The EU AI Office, established within the European Commission, is the primary EU-level body overseeing GPAI models and coordinating AI Act enforcement. This page explains its mandate, investigative powers, sanctions authority, and how it interacts with national market surveillance authorities.
What Is the EU AI Office?
The EU AI Office (formally: Office for Artificial Intelligence) is the EU-level body established within the European Commission to oversee the implementation and enforcement of the EU AI Act — with a specific mandate covering general-purpose AI (GPAI) models.
Unlike traditional EU agencies (such as ENISA or EBA), the AI Office is not an independent regulatory authority. It is structured as an administrative office within the Directorate-General for Communications Networks, Content and Technology (DG CONNECT). This structure gives it direct access to Commission resources and agenda-setting, but also means its enforcement decisions are technically Commission decisions subject to EU judicial review.
The AI Office was created early — established formally in February 2024, several months before the AI Act was published in the Official Journal (July 2024) and entered into force (August 2024). This early establishment was deliberate: GPAI regulation is time-sensitive given the pace of foundation model development, and the Commission wanted enforcement infrastructure ready before the most urgent obligations kicked in.
Legal Basis and Mandate
The EU AI Office's legal basis is Chapter VIII of the EU AI Act (Art. 64–68), supplemented by the Commission Decision of 24 January 2024 that formally established it.
Its core mandate covers three areas:
1. GPAI Model Oversight (Direct Enforcement)
The AI Office has exclusive EU-level competence for overseeing providers of general-purpose AI models. This includes:
- Monitoring compliance with Chapter V obligations (transparency, technical documentation, copyright compliance, energy efficiency reporting for systemic-risk models)
- Requesting and reviewing technical documentation from GPAI providers
- Conducting evaluations of GPAI models — including adversarial testing and red-team exercises — to assess capabilities and systemic risks
- Issuing alerts when a GPAI model poses systemic risk
- Imposing fines and corrective measures
2. Cross-Border Coordination (High-Risk AI Systems)
For high-risk AI systems, enforcement is primarily national. But the AI Office plays a key coordination role:
- Facilitating information exchange between national market surveillance authorities (MSAs)
- Handling cases where a non-compliant high-risk AI system circulates across multiple member states
- Providing technical expertise and guidance to national authorities
- Requesting joint investigations where cross-border impact is significant
3. Scientific and Technical Support
The AI Office operates a Scientific Advisory Board composed of independent AI experts (Art. 68). This board provides:
- Technical assessments of GPAI model capabilities and risks
- Advice on classification thresholds (e.g., the compute threshold for systemic-risk GPAI models)
- Input into the development of standards, codes of conduct, and evaluation methodologies
Investigative and Enforcement Powers
The EU AI Office has significant investigative powers over GPAI model providers, including:
Information Requests
The AI Office may request any information from a GPAI provider that it deems necessary for its oversight tasks (Art. 91). Providers must respond within the timeframe set by the Office. Failure to provide information, or providing false or misleading information, is itself a sanctionable offence.
Evaluations and Testing
The AI Office can request that a GPAI provider submit its model for evaluation, including:
- Capability assessments (identifying dangerous capabilities such as CBRN assistance, cyberattack facilitation, or manipulation at scale)
- Safety and alignment evaluations
- Adversarial testing / red-teaming
The Office can conduct evaluations itself, or commission them to qualified third parties or national authorities. The AI Act requires GPAI providers with systemic-risk models to provide access to their models for evaluation purposes.
On-Site Inspections
For systemic-risk GPAI models, the AI Office may conduct on-site inspections of the provider's facilities, with the assistance of national authorities in the member state concerned. Prior notice is generally required unless the Office has specific grounds to believe that prior notice would prejudice the investigation.
Interim Measures
Where there is an urgent risk, the AI Office can impose provisional interim measures to prevent serious and irreparable harm. These measures must be proportionate and are subject to review.
Fines
Fines are structured in three tiers:
| Violation | Maximum Fine |
|---|---|
| GPAI obligations non-compliance (Chapter V) | €15M or 3% global annual turnover |
| Providing incorrect/incomplete information | €7.5M or 1.5% global annual turnover |
| Systemic-risk GPAI obligations non-compliance | €30M or 6% global annual turnover |
| General violations applicable to all entities | €35M or 7.5% (prohibited practices) |
For SMEs and startups, the lower of the fixed amount or the turnover percentage applies. The AI Office must take into account the nature, gravity, duration, and consequences of the infringement, as well as cooperation levels shown by the provider.
The GPAI Code of Practice
A key instrument of the AI Office is the GPAI Code of Practice — a voluntary technical instrument, developed through a multi-stakeholder process, that translates the Act's Chapter V obligations into concrete implementation guidance.
