On 2 August 2026, the European Commission can start fining general-purpose AI providers up to €15 million or 3% of worldwide turnover. That date is roughly 45 days out.
If you build or serve a foundation model to EU users from outside the EU, the obligations already bind you, and the enforcement teeth arrive on schedule.
The EU AI Act August 2 deadline is the moment the GPAI regime stops being paper and starts being a liability line item. The substantive duties have applied since 2 August 2025.
What changes now is that the AI Office can levy fines under Article 101, the high-risk Annex III regime is scheduled to apply, and the grace period the Commission extended to non-signatories of its Code of Practice runs out.
This is a checklist, not a lecture. The goal is to get a non-EU founder from "we serve EU users" to "we are documented and defensible" before the date hits.
What is the EU AI Act August 2 deadline?
The EU AI Act August 2 deadline (2 August 2026) is the date when Commission fines for general-purpose AI providers become enforceable, the high-risk AI obligations in Annex III are scheduled to apply, and the full enforcement phase of Regulation (EU) 2024/1689 begins. It is set by Article 113 as the default application date of the Act.
The phrase gets searched a lot because three different triggers collapse onto one day. Knowing which one applies to you decides what you do this month.
TL;DR: GPAI obligations already apply (since 2 Aug 2025). On 2 Aug 2026 the fines turn on. Non-EU providers serving EU users are caught, must appoint an EU representative, and owe four documentation duties under Article 53. The work is achievable in the time left if you start now.
Key takeaways
- You are probably a provider, not a deployer. Serving a model via API to EU customers makes you the provider under Article 3(3), wherever you are based.
- Four documents, due in practice now. Annex XI technical docs, Annex XII downstream info, a copyright policy, and a public training-data summary.
- Non-EU providers need an Authorised Representative under Article 54, with a 10-year retention duty. Onboarding takes 1-2 weeks, so don't leave it last.
- Fines scale to revenue: up to €15M or 3% of global turnover for GPAI breaches; €35M or 7% for prohibited practices.
- The open-source carve-out is narrow. Open-weights providers still owe the copyright policy and the public training-data summary.
How the AI Act's phased dates actually work
The Act entered into force on 1 August 2024 but switches on in stages under Article 113. An obligation can be legally binding yet not enforceable by fines, which is precisely where GPAI has sat for the past year.
| Date | What applies |
|---|---|
| 2 Feb 2025 | Article 5 prohibited practices (enforceable now) |
| 2 Aug 2025 | GPAI Chapter V obligations for new models (Articles 51-56) |
| 2 Aug 2026 | GPAI fines enforceable; high-risk Annex III scheduled; full enforcement |
| 2 Aug 2027 | Legacy GPAI models (placed before 2 Aug 2025) reach full compliance |
One live caveat. The Digital Omnibus, provisionally agreed on 7 May 2026, has been reported to push the high-risk Annex III date to December 2027 and the Annex I date to August 2028, per analysis from Latham & Watkins.
It does not move the GPAI penalty date. As of 18 June 2026 the Omnibus is not finally adopted, so plan around 2 August 2026 standing exactly as written.
Provider vs deployer: who owes what
Get this distinction wrong and you either over-build compliance or walk into a fine. The whole architecture turns on Article 3.
A provider develops a GPAI model and places it on the EU market under its own name. A deployer uses an AI system under its authority in a professional setting. The provider owns the documentation stack; the deployer owns use-time obligations under Article 26 and transparency duties under Article 50.
| Obligation | GPAI provider | Deployer |
|---|---|---|
| Annex XI technical documentation | Yes | No |
| Annex XII downstream info | Yes (produce) | Receive and use it |
| Copyright policy | Yes | No (unless you fine-tune) |
| Public training-data summary | Yes | No |
| Article 54 EU representative | Yes (if non-EU) | No |
| Article 55 systemic-risk duties | Yes (if ≥10²⁵ FLOPs) | No |
The trap is Article 25: a deployer who substantially modifies or repurposes a model for a high-risk use becomes the provider. Fine-tune a Llama- or Mistral-class model on proprietary data and resell it for hiring or credit decisions, and you inherit the full provider stack.
Are non-EU companies really caught?
Yes, and the hook is broad. Article 2(1) applies the Regulation to providers placing a GPAI model on the EU market "irrespective of whether those providers are established or located within the Union or in a third country," and to third-country providers and deployers "where the output produced by the AI system is used in the Union."
That last clause is wider than GDPR's monitoring trigger. It needs no EU establishment, no EU sales, no targeting. A US lab with EU API customers is squarely a provider. An Asian lab whose outputs reach EU users through downstream apps can be caught too.
The mechanism for non-EU providers is the Authorised Representative under Article 54, in force since 2 August 2025. You appoint an EU-established person by written mandate, they verify your Annex XI documentation exists, they retain the records for ten years, and they are the AI Office's point of contact.
AR-as-a-service firms charge low five figures a year and onboard in one to two weeks.
What documentation must a GPAI provider keep?
Article 53(1) sets four independent duties. Meeting one does not satisfy another.
- Annex XI technical documentation. Internal, held on request of the AI Office. Annex XI covers model description, architecture, parameter count, training compute in FLOPs, data processing, evaluation, capabilities and limitations. Section 1 is "as appropriate to the size and risk profile." Section 2 adds red-teaming, cybersecurity and energy detail for systemic-risk models.
- Annex XII downstream information. A pack for the companies integrating your model, so they can understand its limits and meet their own obligations.
