EU AI Act National Competent Authorities 2026: Country-by-Country Enforcement Map for SaaS Developers

Post #1335 in the sota.io EU AI Act Enforcement Series

The EU AI Act created two enforcement tiers. The EU AI Office handles foundation models, GPAI providers, and cross-border systemic cases. Everything else — the hundreds of thousands of SaaS products that use or deploy AI — falls to 27 National Competent Authorities (NCAs), one per EU member state.

If you build SaaS with AI features and have EU customers, you will eventually interact with a national authority. It might be Germany's Bundesnetzagentur asking for technical documentation on your AI-powered email classifier. It might be France's Autorité de la cybersécurité requesting evidence of your bias testing framework. Or it might be the Swedish IMY cross-referencing your AI Act obligations with a GDPR investigation already underway.

This guide maps every designated NCA, explains their enforcement powers, and tells you exactly what to prepare before you receive the first request.

The Legal Framework: Who Are NCAs and What Can They Do?

The EU AI Act (Regulation 2024/1689) Article 70 requires each member state to designate one or more national competent authorities by August 2, 2025 — one year before the main enforcement provisions take effect on August 2, 2026.

NCAs serve three functions:

Market Surveillance Authority (MSA): Monitors AI systems placed on the EU market. Can request technical documentation, conduct audits, order corrective actions, and impose fines. For SaaS: your primary enforcement contact for any AI feature accessible in that country.

Notifying Authority: Manages the conformity assessment bodies (Notified Bodies) in their jurisdiction. Relevant if your high-risk AI system requires third-party conformity assessment.

National Supervisory Authority (for GPAI): Coordinates with EU AI Office on foundation model investigations. Receives complaints from national entities about GPAI providers.

A single NCA can hold all three roles, or a country may split them across multiple authorities. Germany, France, and the Netherlands have multi-authority setups; smaller member states typically consolidate into one body.

Enforcement Powers Under Article 74

NCAs have substantial enforcement tools:

• Document requests: Can demand full technical documentation, conformity assessment records, and training data descriptions (no warrant required for first-tier requests)
• On-site inspections: Physical or remote access to premises and software systems with 48-hour notice (can be immediate for serious incidents)
• Corrective actions: Order modifications, suspension of market placement, or withdrawal of non-compliant AI systems
• Emergency measures: Interim measures to prevent imminent serious harm (Article 79)
• Penalties: Fines up to €35M or 7% of global annual turnover for prohibited AI violations; up to €15M or 3% for other violations; up to €7.5M or 1.5% for incorrect information

The 27-Country Enforcement Map

🇩🇪 Germany — Bundesnetzagentur (Federal Network Agency) + BfDI

Primary MSA: Bundesnetzagentur (BNetzA) — Bonn GPAI Contact: Bundesnetzagentur + Bundesamt für Sicherheit in der Informationstechnik (BSI) for cybersecurity intersections Data Protection: Bundesbeauftragter für den Datenschutz und die Informationsfreiheit (BfDI) for GDPR-AI intersections

Germany designated BNetzA as lead MSA, extending its existing role as digital markets regulator. BNetzA is methodical and document-intensive — expect structured information requests using standardized forms, typically giving 4-6 weeks for initial documentation response.

SaaS developer action: Register with BNetzA's AI Registry (launching Q3 2026). Prepare German-language executive summaries of technical documentation even if full docs are in English.

Enforcement priority (Q3/Q4 2026): Prohibited AI practices sweep (Art.5 biometric systems, social scoring), then high-risk AI in HR and recruitment software.

🇫🇷 France — ARCOM + CNIL + ANSSI

Primary MSA: ARCOM (Autorité de régulation de la communication audiovisuelle et numérique) — Paris GPAI Contact: CNIL (Commission nationale de l'informatique et des libertés) Cybersecurity Intersection: ANSSI (Agence nationale de la sécurité des systèmes d'information)

France made the unusual choice of splitting AI oversight. ARCOM (France's digital media regulator) leads market surveillance. CNIL — already the most aggressive GDPR enforcer in Europe — handles AI-data protection intersections and GPAI supervision. This creates two parallel enforcement tracks for any AI system that processes personal data.

