EU AI Act in Ireland: Enforcement, Authorities, and Business Obligations

Guide · 2 June 2026 · 15 min read · 3,119 words

Ireland designated 15 AI Act competent authorities and is creating the AI Office of Ireland by Aug 2026. DPC role, enforcement, penalties, and deadlines.

Ireland is where much of global technology meets EU law. Google, Meta, Apple, LinkedIn, Airbnb, and dozens of other multinational technology companies have their EU headquarters in Dublin — and that means their EU AI Act obligations, as providers or deployers of AI systems across the Union, are anchored here. Regulation (EU) 2024/1689 applies directly in Ireland without any Irish transposition required. What Ireland has had to construct is the enforcement infrastructure: the authorities that will investigate, sanction, and coordinate.

That construction is underway and moving faster than in several other Member States. In September 2025, Ireland designated 15 national competent authorities drawn from its existing sectoral regulators. A new statutory body — the AI Office of Ireland — is being created through the General Scheme of the Regulation of Artificial Intelligence Bill 2026 and must be operational by 1 August 2026. Given the concentration of multinational tech companies subject to EU AI Act provider obligations, Ireland's enforcement architecture will have reach far beyond its own territory.


A Regulation, Not a Directive: No Irish Transposition Required

The EU AI Act is a Regulation under Article 288 TFEU. It entered into force on 1 August 2024 and applies directly in every Member State, including Ireland, without being transposed into domestic law. Irish companies and the Irish subsidiaries of multinationals do not wait for a national statute before obligations bite.

Article 5's prohibited practices have applied since 2 February 2025. GPAI obligations under Chapter V have applied since 2 August 2025. What Ireland must provide — and what it is providing through the September 2025 designations and the 2026 Bill — is the domestic enforcement machinery: the authorities empowered to investigate, issue corrective orders, and impose fines under Article 99.

The General Scheme of the Regulation of Artificial Intelligence Bill 2026, published on 4 February 2026, gives domestic legal effect to enforcement powers and penalties under Regulation (EU) 2024/1689. It does not create new substantive AI obligations; those are set by the Regulation itself. It determines which Irish authorities can act on violations and how.


Ireland's Distributed Enforcement Model

Ireland adopted a distributed model rather than a single-authority structure, reflecting its existing regulatory architecture of specialist sectoral bodies. The result is a more complex map than Spain's (where AESIA is the single market surveillance authority) or Germany's (where the Bundesnetzagentur holds the central role).

In September 2025, the government designated 15 national competent authorities, each responsible for the EU AI Act within their existing domain. The EU single point of contact sits within the Department of Enterprise, Tourism and Employment (DETE).

The central coordinating body is the AI Office of Ireland, a new statutory independent body being established by the 2026 Bill. It must be operational by 1 August 2026 — the same date the Act's general provisions apply, including Article 50 limited-risk transparency obligations. There is no grace period: operational status and the start of general application are simultaneous.

The practical implication for companies: the relevant authority is the one that already regulates your sector. A fintech firm in Dublin engages the Central Bank of Ireland; a broadcaster engages Coimisiún na Meán. The AI Office of Ireland coordinates; it does not replace the 15.


Who Enforces the EU AI Act in Ireland?

The 15 Sectoral Competent Authorities

The September 2025 designations cover Ireland's main sectoral regulators. The key authorities for companies likely to encounter high-risk AI systems are:

Data Protection Commission (DPC): The DPC holds competence over AI systems with implications for fundamental rights and personal data. It is also Ireland's lead GDPR supervisory authority — and since Dublin hosts the EU establishments of many of the world's largest technology companies, the DPC is already the lead EU GDPR regulator for Google, Meta, Apple, LinkedIn, and others under the one-stop-shop mechanism. That double weight makes the DPC the most consequential AI Act authority in Ireland for technology companies.

Central Bank of Ireland: Responsible for AI systems deployed within the financial-services sector — credit scoring, insurance risk assessment, algorithmic trading systems, and automated lending decisions. Any AI system touching the creditworthiness determination or life/health insurance risk categories in Annex III, point 5(b) and 5(c), operated by a Central Bank-regulated entity, falls under its competence.

Coimisiún na Meán: Ireland's audiovisual and online-media regulator holds competence over AI use in audiovisual content, online platforms, and broadcasting — including, where relevant, Article 50 transparency obligations for AI-generated content and deepfakes.

