Flint Brief

Brief № 009 · Regulation

AI Act enforcement is no longer theoretical

The Commission's new Scientific Panel and Advisory Forum do not create new SME duties, but they make AI Act interpretation and surveillance more concrete.

By Eleanor Whitcombe 5 min read Last verified

The European Parliament chamber in Strasbourg with tiered blue seating, EU flags and an empty speaker area.
Photo: Modern parliamentary chamber with tiered seating by Nico Ruge on Unsplash
On this page
  1. What the Commission actually appointed
  2. Why this is enforcement, not decoration
  3. The high-risk clock still changed
  4. What this changes for SME buyers
  5. A simple register beats a policy PDF
  6. The useful reading of 1 June

The AI Act now has a sharper enforcement shape than it had a week ago. The law is not new, and the duties have not suddenly expanded, but the machinery behind interpretation, surveillance and technical judgment is moving from organisational chart to operating layer.

On 1 June 2026 the European Commission appointed two bodies to support that layer: a Scientific Panel and an Advisory Forum. The appointment matters because the next AI Act questions will not be answered only by reading Art. 6, Art. 50 or Annex III. They will be answered through guidance, expert alerts, model evaluations, standards work and national enforcement practice.

What the Commission actually appointed

The Scientific Panel is the narrower body. It has 60 independent experts appointed for two-year terms. Its brief is technical and concentrated on general-purpose AI, systemic-risk models, model classification, evaluation methodologies and cross-border market surveillance. In plain English: it is not a broad SME help desk. It is the expert layer that can help the AI Office and national authorities understand powerful models and their downstream risks.

The Advisory Forum is deliberately broader. It has 174 members selected from more than 700 applications across academia, civil society and industry, including SMEs and startups. Its task is to provide technical expertise on the implementation of the AI Act, standardisation problems and the practical friction between legal categories and deployed systems. Permanent participants include the EU Fundamental Rights Agency, ENISA and European standardisation bodies.

That split is sensible. The Scientific Panel exists for technical depth. The Advisory Forum exists for institutional breadth. Neither body replaces the AI Office, the AI Board or national authorities. Both bodies make their work more concrete.

Why this is enforcement, not decoration

The legal basis is not ornamental. Art. 68 of the AI Act sets up the Scientific Panel to support enforcement activities. Art. 90 then gives the panel a specific trigger: it may provide a qualified alert to the AI Office when it has reason to suspect that a general-purpose AI model poses a concrete identifiable risk at Union level, or meets the conditions for systemic-risk classification.

That alert is not a press release. It can lead the Commission, through the AI Office, toward formal powers. Under Art. 91, the Commission may request documentation and information from a GPAI model provider. Under Art. 92, it may conduct evaluations and request access through APIs or other technical means where necessary. The panel is therefore part of the route from suspicion to inspection.

For most SMEs, that route will remain indirect. A manufacturer using an embedded assistant, a professional-services firm buying a document tool, or a retailer deploying a customer-support chatbot is unlikely to face the Scientific Panel itself. But the model provider behind the tool might. So might the vendor packaging the model into a high-impact system. The downstream buyer then feels the effect through vendor questionnaires, contract terms, logging demands and risk-classification notes.

The high-risk clock still changed

The timing picture is messy because the AI Act is now being implemented and simplified at the same time.

Following the political agreement on the AI Omnibus, the Commission’s high-risk guidance page now describes a new enforcement timeline: rules for systems used in areas such as biometrics, critical infrastructure, education, employment, migration, asylum and border control apply from 2 December 2027, while systems integrated into products such as robotics and industrial machinery apply from 2 August 2028.

That delay matters for providers and deployers near Annex III. It does not mean the AI Act is asleep. The governance and GPAI provisions have already moved into the active phase. The Commission is publishing guidelines. Stakeholder consultations are open. Expert bodies are appointed. The compliance calendar is becoming more staggered, not less real.

For an SME, the practical mistake is to read “high-risk delayed” as “nothing to do”. The better reading is narrower: some heavy obligations get more time, but the evidence trail should start now because classification, vendor dependency and internal use will be harder to reconstruct later.