SaaS developer action: If your AI touches personal data (most do), prepare for coordinated ARCOM + CNIL investigations. CNIL has a proven track record of 6-18 month investigations resulting in significant fines. Their AI guidance published Q1 2026 should be treated as mandatory reading.

Enforcement priority: Recommendation algorithms, automated content moderation, profiling systems.

🇳🇱 Netherlands — ACM + Dutch DPA

Primary MSA: Autoriteit Consument en Markt (ACM) — The Hague Data Protection: Autoriteit Persoonsgegevens (AP)

ACM is the Netherlands' competition and consumer authority — it approaches AI regulation through a consumer protection lens. The Dutch DPA is known for thorough technical investigations. The Netherlands has been an early mover in AI governance, with ACM publishing AI-specific enforcement guidance in early 2026.

SaaS developer action: ACM has shown interest in AI-powered pricing and recommendation systems. If your SaaS uses dynamic pricing or AI-driven upselling, document the logic carefully.

🇸🇪 Sweden — IMY (Integritetsskyddsmyndigheten)

Primary MSA: IMY (Swedish Authority for Privacy Protection) Note: Sweden consolidated AI Act oversight into its existing data protection authority

IMY takes a pragmatic, dialogue-first approach — they prefer advisory letters before formal enforcement. Their joint AI/GDPR investigative capability is sophisticated. Sweden's tech sector (Spotify, Klarna, King) means IMY has significant AI-sector experience.

SaaS developer action: Swedish law requires that AI systems affecting individual rights provide meaningful human review mechanisms. IMY will scrutinize automated decision-making with particular care.

🇪🇸 Spain — AESIA

Primary MSA: Agencia Española de Supervisión de la Inteligencia Artificial (AESIA) — A Coruña Note: Spain created a dedicated AI agency — the first in the EU to do so

AESIA is the EU's only purpose-built AI regulatory authority. Launched in 2024, it has invested heavily in technical expertise and published some of the most detailed AI compliance guidance in the EU. AESIA operates a voluntary compliance sandbox and has a dedicated SaaS sector team.

SaaS developer action: AESIA's sandbox program allows companies to test compliance frameworks before enforcement. Strongly recommended for SaaS with high-risk AI features. AESIA's technical documentation templates are publicly available and worth using as your baseline format.

Enforcement priority: High-risk AI in credit scoring, employment, and essential services.

🇮🇹 Italy — AGID + Garante

Primary MSA: Agenzia per l'Italia Digitale (AGID) Data Protection: Garante per la protezione dei dati personali (Garante)

Italy designated AGID — its digital government agency — as MSA, which has received mixed reviews from the tech sector. AGID's primary expertise is government IT, not private-sector AI. However, Italy's Garante is exceptionally active: they were the first DPA to temporarily ban ChatGPT (2023) and have continued aggressive AI investigations.

SaaS developer action: For Italian-market products, the effective regulator is Garante for anything touching personal data. AGID handles non-personal-data AI systems. Prepare documentation in Italian for Garante requests.

🇧🇪 Belgium — Centre for Cybersecurity Belgium (CCB) + DPA

Primary MSA: Centre for Cybersecurity Belgium (CCB) — Brussels Data Protection: Gegevensbeschermingsautoriteit (GBA)

Belgium's choice of CCB reflects the Brussels tech community's focus on security. CCB has strong connections to EU institutions given Belgium's role as EU capital. The GBA is known for thorough, lengthy investigations.

SaaS developer action: Being based or incorporated in Belgium (common for EU-facing companies) means you're in CCB's primary jurisdiction even for cross-border services. CCB's NIS2 enforcement experience will transfer directly to AI Act investigations.

