The Clock Every Foundation Model Provider Is Watching
August 2, 2025 was the first hard deadline under the EU AI Act: GPAI governance rules entered into force, requiring providers of general-purpose AI models to begin meeting transparency, copyright, and technical documentation obligations. But August 2, 2025 was not yet a day of reckoning — the European AI Office’s full enforcement machinery, including its fining powers, becomes operational exactly one year later.
On August 2, 2026, according to the EU AI Act’s implementation timeline, the Commission’s authority to impose financial penalties under Chapter V of the AI Act fully activates. The penalty structure is significant: fines of up to €15 million or 3% of global annual turnover (whichever is higher) for GPAI providers failing to meet their obligations, plus a separate tier of €7.5 million or 1% of global annual turnover for providing incorrect, incomplete, or misleading information to the European AI Office.
For companies like OpenAI, Anthropic, Google DeepMind, Meta, and Mistral — all of whose flagship models almost certainly fall within GPAI scope — these percentages represent sums far larger than the flat €15 million ceiling. At OpenAI’s estimated 2025 revenue run-rate, 3% of global turnover would exceed €500 million. The regulation’s architects designed it precisely this way: percentage-based penalties ensure the deterrent scales with the offender.
There is one significant transition window: providers of GPAI models already on the market before August 2, 2025 have until August 2, 2027 to achieve full compliance, per analysis by Latham & Watkins. But this grace period does not apply to new model releases, and it does not prevent the AI Office from opening investigations into any provider during the interim period.
What GPAI Providers Are Actually Required to Do
The AI Act’s GPAI obligations split into two tiers based on whether a provider’s model poses systemic risk. The systemic risk threshold is training compute exceeding 10^25 floating-point operations (FLOPs) — a bar that today captures the largest frontier models, including GPT-4-class systems, Gemini Ultra-class systems, and Llama 3-class models at their largest scale.
For all GPAI providers, the baseline obligations include:
- Technical documentation: Maintain comprehensive records covering training methodology, data sources, and computational resources used
- Downstream provider information: Supply documentation sufficient for downstream integrators to build AI systems that themselves comply with the Act
- Copyright compliance: Establish and enforce policies respecting EU copyright law, including opt-out mechanisms for rightsholders
- Training data summary: Publish a sufficiently detailed public summary of the content used for training, including top data sources and domain names
For systemic-risk models (above 10^25 FLOPs), the requirements expand substantially: model evaluations and adversarial testing (red-teaming), systematic risk assessments, mandatory incident reporting to the AI Office, and cybersecurity protections proportionate to the model’s risk profile.
The compliance gap between “all GPAI” and “systemic risk GPAI” is where the regulatory pressure is concentrated. Most mid-tier foundation model providers will argue they sit below the systemic risk threshold. But as model scale races upward quarter by quarter, that argument becomes harder to sustain — and providers who mischaracterize their compute spend face the misleading-information fine tier on top of any underlying violation.
The GPAI Code of Practice: Your De Facto Compliance Benchmark
The European Commission published the GPAI Code of Practice on July 10, 2025. Developed by an independent multi-stakeholder drafting process involving over 1,000 participants — including AI providers, civil society groups, and academic researchers — the Code is technically voluntary. In practice, it functions as the primary compliance benchmark.
Why? Because providers that adhere to the Code receive a presumption of conformity — meaning the AI Office effectively presumes they meet their legal obligations unless evidence to the contrary emerges. This is the same legal mechanism that EU technical standards (harmonized norms) use across product safety regulation: follow the standard, and you shift the burden of proof to regulators. Non-adherents must instead demonstrate compliance through their own frameworks, which requires considerably more regulatory engagement.
The Code addresses three pillars: transparency obligations (training data summaries, technical documentation templates), copyright obligations (opt-out infrastructure, rights-clearance auditing), and safety/security obligations for systemic-risk models (evaluation methodology, red-teaming protocols, incident notification procedures).
One critical nuance from Latham & Watkins’ analysis: compliance with the Code does not categorically exclude the imposition of fines. The Code is a compliance pathway and evidentiary shield, not immunity. Providers who sign up to the Code but fail to implement its provisions in substance remain exposed.
Who Faces the Most Risk Before August 2
The enforcement exposure breaks down unevenly across the foundation model landscape.
Highest-risk tier — Large-scale US-headquartered providers (OpenAI, Anthropic, Google, Meta) distributing models or API access within the EU, or whose models are used by EU-based enterprises. These companies must demonstrate compliance with all GPAI baseline obligations by August 2, 2026 for post-August 2025 models. Their systemic-risk exposure is also highest given training compute volumes. They have the resources to comply but also the largest organizational surface area for compliance gaps — particularly in copyright opt-out infrastructure and training data documentation.
Medium-risk tier — European and mid-scale providers (Mistral, Aleph Alpha, and others). European domicile provides no exemption — all providers placing models on the EU market are in scope. Mistral in particular, as a French company, is directly within the AI Office’s jurisdiction. These providers are generally closer to the regulatory process and have had compliance programs running longer, but smaller teams mean implementation bandwidth is the constraint.
