European Union AI Governance Actors

Quick Assessment

Key Links

Overview

The European Union AI Governance Actors are the institutions, bodies, and regulated entities constituted under the EU AI Act (Regulation (EU) 2024/1689) to oversee, implement, and enforce AI regulation across all 27 EU member states. Adopted on June 13, 2024 and entering into force on August 1, 2024, the AI Act represents the world's first comprehensive statutory AI governance framework and establishes a layered structure of public authorities alongside defined obligations for private-sector participants across the AI value chain.

At the EU level, the European Commission—led by Commissioner for Digital Affairs Henna Virkkunen and supported by the Directorate-General for Communications Networks, Content and Technology (DG CNECT)—sits at the apex of the governance architecture. The European AI Office, established within the Commission in February 2024, holds exclusive competence over general-purpose AI (GPAI) models and acts as the central coordinator for the entire framework. Beneath this sit three advisory bodies—the European Artificial Intelligence Board, the Scientific Panel, and the Advisory Forum—alongside national competent authorities in each member state.

The governance structure is directly relevant to ongoing debates about AI governance and policy and intersects with broader questions about government regulation versus industry self-governance. Critics argue that the Act's risk classifications may be too rigid for rapidly evolving AI capabilities, and that enforcement fragmentation across member states risks replicating problems seen under the GDPR. Nonetheless, the framework represents the most detailed statutory attempt yet to define the responsibilities of everyone from AI developers to downstream deployers, and its influence on global standards—via what analysts call the "Brussels Effect"—is a subject of active research and debate. For a broader map of actors and power relationships in AI policy, see the AI Power and Influence Map.

History

The EU's engagement with AI governance stretches back to 2018, when the European Commission articulated a vision for AI policy organized around three pillars: investment in AI research, managing socioeconomic transitions, and establishing an ethical and legal framework aligned with European values.¹

In February 2020, the Commission published its White Paper on Artificial Intelligence: A European Approach to Excellence and Trust, which launched the consultation process that would eventually shape the AI Act.² Public consultations in 2020 revealed significant tensions between business stakeholders—who favored lighter regulatory touch to preserve innovation capacity—and NGOs, research institutes, and labor unions, who pushed for strong external oversight, mandatory explainability requirements for safety-critical systems, and prohibitions on certain AI applications.³

The Commission formally proposed the AI Act on April 21, 2021, structured around a risk-based classification system that would impose different obligations depending on the potential harm of each AI application. The Council of the EU adopted its common position in December 2022, and the European Parliament adopted its negotiating position in June 2023 with 499 votes in favor. Following intensive "marathon" trilogue negotiations, the EU Council and Parliament reached a provisional agreement on December 9, 2023.

A critical development during those final negotiations was the introduction of the European AI Office as a visible central authority. Initially, the governance design had involved only the Commission and an advisory AI Board; however, the trilogue process substantially expanded the proposed AI Office's scope from a GPAI-only oversight body to a broader coordinator of Act implementation. Simultaneously, negotiations nearly saw GPAI provisions gutted after objections from French and German technology interests and companies such as Mistral and Aleph Alpha, though GPAI obligations were ultimately retained with modifications.⁴

The Internal Market and Civil Liberties Committees voted 71-8 to approve the negotiated text in February 2024, and all 27 member states unanimously endorsed it. The European AI Office was formally launched on February 21, 2024 within DG CNECT. The Act was published in the Official Journal on July 12, 2024, and entered into force on August 1, 2024, with phased application through 2026–2027.

Key Activities and Governance Structure

The European Commission and DG CNECT

The European Commission retains ultimate legislative and policy authority over the AI Act's implementation. DG CNECT serves as the administrative home for both the European AI Office and broader digital policy instruments. Commissioner Henna Virkkunen, who took office in late 2024 as Executive Vice President for Tech Sovereignty, Security and Democracy, has signaled openness to adjusting implementation timelines—notably suggesting possible postponement of certain high-risk AI compliance deadlines to reduce regulatory burden on industry.⁵ The Commission launched the AI Pact (a voluntary early-compliance initiative) and the AI Act Service Desk to support organizations preparing for the Act's phased rollout.