🇵🇱 Poland — UKE + UODO

Primary MSA: Urząd Komunikacji Elektronicznej (UKE) — Warsaw Data Protection: Urząd Ochrony Danych Osobowych (UODO)

Poland designated its telecommunications regulator UKE as MSA. Poland has a large and growing tech sector with significant AI adoption. UODO has been increasingly active on GDPR enforcement.

SaaS developer action: Poland's market size (38M population, EU's 5th largest economy) makes NCA compliance non-optional if you have significant Polish customer base. UKE's AI enforcement framework is still maturing — early engagement and voluntary compliance documentation are strategically beneficial.

🇦🇹 Austria — RTR + DSB

Primary MSA: Rundfunk und Telekom Regulierungs-GmbH (RTR) — Vienna Data Protection: Datenschutzbehörde (DSB)

Austria designated RTR, its media and telecommunications regulator. Austria sits at a crossroads between German-speaking markets and Eastern Europe, making Vienna a hub for EU-facing SaaS. The DSB has been active on GDPR enforcement.

SaaS developer action: Austrian NCAs often coordinate closely with German counterparts given language alignment. Documentation prepared for BNetzA is typically acceptable to RTR.

🇩🇰 Denmark — The Danish Business Authority + Datatilsynet

Primary MSA: Erhvervsstyrelsen (Danish Business Authority) — Copenhagen Data Protection: Datatilsynet

Denmark took a business-friendly approach, designating its business promotion agency as MSA. Danish enforcement is typically pragmatic and proportionate. Copenhagen's growing AI startup ecosystem has influenced a collaborative regulatory stance.

🇫🇮 Finland — Transport and Communications Agency (Traficom) + Tietosuojavaltuutettu

Primary MSA: Traficom — Helsinki Data Protection: Office of the Data Protection Ombudsman

Finland designated Traficom, its multi-sector digital regulator. Finland's Nokia legacy means technical depth in the regulatory body. Enforcement approach is methodical and documentation-focused.

🇵🇹 Portugal — ANACOM + CNPD

Primary MSA: Autoridade Nacional de Comunicações (ANACOM) — Lisbon Data Protection: Comissão Nacional de Proteção de Dados (CNPD)

Portugal designated ANACOM, its telecom regulator. Portugal's growing tech sector (particularly in Lisbon) has attracted significant SaaS investment. CNPD has been actively publishing AI-GDPR intersection guidance.

🇬🇷 Greece — EETT + HDPA

Primary MSA: Εθνική Επιτροπή Τηλεπικοινωνιών και Ταχυδρομείων (EETT) — Athens Data Protection: Hellenic Data Protection Authority (HDPA)

Greece designated EETT, its telecom and postal regulator. Greece is implementing EU AI Act requirements in parallel with significant public-sector AI investments.

🇨🇿 Czech Republic — CTU + ÚOOÚ

Primary MSA: Český telekomunikační úřad (CTU) — Prague Data Protection: Úřad pro ochranu osobních údajů (ÚOOÚ)

Czech Republic designated its telecom regulator. Prague's growing tech hub status has prompted proactive CTU engagement with AI sector companies.

🇷🇴 Romania — ANCOM + ANSPDCP

Primary MSA: Autoritatea Națională pentru Administrare și Reglementare în Comunicații (ANCOM) — Bucharest Data Protection: ANSPDCP

Romania designated ANCOM. Romania has a large outsourcing and software development sector, and ANCOM is still developing its AI oversight capabilities.

🇭🇺 Hungary — NMHH + NAIH

Primary MSA: Nemzeti Média- és Hírközlési Hatóság (NMHH) — Budapest Data Protection: Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH)

Hungary designated its media and communications authority. NMHH's approach to AI regulation is still developing, though NAIH has been increasingly active on data-AI intersections.

🇸🇰 Slovakia — RÚSÚ + Úrad na ochranu osobných údajov

Primary MSA: Regulatory Office for Electronic Communications and Postal Services (RÚSÚ) Slovakia designated its telecoms regulator.

