Key Takeaways
- The EU AI Act’s enforcement phase begins on 2 August 2026, granting the European Commission authority to monitor and penalise providers of the most powerful general‑purpose AI models.
- Providers are split into a “light” tier (all GPAI makers) and a “heavy” tier (those whose training exceeds 10²⁵ floating‑point operations, deemed systemic‑risk models).
- Light‑tier firms must publish and semi‑annually update a standardized training‑data summary; heavy‑tier firms must conduct rigorous risk testing, incident reporting, and security safeguards.
- Non‑compliance can draw fines up to 3 % of global turnover or €15 million, and the AI Office can request source‑code access, run evaluations, or order a model’s removal from the market.
- Critics point to vague wording around what counts as a “sufficiently detailed” summary and a reliance on external tips for enforcement.
- Staffing remains a bottleneck: the AI Office has ~125 employees, far short of the ≈160 recommended for adequate GPAI supervision, while the UK’s AI Safety Institute employs ~250.
Enforcement Begins: AI Act Gains Teeth on 2 August 2026
On 2 August 2026 the European Union’s rulebook for artificial intelligence moves from a set of deadlines on paper to an operative regime with real‑world consequences. From that date the European Commission can supervise the companies that build the most powerful AI models and levy fines if it chooses. As the article notes, “the European Commission can supervise the companies that build the most powerful AI models, and fine them if it chooses.” This marks the end of a one‑year grace period that followed the initial prohibitions and general‑purpose model duties introduced in 2025, signalling the start of broad enforcement across the bloc.
From Prohibitions to Full‑Scale Oversight: Timeline of the AI Act
The AI Act’s rollout has been staged. Certain AI practices were banned as early as February 2025, and obligations for general‑purpose model makers took effect in August 2025. The August 2026 deadline therefore represents the culmination of a phased approach: first outlawing the most harmful uses, then imposing baseline transparency duties, and finally activating the supervisory and sanctioning mechanisms that give the regulation its bite. This staggered timeline was designed to give industry time to adapt while ensuring that the most consequential models eventually face rigorous oversight.
Two‑Tier Framework: Light and Heavy Obligations for GPAI Providers
The Act distinguishes general‑purpose AI (GPAI) into two tiers based on the presumed systemic risk of the model. A lighter tier applies to every entity that creates such a model, while a heavier tier targets only the handful of labs building the most capable systems. This bifurcation allows the EU to impose baseline transparency on the broad ecosystem of AI developers while reserving stricter, risk‑based duties for the frontier models that could pose societal‑wide hazards if misbehave.
Light‑Tier Duty: Publishing and Updating Model‑Training Summaries
All providers in the light tier must publish a summary of what went into training their model. The AI Office released a mandatory template for this summary in July 2025, aiming to give the public—and individuals whose data may have been scraped—a broad picture of the model’s foundations. The summary must be refreshed at least every six months, or sooner if a significant change occurs in the training data or methodology. This requirement is intended to foster accountability without imposing prohibitive burdens on the majority of AI actors.
Heavy‑Tier Responsibilities: Risk Assessment, Auditing, and Incident Reporting
Providers judged to carry “systemic risk” face additional duties. They must stress‑test their models, attempt to break them, assess and mitigate risks to public health, safety, security, rights, and society, report serious incidents to the AI Office, and maintain robust system security. In short, the biggest labs are asked to audit their own most dangerous work and inform the regulator when something goes wrong. These measures mirror the kind of internal governance frameworks that leading AI firms already volunteer, but now they become legally enforceable obligations.
What Counts as Systemic Risk? The 10²⁵ FLOPs Benchmark
The line between the tiers is drawn at a numeric threshold: a model is presumed to carry systemic risk if its training required more than 10²⁵ floating‑point operations (FLOPs). This figure serves as a blunt proxy for capability, set deliberately high to capture only the most compute‑intensive models. According to the Commission, only a handful of companies—estimated at around a dozen global models—clear this bar, making the heavy regime a narrowly targeted but powerful tool aimed at the frontier of AI development.
Teeth of the Law: Fines, Investigative Powers, and Market‑Removal Authority
Non‑compliance carries substantial financial penalties: the Commission can fine a provider up to 3 % of global annual turnover or €15 million, whichever is greater. Beyond fines, the AI Office gains three significant authorities, as highlighted by Harvard Kennedy School fellow Joel Christoph in Lawfare: “requesting documents, running evaluations with access to source code, and demanding action up to pulling a model off the market.” Christoph describes these as “among the most far-reaching regulatory powers any government has claimed over frontier AI.” This combination of monetary deterrence and investigative reach is intended to give the regulation genuine enforcement capability.
Unsettled Details: What Is “Sufficiently Detailed” and the Limits of Disclosure
Two central gaps could undermine the Act’s effectiveness. First, the requirement that a training summary be “sufficiently detailed” lacks precision; lawyers at WilmerHale warn that the template does not specify whether detail should be measured by file size, word count, or another metric. Second, the disclosure regime leans heavily on external tip‑offs, as the Commission does not audit the data itself but can act on complaints or alerts from its scientific panel. A system that depends on outside reports is only as strong as the willingness and ability of whistle‑blowers or competitors to come forward, leaving a potential enforcement blind spot.
Capacity Concerns: AI Office Staffing Gaps and Talent Attraction
Effective enforcement hinges on personnel, and here the AI Office appears under‑resourced. The office currently employs more than 125 staff across all functions, only a fraction of whom focus on general‑purpose AI supervision, despite having over a hundred distinct responsibilities under the Act. Christoph cites a Pour Demain recommendation calling for at least 160 staff dedicated to GPAI oversight by 2030. Hiring has lagged; Transformer News reported difficulties recruiting for the safety unit due to rigid EU pay scales and slow bureaucracy. Risto Uuk, head of EU policy and research at the Future of Life Institute, warned, “There needs to be more staff to carry out these tasks and meet the deadlines under the law.” For contrast, the UK’s AI Safety Institute, which pays above standard civil‑service rates, employed roughly 250 people by August 2025, illustrating a staffing disparity that could affect the EU’s ability to monitor frontier models effectively.
The Bottom Line: Regulatory Tools Exist; Implementation Hinges on Will and Resources
The powers slated to take effect on 2 August 2026 are real and, by one credible reading, unusually broad. Whether they reshape how the largest AI models are built ultimately depends less on the statutory text and more on the willingness of regulators and the availability of resources. As Christoph summed up, “The tools are on the table. The question is whether anyone picks them up.” If the EU can close the definition ambiguities, bolster its AI Office with sufficient skilled staff, and sustain political resolve, the Act may become a benchmark for global AI governance; if not, the regulation risks remaining a potent framework on paper with limited practical impact.

