For the past year, the obligations governing general-purpose AI (GPAI) models under the EU AI Act have existed largely on paper. They applied in law from August 2, 2025, but the body responsible for enforcing them, the European Commission’s AI Office, had no formal power to sanction non-compliance. That changes on August 2, 2026. From that date, the Commission’s enforcement powers over GPAI model providers enter into application, and the AI Office can move from persuasion to compulsion: requesting documentation, evaluating models directly, ordering corrective measures, restricting or withdrawing models from the EU market, and imposing fines.

For AI governance and compliance teams, the significance is not that a new obligation appears on August 2. The substantive obligations have been in force since 2025. What appears on August 2, 2026 is consequence. A gap between a legal requirement and an enforceable one is easy to deprioritize; once the enforcement switch is flipped, that gap becomes a liability. With roughly two weeks remaining, this article sets out what the enforcement regime covers, who falls within scope, the specific obligations at stake, and a practical checklist for the teams that build on or deploy GPAI models, not only the frontier laboratories that train them.

Why August 2, 2026 Matters

The EU AI Act follows a staggered application calendar rather than switching on all at once. The prohibitions on unacceptable-risk AI practices and the AI literacy obligations applied first, from February 2, 2025. The GPAI provisions, along with governance and penalty provisions, applied from August 2, 2025. The bulk of the high-risk system requirements follow later, with the principal high-risk obligations phasing in through August 2, 2026 and August 2, 2027.

August 2, 2026 is the point at which the enforcement architecture for GPAI models becomes operational. Until now, the AI Office has functioned primarily as a convener and standard-setter, coordinating the drafting of the GPAI Code of Practice and engaging providers cooperatively. From August 2, 2026, it holds the enforcement mandate set out in the Act. That mandate is exclusive in an important respect: for GPAI models specifically, the Commission, through the AI Office, is the competent authority, rather than the network of national market surveillance authorities that handle other parts of the Act.

There is a crucial transitional nuance that determines whether your organization must be compliant now or has additional time.

  • Models placed on the market on or after August 2, 2025 must comply with the GPAI obligations now. There is no grace period for these. When enforcement powers activate on August 2, 2026, these models are fully within reach.
  • Models placed on the market before August 2, 2025 benefit from a longer runway. Their providers have until August 2, 2027 to bring those models into compliance.

This distinction rewards careful record-keeping about when a given model version was first made available in the EU. It also means that a provider maintaining a pre-August-2025 model and simultaneously releasing newer versions may be operating two models under two different deadlines at once.

The Regulatory Framework: What GPAI Obligations Actually Require

A general-purpose AI model is, in the Act’s terms, a model that displays significant generality and is capable of competently performing a wide range of distinct tasks, regardless of how it is placed on the market, and that can be integrated into a variety of downstream systems. Large language models and multimodal foundation models are the archetype. The obligations attach to the model provider, distinct from the obligations on providers and deployers of AI systems built using those models.

Baseline obligations for all GPAI providers

Every GPAI model provider, whether or not the model presents systemic risk, must satisfy a core set of duties:

  1. Technical documentation. Providers must draw up and keep up to date technical documentation of the model, including its training and testing process and the results of its evaluation. This documentation must be available to the AI Office on request.
  2. Information and documentation for downstream providers. Providers must make available to those who intend to integrate the model into their own AI systems the information they need to understand the model’s capabilities and limitations and to comply with their own obligations. This is the informational spine that lets a downstream deployer meet its transparency and risk duties.
  3. A copyright policy. Providers must put in place a policy to comply with EU copyright law, including a mechanism to honor reservations of rights (for example, opt-outs from text and data mining) expressed by rightsholders.
  4. A public summary of training content. Providers must draw up and make publicly available a sufficiently detailed summary of the content used to train the model, following the template published by the AI Office.

Providers established outside the EU that place GPAI models on the EU market must appoint an authorized representative in the Union. This is a practical trip-wire for non-EU labs and for any non-EU company that fine-tunes a model into a new GPAI offering for European users.

The systemic-risk tier

A subset of GPAI models carry heightened obligations because they are classified as presenting systemic risk. The primary trigger is a compute threshold: a model is presumed to present systemic risk when the cumulative amount of computation used for its training, measured in floating-point operations, exceeds 10^25 FLOPs. The Commission can also designate a model as systemic-risk on other grounds, and providers must notify the Commission when they train, or plan to train, a model that meets the threshold.

