EU AI Act GPAI Fines: How Enforcement Works From August 2026
# EU AI Act GPAI Fines: How Enforcement Works From August 2026
This page explains how the EU AI Act enforces obligations on general-purpose AI (GPAI) providers, what fines apply, what triggers an investigation, and what both GPAI providers and downstream API users need to have in place before August 2, 2026.
---
## What the EU AI Act Says
The EU AI Act establishes a dedicated enforcement regime for general-purpose AI models under Chapter V (Articles 51 to 56). The key enforcement provisions are:
- **Article 53** sets out the core obligations for GPAI model providers: technical documentation, transparency toward downstream providers, acceptable use policies, and copyright compliance measures.
- **Article 55** adds further obligations for providers of GPAI models with "systemic risk" (broadly: models trained on compute exceeding 10^25 FLOPs, or designated by the AI Office). These include adversarial testing, incident reporting, and cybersecurity measures.
- **Article 101** sets the fine levels: up to EUR 15 million or 3% of total worldwide annual turnover (whichever is higher) for violations of GPAI provider obligations. For providers of models with systemic risk, fines can reach EUR 30 million or 6% of global turnover for the most serious violations.
- **Article 99** and **Article 100** govern the enforcement process: investigations, interim measures, and the right to be heard before a fine is issued.
- **Recital 154** clarifies that the AI Office has primary jurisdiction over GPAI models at the EU level, meaning national market surveillance authorities are not the first point of contact for GPAI enforcement.
---
## Who This Applies To
**GPAI providers** are companies that develop or make available a general-purpose AI model for use by others, including via API. If your company releases a foundation model, an instruction-tuned model, or a hosted inference API that third parties integrate into their own products, you are a GPAI provider under the Act.
**Downstream deployers** (companies that build products on top of GPAI APIs) have a narrower set of direct obligations, but they are not entirely off the hook. Under Article 53(3), a downstream provider that places a GPAI model into their own product becomes a GPAI provider themselves if they substantially modify the model. In practice, fine-tuning on your own data likely triggers this. Standard API usage with prompt engineering does not.
Company size affects fine ceilings but not the existence of obligations. The Act applies to any company providing or using GPAI models to users in the EU, regardless of where the company is incorporated. SME exemptions exist for some high-risk AI provisions but do not eliminate GPAI obligations.
Sector does not determine GPAI applicability. A legal tech company, a SaaS HR platform, and a developer tools provider are all subject to the same GPAI rules if they provide or integrate GPAI models for EU users.
---
## What the Obligations Actually Require
For GPAI providers, Article 53 requires four concrete deliverables:
1. **Technical documentation**: A structured record of the model's architecture, training data sources, training methodology, evaluation results, and known limitations. The AI Office has published a template (the so-called "technical documentation template for GPAI models") to guide this. This is not a one-page summary. It is a detailed technical dossier.
2. **Information for downstream providers**: Any company integrating your model via API must receive documentation sufficient to understand what the model can and cannot do, including known failure modes and any use restrictions. This is typically delivered via terms of service, model cards, and developer documentation. A generic "see our docs page" is unlikely to satisfy the requirement.
3. **Acceptable use policy**: A publicly available policy listing prohibited uses of the model. This must cover at least the prohibited AI practices in Article 5 of the Act.
4. **Copyright compliance summary**: Documentation of the policy applied to training data with respect to copyright, including how the provider complied with the EU's Text and Data Mining exception framework under Directive 2019/790.
For models with systemic risk (Article 55), additional obligations apply: adversarial red-teaming before release, ongoing incident reporting to the AI Office within defined timeframes, and cybersecurity controls commensurate with the risk level.
---
## What Triggers an Investigation
The AI Office can open an investigation on its own initiative or following a complaint. Under Article 99, the AI Office can:
- Request access to training data, model weights, and technical documentation
- Conduct on-site inspections
- Require the provider to take interim corrective measures where there is a risk of serious harm
- Issue a preliminary finding and give the provider an opportunity to respond before issuing a fine
In practice, the most likely investigation triggers are: a public incident involving a GPAI model (a widely reported misuse or harm), a complaint from a national authority or affected party, or a targeted sector sweep by the AI Office (the office has indicated it will conduct proactive model evaluations).
When investigators arrive, they will request: the technical documentation package described in Article 53, training data inventories, incident logs, and records of how the provider communicated limitations to downstream integrators. Companies that cannot produce these on request face a much harder enforcement conversation than those with documented compliance programs already in place.
---
## Key Deadlines
- **February 2, 2025**: Article 5 (prohibited AI practices) entered into force. This is already law. Any AI system that performs social scoring, real-time biometric surveillance in public spaces (outside narrow exceptions), or subliminal manipulation is already prohibited.
- **August 2, 2026**: GPAI obligations (Chapter V, including Articles 53 and 55) and transparency obligations for certain AI systems (Article 50) become enforceable. This is the deadline that matters for most AI companies.
- **December 2, 2027**: Annex III high-risk AI system obligations apply to existing systems (new systems placed on the market after August 2026 must comply immediately). If your product is a high-risk AI system under Annex III (HR tools, credit scoring, biometric categorization, etc.), you have until this date for legacy systems, but not beyond.
---
## What to Do Now
If you are a GPAI provider or you build on GPAI APIs, these are the actions to take before August 2, 2026:
1. **Determine your role under the Act.** Decide whether your product makes you a GPAI provider (you offer a model to others) or a downstream deployer (you use someone else's model). If you fine-tune, re-examine this. The distinction changes your compliance obligations significantly.
2. **Draft your technical documentation now.** The AI Office's GPAI technical documentation template is public. Start filling it out. Gaps in training data records or evaluation methodology take months to address, not days.
3. **Audit your developer-facing documentation.** If you operate a GPAI API, review what information you currently provide to API users. Map it against Article 53(2) requirements. Identify gaps and assign ownership for closing them.
4. **Publish or update your acceptable use policy.** It must explicitly reference Article 5 prohibited uses. Generic "no harmful use" language is not sufficient.
5. **Set up an incident register.** Even if your model does not yet qualify as systemic risk, building the habit of logging significant incidents now puts you ahead of the obligation and demonstrates good faith to regulators.
---
## Check Your Specific Obligations
Every AI product has a different risk profile under the EU AI Act. GPAI rules, Annex III high-risk rules, and Article 50 transparency rules can all apply to the same product at the same time.
Use the free ActComply risk screener to see which obligations apply to your system: https://www.getactcomply.com/check