At the outset of 2026, Ireland set out how the EU AI Act will work in practice with the publication of the General Scheme of the Regulation of Artificial Intelligence Bill. 

The Act will determine how firms build, buy, deploy and oversee AI systems across functions such as recruitment, customer service, compliance, manufacturing, healthcare and financial services. The key question is no longer what the regulation says in principle, but how AI will be supervised, enforced and governed on the ground.

This legislative blueprint is intended to give effect to the parts of the EU AI Act that require national supervision and enforcement and confirms that Ireland will adopt a distributed enforcement model, built around existing sectoral regulators and supported by a new central coordinating body, the AI Office of Ireland.

This is relevant for multinational companies as many of them use their Irish operations as a base for European product, regulatory, trust, legal, operations and EMEA leadership functions. As the AI Act is phased in, those teams will need to translate a broad EU regulation into practical controls, governance processes and internal accountability.

Understanding the EU AI Act

The starting point is that the EU AI Act is a directly applicable EU regulation. Having entered into force on August 2, 2024, it applies in phases over 36 months. Its purpose is to create a harmonised framework for AI across the EU while protecting health, safety and fundamental rights. 

It is not designed as a blanket law for all uses of AI. Instead, it adopts a risk-based approach, with stricter requirements applied where AI systems pose greater risks to individuals or society.

For businesses, the key point is that the Act applies across sectors and is relevant not only to companies building AI systems, but also to those deploying third-party tools in their operations. PwC notes that the regulation is horizontal in nature and extends across sectors, including to systems operating within the EU market or affecting EU citizens, regardless of where the provider is based.

Risk categories

The EU AI Act is built around a four-tier risk structure, which is central to how companies should assess their exposure.

At the highest end is unacceptable risk. These are AI practices that are prohibited outright. Examples include social scoring, untargeted scraping of facial images, emotion recognition in workplaces and schools, and certain uses of real-time remote biometric identification by law enforcement. 

The next category is high risk. This includes two broad groups. The first is product-linked AI that falls within certain EU product safety regimes, such as machinery or toys. The second is a list of specific high-risk uses in Annex III, including areas where AI may significantly affect people’s safety or fundamental rights. These include sectors such as critical infrastructure, education, employment and access to essential services. High-risk systems come with the heaviest obligations, including requirements around governance, cybersecurity, documentation, and oversight.

Then there is limited risk, where transparency obligations apply. A business using a chatbot, for example, may need to make clear to users that they are interacting with AI. 
Finally, minimal risk covers the majority of everyday AI applications. These are generally permitted without the same level of regulatory burden.

Timeline of the EU AI Act

It is being applied in stages, but several important milestones have already passed.

On November 2, 2024, Member States had to identify public bodies responsible for supervising fundamental rights in relation to certain high-risk AI systems. On February 2, 2025, the rules on prohibited AI practices took effect, and providers and deployers also became responsible for ensuring a sufficient level of AI literacy among relevant staff. 

The next major deadline was August 2, 2025, when Member States had to designate competent authorities and legislate for penalties. In September 2025, Ireland designated 15 national competent authorities and established a national single point of contact within the Department of Enterprise, Tourism and Employment. 

Looking ahead, August 2, 2026, is the key date for the next phase. By then, Member States must have an operational AI regulatory sandbox, and the rules for Annex III high-risk systems come into effect. Ireland also plans to have the AI Office of Ireland in place by then as the central coordinating authority. A later deadline of August 2, 2027, applies to product-linked high-risk AI systems under Annex I.

In November 2025, the European Commission proposed changes to its data protection and AI regimes through the Digital Omnibus Package, aimed at reducing the regulatory burden, boosting European AI start-ups, and improving Europe’s overall competitiveness. Under the proposed changes, the rules for high-risk AI systems under Annex III, including sensitive use cases such as employment and law enforcement, would apply no later than 2 December 2027, while rules for certain product-linked high-risk AI systems under Annex I would apply no later than 2 August 2028. These proposed changes are currently being negotiated under the Cypriot Presidency of the European Council. The extended timeline has been welcomed by industry.  

What the Irish enforcement model means

Ireland’s model is unique in the sense that it has adopted a distributed enforcement model that draws on established sectoral authorities. Unlike relying on a standalone AI regulator, Ireland has empowered 15 competent authorities to supervise AI systems within their domains. They include:

• Central Bank of Ireland
• Coimisiún na Meán
• Commission for Communications Regulation
• Commission for Railway Regulation
• Commission for Regulation of Utilities
• Competition and Consumer Protection Commission
• Data Protection Commission
• Health and Safety Authority
• Health Products Regulatory Authority
• Health Services Executive
• Marine Survey Office of the Department of Transport
• Minister for Enterprise, Tourism and Employment
• Minister for Transport 
• National Transport Authority
• Workplace Relations Commission

For businesses in Ireland, this model has practical implications, according to a report by law firm William Fry. Companies operating across sectors may need to engage with more than one authority, depending on their AI use case. 

A financial services firm, a medtech business or an employer using AI in workforce settings may each face different supervisory touchpoints. 

The proposed AI Office of Ireland is intended to reduce fragmentation by coordinating enforcement, acting as the single point of contact and operating a national AI regulatory sandbox.

According to this KPMG report, demonstrating compliance with the AI Act and Irish enforcement expectations will increasingly become a condition of market access, procurement eligibility and partnership trust. 

Organisations should embed AI risk management, human oversight and governance structures, align product design with fundamental rights and transparency obligations, and engage with emerging AI Office guidance and sandbox opportunities, the report added.

Penalties for infringement

The AI Act carries significant financial penalties. For infringements of the rules, the maximum fines are up to €35 million or 7% of worldwide annual turnover of the preceding financial year, whichever is higher, for prohibited practices or certain data-related breaches; up to €15 million or 3% of worldwide annual turnover for other non-compliance; and up to €7.5 million or 1.5% of worldwide annual turnover for supplying incorrect, incomplete or misleading information to regulators. 

For SMEs, the lower threshold applies, while for larger companies the higher threshold applies. 

Essential related reads:

• How Ireland’s national AI strategy puts ethics at its core
• From IBM to OpenAI: The rise of AI in research across Ireland
• Ireland and NIS2 Directive: A new era of cybersecurity governance

FAQs: EU AI Act

What is the EU AI Act?
It is the EU’s legal framework for regulating AI based on the level of risk a system presents.

Does the EU AI Act apply to companies operating in Ireland?
Yes, it applies to companies placing AI systems on the EU market or using them in the course of business in Ireland.

Which AI systems face the strictest rules under the Act?
High-risk AI systems, especially those affecting safety, employment, education, essential services or fundamental rights, face the strongest obligations.

Are any AI uses banned outright under the EU AI Act?
Yes, certain uses such as social scoring and some forms of biometric surveillance are prohibited.

What are the penalties for non-compliance?
The most serious breaches can result in fines of up to €35 million or 7 per cent of global annual turnover.