The EU AI Act became enforceable in August 2024. But the parts that actually matter for frontier AI companies — the GPAI rules with real teeth — don't kick in until August 2, 2026. That deadline is four months away.
What Changes in August
The General Purpose AI (GPAI) rules — covering foundation models like GPT-5, Claude Opus 4.6, and Gemini — come into full effect. This means OpenAI, Google, and Anthropic face direct EU penalty exposure for the first time.
The fines are not trivial:
- Up to €35 million or 7% of global annual turnover for GPAI model violations
- Up to €3 million or 1.5% of turnover for providing incorrect or misleading information
- Additional enforcement powers: disqualification from public contracts, suspension of authorization to operate in EU
For a company like OpenAI with $122B in funding and global revenues in the billions, 7% of global turnover is not a rounding error.
The Technical Requirements Nobody Is Talking About
The GPAI rules require foundation model providers to:
- Maintain detailed technical documentation about training data, model architecture, and capabilities
- Conduct and publish adversarial testing results
- Implement safeguards against foreseeable misuse
- Report serious incidents to EU authorities within days, not months
Each of these is a significant operational commitment. The documentation requirements alone will take most companies months to complete properly. The adversarial testing requirements need to be rigorous, not theater.
Who Has Actually Done This
The honest answer: almost no one is fully compliant. The companies that have made the most progress are the large, well-resourced ones — and even their compliance programs are works in progress.
The companies that have made the least progress are mid-sized European companies using AI extensively without large regulatory teams. They're most vulnerable to enforcement actions and least able to absorb the cost.
The GDPR Parallel
When GDPR launched, everyone said "wait and see" for the first 18 months. Then the enforcement actions started — and the fines were real. The companies that prepared early were in a significantly better position than the ones who hoped it would blow over.
The EU AI Act is following the same pattern. August 2026 isn't a soft deadline. The enforcement infrastructure is being built right now. The first high-profile fine will be a message to every other company in the industry.
What This Means for AI Builders
If you're building applications on top of GPAI models — which is most AI applications today — your vendors' compliance is now your compliance. When OpenAI or Anthropic gets fined, the downstream effects ripple through every product that depends on them.
The companies handling this well are: treating AI compliance as an engineering problem, building compliance infrastructure that can scale as regulations evolve, and engaging directly with regulators rather than waiting for guidance that may never come.
The companies hoping it all works out? They'll find out in Q4 2026.