The Commission also holds residual powers under flexible provisions of the Act, enabling it to issue implementing regulations, update prohibited-practice guidelines, and manage the broader digital policy ecosystem, including the Digital Services Act and data governance frameworks.

The European AI Office

The European AI Office is the Act's operational core. Established within the Commission but designed to function as an independent center of AI expertise, it holds:

• Exclusive competence over GPAI models (Chapter V of the Act), including the authority to investigate systemic risks posed by frontier models and to demand information from providers
• Market surveillance authority when an AI system and its underlying GPAI model are developed by the same provider
• Coordination functions with national competent authorities, facilitating information-sharing and consistent enforcement
• Norm-setting functions, including publishing Codes of Practice for GPAI providers and guidelines on the Act's provisions

GPAI obligations became effective on August 2, 2025, at which point the AI Office published the first Code of Practice for GPAI providers. In July 2025, the Commission separately published draft guidelines on GPAI provisions. The AI Office maintains a repository of AI literacy practices and has sought to provide simplified compliance pathways for SMEs. According to governance analyses, the AI Office's scope was substantially broadened during the December 2023 trilogue from its original GPAI-only mandate—a process described as driven by the need to reduce fragmentation that had previously plagued GDPR enforcement.⁶

Scientific Panel and Advisory Forum

The AI Office is supported by two specialized bodies:

• The Scientific Panel consists of independent AI experts who provide technical advice on risk assessment and implementation questions, including for GPAI model evaluations
• The Advisory Forum brings together diverse commercial and non-commercial stakeholders to represent a range of interests in governance design

The European Artificial Intelligence Board

The European Artificial Intelligence Board (AI Board) is composed of one high-level representative from each EU member state, plus a representative from the European Commission and the European Data Protection Supervisor (EDPS). Its primary role is advisory and coordinative: it advises the Commission and member states on consistent application of the Act, gathers technical expertise, issues recommendations on cross-border compliance issues, and facilitates dialogue between national authorities and EU-level institutions. The Board does not itself hold enforcement powers, but its outputs shape how national authorities interpret and implement the Act.

The European Parliament: ITRE, LIBE, and IMCO

The European Parliament does not hold ongoing enforcement authority under the AI Act, but its committee structure was central to shaping the legislation and retains oversight functions. Three committees were particularly involved:

• ITRE (Industry, Research and Energy) — focused on innovation, competitiveness, and the industrial policy dimensions of the Act
• LIBE (Civil Liberties, Justice and Home Affairs) — focused on fundamental rights, biometric surveillance, and migration-related exemptions
• IMCO (Internal Market and Consumer Protection) — focused on market access, operator obligations, and enforcement

The Parliament's two co-rapporteurs for the AI Act were Brando Benifei (S&D, LIBE) and Dragoș Tudorache (Renew, ITRE). Tudorache, who also chaired the Special Committee on AI in the Digital Age, has publicly discussed the challenge of balancing EU innovation goals against the Act's compliance architecture and the future trajectory of the AI Office.⁷ The Parliament has expressed frustration over the withdrawal of the proposed AI Liability Directive, which critics argue removed post-deployment accountability mechanisms that the AI Act itself does not fully provide.

