Skip to main content

29 Days to the GPAI Enforcement Cliff: What Lawyers Must Address Before August 2

With the EU AI Act's full GPAI enforcement powers activating on August 2, 2026, legal advisors have a narrow window to advise clients on compliance posture, signatory implications, and penalty exposure. This article outlines the key obligations under the Code of Practice, the enforcement machinery now taking effect, and the urgent steps lawyers should take for organizations deploying GPAI models in the EU.

  • contract review
  • legal research
  • compliance monitoring
  • document drafting
  • e-discovery
  • litigation support
  • law firm
  • in-house legal
  • enterprise
  • small firm
  • free tier
  • cloud
  • on-premise
  • RAG
  • agentic

Profile summary

Primary use cases
compliance monitoring
Pricing tier
enterprise/custom
Target audience
law firm, in-house legal, compliance team
Last reviewed
2026-07-04

Full profile

As of July 4, 2026, there are 29 days left before the European Commission’s full enforcement powers over general-purpose AI model providers switch on. The date to put on the legal workplan is August 2, 2026, when the AI Office can move beyond collaborative readiness work and use the AI Act’s investigative, corrective, and fining tools for Chapter V GPAI obligations.[1]

August 2026 calendar with August 2 circled in red and shown as an enforcement cliff

The penalty number also needs cleaning up before it lands in another board deck. For GPAI-related infringements, Article 101 sets the maximum administrative fine at €15 million or 3% of total worldwide annual turnover, whichever is higher. That is not the €35 million or 7% tier, which belongs to prohibited AI practices.[2]

For EU GPAI Code of Practice lawyers, the immediate question is not whether the AI Act exists or whether the Code is politically important. It is whether the client’s file can withstand a formal request after August 2: model timing, provider role, Code signatory status, documentation, copyright controls, downstream-response process, and escalation ownership.

The First Triage: Which Models Are Actually in the August 2026 Bucket?

Start with the placed-on-the-market date. GPAI models placed on the EU market before August 2, 2025, have a transitional compliance period until August 2, 2027. GPAI models placed on the market after August 2, 2025, are in the August 2, 2026 enforcement window.[3]

That distinction is operationally awkward because product teams do not always track model versions in the language regulators use. A release note may say “updated,” “fine-tuned,” “distilled,” “refreshed,” or “new endpoint” without answering the legal question. Counsel should not accept a single inventory column labeled “launch date” unless it explains what was launched: the base model, a materially modified model, a deployment wrapper, an API endpoint, or an EU-facing product feature.

The hard unresolved edge is modified models derived from pre-August 2025 originals but placed on the market after August 2, 2025. The available materials support caution, not certainty. If the client is relying on the 2027 transitional period for a model that has since been materially changed, the file should identify the change history and the legal basis for treating the model as still covered by the earlier date rather than simply inheriting it.

Question for the fileWhy it matters before August 2
Was the GPAI model placed on the EU market before or after August 2, 2025?This determines whether the August 2, 2026 enforcement activation or the August 2, 2027 transitional deadline is the relevant working date.
Is the company a GPAI model provider, downstream deployer, distributor, integrator, or several of these at once?The Code and Chapter V obligations attach to provider conduct, but enterprise deployments often create evidence dependencies across teams.
Has the model been modified, fine-tuned, distilled, or re-released since the original date?Modified-model treatment remains uncertain, so the change record may become the first dispute rather than a background detail.
Does the model meet systemic-risk criteria?The Safety and Security chapter adds obligations that most non-systemic-risk files should not over-engineer, but high-capability models cannot ignore.

Do not let the Digital Omnibus conversation blur this analysis. The May 2026 provisional agreement deferred certain high-risk AI system deadlines, but the materials identified for GPAI make clear that the August 2, 2026 GPAI enforcement date was not moved.[4]

What the Commission Can Ask For After the Switch Flips

The enforcement posture changes because the AI Office’s tools become formal. Article 91 supports requests for information and documentation. Article 92 allows model evaluations, including requests for access to models through APIs. Article 93 supports corrective measures, including market restriction and withdrawal. Article 101 supplies the GPAI fine ceiling.[3]

Those powers convert ordinary compliance gaps into response problems. A missing Model Documentation Form is no longer just a project-management issue. A vague copyright policy is no longer just a redline item. An unclear owner for regulator communications is no longer just a governance imperfection. After August 2, those gaps can determine who answers a Commission request, how fast the company can substantiate compliance, and whether the first production looks controlled or improvised.

