How Much Power Does the EU AI Office Actually Have?
On Aug. 2, the European Commission’s AI Office will gain three significant authorities. This includes the ability to demand documentation from the developers of the world’s most powerful artificial intelligence models, commission independent evaluations of those models (including access to source code), and impose fines of up to 3 percent of global annual turnover for noncompliance. These are among the most far-reaching regulatory powers any government has claimed over frontier AI—yet they have received surprisingly little detailed analysis.
The EU AI Act has been entering into force in phases since its passage in August 2024. Prohibitions on certain AI practices took effect in February 2025. Obligations for providers of general-purpose AI (GPAI) models became applicable in August 2025. The GPAI Code of Practice—signed by Amazon, Anthropic, Google, Mistral AI, OpenAI, and others—has been guiding voluntary compliance since then. But the AI Office’s formal enforcement powers under Section 5 of Chapter IX of the act do not apply until Aug. 2. Until that date, the office can engage informally with providers. After it, the office can compel.
The question facing the AI Office is how to use these tools. The choices it makes in its first months of enforcement will shape whether GPAI providers treat the Code of Practice as a serious compliance framework or a voluntary gesture, and whether the EU’s AI governance model is taken seriously by regulators elsewhere.
Three Graduated Powers
The act gives the AI Office three enforcement powers over GPAI model providers, designed to escalate in sequence.
The first is the power to request documentation and information (Article 91). The AI Office can require any GPAI model provider to hand over technical documentation, training data summaries, model reports, and other compliance materials. Providers that fail to respond, or that supply incomplete or misleading information, face fines under Article 101. This power is the foundation of the enforcement architecture. Without reliable information about what models can do and how they were trained, the AI Office cannot assess whether providers are meeting their obligations under Article 53 (for all GPAI models) or Article 55 (for models with systemic risk).
The second is the power to conduct evaluations (Article 92). Where information gathered under Article 91 is insufficient, or where the Scientific Panel issues a qualified alert about systemic risks, the AI Office can evaluate a GPAI model directly. It can appoint independent experts from the Scientific Panel to carry out these evaluations. Most significantly, it can request access to the model through APIs or other technical means, including source code. Providers must comply with these access requests or face fines. Before requesting access, the AI Office may initiate a structured dialogue with the provider to gather information about internal testing, safeguards, and risk mitigation procedures (Article 92(7)).
The third is the power to request measures (Article 93). When the AI Office identifies noncompliance or serious systemic risk, it can require a provider to take specific actions: comply with its obligations, implement mitigation measures, or, in the most extreme case, restrict the model’s availability on the market, withdraw it, or recall it. Before requesting measures, the AI Office may again initiate a structured dialogue with the provider (Article 93(2)). If the provider offers commitments during this dialogue to address a systemic risk, the European Commission can make those commitments legally binding and declare that no further action is needed (Article 93(3)). This mechanism closely resembles the commitments procedure under EU competition law, where companies offer behavioral remedies to resolve an investigation without a formal finding of infringement.
The Fining Power
Underpinning these three powers is Article 101, which authorizes the European Commission to impose fines on GPAI model providers. The maximum fine is 3 percent of the provider’s total worldwide annual turnover in the preceding financial year, or 15 million euros, whichever is higher. For providers that fail to comply with information requests under Article 91 or deny access for evaluations under Article 92, the maximum is 1 percent of turnover or 7.5 million euros.
These are substantial penalties by any measure. For a company like Alphabet, 3 percent of global turnover would exceed 9 billion euros. The fine levels are lower than the maximum penalties under the Digital Services Act (DSA; 6 percent of turnover) and the General Data Protection Regulation (GDPR; 4 percent), but the enforcement mechanism is structurally different: Fines on GPAI model providers are imposed by the commission directly, rather than by national regulators. This centralized enforcement model avoids the fragmentation that has slowed GDPR enforcement across 27 national data protection authorities, some of which have been criticized for underresourcing and inconsistent application.
The DSA Precedent
The closest precedent for how the AI Office might use its tools is the European Commission’s enforcement of the Digital Services Act against very large online platforms (VLOPs).
The DSA’s transparency and risk management obligations for VLOPs became applicable in August 2023. Within months, the commission opened formal proceedings against X (formerly Twitter) over suspected failures in content moderation, transparency reporting, and deceptive interface design. It subsequently opened proceedings against TikTok, AliExpress, Meta, and others. None of these early proceedings resulted in fines during the first year, but they established that the commission was willing to use its investigative powers promptly and against major platforms.
