National Competent Authorities

Learning Objectives

By the end of this chapter, you will be able to:

Understand the structure and designation requirements for national competent authorities
Map authority powers across investigation, enforcement, and penalties
Prepare effectively for inspections and information requests
Navigate multi-authority structures in complex Member States
Develop a cross-border compliance strategy for pan-EU operations

Authority Framework Overview

The AI Act requires each Member State to designate national authorities responsible for enforcement. This creates a decentralised enforcement landscape where understanding local authority structures is essential for compliance.

Authority Types Required

Authority Type	Legal Basis	Primary Role	Key Activities
Notifying Authority	Article 28	Conformity assessment body oversight	Designate, monitor, and supervise notified bodies
Market Surveillance Authority	Article 74	AI system monitoring	Inspect, investigate, enforce compliance
Competent Authority	Article 70	General AI Act enforcement	Coordination, guidance, penalty imposition

Designation Requirements

Requirement	Article	Details
At least one authority	Article 70(1)	Minimum requirement per Member State
Adequate resources	Article 70(3)	Human, technical, and financial resources
Independence	Article 70(1)	Functional independence from external influence
Expertise	Article 70(3)	Competence in AI, fundamental rights, data protection
Notification to Commission	Article 70(2)	Inform Commission of designated authorities

Authority Powers (Article 74-77)

Information Access Powers

Power	Scope	Legal Authority
Document Requests	Technical documentation, conformity records, logs	Article 74(3)(a)
AI System Access	Access to AI systems, including source code where necessary	Article 74(3)(b)
Data Access	Training, validation, and test datasets	Article 74(3)(c)
Algorithm Access	Access to algorithms and processes	Article 74(3)(d)
Premises Access	Physical access to premises, data centres	Article 74(3)(e)
Personnel Interviews	Question relevant personnel	Article 74(3)(f)

Investigation Powers

Power	Description	Conditions
On-site Inspections	Unannounced or scheduled inspections	Proportionate to risk
Sample Collection	Obtain AI system samples for testing	Testing purposes
Expert Engagement	Engage external technical experts	Complex evaluations
Joint Investigations	Cross-border coordinated investigations	Multi-Member State issues
Third-Party Inquiries	Request information from value chain participants	Supply chain tracing

Enforcement Powers

Power	Article	Application
Corrective Measures	Article 79(1)	Order modifications to achieve compliance
Market Withdrawal	Article 79(2)(a)	Order removal from EU market
Product Recall	Article 79(2)(b)	Recall from deployers and end users
Prohibition	Article 79(2)(c)	Prohibit making AI system available
Warnings	Article 79(1)(a)	Formal warning to operator
Administrative Fines	Article 99	Financial penalties (see Chapter 3)

Expert Insight

Authorities increasingly use a "soft power" approach before formal enforcement—engaging in dialogue, issuing guidance, and allowing correction periods. However, don't mistake this for lenience; serious violations or non-cooperation will trigger full enforcement powers.

Authority Models Across Member States

Member States have adopted different models for implementing AI Act authority requirements:

Model 1: Centralised Authority

Structure	Examples	Characteristics
Single dedicated AI authority	Spain (AESIA), Netherlands (RDI)	Unified responsibility, clear accountability
Pros	Consistent approach, clear contact point, AI-specific expertise
Cons	May lack sectoral depth, resource constraints

Model 2: Existing Authority Extension

Structure	Examples	Characteristics
Extended powers to existing authority	France (CNIL extension), Ireland (ComReg)	Builds on established infrastructure
Pros	Existing expertise, established processes, cost-effective
Cons	AI may not be core focus, competing priorities

Model 3: Multi-Authority Coordination

Structure	Examples	Characteristics
Sectoral authorities with coordination	Germany (BNetzA + sectoral), Italy (multiple)	Sector-specific expertise
Pros	Deep sectoral knowledge, existing relationships
Cons	Coordination complexity, potential inconsistency

Authority Contact Directory (Selected)

Member State	Primary Authority	Sector-Specific	Contact Notes
Germany	Federal Network Agency (BNetzA)	BaFin (financial), BfArM (medical)	Multi-authority coordination
France	CNIL (data aspects)	ANSSI (cybersecurity), sectoral regulators	Building on GDPR infrastructure
Netherlands	RDI	ACM (consumer), DNB (financial)	Centralised with coordination
Spain	AESIA	CNMC (competition), sectoral	New dedicated AI agency
Italy	AgID	AGCM (consumer), CONSOB (financial)	Multi-authority model
Poland	Office of Electronic Communications	KNF (financial), sector-specific	Evolving structure
Ireland	ComReg	Central Bank, sectoral	Small authority approach