🇧🇬 Bulgaria — CRC + KZLD

Primary MSA: Communications Regulation Commission (CRC) — Sofia Bulgaria designated its telecom regulator. CRC is in early stages of building AI oversight capacity.

🇭🇷 Croatia — HAKOM + AZOP

Primary MSA: Hrvatska regulatorna agencija za mrežne djelatnosti (HAKOM) Croatia designated its network activities regulator.

🇱🇹 Lithuania — RRT + VDAI

Primary MSA: Ryšių reguliavimo tarnyba (RRT) — Vilnius Lithuania designated its communications regulator. Lithuania's growing fintech sector means early focus on AI in financial services.

🇱🇻 Latvia — SPRK + DVI

Primary MSA: Sabiedrisko pakalpojumu regulēšanas komisija (SPRK) Latvia designated its public utilities regulator.

🇪🇪 Estonia — TTJA + AKI

Primary MSA: Tarbijakaitse ja Tehnilise Järelevalve Amet (TTJA) — Tallinn Data Protection: Andmekaitse Inspektsioon (AKI)

Estonia designated its consumer protection and technical supervisory authority. Estonia's e-government leadership means TTJA has sophisticated digital oversight capabilities. Estonian AI enforcement will likely be technically advanced and digitally-native (including e-filing, digital inspections).

🇮🇪 Ireland — CRU + DPC

Primary MSA: Commission for Regulation of Utilities (CRU) — Dublin Data Protection: Data Protection Commission (DPC)

Ireland is critical for SaaS developers. The DPC is the lead GDPR supervisor for most major US tech companies (Meta, Google, Apple, Microsoft are all Irish-headquartered in the EU). The CRU as MSA is unexpected — it's primarily an energy/water regulator — but reflects Ireland's limited regulatory capacity for new tech domains.

SaaS developer action: If your SaaS is established in Ireland (common for US companies seeking EU base), the DPC will be your primary AI-data intersection regulator. Expect DPC coordination with CRU for any AI investigation involving personal data. Ireland's tech sector lobbying influence has resulted in a measured CRU approach, but DPC enforcement history suggests caution.

🇱🇺 Luxembourg — ILR + CNPD

Primary MSA: Institut Luxembourgeois de Régulation (ILR) Data Protection: Commission nationale pour la protection des données (CNPD)

Luxembourg designated ILR, its financial and telecom regulator. Luxembourg's role as EU financial hub means significant attention to AI in financial services.

🇲🇹 Malta — MCA + IDPC

Primary MSA: Malta Communications Authority (MCA) Malta designated its telecom authority. MCA is a small authority developing AI oversight capabilities.

🇨🇾 Cyprus — OCECPR + Commissioner

Primary MSA: Office of the Commissioner of Electronic Communications and Postal Regulation (OCECPR) Cyprus designated its telecom regulator.

🇸🇮 Slovenia — AKOS + IP

Primary MSA: Agencija za komunikacijska omrežja in storitve (AKOS) Slovenia designated its communications networks regulator.

The EU AI Office Coordination Layer

While NCAs enforce domestically, the EU AI Office (based in Brussels, part of DG CNECT) coordinates the network of NCAs through the European AI Board. This creates three cross-border mechanisms that SaaS developers must understand:

Joint Investigations

If your SaaS has users in multiple EU countries and triggers enforcement concerns, any NCA can initiate an investigation — but must notify other affected NCAs and the EU AI Board. The AI Office can "call in" any cross-border case for centralized handling. Practically, this means a German investigation can quickly become a pan-European coordination exercise.

Mutual Assistance

NCAs can request evidence, test results, or on-site inspection assistance from each other. A Dutch DPA investigation into your AI system's data processing can trigger an Italian AGID request for your AI system's technical documentation. These requests must be fulfilled within 30 days.

Market Surveillance Network

The EU ICSMS (Internal Market Information System) connects all NCAs and the AI Office. Enforcement actions (corrective orders, market restrictions, fines) in one country are visible to all other NCAs. A serious violation in one country triggers monitoring alerts across the network.

