EU AI Act enforcement starts August 2, 2026 — the GPAI builder's guide

The EU AI Act has been law since 2024, but enforcement powers for general-purpose AI (GPAI) providers only activate on August 2, 2026 — eight weeks from now. This is the deadline that's been on every compliance team's calendar for a year. Here's what actually changes, what to ship before then, and what it means if you're a buyer consuming GPAI models through an API.

What the August 2 deadline is

On August 2, 2025, GPAI providers became subject to the AI Act's Chapter V obligations: transparency templates, technical documentation, copyright policy, systemic risk assessment for frontier models.

On August 2, 2026, the European Commission's enforcement powers activate. Specifically:

• Article 91 — Request information. The Commission can compel any GPAI provider serving the EU to produce documentation on training data, compute, evals, and risk mitigations.
• Article 92 — Conduct evaluations. The Commission can run independent evaluations of GPAI models, including adversarial testing, with provider cooperation required.
• Article 93 — Request measures. When systemic risk is identified, the Commission can require providers to put mitigation measures in place, restrict market availability, or recall the model entirely.
• Article 101 — Fines. Up to 3% of global annual turnover or €15M, whichever is higher.

The Commission has indicated it will not penalize Code of Practice signatories acting in good faith for the first year after August 2026 activation — but the legal authority is there from day one.

What's already operational

The infrastructure is staffed:

The Code of Practice (June 2026, just finalized)

The GPAI Code of Practice was finalized in June 2026 after four drafting rounds and 1,000+ comments. Providers must either adopt the Code or demonstrate equivalent compliance by August 2, 2026.

Three core obligations the Code locks in:

1. Transparency template (published)

Providers must publish a transparency template covering:

• Model identity (name, version, release date)
• Intended use + known limitations
• Training data summary (now only required by category — web, licensed, synthetic — not specific datasets, after the April→June amendment)
• Compute used for training (in FLOPs)
• Evaluation results against published benchmarks
• Contact point for downstream users (no longer required to be a consumer-facing support line, after the amendment)

2. Copyright compliance framework

Providers must:

• Maintain policy for respecting the EU Text and Data Mining (TDM) opt-out under Article 4(3) of the DSM Directive
• Implement state-of-the-art technical measures to identify and exclude opted-out content
• Provide a single point of contact for rightsholders

3. Systemic risk methodology (frontier models only)

For models trained on >10^25 FLOPs (Claude Opus 4.x, GPT-5.x, Gemini 3.x, Llama 4 405B+):

• Annual systemic risk assessment using the Code's published methodology
• Adversarial testing covering specified threat categories: CBRN, cyber, large-scale persuasion, autonomous AI systems
• Incident reporting to the AI Office for misuse causing serious harm (narrowed from the April draft's "any harm" standard)
• Cybersecurity measures meeting Annex XI standards

The methodology covers eval set construction, red-team protocols, mitigation taxonomy, and disclosure formats. The full text is at artificialintelligenceact.eu.

What this means if you SHIP a GPAI model

Eight-week checklist:

1. Sign onto the Code of Practice OR document equivalent compliance. The Code is the path-of-least-resistance. The "equivalent compliance" route is legally available but means the AI Office evaluates your alternative against the Code's specifics on a case-by-case basis — slower and riskier.

2. Publish your transparency template by August 2, 2026. The template format is in the Code. Late publication is enforcement exposure from day one.

3. For frontier models (>10^25 FLOPs): run the systemic risk assessment. The methodology is published. The first annual assessment is due by August 2, 2026 for models already on the market; ongoing for new releases.

4. Wire incident reporting to the AI Office. "Serious harm" misuse must be reported. Build the workflow now — incident detection → triage → AI Office notification.

5. Verify training-data copyright posture. The TDM opt-out compliance technical measures need to be in production, not on a roadmap.

6. Have a single rightsholder contact point + GPAI contact point published. Email + URL on your website.

The AI Office has indicated priority enforcement against providers with broad EU market reach. If you serve EU enterprise customers, expect to be on the early enforcement list.

