Acuity AI Advisory
← Insights
·4 min read

Which Regulator Actually Supervises Your AI in Ireland

G

Ger Perdisatt

Founder, Acuity AI Advisory

Ireland is not enforcing the EU AI Act through one central regulator. The AI Office of Ireland coordinates and acts as the single point of contact, but the body that actually supervises your AI is your existing sector regulator — the Central Bank, the Data Protection Commission, Coimisiún na Meán, and others. Knowing which one watches you is the first governance question to answer.

When organisations think about EU AI Act enforcement in Ireland, they tend to picture a single new regulator — the AI Office — knocking on the door. That is not how Ireland has built it. The model is distributed, and understanding the distinction matters, because it changes who you answer to and what they already know about you.

A coordinating authority, not a single enforcer

The Regulation of Artificial Intelligence Bill 2026 establishes the AI Office of Ireland — Oifig Intleachta Shaorga na hÉireann — as a statutory independent body under the Department of Enterprise, Tourism and Employment. Its role is to act as the central coordinating authority and the single point of contact for the AI Act in the State. It must be operational on or before 1 August 2026.

What the AI Office largely does not do is supervise your sector directly. Ireland has chosen a distributed model in which established regulators oversee AI within the domains they already govern, with the AI Office providing coordination and a set of centralised functions. The blueprint and the sectoral designations are set out on our Regulation of Artificial Intelligence Bill 2026 page; our note on the Office's first phase, AI Office of Ireland: What Happens From 1 August 2026, covers how that coordination role plays out in practice.

Who watches you depends on what you do

For most organisations the supervising authority is not a new relationship — it is one you already have. The mapping follows the sector:

  • Financial services, credit, insurance → the Central Bank of Ireland, which already supervises model risk and algorithmic decision-making in regulated firms.
  • Personal-data-heavy uses — profiling, recruitment screening, customer analytics → the Data Protection Commission, where the AI Act and GDPR obligations overlap heavily.
  • Media, platforms, content and recommender systems → Coimisiún na Meán.
  • Workplace monitoring, recruitment and employment uses → the Workplace Relations Commission.
  • Utilities and energy → the Commission for Regulation of Utilities.
  • Health and clinical settings → bodies in the health sector, including the HSE.

The practical consequence is that the regulator assessing your AI is usually one that already understands your business, already holds a supervisory history with you, and already has a view of where you cut corners. That is a higher bar than a generalist AI regulator starting from a blank page, not a lower one.

Why the "single point of contact" still matters

The AI Office being the single point of contact does not mean it is the only body you deal with. It means cross-sector questions, systems that span more than one regulator's remit, and coordination with the European AI Office route through it. A recruitment tool used by a regulated lender, for instance, can sit at the intersection of the Central Bank, the DPC and the WRC at once. The AI Office exists partly to stop organisations being pulled in three directions — and partly to make sure none of the three assumes another is handling it.

What to do with this

The first governance task is not to draft a policy. It is to answer a prior question: which authority supervises each of our AI use cases? Until you know that, you cannot judge what "good" looks like, because the standard is shaped by the sector regulator's existing expectations, not by a generic checklist.

A workable first pass:

  1. Inventory your AI use cases — not your tools, your uses. The same vendor product can fall under different regulators depending on what you do with it.
  2. Map each use to its likely supervising authority using the sector logic above.
  3. For each authority, ask what they already expect of you in adjacent areas — model documentation for the Central Bank, DPIAs and lawful basis for the DPC, and so on. The AI Act rarely starts from zero; it extends obligations these regulators already enforce.
  4. Decide where you want to engage early. Ireland's enforcement is phasing in, and voluntary engagement before powers fully bite is generally a stronger position than waiting to be found.

This is the work that makes everything downstream — the policy, the literacy programme, the risk classification — actually fit your situation. We help organisations do exactly this mapping as part of our AI governance advisory, and for public bodies specifically through AI governance for state bodies.


If you are not sure which Irish regulator supervises your AI — or you sit across several — Acuity AI Advisory offers a vendor-neutral EU AI Act readiness review that starts with exactly this mapping, and ongoing independent EU AI Act consulting for organisations managing it over time.

eu ai actirelandregulationgovernanceai office of ireland