What this changes for SME buyers

An SME buying AI in 2026 should assume three things.

First, model provenance will matter more. If a tool depends on a general-purpose model, the buyer needs to know which provider sits behind the interface, whether the model is changed silently, and what documentation the vendor can pass through. This is not only a legal question. It is procurement hygiene.

Second, risk classification will become less casual. The Commission’s draft high-risk guidelines are not legally binding, but they state the Commission’s interpretation and will guide enforcement. If a supplier says “not high-risk”, the buyer should ask for the reasoning, not only the conclusion.

Third, standards and implementation guidance will become part of ordinary vendor assessment. The Advisory Forum’s brief includes standardisation and implementation challenges. That is where many SME problems live: not in abstract AI ethics, but in the gap between a legal category and a messy workflow.

A simple register beats a policy PDF

The first deliverable is not a 40-page AI policy. It is a live register of AI systems the company actually uses.

Register fieldWhy it matters
Tool and providerIdentifies who controls the model and the service layer
Business purposeSeparates assistive use from decision-impacting use
Data processedFrames privacy, confidentiality and trade-secret risk
Users or persons affectedShows whether customers, workers or applicants are exposed
Human oversightRecords who can review, override or stop the system
Vendor documentationPreserves evidence before a questionnaire arrives
Initial AI Act viewCaptures why the system is minimal, limited or possibly high-risk

Source: Regulation (EU) 2024/1689; European Commission AI Act implementation pages. Last verified 2026-06-07.

This register does not solve every legal issue. It does something more useful: it gives the business a memory. When a vendor changes model, when a customer asks for assurance, or when a national authority publishes sector guidance, the company is not starting from folklore.

The useful reading of 1 June

The 1 June appointments should not be overread. They do not create a new deadline for ordinary SMEs. They do not make every AI tool high-risk. They do not mean Brussels is about to inspect every chatbot.

They do signal that AI Act enforcement is becoming staffed, technical and procedural. The next phase will be less about arguing whether the Act exists and more about producing evidence that a concrete system was classified, monitored and bought with a defensible understanding of its risk.

For SME operators, the response is deliberately boring: make the list, identify the vendors, write down the use cases, preserve the documentation, and revisit the classification when the final guidance lands. Enforcement machinery rewards records. It rarely rewards confident improvisation.

Frequently asked questions

Does the new Scientific Panel create new AI Act obligations?

No. The obligations still come from Regulation (EU) 2024/1689 and its implementing measures. The panel supports enforcement, especially for general-purpose AI models and systemic-risk questions.

Should an ordinary SME worry about the Scientific Panel?

Indirectly. Most SMEs will not be investigated by it, but its work will shape how model providers, vendors, auditors and national authorities interpret GPAI risk, documentation and surveillance.

What changed for high-risk AI in May and June 2026?

The Commission published draft high-risk classification guidelines and opened consultation until 23 June 2026. Under the AI Omnibus timeline, many standalone Annex III high-risk obligations move to 2 December 2027 and product-integrated systems to 2 August 2028.

What should an SME document first?

Start with a live AI system register: tool, provider, purpose, data processed, users affected, human oversight, vendor documentation and a first risk-classification note. That is more useful than a generic AI policy.

Sources

  1. Primary Regulation (EU) 2024/1689 laying down harmonised rules on artificial intelligence EUR-Lex accessed
  2. Official AI Act enforcement gets independent expert support European Commission accessed
  3. Official AI Act Scientific Panel European Commission accessed
  4. Official AI Act Advisory Forum European Commission accessed
  5. Official Guidelines for providers and deployers of AI high-risk systems European Commission accessed
  6. Official AI Act European Commission accessed

Image credit: Photo: Modern parliamentary chamber with tiered seating by Nico Ruge on Unsplash

Eleanor Whitcombe covers EU AI regulation for Flint Brief.

Spotted an error or want a right of reply? hello@flintbrief.com (subject [Right of reply]).