Box-tickers will find AI Office regime ‘challenging’
Dale Sunderland

21 May 2026 data law

Successfully harnessing the benefits and managing the risks of AI requires collaboration across government, industry, academia and civil society, Niamh Smyth (Minister of State for Trade Promotion, Artificial Intelligence and Digital Transformation) has said.

The Minister was speaking at the third annual William Fry AI summit, Trust, Governance and the Future of AI in Europe, held at the Dublin Royal Convention Centre (14 May).

The opening panel, Regulating AI in Ireland: Emerging Supervisory Architecture, moderated by Rachel Hayes of William Fry, discussed Ireland's preparation for the EU AI Act and the broader European digital regulatory framework.

Jean Carberry of the Department of Enterprise explained that the new AI Office, Oifig Intleachta Shaorga na hÉireann, would be established by August, when the AI Act's prohibited practices provisions came into force.

Carberry said that Ireland had adopted a distributed model, designating 13 competent authorities, four notifying authorities, and nine fundamental-rights bodies under the act.

The AI Office will sit at the centre of these, providing coherence across enforcement, acting as a shared interpretive resource, and serving as a single point of contact for citizens, the EU, and government.

Secondary objective

“The office will also have a secondary objective,” Carberry said, “which is to promote innovation in AI in Ireland. And one of the tools that it will have to do that will be an AI regulatory sandbox.”

Legislation to give the office a statutory basis and to provide the powers required to the regulators is being prepared, and a skeleton staff is already in place.

“We are currently going through a process of hiring a chief executive officer who we expect to have in place within the next number of weeks,” she added.

Carberry stressed that, except for transparency obligations, only high-risk and prohibited uses fell within scope of the act, which the commission originally designed to apply to fewer than 10% of AI use cases.

It will not apply to “most productivity uses”.

Harmonised EU standards were in development, Carberry added, and there would be a certification framework.

Certified product

“Once you've got a certified product, there's nothing to worry about from a regulatory standpoint,” she said.

She also flagged that the AI Simplification Act had been agreed and would be among the first instruments signed during Ireland's EU presidency, with further digital omnibus legislation expected early next year.

John Evans of Coimisiún na Meán pointed to the existing Digital Regulators Group and bilateral cooperation agreements as practical foundations on which AI regulatory coordination between multiple regulators with overlapping competences could be built.

The panellists agreed that adequate resourcing was vital.

“We have to give life to the registry regime,” Evans said, “and getting the correct skills in is important”.

Dale Sunderland of the Data Protection Commission (pictured) said: "The eyes of Europe are watching us".

The regulatory architecture being put in place must be backed by sufficient staff and technical expertise, he said.

Market surveillance authority role

“We still are the lead EU regulator under the GDPR, and that is our top priority, and that needs to be sustained. We need both staff and technical expertise,” he said.

Sunderland added that, while it “breaks new ground for the DPC, particularly around the MSA, market surveillance authority role”, AI regulation is "not a new thing in Ireland".

Under the GDPR, the DPC has been regulating large language models in its capacity as lead supervisory authority.

Over the past four years, it has engaged with 180 different AI products and services, with AI a component in one in four matters before the supervision team.

Red lines

The ex ante engagement is designed to identify "red lines" and significant risks "before it hits the market".

“For the most part, the recommendations have been accepted by the companies concerned,” Sunderland said.

And, where they have not, as in X's processing of personal data for model training, the regulator has turned to the courts.

Trevor Fitzpatrick of the Central Bank noted that AI was not new in financial services either and pointed to work being undertaken by the European Supervisory Authority to map where existing obligations, such as DORA's cyber requirements, might satisfy corresponding AI Act requirements, reducing duplicative compliance.

Lifecycle evaluation

He framed the act's requirements for risk management, lifecycle evaluation, fairness, and bias assessment not as burdens, but as disciplines that any responsible AI deployer should have in place. 

"I don't think it's getting in the way of innovation; I think of it as a way for businesses to deploy AI services that are reliable and that consumers can trust."

Sunderland echoed this, urging organisations to embed AI risk and harm mitigation across every function, rather than treating it as a compliance-team exercise.

Organisations that have historically viewed regulation as "a compliance exercise to keep someone else happy," he said, will find this "a really, really challenging environment".

Integrated processes

He also suggested that a data-protection impact assessment under the GDPR should not be treated as an entirely separate exercise from a fundamental-rights impact assessment under the AI Act – organisations should build integrated processes capable of servicing multiple regulatory obligations at once.

Trevor Fitzpatrick highlighted the difficulty that agentic AI posed for the act's core assumptions, namely that a system could be well-defined at the point of deployment, that its risk profile remained stable, and that the roles of provider and deployer were clearly distinguishable. 

He also identified an "evaluation gap" between the pace of AI deployment and the ability of regulators and industry to measure capability and risk as a significant challenge for member states, governments, and industry alike.

Gazette Desk
Gazette.ie is the daily legal news site of the Law Society of Ireland