The August 2 Deadline: What EU AI Act GPAI Compliance Actually Requires
Twenty-six days from now — on 2 August 2026 — the General-Purpose AI (GPAI) provisions of the EU AI Act become enforceable. Every provider that places a frontier-scale model on the Union market from that date onward owes a defined set of obligations. Most enterprise boards have read press summaries; very few have read the technical annexes. This brief is what the annexes actually require.
1. What the August 2 Deadline Actually Activates
From 2 August 2026, the obligations in Article 53, with the systemic-risk overlay in Article 55, apply to every GPAI provider that places a model on the EU market — wherever the provider is headquartered. The February 2025 prohibitions and the August 2025 high-risk-system obligations have already run; the GPAI layer is the last major tranche.
The upstream/downstream line matters: foundation-model providers carry the direct GPAI obligations. Deployers that build downstream applications on a third-party GPAI model are not, in most cases, treated as GPAI providers themselves — but they inherit documentation, marking, and cooperation duties. The cleanest test: if your vendor's contract names you as a "subsequent provider" of a modified GPAI variant, your obligations just changed.
2. GPAI Obligations — Standard vs Systemic-Risk Tiers
The Act creates two tiers. Standard GPAI providers owe the obligations below; "systemic-risk" GPAI providers — models trained with more than 10^25 FLOPs, or otherwise Commission-designated — owe the standard set plus the overlay.
Standard-tier obligations:
- Technical documentation under Annex XI, kept current and provided on request to the AI Office and national authorities.
- Training-data summary under Annex XII — a public, sufficiently detailed account of the data, sufficient to assess Union copyright compliance.
- A copyright and opt-out policy that respects rights-holder reservations under Article 4(3) of the Copyright Directive.
- A downstream-cooperation duty — informing downstream providers of model capabilities, limitations, and risks, and supporting their compliance work.
Systemic-risk overlay (Article 55):
- State-of-the-art model evaluations, including adversarial testing, before market placement.
- A systemic-risk evaluation under Article 34 standards.
- Serious-incident reporting to the AI Office on a tight window.
- Cybersecurity and model-weight protection for the most capable models.
3. Article 50 Marking and the 10 June 2025 Code of Practice
Article 50 requires providers and deployers of covered AI systems to ensure AI-generated content is machine-readable, markable, and detectable as artificially generated. For GPAI providers this is a real engineering obligation: ship the model with provenance metadata, watermarking capability, and downstream-visible disclosure mechanics.
The Code of Practice published on 10 June 2025 operationalizes Article 50 across three pillars:
- Watermarking: signal-bearing markers embedded in model outputs (text, image, audio, video) at generation time.
- Provenance metadata: AI Act-compliant manifests attached to outputs, sufficient to trace generation to the originating model.
- Deepfake disclosure: machine-readable labels attached to synthetic imagery and audio that cross the Article 50 thresholds.
Signatories commit to measurable compliance ahead of the August 2 deadline. Providers that did not sign now carry the same obligation without a negotiated safe harbor.
4. Enforcement: Fines up to 3% of Global Turnover
GPAI providers face administrative fines of up to the higher of 3% of global annual turnover or €15 million for non-compliance with the Act's core obligations — meaningfully above the GDPR administrative-fine structure, and without the prior-notice step that GDPR allows.
Regulators: the EU AI Office in Brussels as primary GPAI regulator across all Member States; national market-surveillance authorities for in-market deployers; coordinated action through the European Artificial Intelligence Board.
Public signalling from the AI Office points to first enforcement actions in Q3/Q4 2026, focused on GPAI providers that did not sign the Code of Practice or that ship models missing documentation or markings. Disclosed attention is on the largest non-EU providers in particular.
5. Action Checklist for Downstream Providers
If you build on top of someone else's GPAI model, these are the levers you actually control.
- Map your status. If you have fine-tuned, materially modified, or re-branded a foundation model, run the "subsequent provider" test in Article 25 — you may carry direct GPAI obligations.
- Pull technical documentation. Annex XI documentation is owed to you on request. If your vendor cannot produce it, your August 2 risk has a known upstream cause.
- Audit Article 50 marking. Whatever your application emits — text, image, audio, video — confirm provenance metadata and watermark signals pass through to end users.
- Verify the upstream's Annex XII summary. The training-data summary is public. Confirm the upstream's copyright-compliance posture is documented and aligns with what you tell customers.
- Document systemic-risk pass-through. If your upstream crosses the 10^25 FLOP threshold, confirm Article 55 evaluations are being met and your downstream use is within the assessed parameters.
- Pre-clear incident reporting. Identify the upstream's contact point for serious-incident reports. You may inherit a clock that runs faster than your normal vendor escalation.
Twenty-six days. The obligation set is finite, the deadline is not, and the regulator has signalled it intends to enforce.
Sources: Regulation (EU) 2024/1689 (AI Act), Articles 50, 53, 55; Annexes XI & XII; GPAI Code of Practice, 10 June 2025; EU AI Office public guidance, 2026.
Further Reading
-
McKinsey Strategy & Finance
↗
Corporate strategy & competitive advantage
-
MIT Sloan Management Review
↗
Research-based management insights
-
Harvard Business Review
↗
Leadership & organizational excellence
How does your organization score on AI autonomy?
The Zero Human Company Score benchmarks your AI readiness against industry peers. Takes 4 minutes. Boardroom-ready output.
Take the ZHC Score →Get every brief in your inbox
Boardroom-grade AI analysis delivered daily — written for corporate decision-makers.
Choose what you receive — all free:
No spam. Change preferences or unsubscribe anytime.