What this means if you BUY GPAI through an API

Most builders aren't GPAI providers — you're consuming GPAI models through an API. The Act still affects you in three ways:

1. Your model provider must be compliant — verify it

If your stack depends on OpenAI / Anthropic / Google / DeepSeek / Mistral, your provider's compliance posture becomes your dependency. Ask:

• Are they Code of Practice signatories? (All four major US labs + Mistral signaled they would sign onto the original Code; verify the final-version signatures after June 2026.)
• Where is their published transparency template?
• For frontier models, where's the systemic risk assessment?

2. Your own AI System (built on a GPAI model) may have separate

obligations

If you build an AI System on top of a GPAI model — chatbots, code assistants, decision support — you're a downstream provider or deployer under the Act, not a GPAI provider. Different obligations apply (Chapter III, not Chapter V):

• High-risk classification check (Article 6 + Annex III)
• If high-risk: conformity assessment, post-market monitoring, registration in the EU database
• Transparency obligations under Article 50

These obligations are largely deferred to December 2, 2027 for Annex III high-risk systems, but the prohibited-practices ban (February 2025) and Article 50 transparency (December 2, 2026) hit sooner.

3. You need provider-passthrough documentation

When the AI Office audits you under Chapter III, they'll ask for documentation about the GPAI model your system uses. Your provider contracts should give you the right to receive — and pass through — the GPAI provider's transparency template + relevant risk-assessment docs.

For commercial gateways (Anvat, OpenRouter, Together, etc.): verify the gateway passes through upstream transparency docs. A gateway is not itself a GPAI provider (it doesn't train the model), but it's part of your audit chain.

What changes for "non-EU" workloads

Effectively nothing — if your model is available to EU users, you're in scope. The Act applies extraterritorially to:

• Providers placing GPAI models on the EU market (regardless of where they're trained)
• Output of an AI system used in the EU (even if the system itself is outside the EU)

Building "EU-restricted" model variants is technically possible but operationally painful. Most providers will run one compliance posture globally.

The "good faith" enforcement window

The European Commission has stated it will work cooperatively with Code signatories in the first year of enforcement (August 2026 – August 2027), not seeking penalties for good-faith compliance gaps. This is the Commission's standard pattern for new regulatory regimes — the GDPR had a similar 12-month enforcement honeymoon.

What "good faith" means in practice:

• Signed onto the Code of Practice
• Published transparency template (even if incomplete)
• Documented attempts to implement TDM compliance
• Cooperated with AI Office information requests

What good faith does NOT cover:

• Outright refusal to register or publish required documentation
• Operating systemic-risk frontier models without the published risk assessment
• Misrepresenting training data sources or compute

What we expect to happen

Three predictions:

1. Coordinated Code-signing in July 2026

All four major US labs (Anthropic, OpenAI, Google, Microsoft on behalf of OpenAI partners) plus Mistral, AI21, Cohere will publicly sign the Code in July. Open-weight providers (Meta, DeepSeek) position is more uncertain — Meta has historically been cooler on the Act, DeepSeek's EU exposure is small.

2. First Article 91 information request: Q4 2026

The AI Office's first formal enforcement action will be an Article 91 documentation request — not a fine. The recipient will be a frontier-tier model provider, almost certainly one with broad EU market reach. Public visibility on the response will reshape what "compliance" means in practice.

3. Smaller providers will adopt the Code as a competitive moat

For mid-sized model providers, being Code-compliant becomes a purchasing-decision differentiator in EU enterprise. The compliance overhead is non-trivial but doable for any team with serious EU revenue; expect a wave of "compliant by August 2026" marketing in July.

What builders should do this month

Six-week sprint:

1. Catalog your GPAI dependencies — every model your stack uses, every gateway in front of those models.
2. Ask each provider for their Code-signing timeline + transparency template draft.
3. For EU customers: get the GPAI dependency information in your security review. They'll ask if they haven't already.
4. If you're a GPAI provider yourself: hire a compliance counsel or engage one of the AI Act specialist firms. The Code is detailed; self-implementation without legal review is high-risk.
5. Wire up an EU-specific incident-reporting workflow. Even if you're a downstream provider (not GPAI), Article 50 transparency
   • incident reporting hits December 2, 2026.

Related coverage

• Claude Mythos & Glasswing — safety as gating
• Anvat compliance posture
• Anthropic API direct vs gateway