European Union: European Data Protection Supervisor adopted strategy for supervising systems under Artificial Intelligence Act

On 17 March 2026, the European Data Protection Supervisor (EDPS) adopted a compass outlining how it will implement its new mandate under the European Union's Artificial Intelligence (AI) Act as both market surveillance authority and notified body for AI systems used by EU institutions, bodies, offices and agencies. It applies to AI systems deployed within the EU public administration, particularly high-risk systems, including biometric and recruitment tools. It establishes a two-tier supervisory framework, combining ex ante conformity assessments for certain high-risk systems and ex post market surveillance and enforcement, alongside four strategic pillars covering supervision, regulatory coordination, institutional capacity-building, and international cooperation. It was stated that the EDPS will introduce enforcement procedures, audits, sandbox testing, and knowledge-sharing mechanisms while strengthening technical expertise and ensuring independence between its roles.