The signal mattered. Platforms that might have treated DSA compliance as a formality recalibrated when they saw the commission requesting information, publishing preliminary findings, and engaging in sustained dialogue about specific compliance failures. The AI Office faces a similar dynamic. GPAI providers are watching closely to see whether the office will use its Article 91 information request powers as a routine supervisory tool or hold them in reserve for exceptional cases.
There are important differences, however. The DSA team within the commission had direct experience from years of enforcing EU competition law and had access to a larger staff. The AI Office, by contrast, is significantly underresourced relative to its mandate. The unit responsible for overseeing GPAI models with systemic risk is small, and the pool of independent evaluators qualified to assess frontier models is thinner still. A recent report by Pour Demain found that the AI Office’s projected staffing and budget levels appear inadequate for the enforcement demands it will face, and recommended scaling the GPAI supervisory capacity to at least 160 staff by 2030.
The Digital Omnibus Complication
The Digital Omnibus Regulation, proposed by the European Commission in November 2025 and now advancing through trilogue, introduces additional complexity. The omnibus proposes to delay the application of high-risk AI system obligations from August 2026 to as late as December 2027, conditional on the readiness of harmonized standards and conformity assessment infrastructure.
This delay does not directly affect the AI Office’s GPAI enforcement powers under Articles 91 through 93, which apply to providers of general-purpose AI models rather than deployers of high-risk AI systems. The August 2026 enforcement date for GPAI provisions remains intact under the current omnibus text. The omnibus does, however, shift the AI Office’s responsibilities in other ways: It grants the office exclusive supervisory authority over AI systems built on GPAI models where the model and system are developed by the same provider, and over AI systems that constitute or are integrated into very large online platforms under the DSA. These additional responsibilities compound the resourcing challenge.
What the Sequencing Signals
The AI Office’s first enforcement actions will be watched as closely as the European Commission’s early DSA proceedings. Several sequencing choices will be particularly consequential.
The first question is whether the office begins with information requests under Article 91 before or shortly after Aug. 2. Issuing requests to all Code of Practice signatories, asking them to demonstrate how they are meeting their commitments, would establish a routine supervisory baseline. It would also surface gaps in code adherence early, before those gaps harden into accepted practice. The alternative, waiting until a specific compliance failure or systemic risk materializes, would signal that the office intends to act reactively rather than proactively.
The second question is how the office handles Code of Practice signatories differently from nonsignatories. The commission’s GPAI guidelines state that signatories will receive increased trust from the commission, while nonsignatories can expect a larger number of information requests and will need to provide more detailed information. If the office enforces this asymmetry visibly, it creates a tangible incentive for additional providers to sign. Meta, the most prominent nonsignatory among major GPAI providers, would face a clear choice: Join the code and accept the compliance framework, or remain outside and face heavier scrutiny.
The third question is whether the office uses the structured dialogue mechanism under Articles 92 and 93 to resolve early compliance concerns before they reach the fining stage. The commitment mechanism under Article 93(3), where providers offer binding commitments to address systemic risks in exchange for the commission declaring no further grounds for action, could become a powerful tool if used early and transparently. If the first structured dialogues produce meaningful commitments, they will demonstrate that the enforcement framework can generate substantive outcomes without years of litigation. If the dialogues produce vague assurances without binding force, providers will draw the obvious conclusion about the office’s appetite for confrontation.
The Credibility Window
The AI Office has spent its first year of existence in a collaborative mode, working with providers and stakeholders to develop the Code of Practice and publish implementation guidelines. That collaborative phase served its purpose. August 2026 marks a transition. The office will gain the legal authority to compel disclosure, evaluate models, and impose fines. Whether it uses those powers with the same deliberate pace the European Commission showed in early DSA enforcement, or defers to informal engagement in a way that strains credibility, will shape how GPAI providers calibrate their compliance investments for years to come.
Regulators in other jurisdictions are paying attention as well. The International Network for Advanced AI Measurement, Evaluation and Science, whose members include the EU, the United States, the United Kingdom, Japan, and South Korea, is developing shared approaches to evaluation methodology and documentation standards. If the EU’s enforcement framework produces useful, portable compliance information, regulators in other jurisdictions can build on it. If the framework produces paperwork that satisfies a legal requirement without generating actionable safety information, the EU will have spent its enforcement credibility on an exercise that benefits no one.
The tools are on the table. The question is whether anyone picks them up.