Additional designated authorities cover health (Health Products Regulatory Authority and others), occupational safety and employment (Health and Safety Authority, Workplace Relations Commission), education, consumer protection, and utilities and telecoms. The full map of 15 authorities corresponds to the Annex III high-risk categories and the sectoral legislation those categories intersect.

AI Office of Ireland and DETE

Once the 2026 Bill is enacted, the AI Office of Ireland coordinates enforcement across the 15 authorities and provides guidance on the Regulation's application in Ireland. It is a statutory independent body, not a government department. DETE acts as Ireland's single point of contact (SPoC) under Article 70 — the conduit to the EU system, including the EU AI Office in Brussels.

EU AI Office (Brussels): GPAI Oversight — A Critical Distinction

Ireland-based companies that develop and place GPAI models on the market are supervised not by the AI Office of Ireland or the DPC but directly by the EU AI Office in Brussels. The EU AI Office holds competence over all GPAI model obligations under Articles 53 and 55. DETE is Ireland's SPoC for this interface.

The distinction is important to state plainly: the AI Office of Ireland (national coordinator) and the EU AI Office (Brussels-based GPAI supervisor) are different bodies. A company developing a large language model from Dublin must engage Brussels — not the AI Office of Ireland — for GPAI obligations.


How Ireland's Framework Interacts with the GDPR

The GDPR and the EU AI Act stack for any AI system that processes personal data — and that includes nearly every Annex III high-risk use case. In Ireland, that intersection has an added dimension: the DPC is simultaneously Ireland's EU AI Act competent authority for fundamental-rights-relevant AI and the lead EU GDPR supervisory authority for a large share of global technology companies.

The most direct structural overlap is between GDPR Article 35 (Data Protection Impact Assessment, or DPIA) and EU AI Act Article 27 (Fundamental Rights Impact Assessment, or FRIA). Both are mandatory before deploying systems they cover; both require documentation available to supervisors. Article 27(4) allows the FRIA to build on an existing DPIA — a meaningful efficiency for companies that have already embedded GDPR compliance in their processes.

A second interaction concerns automated decisions. GDPR Article 22 governs solely automated decisions with legal or similarly significant effects. Article 12 of the EU AI Act requires logging for high-risk AI systems. A Dublin company running AI recruitment screening that ranks or eliminates candidates operates under both simultaneously. Compliance documentation built for one framework informs the other; neither substitutes for the other.

Given the DPC's role as lead GDPR supervisor for many multinational EU establishments, any GDPR enforcement action touching a high-risk AI system will likely involve the DPC in its AI Act capacity as well. Regulatory relationships built around GDPR should be extended to cover EU AI Act preparedness.


The EU AI Act Timeline as It Applies in Ireland

| Date | What applies |
| --- | --- |
| 2 February 2025 | Article 5 prohibited practices and Article 4 AI literacy — in force and enforceable now |
| 2 August 2025 | GPAI obligations (Chapter V, Articles 51–56), governance, EU AI Office, Article 99 penalties |
| 2 August 2026 | General application including Article 50 limited-risk transparency; AI Office of Ireland operational |
| 2 December 2027 | Stand-alone high-risk AI systems (Annex III list) — deferred under the Digital Omnibus |
| 2 August 2028 | High-risk AI as safety components of Annex I regulated products — deferred under the Digital Omnibus |

Two points deserve direct statement.

Article 5 is already live. Prohibited practices — biometric categorisation by sensitive characteristics, real-time remote biometric identification in public spaces, social scoring, manipulation exploiting personal vulnerabilities — have been enforceable since 2 February 2025. Any company whose AI touches those categories should have completed its review.

The high-risk deadline is not 2026. Under the Digital Omnibus — political agreement reached 7 May 2026, formal adoption expected before 2 August 2026 — stand-alone Annex III systems have until 2 December 2027, and Annex I product high-risk AI has until 2 August 2028. That is not an invitation to delay: building an Article 9 risk management system, Annex IV technical documentation, Article 14 human oversight controls, and preparing a conformity assessment under Article 43 takes most organisations six to twelve months.


