EU AI Act enforcement begins with first compliance audits

European Union regulators have launched the first formal compliance audits under the EU AI Act, targeting major technology companies over alleged failures to meet transparency and documentation requirements — marking a watershed moment in global AI governance that industry analysts say could reshape how artificial intelligence is developed and deployed worldwide. The audits, conducted by newly empowered national market surveillance authorities across several member states, represent the most significant regulatory action against AI systems since the legislation entered into force.

What the Audits Cover and Who Is Being Targeted

Regulators are understood to be scrutinising a range of AI-powered products and services, with particular focus on systems that fall into the Act's "high-risk" classification — a legal category that triggers the most demanding compliance obligations under the legislation. These include AI tools used in employment screening, access to essential services, and law enforcement applications. Officials said the audits are examining whether companies have maintained adequate technical documentation, conducted conformity assessments, and implemented human oversight mechanisms as required by law.

High-Risk AI Systems Under the Microscope

Under the Act's framework, companies deploying high-risk AI must register their systems in an EU-wide database, make certain information available to users, and demonstrate that their models have been trained on data meeting minimum quality standards. Regulators have indicated that early findings suggest widespread inconsistencies in how firms have interpreted these requirements — particularly around the obligation to provide meaningful explanations of automated decisions to affected individuals. This concept, often described as "explainability," refers to the ability of an AI system to offer a comprehensible account of why it reached a particular conclusion, such as why a loan application was rejected or why a job candidate was filtered out.

For further detail on the regulatory framework underpinning these enforcement actions, see our earlier coverage of how EU regulators finalised AI Act enforcement rules ahead of the current audit phase.

Transparency and Documentation Failures

According to people familiar with the process, several firms under review have been unable to produce the full technical documentation required under Article 11 of the Act, which mandates detailed records covering an AI system's purpose, the data used to train it, its performance metrics, and the risk management measures applied throughout its development lifecycle. Regulators said incomplete documentation is among the most common preliminary findings across the audits conducted so far. MIT Technology Review has reported that even some of the largest technology companies found the documentation requirements more burdensome than anticipated, given the pace at which AI systems are typically updated and retrained.

The Enforcement Architecture: How the System Works

The EU AI Act establishes a layered enforcement structure that distributes regulatory responsibility between national authorities and a newly created EU AI Office based in Brussels. The AI Office holds primary oversight over general-purpose AI models — sophisticated AI systems capable of performing a wide range of tasks, such as large language models that power conversational AI assistants and content generation tools — while national market surveillance authorities handle enforcement for most other AI applications within their borders.

The Role of the EU AI Office

The AI Office, which became operational earlier in the current enforcement cycle, has the power to request technical documentation, conduct on-site inspections, and impose fines directly on providers of general-purpose AI models that pose systemic risks. Officials said the office is working in coordination with data protection authorities in member states where AI systems intersect with the processing of personal data — an area where the Act overlaps significantly with the General Data Protection Regulation, the existing EU privacy law that has already resulted in billions of euros in fines against major technology firms since its own enforcement began.

Readers tracking the trajectory of these enforcement actions may also wish to review our analysis of what happens as EU AI Act enforcement begins and first fines loom for non-compliant operators.

Industry Response and Compliance Costs

Major technology companies have publicly committed to compliance while privately lobbying for interpretive guidance on several provisions they describe as ambiguous. Trade associations representing US technology firms operating in the EU have argued that the speed of regulatory rollout has not allowed sufficient time for smaller vendors and startups to build compliance infrastructure — a concern that regulators have acknowledged but declined to use as grounds for delay.

According to Gartner's most recent enterprise technology survey, compliance costs for high-risk AI deployments are proving substantially higher than initial industry projections, with legal and technical adaptation budgets frequently revised upward once companies begin the process of mapping their AI systems against the Act's risk classification criteria. Wired has reported that several mid-sized AI vendors are considering whether to withdraw certain products from the EU market entirely rather than undertake the expense of full compliance certification.

The Global Ripple Effect

The EU AI Act's extraterritorial reach — which applies to any provider whose AI system's outputs are used within the EU, regardless of where the company is headquartered — means that the current enforcement activity has implications far beyond European borders. Legal experts and technology policy analysts have described the Act as potentially establishing a de facto global standard, in much the same way that the GDPR influenced privacy legislation in jurisdictions including Brazil, South Korea, and several US states.

The Brussels Effect in AI Governance

This phenomenon, sometimes referred to in policy circles as the "Brussels Effect," describes the process by which EU regulatory standards become the baseline for multinational corporations that find it more efficient to build a single compliance architecture than to maintain different product configurations for different markets. IDC analysts have noted that the AI Act may accelerate this dynamic more rapidly than previous EU technology regulations, given how deeply AI systems are integrated into global digital infrastructure. For context on how compliance costs are affecting US technology companies specifically, our reporting on how EU AI rules are increasing pressure on US tech giants provides additional background.

The United Kingdom, which developed its own AI regulatory approach following its departure from the EU, is also watching the enforcement phase closely. British regulators have signalled that they may draw on the EU's practical enforcement experience when refining their own framework, though the UK's current approach remains deliberately more flexible and principles-based than the Act's prescriptive requirements. Coverage of how the UK is tightening its AI regulation framework in response to EU developments provides useful comparative context.

What Comes Next for AI Regulation

Regulators have indicated that the current round of audits is primarily diagnostic — intended to establish a baseline understanding of compliance levels across sectors and to identify where guidance is most urgently needed — rather than immediately punitive. Officials said enforcement decisions, including formal findings and potential fines, are expected to follow after companies have been given an opportunity to respond to preliminary audit findings and submit remediation plans.

However, legal practitioners advising technology companies have cautioned against interpreting this measured approach as a signal that enforcement will remain lenient. The Act's fine structure — with maximum penalties that dwarf even those imposed under the GDPR in its early years — gives regulators considerable leverage, and officials in Brussels have repeatedly stated that the EU intends to use these powers where necessary to ensure meaningful compliance rather than superficial box-ticking. The question of what substantive enforcement will look like in practice is explored further in our coverage of how the EU AI Act is moving toward big tech fines as the regulatory cycle matures.

The coming months are expected to bring greater clarity on several contested areas of the Act's application, including precisely which AI systems qualify as general-purpose models subject to the highest tier of obligations, how the conformity assessment process will work in practice for healthcare and financial services AI, and how regulators intend to handle AI systems that are continuously updated — a common feature of machine learning products that sits in tension with the Act's static documentation requirements. Industry groups, civil society organisations, and national governments are all expected to contribute to ongoing guidance processes as the EU's AI governance architecture moves from legislative text to operational reality.