Ireland published the General Scheme of its Regulation of Artificial Intelligence Bill on 4 February 2026. The AI Office of Ireland must be established by August. Here is what the legislation means in practice — and what you should be doing now.
On 4 February 2026, the Irish government published the General Scheme of the Regulation of Artificial Intelligence Bill 2026. This is not a consultation document or a policy paper. It is the legislative blueprint that will transform the EU AI Act into an operational Irish enforcement system — with real penalties, real inspectors, and a hard deadline of 1 August 2026 for the establishment of the AI Office of Ireland.
If your organisation is using AI tools in any meaningful capacity, the window between now and August is not time to wait. It is time to build compliance capability.
What the Bill actually does
The EU AI Act is a European regulation that applies directly in all member states. But EU regulations require national implementing legislation to establish enforcement infrastructure. That is what this Bill does.
Rather than creating a single AI regulator — a model some jurisdictions have adopted — Ireland has chosen a distributed architecture. Thirteen existing sectoral regulators will supervise AI systems within their domains. The Data Protection Commission oversees AI in personal data processing. The Central Bank covers AI in financial services. The Health Information and Quality Authority takes responsibility in healthcare. And so on across thirteen sectors.
Sitting above all of these is the new Oifig Intleachta Shaorga na hÉireann — the AI Office of Ireland — which will act as the single point of contact with the European AI Office, coordinate national enforcement, and directly supervise general-purpose AI models.
The AI Office must be operational by 1 August 2026. That date is driven by the EU AI Act's own implementation timeline, not by political preference. It is fixed.
The penalties
The Bill operationalises the AI Act's penalty structure. For the most serious violations — prohibited AI practices and non-compliance with GPAI model obligations — fines can reach 7% of total worldwide annual turnover. For other high-risk system failures, the ceiling is 3% of turnover or €15 million for SMEs, whichever is lower.
Enforcement powers include unannounced inspections, remote audits, access to technical documentation and datasets, and — where necessary — access to source code.
These are not theoretical numbers. The Data Protection Commission's track record of issuing substantial GDPR fines demonstrates that Irish regulators are prepared to use the powers they are given.
What counts as high-risk
The AI Act's risk classification system is where most Irish organisations need to focus attention. High-risk AI systems — those subject to the most demanding compliance obligations — include systems used in:
- Recruitment, selection, or promotion decisions
- Employee performance monitoring and management
- Access to credit or financial services
- Insurance risk assessment
- Education and vocational training
- Administration of justice and democratic processes
- Critical infrastructure management
Many Irish organisations are already using AI tools that fall into these categories — in HR platforms, recruitment software, credit scoring systems, and employee monitoring tools — without having assessed their risk classification.
The obligation to maintain conformity documentation, implement human oversight mechanisms, and conduct fundamental rights impact assessments applies to deployers — the organisations using these systems — not just to the vendors who built them.
What the regulatory sandbox means
One aspect of the Bill that deserves more attention than it has received is the national AI Regulatory Sandbox. The AI Office will establish this environment to allow organisations — particularly SMEs and start-ups — to test innovative AI systems under regulatory supervision before full market deployment.
Access is free for SMEs. Priority access is guaranteed. The sandbox is explicitly designed to allow smaller organisations to validate compliance without needing to engage the full weight of the regulatory apparatus.
If you are building or procuring an AI system that you believe may be high-risk, engagement with the sandbox is worth serious consideration. Early dialogue with regulators before a system is fully deployed is almost always preferable to remediation after the fact.
What to do between now and August
The period between now and August 2026 is not a grace period. It is a compliance-building window. Here is what practical preparation looks like:
First: get your inventory right. Build a complete picture of every AI system your organisation uses — purchased tools, AI features embedded in existing software, and any internally developed systems. Most organisations are surprised by how many there are once they look properly.
Second: risk-classify what you find. Apply the Act's four-tier framework to each system. Prohibited practices must stop. High-risk systems require documentation, human oversight, and conformity assessment. Limited-risk systems require transparency obligations. Minimal-risk systems require nothing specific, though good practice still applies.
Third: identify your sectoral regulator. Depending on your sector, the body that will supervise your AI use is already identified in the Bill. Understanding who your regulator is, and what their existing supervisory posture looks like, is basic preparation.
Fourth: document your governance. The Act requires operators of high-risk systems to maintain documentation of their risk management systems, their human oversight mechanisms, and their incident reporting processes. If this does not exist, build it now.
Fifth: plan for August. When the AI Office opens its doors and sectoral regulators have their enforcement powers confirmed, you want to be in a position to demonstrate that you have been taking this seriously — not scrambling to catch up.
The independent advice question
One complication worth naming is that much of the advice being offered on EU AI Act compliance in Ireland comes from law firms and technology vendors who have a commercial interest in the scope and cost of the compliance programme they recommend. Legal advice on the regulatory framework is valuable. Technology vendor assessments of which tools you need to buy to comply are inherently conflicted.
Independent, vendor-neutral analysis of your actual compliance exposure — what you have, what is genuinely high-risk, and what remediation is proportionate — is more useful and typically less expensive than starting with a vendor-led engagement.
The August deadline is real. The preparation required is not necessarily complex. But it needs to start now.