Providers of GPAI models with systemic risk carry the baseline obligations plus four additional categories of duty:

  • Model evaluations, including adversarial testing (red-teaming) to identify and mitigate systemic risks.
  • Systemic risk assessment and mitigation, tracking, documenting, and addressing risks that could arise at Union level.
  • Serious incident reporting to the AI Office and, where relevant, to national authorities, including corrective measures.
  • Cybersecurity protection for the model and its physical infrastructure.

Most organizations building on top of GPAI models will not themselves cross the 10^25 FLOPs threshold. But the classification matters to everyone downstream, because a systemic-risk model comes with a richer documentation package and a different risk profile that deployers must account for in their own governance.

Article 101 penalties: the specific exposure for GPAI providers

The penalty regime is where enforcement acquires teeth. The general fining provision for AI Act infringements sits in Article 99, with the highest band, up to €35 million or 7% of global annual turnover, reserved for violations of the prohibited-practices rules. GPAI model providers, however, are governed by a distinct provision.

Article 101 empowers the Commission to fine providers of GPAI models up to 3% of their total worldwide annual turnover in the preceding financial year, or €15 million, whichever is higher. This ceiling applies where the Commission finds that a provider, intentionally or negligently:

  • infringed the relevant provisions of the Act governing GPAI models;
  • failed to comply with a request for a document or for information, or supplied incorrect, incomplete, or misleading information;
  • failed to comply with a measure requested under the Act; or
  • failed to make available to the Commission access to the model for the purpose of conducting an evaluation.

Two points deserve emphasis. First, the exposure is not limited to the substantive obligations. Simply failing to respond adequately to the AI Office, or providing misleading information in response to a request, is independently sanctionable at the same 3%/€15 million ceiling. Second, the “whichever is higher” construction means that for large providers the percentage governs, while for smaller providers the fixed €15 million figure sets a floor that can dwarf turnover. This is a meaningful figure for a mid-sized company that has fine-tuned a model and inadvertently become a GPAI provider without realizing it.

The Code of Practice as a compliance path

Recognizing that the statutory obligations are stated at a high level of generality, the AI Office coordinated the development of a GPAI Code of Practice, a voluntary framework intended to give providers a concrete route to demonstrating compliance. The Code is organized around three chapters: transparency, copyright, and safety and security, the last of which is directed at providers of GPAI models with systemic risk.

The Code’s status is important to understand correctly. It is voluntary, not law. But adherence carries a tangible enforcement benefit: the AI Office treats signatories as acting in good faith and has signaled that it will not move immediately to penalize signatories who are working toward, but have not yet fully implemented, the Code’s measures. In effect, signing the Code buys goodwill and a measure of enforcement forbearance during the ramp-up period, whereas a non-signatory that falls short must demonstrate compliance by other means and can expect a less accommodating posture. For most providers, adopting the Code is the lowest-friction way to structure a defensible compliance program before August 2.

Who Is Actually in Scope

The single most common misconception is that GPAI obligations apply only to companies like the large frontier laboratories that train foundation models from scratch. The scope is broader, and the boundary is where many organizations will be caught off guard.

You are likely a GPAI model provider, with the full obligations that entails, if you:

  • Train a general-purpose model and place it on the EU market or put it into service under your own name or trademark.
  • Fine-tune or otherwise substantially modify an existing GPAI model such that the modification results in what is effectively a new model or a significant change to the original. A downstream actor who takes a base model and adapts it can cross the line into becoming a provider. In that situation the obligations attach to the modification, and the practical question becomes how much documentation the modifier must supply relative to the original provider, an area where the Code of Practice and AI Office guidance are the operative reference.
  • Place a model on the EU market under your own branding, including by rebranding or white-labeling a third party’s model.

You are more likely in a deployer or downstream system provider posture, with a different (though still substantial) set of obligations under other parts of the Act, if you integrate an unmodified GPAI model into your product and simply use it as intended. Even then, you depend on the upstream provider’s documentation to meet your own duties, particularly the transparency requirements discussed in our analysis of Article 50 and the Digital Omnibus reforms. And where your product uses agentic AI, the governance and security expectations climb further, as explored in our coverage of agentic AI and the compliance implications of autonomous model behavior.

The action item is unglamorous but essential: classify your role for every model you build on or ship. Determine, model by model, whether your organization is a provider, a downstream provider, or a deployer. Fine-tuning teams in particular should not assume they are mere deployers.

