Do I count as a GPAI provider under the EU AI Act?

If you place a general-purpose AI model on the EU market — whether by distributing weights, offering it as a hosted API, or shipping it inside a downstream product — you are a GPAI provider. A fine-tune that materially changes a base model's capabilities and is then redistributed also makes you a provider for that derivative model. Hosted-API-only providers still carry the baseline obligations; weight-distributors carry the heaviest documentation burden.

Does signing the GPAI Code of Practice waive the fines?

No. Signing the Code provides a presumption of compliance with related obligations on transparency, copyright and safety/security — it does not provide immunity. If the AI Office finds that your actual practice falls short of what the Code requires, the presumption is rebutted and standard enforcement applies. Non-signatories must demonstrate compliance through other means, which the Commission has signalled will attract closer scrutiny.

What about open-weight releases — are they exempt?

Open-weight models get a partial carve-out from some transparency obligations, but the carve-out does not extend to models with systemic risk. If your open-weight model crosses the systemic-risk compute threshold, you still owe model evaluations, adversarial testing, incident reporting and cybersecurity protections — and you still owe the training-data summary and copyright-compliance obligations.

Does the UK Frontier AI Bill cover this for British builders?

No. The UK Frontier AI Bill is a separate regime that applies inside the UK. If a UK-based GPAI provider serves EU users, the EU AI Act still bites — geography of the user, not of the provider, is what triggers the obligation. The Code of Practice is a useful template for UK builders preparing for the Frontier Bill, but it is not legally binding in the UK.

How realistic is a €15M fine in the first year of enforcement?

European data-protection authorities, coordinating with the Commission, issued GDPR fines above €200M against multiple named US tech platforms over the last five years (Meta €1.2B in 2023, Amazon €746M in 2021). The AI Office inherits the same institutional muscle through the GPAI enforcement pen. Expect early enforcement to focus on the most visible non-compliance — missing training-data summaries, absent copyright opt-out mechanisms — rather than borderline interpretive cases.

EU AI Act GPAI Fines Live 2 Aug 2026 — How €15M Penalty Lands

What changes on 2 August 2026

The obligations themselves are not new. GPAI provider duties under the AI Act entered into application on 2 August 2025, and any general-purpose AI model placed on the EU market after that date has been on the hook ever since. What was missing for the first year was the Commission's enforcement teeth. From 2 August 2026 the Commission — operating through the AI Office — can investigate, request information, conduct audits and issue fines.

Maximum penalty: up to 3% of worldwide annual turnover or €15 million, whichever is higher. This is the GPAI-specific cap; non-compliance with other AI Act provisions (prohibited practices, high-risk system breaches) carries higher caps.
Who enforces: the European Commission's AI Office, with national co-ordination through Member State authorities.
Models placed on market before 2 August 2025 get a longer runway — they must comply by 2 August 2027. Everything placed after that date is already covered.
Code of Practice: the final voluntary Code is in place. Signing it gives a presumption of compliance with related transparency, copyright and safety/security obligations — not immunity.

The fine ceiling, in plain numbers

Read the cap carefully: 3% of global annual turnover OR €15 million, whichever is higher. For a £40M-revenue UK startup, the ceiling is €15M (the floor figure dominates). For a billion-dollar Indian AI company serving EU users, 3% of turnover is the binding figure — and that is calculated on group worldwide revenue, not EU-only revenue. The €15M is not a soft target the Commission lands on for first-time offenders. It is the maximum exposure.

The four baseline obligations every GPAI provider owes

Every GPAI provider — open or closed, hosted or distributed — owes the same four baseline obligations. None of these require legal interpretation; they are pure documentation and engineering work.

Technical documentation covering training, evaluation, intended purpose, limitations and capabilities — kept up to date and made available to the AI Office on request.
Instructions for use for downstream providers integrating the model, including the model's capabilities, limitations and the conditions under which it can be used safely.
Copyright compliance policy aligned with the EU Copyright Directive — in practice this means honouring the machine-readable opt-out mechanism rights-holders use to signal they do not want their content used for training.
Public training-data summary — a sufficiently detailed summary of the content used to train the model, published openly. This is the hardest of the four, because most teams have not been organising their training-data provenance to a publishable standard.

The systemic-risk tier — four more obligations on top

If your model crosses the systemic-risk threshold (the compute-based criterion the Commission has set, plus designation by the AI Office), four additional obligations apply on top of the baseline four:

Model evaluations using state-of-the-art protocols.
Adversarial testing (red-teaming) to identify and mitigate systemic risks.
Tracking and reporting of serious incidents to the AI Office, with corrective measures.
Cybersecurity protections covering the model and its physical infrastructure.

Crucially, the systemic-risk tier applies regardless of whether the model is open-weight or closed. An open-weight release does not exempt you from red-teaming or incident reporting if the model is large enough to qualify.

Obligation → who has to comply → deadline → suggested artefact

The mapping below is the cleanest way to translate the regulation into a sprint backlog.

