EU Country Codes & AI Authorities
EU Country Codes & AI Authorities
A structured reference of all 27 EU member states, their AI supervisory authorities (under the EU AI Act), and their Data Protection Authorities (under GDPR). This page is a living document — many AI Act authorities are still being designated (deadline: August 2025).
The Regulatory Structure
flowchart TD
EU_AI[EU AI Office - Brussels] --> MS[Member State AI Authorities]
EDPB[European Data Protection Board] --> DPA[National DPAs]
MS --> enforcement[Enforcement of AI Act]
DPA --> gdpr_enforcement[GDPR Enforcement]
enforcement -.-> overlap{Overlap: AI + Personal Data}
gdpr_enforcement -.-> overlapEU AI Office — Central EU body overseeing General-Purpose AI (GPAI) models and coordinating enforcement.
National AI Authorities — Each member state must designate at least one supervisory authority for the AI Act (by August 2025).
National DPAs — Already established under GDPR. Often overlap with AI authority responsibilities (especially where AI processes personal data).
All 27 Member States
| Code | Country | AI Act Authority | Data Protection Authority | Status |
|---|---|---|---|---|
| AT | Austria | TBD | Österreichische Datenschutzbehörde (DSB) | Pending |
| BE | Belgium | TBD | Autorité de protection des données (APD) | Pending |
| BG | Bulgaria | TBD | Commission for Personal Data Protection (CPDP) | Pending |
| HR | Croatia | TBD | Agencija za zaštitu osobnih podataka (AZOP) | Pending |
| CY | Cyprus | TBD | Commissioner for Personal Data Protection | Pending |
| CZ | Czechia | TBD | Úřad pro ochranu osobních údajů (ÚOOÚ) | Pending |
| DK | Denmark | TBD | Datatilsynet | Pending |
| EE | Estonia | TBD | Andmekaitse Inspektsioon (AKI) | Pending |
| FI | Finland | TBD | Tietosuojavaltuutetun toimisto | Pending |
| FR | France | TBD (likely CNIL or DGA) | CNIL | Pending |
| DE | Germany | TBD (likely BNetzA) | BfDI (Federal) + 16 State DPAs | Pending |
| GR | Greece | TBD | Hellenic DPA (HDPA) | Pending |
| HU | Hungary | TBD | Nemzeti Adatvédelmi és Információszabadság Hatóság (NAIH) | Pending |
| IE | Ireland | TBD | Data Protection Commission (DPC) | Pending |
| IT | Italy | TBD (likely AGID or Garante) | Garante per la protezione dei dati personali | Pending |
| LV | Latvia | TBD | Datu valsts inspekcija (DVI) | Pending |
| LT | Lithuania | TBD | Valstybinė duomenų apsaugos inspekcija (VDAI) | Pending |
| LU | Luxembourg | TBD | Commission nationale pour la protection des données (CNPD) | Pending |
| MT | Malta | TBD | Information and Data Protection Commissioner (IDPC) | Pending |
| NL | Netherlands | TBD (likely Autoriteit Persoonsgegevens) | Autoriteit Persoonsgegevens (AP) | Pending |
| PL | Poland | TBD | Urząd Ochrony Danych Osobowych (UODO) | Pending |
| PT | Portugal | TBD | Comissão Nacional de Proteção de Dados (CNPD) | Pending |
| RO | Romania | TBD | Autoritatea Națională de Supraveghere (ANSPDCP) | Pending |
| SK | Slovakia | TBD | Úrad na ochranu osobných údajov (ÚOOU) | Pending |
| SI | Slovenia | TBD | Informacijski pooblaščenec (IP) | Pending |
| ES | Spain | TBD (likely AESIA) | Agencia Española de Protección de Datos (AEPD) | Pending |
| SE | Sweden | TBD | Integritetsskyddsmyndigheten (IMY) | Pending |
Key Countries (Detailed Pages)
These countries have the most active AI regulatory environments:
- France — CNIL already active on AI. Likely DGA or dedicated body for AI Act.
countries/france.md - Germany — Complex federal structure. BNetzA proposed. 16 state DPAs complicate enforcement.
countries/germany.md - Ireland — DPC handles many Big Tech cases (headquarters effect). AI Act authority TBD.
countries/ireland.md - Italy — Garante already took action (ChatGPT ban, 2023). Proactive approach.
countries/italy.md - Netherlands — AP actively investigating algorithmic decision-making.
countries/netherlands.md - Spain — AESIA (Spanish AI Supervisory Agency) created — one of the first.
countries/spain.md
GDPR & AI — The Intersection
GDPR is already enforced. The AI Act is coming. They overlap significantly:
| Issue | GDPR Article | AI Act Relevance |
|---|---|---|
| Automated decision-making | Art. 22 | High-risk AI systems must allow human oversight |
| Right to explanation | Art. 13-15 | AI Act requires transparency for all AI systems |
| Data minimisation | Art. 5(1)(c) | Tension with AI’s need for large training datasets |
| DPIA required | Art. 35 | AI Act requires conformity assessment (similar but distinct) |
| Lawful basis for training | Art. 6 | Open question: legitimate interest vs consent for training data |
| Cross-border transfers | Art. 44-49 | Training data often crosses borders |
Key insight: Many AI Act enforcement actions will involve GDPR too. The authorities will need to coordinate — or will be the same body.
→ Full analysis: GDPR & AI.md (to be written)
EU AI Office
Centralised body in Brussels responsible for:
- Oversight of General-Purpose AI models (like GPT, Claude, Gemini)
- Coordinating national authorities
- Developing codes of practice
- Monitoring systemic risks
Established under the AI Act. Operational from 2024.
→ Full profile: authorities/EU AI Office.md (to be written)
Tracking Authority Designation
As member states designate their AI Act supervisory authorities throughout 2025-2026, this page will be updated. Key questions to track per country:
- Which body was designated? (New or existing?)
- What resources/budget were allocated?
- Does it overlap with the DPA?
- What enforcement powers does it have?
- Has it issued any guidance yet?
Go Deeper
- EU AI Act — The regulation these authorities enforce
- ISO 42001 AI Management System — Standards framework
- Legal & Compliance — Back to the legal section
- AI Safety & Ethics — The principles behind the regulation
- AI Intelligence Hub — Back to the hub home