This article summarises publicly available guidance from regulators and official sources. It is general educational information only and does not constitute legal or professional advice. Requirements vary by jurisdiction. Consult your regional authority or a qualified professional for advice specific to your situation.
The EU AI Act doesn't have a single enforcement body the way GDPR has a data protection authority in each member state. Instead, enforcement is split across several different bodies, each responsible for a different slice of the Act, which makes "who would actually contact us" a genuinely useful question to have answered in advance rather than working out under pressure.
In short: The AI Office, part of the European Commission, handles general-purpose AI models with systemic risk at EU level. For almost everything else, day-to-day enforcement runs through your own country's national market surveillance authority, which supervises high-risk AI systems and investigates non-compliance. Notifying authorities and notified bodies handle pre-market conformity assessment for high-risk systems specifically.
The AI Office: EU-level, but narrow in scope
The AI Office sits within the European Commission and was established specifically to support coherent application of the AI Act across the EU. It prepares guidance, coordinates implementing tools, and investigates possible infringements, but its direct enforcement remit is narrower than its EU-wide profile suggests: it's primarily responsible for supervising general-purpose AI models with systemic risk, the small number of very large, capable foundation models rather than the AI tools most SMBs actually use or build. For most businesses, the AI Office is a source of guidance and standards, not the body likely to open an investigation.
National market surveillance authorities: the ones most businesses will actually deal with
The compliance lead at a 60-person EU software company had just found out its scheduling product might count as a high-risk AI system, and assumed a single EU-wide AI regulator would eventually get in touch, the way she was used to with GDPR's supervisory authority model. What she found instead is that day-to-day enforcement of the AI Act's rules for AI systems, including the prohibitions and the high-risk requirements, runs through market surveillance authorities designated by each member state. These authorities have the power to investigate, request documentation, data sets, and even source code, and to intervene when an AI system poses a risk or doesn't comply with the Act's requirements.
Which specific national body this is varies by member state and, in some countries, by sector, mirroring how existing product-safety regulators are often reused for this role rather than a brand-new AI-specific agency being created from scratch in every country. The practical step for any business with EU market exposure is identifying its own country's designated market surveillance authority for AI in advance, rather than discovering it for the first time during an actual inquiry.
Notifying authorities and notified bodies: pre-market, not post-market
A separate pair of bodies handles a different stage entirely. Notifying authorities designate and supervise notified bodies, independent organisations that carry out pre-market conformity assessment for certain high-risk AI systems, essentially checking a system meets the Act's requirements before it can be placed on the market. This is relevant primarily to businesses building or providing a genuinely high-risk AI system, rather than to businesses using one as an ordinary customer.
Working out who applies to you
For most SMBs using ordinary AI tools, writing assistants, scheduling software, general chatbots, none of these bodies are likely to have any reason to make contact, because the AI systems in question aren't high-risk in the first place. If your business does build, sell, or deploy a genuinely high-risk AI system, the practical order to work through is: check whether your product needs pre-market conformity assessment (notified bodies), identify your own country's market surveillance authority for ongoing compliance, and treat the AI Office as a source of EU-level guidance rather than your first point of contact.
Who actually imposes the fines
Fine-setting authority mostly sits with national market surveillance authorities and national data protection or competition bodies designated by each member state, acting within the penalty tiers set out in the Act itself. The AI Office's own enforcement powers, including the ability to investigate and fine, apply specifically to general-purpose AI model providers, again mostly relevant to the handful of large foundation-model companies rather than an ordinary SMB. This means the practical financial exposure for most businesses runs through the same national authority that would investigate a compliance concern in the first place, not a separate EU-level fining body.
One further wrinkle worth knowing: because national authorities designate their own AI enforcement bodies, a business operating across multiple EU countries can technically face scrutiny from more than one national authority if its AI system is used in several member states. In practice, EU-level coordination mechanisms exist to avoid duplicate investigations into the same conduct, but a genuinely EU-wide AI product should expect its compliance posture to be visible to more than one national regulator, not just the one in its home country.
Methodology (Real-World, Verified)
We test AI tools against real SMB workflows: the tasks a 20-person business actually uses AI for, not enterprise demos. Pricing is verified at the vendor's published rates, with local-currency conversions noted where relevant. Compliance notes reference the legislation and regulatory guidance relevant to each article's region. Every tool is judged on one question: could a business with no dedicated IT department actually pick this up and use it on Monday morning.
Related reading: our AI governance by region.
Is there one single EU regulator for the AI Act, like there is for GDPR?
No. Enforcement is split across the AI Office (EU-level, focused on general-purpose AI models with systemic risk), national market surveillance authorities (day-to-day enforcement in each member state), and notifying authorities/notified bodies (pre-market conformity assessment for high-risk systems).
Will the AI Office ever contact an ordinary SMB about AI Act compliance?
Unlikely. The AI Office's direct enforcement remit is focused on general-purpose AI models with systemic risk, a small category of very large foundation models, not the everyday AI tools most SMBs use or build.
Which body actually investigates AI Act non-compliance for most businesses?
Your own country's designated national market surveillance authority for AI. This body has the power to investigate, request documentation, and intervene where an AI system poses a risk or doesn't comply with the Act's requirements.
Do notified bodies matter if I only use AI tools rather than build them?
Generally no. Notified bodies handle pre-market conformity assessment for providers of certain high-risk AI systems. A business using an off-the-shelf AI tool as a deployer, rather than building or selling a high-risk AI system, doesn't typically interact with notified bodies directly.
The information in this article is general in nature. It reflects a summary of publicly available guidance and does not constitute legal, privacy, or professional advice. Your obligations will depend on your specific situation, jurisdiction, and business circumstances. Do not rely on this article as a substitute for qualified legal or professional advice.
Not sure whether your AI tool actually counts as high-risk in the first place? Check the risk tiers before working out who enforces what.
Check the Risk Tiers