Centralized Authority Changes the Compliance Playbook

The May 7, 2026 AI Omnibus political agreement introduced a governance refinement that fundamentally reshapes how the EU regulates AI: expanded AI Office authority over general-purpose AI models, with carefully carved exemptions for member states in sensitive domains.

Under the new framework, the AI Office gains supervisory competence over GPAI systems across the EU—but with critical exceptions. National authorities retain control where law enforcement, border management, judicial operations, and financial institutions are involved. This creates a two-tier enforcement model that Irish enterprises must now navigate.

Why This Matters for Irish Builders

For Irish AI companies and organizations deploying GPAI systems, this agreement signals a shift from fragmented national enforcement toward centralized Brussels oversight. But the carve-outs introduce complexity: if your AI system touches financial services, border security, or law enforcement use cases, you’re still dealing with Irish regulatory authorities. Everything else flows through the EU’s AI Office.

This has immediate practical consequences. Companies building general-purpose models or integrating GPAI components must now prepare for EU-level compliance monitoring rather than relying on bilateral relationships with national regulators. The AI Office hasn’t yet published detailed supervisory procedures, creating uncertainty about what this oversight actually looks like in practice.

The Compliance Architecture Shift

Previously, the AI Act’s enforcement relied on a distributed model: national authorities handled most day-to-day compliance, with the Commission stepping in for cross-border disputes. The Omnibus deal consolidates GPAI oversight under the AI Office, which began operations in Ireland in August 2026. This concentration of authority means:

  • Centralized standards: One AI Office interprets transparency, safety, and capability disclosure requirements for all GPAI systems
  • Faster escalation: Compliance issues now reach EU-level decision-makers more directly
  • Reduced regulatory arbitrage: Irish enterprises can’t play different member states against each other on GPAI matters
  • Domain-specific exceptions: Carve-outs for law enforcement and financial services create pockets of national authority that require separate compliance frameworks

Practical Implications for Implementation

Irish developers and enterprises deploying GPAI systems should immediately audit which use cases fall under national exemptions versus AI Office oversight. A GPAI system powering financial compliance tools needs different governance than one supporting general business analytics.

The AI Office will likely publish supervisory guidance by late 2026 or early 2027. Organizations should prepare for more structured, formalized oversight than the current transitional period allows. This includes documentation of model capabilities, transparency mechanisms, and risk assessment procedures—all potentially subject to centralized EU auditing.

Open Questions

Several critical details remain unclear: How will the AI Office coordinate with national authorities in exempted domains? What reporting standards will apply to GPAI providers? Will the Office establish sector-specific guidance for different model types? And crucially: how will this centralization affect the timelines already extended by the Omnibus deal?

The agreement reflects pragmatism—acknowledging both industry need for clearer oversight and national sovereignty concerns. But the enforcement architecture still requires detailed rulebooks. Irish enterprises should monitor the AI Office’s regulatory output closely and begin mapping their GPAI deployments to this new governance model now.

Source: artificialintelligenceact.eu