Preparing for Authority Engagement

Inspection Readiness Checklist

Category	Preparation	Documentation
Documentation	All technical documentation current and accessible	Organised file system
Access Protocols	Procedures for providing system access	Access credentials, NDAs
Personnel	Designated compliance contacts identified	Contact list, availability
Premises	Visitor protocols, secure areas identified	Access procedures
Response Team	Cross-functional team ready to respond	Escalation procedures
Legal Support	Legal counsel available for complex requests	External counsel on retainer

Information Request Response Framework

Stage	Timeline	Activities
Receipt	Day 0	Log request, notify compliance team, assess scope
Assessment	Days 1-2	Evaluate request scope, identify gaps, legal review
Coordination	Days 3-5	Gather information, verify accuracy, prepare response
Review	Days 6-7	Legal and management review
Response	By deadline	Submit response, retain copies, track follow-up

Common Information Requests

Request Type	Typical Content	Response Strategy
Technical Documentation	Annex IV documentation for high-risk AI	Provide current documentation
Conformity Evidence	CE declaration, conformity assessment records	Certified copies
Incident Reports	Serious incident documentation	Complete incident files
Testing Results	Validation and testing data	Summary and raw data
Training Data	Dataset descriptions, governance records	Metadata, samples if requested
Algorithm Information	Model documentation, decision logic	Balance transparency with IP

Compliance Note

Providing false, incomplete, or misleading information to authorities is a separate violation with its own penalty tier (€7.5 million / 1% turnover). Always verify accuracy before submitting and disclose any uncertainties.

Cross-Border Coordination

Mutual Assistance (Article 75)

Mechanism	Description	When Used
Information Exchange	Authorities share enforcement information	Cross-border AI systems
Joint Investigations	Coordinated investigations across Member States	Multi-territory violations
Enforcement Requests	Request another authority to take action	Operator in another Member State
Alert System	Notify other authorities of non-compliant AI	Market-wide concerns

Lead Authority Concept

For cross-border AI systems:

Scenario	Lead Authority	Coordination
EU establishment	Authority where provider established	Other affected authorities consulted
No EU establishment	Authority where authorised representative based	Coordinate with markets
Multiple markets	Authority designated by provider or first to act	AI Board coordination if disputes

Managing Multi-Jurisdictional Compliance

Strategy	Implementation	Benefit
Single compliance framework	Develop EU-wide compliance approach	Consistency, efficiency
Local adaptation	Adapt to specific Member State guidance	Address local expectations
Central coordination	Central team coordinates local engagement	Unified messaging
Authority mapping	Document relevant authorities per market	Clear engagement channels
Relationship building	Proactive engagement in key markets	Anticipate issues

Sector-Specific Authority Considerations

Financial Services AI

Authority	Role	Specific Concerns
National financial regulator (e.g., BaFin, AMF, FCA)	AI in financial services	Model risk management, algorithmic trading, credit decisions
ECB/SSM	Banking supervision	Significant institution oversight
ESMA	Securities markets	Cross-border financial AI

Healthcare AI

Authority	Role	Specific Concerns
Medical device authorities	AI as medical device	MDR compliance, clinical evaluation
Health ministries	Healthcare AI policy	Patient safety, clinical validation
National medicines agencies	AI in pharma	Drug development, pharmacovigilance

Telecommunications/Digital

Authority	Role	Specific Concerns
National telecom regulators	AI in networks	Network security, service quality
Data protection authorities	Data aspects of AI	GDPR intersection
Consumer protection authorities	Consumer-facing AI	Fairness, transparency

Enforcement Trends and Priorities

Expected Enforcement Focus Areas (2025-2026)

Priority Area	Why	Preparation
Prohibited AI practices	Highest risk, earliest deadline	Ensure no prohibited uses
High-risk AI without conformity	Core obligation, significant market	Complete conformity assessments
Missing transparency	Easy to detect, user-facing	Implement disclosure requirements
GPAI documentation gaps	AI Office active	Prepare Article 53 documentation
Rights-impact sectors	Political priority	Focus on employment, migration, justice

Enforcement Approach Indicators

Signal	Interpretation	Response
Guidance publication	Priority area, enforcement anticipated	Self-assess against guidance
Consultation launch	Authority developing approach	Participate, shape expectations
Sector sweep announced	Targeted enforcement coming	Priority preparation
First enforcement actions	Precedent-setting	Learn from cases
Cross-border coordination	Major initiative	Group-wide review