"The CNPD has expressed its commitment to supporting responsible innovation and facilitating the development and use of AI in compliance with legislation on the protection of personal data,” said the National Commission for Data Protection (CNPD) in early autumn about the ongoing discussions. "We welcome the AI Act, which will strengthen Europe's global competitiveness and data sovereignty while bringing benefits to citizens and businesses. The AI Act and other new European regulations (such as the DMA, DSA, DGA or DA) area either modifying the GDPR slightly or developing it further. These new regulations incorporate data protection from the outset ("privacy by design"), taking the principles of personal data protection as the basis on which the other aspects are built. All these texts make explicit reference to the GDPR."

On the eve of the Christmas and New Year truce, the minister delegate to the prime minister, responsible for media and connectivity, (CSV), has submitted the text blessing this organisation, which is both horizontal and vertical, in the interests of consistency and efficiency.

The horizontal market supervisory authority, responsible for supervising AI in all areas not specifically assigned to other authorities, will have a supervisory and coordinating function alongside the other regulators designated on the basis of their respective areas of competence:

- the Judicial Review Authority for AI systems used by the courts of the judicial order, including the public prosecutor's office, and the administrative order in the exercise of their jurisdictional functions;

- the Financial Sector Supervisory Commission (CSSF);

- the Supervisory Authority for the Insurance Sector (CAA);

- the Luxembourg Institute for Standardisation, Accreditation, Safety and Quality of Products and Services (Ilnas)

- the Luxembourg Regulatory Institute (ILR) for "high-risk AI system deployers", operators of essential or important services in the sense of cybersecurity;

- the Luxembourg Medicines and Healthcare Products Agency (ALMPS)

- the Luxembourg Independent Audiovisual Authority (Alia) for content (output) produced by an AI system, such as images, text, sound and video.

These bodies can request information, carry out investigations and impose administrative penalties.

Four of these players are also designated as 'notifying authorities', meaning that they must check products and services before they are placed on the market: Ilnas, the Government Data Protection Commissioner's Office and ALMPS.

"We will have to learn how to work with the new rules and cooperate between the Data Protection Authorities and with other existing or newly created authorities. This cooperation will be essential to ensure consistent and effective application of the new rules," the CNPD also said in September. "DPAs, with their extensive experience in data processing, data security and assessing the risks to fundamental rights posed by new technologies, should play a leading role in this new enforcement framework. Our experience in developing guidelines and best practices can serve as an example for other national authorities and new European bodies.

This new organisation, which aims to avoid both gaps and duplication, is also--logically--accompanied by new human and financial requirements, quantified in the bill: 8 full-time equivalents from 2025 and three in 2026, i.e. an estimated €3.1m for the next two years for the CNPD; €41.300 for Alia and 3 additional FTEs from the first year when the law comes into force, i.e. €500,000 per year, while the other regulators had not yet responded to the estimate of their additional needs.

Sandboxing to come

These needs could increase for the CNPD since Luxembourg's draft law on AI provides for the establishment of "regulatory sandboxes" for AI, controlled environments where companies and developers can test their innovative AI systems before they are put on the market, in collaboration with the relevant authorities. The aim is to facilitate AI innovation and development while ensuring compliance with legal and ethical requirements. The CNPD will have launched at least one sandbox by 2 August 2026.

The draft provides for administrative penalties for non-compliance with the provisions of the AI Regulation, of up to €35m or 7% of the company's total annual worldwide turnover.

With this text, Luxembourg would be the second country after Malta to have settled this issue, once the legislative process has been completed. According to the Future of Life Institute (Fli), more than two-thirds of the member states, which have until 2 August to act, have begun to take a serious interest in this new European text, the IA Act, with very different degrees of clarity and precision. “Spain", said Fli, emphasising the latitude that the European text leaves to the member states, "has created a Spanish Artificial Intelligence Supervisory Agency (AESIA) which acts as a single market surveillance authority under the Spanish Ministry for Digital Transformation." In contrast, Finland has proposed a decentralised model designating ten already existing market surveillance authorities, including the Energy Authority, the Transport and Communications Agency and the Medicines Agency."

While Luxembourg is in the first wave, it cannot "sleep" on its laurels: the first bans on certain AI systems will come into force in February; codes of practice must be sent to the European Commission by 2 May and a large proportion of the rules will be in force from 2 August, one year after the IA Act comes into force, while those who have already launched their products on the market before the European text will have until 2027 to comply.

Finally, contrary to popular belief, Europe is not the only bloc regulating and supervising developments in AI: 700 texts have been passed this year in the United States, after 200 last year, and China has a complete system, in both cases in environments completely different from the European Union.

This article was originally published in .