The Code of Practice process began in October 2024, with the AI Office convening working groups of GPAI providers, academic researchers, civil society organisations, and national authorities. It covers:
- Transparency obligations for GPAI providers (training data summaries, capability documentation)
- Copyright compliance procedures
- Model evaluation methodologies for systemic-risk assessment
- Safety and security standards for systemic-risk GPAI models
Compliance with the Code of Practice creates a presumption of conformity with the corresponding Chapter V obligations. This is a significant benefit: providers who follow the Code can rely on it in enforcement proceedings rather than having to demonstrate compliance from scratch.
The AI Board
The AI Board (Art. 65) operates in parallel with the AI Office. It is composed of:
- One representative per EU member state (national supervisory authorities)
- A representative of the European Data Protection Supervisor (EDPS)
- A Commission representative (non-voting chair)
The AI Board's functions include:
- Issuing opinions and recommendations to the AI Office and Commission
- Coordinating national supervisory approaches
- Advising on the classification of AI systems and models
- Contributing to the development of standards and evaluation methodologies
The Board is an advisory and coordination body — it does not have direct enforcement authority. However, its opinions carry significant weight and the AI Office is expected to take them into account.
National Market Surveillance Authorities
For high-risk AI systems (not GPAI models), national market surveillance authorities (MSAs) are the primary enforcement bodies. Each member state must designate at least one MSA responsible for AI Act enforcement on its territory.
MSAs have authority to:
- Conduct market surveillance activities
- Request technical documentation and access logs from providers and deployers
- Order corrective measures (withdrawal, recall, restriction of market access)
- Impose fines under national implementing legislation
The AI Office coordinates with MSAs through the AI Board and through bilateral cooperation, but does not command them. Member states are responsible for resourcing and empowering their MSAs.
Practical Implications for GPAI Providers
If you are developing or deploying a general-purpose AI model accessible in the EU market, the EU AI Office is your primary regulatory counterpart. Practically, this means:
- Register and document proactively — the AI Office expects providers to have technical documentation ready before being asked. Scrambling to prepare documentation after an inquiry is not a strong compliance posture.
- Engage with the Code of Practice — participation in the GPAI Code of Practice process, and adoption of its provisions, creates a presumption of conformity and demonstrates good faith to the AI Office.
- Know your systemic-risk status — the current threshold for systemic-risk classification is training compute exceeding 10^25 FLOPs. If your model is close to or above this threshold, engage with the AI Office proactively about evaluation obligations.
- Prepare for evaluations — if you develop a GPAI model with systemic risk, you must be able to provide model access for evaluation. This requires technical infrastructure for controlled API access, adversarial testing cooperation, and documentation of red-teaming results.
- Monitor alerts and opinions — the AI Office publishes guidance, alerts, and opinions on its website. These are not binding regulations, but they signal enforcement priorities and interpretive positions that will shape investigations.
Official AI Act Compliance Deadline Calendar
Sources: Regulation (EU) 2024/1689 and the 2026 Digital Omnibus on AI.
| Obligation | Applies to | Original date | New date | Status | Countdown | Legal basis |
|---|---|---|---|---|---|---|
| Prohibited Practices (Art. 5) | All providers and deployers | | | active | — | AI Act Art. 5 |
| GPAI Rules (Chapter 5) | GPAI model providers | | | active | — | AI Act Art. 51-56 |
| High-risk AI — Annex III (standalone) | Providers of standalone Annex III systems | | | deferred | — | AI Omnibus 2026 Art. 6(2) |
| High-risk AI — Annex I (embedded) | AI embedded in Annex I regulated products | | | deferred | — | AI Omnibus 2026 Art. 6(1) |
| AI-Generated Content Marking | Providers of generative GPAI systems | | | active | — | AI Act Art. 50(2) |
| Regulatory Sandboxes | National competent authorities | | | active | — | AI Act Art. 57 |
Frequently Asked Questions
The EU AI Office is an office within the European Commission, established under Art. 64 of the EU AI Act. It is not an independent regulatory agency — it operates under the Commission's authority. It is headed by a Director and has a staff of around 140 officials. It was formally established in February 2024, before the AI Act entered into force, and began full operations in August 2024.
The EU AI Office has direct oversight and enforcement authority over providers of GPAI models (general-purpose AI models such as large language models). For high-risk AI systems and other AI systems covered by the Act, primary enforcement responsibility lies with national market surveillance authorities, not the AI Office. The AI Office coordinates with national authorities and handles systemic cross-border issues.
The EU AI Office can impose fines on GPAI model providers for: non-compliance with Chapter V obligations (up to €15 million or 3% of global annual turnover, whichever is higher); providing incorrect or misleading information to the Office (up to €7.5 million or 1.5% of global annual turnover); and for GPAI models with systemic risk, additional obligations can trigger fines up to €30 million or 6% of global annual turnover.
The AI Board (Art. 65) is the high-level advisory body composed of representatives of national supervisory authorities from all EU member states. It advises the Commission and the AI Office, coordinates national supervisory approaches, and issues opinions and recommendations. The AI Office implements; the Board advises and coordinates.