Council of the EU and Member State AI Governance

The Council of the EU adopted its common position on the AI Act in December 2022 and formally adopted the final text in May 2024. At the national level, each member state was required to designate national competent authorities by August 2, 2025, including:

• Market Surveillance Authorities (MSAs): Responsible for enforcing compliance with the Act's prohibitions and high-risk system requirements, including conducting investigations, imposing corrective measures, and sharing non-compliance data with other member states
• Notifying Authorities: Responsible for designating and overseeing third-party conformity assessment bodies ("notified bodies") for pre-market assessments of high-risk AI systems

National implementation models vary considerably. Analyses identify several distinct patterns: some member states have anchored AI oversight in existing communications or cybersecurity regulators, others in data protection authorities, and a few have established dedicated AI-specific bodies. Notable national actors include:

• Germany — BSI (Bundesamt für Sicherheit in der Informationstechnik): Germany's Federal Office for Information Security, which has a substantial role in cybersecurity and is expected to take on AI market surveillance functions
• France — INESIA (Institut national de l'expertise et des essais sur les systèmes d'intelligence artificielle): France's designated AI supervisory body
• Spain: Has established a dedicated AI Supervisory Agency
• Italy and Hungary: Have designated market surveillance authorities, though Italy's model has been characterized as more government-influenced compared to independent models seen in smaller member states such as Lithuania and Luxembourg
• Netherlands: Has a distributed approach involving existing sectoral regulators

Governance analysts note that this diversity of national designs risks creating the same enforcement fragmentation that hampered GDPR implementation—a concern flagged in European Commission internal discussions.⁸

European Data Protection Board and Digital Services Coordinators

The European Data Protection Board (EDPB), which coordinates national data protection authorities, intersects with AI governance wherever AI systems process personal data—which encompasses a large share of high-risk AI applications. The EDPS specifically serves as the market surveillance authority for AI systems deployed within EU institutions and as a notified body for high-risk conformity assessments; it also sits on the AI Board.

Digital Services Coordinators (DSCs), designated under the Digital Services Act, are national authorities responsible for enforcing DSA obligations on online platforms. Where AI-driven content recommendation, moderation, or advertising systems are deployed by very large online platforms, DSCs have overlapping jurisdiction. The coordination mechanisms between DSCs, national AI market surveillance authorities, and the AI Office remain a developing area of governance architecture.

Standards Bodies: ENISA, CEN-CENELEC, and ETSI

Technical standards are a critical enabling layer for AI Act implementation. Three bodies play central roles:

• ENISA (EU Agency for Cybersecurity): Provides guidance on cybersecurity requirements for AI systems, which are relevant both to high-risk AI obligations and to GPAI model governance; ENISA contributes to threat assessments and supports the AI Office's capabilities evaluations
• CEN-CENELEC JTC-21: The primary standardization committee tasked with developing harmonized technical standards for high-risk AI systems under the AI Act. These standards will provide the concrete technical benchmarks against which conformity assessments are conducted. Delays in JTC-21's standards development have been a source of practical concern, with calls from some stakeholders for deadline postponements
• ETSI (European Telecommunications Standards Institute): Contributes particularly to standards relevant to telecommunications and network-connected AI systems

Harmonized standards developed by these bodies, once published and referenced in the Official Journal, create a presumption of conformity with the Act's requirements—making them de facto compliance instruments for the regulated industry.

Enforcement Chain

The AI Act's enforcement operates through a layered chain of authority:

1. European Commission — sets policy direction, adopts delegated and implementing acts, and hosts the AI Office. Exclusive competence over general-purpose AI models.
2. European AI Office — central coordinator for GPAI oversight, codes of practice, and cross-border cases. Supports member-state authorities and the AI Board.
3. Member-state notifying authorities — designate and oversee the conformity-assessment bodies (notified bodies) that certify high-risk AI systems before market placement.
4. Market surveillance authorities (MSAs) — the national regulators responsible for monitoring AI systems placed on the market, investigating complaints, ordering corrective action, and proposing fines.
5. National courts and the Court of Justice of the EU — adjudicate appeals against MSA decisions and rule on penalties. Fines up to €35 million or 7% of global turnover are enforced through national legal systems.

In parallel, the European Artificial Intelligence Board (member-state representatives), the Scientific Panel (independent experts on systemic-risk GPAI), and the Advisory Forum (stakeholder input) advise but do not hold enforcement powers.

Sources