ANNOUNCEMENT · 2026-05-07
EU AI Act: August 2026 GPAI Enforcement Powers Go Live
On August 2, 2026, the European Commission's AI Office gains full enforcement powers over general-purpose AI (GPAI) model providers, including fines of up to 3% of global turnover or EUR 15 million. Pre-2025 models have until August 2, 2027 to comply.
What the August 2, 2026 milestone actually unlocks
GPAI obligations themselves entered into application on **August 2, 2025**, but providers were given a one-year adjustment window before the European Commission could begin exercising supervision and enforcement. That window closes on **August 2, 2026**, when the AI Office's enforcement powers under Chapter V take effect.
*This article is general guidance, not legal advice. Consult qualified EU counsel for compliance decisions.*
From that date, the AI Office can formally request documentation and information, conduct model evaluations, demand compliance measures (including risk mitigation, market restriction, recall, or withdrawal), and impose fines under **Article 101** of the Regulation. Maximum penalties for GPAI providers are **up to 3% of global annual turnover or EUR 15 million, whichever is higher**, for intentional or negligent infringements. The narrower Article 99 tier of up to EUR 35 million or 7% of turnover applies to prohibited AI practices, not GPAI obligations. August 2, 2026 is therefore not a new obligation date; it is the date the existing obligations become directly enforceable by the Commission.
Who counts as a GPAI provider (and the systemic-risk threshold)
A general-purpose AI model is defined as a model trained on broad data, displaying significant generality, and capable of competently performing a wide range of distinct tasks regardless of how it is placed on the market. The provider is the entity that develops or has the model developed and places it on the EU market under its own name or trademark.
A second, narrower category, **GPAI models with systemic risk**, triggers the heavier obligations of Articles 55 and 56. Under **Article 51**, a model is presumed to have high-impact capabilities when the cumulative compute used for training exceeds **10^25 floating-point operations (FLOPs)**. This is a rebuttable presumption: under Article 52(2), a provider above the threshold can submit substantiated arguments that the model does not in fact present systemic risk, and the Commission may also designate models below the threshold based on other criteria. The Commission can update the threshold by delegated act.
Critically, the Commission's July 2025 guidelines clarified that a **downstream actor becomes the new GPAI provider when the training compute used for modification exceeds one-third of the original training compute**. Minor fine-tuning does not flip the role; large-scale continued pretraining can.
Transparency, copyright, and downstream documentation duties
All GPAI providers, regardless of systemic-risk status, owe four baseline duties under **Article 53**:
1. **Technical documentation (Annex XI)** describing the model's design, training process, datasets, energy consumption, intended tasks, architecture, and licensing, maintained and made available to the AI Office on request.
2. **Downstream documentation (Annex XII)** providing integrators with the information needed to understand the model's capabilities and limitations, intended uses, and integration constraints.
3. **Copyright policy** consistent with EU copyright law, including Directive 2019/790 text-and-data-mining opt-outs. This means respecting machine-readable rights reservations (such as robots.txt) during web crawling and avoiding lawfully inaccessible sources.
4. **Public training-content summary** following the AI Office's mandatory template, broad enough to let rights-holders and the public understand what categories of content were used.
Fully free and open-source models that do not present systemic risk are exempted from duties 1 and 2 but **not** from the copyright policy or the public training summary.
Pre-2025 model grace deadlines
The Regulation distinguishes between models placed on the market after August 2, 2025 (which had to be compliant from day one) and **legacy models placed on the market before August 2, 2025**, which have until **August 2, 2027** to bring documentation and policies into line.
This grace period is narrow in two ways. First, it does not delay enforcement against post-August 2025 models, which the AI Office can pursue immediately once its powers activate in August 2026. Second, it applies to the *model* as it existed before the cutover. Substantial post-cutoff modification, particularly any retraining exceeding the one-third compute trigger described above, can pull a legacy model into the post-2025 regime and reset the clock.
Providers relying on the legacy window should still expect informal engagement from the AI Office during 2025-2027. The Commission has signalled that good-faith collaboration during the adjustment period is a factor in how enforcement discretion will be exercised once Article 101 becomes available.
GPAI Code of Practice: opt-in benefits and risks
The **General-Purpose AI Code of Practice**, published on **July 10, 2025**, is a voluntary instrument drafted by independent experts through a multi-stakeholder process. It has three chapters: **Transparency** and **Copyright** apply to all GPAI providers; **Safety and Security** applies only to systemic-risk providers.
Signing the Code grants a **presumption of conformity** with the corresponding AI Act obligations: signatories benefit from a lighter administrative burden in assessments and greater legal certainty. As of mid-2025, **26 organisations** had signed, including Amazon, Anthropic, Cohere, Google, IBM, Microsoft, Mistral AI, and OpenAI. **Meta declined to sign.** xAI signed only the Safety and Security chapter, which means it must demonstrate transparency and copyright compliance through alternative means subject to AI Office assessment.
The risk side is real. Signatories accept structured commitments such as the standardised Model Documentation Form, designated copyright contact points, and ongoing reporting cadence. Non-signatories carry no extra obligations, but they also lose the conformity presumption and may face closer scrutiny when the Commission begins exercising Article 101 powers in August 2026.
Practical compliance checklist for downstream deployers
Using a compliant GPAI model does **not** discharge downstream obligations. Providers of AI *systems* built on a GPAI model carry their own duties, particularly if the resulting system is high-risk under Annex I or III, or if Article 50 transparency obligations apply (for example, to chatbots, deepfakes, or emotion-recognition systems).
A realistic deployer checklist:
- **Request and archive the Annex XII information package** from every GPAI model you integrate; verify the upstream provider's Chapter V compliance position.
- **Map intended use cases against Annex III** to determine whether your system is high-risk; if so, prepare conformity assessment evidence under Chapter III.
- **Incorporate the upstream model card and limitations into your own technical documentation**, risk assessment, and post-market monitoring plan.
- **Implement Article 50 transparency notices** where generative or interactive outputs are user-facing.
- **Maintain audit logs and human-oversight controls** proportionate to system risk; AI literacy obligations under Article 4 have applied since February 2025.
Deployer obligations are independent of the model provider's status, so an incomplete or vague upstream model card is *your* problem to escalate, not a reason to delay your own documentation.
Why self-hosted and BYOK paths simplify the audit trail
Deployer duties presuppose that you can answer two questions on demand: *which model produced this output, under what configuration, and on whose infrastructure*, and *what data left your environment to get there*. Shared multi-tenant inference endpoints make both questions harder, because the logging, retention, and routing surface is owned by a third party whose disclosures may or may not match your Annex XII package.
Self-hosted inference and bring-your-own-key (BYOK) deployment patterns narrow the surface in a useful way. When the model runs in infrastructure you control, you own the inference logs, the data residency posture, and the audit trail that an enforcement request will eventually ask for. When BYOK routes calls directly from your tenant to the upstream provider under your contractual terms, the metadata path is auditable end-to-end. Platforms designed around this pattern, such as **osFoundry**, treat audit logs, data residency controls, and privacy-first defaults as part of the orchestration layer rather than as add-ons.
None of this substitutes for the substantive Article 53 obligations on the upstream provider, but it materially shortens the evidence chain you have to assemble when regulators ask.
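An added example, not code from osFoundry or any provider named above: a hash-chained inference audit log in Python that records the fields needed to answer both questions and detects after-the-fact edits. The field names, model identifiers and hostnames are constructed for illustration, and hash chaining is this example's own assumption, not something the Regulation prescribes.

```python
import hashlib
import json

GENESIS = "0" * 64  # anchor value for the first record's prev_hash

def _digest(obj) -> str:
    """SHA-256 over canonical JSON, so equal content always hashes equally."""
    raw = json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(raw).hexdigest()

def append_record(log, *, timestamp, model_id, model_config,
                  infrastructure, prompt, egress_destination):
    """Append one inference record; store hashes of content, not the content."""
    body = {
        "timestamp": timestamp,
        "model_id": model_id,                      # which model
        "config_sha256": _digest(model_config),    # under what configuration
        "infrastructure": infrastructure,          # on whose infrastructure
        "egress_destination": egress_destination,  # None: nothing left the tenant
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "prev_hash": log[-1]["record_hash"] if log else GENESIS,
    }
    log.append(dict(body, record_hash=_digest(body)))
    return log[-1]

def verify_chain(log) -> int:
    """Return the index of the first broken record, or -1 if the log is intact."""
    prev = GENESIS
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["prev_hash"] != prev or _digest(body) != rec["record_hash"]:
            return i
        prev = rec["record_hash"]
    return -1

def egress_report(log):
    """Records where data left the environment: (time, destination, prompt hash)."""
    return [(r["timestamp"], r["egress_destination"], r["prompt_sha256"])
            for r in log if r["egress_destination"]]

def build_sample_log():
    """Constructed sample: one self-hosted call, one BYOK call to an upstream API."""
    log = []
    append_record(log, timestamp="2026-08-03T09:00:00Z", model_id="example-model-v1",
                  model_config={"temperature": 0.2, "max_tokens": 512},
                  infrastructure="self-hosted:eu-cluster-a",
                  prompt="Summarise contract clause 4.", egress_destination=None)
    append_record(log, timestamp="2026-08-03T09:05:00Z", model_id="example-upstream-model",
                  model_config={"temperature": 0.0}, infrastructure="byok:upstream-provider",
                  prompt="Translate this notice.",
                  egress_destination="api.upstream-provider.example")
    return log
```

The chain only proves integrity if the latest `record_hash` is periodically anchored somewhere the log writer cannot rewrite. A plain SHA-256 of a short prompt can be guessed by brute force, so a keyed HMAC is the safer choice where prompts are sensitive.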
Frequently asked questions
- **When do EU AI Act GPAI rules actually become enforceable?**
  The substantive obligations for general-purpose AI model providers under Chapter V of the EU AI Act entered into application on August 2, 2025. However, the European Commission's enforcement powers, including the authority to request information, conduct evaluations, order corrective measures, and impose fines under Article 101, only become exercisable on August 2, 2026. Providers of GPAI models placed on the market before August 2, 2025 have a longer compliance runway and must be brought into conformity by August 2, 2027.
- **What is the systemic-risk threshold for GPAI models?**
  Under Article 51(2) of the EU AI Act, a general-purpose AI model is presumed to have high-impact capabilities, and therefore to pose systemic risk, when the cumulative compute used for its training exceeds 10^25 floating-point operations (FLOPs). The presumption is rebuttable: a provider above the threshold can submit substantiated arguments under Article 52(2) that the model does not in fact pose systemic risk. The Commission may also designate models below the threshold and may update the threshold itself via delegated act as the state of the art evolves.
- **Do I need to sign the GPAI Code of Practice?**
  No. The Code of Practice, published on July 10, 2025, is voluntary. Signing it grants a presumption of conformity with the relevant Article 53 and (for systemic-risk providers) Article 55 obligations, which reduces administrative friction during AI Office assessments. As of mid-2025, 26 organisations had signed, including Anthropic, Google, Microsoft, and OpenAI. Meta declined to sign. Non-signatories must demonstrate compliance through alternative adequate means and can expect closer scrutiny when Article 101 enforcement begins.
- **What are the maximum fines for GPAI non-compliance?**
  Under Article 101 of the EU AI Act, the European Commission can fine GPAI model providers up to 3% of their global annual turnover or EUR 15 million, whichever is higher, for intentional or negligent infringements of GPAI obligations or for failures to provide requested information. This sits separately from the broader Article 99 tiers, which include up to EUR 35 million or 7% of turnover for prohibited AI practices. SMEs and start-ups are capped at the lower of the percentage or absolute amount.