{"id":915,"date":"2025-10-22T09:30:19","date_gmt":"2025-10-22T09:30:19","guid":{"rendered":"https:\/\/naaia.ai\/news\/ai-act-flexible-governance-trust-artificial-intelligence\/"},"modified":"2026-06-02T13:54:17","modified_gmt":"2026-06-02T13:54:17","slug":"ai-act-flexible-governance-trust-artificial-intelligence","status":"publish","type":"post","link":"https:\/\/naaia.ai\/en\/ai-act-flexible-governance-trust-artificial-intelligence\/","title":{"rendered":"AI Act: The coordination of competent authorities at the national and European levels"},"content":{"rendered":"\n<p class=\"wp-block-paragraph\">The European regulation on artificial intelligence, better known as the <strong>AI Act<\/strong>, builds a true governance architecture articulated between a <strong>European coordination level<\/strong> and a <strong>national implementation level<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><br>The goal is to ensure the coherence of practices and the exchange of know-how among the Member States of the European Union. Each level has its own institutions and areas of action. Let us examine them, as well as the points of collaboration and convergence.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">The European level: strategic axis and pillar of overall coherence<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">At the top of the system, the <strong>European AI Office<\/strong>, attached to the <strong>European Commission<\/strong>, plays a leading role. Operational since February 2024, it drafts the delegated acts necessary for the implementation of the regulation, manages the database of high-risk AI systems, and supervises so-called \u201cgeneral-purpose\u201d models (GPAI). It acts somewhat like a central European regulator, guaranteeing the technical and legal coherence of the system.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Alongside it, the <strong>European AI Committee<\/strong>, whose first meeting will be held on <strong>August 2, 2025<\/strong>, brings together one representative per Member State. Its mission: to promote coordination among national authorities, share best practices, develop common guidelines, and support the Commission in interpreting the text.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Two advisory bodies complete this architecture: the <strong>Advisory Forum<\/strong>, which gathers stakeholders from the economic, academic, and civil society worlds, and the <strong>Independent Scientific Group<\/strong>, composed of recognized experts providing technical analyses of AI models and systems.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Finally, when AI is used directly by European institutions, <strong>supervision falls under the European Data Protection Supervisor (EDPS)<\/strong>, which acts as the competent authority.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Thus, this European level defines the <strong>strategic framework and overall coherence<\/strong>, while Member States ensure the <strong>operational implementation<\/strong> on the ground.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Member States: at the heart of local implementation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The national level is where concrete action takes place. Each Member State must, by <strong>August 2, 2025<\/strong>, designate a set of authorities and bodies responsible for applying the regulation within its territory.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Market surveillance authorities<\/strong> will verify the compliance of deployed systems, conduct investigations, and may order the withdrawal or update of a non-compliant system.<br><strong>Notifying authorities<\/strong> will be responsible for designating and monitoring the <strong>notified bodies<\/strong> in charge of certifying high-risk systems.<br>Finally, <strong>authorities or bodies for the protection of fundamental rights<\/strong> will intervene to prevent any infringement of privacy, non-discrimination, or public freedoms. The powers of such authorities are not concretely defined within the meaning of the regulation: <strong>national implementation laws<\/strong> will likely determine their powers and interactions.