What changed in this refresh
Officially confirmed The AI Office and national market surveillance authorities are the main enforcement actors under the AI Act, and each Member State must appoint one or more market surveillance authorities.
Readiness signal This page now separates official designations and enacted powers from market-readiness interpretation. Those are not the same thing.
Practical guidance Spain, Finland, and Ireland remain useful reference points, but they should be presented as different kinds of signals: legislation, designation, guidance, and sandbox practice.
The old framing drifted toward a ranking exercise — “which countries are ready?” — when the harder and more useful question is: what has actually been designated, enacted, or operationalised, and what remains interpretation?
What is officially confirmed at EU level
The Commission states that the AI Office and the national market surveillance authorities are responsible for implementing, supervising, and enforcing the AI Act. Each Member State must appoint one or more market surveillance authorities. That is the baseline. Anything more specific at national level should be attributed carefully to the underlying national or Commission source.
Country signals worth watching
Finland. Finland publicly announced that the national supervision laws and powers for authorities supervising the AI Act would take effect on 1 January 2026. That is a hard legislative signal, not just a policy aspiration.
Ireland. Ireland announced in September 2025 that it had designated 15 national competent authorities under the AI Act and planned a National AI Office as the central coordinating authority. That is a strong designation signal and should be described as such.
Spain. Spain remains important because AESIA and the Spanish sandbox work continue to provide some of the most practical implementation-facing material in the market. Treat Spain primarily as a guidance and sandbox signal, not as a shortcut for claiming a complete pan-EU enforcement template.
How to read this tracker correctly
- Designation signal: has a Member State officially designated authorities or passed supplementary powers?
- Operational signal: is there evidence of live processes, public guidance, sandbox activity, or enforcement preparation?
- Market signal: are organisations in that jurisdiction being given enough clarity to act?
Those are different things. Blending them into a single “ready / not ready” label creates false precision.
What this means for businesses
Do not wait for a perfect EU-wide master list to begin. Treat authority designation and national guidance as rising signals that the period of vague implementation excuses is ending. For SMEs, the immediate implication is simple: classify systems, document decisions, train staff, and assume that evidence requests will become more structured through 2026.
For a current-law planning view, read the August 2026 SME guide. For a classification first pass, use the 12-question Compliance Checker.
About the author: Abhishek G Sharma is the founder of Move78 International Limited. He holds ISO 42001 Lead Auditor, CISA, CISM, CRISC, and CEH certifications. He brings over 20 years of practitioner experience in cybersecurity, AI governance, and enterprise risk management.
Disclaimer: This analysis is for educational purposes only and does not constitute legal advice. Consult qualified counsel for binding compliance decisions. Last updated: March 2026.