Obligation	Who it applies to	Deadline	Suggested artefact
Technical documentation	All GPAI providers	2 Aug 2026 (post-Aug-2025 models); 2 Aug 2027 (legacy)	Public model card + private dossier for AI Office
Instructions for use	All GPAI providers	2 Aug 2026	Developer-facing usage page on your model website
Copyright opt-out policy	All GPAI providers	2 Aug 2026	Published policy + honoured robots-style opt-out signal
Training-data summary	All GPAI providers	2 Aug 2026	Published summary in the Commission's template format
Model evaluations	Systemic-risk GPAI only	2 Aug 2026	Eval report covering capabilities + safety dimensions
Adversarial testing	Systemic-risk GPAI only	2 Aug 2026	Red-team report + mitigations log
Serious-incident reporting	Systemic-risk GPAI only	Ongoing from 2 Aug 2026	Incident response runbook with AI Office notification path
Cybersecurity protections	Systemic-risk GPAI only	2 Aug 2026	Threat model + controls documentation

The Code of Practice shortcut

The GPAI Code of Practice — final version now in place after submission by independent experts — is the cleanest path for most providers. Signing the Code provides a presumption of compliance with the related transparency, copyright and safety/security obligations. It does not waive the fine ceiling, and the AI Office can still investigate if your actual practice diverges from what the Code requires. But it shifts the burden of proof, gives you a Commission-blessed template for each artefact, and is a strong signal to enterprise customers that you are prepared. UK builders should also treat the Code as a de-facto template for UK Frontier AI Bill compliance — it is not binding in the UK, but no British regulator is going to fault you for adopting it.

Who is exposed in India

Indian builders frequently assume the AI Act stops at the EU border. It does not. Any Indian organisation that places a GPAI model on the EU market — by distributing weights to EU customers, offering a hosted API to EU users, or shipping the model inside a downstream product sold in the EU — is a GPAI provider under the Act.

Sarvam — multilingual foundation models with EU enterprise interest. Hosted-API distribution today, but any weight-distribution channel triggers the heavier documentation burden. Our earlier coverage of Sarvam's $350M Series C noted EU expansion as part of the funding thesis.
BharatGen — Indian government-backed multilingual foundation model programme. Any EU-facing distribution from the consortium or its participating labs lands inside the Act. See our coverage of the IndiaAI Mission's 12 LLM partners.
Krutrim — Ola's foundation model effort. Same calculus.
Any Indian startup distributing weights to EU customers — this includes fine-tunes of open base models if the fine-tune materially changes capabilities and is redistributed.

The Indian regulatory parallel is the DPDP Phase 2 AI compliance regime, which has different mechanics but a similar artefact-driven posture. Teams that have already organised their data lineage for DPDP have most of the raw material for the EU training-data summary.

Who is exposed in the UK

UK builders are in a peculiar position post-Brexit. The UK Frontier AI Bill is a separate regime that applies inside the UK; it does not exempt UK firms from the EU AI Act when they serve EU users. The trigger is the geography of the user, not the provider.

Stability AI — UK-headquartered, models distributed globally including in the EU. Squarely inside the GPAI obligations.
Any UK-based GPAI provider serving EU users — hosted-API access from EU users counts as placing the model on the EU market.
UK-based fine-tuners redistributing materially modified open base models to EU customers — same exposure as the original provider for the redistributed derivative.

The UK government's parallel investment — the £500M UK Sovereign AI Fund — has been quiet on AI Act preparation for portfolio companies. Founders should not assume the Fund will cover compliance work.

Why €15M is not a theoretical number

The instinct among engineering teams is to treat €15M as a paper ceiling. The EU's record on GDPR fines should break that instinct. European data-protection authorities, coordinating under the European Data Protection Board and the Commission, have issued fines above €200M against named US tech platforms over the last five years — the Irish DPC's €1.2 billion Meta penalty in May 2023 and Luxembourg's €746 million Amazon penalty in 2021 are the most cited examples. Procedural muscle, investigator headcount, in-house legal capacity and political appetite for high-profile enforcement are all in place. The AI Office inherits that institutional muscle.

What is likely to differ in the first wave of GPAI enforcement is the target profile. Early enforcement actions usually focus on the most visible and most demonstrable non-compliance — missing training-data summaries, absent copyright opt-out mechanisms, failure to respond to AI Office information requests — rather than borderline interpretive disputes. If your team is sitting on incomplete documentation hoping for grace, recalibrate now. For the prior reporting on the runway, see our August 2026 GPAI checklist and the enforcement-day Builder checklist.

Need a Verified Builder who has shipped EU AI Act artefacts?

AI Tech Connect lists Indian and UK Builders with hands-on policy and compliance experience. Shortlist up to five — we email you their contact details.

Browse Builders →

What to ship in the next nine weeks — the concrete checklist

If you are a GPAI provider and have not yet published the four baseline artefacts, the next nine weeks is your runway. Order matters — the training-data summary is the slowest, so it goes first.

Training-data summary — start now. Pull together provenance for every dataset that fed pre-training and any large-scale fine-tune. The Commission has published a template; use it. If you cannot fully reconstruct provenance for older data, document the gaps honestly rather than fabricate completeness.
Copyright opt-out mechanism — implement and document. The Copyright Directive's machine-readable opt-out is the operative standard; honouring it is the cheapest defence.
Technical documentation — pull existing model cards into the AI Office's expected structure. Most labs already have 70% of what is needed; the gap is usually evaluation methodology and known limitations.
Instructions for use — a single developer-facing page covering capabilities, limitations, intended use, and safe-use conditions. This is the easiest artefact.
Decide on the Code of Practice — read the final text, decide whether to sign. The presumption-of-compliance benefit is real; the cost is publicly committing to the Code's specifics.
If you are systemic-risk tier — start the model evaluations and red-team report now. These cannot be backfilled in the last week.

For background on how the wider AI Act timeline interacts with these GPAI obligations, see our coverage of the high-risk system deadline and the omnibus delay debate that briefly threatened to push parts of the timetable back. Primary sources: the official AI Act implementation timeline at artificialintelligenceact.eu/implementation-timeline, the Commission's regulatory framework page at digital-strategy.ec.europa.eu, the GPAI provider guidelines at digital-strategy.ec.europa.eu/guidelines-gpai-providers, and Latham & Watkins' summary of the GPAI obligations and final Code of Practice at lw.com.

EU AI Act GPAI fines go live on 2 August 2026: how a €15M penalty actually lands on Indian and UK builders