MONDAY · 18 MAY 2026№ 013

AMARTUVSHIN

Simplicity over complexity, quantity over quality.

Security Engineer · Notes from building at speed

amartuvshin.com
The EU AI Office Gets Teeth on August 2
◆ Essay № 03Policy2 min read

The EU AI Office Gets Teeth on August 2

GPAI obligations have technically been in force for nine months. The fines have not. That changes in under three.

Published
May 18, 2026
Reading time
2 minutes

The European Union's AI Act has been, until now, a law without a working enforcement mechanism. The General-Purpose AI (GPAI) obligations took effect on August 2, 2025, but the European Commission's AI Office was given a one-year grace period before it could actually use its powers — request documentation, run evaluations, restrict market access, impose fines. That grace period ends on August 2, 2026. In less than three months, the office will, for the first time, have teeth.

§ 01 What the office can do

Under Article 101 of the Act, the AI Office can fine providers of general-purpose AI models up to 3% of global annual turnover or €15 million, whichever is higher. For a hyperscaler, that is not a small number. For a frontier lab, it is the kind of number that becomes a quarterly board agenda item.

The enforcement toolkit is broader than fines. The office can request technical documentation, conduct its own model evaluations, demand compliance and risk-mitigation measures, restrict market access, order recalls, and force product withdrawal. The text of the Act gives it the same kind of supervisory powers a financial regulator has over a systemically important bank.

§ 02 What providers must produce

Every GPAI model placed on the EU market — and that includes most foundation models served through APIs to EU customers — must, by the August deadline, ship four things:

  • A complete technical-documentation package, kept current and available to the AI Office on request.
  • Instructions for downstream deployers describing the model's capabilities, limitations, and acceptable uses.
  • A copyright-compliance policy aligned with the Copyright Directive, including a Text-and-Data-Mining opt-out mechanism for rightsholders.
  • A public, sufficiently detailed summary of the training data — the most controversial of the four, because "sufficiently detailed" is now the subject of intense lobbying.

§ 03 Systemic-risk providers

Models designated as posing systemic risk — a designation the Commission can apply based on compute-spend thresholds and capability assessments — carry additional duties. These providers must run model evaluations including adversarial testing, report serious incidents to the office, implement cybersecurity protections for their training and serving infrastructure, and continuously monitor for emergent capabilities post-deployment.

The GPAI Code of Practice, finalized earlier this year, is the voluntary route to demonstrating compliance ahead of the deadline. The labs that have signed on get the regulatory equivalent of a safe harbour. The labs that have not are betting they can satisfy the Article 53 requirements directly — a bet that the office will pressure-test from August onward.

§ 04 The 2027 cliff

One detail worth filing away: models that were placed on the market before August 2, 2025 have until August 2, 2027 to reach full compliance — a two-year transition. Models released after the August 2025 cutoff get no such grace. The labs that froze their release cadence over the past nine months were not being cautious. They were timing the regulatory window.

A regulation without enforcement is a suggestion. A regulation with enforcement is a deadline. The EU AI Act is about to become the latter.

Archive Notes
Up NextAll essays →
GPT-5.5 Ships — and the Price Doubles
Models

GPT-5.5 Ships — and the Price Doubles

OpenAI's first ground-up rebuild since GPT-4.5 lands April 23. The capability jump is real. So is the bill.

Continue reading