Penalties: What Companies in Ireland Face

The penalty framework is Article 99 of Regulation (EU) 2024/1689. The 2026 Bill establishes the domestic enforcement procedure through which Irish authorities can impose these fines. Three tiers apply:

  • €35,000,000 or 7% of total worldwide annual turnover (whichever is higher) — for violations of the Article 5 prohibitions.
  • €15,000,000 or 3% — for non-compliance with most other obligations, including high-risk AI requirements under Articles 9–15, provider obligations under Article 16, deployer obligations under Article 26, and Article 50 transparency duties.
  • €7,500,000 or 1% — for supplying incorrect, incomplete, or misleading information to notified bodies or competent authorities.

For smaller companies, Article 99(6) caps the fine at the lower of the fixed amount or the percentage. A company with €8 million in global annual turnover cannot face a €15 million fine for a high-risk obligation breach — 3% of €8 million is €240,000. The cap is meaningful for Irish indigenous companies and early-stage technology firms; it does not apply to multinationals where 3% of worldwide turnover exceeds the fixed maximum.

For the large multinationals headquartered in Dublin, the percentage calculation runs against global turnover. The quantum is set by the Regulation; the 2026 Bill sets the procedural mechanics for how Irish authorities impose it.

GPAI-specific fines are separate: up to €15 million or 3%, imposed on GPAI model providers directly by the European Commission under Article 101.


Ireland-Specific Compliance Considerations

Multinationals Running EU-Wide AI from Dublin

The EU AI Act's extraterritorial reach means that a company placing an AI system on the EU market or putting it into service for EU users is bound by the Regulation regardless of where it is headquartered. For technology companies with EU operations legally based in Ireland, this concentrates provider obligations within Irish jurisdiction.

A provider placing a high-risk AI system on the EU market from its Dublin establishment must comply with Article 16's full obligation set: Article 9 risk management system, Article 11 / Annex IV technical documentation, Article 12 logging, Article 13 transparency information, Article 14 human oversight, Article 15 accuracy and cybersecurity, Article 17 quality management, Article 43 conformity assessment, Article 47 / Annex V Declaration of Conformity, and Article 49 registration in the EU database. The DPC and the AI Office of Ireland are the first-instance counterparts; the EU AI Office is the counterpart for any GPAI obligations.

The DPC's Dual Role

For any multinational with EU headquarters in Dublin, the DPC will simultaneously supervise GDPR compliance and, where fundamental rights or personal data are implicated, EU AI Act compliance. An AI incident that triggers GDPR investigation will likely trigger AI Act scrutiny. Regulatory relationships built around GDPR should be explicitly extended to cover EU AI Act preparedness.

Navigating 15 Authorities: Know Which Regulator Owns Your Sector

Identifying the correct authority is itself a compliance step in the distributed model. A medtech company building an AI diagnostic tool in Cork answers to the health regulators; a Dublin HR-tech firm building recruitment screening software answers to the employment and workplace safety regulators. Submitting documentation to the wrong authority is a foreseeable source of friction.

The AI Office of Ireland's coordination role should over time produce guidance on which authority leads for cross-sectoral AI systems. Until that guidance matures, companies should map their AI inventory to the relevant sectoral authority before any regulatory interaction begins.

Public-Sector FRIA and Article 25

Irish public bodies that deploy Annex III high-risk AI systems must complete an Article 27 FRIA before putting systems into service. The FRIA obligation falls on the deploying body — the supplier's Article 11 / Annex IV technical documentation informs it but does not substitute for it.

The Article 25 line matters equally: companies that substantially modify a high-risk AI system or place it on the market under their own name become providers subject to the full Article 16 stack. For Ireland's technology sector, where many companies build on third-party foundation models and distribute products to EU customers, this shift is not theoretical. If you build a recruitment tool on a third-party model and sell it under your brand, you are the provider — the model vendor is not.


How Confir Helps Companies in Ireland

Companies in Ireland building their EU AI Act compliance programmes face a documentation-intensive workload: AI inventory, Article 9 risk management records, Annex IV technical documentation, Article 27 FRIAs where required, Article 43 conformity preparation, and Article 12 logging. Multinationals running EU-wide AI from Dublin face the same stack at scale.

Confir is an EU-hosted compliance tool built specifically for this work. Its classification engine is rule-based and deterministic — it encodes Articles 5 and 6 with Annex III logic in explicit rules, so the same intake produces the same finding every time, with a human-readable explanation. It generates the Annex IV technical documentation pack, the Article 47 / Annex V Declaration of Conformity, and the Article 27 FRIA. Self-serve from €600 per year, no consulting engagement required.


