Article 89: Supervision and Enforcement for Union Institutions, Bodies, Offices and Agencies

Article 89 closes a critical governance gap: without it, EU institutions would be subject to the AI Act's obligations but have no enforcement authority overseeing them. Its core elements:

1. EDPS as supervisor: The European Data Protection Supervisor is designated as the market surveillance authority for Union institutions, bodies, offices, and agencies falling within the scope of the AI Act. This is a logical extension of the EDPS's existing supervisory role under the data protection framework. 2. Full enforcement powers: The EDPS exercises the same powers and fulfils the same obligations as national market surveillance authorities. This means Union institutions face the same enforcement regime as private-sector providers and deployers — there is no institutional immunity. 3. Fining power: Where a Union institution fails to comply, the EDPS may impose administrative fines under Article 98, ensuring enforcement has financial teeth. 4. Procedural parity: The EDPS follows the same procedures for non-compliance as national authorities under Chapter IX, ensuring consistent enforcement standards across the public and private sectors.

• Article 74 — Market surveillance and control: Article 89 extends the market surveillance framework to Union institutions by assigning the EDPS the role that national authorities play under Article 74.
• Article 98 — Fines for Union institutions: the penalty provisions specific to EU institutions, bodies, offices and agencies, which the EDPS administers.
• Article 88 — National competent authorities: Article 88 governs national-level authority designation; Article 89 is the Union-level counterpart.
• Article 113 — Application dates: Article 89 applies from 2 August 2026.

For EU institutions, bodies, offices and agencies:

1. Inventory AI systems — Conduct a comprehensive inventory of all AI systems developed or deployed by your institution. Classify each system by risk level (prohibited, high-risk, limited risk, minimal risk) to determine applicable obligations. 2. Appoint an AI compliance function — Designate a person or team responsible for AI Act compliance, distinct from but coordinating with the institution's Data Protection Officer. 3. Prepare for EDPS supervision — The EDPS will exercise market surveillance powers. Prepare technical documentation, conformity assessment records, and fundamental rights impact assessments for inspection. 4. Register high-risk systems — Ensure all high-risk AI systems are registered in the EU database under Article 49. 5. Budget for compliance — Allocate resources for conformity assessments, staff training, and ongoing monitoring, just as a private-sector operator would.

Article 89

Monitoring actions

1. For the purpose of carrying out the tasks assigned to it under this Section, the AI Office may take the necessary actions to monitor the effective implementation and compliance with this Regulation by providers of general-purpose AI models, including their adherence to approved codes of practice.

2. Downstream providers shall have the right to lodge a complaint alleging an infringement of this Regulation. A complaint shall be duly reasoned and indicate at least:

(a) the point of contact of the provider of the general-purpose AI model concerned;

(b) a description of the relevant facts, the provisions of this Regulation concerned, and the reason why the downstream provider considers that the provider of the general-purpose AI model concerned infringed this Regulation;

(c) any other information that the downstream provider that sent the request considers relevant, including, where appropriate, information gathered on its own initiative.