- Copyright policy. You must honor Article 4(3) opt-outs under the DSM Directive using "state-of-the-art technologies." A 2024 Hamburg Regional Court ruling read machine-readable opt-out compliance broadly, so robots.txt, X-Robots-Tag, ai.txt and llms.txt handling all matter.
- Public training-data summary. On the AI Office's mandatory template.
The training-data summary template was published on 24 July 2025 and must be refreshed at least every six months. Large providers disclose the top 10% of scraped domains by volume; SMEs disclose the top 5%, capped at 1,000 domains.
The systemic-risk line is 10²⁵ FLOPs or Commission designation, which adds the Article 55 duties: model evaluation, serious-incident reporting, and weight-protection security. Most current production models sit under that line.
Does open source get you out of this?
Partly, and less than the internet thinks. Article 53(2) excuses open-weights providers from the Annex XI and Annex XII duties only. The copyright policy and the public training-data summary still apply, and there is no exemption at all for systemic-risk models.
The Commission's July 2025 scope guidelines require an OSI-style licence, so source-available licences do not qualify. Hugging Face's analysis is a useful read for open-weights teams. This narrowness is part of why Meta declined to sign the Code.
The Code of Practice decision
The GPAI Code of Practice, published 10 July 2025, has three chapters: transparency, copyright, and safety and security. Signing creates an Article 56 presumption of compliance until harmonised standards land.
By mid-2026, roughly 26 providers had signed, including Google, OpenAI, Anthropic, Microsoft, Mistral, IBM and Cohere, per Jones Day. Meta refused, calling it an overreach on copyright. Signing does not block fines, but the Commission has said non-signatories face closer scrutiny, and the good-faith grace period for them ends on 2 August 2026.
My read: if your documentation is in order, sign. The presumption of compliance is cheap insurance and the enforcement posture rewards it. If you cannot meet the copyright chapter cleanly, document an independent approach rather than sign and fall short.
The penalties, in plain numbers
Per Article 99, the percentage or the absolute figure applies, whichever is higher: €35M/7% for prohibited practices, €15M/3% for GPAI and other operator breaches, €7.5M/1% for misleading information. SMEs get the lower of the two figures. The AI Office enforces GPAI; national market surveillance authorities enforce high-risk systems.
Will year one be loud? Probably not. The AI Office is still scaling and has announced no closed enforcement action as of mid-2026. But the obligations bind regardless of enforcement tempo, and the first year of full enforcement is the most likely window for a precedent-setting case against a visibly deficient provider.
Build the audit trail on the merits.
The ~45-day countdown checklist
Calibrated to 18 June → 2 August 2026.
Week 1 (now → 26 Jun): scope. Confirm your role under Article 3(3)/3(4). Map which models are GPAI under Article 3(63). Compute cumulative training FLOPs to test the 10²⁵ systemic-risk line. If non-EU, start engaging an Authorised Representative today.
Week 2 (27 Jun → 6 Jul): draft. Write or refresh Annex XI (add Section 2 if systemic-risk), the Annex XII downstream pack, and the copyright policy covering opt-out detection and takedowns.
Week 3 (7 → 15 Jul): disclose and decide. Complete the AI Office training-data summary template, host it publicly, and make the Code of Practice call. File your Article 54 written mandate with the AR.
Week 4 (16 → 24 Jul): readiness. Systemic-risk teams: stand up the serious-incident reporting process and schedule adversarial testing. Brief your board on the enforcement shift.
Final week (25 Jul → 2 Aug): lock down. Run an internal Article 53 audit. Confirm the AR has every document and can answer the AI Office on time. Set a 6-month cadence for summary updates. On 2 August, you are operating under full enforcement.
What this means for you
The honest framing for founders is that the documentation is achievable with about one full-time compliance counsel, a half-time ML engineer for the technical dossiers, and standard tooling for opt-out detection and public hosting. There is no ex-ante approval, no notified body, no CE mark for GPAI. The duties are self-attested and ex-post.
So the cost of compliance is real but bounded. The cost of ignoring it is a 3% of global turnover ceiling and an AI Office looking for a year-one example.
Pick this path if you serve EU users: appoint the representative, write the four documents, sign the Code if you can stand behind it, and keep the summary current.
What would change the calendar? Only final adoption of the Digital Omnibus, and even then only for the high-risk dates, not GPAI. Watch that file, but do not bet your compliance plan on a delay that has not landed.
Sources
- Regulation (EU) 2024/1689 (full text), EUR-Lex
- Article 113: Entry into force and application, AI Act Service Desk
- Article 3: Definitions, AI Act Service Desk
- Article 2: Scope, AI Act Service Desk
- Article 53: Obligations for GPAI providers, AI Act Service Desk
- Annex XI technical documentation, AI Act Service Desk
- Article 55: Systemic-risk obligations, AI Act Service Desk
- Article 88: Enforcement of GPAI provider obligations, AI Act Service Desk
- Article 99: Penalties, AI Act Service Desk
- Training-data summary template, European Commission
- Guidelines on the scope of GPAI obligations, European Commission
- The GPAI Code of Practice, European Commission
- EU AI Act GPAI obligations in force, Latham & Watkins
- EU AI Act Code of Practice analysis, Jones Day
- The Authorised Representative for GPAI models, Blue Arrow
- Non-EU providers and the AI Act, WCR Legal
- Hamburg court on text and data mining, Greengate
- What open-source developers need to know, Hugging Face
- Serious-incident reporting template, European Commission