8 min leer
EU AI Act Enforcement Begins August 2, 2026: GPAI Rules, 3% Fines, and the Vendor Divide
Category
Estrategia empresarial
Share the article
Most enterprises have filed the EU AI Act under "problem for 2027." For anyone running a general-purpose AI model, that assumption breaks on August 2, 2026. That is the date the European Commission's enforcement and penalty powers over providers of general-purpose AI (GPAI) models become applicable, including fines of up to 3% of global annual turnover or €15 million, whichever is higher, under Article 101 of the AI Act.
The obligations on GPAI providers are not new. They applied from August 2, 2025. What changes 41 days from now is teeth. From August 2, 2026, the European Commission and its AI Office can request documentation, run technical evaluations of models, demand compliance and risk-mitigation measures, restrict or withdraw a model from the EU market, and issue fines (European Commission).
If you deploy AI agents that touch EU users, this is not a vendor's problem you can watch from a distance. Your model vendor's compliance posture is now part of yours.
What changes on August 2, 2026?
Here is the distinction most planning decks get wrong. GPAI rules and the GPAI Code of Practice have been live since August 2025. The supervision and enforcement machinery was held back for a year to give providers and the AI Office time to operationalize. That grace period ends on August 2, 2026.
A short version of the timeline that matters:
August 2, 2025 — GPAI obligations apply to new models; the GPAI Code of Practice is in place.
August 2, 2026 — The Commission's enforcement and penalty powers over GPAI providers become applicable.
August 2, 2027 — GPAI models placed on the market before August 2, 2025 must be brought into compliance.
After August 2, the AI Office is not limited to issuing guidance. It can compel a provider to hand over technical documentation under Article 91, require risk-mitigation measures under Article 93, and demand model access to conduct evaluations under Article 92. Refusing or stalling on any of those is itself a finable offense.
How big are the EU AI Act fines for GPAI providers?
Worth being precise here, because the figure circulating in a lot of compliance briefings is wrong.
For GPAI model providers, Article 101 sets the maximum fine at up to 3% of global annual turnover or €15 million, whichever is higher. That covers intentional or negligent infringement of GPAI obligations, supplying incorrect or misleading information, and failing to comply with the AI Office's requests or evaluations (European Commission).
The €35 million / 7% number you may have seen attached to GPAI is a different tier. That maximum applies to prohibited AI practices under Article 5, such as social scoring or manipulative systems, governed by Article 99. It does not apply to a GPAI provider's documentation or transparency failures. The correct GPAI exposure is 3% / €15 million.
One nuance that buyers should internalize: signing the voluntary Code of Practice does not buy immunity from fines. But the AI Office has said it will weigh a provider's good-faith adherence to the Code when assessing penalties, as the firm Latham & Watkins notes in its GPAI analysis. So the Code is not law, but it is a documented mitigating factor. That is exactly why which vendors signed it is now a procurement signal.
Why your model vendor's signature is now your problem
The GPAI Code of Practice is the practical compliance route for model providers. It has three chapters: Transparency and Copyright, which apply to every GPAI provider, and Safety and Security, which applies only to the most capable models designated as carrying systemic risk. A provider who signs gets a presumption of conformity with the matching obligations. A provider who does not sign has to prove compliance "by other adequate means" and explain that approach to regulators.
Most of the frontier vendors signed the full Code. A few did not. That split, voluntary as it is, is now a concrete risk signal for anyone building on top of these models.
Model provider | Code of Practice status | What it means for buyers |
|---|---|---|
Anthropic | Signed (full Code) | Presumption of conformity across applicable chapters |
Signed (full Code) | Presumption of conformity across applicable chapters | |
Microsoft | Signed (full Code) | Presumption of conformity across applicable chapters |
OpenAI | Signed (full Code) | Presumption of conformity across applicable chapters |
IBM | Signed (full Code) | Presumption of conformity across applicable chapters |
Mistral AI | Signed (full Code) | Presumption of conformity across applicable chapters |
Cohere | Signed (full Code) | Presumption of conformity across applicable chapters |
Amazon | Signed (full Code) | Presumption of conformity across applicable chapters |
xAI | Signed Safety and Security chapter only | Must demonstrate Transparency and Copyright compliance by other means |
Meta | Declined to sign | Must demonstrate all applicable obligations by other means |
Sources: European Commission, General-Purpose AI Code of Practice (Wikipedia).