Lawyers should assume the first request will not arrive in the taxonomy preferred by the company’s AI governance committee. It may ask for documents, model access, training-data information, risk-management evidence, copyright-policy implementation, downstream-provider materials, or explanation of Code adherence. The evidence file should therefore be organized around what the Commission can demand, not around the order in which internal committees approved the project.

A defensible evidence file is not a policy folder

For each in-scope model, the file should be able to show the model’s EU market timing, the provider entity, the applicable Code status, the documentation owner, the copyright-controls owner, the downstream-request owner, the incident-escalation owner, and the sign-off record for any unresolved legal position. If any of those fields are blank today, counsel should treat the blank as a live escalation item rather than a future remediation note.

This is also where legal precision matters. “We follow the Code” is not the same as being a Code signatory. “We are aligned with the Code” is not the same as having retained the required documentation. “We are not a model provider” is not a conclusion unless the product architecture and contractual chain support it.

Code Signatory Status Is Now a Risk Differentiator

Comparison of Code of Practice signatory and non-signatory compliance paths

The Code of Practice is voluntary in form, but that does not make it irrelevant to enforcement posture. The Commission has stated that signatories will be monitored through focused adherence monitoring, while non-signatories must demonstrate compliance by other adequate means and should expect a larger number of requests for information and access.[5]

That is not a magic shield. The available materials describe the conformity effect with different levels of force, and the Commission’s own adequacy framing should control. The practical point is narrower and more useful: signatory status gives counsel a recognized compliance framework to map against, while non-signatories need an alternative demonstration package ready to produce.

The known signatory landscape also matters because counterparties, boards, and regulators will compare posture. More than 26 organizations signed the full Code, including Amazon, Anthropic, Cohere, Google, IBM, Microsoft, Mistral AI, and OpenAI. Meta declined to sign, and xAI signed only the Safety and Security chapter.[5]

For legal review, the company-by-company list is less important than the file question it creates. If the client signed, where is the internal adherence map, and who owns each commitment? If it did not sign, what “other adequate means” will it rely on when asked? If it signed only part of the Code, which obligations are covered by that signature and which still require a separate evidentiary route?

The good-faith period also should not be oversold. The AI Office’s stated approach of treating signatories’ partial compliance as a demonstration of good faith was tied to the one-year ramp period. That collaborative grace period ends on August 2, 2026.[6]

The Code Provisions That Need Lawyer-Level Verification

The Code is not one undifferentiated checklist. For most counsel doing emergency triage, the Transparency and Copyright chapters deserve the deepest review. The Safety and Security chapter is critical for systemic-risk models, but it should not consume the same review time for a client whose models are not plausibly in that category.

Transparency: documentation that can be produced, not reconstructed

The Transparency chapter centers on model documentation, including the Model Documentation Form. The form covers information such as model architecture, training data, compute, and energy use. The Code materials also identify a 10-year retention expectation and a 14-day response timeline for downstream provider requests.[7]

The legal issue is not just whether the information exists somewhere. It is whether the company can assemble a coherent record without forcing engineering, infrastructure, legal, and policy teams to invent a response chain under deadline. If the answer to a downstream provider depends on three Slack searches and a staff engineer who is on leave, the process is not ready.

  • Confirm that each in-scope model has a completed or clearly tracked Model Documentation Form.
  • Identify where supporting records for architecture, training data, compute, and energy are stored.
  • Assign the person or function responsible for the 10-year retention file.
  • Test the 14-day downstream-provider response path with a realistic request, not a generic policy statement.

