EU AI Act GPAI Enforcement Begins. The First Compliance Notices Are Being Issued.
The European AI Office issued formal compliance notices to three General-Purpose AI model providers this month — the first enforcement actions under the EU AI Act's GPAI provisions. While the specific recipients and notice contents are subject to confidentiality provisions, the European AI Office confirmed that the notices relate to technical documentation requirements and systemic risk assessment obligations. The enforcement era has begun, and this is not a pilot program. The European AI Office has enforcement authority, enforcement budget, and — as these notices demonstrate — the institutional readiness to use both.
For enterprise organizations that have been treating EU AI Act compliance as a future-state concern, the issuance of formal notices against major model providers should function as a hard wake-up call. The regulatory environment that your compliance teams have been preparing for in theory is now producing consequences in practice.
What First-Wave Enforcement Signals
First-wave enforcement actions under new regulatory frameworks are not random. They are strategic communications from the regulator to the market. Enforcement agencies select their first targets carefully — typically high-visibility, high-impact actors where enforcement actions establish precedent, signal seriousness, and provide maximum instructional value to the broader regulated population. The three model providers receiving notices this month were not chosen arbitrarily. They were chosen to send a message about which compliance obligations the European AI Office considers most material and most immediately actionable.
The notices relate to technical documentation requirements and systemic risk assessment obligations. This is precisely the pattern that EU AI Act legal advisors have been warning about since the framework was published: the primary enforcement exposure is not in having deployed a powerful AI model, but in the quality and completeness of the documentation surrounding that deployment. Regulators cannot easily audit whether a model is "aligned" or "safe" in abstract terms — but they can absolutely audit whether required documentation exists, whether risk assessments were conducted according to specified methodologies, and whether transparency obligations were met. Documentation gaps are the most legible and most prosecutable form of non-compliance, and they are what the first enforcement wave is targeting.
Organizations watching the first notices to understand the regulator's enforcement approach are making the right analytical move. The pattern of early enforcement consistently indicates which compliance gaps the regulator considers most material, and those signals should inform compliance prioritization across the board.
The Downstream Compliance Effect
GPAI compliance notices against model providers create immediate downstream pressure on enterprise users of those providers, and this is a dynamic that most legal teams have not yet fully modeled. The reasoning is direct: if a model provider is found non-compliant with GPAI transparency, documentation, or risk assessment requirements, the enterprise organizations that have deployed that model as a product component inherit compliance exposure in several dimensions.
First, any enterprise product built on a non-compliant GPAI model may itself fail to meet the transparency and documentation standards that downstream deployers are required to demonstrate. Second, contractual representations about the compliance status of underlying model providers may prove inaccurate, creating both direct regulatory exposure and potential commercial disputes. Third, when regulators investigate non-compliant model providers, their investigations frequently examine downstream deployers as part of understanding the scope of the compliance failure and its impact on end users.
Upstream vendor compliance is not an abstract concern that can be delegated to procurement boilerplate. It is a direct enterprise risk that should be actively monitored, documented, and managed. Organizations should be requesting compliance documentation from their AI model providers today, understanding the status of those providers' GPAI obligations, and ensuring that their own deployments can withstand regulatory scrutiny even if the upstream provider's compliance is subsequently challenged.
The Timeline That No Longer Has Slack
The EU AI Act's GPAI provisions have a compliance timeline that most organizations have been treating as generous. First-wave enforcement notices issued in February 2026 mean that timeline is now fully consumed. Organizations that do not have their GPAI compliance documentation in order are not in a preparation phase; they are in a non-compliance phase, and the gap between their current state and a compliant state carries quantified financial risk for every day it persists. The maximum penalty for GPAI non-compliance is 3% of annual worldwide turnover. For a mid-sized enterprise with €500 million in global revenue, that is €15 million. For a global enterprise with €5 billion in revenue, it is €150 million. These are not hypothetical numbers: they are the basis of the enforcement actions currently being constructed.
ZeroForce Perspective
The transition from regulatory framework to active enforcement is the moment when compliance investment stops being optional. Organizations that treated the GPAI compliance window as a planning exercise now face an active enforcement environment where every week of non-compliance is a week of quantifiable financial exposure. The investment required to achieve compliance before a notice is significantly less — in time, cost, and organizational disruption — than the cost of remediating compliance after a notice is received and under regulatory scrutiny. The economics are clear. The urgency is present. The board directive is to commission an immediate GPAI compliance audit, establish a documented remediation timeline, and ensure that the organization's AI governance function has the resources and authority to execute against it.