What activates on 2 August 2026

This is the date the European Commission's supervisory and enforcement powers against providers of general-purpose AI models come into force. The substantive obligations on GPAI providers — technical documentation, downstream-deployer information, copyright policy, the public summary of training content — have been applicable since 2 August 2025. What changes next August is the Commission's ability to actually act on them.

From 2 August 2026, the AI Office, acting on behalf of the Commission, can:

  • Request documentation and information from a GPAI provider directly.
  • Conduct evaluations of the model — either via the AI Office's own technical staff or through accredited third parties.
  • Request measures, including compliance steps, risk-mitigation steps, market restriction, recall, or full withdrawal from the EU market.
  • Impose fines against providers that fail to comply.

The transparency rules of the AI Act also come into effect in August 2026, and the Commission published a second draft of its Code of Practice on marking and labelling AI-generated content in March 2026, with finalisation planned by mid-2026. So 2 August is, for builders, the moment a previously paper-only regime becomes operational with enforcement capacity.

Pro tip

Treat 2 August 2026 the way you would treat a payments regulator inspection: assume the first thing you will be asked for is your documentation pack, not your model weights. Whether the AI Office actually opens enquiries on day one is irrelevant — your readiness has to be evidenced before the date, not after.

Who is a "GPAI provider" — and who isn't

A GPAI provider, under the Act's structure as clarified by the Commission's published guidelines, is anyone who places a general-purpose AI model on the EU market under their own name or trademark. That includes:

  • Frontier-lab providers operating a hosted API into the EU.
  • Open-weights publishers releasing a GPAI model that is then mirrored or fine-tuned by EU users.
  • Companies that fine-tune a GPAI model so significantly that the resulting model becomes, in effect, a new GPAI model. The Commission's guidelines treat this as a separate placing-on-the-market event.
  • Non-EU providers — including Indian and UK companies — that make a GPAI model available to users in the Union, regardless of where the model is hosted or where the provider is incorporated.

Who is not a GPAI provider in the Act's sense:

  • Pure application builders integrating a third-party GPAI model via API into a downstream product, provided they do not retrain or substantially modify the model.
  • Researchers and scientific institutions developing models that are not placed on the market.
  • Internal-only deployments that never reach external EU users (although high-risk obligations may still apply elsewhere in the Act).

For builders in Bengaluru, Mumbai, Hyderabad, London, Manchester or Edinburgh, the question is rarely "are we a GPAI provider?" The question is whether the model variant you have shipped — particularly any fine-tune above a meaningful threshold of training compute or data — has, in effect, made you one. Providers placing GPAI models on the market after 2 August 2025 are expected to informally collaborate with the AI Office's technical staff during onboarding; that informal channel is the place to clarify uncertain cases.

The four supervisory powers explained in builder terms

Power What triggers it Likely first response from the AI Office
Request for documentation and information Complaint, downstream-deployer escalation, market-monitoring signal, or own-initiative review. A formal letter naming the model, citing the obligation in scope, and giving a response window — typically weeks, not months.
Evaluation of the model Documentation gaps, suspicion of systemic risk, or following up on a transparency complaint. Either AI-Office-led testing or an accredited third-party evaluation, often against a defined risk hypothesis (eg. CSAM generation, biosecurity uplift, cyberoffensive capability).
Request for measures Finding of non-compliance, identified systemic risk, or failure to remediate following an information request. An ordered measure — could be additional safeguards, additional disclosure, restriction on which downstream use cases the model may be offered for, recall, or withdrawal from the EU market.
Fines Persistent non-compliance, failure to cooperate, supply of incorrect or misleading information, or breach of a previously ordered measure. A formal infringement decision; under the Act's general fine architecture, GPAI-specific penalty caps apply and are calculated against worldwide annual turnover.

The order in that table is deliberate. The Commission's published enforcement design is escalatory: documentation first, evaluation second, ordered measures third, fines as the backstop. A team that responds professionally to the first letter rarely reaches the third row.

Watch out

"Failure to cooperate" is itself a fining trigger, separate from any underlying non-compliance. You can be fined for ignoring or stonewalling the AI Office even if the model itself would have been found compliant. Have a named GPAI response owner and a documented escalation playbook before August.

