contact for AI systems involving personal data.

How does the EU AI Act apply to deployers operating in multiple Member States?

The deployer's primary supervisor is in the Member State where it is established. Secondary authorities in other states where the system operates can initiate their own market surveillance activities under Article 74 and can request cooperation from the primary supervisor under Article 75. Cross-border deployers must maintain compliance documentation sufficient to respond to any authority in any jurisdiction where their system is deployed.

What penalty exposure do deployers face if their Member State has not designated a supervisory authority?

Article 99 penalties apply from 2 August 2026 as Regulation law regardless of whether the Member State has completed designation. Existing sectoral regulators hold interim oversight capacity. The absence of a formally designated authority does not suspend enforcement risk. The European Commission also retains reserve oversight capacity where national enforcement is absent.

What is Ireland's approach to EU AI Act implementation?

Ireland adopted a distributed model on 5 March 2025, designating 15 national competent authorities from existing sectoral regulators including the DPC and Central Bank. A National AI Office will coordinate by 2 August 2026. Ireland was among the first six Member States to designate and was an early mover in the European implementation landscape.

What national AI Act implementing legislation has Hungary passed?

Hungary enacted Act LXXV of 2025 on 1 December 2025. The Act designates the Minister for National Economy as primary market surveillance authority, the National Accreditation Authority (NAH) as notifying authority, and the Hungarian National Bank for financial sector AI. It also establishes a Hungarian Artificial Intelligence Council for strategic governance.

What should deployers do if their Member State has not yet designated a national supervisory authority?

Identify the sectoral authority most likely to exercise interim oversight (usually the data protection authority for personal data AI). Consult its published guidance. Maintain the minimum Article 26 operator file. Subscribe to official channels for designation announcements. Do not interpret the absence of a designated authority as suspension of AI Act obligations.

Related reading

For a cross-border country-specific regulatory tracker tool, see the Regulatory Tracker on agentliability.co.

Footnotes and source verification

  1. Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence, OJ L, 2024/1689.
  2. Article 70(1), Regulation (EU) 2024/1689: designation deadline of 2 August 2025.
  3. European Commission, Market Surveillance Authorities under the AI Act (continuously updated): digital-strategy.ec.europa.eu. As of September 2025 update cited in this article: Cyprus (Commissioner of Communications), Italy (ACN), Ireland (Minister for Enterprise) formally notified. Luxembourg, Slovenia, Spain pending final adoption.
  4. EU Artificial Intelligence Act portal, Overview of all AI Act National Implementation Plans: artificialintelligenceact.eu. As of May 2025 snapshot: 3 states with clear designation, 10 partial, 14 unclear.
  5. Italy: Law No. 132/2025, entered into force 10 October 2025. Source: Norton Rose Fulbright, "Italy enacts Law No. 132/2025 on Artificial Intelligence": nortonrosefulbright.com.
  6. Italy ACN designation: Article 20, Law No. 132/2025. Analysis: Cleary Gottlieb, "Italy Adopts the First National AI Law in Europe Complementing the EU AI Act": clearygottlieb.com.
  7. Ireland: DETE announcement, 16 September 2025, "Ireland leads the way in EU AI regulation": enterprise.gov.ie.
  8. Ireland distributed model: Matheson, "Ireland Adopts Distributed Model for AI Oversight": matheson.com.
  9. Ireland National AI Office: Technology's Legal Edge, "Ready, set, regulate": technologyslegaledge.com.
  10. Germany KI-MIG: Simmons + Simmons, "Germany's Implementation Act for the EU AI Act": simmons-simmons.com. Pinsent Masons: pinsentmasons.com.
  11. France DGE draft: MIAI, "EU AI Act Implementation: France Still Without Designated National Competent Authorities": ai-regulation.com.
  12. CNIL Q&A on EU AI Act: cnil.fr.
  13. Netherlands AP/RDI advisory (November 2025): Autoriteit Persoonsgegevens, Department for Coordination of Algorithmic Oversight: autoriteitpersoonsgegevens.nl.
  14. Netherlands implementing act timeline (Q4 2026): Regulations.AI, Netherlands AI Regulation Overview: regulations.ai.
  15. Hungary Act LXXV/2025: CMS, "Hungary implements institutional framework for EU AI Act" (November 2025): cms-lawnow.com.
  16. Lithuania designation: Parliamentary amendments, January 2025. RRT and Innovation Agency. Source: AICR Consulting summary and Ministry of the Economy and Innovation: eimin.lrv.lt.
  17. Luxembourg CNPD: Arendt, "New Luxembourg bill designates national authorities under the AI Act": arendt.com. Pinsent Masons: pinsentmasons.com.
  18. Spain AESIA: Established September 2023 as autonomous public agency. Acknowledged in Commission pending list. EU AI Act portal, artificialintelligenceact.eu national plans.
  19. Belgium BIPT: Government Declaration of 31 January 2025. BIPT AI Act guidance page: bipt.be.
  20. Finland: Government Proposal HE 46/2025. Presidential assent 22 December 2025. Finnish Government announcement: valtioneuvosto.fi.
  21. Poland KRiBSI: Draft Act on AI Systems, June 2025 revision. Source: blog.ai-laws.org, "Unfinished Architecture? Poland's Draft Act on AI Systems": blog.ai-laws.org.
  22. Romania: No formal designation. Draft bill Pl-x nr. 184/2025. EuroCloud analysis: eurocloud.org.
  23. Malta MDIA: formally designated. MDIA established under Innovative Technology Arrangements and Services Act. Source: EU AI Act portal national plans.
  24. Articles 74 and 75, Regulation (EU) 2024/1689: cross-border market surveillance coordination mechanisms.
  25. Article 99(2), Regulation (EU) 2024/1689: EUR 15 million or 3 per cent of worldwide annual turnover for provider and deployer obligation violations.