The Copyright chapter asks providers to implement policies and controls that include honoring robots.txt, excluding pirate sites, applying technical safeguards against infringing outputs, and designating a complaint contact for rights holders.[7][8]

A copyright review that stops at terms of service is too thin for this deadline. Counsel should ask how robots.txt instructions are captured, how exclusion lists are generated and refreshed, what the company treats as a pirate-site source, how output safeguards are tested, and where rights-holder complaints are routed. If the client uses vendors for crawling, filtering, dataset acquisition, or model training, the contract file should match the compliance story.

There is one important ambiguity to keep visible. Recital 106’s extraterritorial copyright issue was deliberately omitted from the final Code materials identified here, leaving uncertainty over how EU copyright-law compliance applies to training activities conducted entirely outside the EU. That does not make the issue disappear; it means the advice should mark the assumption rather than bury it.

Safety and Security: do not ignore it, but do not misapply it

The Safety and Security chapter applies to systemic-risk GPAI models. The materials identify requirements such as a pre-release Safety and Security Framework, risk-tier acceptance criteria, external evaluator access, and serious-incident reporting within 2 to 15 days depending on severity.[7]

The estimate of how many providers fall into the systemic-risk category varies across sources, with figures in the 5-to-15 range. That range should be treated as an estimate, not as a compliance boundary. If the client may be close to systemic-risk status, counsel should escalate the classification analysis now, because the incident-reporting and evaluator-access issues are not items to discover after a release.

What to Push Before August 2

The remaining work is not glamorous. It is the sort of cross-functional verification that prevents a formal regulator request from becoming an internal incident. The lawyer’s job over the next 29 days is to force specificity while there is still time to route uncertainty cleanly.

  • Verify model timing: separate pre-August 2, 2025 models from post-August 2, 2025 models, and document the treatment of modified versions.
  • Verify Code posture: signed, not signed, partially signed, or relying on other adequate means.
  • Build the evidence file around Articles 91, 92, 93, and 101: documents, access readiness, corrective-action ownership, and fine exposure.
  • Confirm Transparency chapter readiness: documentation form, retention, supporting records, and downstream-response timing.
  • Confirm Copyright chapter controls: robots.txt, pirate-site exclusion, technical output safeguards, vendor dependencies, and rights-holder complaint routing.
  • Escalate systemic-risk classification where plausible, including serious-incident reporting and external evaluator access.

This is also the moment to correct internal language. If a slide says “voluntary Code, low risk,” it should explain the difference between formal voluntariness and enforcement posture. If a slide says “safe harbor,” it should be replaced with the more precise conformity and monitoring language supported by the Commission materials. If a slide says “7% fine,” it should be corrected to the GPAI-specific €15 million or 3% maximum.

August 2 does not mean every GPAI provider will receive a request on August 3. It means the posture changes. Before that date, a missing answer can still be treated as readiness work. After that date, the same missing answer may be tested through information requests, model access demands, corrective measures, or penalty analysis. The defensible file is the one that shows what the company knows, what it has implemented, what remains uncertain, and who is accountable for the next response.

References

  1. Enforcement of Chapter V under the EU AI Act, Artificial Intelligence Act
  2. EU AI Act: European Commission Publishes General-Purpose AI Code of Practice, Jones Day, August 2025
  3. EU AI Act GPAI Model Obligations in Force and Final GPAI Code of Practice in Place, Latham & Watkins
  4. US Companies Face EU AI Act’s Possible August 2026 Compliance Deadline, Holland & Knight, April 2026
  5. Contents of the Code of Practice for General-Purpose AI, European Commission
  6. The EU Commission Publishes General-Purpose AI Code of Practice; Compliance Obligations Begin August 2025, Nelson Mullins
  7. Introduction to the Code of Practice, Artificial Intelligence Act
  8. Update AI Act, Taylor Wessing, July 2025

Corrections & feedback

Submit corrections to factual information, flag stale data, or share deployment experience. Comments are moderated. Nothing in comments constitutes legal advice.

Comments

Join the discussion with an anonymous comment.

Loading comments...
Blogarama - Blog Directory