No. 118: From Data Processing to Artificial Intelligence: The Evolution of EU Technology Enforcement Under the GDPR and the AI Act
Abstract
This paper explores the evolution of the European Union’s (EU) regulatory approach to technology through a comparative analysis of the enforcement mechanisms under the General Data Protection Regulation (GDPR) and the Artificial Intelligence Act (AI Act). It focuses on three elements of enforcement: regulatory authorities, sanctions and penalties, and regulatory approaches. One of the primary issues of enforcement under the GDPR is its reliance on decentralized, national authorities, which has led to inconsistent application of the law, inefficient enforcement, and limited deterrence. These challenges are likely to recur under the AI Act because both laws rely heavily on national authorities. However, the AI Act introduces important structural distinctions, such as centralized enforcement for general-purpose AI via the newly established AI Office and a risk-based regulatory framework, which may improve enforcement efficiency and resource targeting. Despite these advancements, the AI Act faces its own unique challenges, such as potential ambiguity in its classification system. By drawing on lessons from GDPR implementation, this paper offers early insights into the potential effectiveness and pitfalls of AI governance in the EU.