Determining Your Primary NCA

The EU AI Act follows an establishment-based jurisdiction principle. Your primary NCA is determined by:

1. Where your SaaS company is legally established in the EU — If you have a subsidiary or branch in France, ARCOM/CNIL are your primary NCAs even if you serve customers across the EU.

2. Where your AI system is placed on the market — If you have no EU establishment but actively market to EU customers, the NCA of the member state where the first substantive commercial activity occurred typically asserts jurisdiction.

3. Where the harm occurred — For investigations triggered by complaints or incidents, the NCA of the affected member state has initial jurisdiction regardless of establishment.

4. Authorized Representative jurisdiction — Non-EU SaaS providers must appoint an EU Authorized Representative (Article 22). That representative's country of establishment becomes a secondary jurisdiction hook.

Practical Scenarios

What Happens When an NCA Contacts You

Stage 1: Document Request (Days 1-30)

Initial contact is typically a formal letter or registered email requesting:

• Technical documentation (Article 11 + Annex IV): system description, general purpose, performance metrics, risk management measures, data governance practices, accuracy and robustness testing results
• Conformity assessment records (if high-risk)
• Evidence of human oversight measures
• Incident reporting history

Response time: 30 days standard, 14 days for urgent matters. You can request extensions.

Language requirements: Formally, in the official language(s) of the requesting member state. In practice, English is widely accepted as a supplementary language, particularly by German, Dutch, Swedish, and Danish NCAs. French and Italian NCAs typically require French/Italian summaries even if full documentation is in English.

Stage 2: Clarification and Follow-up (Days 30-90)

After reviewing initial documentation, NCAs typically request clarification on:

• Specific technical implementation details
• Evidence of bias testing and results
• Human oversight mechanism effectiveness
• Incident response procedures

Stage 3: On-site Inspection or Audit (Days 90-180)

For high-risk AI systems or when documentation is insufficient, NCAs can conduct:

• Remote access inspections (reviewing code, configurations, testing environments)
• Physical on-site inspections of server infrastructure (typically coordinated with data center operators)
• Third-party audit requirements (you bear the cost)

Stage 4: Corrective Action or Penalty (Days 180+)

NCAs issue one of four outcomes:

1. Clean bill of compliance — investigation closed, no action required
2. Corrective action order — specific technical or procedural changes required within defined timeframe
3. Market suspension — AI system cannot be placed on market in that country pending compliance
4. Market withdrawal + penalty — system must be removed from market, fine issued

NCA-Specific Enforcement Priorities for Q3/Q4 2026

Based on published NCA work programs and European AI Board coordination documents:

Building Your NCA-Ready Compliance Stack

Documentation Tier (Always Required)

Every SaaS with AI features needs:

System Register: Internal inventory of all AI features with risk classification, data sources, and training information. This becomes your Article 11 technical documentation foundation.

Risk Management Records: Documented risk identification, assessment, and mitigation measures per AI system. Not a one-time document — a living record updated with each model change.

Data Governance Statement: Where training data came from, how it was processed, bias assessment methodology, and ongoing monitoring approach.

Human Oversight Procedures: Written procedures for how humans review and can override AI outputs, especially for high-risk functions.

Process Tier (Required for High-Risk AI)

For high-risk AI systems (hiring, credit, education, healthcare adjacent):

Conformity Assessment Evidence: Either self-assessment records (most high-risk systems can self-assess) or Notified Body certification if required by Annex III categories.

Post-Market Monitoring Plan: How you detect drift, monitor performance, and respond to performance degradation after deployment.

Incident Response Procedure: Written procedure for AI-related serious incidents with 72-hour NCA notification capability.

Readiness Tier (Competitive Advantage)

NCA Contact Registry: Pre-identified contact point in your organization for NCA communications, with backup. This person needs authority to commit to corrective actions.

Translation Capability: Ability to produce technical document summaries in French, German, Italian, Spanish within 5 business days of request.

