What changes on 2 August
- Enforcement, not obligation, is the new event. The general-purpose AI (GPAI) obligations have been in force since 2 August 2025. What arrives on 2 August 2026 is the Commission's power to act on them — the one-year grace period for GPAI providers ends.
- Fines become real. Under Article 101, a GPAI provider that fails to meet its obligations faces fines of up to 3% of its total worldwide annual turnover for the preceding financial year, or €15 million, whichever is higher.
- That is a different tier from the headline 7%. The 7% of turnover or €35 million ceiling belongs to Article 99 and applies to the prohibited practices — social scoring and the like. It is not the GPAI number. Do not conflate the two.
- The Code of Practice is the easy road. Providers who sign the GPAI Code of Practice get a lighter-touch route with a presumption of conformity. Non-signatories must prove compliance the hard way and can expect closer scrutiny.
- It reaches exporters in India and the UK. Place a general-purpose model on the EU market, or make it available to EU users, and you are a GPAI provider — no EU office required.
This is a companion to our guide on what became enforceable on 2 August and what the Digital Omnibus deferred. That piece covered the high-risk deadlines slipping to 2027. This one is narrower and, for anyone building or shipping models, sharper: the moment the Commission can actually fine a general-purpose AI provider, and how to make sure it never wants to fine you.
The number that matters: Article 101
The single most important thing to get right here is which penalty applies to which behaviour, because the figures differ by more than a factor of two and the press coverage routinely blurs them.
GPAI providers sit under Article 101. If you are the provider of a general-purpose model and you breach the obligations — or you fail to supply information the Commission requests, or you do not implement agreed mitigations — the Commission can impose a fine of up to 3% of your total worldwide annual turnover for the preceding financial year, or €15 million, whichever is higher. For a well-funded startup, the percentage and the flat figure can be close; for a large company, the turnover percentage is the one that bites. Read the ceiling carefully: it is "whichever is higher", not lower, so a fast-scaling firm cannot rely on the €15 million cap.
Prohibited practices sit under Article 99, and that is a separate, heavier tier. Breaching the Article 5 bans — social scoring, untargeted facial-recognition scraping, certain manipulative or biometric systems — can draw up to 7% of worldwide annual turnover or €35 million, whichever is higher. We mention it only to draw the contrast: the 7% figure that dominates headlines is the prohibited-practices tier, not the GPAI tier. If your exposure is documentation gaps on a general-purpose model, your ceiling is the Article 101 3%/€15 million tier, not the 7% one.
When you brief your board or your legal counsel, name the article. Saying "our exposure is Article 101 — up to 3% of turnover or €15 million" is precise and defensible; saying "the AI Act fines are 7%" is wrong for a GPAI provider and will send you over-engineering the wrong controls. The tier follows the behaviour, so classify the behaviour first.
Who counts as a GPAI provider — and why it might be you
A general-purpose AI model is one trained on broad data at scale that can perform a wide range of tasks and be integrated into many downstream systems — a large language model is the obvious case. You are the provider if you develop such a model, or have it developed, and place it on the EU market under your own name or mark. Crucially, materially fine-tuning an existing model can make you a provider of that modified model, with the obligations that follow.
That definition catches more Indian and UK teams than most founders expect. A Bengaluru company that takes an open-weight base, fine-tunes it into a domain model and sells access to EU customers is a GPAI provider. A London studio that trains its own mid-sized model and offers it through an API to European users is a GPAI provider. Neither needs an office in Frankfurt or Dublin to be in scope — the Act reaches the model, not the corporate address. The extraterritorial trigger is placing the model on the EU market or making it available to users there.
The scope gotcha is that "we have no EU entity" is not a defence. If your model reaches EU users, you are a GPAI provider on the EU market, and Article 101 exposure travels with it. Worse, the obligations can attach to a model you did not train from scratch: material fine-tuning of an upstream base can make you the provider of the modified model. Assuming your upstream vendor absorbs all the compliance is exactly how a team ends up personally in scope without realising it.
There is a heavier sub-category to know about: GPAI models with systemic risk, identified partly by the scale of compute used to train them (the Act uses a threshold expressed in floating-point operations). Providers of those models carry extra duties — model evaluation, adversarial testing, serious-incident reporting and cybersecurity protections. Very few Indian or UK startups will train a systemic-risk model themselves, but the category matters because it is where the frontier debate lives; we looked at how governments are increasingly gating that tier in our piece on government-gated frontier AI.
The Code of Practice: the workable route
The Commission did not leave providers to guess what compliance looks like. The final GPAI Code of Practice is the intended path, and signing it is the pragmatic choice for the overwhelming majority of providers.
Signatories get a lighter-touch, more predictable route: adherence to the Code is treated as evidence of compliance and gives a presumption of conformity with the corresponding obligations. In practice that means less back-and-forth with the Commission, a clearer template for your documentation, and a defensible position if you are ever asked to show your work. Non-signatories are not exempt from anything — the underlying obligations are identical — but they must demonstrate compliance by other means, and they should expect closer examination. Choosing not to sign is choosing the harder, higher-friction path for no reduction in duty.
