When do EU AI Act GPAI fines start for providers?

Article 101 fines for general-purpose AI model providers apply from August 2, 2026, because Article 113 delays Article 101 while most Chapter V GPAI obligations started earlier. The maximum is 3% of annual worldwide turnover or EUR 15 million, whichever is higher.

Does the EU AI Act apply to non-EU startups?

Yes, if the startup places AI systems or GPAI models on the EU market, puts them into service in the Union, or has AI outputs used in the Union. Article 2 makes location secondary to market access and use.

What are the core GPAI obligations for startups?

For GPAI providers, the core duties are Annex XI technical documentation, Annex XII downstream information, a copyright compliance policy, and a public training-content summary using the AI Office template. Systemic-risk models add evaluations, adversarial testing, incident reporting, and cybersecurity duties.

Is an API wrapper a GPAI provider under the AI Act?

A simple wrapper around a third-party model usually looks like a deployer or downstream AI system provider role, depending on the product. A fine-tune, substantial modification, or rebranded model can shift the startup into provider obligations for the resulting model.

EU AI Act GPAI Enforcement June 2026: 14 Moves Before Fines

Startups have 43 days to turn scattered model notes into evidence the EU AI Office can inspect. The short answer: EU AI Act GPAI enforcement June 2026 is the final build window because Article 101 fines for general-purpose AI providers begin applying on August 2, 2026, while Article 53 duties already cover new GPAI models placed on the EU market, as of June 20, 2026.

GPAI enforcement means Commission and AI Office supervision of general-purpose AI model provider duties under Chapter V of Regulation (EU) 2024/1689, including documentation, downstream transparency, copyright policy, training-content summaries, and systemic-risk controls.

If you sell, expose, fine-tune, or wrap AI for EU users, the compliance question is now operational. Who owns the inventory? Where is the model card? Where is the copyright policy? Who can answer a regulator request in five business days?

EU AI Act GPAI enforcement June 2026: TL;DR

The EU AI Act compliance checklist for startups starts with role classification. A startup can be a provider, deployer, downstream provider, importer, distributor, or several at once.

For GPAI providers, Article 53 requires model technical documentation, downstream integration information, a Union copyright policy, and a public training-content summary. Article 55 adds systemic-risk duties when the model crosses the 10^25 FLOPs threshold or is designated by the Commission.

Article 50 transparency rules come into effect in August 2026, according to the Commission's AI Act implementation page. That means chatbots, synthetic media, deepfakes, and generated public-interest text need labels and machine-readable marking where the Act requires them.

Key takeaways

August 2, 2026 is the practical deadline for Article 50 transparency and Article 101 GPAI fine exposure.
Article 53 already applies to new GPAI models placed on the EU market from August 2, 2025.
Non-EU startups are in scope if they place AI systems or GPAI models on the EU market, or if AI outputs are used in the Union.
A fine-tune or rebrand can turn a startup into a GPAI provider with Annex XI and Annex XII duties.
Signing the GPAI Code of Practice is voluntary, but the Commission treats it as a concrete compliance path.
The cheapest serious program is an evidence repository, not a legal memo.

What changed in the EU AI Act timeline?

The AI Act entered into force on August 1, 2024, and Article 113 says the regulation generally applies from August 2, 2026, with staged exceptions in the official text. The important startup detail is that GPAI obligations arrived earlier than many high-risk AI duties.

Date	What applies	Startup action
February 2, 2025	Prohibited AI practices and Article 4 AI literacy	Train staff and block banned use cases
August 2, 2025	GPAI obligations for new models under Chapter V, except Article 101	Build Annex XI, Annex XII, copyright, and summary packs
June 20, 2026	Final operating window before fines	Freeze scope, assign owners, close evidence gaps
August 2, 2026	Article 50 transparency and Article 101 GPAI fines	Be ready for disclosures, markings, and regulator requests
August 2, 2027	Legacy GPAI models placed before August 2, 2025 catch up	Retire, update, or document old models

The Commission's AI Act page also says the May 7, 2026 political agreement on the AI omnibus defers some high-risk categories to December 2, 2027. It does not remove the August 2026 pressure on GPAI enforcement, transparency, or provider fines.