Specific Requirements to Have in Place

Translating the framework into artifacts, the following are the concrete deliverables an in-scope GPAI provider should be able to produce on August 2:

Technical documentation. A maintained record of the model’s design, training methodology, data sources at a general level, testing and evaluation results, and known limitations. It must be current and available to the AI Office on request. Stale documentation that no longer reflects the deployed model is a common and avoidable failure.

Downstream information package. A documented set of the capabilities, limitations, intended purpose, and integration guidance that downstream providers need. This is both a legal obligation and a commercial necessity, because customers building on your model will demand it to satisfy their own compliance.

Copyright policy. A written policy demonstrating how the model’s training respects EU copyright law, including how rights reservations and text-and-data-mining opt-outs are identified and honored. This is one of the more contentious areas, and rightsholders are actively watching.

Public training-content summary. A summary of training content published using the AI Office’s template. The obligation is to be “sufficiently detailed,” a standard that will be tested in practice; the safer posture is fuller disclosure structured to the template rather than a minimal gloss.

Systemic-risk documentation (if applicable). For models above the 10^25 FLOPs threshold: evaluation and red-teaming records, a systemic risk assessment and mitigation plan, an incident-reporting process wired to the AI Office, and documented cybersecurity controls covering both the model and its infrastructure.

Authorized representative (non-EU providers). A designated EU-based representative empowered to interface with the AI Office.

What to Do Now: A Pre-August-2 Checklist

With roughly two weeks before enforcement powers activate, the goal is not perfection but defensibility. An organization that can show a structured, good-faith program is in a materially better position than one scrambling reactively after a first contact from the AI Office.

  1. Inventory every GPAI model you train, fine-tune, rebrand, or ship. Build a register that records, for each, the model version, the date it was first placed on the EU market, and whether it predates August 2, 2025 (and therefore may fall under the 2027 deadline).
  2. Determine your legal role for each entry. Provider, downstream provider, or deployer. Flag every case where fine-tuning or rebranding may have made you a provider.
  3. Check the systemic-risk threshold. Confirm whether any model you provide was trained above 10^25 FLOPs, or has been designated by the Commission. If so, stand up the additional evaluation, risk-mitigation, incident-reporting, and cybersecurity obligations, and confirm whether a notification to the Commission was or is required.
  4. Assemble and refresh technical documentation. Ensure it reflects the currently deployed model, not an earlier version.
  5. Publish or update the training-content summary using the AI Office template, and confirm your copyright policy is written, implemented, and capable of honoring rights reservations.
  6. Prepare the downstream information package and confirm it is actually reaching the providers integrating your model.
  7. Decide on the Code of Practice. For most providers, signing and demonstrably working toward implementation is the pragmatic path to good-faith treatment. Document the decision either way.
  8. Appoint an EU authorized representative if you are established outside the Union and place GPAI models on the EU market.
  9. Build an AI Office response protocol. Designate an owner, define escalation paths, and prepare to respond to documentation requests and model-evaluation demands promptly and accurately. Remember that an inadequate or misleading response is itself sanctionable under Article 101.
  10. Map the wider calendar. August 2, 2026 is one milestone in a multi-year sequence that runs to August 2, 2027 and beyond. Align GPAI readiness with your broader high-risk-system obligations rather than treating it in isolation. The regulatory picture is also shifting elsewhere, as diverging approaches such as those discussed in our piece on Colorado’s AI Act repeal-and-replace effort illustrate; a global model provider must reconcile the EU regime with a fragmenting international landscape.

Conclusion

August 2, 2026 does not create new GPAI obligations; it makes the existing ones enforceable. That distinction is precisely why it is easy to underestimate. The transparency, copyright, and documentation duties, and for the largest models the systemic-risk regime, have been the law since 2025. From August 2, 2026, the AI Office can back them with document requests, direct model evaluations, market restrictions, and fines of up to 3% of global turnover or €15 million under Article 101, whichever is higher, including for the sin of simply failing to cooperate.

The organizations most exposed are not only the frontier laboratories, which have been engaged with the AI Office for a year, but the mid-market companies that fine-tune, rebrand, or build on GPAI models and have not yet asked whether they are, in law, providers. For those teams, the next two weeks are best spent on the unglamorous fundamentals: a clean model register, a clear-eyed role classification, current documentation, a published training summary, an implemented copyright policy, a decision on the Code of Practice, and a protocol for answering the AI Office. Enforcement readiness is less about elegance than about being able to show, on request, that you took the obligations seriously before the consequences arrived.

This article is provided for informational purposes only and does not constitute legal advice.