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Each country must also have a <strong>single contact point<\/strong> ensuring the link between national authorities and the European Commission to guarantee coherence of practices and information exchange. Note that the <strong>designated Single Contact Points<\/strong> are centralized and <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/market-surveillance-authorities-under-ai-act#1720699867912-2\" target=\"_blank\" rel=\"noopener\">published by the European Commission<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Focus on France: networked governance and shared expertise<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.entreprises.gouv.fr\/priorites-et-actions\/transition-numerique\/soutenir-le-developpement-de-lia-au-service-de-0\" target=\"_blank\" rel=\"noopener\">France has opted for a <strong>coordinated approach<\/strong><\/a>, relying on actors already experienced in digital regulation and consumer protection:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The government has entrusted the <strong>Directorate-General for Competition, Consumer Affairs and Fraud Control (DGCCRF)<\/strong> with the <strong>national coordination<\/strong> of the system as well as the <strong>function of Single Contact Point (SCP)<\/strong> with the European Commission.<\/li>\n\n\n\n<li>The <strong>Directorate-General for Enterprises (DGE)<\/strong> ensures the <strong>regulatory implementation<\/strong> of the AI Act and represents France in the European AI Committee. Two technical structures, <strong>ANSSI<\/strong> and <strong>PEReN<\/strong>, provide support to pool expertise in cybersecurity, technical evaluation, and standardization.<\/li>\n\n\n\n<li>The <strong>CNIL<\/strong> remains the <strong>reference authority<\/strong> for issues related to personal data protection and works closely with other actors to ensure respect for fundamental rights.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">Furthermore, France has established <strong>\u201ctype-based\u201d governance<\/strong>, where each authority is responsible for overseeing use cases falling within its domain of expertise.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Systems covered by Annex I<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Annex I<\/strong> covers products subject to European harmonization legislation: <strong>medical devices, machinery, connected toys, autonomous vehicles, radio equipment<\/strong>, etc. When one of these products integrates an AI component, the latter is automatically considered a <strong>high-risk AI system<\/strong>. In France, control falls under <strong>sectoral market surveillance authorities<\/strong>, coordinated by the DGCCRF.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">Systems covered by Annex III<\/h3>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Annex III<\/strong> groups eight main categories of high-risk uses, regardless of product type. These uses involve several French authorities depending on their nature:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table class=\"has-fixed-layout\"><thead><tr><th>Domain<\/th><th>Examples of AI systems<\/th><th>Competent authority<\/th><\/tr><\/thead><tbody><tr><td>Biometrics<\/td><td>Facial recognition, biometric categorization, emotion detection<\/td><td>CNIL<\/td><\/tr><tr><td>Critical infrastructures<\/td><td>AI systems for traffic, energy, or water management<\/td><td>HFDS of MEFSIN and MATTE<\/td><\/tr><tr><td>Education and vocational training<\/td><td>AI for evaluating or orienting students and learners<\/td><td>Education: CNIL<br>Vocational training: DGCCRF<\/td><\/tr><tr><td>Employment, workforce management<\/td><td>Automated recruitment, HR scoring<\/td><td>CNIL<\/td><\/tr><tr><td>Access and right to essential private and public services<\/td><td>Loan granting, insurance, social security<\/td><td>Financial services by financial institutions: ACPR<br>CNIL<\/td><\/tr><tr><td>Law enforcement<\/td><td>Predictive policing, image analysis for public security<\/td><td>CNIL<\/td><\/tr><tr><td>Border control<\/td><td>Risk analysis, behavioral detection<\/td><td>CNIL<\/td><\/tr><tr><td>Administration of justice<\/td><td>Decision-support systems for courts<\/td><td>Deployed or used by judicial authorities: Council of State, Court of Cassation, Court of Auditors<\/td><\/tr><tr><td>Democratic processes<\/td><td>Moderation or electoral influence systems<\/td><td>CNIL, Arcom<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">In addition, certain practices are <strong>strictly prohibited<\/strong> (Article 5 of the regulation), such as:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>The use of <strong>manipulative or subliminal techniques<\/strong> to influence a person\u2019s behavior;<\/li>\n\n\n\n<li>The <strong>exploitation of vulnerabilities<\/strong> linked to age or disability;<\/li>\n\n\n\n<li><strong>Illegal social scoring systems<\/strong>;<\/li>\n\n\n\n<li><strong>Real-time remote biometric identification<\/strong> for law enforcement purposes (except for specific exceptions).<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">For these cases, the <strong>DGCCRF<\/strong>, the <strong>CNIL<\/strong>, and <strong>Arcom<\/strong> share competence, depending on the nature of the risk: <strong>commercial manipulation<\/strong> (DGCCRF), <strong>personal data processing<\/strong> (CNIL), or <strong>information integrity<\/strong> (Arcom).