
EU AI Office: Role, Powers, and What It Means for AI Providers

Who is the EU AI Office, what enforcement powers does it hold under Articles 88–93, and what must AI providers do now to stay on the right side of it?

19 May 2026 · DILAIG

If you are building or deploying an AI system that touches the EU market, one institution now has the authority to demand your technical documentation, evaluate your model's capabilities, and impose fines directly against your company. That institution is the EU AI Office — and understanding how it operates is not optional for compliance professionals or AI executives.

This article explains what the AI Office is, what legal powers it holds, how it enforces the AI Act in practice, and what steps AI providers should take now to be prepared.

What Is the EU AI Office?

The EU AI Office was established by Commission Decision C(2024)1021 and operates as a body within the European Commission. This structural choice matters: the AI Office is not an independent regulatory agency like the European Central Bank or the European Securities and Markets Authority. It sits inside the Commission, reports to the Commission, and derives its regulatory authority from the EU AI Act rather than from a founding treaty article that would give it separate legal personality.

Its formal governance framework is set out in Articles 64 through 70 of the EU AI Act. The AI Office's mandate covers four broad areas:

  • GPAI model enforcement: Direct enforcement authority over general-purpose AI model providers under Articles 51–56 and the enforcement articles 88–93
  • Coordination of national authorities: Supporting and coordinating national market surveillance authorities across EU member states, which enforce the AI Act's high-risk AI system obligations
  • Standards and guidance development: Developing technical guidelines, contributing to harmonized standards, and publishing guidance on the application of the AI Act
  • EU-level regulatory sandboxes: Running regulatory sandboxes at the European level for cross-border AI innovation projects

One critical distinction applies to every AI provider reading this: the AI Office enforces obligations on GPAI model providers directly. For high-risk AI systems under Annex III, enforcement is handled by national market surveillance authorities in each member state — not by the AI Office. The AI Office plays a coordination and support role for Annex III enforcement, but the front-line enforcement body for, say, an AI-driven recruitment tool or a medical device AI system is the national authority in the country where the product is placed on the market.

Enforcement Powers: Articles 88–94

The AI Act grants the AI Office a set of enforcement tools that are substantial by EU regulatory standards. These are not merely advisory powers — they include the ability to compel the production of documents, evaluate model capabilities, and impose financial penalties directly.

Article 88: Information and Documentation Requests

The AI Office can request any information and documentation from GPAI model providers that it considers necessary to carry out its functions. This includes technical documentation, training data summaries, safety testing results, internal governance records, and incident reports. Providers must respond within the timeframes specified in the request.

This is in effect a subpoena-like power. Providers cannot refuse on the grounds of commercial sensitivity alone, though the AI Office is required to handle confidential business information with appropriate procedural protections. The practical implication: every document the AI Office might request should already exist in a structured, retrievable form. If it does not, producing it under time pressure significantly increases legal and reputational risk.

Article 89: Model Evaluations

The AI Office can conduct evaluations of GPAI models to assess whether they comply with their obligations under the AI Act. This includes requesting that a provider make the model available for testing, providing access to relevant documentation, and cooperating with the AI Office's appointed evaluators.

Model evaluations under Article 89 are triggered both by routine compliance monitoring and by specific concerns raised by national authorities, third parties, or the AI Office's own analysis. Providers should treat any Article 89 evaluation as a formal regulatory interaction requiring legal and technical preparation.

Article 90: Access to Model Weights and Source Code

For GPAI models that present systemic risk, the AI Office holds the extraordinary power to request access to model weights and source code. Article 90 establishes this as a proportionate measure subject to confidentiality protections — but the power exists and can be exercised.

This provision has no close parallel in prior EU digital regulation. It reflects the legislative view that the internal architecture of frontier AI models is itself a regulatory matter when those models present systemic risk. Providers of models above the 10²⁵ FLOPs training threshold should ensure they have legal and technical procedures for responding to an Article 90 request.

Article 91: Measures Against Systemic Risk GPAI Models

When the AI Office finds that a systemic risk GPAI model presents risks that are not adequately addressed, it can require the provider to:

  • Modify the model's capabilities
  • Restrict or suspend deployment in the EU market
  • Withdraw the model from the market entirely

These are among the most consequential enforcement powers in EU digital regulation. Requiring a commercial AI provider to modify or withdraw a product is a direct intervention in business operations of the highest order. Providers of frontier models should understand Article 91 as the ultimate backstop of the GPAI regulatory framework.

Article 93: Direct Fines Against GPAI Providers

The AI Office can impose fines directly against GPAI model providers without routing through national authorities. The fine structure is:

| Violation type | Maximum fine |
| --- | --- |
| Providing incorrect, incomplete, or misleading information | €15 million or 3% of global annual turnover (whichever is higher) |
| Failing to comply with an AI Office measure or request | €15 million or 3% of global annual turnover (whichever is higher) |
| Prohibited AI practices (Article 5) | €35 million or 7% of global annual turnover (whichever is higher) |

These figures apply to GPAI model providers specifically. For high-risk AI system providers, fines are imposed by national market surveillance authorities under national procedural law, with the same financial ceilings.

How an AI Office Investigation Works in Practice

Understanding the procedural sequence of an AI Office investigation helps providers prepare appropriate responses.

Step 1 — Trigger: An investigation can be triggered by a complaint from a national authority, a third-party report, an incident notification, the AI Office's own monitoring activities, or a targeted review of a specific model or category.

Step 2 — Information request under Article 88: The AI Office issues a formal request for documents and information. This request will specify the type of documentation required, the timeframe for response (typically 10 to 30 working days), and the legal basis.

Step 3 — Model evaluation under Article 89: If the information provided is insufficient or raises further concerns, the AI Office may initiate a formal model evaluation. This can involve independent technical assessors appointed by the AI Office.