What Companies in Ireland Should Do Now

Immediately (Article 5 already applies): Audit any AI system involving biometric categorisation by sensitive characteristics, social scoring, subliminal manipulation, or real-time biometric identification in public spaces. These prohibitions have been enforceable since 2 February 2025 — Irish authorities hold the power to act now.

Before 2 August 2026 (Article 50 and AI Office of Ireland operational): AI systems interacting with natural persons must comply with Article 50's disclosure requirements — users must know when they are interacting with AI and when content is synthetic. This deadline has not been deferred.

Identify which of the 15 authorities owns your sector: Central Bank for financial services; DPC for data-intensive AI; Coimisiún na Meán for online media. The AI Office of Ireland coordinates; the sectoral authority enforces.

2026–2027 (high-risk preparation): Stand-alone Annex III systems have until 2 December 2027. Use 2026 to build the AI inventory, classify systems, apply the Article 6(3) filter, assign provider/deployer roles, and begin Annex IV documentation. Public bodies should initiate FRIA planning in parallel.

Track the 2026 Bill and the AI Office of Ireland's first guidance. The General Scheme is a blueprint; the enacted law and the AI Office of Ireland's initial guidance will determine the procedural specifics. Companies with existing DPC relationships should extend those conversations to cover AI Act preparedness.


Frequently Asked Questions

Who enforces the EU AI Act in Ireland?

Ireland uses a distributed model: 15 existing sectoral regulators each with competence in their domain, the AI Office of Ireland as a statutory central coordinator, and DETE as the EU single point of contact under Article 70. Key authorities are the Data Protection Commission (fundamental rights, data), the Central Bank of Ireland (financial services), and Coimisiún na Meán (audiovisual and online media). The EU AI Office in Brussels directly supervises GPAI model providers across the EU.

What is the AI Office of Ireland?

A new statutory independent body being created through the General Scheme of the Regulation of Artificial Intelligence Bill 2026, published 4 February 2026. It coordinates enforcement across Ireland's 15 designated competent authorities and must be operational by 1 August 2026. It is a national body — distinct from the EU AI Office in Brussels, which supervises GPAI model providers under Articles 53 and 55.

How many AI Act competent authorities does Ireland have?

Ireland designated 15 national competent authorities in September 2025, drawn from existing sectoral regulators. DETE is the EU single point of contact. The AI Office of Ireland, once established, acts as central coordinator across all 15.

What are the EU AI Act fines in Ireland?

Article 99 sets three tiers: €35 million or 7% of global annual turnover for Article 5 prohibition breaches; €15 million or 3% for most other obligations including high-risk requirements and deployer duties; and €7.5 million or 1% for supplying incorrect information to authorities. Article 99(6) caps fines for smaller companies at the lower of the fixed amount or the percentage. For large multinationals headquartered in Dublin, the percentage runs against worldwide turnover.

What is the Data Protection Commission's role in EU AI Act enforcement?

The DPC holds competence for AI systems with implications for fundamental rights and personal data, and is also Ireland's lead GDPR supervisory authority — the one-stop-shop lead for many multinationals with EU establishments in Dublin. This means GDPR enforcement actions touching AI systems with high-risk characteristics will likely involve the DPC in both capacities. The GDPR Article 35 DPIA and AI Act Article 27 FRIA can be coordinated; Article 27(4) allows the FRIA to build on an existing DPIA.

When do high-risk AI rules apply in Ireland?

Under the Digital Omnibus (political agreement 7 May 2026): stand-alone Annex III systems apply from 2 December 2027; high-risk AI in Annex I regulated products from 2 August 2028. Article 5 prohibitions have applied since 2 February 2025. Article 50 limited-risk transparency obligations apply from 2 August 2026.

Does the EU AI Act require Irish legislation to apply?

No. Regulation (EU) 2024/1689 applies directly under Article 288 TFEU. The General Scheme of the Regulation of Artificial Intelligence Bill 2026 does not create substantive AI obligations — those are set by the Regulation. The Bill gives Irish authorities the domestic legal powers to investigate and sanction, and establishes the AI Office of Ireland.