Read the table carefully, because the framing matters. The Code is voluntary. Meta and xAI are not breaking the law by declining a chapter. Meta has cited legal uncertainty as its reason for not signing. What they have done is take on an obligation to demonstrate compliance through their own documentation and processes rather than leaning on the Commission's presumption of conformity. For a regulated enterprise, that is a different risk profile, and it is one you inherit the moment you build a production agent on that model.
If your customer-service agent runs on a model whose provider declined the Code, your compliance and legal teams now have a question to answer that they did not have to answer six months ago: how does our vendor prove conformity, and what happens to our service if the AI Office restricts that model in the EU? That is not theoretical. Market-restriction and withdrawal powers are part of what activates on August 2.
This is the right moment to plug something useful. We send a short weekly write-up on agentic AI, governance, and the regulatory shifts that actually change how you build. If you want this kind of analysis without digging through the Official Journal yourself, subscribe to the newsletter.
Does the Digital Omnibus delay this? Not for GPAI.
There is a genuine reason some teams think the AI Act timeline just got easier. In May 2026, EU negotiators reached a provisional agreement on the "Digital Omnibus," a package that pushes back several high-risk deadlines. Stand-alone high-risk systems under Annex III, covering things like recruitment, credit scoring, and education tools, are deferred to December 2, 2027, and high-risk AI embedded in regulated products under Annex I moves to August 2, 2028 (Gibson Dunn).
That relief is real. It just does not touch GPAI. The Omnibus reshuffles the high-risk timeline; it leaves the August 2, 2026 GPAI enforcement date standing. If your mental model was "everything slipped to late 2027," the part that affects model providers did not move.
Separately, the Commission's draft guidelines for classifying high-risk AI systems are open for feedback until July 23, 2026, with final guidelines expected by the end of the year. That consultation shapes who counts as high-risk later. It does not change what happens to GPAI providers next month.
What enterprises deploying AI agents should do before August 2
This is a planning problem, not a panic. A few concrete moves:
Inventory your models by vendor and by EU exposure. Know which agents touch EU users and which underlying models power them. You cannot assess vendor risk you have not mapped.
Pull each vendor's compliance posture into procurement. Code of Practice status, model documentation availability, and how the provider intends to demonstrate conformity should be standard questions in any AI vendor review. Beam's own approach is laid out on our security page.
Build for model portability. If a provider faces a market restriction in the EU, can you swap the underlying model without rebuilding the agent? Platforms that route across multiple models, rather than hard-wiring to one, absorb that shock far better. This is one reason Beam's platform is model-agnostic by design.
Keep your own audit trail. GPAI enforcement sits upstream of you, but your deployment of any model on EU users still has to stand up to scrutiny. Logging, human oversight, and documentation are the parts you control. We covered the deployment side of this in AI in Europe 2026 and the data-protection groundwork in building a GDPR-compliant AI agent platform).
Meta's Llama is a useful illustration of why portability matters. It is a widely deployed model whose provider declined the Code, which means enterprises running Llama-based agents in the EU should understand exactly how that compliance gap is being closed and have a fallback if it isn't. The point is not that any one model is unsafe. The point is that vendor compliance posture is now a variable in your architecture, and August 2 is the date it starts carrying weight.
The bottom line on EU AI Act enforcement in 2026
The EU AI Act's full enforcement powers over GPAI providers activate on August 2, 2026, with fines of up to 3% of global turnover or €15 million. The Code of Practice split the model market into providers who signed and providers who did not, and that split is now a procurement signal you can use. The Digital Omnibus delayed the high-risk timeline, not this one.
For enterprises running AI agents on EU audiences, the practical takeaway is simple. Your vendor's compliance posture became your compliance posture, and the date it starts mattering is six weeks out. The teams that mapped their model dependencies and built for portability will treat August 2 as a non-event. The teams that filed all of this under "2027" will be reading their vendors' compliance disclosures under deadline.
