EU AI Act enforcement fracturing

The European Union’s AI Act is no longer a single Brussels rulebook on paper; it is becoming a patchwork of national enforcement systems. (eur-lex.europa.eu) (digital-strategy.ec.europa.eu) In the Netherlands, the government put its AI Act implementation bill out for consultation on April 20, 2026, and said oversight will be spread across multiple existing watchdogs rather than one new agency. The consultation runs through June 1, 2026. (rijksoverheid.nl) Pinsent Masons reported on April 23 that the Dutch plan would hand compliance oversight to 10 regulators. The Dutch government said the Dutch Data Protection Authority and the Digital Infrastructure Inspectorate would take coordinating roles. (pinsentmasons.com) (rijksoverheid.nl) That structure fits the AI Act itself. The law requires each member state to designate national competent authorities, including at least one market surveillance authority and one notifying authority, and it allows countries to appoint more than one to match local administrative structures. (iapp.org) (eur-lex.europa.eu) The European Commission still has a central role, but not for every case. The AI Office enforces rules for general-purpose AI models, while national authorities supervise most other AI systems inside their own borders. (digital-strategy.ec.europa.eu 1) (digital-strategy.ec.europa.eu 2) The timing matters because the AI Act is already taking effect in stages. Banned AI practices and AI literacy duties started applying on February 2, 2025, general-purpose AI model obligations started on August 2, 2025, and major rules for high-risk systems apply from August 2, 2026. (artificialintelligenceact.eu) (digital-strategy.ec.europa.eu) (autoriteitpersoonsgegevens.nl) That means companies may face more than one regulator for the same product or deployment. The International Association of Privacy Professionals said on April 21 that the AI Act and the General Data Protection Regulation follow different legal logics and create overlapping duties around impact assessments, special-category data and automated decision-making. (iapp.org) One example is paperwork before launch. Under the AI Act, some deployers of high-risk systems must complete a fundamental rights impact assessment, while the General Data Protection Regulation can separately require a data protection impact assessment when personal-data processing creates high risk. (iapp.org) The Dutch Data Protection Authority is already framing the law that way. On its AI Act page, it says existing laws such as the General Data Protection Regulation already protect people when AI processes personal data, but do not cover all AI risks, and it says preparation for the August 2, 2026 phase should start now. (autoriteitpersoonsgegevens.nl) Across the bloc, the picture is still uneven. The International Association of Privacy Professionals’ regulatory directory says member states were required to designate or establish national competent authorities by August 2, 2025, but the directory’s January 2026 snapshot shows designations still developing country by country. (iapp.org) So the AI Act’s next phase is not a single enforcement launch. It is a rollout through national agencies, sector by sector, with Brussels handling the biggest general-purpose models and domestic regulators handling the rest. (digital-strategy.ec.europa.eu) (rijksoverheid.nl)