Trusq

factual analysis · traceable to primary sources

Topics Opportunities Take the check Work with us LinkedIn NLΒ·EN
Explainer

Filing a complaint under the AI Act and how enforcement works

Adopted 2026-06-22 Β· ≈ 2 min read Β· Dirk Baaijen

Anyone can file a complaint with the national market surveillance authority if an AI system breaches the AI Act. The supervisor investigates, can request documentation, require measures and impose fines. The process runs from report to decision and appeal.

Short answer: Anyone who believes an AI system breaches the AI Act can lodge a complaint with the national market surveillance authority, which is obliged to handle it. The supervisor investigates, can request documentation and, if needed, impose measures or fines. Where personal data are also involved, a parallel route runs through the privacy regulator.

Who can complain and about what

The AI Act gives any natural or legal person the right to lodge a complaint with a market surveillance authority about a suspected infringement. You need not be directly affected. Complaints may concern prohibited practices, high-risk systems that fail to meet their obligations, or a lack of transparency. Which national supervisor is competent depends on sector and country.

The steps of the process

In broad terms, enforcement proceeds as follows:

  • Report β€” you file the complaint with the competent supervisor, with the most concrete substantiation possible.
  • Assessment β€” the supervisor decides whether the complaint falls within its mandate and whether there are grounds to investigate.
  • Investigation β€” the supervisor can request technical documentation, log files and information; for high-risk systems also the conformity documentation.
  • Measure β€” on finding an infringement, the supervisor can require corrective measures, have the system withdrawn from the market or impose a fine.
  • Decision and appeal β€” the decision is reasoned; the company concerned can object and appeal.

What the supervisor can enforce

Market surveillance authorities have binding powers: access to documentation, setting a deadline to bring a system into compliance, and ultimately banning or recalling a system. Fines run up to EUR 35 million or 7% of worldwide annual turnover for the most serious infringements. For GPAI models, enforcement runs not through the national route but through the AI Office.

Overlap with the GDPR

Where a complaint also concerns personal data β€” for example with profiling or biometrics β€” the same case may fall under both the AI Act and the GDPR. In the Netherlands the Data Protection Authority is then a natural channel. A single set of facts can thus lead to two parallel investigations.

What to do

  • Gather evidence: describe the system, the provider and the suspected defect as concretely as possible.
  • Choose the right channel: model or application, and which sector β€” see national supervisors.
  • Consider the GDPR route where personal data are involved.
  • For organisations: make sure your audit documentation is in order, as it is requested first.
  • Know the financial risks: see fines and enforcement.

Sources

  1. https://eur-lex.europa.eu/eli/reg/2024/1689/oj
    Regulation (EU) 2024/1689 (AI Act); Art. 85 on the right to lodge a complaint with a market surveillance authority.
  2. https://eur-lex.europa.eu/eli/reg/2016/679/oj
    Regulation (EU) 2016/679 (GDPR); parallel complaint route to the data protection authority where personal data are involved.

Share on LinkedIn

Read next

U

National supervisors: how AI Act enforcement is divided (the Dutch case)

The AI Act is largely enforced nationally. In the Netherlands a draft Implementation Act (consultation 20 April–1 June 2026) gives the AP and RDI a coordinating role over ten existing market surveillance authorities, with the AFM and DNB supervising the financial sector.

W

The AI Act for SMEs: proportionality, sandboxes and costs

The AI Act applies to SMEs too, but builds in relief: proportionate documentation, priority and lower cost in regulatory sandboxes, and fines with an SME cap. This guide shows what to watch for as a small business.

U

The AI Office: role, tasks and enforcement powers

The AI Office within the European Commission coordinates implementation of the AI Act and is the exclusive supervisor of GPAI models. It draws up codes of practice, conducts investigations and can have fines imposed on model providers.

Dirk Baaijen

About this knowledge base

Compiled and maintained by YRproject β€” programme and project direction at the intersection of digital transformation, AI and regulation. Every factual claim is traceable to its primary source. YRproject is led by Dirk Baaijen About & method β†’

A project or programme? Work with YRproject β†’

The monthly briefing

AI regulation in five minutes: what changed, what is coming and what it means. No spam, unsubscribe anytime.

Your address is used for this only and stored on our own servers.