Does this apply to a non-EU startup?

Yes. Article 2 applies to providers placing AI systems or GPAI models on the EU market regardless of where they are established, and to providers or deployers in a third country where AI system output is used in the Union, as summarized by the AI Act Service Desk.

For a US or UK startup, EU incorporation is not the trigger. EU market access is.

If your API is reachable by EU customers, your web app accepts EU users, or your model is distributed through an EU-facing marketplace, assume you need a scoped legal analysis and an engineering compliance packet.

Are API wrappers treated like GPAI providers?

Role mapping is the hinge. A thin SaaS wrapper around a third-party model usually starts as an AI system provider or deployer analysis, depending on who controls the system and how it is put into service.

A fine-tune, merged model, substantial modification, or rebranded model is riskier. The AI Act defines a downstream provider as a provider integrating an AI model into an AI system, including a general-purpose AI system, and Article 25 can reassign responsibilities when another actor substantially modifies a system.

Use this decision table before writing policies.

Your product pattern	Likely role to analyze	Minimum evidence to gather
Chatbot powered by third-party API	Deployer or AI system provider	Vendor docs, Article 50 disclosure, output marking plan
Fine-tuned foundation model sold under your brand	GPAI or downstream provider	Training records, evals, Annex XI, Annex XII, copyright summary
Open-weight model release	GPAI provider with possible open-source carve-outs	License, weights, architecture, usage information, systemic-risk screen
Frontier model trained in-house	GPAI provider, possible systemic-risk provider	Compute estimate, red-team records, incident process, cybersecurity controls
High-risk vertical app using GPAI	High-risk AI provider plus GPAI dependency manager	Risk management, human oversight, conformity evidence, vendor packet

The startup-sized GPAI obligations

Article 53 is the center of gravity. It requires providers to keep technical documentation up to date, make information available to downstream providers, maintain a copyright policy, and publish a sufficiently detailed training-content summary using an AI Office template.

Annex XI is the internal technical pack. It should cover the model description, intended tasks, training and testing process, evaluation results, limitations, cybersecurity protections, and the development context.

Annex XII is the customer-facing integration pack. It should tell downstream builders what the model does, what it cannot do reliably, how to integrate it, what input and output formats it supports, and which use policies apply.

For copyright, Article 53 requires a policy to comply with Union law and rights reservations under the EU text-and-data-mining regime. The Commission's GPAI Code of Practice page says the Code has separate transparency, copyright, and safety and security chapters, with transparency and copyright aimed at Article 53 compliance.

Your first artifact can be simple:

yaml

model_inventory:
  model_id: "acme-reranker-v3"
  role: "downstream provider"
  base_model: "third-party-gpai-api"
  eu_access: true
  release_date: "2026-06-12"
  substantial_modification_review: "pending"
  article_50_surface: ["chat", "generated summary"]
  annex_xi_owner: "ml-platform"
  annex_xii_owner: "solutions"
  copyright_policy_owner: "legal"
  incident_contact: "security-oncall"

The point is traceability. A startup should be able to answer who owns every model, every EU-facing surface, every training dataset category, and every downstream customer document.

What if your model has systemic risk?

Article 51 presumes high-impact capabilities when training compute exceeds 10^25 floating-point operations, according to the official regulation. The Commission can also designate a model based on Annex XIII criteria.

Systemic-risk providers face Article 55 obligations. These include state-of-the-art model evaluations, adversarial testing, systemic-risk mitigation, serious-incident tracking and reporting, and cybersecurity protections.

The AI Office has published a serious-incident reporting template for GPAI models with systemic risk. Even if your startup is below the threshold, copy the incident taxonomy into your security process now. It is easier to add a model incident category during quiet weeks than during a production event.