The Omnibus political agreement of 7 May 2026 — what changed

The "AI Omnibus" — the EU's omnibus simplification package touching on the AI Act and adjacent digital files — was adopted by the Commission on 19 November 2025. The political agreement on the related changes between the co-legislators was reached on 7 May 2026. The package recalibrates parts of the regime, particularly around documentation duplication, SME burden, and certain high-risk implementation timelines.

What Omnibus did not do is push back the activation of GPAI enforcement powers on 2 August 2026. Several public summaries early in 2026 conflated the high-risk-deadline conversation with the GPAI-enforcement conversation, and a number of legal alerts have had to be corrected. For a fuller breakdown of where Omnibus does and does not move dates, see our analysis of the Omnibus's impact on the 2027 high-risk timeline.

Avoid

Treating the Omnibus as a delay rather than a recalibration. Every leadership conversation that opens with "we have an extra year now" needs to be redirected. GPAI enforcement powers activate on 2 August 2026. The Omnibus changed the texture of the surrounding regime; it did not buy you a year of slack on the GPAI side.

The three support instruments — Guidelines, Code of Practice, Template

In July 2025, the Commission published three instruments that, together, are now the operational vocabulary of GPAI compliance. Builders should treat all three as part of the working toolkit, not as background reading.

  1. Guidelines on the scope of GPAI provider obligations — these are the Commission's interpretation of who counts as a provider, when fine-tuning crosses the threshold into a new placing-on-the-market event, and what "substantial modification" looks like. They are the document the AI Office will reach for when arguing borderline cases.
  2. GPAI Code of Practice — a voluntary compliance tool. Signing up does not exempt you from the underlying obligations, but it provides a structured way to demonstrate adherence and gives you a default position the AI Office is broadly willing to accept. Several frontier-lab providers have already signed.
  3. Template for the public summary of training content — this is the format providers are expected to use to publish the summary of training content required under the Act. Using the template is not formally mandatory, but using anything else creates an evidentiary headache no-one wants on 3 August.

The Code of Practice has become the de facto reference standard for serious GPAI providers. UK and Indian teams supplying EU users should sign up to the Code unless they have a specific reason not to. The cost is low, the demonstrable-compliance benefit is high, and the alternative is reinventing every documentation artefact from first principles.

Transparency rules and the AI-content labelling Code of Practice

Alongside the GPAI obligations, the Act's transparency rules — labelling of AI-generated content, watermarking expectations, disclosure to users that they are interacting with an AI system — also come into effect in August 2026. The Commission's second draft of the Code of Practice on marking and labelling AI-generated content was published in March 2026, with finalisation planned by mid-2026.

For builders who ship generative AI products, the operational consequence is simple: by August your text, image, audio and video outputs intended for EU users need to carry detectable provenance signals — either embedded watermarks, content credentials (eg. C2PA), or both. Reliance on visible disclosure alone will not survive an enforcement enquiry.

The builder checklist — what to do before 2 August 2026

Compliance artefact map

Artefact Owner Source of template
Technical documentation of the GPAI model Model team / research lead Annexes referenced in the Commission's published guidelines
Information for downstream deployers (capabilities, limitations, intended use) Product / DevRel Guidelines on the scope of GPAI provider obligations
Public summary of training content Data lead with Legal sign-off Commission template (July 2025)
Copyright compliance policy Legal Code of Practice copyright chapter
Provenance / labelling implementation for outputs Platform engineering Code of Practice on marking and labelling AI-generated content (mid-2026)
Designated GPAI response owner + escalation playbook CISO or General Counsel Internal — no external template
EU authorised representative (non-EU providers) Legal / Operations Standard mandate document; appointed via EU-based legal entity

IN and UK provider scenarios

Scenario EU AI Act exposure What to do
Bengaluru-based foundation-model startup, API hosted on AWS Frankfurt, EU paying customers. Full GPAI provider exposure. Appoint EU authorised representative; full artefact map; consider signing the Code of Practice.
UK-based research lab, open-weights GPAI release on Hugging Face, no commercial offering in the EU. GPAI provider exposure if EU users meaningfully take up the weights. Maintain documentation pack; sign the Code of Practice; publish summary using the Commission template.
Mumbai-based product company fine-tuning a third-party GPAI model for an EU-facing chatbot. Likely not a new GPAI placing-on-the-market unless the fine-tune is substantial. Document the fine-tune scope; preserve the upstream provider's chain of obligations; check if your modifications cross the Commission's substantial-modification threshold.
London consultancy reselling a US-hosted GPAI model to EU clients under its own brand. You may inherit GPAI provider obligations because you are placing the model on the market under your own name. Either clarify the supply chain so the upstream provider is the named placer, or accept GPAI obligations directly.
Indian deployer integrating an EU-hosted GPAI model into a domestic-only product. No direct GPAI provider exposure; DPDP obligations apply instead. See our DPDP Phase 2 compliance playbook. Stay on top of upstream provider's compliance documentation; map data flows under DPDP.

