Who Enforces the AI Act? The Case For and Against Data Protection Authorities

The EU AI Act is law, but who enforces it? A policy analysis examines whether data protection authorities—already stretched thin by GDPR—should take on AI regulation, or whether dedicated agencies are needed. The institutional choice will shape how AI governance actually works in practice.

By Sean K.S. Shin
This blog summarizes research trends based on published paper abstracts. Specific numbers or findings may contain inaccuracies. For scholarly rigor, always consult the original papers cited in each post.

The EU AI Act entered into force in August 2024, establishing the world's first comprehensive legal framework for artificial intelligence. But legislation without enforcement is aspiration without consequence. The Act requires each member state to designate national competent authorities to oversee compliance, and a critical institutional question has emerged: should data protection authorities—the agencies that enforce the GDPR—also be responsible for enforcing AI regulation? The answer will determine whether AI governance inherits the strengths and limitations of privacy regulation, or develops its own institutional identity.

The Research Landscape

A policy analysis published in International Data Privacy Law (2025, DOI: 10.1093/idpl/ipaf033) examines whether data protection authorities (DPAs) should be responsible for enforcing the EU AI Act. The study analyzes the institutional, legal, and practical implications of assigning AI regulation to existing privacy regulators versus creating new dedicated agencies.

The question is not abstract. Several EU member states have already designated their DPAs as the competent authority for the AI Act, while others are creating new bodies or assigning enforcement to sector-specific regulators. This divergence risks regulatory fragmentation—the very problem the AI Act was designed to prevent.

The case for DPA enforcement rests on practical arguments. DPAs already possess relevant expertise: automated decision-making, profiling, and biometric data processing fall squarely within the GDPR's scope. DPAs have existing enforcement infrastructure, including complaint-handling mechanisms, investigation powers, and cross-border cooperation frameworks. Creating new agencies is expensive, slow, and risks duplicating capabilities that already exist. And because AI systems frequently process personal data, separating AI regulation from data protection could create jurisdictional confusion, with two agencies claiming authority over the same system.

The case against DPA enforcement is equally compelling. DPAs are already under-resourced relative to their GDPR obligations. Adding AI Act enforcement—which covers domains far beyond personal data, including safety-critical applications in healthcare, transportation, law enforcement, and critical infrastructure—risks diluting DPAs' effectiveness on both fronts. AI regulation also requires technical expertise that differs from privacy expertise: understanding machine learning architectures, evaluating algorithmic fairness, assessing safety risks in autonomous systems. A DPA staffed with lawyers and privacy specialists may lack the engineering and domain-specific knowledge to evaluate, say, whether a medical diagnostic AI meets the AI Act's requirements for high-risk systems.

Critical Analysis

The institutional choice between DPAs and dedicated agencies involves trade-offs that the paper helps illuminate, though the optimal arrangement likely depends on national context.

| Claim | Evidence | Verdict |
|---|---|---|
| DPAs possess relevant existing expertise in automated decision-making and data processing | GDPR enforcement covers profiling, automated decisions, and algorithmic transparency | ✅ Supported — there is genuine overlap between GDPR and AI Act competencies |
| DPAs are already under-resourced for GDPR enforcement | Widely documented in regulatory reports, though specific resource assessments vary by member state | ⚠️ Plausible and commonly argued, but resource adequacy varies significantly across the 27 member states |
| AI regulation requires technical expertise distinct from data protection expertise | AI Act covers safety-critical domains (health, transport, law enforcement) requiring domain-specific knowledge | ⚠️ Supported as a structural argument, though some DPAs have invested in technical capacity |
| Separating AI from data protection regulation creates jurisdictional confusion | Both GDPR and AI Act may apply to the same AI system processing personal data | ✅ Supported — regulatory overlap is a real coordination challenge |

The deepest tension may be between institutional efficiency and institutional specialization. Assigning AI enforcement to DPAs is efficient—it leverages existing infrastructure and avoids the multi-year process of building new agencies. But efficiency comes at the cost of specialization. The AI Act's high-risk categories span healthcare, biometric identification, critical infrastructure, education, employment, law enforcement, and migration management. Each domain has its own regulatory culture, technical standards, and stakeholder dynamics. A generalist DPA may struggle to develop the domain-specific knowledge needed for credible enforcement across all these areas.

There is also a governance philosophy at stake. The GDPR model treats data protection as a fundamental right, enforced by independent authorities with quasi-judicial powers. The AI Act, while incorporating fundamental rights concerns, is also a product safety regulation—closer in spirit to CE marking and market surveillance than to human rights enforcement. These different regulatory logics may not sit comfortably within a single institutional framework. A DPA accustomed to evaluating data processing agreements and conducting privacy impact assessments may approach AI enforcement through a privacy lens, potentially underweighting safety, performance, and fairness dimensions that the AI Act explicitly addresses.

The cross-border dimension adds further complexity. The GDPR's one-stop-shop mechanism has been criticized for creating enforcement bottlenecks. If AI Act enforcement follows the same model, the concentration of major AI developers in a small number of member states could reproduce these dynamics.

Open Questions

  • Resource adequacy: What level of additional funding would DPAs need to credibly enforce the AI Act alongside GDPR obligations?
  • Technical capacity: Can DPAs recruit and retain the engineering talent needed to evaluate AI systems, given private-sector competition for the same expertise?
  • Coordination mechanisms: If different member states choose different institutional models, how will cross-border enforcement coordination work?
  • Regulatory capture: Are DPAs—or newly created AI agencies—more susceptible to regulatory capture by the AI industry?
  • GDPR precedent: Does the GDPR enforcement experience suggest DPAs are well-suited for technology regulation, or does it reveal limitations that AI Act enforcement would amplify?

What This Means for AI Governance

The institutional design question is not a bureaucratic detail—it is a governance choice that will shape how AI regulation works in practice. Researchers studying AI governance should attend not only to what the AI Act requires, but to who enforces it, with what resources, and through what institutional lens. The most well-drafted regulation fails if the enforcement body lacks the capacity, expertise, or independence to apply it. As member states make their institutional choices over the coming months, the gap between the AI Act's ambitions and its enforcement reality will become the central question of European AI governance.


References (3)

van Haperen, O. (2025). GDPR Enforcement Beyond EU-Borders and the Future of AI Regulation & Enforcement. International Data Privacy Law.
van Haperen, O. (2025). GDPR Enforcement Beyond EU-Borders — The Dutch Data Protection Authority’s Fine on Clearview AI and the Future of AI Regulation & Enforcement. Computer Law Review International, 26(1), 10-13.
Jørgensen, B. N., & Ma, Z. G. (2025). Impact of EU Regulations on AI Adoption in Smart City Solutions: A Review of Regulatory Barriers, Technological Challenges, and Societal Benefits. Information, 16(7), 568.
