On  August 2nd 2026, the European Union’s rulebook for artificial intelligence stops being a set of deadlines on paper and starts having teeth. From that day, the European Commission can supervise the companies that build the most powerful AI models, and fine them if it chooses. 

This is not the first time the EU AI Act has bitten. Prohibitions on certain AI practices took effect in February 2025, and duties for general-purpose model makers began in August 2025. What August 2026 marks is the end of a one-year grace period and the start of broad enforcement.

What the law actually requires

The Act splits general-purpose AI, the large models that power chatbots and image generators, into two tiers. A lighter tier applies to everyone who makes such a model. The heavier tier applies only to the handful of labs building the most capable systems.

In the lighter tier, every provider must publish a summary of what went into training the model. The AI Office released a mandatory template for this in July 2025. The aim is that the public, and people whose work may have been scraped into the training data, get at least a broad picture of what a model was built on. The summary should be updated every six months, or sooner if something significant changes.

The heavier tier is where the self-policing comes in. Providers of models judged to carry “systemic risk” face extra duties. They must test their models hard, including trying to break them; assess and reduce risks to public health, safety, security, rights and society; report serious incidents to the AI Office; and keep their systems secure. In short, the biggest labs are asked to audit their own most dangerous work and tell the regulator when something goes wrong.

What ‘systemic risk’ means in practice

The line between the two tiers is a number. A model is presumed to carry systemic risk if training it used more than 10^25 floating-point operations, a rough measure of how much raw computing power went into it. It is a blunt stand-in for capability, set deliberately high.

How many models clear that bar? Not many. The Commission says systemic-risk models are built by a handful of companies. One recent industry compliance guide estimates the count at around a dozen global models. That short list is exactly who the heavier regime is meant to reach.

The penalties give the rules their weight. For non-compliance, the Commission can fine a provider up to 3% of global annual turnover or 15 million euros, whichever is higher. Writing for Lawfare, Harvard Kennedy School fellow Joel Christoph set out how the powers stack up. Christoph writes that “the European Commission’s AI Office will gain three significant authorities.” They range from requesting documents, to running evaluations with access to source code, to demanding action up to pulling a model off the market. He describes these as “among the most far-reaching regulatory powers any government has claimed over frontier AI”.

The questions the law leaves open

Two gaps sit at the centre of whether any of this works. The first is about definitions. A training summary must be “sufficiently detailed”, but what that means in practice is not settled. Lawyers at WilmerHale noted the template does not say how scraped content should be measured, whether by file size, word count, or something else. The same analysis notes the Commission will not audit the data itself, but can act on complaints or alerts from its scientific panel. A disclosure regime that depends on outside tip-offs is only as strong as the tips it gets.

The second gap is staffing. Rules mean little without people to enforce them. The European AI Office currently employs more than 125 staff across all its functions, only a portion of whom work on general-purpose AI supervision; the office has over a hundred distinct responsibilities under the Act. Writing in Lawfare, Christoph cites a Pour Demain recommendation to scale that GPAI supervisory capacity specifically to at least 160 staff by 2030, having judged the current level insufficient.

Hiring has been slow. Transformer News reported that the AI Office has struggled to recruit for its safety unit, with rigid EU pay scales and slow bureaucracy making it hard to attract scarce frontier-AI talent. Risto Uuk, head of EU policy and research at the Future of Life Institute, told the publication it was “concerning that hiring is taking so long”. He added: “There needs to be more staff to carry out these tasks and meet the deadlines under the law.” For comparison, the UK’s AI Safety Institute, which pays above standard civil-service rates, employed around 250 people by August 2025.

The powers arriving on 2 August 2026 are real, and by one credible reading unusually broad. Whether they change how the biggest models are built is a separate question, and it turns on people and money rather than legal text. Christoph put the tension plainly: “The tools are on the table. The question is whether anyone picks them up.”