The 14-move EU AI Act compliance checklist

Do these in order. The sequence matters because later documents depend on the role map and inventory.

Build a live inventory of every model, fine-tune, AI feature, vendor model, and EU-facing AI surface.
Assign each entry a role: provider, deployer, downstream provider, importer, distributor, or out of scope.
Mark every GPAI model and estimate training compute. Escalate anything near 10^25 FLOPs.
Start Article 4 AI literacy training for staff who build, sell, operate, or support AI systems.
Add Article 50 disclosures at first AI contact for chatbots, assistants, and other AI interactions with natural persons.
Add machine-readable marking for synthetic audio, image, video, and text outputs where Article 50 requires it.
Draft the Annex XI technical documentation pack for each GPAI model you provide.
Draft the Annex XII downstream integration packet for customers and internal product teams.
Publish a copyright compliance policy with rights-holder contact, opt-out handling, and dataset governance.
Complete the public training-content summary using the AI Office template described on the Commission's AI Act support instruments page.
Review whether any product also falls into Annex III high-risk categories such as employment, education, credit, migration, justice, or critical infrastructure.
Wire a serious-incident process that routes legal, security, policy, and ML platform teams into one evidence channel.
Decide whether to sign the GPAI Code of Practice. The AI Office explains the signature process on its provider invitation page, and the Commission lists signatories on the Code page.
Freeze an evidence repository with owners, dates, model versions, customer-facing docs, evals, and regulator-response contacts.

Best choice if you need the fastest compliance path

If you only deploy third-party models, start with Article 50 labels, AI literacy, vendor documentation, and customer-facing AI disclosures. Your main risk is saying too little to users and having no proof that you assessed your provider chain.

If you fine-tune or rebrand models, prioritize Annex XI, Annex XII, copyright policy, and the training-content summary. Your main risk is being treated as the provider of the resulting model while your records still look like an experiment log.

If you train frontier models, build the Article 55 lane immediately. Your main risk is waiting for a formal systemic-risk designation before installing serious-incident and adversarial-testing machinery.

What happens if you miss the deadline?

Article 101 lets the Commission fine GPAI providers up to 3% of annual worldwide turnover or EUR 15 million, whichever is higher, for intentional or negligent infringement, failure to provide requested documents or information, failure to comply with measures, or failure to provide model access for evaluation under Article 92.

Article 99 separately covers many operator and transparency violations. The AI Act Service Desk summary for Article 99 notes that Member States set penalty rules and that fines should be effective, proportionate, and dissuasive.

The practical exposure is broader than the maximum fine. Downstream providers can complain under Article 89, customers can ask for Annex XII materials during procurement, and enterprise security reviews will start treating GPAI documentation as part of vendor due diligence.

What this means for you

Treat AI Act startup compliance as a product-readiness program. Put it beside SOC 2, privacy, security, and model evaluation, with the same owner discipline and release gates.

The most useful artifact is a single evidence map: model inventory, role classification, EU access, risk class, documentation status, disclosure status, incident owner, and next review date. That one table lets engineering, legal, sales, and support work from the same facts.

June 2026 is also a governance signal. The G7 Evian leaders' statements referenced digital and emerging-technology priorities, while World Economic Forum coverage framed the summit as part of a broader shift toward middle-power coordination. For startups, voluntary global alignment is useful background. Brussels is the binding operating rule for EU access.

Bottom line

EU AI Act GPAI enforcement June 2026 should change your next sprint, because August 2, 2026 is close enough that missing documents are now shipping blockers. Start with role mapping, then build the Annex XI, Annex XII, copyright, transparency, and incident evidence your team can actually maintain.

The caveat is scope. A pure internal tool, a third-party API wrapper, a fine-tuned model, and an in-house frontier model do not carry the same duties. Watch the Commission's GPAI guidance, Code of Practice updates, and transparency-labeling instruments through Q3 2026.