Downstream enterprise risk — Enterprise buyers of foundation model APIs are NOT GPAI providers under the Act, but they carry indirect risk. If an enterprise builds a product on a non-compliant GPAI model and that model’s provider faces enforcement action, the product’s compliance posture also becomes questionable. Vendor due diligence on GPAI compliance status is now a procurement requirement, not a nice-to-have.
What AI Providers and Enterprise Buyers Should Do
1. Map Your Foundation Model Exposure Before August 2
Every organization that develops, deploys, or builds on top of GPAI models needs a current-state inventory of which models they use, which models they develop, and where each sits on the GPAI compliance spectrum. For providers: identify which models were released before August 2, 2025 (and thus eligible for the 2027 grace period) versus after (immediately in scope). For enterprise buyers: request GPAI compliance attestations from every foundation model vendor in your stack. The question to ask is not “are you working on compliance?” but “what specific Code of Practice commitments have you made and what evidence can you share?”
This inventory exercise typically surfaces two surprises: (1) more models than expected exceed the systemic risk compute threshold, and (2) downstream documentation requirements — what providers owe their integrators — are more detailed than most vendor contracts currently specify.
2. Treat the GPAI Code of Practice as Your Audit Framework, Not a Checklist
The three-pillar structure of the Code (transparency, copyright, safety/security) maps directly to the enforcement priorities of the AI Office. Build your internal compliance program around those pillars rather than the Act’s statutory language, which is deliberately high-level. For transparency: implement training data documentation that can be exported in the Code’s prescribed template format. For copyright: stand up a rights-clearance audit process that logs opt-out requests and can produce a compliance trail. For systemic-risk models: run a structured red-team exercise and establish an incident notification workflow before a real incident requires it.
Do not treat Code adoption as a public relations exercise. The Latham & Watkins analysis explicitly warns that signing onto the Code without substantive implementation does not provide the presumption of conformity — and the AI Office has investigative powers to examine the gap between stated commitments and actual practice.
3. Embed GPAI Compliance into Procurement and Vendor Contracts
Enterprise buyers need to update standard AI vendor agreements to include GPAI compliance representations. Specifically: (a) vendors should represent that models delivered post-August 2, 2025 are covered by a current Code of Practice commitment, (b) vendors should provide training data summaries and technical documentation on request, and (c) contracts should include a right to audit compliance status and a material breach clause if the vendor faces AI Office enforcement action.
The procurement angle is underappreciated in current compliance discussions. According to Holland & Knight’s April 2026 analysis, fines apply to the provider, not the enterprise buyer — but a provider under investigation is a vendor whose API continuity, pricing, and product availability cannot be assumed. The business continuity risk is as real as the legal risk.
Where GPAI Enforcement Sets the Global Standard
The EU AI Act’s GPAI provisions are not an endpoint — they are the opening move in what will become a multi-jurisdictional compliance stack. The UK is developing its own AI regulation framework; several Southeast Asian jurisdictions have signaled they will reference the EU Code of Practice in their national frameworks. The Brazilian AI regulation bill, under active parliamentary debate as of early 2026, explicitly borrows from the EU’s tiered-obligation model.
What this means in practice is that GPAI compliance built for the EU in 2026 is not a one-market cost — it is the foundation of a global compliance posture. Providers who build documentation infrastructure, copyright opt-out systems, and red-team protocols to EU standards will find those investments reusable across every subsequent regulatory jurisdiction. Providers who delay until August 2, 2026 are not just falling behind on one regulation — they are forfeiting the first-mover advantage in what will be a multi-year international compliance competition.
The GPAI Code of Practice, for all its voluntary framing, is the first internationally recognized technical standard for foundation model governance. Organizations that treat it as a bureaucratic hurdle will manage a compliance crisis. Organizations that treat it as an engineering specification will ship audit-ready infrastructure before the fine clock starts ticking.
Frequently Asked Questions
Does the EU AI Act apply to non-EU companies?
Yes, if their models are placed on the EU market or their outputs are used within the EU. OpenAI, Anthropic, Google, and Meta are all in scope as GPAI providers even though they are headquartered outside the EU. The Act applies based on where the model is deployed and used, not where the developer is incorporated.
What is the difference between the August 2025 and August 2026 deadlines?
August 2, 2025 was when GPAI obligations first became binding law — providers were required to begin compliance from that date. August 2, 2026 is when the European AI Office’s full enforcement powers activate, enabling the Office to investigate violations and impose fines. Think of August 2025 as the effective date and August 2026 as the enforcement date.
If my company only uses a foundation model API (not develops models), do we face fines?
Not directly — the GPAI fines target model providers, not downstream enterprise users. However, enterprise users face indirect risk: a non-compliant vendor may face enforcement action affecting service continuity, and enterprise products built on a non-compliant model could face their own scrutiny under other AI Act provisions (particularly high-risk AI system requirements). Vendor due diligence is strongly recommended.
Sources & Further Reading
- EU AI Act GPAI Model Obligations In Force and Final GPAI Code of Practice In Place — Latham & Watkins
- EU AI Act Implementation Timeline — artificialintelligenceact.eu
- EU AI Act Timeline and Deadlines — Legiscope
- US Companies Face EU AI Act’s Possible August 2026 Compliance Deadline — Holland & Knight
- Regulatory Framework for AI — European Commission














