On May 8, the European Commission published draft guidelines on AI transparency obligations. Eighty-six pages covering how companies must disclose when users are interacting with AI, how deepfake content must be labelled, and what emotion recognition systems must tell the people they’re scanning. A targeted consultation runs until June 3. The obligations themselves apply from August 2.

Someone has to read those pages. Process them, develop enforcement positions, and then act. Starting in eleven weeks. That someone is the network of national AI market surveillance authorities that EU member states were required to designate and empower by August 2025. What we actually know about their collective readiness is surprisingly thin. Almost nobody’s asking.

The EU AI Act goes into full effect on August 2, 2026. Companies deploying AI in high-risk categories (employment screening, credit scoring, critical infrastructure and law enforcement) face hard legal obligations from that date: conformity assessments, technical documentation, post-market monitoring and human oversight mechanisms. The fines run up to 35 million euros or 7 percent of global annual turnover.

The enforcement structure splits along two tracks. The AI Office in Brussels supervises general-purpose AI model providers: OpenAI, Google, Mistral and their peers. Its formal enforcement powers over those providers activate on August 2. Everything else falls to national market surveillance authorities. Hiring tools. Medical devices. Biometric systems used in workplaces or public spaces. The credit-scoring algorithm that just turned down someone’s mortgage. National authorities receive the complaints, request the documentation, demand source code if needed, order products suspended and impose fines. Their jurisdiction covers the vast majority of AI systems that ordinary people in the EU will actually interact with.

The Omnibus agreement, reached May 7, softened some provisions: regulatory sandbox deadlines moved, some high-risk thresholds narrowed. But the core enforcement timeline for national authorities didn’t shift. August 2 is still August 2. And the transparency guidelines published the following day, with eleven weeks on the clock, are one of several major documents national authorities are expected to absorb and act on before that date.

Here’s what enforcement actually involves. A complaint arrives. A job applicant says they were screened out by an AI system that never disclosed itself as AI.

The authority has to decide whether the system qualifies as high-risk at all.

Then, whether the deployer met its transparency and oversight obligations.

Then, whether what the provider put in their technical documentation is actually true.

If there’s doubt, the authority can demand source code, training data and system logs, order the system suspended while the review runs, and coordinate with other member states if the provider is headquartered elsewhere. The whole process is expensive, technically demanding and slow.

The people who can do this well are not easy to find. Reading a conformity assessment and spotting the gaps, assessing whether a risk management system has been genuinely implemented or just documented, telling the difference between a human oversight mechanism that works and one that’s been written up to look like it does. That skill set lives in law firms, consultancies and the AI companies that national authorities are supposed to regulate. Civil service pay in most EU member states doesn’t compete. Authorities have been dealing with this since designation began. Several borrowed staff from data protection offices. Some contracted out technical assessments. The IAPP’s EU AI Act Regulatory Directory and national implementation plan tracker document significant variation in how member states approached the task, from dedicated new units with genuine technical capacity to existing sector regulators handed new responsibilities without additional resources.

What nobody has published is a clear picture of whether that variation means some authorities are ready and others are not. The Commission hasn’t said. Member states haven’t volunteered it. The designation requirement was met, in a formal sense, by the August 2025 deadline. What designation looks like in practice varies enormously. Headcount, expertise levels, internal procedures: none of that is standardised, and most of it isn’t public.

The Omnibus amendments added interpretive work that didn’t exist three months ago. Which products now fall outside the high-risk scope under the narrowed definitions? What does “assistive rather than determinative” mean for a hiring tool that filters applications before any human sees them? Authorities developing enforcement positions will need answers. The answers will matter enormously to the companies that receive the first complaints.

Two years of AI Act coverage have focused almost entirely on whether industry is ready. That’s understandable. The obligations are real, and the compliance costs are significant. But regulator readiness has barely come up, not just in press coverage but in the policy conversation itself.

It matters practically. Enforcement credibility shapes compliance behavior. Companies that believe national authorities will spend 2026 developing guidance rather than taking cases will make different investment decisions than companies expecting active scrutiny. If the first years of enforcement are quiet, not because violations are rare but because capacity is thin, the Act’s market effect will be substantially weaker than the Commission intends. The uncertainty itself is a problem. We don’t know enough about national authority readiness to know whether enforcement will be credible. And without that knowledge, neither does industry.

The first enforcement actions, whenever they come, will answer the question. Authorities building track records tend to start with cases they can win: clear violations, clear evidence, and unambiguous high-risk classification. The technically complex ones will wait. Providers with arguable scope claims and good legal teams will make sure of that.

What to watch: which national authority moves first, and in what sector. How quickly matters, too. That will tell us more about enforcement reality than any implementation plan or guidance document. August 2 is the start of that answer, not the end of the question.

NOT ADVICE

The information is intended to be helpful but is in no way a substitute for seeking professional advice for your specific situation or intent. This applies to business, financial, legal, or other matters discussed herein. Please read the full DISCLAIMER