Unless you have a specific, lawyer-backed reason not to, sign the GPAI Code of Practice and align your documentation to its structure. It converts an open-ended "prove you comply" obligation into a checklist you can actually complete, and it puts you on the side of the presumption of conformity rather than the side that has to argue its way there.
Your compliance map for IN and UK builders
Work down this table by role. Most product teams are in one of the first three rows; the fourth is included only to keep the two penalty tiers straight in your head.
| Who is affected | Obligation | Deadline | Penalty exposure |
|---|---|---|---|
| GPAI model provider (you train or materially fine-tune a general-purpose model placed on the EU market) | Technical documentation, a sufficiently detailed training-data summary, a copyright policy respecting the EU text-and-data-mining opt-out; model card; ideally sign the Code of Practice | Obligations live since 2 Aug 2025; enforcement from 2 Aug 2026 | Up to 3% of worldwide turnover or €15M, whichever higher (Article 101) |
| GPAI with systemic risk (trained above the compute threshold) | All of the above plus model evaluation, adversarial testing, serious-incident reporting and cybersecurity protections | Enforcement from 2 Aug 2026 | Same Article 101 tier (3% / €15M) |
| Downstream deployer relying on an upstream provider's model | Confirm your provider is compliant (ideally a signatory); pass through the documentation you receive; meet your own transparency duties | 2 Aug 2026 | Indirect — your provider carries the Article 101 exposure, but gaps in their compliance become your product risk |
| Prohibited-practice systems (for contrast only) | Redesign or withdraw — there is no compliance route for a banned practice | Banned since 2 Feb 2025 | Up to 7% of worldwide turnover or €35M (Article 99) — the separate, higher prohibited-practices tier |
The row that trips up exporters is the third one. If you build on someone else's model, you are not automatically clear: you need to know whether your upstream provider has done the work, because their documentation is what lets you meet your own obligations and answer your enterprise customers' due-diligence questions. "We use a big-name model, so we are fine" is an assumption, not a control — write to your vendor and get the artefacts in hand.
Every article here is written by a Verified Builder. Want your name on the next one?
AI Tech Connect lists AI engineers, founders and researchers across India and the UK — and the people hiring browse it to find them. Adding your profile is free.
Become a Verified Builder →Why the UK and India pictures look different
Neither the UK nor India has a domestic equivalent of the GPAI regime, and that asymmetry is the whole point for exporters. Britain rejected a single comprehensive AI statute in favour of extending existing regulators' remits, and a dedicated UK GPAI law has not materialised. So a UK team faces no horizontal model-obligation law at home — but the instant its model reaches EU users, it inherits the full Article 101 exposure anyway. This is the same widening transatlantic split we traced in our piece on the US executive order and EU divergence: light-touch at home, heavyweight the moment you cross into the EU market.
India's position rhymes with the UK's but is framed around data. The DPDP regime governs personal data; it is not a model-obligation law and says nothing about training-data summaries, copyright policies or Code-of-Practice conformity. So an Indian team selling a general-purpose model into the EU is complying with two unrelated regimes at once — DPDP for personal data at home, and the AI Act's GPAI obligations abroad. The practical mercy is that the disciplines overlap: clear records of what your model was trained on, and disciplined data governance, serve both. Build the documentation once and it does double duty. For more on where the regulatory lines are being drawn, our policy coverage tracks the moving pieces.
What to do this quarter
If you provide a general-purpose model that any EU user might touch, four actions are worth taking before the enforcement date, and none of them requires a lawyer to start.
- Confirm your role in writing. Decide, per model, whether you are a provider, a material fine-tuner (also a provider of the modified model) or a downstream deployer. Most teams have at least one surface they had mis-filed.
- Assemble the core artefacts. Technical documentation, a sufficiently detailed training-data summary, a model card and a copyright policy that respects the EU text-and-data-mining opt-out. These are the documents the Commission and your enterprise customers will ask to see.
- Sign the Code of Practice, or record why you have not. Signing buys the presumption of conformity and a template to work against. If you decide against it, document the alternative way you will demonstrate compliance — silence is the worst option.
- Pin down your upstream provider. If you build on someone else's base, get their compliance status and documentation. Their Article 101 gap becomes your product's exposure the day an EU customer runs due diligence.
The framing to resist is the alarmist one. Enforcement going live is not a cliff edge for well-run teams — it is the point at which good documentation stops being optional and starts being the thing that protects you. The providers who come out of 2 August well are the ones who treated the year of grace as time to build the paperwork properly, signed the Code, and can answer the Commission's first letter with a folder rather than a scramble. The obligations were always there; from 2 August, so are the consequences of ignoring them.
Primary references: the European Commission's guidance on enforcement of Chapter V under the EU AI Act, and Latham & Watkins on GPAI model obligations in force and the final GPAI Code of Practice.