Ireland has published the blueprint for how it will enforce the EU AI Act domestically. The Regulation of Artificial Intelligence Bill 2026 creates a new AI Office, designates 15 sectoral enforcement authorities, and sets penalties up to €35 million or 7% of global turnover. Here is what it means in practice.
Ireland has published the General Scheme of the Regulation of Artificial Intelligence Bill 2026 — the legislative blueprint that transforms the EU AI Act from a Brussels regulation into an operational Irish enforcement system.
This is not a future event. The AI Office of Ireland must be operational by 1 August 2026. Enforcement powers activate the same day. The question for Irish organisations is not whether this applies to them, but how prepared they will be when the first inspections begin.
What the Bill establishes
The Bill has three central elements.
The AI Office of Ireland. A new statutory independent body operating under the Department of Enterprise, Tourism and Employment. The AI Office serves as Ireland's Single Point of Contact for EU AI Act matters and coordinates implementation across the broader enforcement ecosystem. It must be established by 1 August 2026 — a hard statutory deadline driven by the EU AI Act's own implementation timeline.
A distributed enforcement model. Rather than centralising all enforcement in a single regulator, Ireland has designated 15 National Competent Authorities (NCAs) along existing sectoral lines. Your regulator under the AI Act is the same body that already regulates your sector. This is deliberate: the logic is to build on existing relationships and expertise rather than create a parallel enforcement apparatus from scratch.
Enforcement powers with real teeth. Market Surveillance Authorities can require documentation, conduct unannounced inspections, restrict or prohibit AI systems from the market, and impose penalties. The maximum fines are €35 million or 7% of worldwide annual turnover — whichever is higher — for the most serious violations.
Who regulates what
The distributed model means your enforcement authority depends on your sector and the AI system in question. The designations that matter for most Irish businesses:
- Central Bank of Ireland — financial services organisations: AI in credit scoring, fraud detection, insurance pricing, AML, customer-facing financial decisions
- Health Products Regulatory Authority (HPRA) — medical devices and healthcare AI systems
- Media Commission — broadcast and online platform providers
- Competition and Consumer Protection Commission (CCPC) — consumer-facing AI in non-regulated sectors
- Department of Justice — law enforcement and migration-related AI use
- Data Protection Commission (DPC) — AI systems that implicate GDPR obligations (which is most of them)
For AI systems that do not fall under a specific sectoral authority, the AI Office of Ireland acts as the default NCA.
The practical implication: if you are a financial services firm and your credit scoring system is found non-compliant, it is the Central Bank — not a new AI regulator you have never dealt with — that will knock on your door.
What triggers enforcement
The rules for Annex III high-risk AI systems come into force on 2 August 2026. High-risk categories include:
- AI used in HR and recruitment — CV screening, interview scoring, performance monitoring
- AI in credit and financial decisioning — loan assessments, insurance underwriting
- AI in healthcare — clinical decision support, diagnostic tools
- AI in critical infrastructure — energy, water, transport management
- AI in education — admissions, assessment, student performance monitoring
- AI used in law enforcement — risk scoring, predictive policing tools
If your organisation uses any of these systems, you need documented governance, human oversight mechanisms, technical documentation, and an incident reporting process in place before August.
What "unannounced inspection" means
The Bill gives Market Surveillance Authorities the power to access documentation without prior notice. This is not a theoretical power — it mirrors inspection powers already used in areas like health and safety and data protection.
For organisations that have not yet built a documented AI inventory, this is the part of the Bill that should concentrate the mind. An inspection that finds no documentation is not a minor compliance gap; it is the absence of evidence that governance exists at all.
What you should do now
There are four practical actions that matter before August 2026.
1. Build your AI inventory. Document every AI system in use across your organisation. Include tools purchased from vendors, AI features embedded in existing software (many organisations are surprised by how many there are), and any internally developed tools. The inventory needs to capture the system, its use case, the data it processes, and who owns it.
2. Classify by risk. Apply the Act's four-tier framework to each system: prohibited, high-risk, limited risk, minimal risk. Be honest about systems that sit in Annex III categories — the consequences of misclassification under inspection are worse than the compliance cost of correct classification.
3. Assign accountability. Each high-risk system needs a named owner with documented responsibility for oversight. Governance that lives in a policy document but has no named person responsible for it will not satisfy an inspector.
4. Know your regulator. Identify which National Competent Authority oversees your sector and familiarise yourself with their existing supervisory approach. If you already have a CBI or DPC relationship, that is the relationship through which AI Act compliance will be assessed.
The August 2026 deadline is not a soft target
There is sometimes an assumption in Irish business that regulatory deadlines come with a grace period — that enforcement will be light-touch in the first year. The EU AI Act's implementation timeline, the publication of the Bill, and the statutory requirement for the AI Office to be operational all point in the opposite direction. Ireland has moved faster on implementation than most EU member states. The infrastructure for enforcement is being built to be used.
If your organisation has not yet begun EU AI Act readiness work, the Bill's publication is the moment to start. A structured readiness review will identify your inventory, classify your systems, and produce a remediation roadmap before August — not a generic checklist, but an assessment of your actual position. That is the work we do at Acuity AI Advisory, and it is vendor-neutral by design.