Step 4 — Preliminary findings: The AI Office issues preliminary findings and provides the provider an opportunity to respond. This is a critical procedural step — providers should engage substantively with preliminary findings and provide detailed technical and legal responses.

Step 5 — Decision: The AI Office issues a formal decision, which may include measures under Article 91 or fines under Article 93. Decisions are subject to judicial review before the Court of Justice of the European Union.

Throughout this process, the provider's ability to produce structured, current, and accurate documentation is the single most important factor in the outcome.

The AI Safety Institute Network and International Cooperation

The AI Office does not operate in isolation. It works within a broader international framework of AI safety organizations, most notably through cooperation with AI Safety Institutes in the United Kingdom, the United States (via NIST), Japan, and other jurisdictions participating in the International Network of AI Safety Institutes.

This cooperation is operationally significant. Model evaluations conducted by the UK AI Safety Institute, for example, can inform AI Office assessments. Incident reports filed in one jurisdiction can trigger review in others. Providers operating globally should treat their compliance posture across jurisdictions as interconnected rather than siloed.

What Has the AI Office Published So Far?

The AI Office has been active in publishing guidance since its establishment. Key publications include:

  • The GPAI Code of Practice (July 10, 2025), which sets out the voluntary compliance framework for GPAI model providers and creates a presumption of compliance with Articles 53 and 55 when followed
  • General-purpose AI model guidance, covering the interpretation of key definitions including the FLOPs threshold and the classification of models presenting systemic risk
  • Regulatory sandbox framework guidance for cross-border AI development projects

Additional technical standards are being developed in cooperation with CEN-CENELEC, the European standardization bodies, and with the involvement of the AI Office's Scientific Panel under Article 68.

What This Means Strategically for AI Providers

The AI Office has the legal authority to demand your documentation, evaluate your model, and fine your company before any national court proceeding begins. The strategic implication is direct: your compliance documentation must be current, complete, and ready to produce at short notice.

For GPAI model providers, this means maintaining:

  • A current technical documentation package covering model capabilities, training data, safety testing, and governance procedures
  • An up-to-date copyright compliance policy and training data summary
  • Records of all internal safety evaluations and their outcomes
  • A documented governance structure with named responsible individuals

For high-risk AI system providers, the primary enforcement body remains the national market surveillance authority in your target market — but the AI Office can refer matters, coordinate investigations, and publish guidance that shapes how national authorities interpret the Act.

The AI Office's powers are not theoretical. The enforcement framework is in place, the Code of Practice is published, and the GPAI obligations have been in force since August 2025. Providers who have not yet structured their compliance documentation are operating without the protection that documentation would provide.

How DilAIg Helps You Stay Audit-Ready

DilAIg's 50-question audit generates the four mandatory compliance documents that any AI provider — whether subject to AI Office scrutiny or national market surveillance — needs to have in place: Technical Documentation (Annex IV), EU Declaration of Conformity, Fundamental Rights Impact Assessment (FRIA), and Transparency Notice.

When an Article 88 information request arrives, or when a national authority initiates a conformity assessment review, the question is not whether you are compliant in substance — it is whether you can demonstrate it in documents, immediately. DilAIg is built for that moment.

Start your compliance audit or contact us to discuss your situation.


FAQ: EU AI Office

Is the EU AI Office the same as a national data protection authority?
No. National data protection authorities (DPAs) enforce the GDPR. The AI Office is a Commission body that enforces GPAI obligations under the EU AI Act. The two have overlapping jurisdiction in some areas — particularly where AI systems process personal data — but they are distinct institutions with distinct legal mandates.

Does the AI Office enforce high-risk AI system obligations?
Not directly. For Annex III high-risk AI systems, enforcement is handled by national market surveillance authorities in each member state. The AI Office coordinates, supports, and issues guidance — but it does not directly conduct enforcement actions against high-risk system providers except where those systems also involve GPAI models.

Can the AI Office investigate a US-based company?
Yes, if that company provides a GPAI model that is placed on the EU market or used in the EU, it falls within the territorial scope of the AI Act under Article 2. The AI Office can issue information requests and model evaluations regardless of where the provider is incorporated.

What is the Scientific Panel and does it matter for providers?
The Scientific Panel under Article 68 advises the AI Office on technical matters, including model evaluations and threshold assessments. Its findings can influence AI Office decisions. Providers should follow Scientific Panel publications as leading indicators of AI Office interpretive positions.

How quickly must a provider respond to an Article 88 information request?
The AI Act does not set a fixed statutory deadline — the AI Office specifies the deadline in each request. In practice, requests have typically specified response windows of 10 to 30 working days. Providers should ensure their documentation is maintained in a state that allows rapid retrieval and production.

Can AI Office decisions be appealed?
Yes. AI Office decisions are subject to judicial review before the Court of Justice of the European Union under the standard administrative law framework applicable to Commission decisions.


Key Takeaways

  • The EU AI Office is a Commission body (not an independent agency) established by Decision C(2024)1021, with governance under Articles 64–70 of the AI Act
  • It has direct enforcement authority over GPAI model providers, including powers to request documents (Article 88), evaluate models (Article 89), access weights and source code (Article 90), require model modification or withdrawal (Article 91), and impose fines of up to €35M or 7% of global turnover (Article 93)
  • National market surveillance authorities — not the AI Office — enforce Annex III high-risk AI system obligations
  • An AI Office investigation follows a defined procedural sequence from information request to formal decision, with the provider's documentation quality determining the outcome at every stage
  • The AI Office cooperates internationally with AI Safety Institutes, meaning compliance posture across jurisdictions is interconnected
  • Providers who cannot produce structured compliance documentation on demand are exposed to the full enforcement sequence with limited ability to mitigate findings