Want to discuss this with other verified Builders?

Every article on AI Tech Connect is written by a Verified Builder. Browse profiles, shortlist who you want to hire or collaborate with.

Browse Builders →

The eight-step countdown

  1. Confirm whether your team — or any of its model variants — is a GPAI provider under the Commission's published guidelines. Borderline? Open the informal channel with the AI Office now, not in July.
  2. Appoint an EU authorised representative if you are a non-EU provider. This takes weeks; do not leave it to the last fortnight.
  3. Refresh your technical documentation pack against the annexes the Commission has flagged. Date it. Version-control it.
  4. Publish the public summary of training content using the Commission template. If you have a previously published bespoke summary, migrate it to the template format.
  5. Decide on the Code of Practice. For most serious providers, signing is the lower-risk path. Document the decision either way.
  6. Implement provenance signals — watermarking, content credentials, or both — for all generative outputs targeting EU users. Test detection independently.
  7. Name a single GPAI response owner with a documented escalation playbook for AI Office correspondence. Run a half-day desktop exercise before August.
  8. Run a documentation-readiness audit. The test is simple: if a 14-day information request arrived tomorrow, could you ship the pack? If not, the rest of the list is academic.

The companion GPAI obligations checklist we published earlier covers the substantive content of each artefact in more depth; this article is about the enforcement-readiness layer that sits on top.

What happens if you ignore this — the escalation path

The Commission's enforcement architecture is deliberately graduated. The path most providers will see, in worst-case order, runs roughly:

  1. Information request letter from the AI Office, with a stated response window.
  2. Follow-up enquiry, often expanding the scope of documents requested if the first response is thin.
  3. Evaluation of the model — internal or third-party — typically against a defined risk hypothesis.
  4. Finding of non-compliance communicated formally, with an opportunity to remediate.
  5. Ordered measure — additional safeguards, restriction of use cases, recall, or withdrawal from the EU market.
  6. Fine — the Act provides for material penalty caps for GPAI providers, calculated against worldwide annual turnover.

Two operational realities matter more than the headline penalty number. First, market restriction or withdrawal can be commercially terminal long before a fine is imposed — if your model is ordered withdrawn from the EU market mid-quarter, the revenue impact is immediate. Second, the AI Office's findings will be shared with national market-surveillance authorities, and many of those authorities will, in turn, share with sector regulators. A bad finding does not stay contained.

Recommended

Engage early. The Commission has been explicit that providers who informally collaborate with the AI Office's technical staff during onboarding are treated very differently from providers it has to write a cold letter to. Reach out via the AI Office channels before August; do not wait to be discovered.

Builder questions still unresolved

Several questions remain unresolved either in the published guidelines or in the Code of Practice as of late May 2026:

  • The exact threshold at which a fine-tune becomes a new placing-on-the-market event. The Commission's guidelines describe substantial modification qualitatively; the AI Office's first enforcement decisions in the second half of 2026 will set the operational threshold.
  • How systemic-risk thresholds are computed in practice. The Act's compute-based threshold provides a starting point, but the empirical bar for capability-based designation is still being worked through.
  • Mutual recognition with the UK's frontier-AI regime. The relationship between EU GPAI provider obligations and any UK-side documentation requirements remains under bilateral conversation.
  • Final form of the AI-content labelling Code of Practice. Mid-2026 finalisation is planned, but the second-draft text still leaves room for movement on provenance-signal interoperability.
  • How the AI Omnibus operationally lands across the broader Act after the 7 May 2026 political agreement is transposed into the Council's adopted text.

For deeper background on the high-risk side of the regime — particularly how it interacts with the GPAI provisions — see our August 2026 high-risk deadline analysis.

Primary sources for this piece: the European Commission's regulatory framework page, the Commission's guidelines on the scope of GPAI provider obligations, the artificialintelligenceact.eu implementation timeline, the enforcement explainer for Chapter V, and Latham & Watkins's briefing on GPAI obligations and the final Code of Practice.