Authorized Representative Agreement: If non-EU, a signed Authorized Representative agreement with an EU-established legal entity.

Voluntary Registration: Early registration in the EU AI Database (launching Q3 2026) demonstrates proactive compliance and can reduce enforcement scrutiny.

The sota.io Advantage: EU-Native Infrastructure for NCA Compliance

When an NCA requests evidence about your AI system, data residency becomes immediately relevant. Can you demonstrate that training data was processed within the EU? Can you show that your AI inference infrastructure is EU-hosted and subject only to EU law enforcement procedures?

SaaS developers running AI workloads on US-headquartered cloud infrastructure face a structural compliance gap. CLOUD Act subpoenas can compel disclosure of data without NCA notification. AI systems trained on US-processed data have provenance questions that EU-native alternatives avoid.

sota.io provides EU-native cloud infrastructure specifically designed for AI compliance workloads:

• Data residency: All processing, storage, and inference on EU-based servers subject exclusively to EU law
• Audit trail: Infrastructure-level logging that satisfies NCA documentation requirements without requiring data export to US discovery tools
• Compliance documentation templates: Pre-built Article 11 technical documentation structures, ready for NCA response
• NCA notification support: Incident notification workflows configured for 72-hour reporting requirements across all 27 member states

35-Point NCA Readiness Checklist

Use this checklist before August 2, 2026:

Know Your NCA (5 points)

• Identified primary NCA based on EU establishment or lead market
• Identified secondary NCAs for markets with significant customer bases (>5% revenue)
• Located NCA contact information for AI Act enforcement inquiries
• Assigned internal NCA contact point with decision-making authority
• If non-EU: appointed EU Authorized Representative

Risk Classification (5 points)

• Classified every AI feature against EU AI Act risk tiers (prohibited/high-risk/limited/minimal)
• Documented classification rationale for any feature near high-risk threshold
• Reviewed Annex III high-risk categories against your product features
• Confirmed no prohibited AI practices (Art.5) anywhere in product
• Documented basis for GPAI vs. narrow AI classification

Technical Documentation (8 points)

• Annex IV Article 11 documentation complete for all high-risk AI features
• System description covers intended purpose, general functioning, and limitations
• Training data sources documented with privacy and bias assessment
• Performance metrics recorded at deployment date
• Known limitations and failure modes documented
• Bias testing results available
• Human oversight mechanisms documented with evidence of effectiveness
• Post-market monitoring plan written and operational

Process Readiness (8 points)

• Incident detection and 72-hour NCA notification procedure tested
• NCA document request response procedure written (30-day workflow)
• Corrective action implementation procedure defined
• Legal review for AI Act compliance completed by external counsel
• Risk management procedure updated at least quarterly
• Version control for AI model changes (evidence of change management)
• Customer-facing AI disclosure texts reviewed for Art.50 transparency compliance
• Employee training on AI Act compliance obligations completed

Infrastructure (5 points)

• Data processing locations documented per AI feature
• CLOUD Act/foreign law enforcement risk assessed for each data location
• Logging and audit trail capability verified for NCA inspection readiness
• Data deletion capability confirmed (for training data governance)
• Backup and disaster recovery procedures include AI system configurations

Registration (4 points)

• EU AI Database registration planned for Q3 2026 (mandatory for high-risk AI)
• National AI registry requirements reviewed for primary NCA jurisdiction
• Notified Body engagement started if required (Annex III Category 1 systems)
• Conformity assessment schedule set before August 2, 2026 deadline

Key Dates for NCA Compliance

The 67 days until August 2, 2026 represent your compliance window. NCAs have published their enforcement priorities — this is not ambiguous. If your SaaS has high-risk AI features and your technical documentation cannot survive a 30-day document request from any of the 27 NCAs, that is the gap to close before enforcement day.

sota.io helps European SaaS teams deploy AI workloads on EU-sovereign infrastructure. Our compliance documentation tools and EU-native compute reduce NCA preparation time from months to weeks.