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">National examples: diversity of governance models<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">While France relies on coordination and specialization, other Member States have adopted diverse governance models according to their institutional organization:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Luxembourg<\/strong> is preparing a <strong>more centralized system<\/strong>, based on a single law under adoption, aiming to concentrate supervision within a main authority.<\/li>\n\n\n\n<li><strong>Ireland<\/strong> has chosen a <strong>distributed model<\/strong>: fifteen competent authorities have been designated, which will eventually be coordinated by the <strong>National AI Office<\/strong>, supported by a <strong>national implementation committee<\/strong> operational since September 2025.<\/li>\n\n\n\n<li><strong>Spain<\/strong> has established a <strong>Spanish Agency for AI Supervision (AESIA)<\/strong>, which collaborates with the <strong>Spanish Data Protection Agency (AEPD)<\/strong>, the <strong>Bank of Spain<\/strong>, the <strong>CNMV<\/strong>, and several <strong>regional authorities<\/strong> specializing in biometric and fundamental rights issues.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This diversity reflects the <strong>flexibility granted to Member States<\/strong> to adapt the system to their administrative structures, while maintaining overall coherence through the coordination role of the <strong>European AI Office<\/strong> and the <strong>AI Committee<\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Implementation timeline: key dates to remember<\/h2>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>August 2, 2025<\/strong>: designation of notifying authorities, market surveillance authorities, and single contact points. However, most Member States have not yet designated their competent authorities.<\/li>\n\n\n\n<li><strong>End of 2025 \u2013 early 2026<\/strong>: first official designations of <strong>notified bodies<\/strong> for the certification of high-risk systems.<\/li>\n\n\n\n<li><strong>August 2, 2026<\/strong>: <strong>full application<\/strong> of obligations for high-risk systems as provided by the regulation.<\/li>\n<\/ul>\n\n\n\n<h2 class=\"wp-block-heading\">Toward governance built on trust<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The AI Act does not merely define obligations: it creates an <strong>institutional ecosystem<\/strong> designed to frame innovation while ensuring <strong>safety, transparency, and respect for fundamental rights<\/strong>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For companies, the key will be to <strong>anticipate compliance<\/strong>: identify the systems concerned, implement evaluation procedures, and establish early dialogue with competent national authorities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Strong, clear, and coordinated governance at all levels<\/strong> constitutes the foundation for <strong>trustworthy and competitive artificial intelligence in Europe.<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">At <strong>Naaia<\/strong>, we support organizations in establishing <strong>ethical, flexible, and compliant governance<\/strong> in the field of artificial intelligence.<br><a href=\"https:\/\/naaia.ai\/request-demo\/\"><strong>Contact our experts<\/strong> to help structure your <strong>European AI compliance strategy<\/strong>.<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The European regulation on artificial intelligence, better known as the AI Act, builds a true governance architecture articulated between a European coordination level and a national implementation level. The goal&hellip; <a href=\"https:\/\/naaia.ai\/en\/ai-act-flexible-governance-trust-artificial-intelligence\/\">Lire la suite<\/a><\/p>\n","protected":false},"author":2,"featured_media":914,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[46],"tags":[],"class_list":["post-915","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ai-governance-blog"],"_links":{"self":[{"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/posts\/915","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/comments?post=915"}],"version-history":[{"count":1,"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/posts\/915\/revisions"}],"predecessor-version":[{"id":2379,"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/posts\/915\/revisions\/2379"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/media\/914"}],"wp:attachment":[{"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/media?parent=915"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/categories?post=915"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/naaia.ai\/en\/wp-json\/wp\/v2\/tags?post=915"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}